Legal Document

Privacy Policy

Nora AI Voice Companion  |  Last updated: June 7, 2026  |  Effective: June 7, 2026

Summary: Nora collects voice audio, conversation transcripts, and account information to deliver AI voice companion services. We do not sell your personal data. You can delete your data at any time. Voice clones are stored securely and used only for your personal voice synthesis.

1

Introduction

Welcome to Nora AI Voice Companion ("Nora," "we," "us," or "our"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our mobile application (package ID: com.nora.ai) and related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.

This Policy applies to all users worldwide. Additional rights may apply depending on your jurisdiction; see Section 9 for GDPR-specific rights and Section 8 for general data rights.

2

Data We Collect

We collect the following categories of information:

2.1 Account Information

  • Email address — used for account creation, authentication, and service communications.
  • Password — stored as a cryptographic hash; we never store plain-text passwords.
  • Account preferences — language settings, notification preferences, subscription tier.

2.2 Voice and Audio Data

  • Voice recordings — audio captured during conversations with Nora for transcription and AI response generation.
  • Voice clone samples — audio recordings voluntarily submitted by you to clone your voice for personalized speech synthesis.
  • Transcripts — text transcriptions of your spoken input produced by OpenAI Whisper.

2.3 Conversation Data

  • Conversation history — full text records of your exchanges with the AI, stored in Firebase Firestore.
  • Journal summaries — AI-generated weekly summaries derived from your conversation history.
  • Emotional tone indicators — metadata inferred from the content of your conversations (not raw audio analysis).

2.4 Device and Technical Data

  • Device identifiers — push notification tokens, device OS version, app version.
  • Usage data — session duration, features used, credit consumption, error logs.
  • IP address — logged by Firebase and third-party services for security and fraud prevention.

2.5 Payment Data

Subscription and payment transactions are processed entirely by Apple App Store and Google Play Store through RevenueCat. We do not receive, process, or store your credit card numbers, bank account details, or other primary payment credentials. We receive only subscription status, tier, and anonymized transaction identifiers from RevenueCat.

Data Type  |  Purpose  |  Stored Where
Email & password hash  |  Authentication  |  Firebase Auth
Conversation history  |  AI context, journal  |  Firebase Firestore
Voice clone samples  |  Voice synthesis  |  RunPod GPU servers
Transcripts  |  AI processing  |  Firebase Firestore
Subscription status  |  Feature gating  |  RevenueCat + Firestore
Push tokens  |  Reminders  |  Firebase Cloud Messaging

3

Voice & Audio Data — Important Notice

Your voice is yours. We take extraordinary care with voice data because it is uniquely personal and potentially sensitive biometric information.

3.1 How Voice Recordings Are Used

Each time you speak to Nora, your audio is transmitted securely to our servers (or directly to OpenAI Whisper) for transcription only. Live conversation audio is not stored permanently — only the resulting text transcript is retained in your conversation history. Raw audio from individual conversation turns is discarded after transcription is complete.

3.2 Voice Clone Samples

  • Voice clone samples are transmitted to and stored on RunPod GPU infrastructure solely for the purpose of synthesizing speech that sounds like your voice.
  • Voice models derived from your samples are associated exclusively with your account identifier.
  • Your voice model is never used to generate speech for any other user, shared with third parties, or used for any purpose other than generating audio responses in your personal Nora session.
  • Voice clone data is not used to train AI models, improve Nora's general capabilities, or for any commercial purpose beyond powering your personal voice synthesis feature.

3.3 Voice Sharing Feature

If you choose to share your voice with a friend via a sharing code, you explicitly authorize that specific friend's account to use your voice model for their Nora sessions. You may revoke this permission at any time through the app, which immediately removes access.

3.4 Deleting Voice Data

You can delete your voice clone at any time through Settings → Voice Clone → Delete Voice. Upon deletion, we will remove your voice samples and derived voice model from RunPod servers within 30 days. We will send you a confirmation email when deletion is complete.

3.5 Emotion Detection

Nora may infer emotional context from the text content of your conversations (e.g., detecting sadness from words used) to adjust response tone. This analysis is performed using the AI language model and is not based on acoustic voice analysis. Emotional metadata is stored alongside conversation records and is subject to the same deletion rights as all other conversation data.

4

How We Use Your Data

We use collected data for the following purposes, each grounded in a lawful basis:

4.1 Providing the Service (Contract Performance)

  • Transcribing your voice input to text.
  • Generating AI responses to your messages.
  • Synthesizing speech using text-to-speech or your cloned voice.
  • Storing conversation history so the AI can maintain context.
  • Generating weekly journal summaries from your conversations.
  • Scheduling push notification reminders you request during conversations.
  • Enforcing subscription tier limits (daily credits).

4.2 Account Management (Contract Performance)

  • Creating and authenticating your account.
  • Sending email verification and password reset emails.
  • Processing subscription status changes.

4.3 Safety and Legal Compliance (Legitimate Interest / Legal Obligation)

  • Detecting and preventing fraud, abuse, and violations of our Terms of Service.
  • Responding to legal requests from law enforcement or courts.
  • Protecting the rights, property, and safety of Nora, its users, and the public.

4.4 Service Improvement (Legitimate Interest)

We may use anonymized and aggregated data (never linked to your identity) to understand usage patterns, improve app performance, and develop new features. We will not use your identifiable voice recordings or conversation content for AI model training without your explicit, separate opt-in consent.

4.5 Communications (Consent / Legitimate Interest)

  • Sending service-critical notifications (account changes, security alerts).
  • Sending push notification reminders you have explicitly scheduled through the app.
  • Occasional product updates — you may opt out at any time.

5

Third-Party Services

Nora relies on the following third-party services to operate. Each has its own privacy policy and data processing practices. By using Nora, you acknowledge that your data may be transmitted to and processed by these services as described below.

Service  |  Provider  |  Data Shared  |  Purpose
Whisper API  |  OpenAI, Inc.  |  Voice audio  |  Speech-to-text transcription
GPT-4o-mini API  |  OpenAI, Inc.  |  Conversation text  |  AI responses (FREE tier)
Claude Haiku API  |  Anthropic, PBC  |  Conversation text  |  AI responses (PRO/MAX tiers)
Firebase (Auth + Firestore)  |  Google LLC  |  Email, user data, conversations  |  Authentication, database
Firebase Cloud Messaging  |  Google LLC  |  Push tokens, notification content  |  Push notifications / reminders
RunPod GPU Servers  |  RunPod, Inc.  |  Voice samples, audio requests  |  Voice synthesis (XTTS-v2) & clone storage
RevenueCat  |  RevenueCat, Inc.  |  User ID, subscription events  |  Subscription management
Expo / EAS  |  Expo (by Meta Platforms / independent)  |  App builds, OTA update metadata  |  App delivery and updates

5.1 OpenAI

Your voice audio and conversation text are transmitted to OpenAI's API. OpenAI's data handling is governed by the OpenAI Privacy Policy and their API data usage policies. As of the date of this policy, OpenAI does not use API inputs/outputs to train its models by default.

5.2 Anthropic

PRO and MAX tier conversations are processed by Anthropic's Claude API. Anthropic's data handling is governed by the Anthropic Privacy Policy.

5.3 Google Firebase

Firebase services (hosted in the United States) process authentication and store your conversation history and user profile. Firebase is governed by Google's privacy terms and the Google Cloud Data Processing Addendum, which includes Standard Contractual Clauses for international data transfers.

5.4 RunPod

Voice clone samples and TTS (text-to-speech) requests are processed on RunPod serverless GPU infrastructure. RunPod data centers are located in the United States. Your voice data on RunPod is isolated to your account and not accessible to other RunPod customers.

5.5 RevenueCat

RevenueCat manages subscription state on our behalf. RevenueCat receives your app store customer ID and subscription events. RevenueCat does not receive payment card details. See the RevenueCat Privacy Policy.

6

Data Sharing and Disclosure

We do not sell, rent, or trade your personal data to third parties for their marketing purposes. We disclose data only in the following circumstances:

  • Service providers: As listed in Section 5, we share data with vendors that process it on our behalf under data processing agreements.
  • Legal requirements: We may disclose data if required by law, subpoena, court order, or other legal process, or if we believe disclosure is necessary to prevent harm or protect rights.
  • Business transfers: In the event of a merger, acquisition, or sale of all or substantially all assets, your data may be transferred. We will notify you via email and/or a prominent in-app notice at least 30 days prior to any such transfer, and your continued use of the Service will constitute consent.
  • With your explicit consent: We may share data for purposes not covered here with your explicit prior consent (e.g., voice sharing feature described in Section 3.3).
  • Aggregated/anonymized data: We may share de-identified, aggregated statistics (e.g., "X% of users set daily reminders") that cannot reasonably be used to identify you.

7

Data Retention and Deletion

7.1 Retention Periods

Data Category  |  Retention Period
Active account data  |  For the lifetime of your account
Conversation history  |  For the lifetime of your account, or until you delete it in-app
Voice clone samples & model  |  Until you delete via Settings, then removed within 30 days
Raw voice recordings (per turn)  |  Discarded immediately after transcription; not retained
Server logs (IP, errors)  |  Up to 90 days for security/debugging purposes
Account data after deletion  |  Up to 60 days in backup systems, then permanently purged
Payment transaction records  |  7 years (legal/tax compliance requirement)

7.2 Account Deletion

You may delete your Nora account at any time via Settings → Account → Delete Account, or by emailing dilmurodshukurullayev75@gmail.com with the subject "Delete My Account." Upon account deletion:

  • Your email, display name, and profile data will be deleted from Firebase Auth.
  • Your conversation history and user document will be deleted from Firestore.
  • Your voice clone samples and model will be queued for deletion from RunPod (completed within 30 days).
  • We will confirm deletion by email within 10 business days of your request.
  • Anonymized, aggregated data derived from your usage (with no link to your identity) may be retained.
  • Financial transaction records required for tax compliance will be retained per applicable law.

8

Your Rights

Regardless of your location, you have the following rights with respect to your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request that inaccurate data be corrected.
  • Deletion: Request deletion of your personal data (subject to legal retention obligations).
  • Data Portability: Request your conversation history and profile data in a machine-readable format (JSON).
  • Opt-out of communications: Unsubscribe from non-essential communications at any time.
  • Withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, contact us at dilmurodshukurullayev75@gmail.com. We will respond within 30 days. We may require identity verification before processing sensitive requests.

9

GDPR Rights (EEA, UK & Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation (GDPR) or equivalent legislation:

9.1 Legal Bases for Processing

  • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for.
  • Legitimate Interests (Art. 6(1)(f)): Security, fraud prevention, service improvement (where balanced against your rights).
  • Legal Obligation (Art. 6(1)(c)): Compliance with applicable laws (e.g., financial record retention).
  • Consent (Art. 6(1)(a)): Marketing communications, optional feature enhancements — withdrawable at any time.

9.2 Additional GDPR Rights

  • Right to restriction of processing (Art. 18)
  • Right to object to processing based on legitimate interests (Art. 21)
  • Right not to be subject to solely automated decision-making with legal effects (Art. 22) — Note: AI responses from Nora do not constitute automated decisions with legal or similarly significant effects.
  • Right to lodge a complaint with a supervisory authority — You have the right to complain to your local data protection authority if you believe we have violated your rights.

9.3 International Data Transfers

See Section 12 below for details on international transfers and the safeguards we rely on.

10

Children's Privacy

Nora is not intended for children under the age of 13. We do not knowingly collect personal information from children under 13.

In certain jurisdictions (e.g., where age of digital consent is higher), Nora may require users to be at least 16 or 17 years of age. Users should comply with the age requirements applicable in their jurisdiction.

If you are a parent or guardian and believe your child under 13 has created an account or provided personal data to us, please contact us immediately at dilmurodshukurullayev75@gmail.com. We will promptly delete the child's account and all associated data upon verification.

We rely on users to accurately represent their age during account registration. If we become aware that a user is under the minimum age, we will suspend and delete the account without prior notice.

11

Security Measures

We implement industry-standard technical and organizational security measures to protect your data, including:

  • Encryption in transit: All data transmitted between your device and our servers uses TLS 1.2 or higher (HTTPS).
  • Encryption at rest: Firebase Firestore and Firebase Auth data are encrypted at rest by Google.
  • Access controls: Database access is restricted by Firebase Security Rules; only your authenticated user ID can read your own data.
  • API key security: Server-side API keys (OpenAI, Anthropic, RunPod) are stored as environment variables on server infrastructure, not exposed to clients.
  • Secure password hashing: Passwords are hashed using Firebase Auth's built-in bcrypt-based system.
  • Isolated voice data: Voice clone models on RunPod are keyed to user account identifiers and not accessible across accounts.

Important limitation: No security system is impenetrable. We cannot guarantee absolute security of your data. In the event of a data breach affecting your personal information, we will notify affected users within 72 hours of becoming aware of the breach (to the extent practicable and required by applicable law), and provide guidance on protective steps.

12

International Data Transfers

Nora is operated globally. Your data is processed and stored on servers located primarily in the United States (Firebase/Google, RunPod, OpenAI, Anthropic, RevenueCat). If you are located outside the United States, your data will be transferred to, processed, and stored in the United States and potentially other countries that may not provide the same level of data protection as your home country.

For transfers from the EEA, UK, or Switzerland to the United States, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with Google (Firebase), OpenAI, Anthropic, and RevenueCat where applicable.
  • Adequacy decisions where applicable.
  • The legitimate interests of providing a globally available service, balanced against appropriate safeguards.

By using Nora, you consent to the transfer of your personal data to the United States and other countries for the purposes described in this Privacy Policy.

13

Push Notifications and Reminders

Nora may send push notifications and reminders that you explicitly schedule during conversations (e.g., "remind me to meditate at 8 PM"). Push notification tokens (device identifiers) are stored in Firebase Cloud Messaging and linked to your account.

You may disable push notifications at any time through your device's system settings or through Settings → Notifications in the app. Disabling notifications will prevent delivery of reminders you have set, but will not affect the rest of the Service.

14

Cookies and Analytics

The Nora mobile app does not use browser cookies. The app may use device-local storage (AsyncStorage) to cache session tokens and preferences for performance. This local data is not transmitted to third parties.

Firebase and third-party SDKs may collect anonymous usage analytics. Where required by applicable law, we will seek your consent for analytics collection that goes beyond what is strictly necessary for service operation.

15

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page.
  • Send an in-app notification and/or email to registered users at least 14 days before material changes take effect.
  • For significant changes affecting how we use voice data or sensitive information, we will request renewed consent where required by law.

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the changes. If you disagree with the updated policy, please delete your account before the effective date.

16

Contact Us

Data Controller / Developer

Nora AI Voice Companion
Individual Developer


Email: dilmurodshukurullayev75@gmail.com

Website: https://thenora.app

App: com.nora.ai


For data access requests, deletion requests, or privacy concerns, please email the address above with the subject line "Privacy Request — [Your Request Type]". We will acknowledge your request within 5 business days and complete it within 30 days.