Privacy Policy

How Norian collects, uses, and protects your personal information.

Last updated: March 2026 (version 2026-03)

This Privacy Notice for Norian (“we”, “us”, or “our”) describes how and why we access, collect, store, use, and share your personal information when you use our services (“Services”). This notice applies when you visit norian.ai, use the Norian application, or otherwise engage with us.

Norian is a SaaS application that connects to your Gmail account in read-only mode. It monitors email conversations with your clients, automatically detects unresolved commitments and requests, and sends you a daily digest notification. Norian never sends, modifies, or deletes emails on your behalf.

Questions or concerns? Contact us at privacy@norian.ai.


SUMMARY

What we collect: Your email address and job title (from our waitlist form); your Google account name and email address (via OAuth); subscription status from Stripe; usage analytics via PostHog; email metadata derived from your connected Gmail account; and — when the “Scan contacts using personal email addresses” setting is enabled (on by default) — the email addresses of contacts who communicate with you via personal email services such as Gmail or Outlook.

What we do not collect: Raw email bodies (processed in memory only, never stored); sensitive personal data; payment card details (handled by Stripe directly).

Who we share it with: Only the service providers listed in section 4, under written data processing agreements. We never sell your data.

How long we keep it: For as long as your account is active. Deleted within 60 seconds of account deletion.

Your rights: Access, rectify, erase, port, or object to processing of your data at norian.ai/settings or by emailing privacy@norian.ai.


TABLE OF CONTENTS

  1. What information do we collect?
  2. How do we process your information?
  3. What legal bases do we rely on?
  4. When and with whom do we share your information?
  5. Do we use cookies and tracking technologies?
  6. Do we use artificial intelligence?
  7. Google API data and limited use disclosure
  8. Is your information transferred internationally?
  9. How long do we keep your information?
  10. How do we keep your information safe?
  11. What are your privacy rights?
  12. Do United States residents have specific rights?
  13. Beta programme and feedback
  14. How do we update this notice?
  15. How can you contact us?

1. WHAT INFORMATION DO WE COLLECT?

Information you provide directly

  • Waitlist form: email address, job title
  • Support or feedback contact: any information you include in messages to us

Information collected automatically

  • Log and usage data: IP address, browser type, pages visited, features used, timestamps — collected via PostHog (EU-hosted)
  • Approximate location: derived from your IP address for aggregate analytics only. We do not collect GPS or precise location data.
  • Email metadata: from your connected Gmail account — email frequency per client domain, response time patterns, thread length. Computed automatically during processing. No raw email bodies are ever stored.
  • Contact email addresses (personal providers): When the “Scan contacts using personal email addresses” setting is enabled (default on), the full email address of each contact who emails you from a personal email service (e.g. gmail.com, outlook.com, icloud.com) is stored in our database to enable per-contact monitoring. These addresses are retained until you delete your account. You can disable this at any time in your account settings.

Information from third parties

  • Google (via OAuth): your Gmail address and Google account name, used to create and manage your Norian account
  • Stripe: customer reference ID and subscription status only. We never receive or store your card details or billing address.
  • Nylas: acts as an intermediary for Gmail API access. Email message content is accessed transiently in memory only — never stored permanently.

Payment data. All payment processing is handled by Stripe. You can find their privacy notice at stripe.com/privacy. Norian receives only a customer ID and subscription status.

Sensitive information. We do not process sensitive personal information (health data, ethnicity, religion, biometrics, etc.).

Google API. Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.


2. HOW DO WE PROCESS YOUR INFORMATION?

We process your personal information for the following purposes:

  • Create and manage your account; authenticate your identity
  • Connect to your Gmail account and monitor email threads for unresolved commitments and requests (core service functionality)
  • Send daily digest email notifications containing flagged items
  • Send administrative communications (system alerts, policy updates, account notices)
  • Respond to your support enquiries
  • Analyse anonymised usage patterns to improve the service (via PostHog)
  • Detect and prevent fraud or abuse
  • Improve extraction accuracy by analysing feedback signals (items marked “not relevant” or added manually) — using account IDs only, no email content
  • Identify inactive accounts for capacity management and beta programme administration
  • Request feedback from beta users in accordance with the beta participation agreement
  • Comply with legal obligations

3. WHAT LEGAL BASES DO WE RELY ON?

This section is primarily relevant to EEA, UK, and Swiss residents under the GDPR and equivalent laws.

  • Performance of a contract (Article 6(1)(b) GDPR): Processing your Gmail data and sending digest notifications is necessary to deliver the service you signed up for. This is our primary legal basis for core processing activities.
  • Legitimate interests (Article 6(1)(f) GDPR): Analytics, fraud prevention, service improvement, extraction accuracy optimisation, and inactive account management. We have assessed that these interests do not override your fundamental privacy rights, given the limited and anonymised nature of the data involved.
  • Consent (Article 6(1)(a) GDPR): Beta feedback communications, where free beta users have explicitly opted in. You can withdraw consent at any time by contacting privacy@norian.ai.
  • Legal obligation (Article 6(1)(c) GDPR): Where processing is required by applicable law.

Canada: We process your information on the basis of express or implied consent, or where otherwise permitted under applicable Canadian privacy law (PIPEDA / Law 25). You may withdraw consent at any time by contacting us.


4. WHEN AND WITH WHOM DO WE SHARE YOUR INFORMATION?

We share personal information only with the sub-processors listed below, under written data processing agreements. We do not sell, rent, or trade your personal information.

Provider | Purpose | Data shared | Location | Privacy policy
Nylas | Gmail API intermediary — OAuth token management and email access | OAuth grant ID; email messages accessed transiently in memory only | EU (api.eu.nylas.com) | nylas.com
OpenAI | AI text analysis — commitment and request detection | Pre-processed one-line summaries only. No raw email bodies. No email addresses. | United States (SCCs apply) | openai.com
Supabase | Database hosting | Account data, extracted summaries, email metadata, subscription status | EU (Frankfurt) | supabase.com
Vercel | Application hosting | Application traffic, IP addresses, usage logs | EU | vercel.com
Stripe | Payment processing | Customer reference ID, subscription status. Stripe independently collects payment details — we never see them. | US / EU (SCCs apply) | stripe.com
Resend | Transactional email delivery | Your email address; digest notification content | EU | resend.com
PostHog | Product analytics | Anonymised usage events, IP address, browser type, account ID. No email addresses or names. | EU (eu.i.posthog.com) | posthog.com

We may also disclose your information: (a) if required by law, court order, or governmental authority; (b) to protect the rights, property, or safety of Norian, our users, or the public; or (c) in connection with a merger, acquisition, or sale of assets, in which case we will notify you and require the receiving party to honour this policy.


5. DO WE USE COOKIES AND TRACKING TECHNOLOGIES?

We use two categories of cookies:

  • Strictly necessary: Session and authentication cookies (Supabase Auth). Required for the application to function. Cannot be disabled.
  • Analytics: PostHog cookies to track anonymised usage patterns for product improvement only — not for advertising.

We do not use advertising, targeting, or social media tracking cookies.

For full details, see our Cookie Notice: norian.ai/cookie-policy.


6. DO WE USE ARTIFICIAL INTELLIGENCE?

Yes. We use OpenAI's GPT-4o-mini to analyse email content and extract structured data about commitments and requests. This is central to the core functionality of Norian.

What happens to your email data during AI processing:

  • Raw email bodies are sent to the OpenAI API transiently for analysis, then immediately discarded. They are never stored in our database.
  • Only the extracted one-line summary and structured metadata (commitment type, confidence score) are stored — not the original email text.
  • OpenAI does not use API-submitted data to train its models under our API agreement.
  • We do not use Gmail data to train, fine-tune, or improve any AI or machine learning model.

No automated decisions with legal effect. Norian's AI flags items for your review. You always decide what action to take. No automated decisions with legal or significant personal effects are made.

Opting out: AI processing is necessary to deliver the core service. To stop all processing, disconnect your Gmail account or delete your account from norian.ai/settings.


7. GOOGLE API DATA AND LIMITED USE DISCLOSURE

Norian's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We access your Gmail account via read-only OAuth authentication using the gmail.readonly scope — the minimum necessary to provide the service. We access your emails solely to detect unresolved commitments and requests between you and your clients.

Specifically:

  • We do not store raw email bodies permanently. Email content is processed transiently in memory and immediately discarded after extraction.
  • We store only structured summaries, email metadata (sender domain, timestamp, response times), account settings, and — when the personal email contacts setting is enabled — sender email addresses of contacts who use personal email providers.
  • We do not use Gmail data to develop, improve, or train any AI or machine learning model.
  • We do not use Gmail data for advertising.
  • We do not sell, rent, or share Gmail data with third parties, except as strictly necessary to provide the service: Nylas (email access intermediary) and OpenAI (text analysis, under strict data processing terms).
  • No human at Norian accesses Gmail data except where required for security investigations, legal compliance, or at your explicit request.
  • Gmail data is used exclusively to provide the Norian monitoring service described in this policy.

8. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?

Our primary infrastructure is EU-based (Netherlands). We transfer data to the United States only via OpenAI (AI text analysis) and Stripe (payment processing).

These transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) in accordance with GDPR Article 46. Our SCCs and sub-processor agreements can be provided upon request at privacy@norian.ai.


9. HOW LONG DO WE KEEP YOUR INFORMATION?

We retain personal information only for as long as your account is active. Specific retention periods:

  • Raw email bodies: Never stored — discarded in memory immediately after processing
  • Extracted summaries and metadata: Until account deletion
  • Digest action tokens: 48 hours (single-use, expire on use or timeout)
  • Account deletion log: Up to 12 months after deletion, for fraud prevention and security purposes only
  • Analytics data (PostHog): Per PostHog's retention policy, linked to anonymised account IDs only

When you delete your account, all personal data is permanently deleted within 60 seconds. No personal data is retained after account deletion, except where required by applicable law (e.g. tax or accounting obligations).


10. HOW DO WE KEEP YOUR INFORMATION SAFE?

Our security measures include:

  • Encryption in transit: All connections use HTTPS. No unencrypted connections are permitted.
  • Row Level Security (RLS): Enforced at the database level on every table. Users cannot access each other's data — this is architecturally enforced.
  • EU-only primary storage: All data at rest is stored in EU-based infrastructure.
  • No permanent email storage: Raw email bodies are processed in memory only and immediately discarded.
  • Restricted service credentials: The database service role key is restricted to server-side background jobs only. It is never exposed to client-side code.
  • Single-use tokenised action links: Digest email action links are cryptographically signed, single-use, and expire after 48 hours.

No electronic transmission or storage can be guaranteed 100% secure. If you become aware of a potential security issue, please notify us at privacy@norian.ai.


11. WHAT ARE YOUR PRIVACY RIGHTS?

Under the GDPR and equivalent laws (EEA, UK, Switzerland, Canada), you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your personal data
  • Restriction — ask us to limit how we process your data
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — at any time, for consent-based processing (e.g. beta feedback emails)

To exercise your rights, visit norian.ai/settings or email privacy@norian.ai. We will respond within 30 days in accordance with GDPR Article 12.

If you believe we are unlawfully processing your personal data, you have the right to lodge a complaint with the Dutch data protection authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl). UK residents may contact the ICO.

Withdrawing consent does not affect the lawfulness of any processing carried out before the withdrawal.


12. DO UNITED STATES RESIDENTS HAVE SPECIFIC RIGHTS?

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional rights including the right to know, access, correct, delete, and port your personal information, and to opt out of profiling or sale of personal data.

We do not sell personal data, use it for targeted advertising, or create consumer profiles.

Categories of personal information collected (past 12 months)

Category | Collected
A. Identifiers (email address, IP address, account name) | YES
B. Personal information (California Customer Records) — name, job title | YES
C. Protected classification characteristics | NO
D. Commercial information (subscription status) | YES
E. Biometric information | NO
F. Internet or network activity (usage analytics) | YES
G. Geolocation data (approximate, from IP) | YES
H. Audio, electronic, sensory information | NO
I. Professional information (job title) | YES
J. Education information | NO
K. Inferences / consumer profiles | NO
L. Sensitive personal information | NO

To exercise your rights, visit norian.ai/settings or email privacy@norian.ai. To appeal a decision, email privacy@norian.ai. If your appeal is denied, you may contact your state attorney general.

California “Shine the Light”: We do not disclose personal information to third parties for their direct marketing purposes.


13. BETA PROGRAMME AND FEEDBACK

Free beta users have agreed, as a condition of free access, to participate in occasional feedback requests. This may include email surveys or short interviews. Participation in individual activities is voluntary beyond the initial consent. Beta access may be deactivated for accounts inactive for an extended period, in accordance with the beta participation agreement accepted at signup.


14. HOW DO WE UPDATE THIS NOTICE?

We may update this notice from time to time. The version date at the top of this document identifies the current version (format: YYYY-MM). We conduct an annual review in line with CASA recertification requirements.

For material changes — particularly those affecting how we process Google user data or that require fresh consent under GDPR — we will notify you by email and display a notice within the application before changes take effect. Continued use of the service after notification constitutes acceptance. If you do not accept material changes, you may disconnect your Gmail account or delete your account from norian.ai/settings.


15. HOW CAN YOU CONTACT US?

For privacy-related enquiries, data subject requests, or questions about this notice:

Email: privacy@norian.ai
Post: Norian, Ruyschstraat 31A, Amsterdam, Noord-Holland 1091 BS, Netherlands

We aim to respond to all privacy enquiries within 30 days. For data subject access requests under GDPR, you may also use the self-service tools at norian.ai/settings.

To report a security vulnerability or suspected data breach, email privacy@norian.ai immediately. We are required to notify the Autoriteit Persoonsgegevens of qualifying breaches within 72 hours.