Read-only access: Never sends, deletes, or modifies email.
Nothing stored: One-line summaries; bodies discarded.
EU infrastructure: All data on European servers. GDPR.
No AI training: OpenAI DPA signed. Your data never trains models.
Norian connects to your inbox in read-only mode via Nylas, our email infrastructure partner. We use the minimum permissions needed to read your messages — never to send, modify, delete, draft, or archive.
Email content is processed in memory and discarded immediately after extraction. We extract a one-line structured summary (commitment or request), then throw away the original. Your email bodies are never written to our database.
The only things stored are: the one-line summary, the email sender domain, a timestamp, and a link back to the original message in your inbox.
All data at rest is stored in EU-based infrastructure (Supabase Frankfurt, Vercel EU). Your data never leaves European servers, except for AI text analysis (OpenAI, via Standard Contractual Clauses) and payment processing (Stripe).
Norian uses OpenAI's GPT-4o-mini to extract structured summaries from your client emails. Only the extracted text is sent to OpenAI, never the original email body, your contacts, or metadata about you or your clients.
We have signed OpenAI's Data Processing Addendum, which contractually prohibits OpenAI from using your data to train models. Processing happens under EU Standard Contractual Clauses.
Every database table has Row Level Security (RLS) enforced at the database level. Users cannot access each other's data. This is architecturally enforced, not just a coding convention. Even if a bug existed in the application layer, the database would reject cross-account queries.
The action links in Norian's digest emails (Mark as done, Snooze, Not relevant) use cryptographically unique, single-use tokens. Each token expires after 48 hours and can only be used once. A replayed or forwarded link does nothing.
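One way to build single-use, expiring action tokens of the kind described above, as an added example that is not Norian's own code. The class, the action names and the in-memory store are assumptions made for illustration; a real service would keep the rows in its database and do the check-and-mark in one transaction.

```python
import hashlib
import secrets
import threading

TOKEN_TTL_SECONDS = 48 * 3600  # 48-hour lifetime stated on the page


class ActionTokenStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self):
        self._rows = {}  # sha256(token) -> [action, item_id, expires_at, used]
        self._lock = threading.Lock()

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table cannot be turned back into live links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, action, item_id, now):
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires_at = now + TOKEN_TTL_SECONDS
        self._rows[self._digest(token)] = [action, item_id, expires_at, False]
        return token

    def redeem(self, token, now):
        """Return (action, item_id) once; None if unknown, expired or already used."""
        with self._lock:  # check-and-mark must be atomic, or two clicks both succeed
            row = self._rows.get(self._digest(token))
            if row is None or row[3] or now >= row[2]:
                return None
            row[3] = True
            return row[0], row[1]


def demo():
    store = ActionTokenStore()
    t0 = 1_700_000_000  # constructed timestamp
    done = store.issue("mark_done", "item-1", t0)
    snooze = store.issue("snooze", "item-2", t0)
    return [
        store.redeem(done, t0 + 60),                   # first click succeeds
        store.redeem(done, t0 + 120),                  # replayed or forwarded link
        store.redeem(snooze, t0 + TOKEN_TTL_SECONDS),  # clicked at expiry
        store.redeem("not-a-real-token", t0),          # guessed token
    ]


if __name__ == "__main__":
    print(demo())
```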
You can disconnect your inbox and delete your account from Settings at any time. Account deletion is OTP-verified and purges all personal data within 60 seconds. Nothing is retained after deletion, except where required by applicable law.
The database service role key (which bypasses Row Level Security) is restricted to server-side background jobs only. It is never sent to a browser, never logged, and never used in client-side code.
Norian shares data only with the sub-processors listed in our Privacy Policy, under written data processing agreements. We never sell, rent, or trade personal data.
To report a security vulnerability or ask a question: privacy@norian.ai