1. Who we are
Kore Zero Labs ("we," "us," or "our") operates the Nori product and related services described in our Terms of Service. Kore Zero Labs is incorporated in the Republic of Rwanda and is the data controller for personal information processed through Nori, except where we process data solely on your documented instructions as a processor.
Contact us about privacy at mynoriappsupport@mynoriapp.com.
2. Scope
This Privacy Policy applies to personal information we collect when you visit our website, create an account, connect integrations, use dashboard features, or communicate with us. It does not apply to third-party services you connect (such as Google or Meta), which have their own privacy policies.
3. Information we collect
Account and identity information
- Email address, display name, phone number (if provided), and authentication metadata.
- Session tokens stored in secure httpOnly cookies after sign-in.
- Account preferences, plan status, and usage counters related to billing limits.
Connected service data
- Gmail: message metadata and content needed for triage, search, drafts, briefings, alerts, and optional Autonomous Gmail processing.
- Google Calendar (via Gmail connect): event titles, times, and locations for briefings and nudges.
- WhatsApp: recent messages and chat metadata you authorize through the integration.
- OAuth tokens required to maintain connections, stored by our backend infrastructure provider.
Content you create in Nori
- Notes, tasks, alert rules, feedback, AI chat history (if memory is enabled), and workspace settings.
- Autonomous Gmail request notes, approval status, and audit records of automated actions (sent, drafted, or skipped).
Technical and security information
- Browser type, device information, IP address, and server logs for security, abuse prevention, and diagnostics.
- Push notification subscription endpoints and delivery metadata if you enable push.
- Security audit events for authentication and sensitive actions.
Payment information
- If you purchase a paid plan, payment processors handle card or wallet details. We receive billing status, transaction references, and limited customer identifiers—not full payment card numbers.
4. How we use information
We use personal information to:
- Provide, operate, maintain, and secure the service.
- Authenticate you and enforce plan limits, feature gates, and admin controls.
- Sync, display, summarize, and draft communications from connected channels.
- Run optional Autonomous Gmail background processing when you request access, are approved, choose a mode, and enable the feature.
- Send verification codes, alert emails, push notifications, and service-related messages.
- Process payments and manage subscriptions.
- Detect abuse, fraud, and security incidents.
- Improve reliability and product quality through aggregated or de-identified analytics where possible.
- Comply with law and respond to lawful requests.
5. Legal bases (EEA, UK, and similar regions)
Where GDPR or similar laws apply, we rely on the following legal bases:
- Contract: to provide the service you request, including account management and connected integrations.
- Legitimate interests: to secure the platform, prevent abuse, improve the product, and communicate about the service, balanced against your rights.
- Consent: where required—for example, optional push notifications, certain marketing messages, or connecting integrations when consent is the appropriate basis.
- Legal obligation: to comply with applicable law, tax, accounting, or regulatory requirements.
You may withdraw consent where processing is consent-based without affecting the lawfulness of prior processing.
6. AI and automated processing
Selected message, calendar, and workspace context may be sent to AI providers (such as Google Gemini) to produce summaries, drafts, briefings, alerts, and autonomous reply suggestions. Do not connect accounts or submit content you are not permitted to share with us or our subprocessors.
Autonomous Gmail involves automated reading of unread Gmail and automated drafting or sending of replies according to your selected mode. This is not solely automated decision-making with legal or similarly significant effects on you as a Nori user; however, messages sent from your Gmail account may affect third parties. You are responsible for reviewing autonomous behavior and disabling the feature if it is not appropriate for your use case.
AI providers process data under their own terms and privacy policies.
7. How we share information
We do not sell your personal information. We do not share it for cross-context behavioral advertising.
We disclose information only to:
- Service providers / subprocessors that host infrastructure, databases, authentication, email delivery, AI APIs, payment processing, and analytics necessary to operate Nori (for example, hosting providers, InsForge or similar backend services, Resend or similar email providers, Google APIs, and payment processors such as Flutterwave or Stripe when enabled).
- Connected platforms you authorize (Google, Meta/WhatsApp) under permissions you grant.
- Professional advisers (lawyers, accountants, insurers) under confidentiality obligations.
- Business transfers in connection with a merger, acquisition, financing, or sale of assets, subject to this policy or equivalent protections.
- Authorities when required by law, subpoena, court order, or to protect rights, safety, and security.
We require service providers to process data only for authorized purposes and to apply appropriate security measures.
8. International transfers
We and our providers may process data in the United States and other countries where they operate. If you are located in the EEA, UK, or another region with data transfer restrictions, we rely on appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other mechanisms permitted by law.
By using Nori where permitted, you understand your information may be transferred internationally.
9. Data retention
We retain personal information while your account is active and as needed to provide the service. When you delete your account, we delete or anonymize associated records within a reasonable period, except where we must retain data for legal compliance, dispute resolution, fraud prevention, security, or enforcement of our terms—including blocked identifiers on deleted accounts to prevent re-registration abuse.
Retention of connected-provider data also depends on your integration settings and the provider's own policies.
10. Security
We use HTTPS, authenticated API routes, httpOnly session cookies, access controls on user-owned data, and provider-side encryption where available. No method of transmission or storage is completely secure. You use the service at your own risk and should protect your credentials and devices.
If we become aware of a personal data breach likely to pose a risk to your rights, we will notify you and/or regulators as required by applicable law.
11. Your choices and rights
Depending on your location, you may have the right to:
- Access, correct, or delete personal information we hold about you.
- Object to or restrict certain processing, or withdraw consent where processing is consent-based.
- Receive a portable copy of information you provided in a structured, commonly used format.
- Opt out of marketing emails using unsubscribe links where provided.
- Disable push notifications in device or app settings.
- Disconnect integrations to stop new data sync from those providers.
- Delete your account permanently from dashboard settings.
To exercise rights, email mynoriappsupport@mynoriapp.com or use the in-app feedback page. We may need to verify your identity before responding. We will respond within timeframes required by applicable law.
12. California privacy rights (CCPA/CPRA)
If you are a California resident, you have additional rights including:
- Right to know the categories and specific pieces of personal information collected, sources, purposes, and recipients.
- Right to delete personal information, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell or share personal information for cross-context behavioral advertising.
- Right to limit use of sensitive personal information where applicable; we use sensitive information only as necessary to provide the service.
- Non-discrimination for exercising privacy rights.
Categories collected in the last 12 months may include identifiers, commercial information (subscription status), internet activity (usage logs), and inferences from AI features. We disclose these categories to service providers as described above.
Authorized agents may submit requests on your behalf with proof of authorization. We do not knowingly sell the personal information of consumers under 16.
13. EEA/UK complaints
If you are in the EEA or UK and believe we have not addressed your concern, you may lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first so we can try to resolve the issue.
14. Cookies and similar technologies
We use essential cookies and similar technologies to maintain sessions and secure the service. We do not use advertising cookies on the core Nori application. Your browser may store additional data according to its settings.
15. Children
Nori is not directed to children under 16, and we do not knowingly collect personal information from children. If you believe a child has provided us data, contact us and we will take appropriate steps to delete it.
16. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will change when we do. Material changes may also be communicated in the app or by email where required by law. Continued use after the effective date constitutes acknowledgment of the updated policy.
17. Contact
Privacy questions or rights requests: email mynoriappsupport@mynoriapp.com.