Introduction
This Privacy Policy explains how Milos Jovic trading as Nora PM ("we", "us", "our") collects, processes, stores, and protects personal data when you use Nora, our AI-powered property management assistant ("Service").
This policy applies to:
- Agencies — property management companies and their staff who subscribe to Nora
- Tenants — individuals whose data is processed through Nora on behalf of an agency
- Prospects — individuals who interact with Nora regarding property viewings or inquiries
We are committed to protecting personal data and complying with applicable data protection laws, including the General Data Protection Regulation (GDPR) for UK and EU/EEA users and relevant US state privacy laws including the California Consumer Privacy Act (CCPA).
Who Controls Your Data
Agencies are the data controller for their tenants' and prospects' personal data. Milos Jovic trading as Nora PM acts as a data processor, processing that data only on the agency's instructions.
For agency staff data, Milos Jovic trading as Nora PM is the data controller.
If you are a tenant and have questions about how your data is used, contact your property management agency first. They are responsible for how your data is handled through Nora.
What Data We Collect
3.1 Agency Data
When an agency subscribes to Nora, we collect:
- Agency name, contact details, and billing information
- Manager name, WhatsApp number, and email address
- Property and unit information entered into the system
3.2 Tenant Data (processed on behalf of the agency)
When tenants interact with Nora via WhatsApp, the following data is collected:
- Name (first name only in outbound communications)
- WhatsApp number
- Unit number and property address
- Lease dates, rent amount, and payment status
- Maintenance requests and issue descriptions
- Photos submitted with maintenance requests
- GDPR/consent records (date, method, outcome)
- Inbound message content (used to classify and respond to requests)
Note: Nora does not collect emergency contact information during onboarding. Agencies are responsible for managing emergency contacts through their own systems and existing tenant documentation.
3.3 Prospect Data
When prospects enquire about properties:
- Name (if provided)
- WhatsApp number
- Property preferences (bedrooms, budget, move-in date, pets)
- Viewing appointment details
3.4 Automated Logs
The system automatically logs:
- Message metadata (timestamps, channel, message preview — first 100 characters only)
- Security events (rate limit breaches, injection attempts — phone numbers masked to last 4 digits)
- System health metrics (response times, queue depth)
How We Use Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Delivering the Nora service to agencies | Contract |
| Processing tenant communications on agency's behalf | Legitimate interest / Contract |
| Sending rent reminders and maintenance updates | Legitimate interest / Consent (via onboarding gate) |
| Emergency escalation and safety responses | Vital interests |
| Billing and subscription management | Contract |
| Security monitoring and fraud prevention | Legitimate interest |
| Improving the service | Legitimate interest |
We do not use tenant data for advertising, profiling, or any purpose unrelated to delivering property management services. We do not sell data to any third party.
Data Retention
| Data Type | Retention Period |
|---|---|
| Financial records (rent payments, invoices, deposit data) | 6 years from end of tenancy |
| General tenancy data (maintenance, communications, onboarding) | 3 years from end of tenancy |
| Prospect/inquiry data | 12 months from last interaction |
| Security logs | 90 days |
| System health metrics | 30 days |
| Agency billing records | 7 years (tax compliance) |
Data is retained for these periods even following a deletion request where legal obligations require it. We will always explain the reason when this applies.
Third-Party Processors
We use the following third-party services to deliver Nora. Each has been selected for its data protection standards.
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Anthropic | AI language model processing | USA | DPA, commercial terms |
| DigitalOcean | Server hosting and data storage | USA (New York) | SOC 2 certified, DPA available |
| | Operational dashboard and reporting | USA / EU | Google Workspace DPA, SCCs |
| WhatsApp (Meta) | Tenant and manager communication channel | USA | Meta Business Terms |
Note for UK and EU agencies: Where data is transferred to processors outside the UK/EU/EEA, we rely on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms. Agencies may request that Google Sheets operational logging is disabled for their deployment — contact mj@meetnora.app.
We do not sell data to any third party. Processors are contractually prohibited from using your data for their own purposes.
Security
We implement the following security measures:
- Server hardening: UFW firewall, fail2ban, SSH key-only authentication, automatic security updates
- Access control: Gateway authentication token, restricted file permissions
- Rate limiting: Automated blocks on suspicious message volumes
- Injection protection: All inbound messages treated as untrusted input; injection attempts logged and blocked
- Data minimisation: Phone numbers masked to last 4 digits in logs; full names not used in shared contexts
- Daily backups: Operational data is backed up daily to an off-server secure location
- Dedicated infrastructure: Each client's data runs on a dedicated server instance — no shared databases between agencies
No security system is perfect. We notify affected agencies of any data breach without undue delay and, where required by law, within 72 hours.
Your Rights
Tenant Rights — GDPR (UK and EU/EEA tenants)
If you are a UK or EU/EEA tenant, you have the right to:
- Access — request a copy of your personal data held by your agency
- Rectification — request correction of inaccurate data
- Erasure — request deletion of your data ("right to be forgotten")
- Restriction — request that processing is limited in certain circumstances
- Portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — withdraw consent at any time (reply STOP to any Nora message)
Important limitation on erasure: Where data must be retained for legal compliance (e.g. financial records required by tax law), we cannot delete it but will anonymise or restrict its use where possible. We will always explain the reason.
To exercise your rights, contact your property management agency, who will coordinate with us as data processor.
US Tenant Rights — CCPA (California residents)
California residents have the right to:
- Know what personal information is collected and how it is used
- Request deletion of personal information
- Opt out of the sale of personal information — we do not sell data
- Non-discrimination for exercising these rights
To submit a request: mj@meetnora.app
Agency Rights
Agencies may request a full data export at any time. On termination of subscription, data is available for export for 30 days before deletion.
GDPR Consent Gate
When a new tenant is onboarded via Nora, they receive a consent message explaining:
- That they will be communicating with an AI-powered property management assistant
- What data is collected and how it is used
- How to withdraw consent at any time (reply STOP)
No tenant data is stored until consent is given. If consent is declined, only a minimal record (number, agency, outcome, timestamp) is retained in the consent log for compliance purposes.
Data Deletion Requests
To request deletion of your data:
- Tenants: Contact your property management agency, who will submit a request on your behalf
- Agencies: Email mj@meetnora.app with your agency name and the request details
- Prospects: Email mj@meetnora.app with the WhatsApp number used
We will respond within 30 days. Where legal retention requirements prevent full deletion, we will explain what data must be kept and why.
Children's Data
Nora is not intended for use with individuals under 18. We do not knowingly collect data from minors.
Changes to This Policy
We will notify agencies of material changes to this policy with at least 14 days' notice. The current version is always available at meetnora.app/privacy.
Contact and Complaints
Get in touch
Data protection enquiries, deletion requests, and agency data export requests:
UK and EU/EEA users: If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection authority — the ICO in the UK, or your local EU supervisory authority.