Privacy Policy
Last Updated: 11/28/2025

GDPR | HIPAA | CCPA

1. Introduction & Scope

Nora (currently operating as a pre-incorporation entity in Taiwan, hereinafter "Nora," "we," "us," or "our") provides a hybrid wellness ecosystem connecting users with independent wellness professionals and AI-powered health tracking tools (the "Service").

This Privacy Policy describes how we collect, use, process, and disclose your information, including sensitive health data, across our mobile application, website (findnora.com), and AI dashboard.

This Policy applies to all users globally, including:

  • Clients: Individuals seeking wellness guidance.
  • Professionals: Nutritionists, trainers, and coaches providing services.
  • Visitors: Individuals browsing our public site.

By using our Service, you agree to the collection and use of information in accordance with this Policy. If you do not agree with this Policy, especially regarding the processing of sensitive health data, please do not use our Service.

2. Information We Collect

A. Information You Provide Directly

1. Identity & Profile Data:

  • Name, email address, phone number.
  • Profile photography (shared with Professionals).
  • Date of birth (for age verification and health calculations).

2. Sensitive Health & Wellness Data ("Special Category Data"):

  • Biometrics: Height, weight, body composition, gender.
  • Nutrition: Caloric intake logs, meal photos, dietary restrictions, allergies.
  • Activity: Exercise logs, step counts, sleep patterns.
  • Psychological: Mood logs, stress indicators, journal entries.

3. Payment Information:

  • Credit card details and billing address (processed securely via Stripe; we do not store raw credit card numbers).

B. Information We Collect Automatically

  1. Device Data: Device type, operating system, IP address, and app crash logs.
  2. Usage Data: Feature interaction (e.g., "Meal Prep" usage frequency), session duration, and navigation paths.
  3. AI Interactions: Text prompts, voice queries, and conversations with the Nora AI assistant.

C. Information from Third Parties

  1. Wearables & Integrations: Data synced from Apple Health, Google Fit, Oura Ring, or MyFitnessPal (only if you explicitly authorize the connection).
  2. Professional Notes: Notes, plans, and assessments created by the Professionals you hire on the platform.

3. How We Use Your Information

A. Service Provision (The "Nora Triangle")

  • To Connect You: We display your profile and relevant health data only to the specific Professionals you actively hire or book.
  • To Personalize via AI: We use your data to generate Daily AI Summaries, Automated Grocery Lists, and Trend Analysis.
  • To Process Payments: To handle subscription fees and Professional service charges.

B. Service Improvement

  • AI Training (Aggregated): We use de-identified, aggregated data to improve our machine learning models (e.g., teaching the AI to better recognize "Quinoa Salad" from photos). We do NOT use your private, direct messages with Professionals to train our public models.

C. Communications

  • Transactional: Appointment reminders, payment receipts, security alerts.
  • Marketing: Updates on new features or newsletters (opt-out available).

4. Legal Basis for Processing (GDPR/UK)

For users in the EEA and UK, we process data based on:

  • Contract Performance (Art. 6(1)(b)): To provide the matchmaking service and AI tools you signed up for.
  • Explicit Consent (Art. 9(2)(a)): For the processing of Special Category Data (Health Data). You grant this consent when you onboard and sync your health devices.
  • Legitimate Interests (Art. 6(1)(f)): For fraud detection, security, and product improvement.

5. Sharing Your Information

A. With Wellness Professionals (Core Feature)

This is the core of our Service. When you book a Professional, you grant them access to:

  • Your Dashboard (Logs, Biometrics, AI Summaries).
  • Your Chat/Video capabilities.
  • Limitation: You can revoke a Professional’s access at any time by terminating the service relationship via the app.

B. Service Providers

We work with trusted third-party sub-processors:

Category      | Providers             | Purpose
AI Models     | OpenAI, Google Gemini | Generating health summaries and meal plans.
Cloud Hosting | Google Cloud / AWS    | Secure data storage and database management.
Payment       | Stripe                | Processing subscription and session fees.
Analytics     | Google Analytics      | App performance and user journey tracking.

C. Legal & Safety

We may disclose information if required by law (subpoena, court order) or to protect the safety of any person (e.g., if we detect an imminent risk of self-harm in user logs).

6. International Data Transfers

Nora is a global platform.

  • Primary Processing: Your data may be processed in the United States (where major cloud providers host servers) and Taiwan (where our operations team is located).
  • Safeguards: We rely on Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) with our sub-processors to ensure data protection aligns with GDPR and Canadian standards.

7. Data Security

We employ enterprise-grade security measures:

  • Encryption: Data is encrypted in transit (TLS 1.3) and at rest (AES-256).
  • Access Control: Professionals only see data for clients they are currently booked with.
  • Strict Internal Access: Only authorized engineering staff have access to the backend database.

8. Data Retention

  • Active Accounts: We retain your health history for as long as your account is active to provide longitudinal trends.
  • Deleted Accounts: If you delete your account, we delete your personal identifiers within 30 days.
  • Backups: Encrypted database backups may retain data for up to 90 days before being overwritten.

9. General User Rights

Regardless of your location, you can:

  • Access Your Data: Request a copy of the data we hold about you.
  • Correct Your Data: Update inaccurate or incomplete information via the app.
  • Delete Your Data: Request deletion of your account and associated data.
  • Manage Communications: Opt-out of marketing emails.

10. Jurisdiction-Specific Provisions (Additional Rights by Region)

A. European Economic Area (EEA) and United Kingdom (UK) - GDPR Rights

If you are located in the EEA or UK, you have the following additional rights:

  • Right to Rectification: Correct inaccurate personal data.
  • Right to Erasure ("Right to be Forgotten"): Request deletion of your data under certain circumstances.
  • Right to Restrict Processing: Request that we limit how we use your data.
  • Right to Data Portability: Receive your data in a structured, machine-readable format.
  • Right to Object: Object to processing based on legitimate interests.
  • Rights Related to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning you. Note: Nora's AI provides suggestions, not legal or medical decisions.
  • Right to Withdraw Consent: Where we rely on consent (e.g., for health data), you may withdraw it at any time.

B. California, USA - CCPA/CPRA Rights

If you are a California resident, the CCPA/CPRA grants you specific rights:

  • Right to Know: Request the categories and specific pieces of personal information we have collected, sources, and purposes.
  • Right to Delete: Request deletion of personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale/Sharing: Nora does NOT sell your personal information. We do not share your health data with third parties for cross-context behavioral advertising.
  • Right to Correction: Correct inaccurate personal information.
  • Right to Limit Use of Sensitive Personal Information: You have the right to limit the use of your sensitive personal information (health data, precise geolocation) to that which is necessary to perform the services.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

C. Canada - PIPEDA Rights

We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA):

  • Right to Access: You have the right to access the personal information we hold about you and to be informed of its use and disclosure.
  • Right to Correction: You may challenge the accuracy and completeness of your information and have it amended as appropriate.
  • Right to Withdraw Consent: You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice.
  • Accountability: Our designated Privacy Officer is responsible for our compliance with these principles.

D. Brazil - LGPD Rights

Brazilian residents have rights similar to the GDPR under the Lei Geral de Proteção de Dados (LGPD), including:

  • Confirmation of the existence of processing.
  • Access to data.
  • Correction of incomplete, inaccurate, or out-of-date data.
  • Anonymization, blocking, or elimination of unnecessary or excessive data.
  • Portability of data to another service provider.
  • Elimination of personal data processed with the consent of the data subject.
  • Information about public and private entities with which we have shared data.

11. AI & Automated Processing Transparency

  • Not Medical Advice: The Nora AI uses probabilistic models. It is not a doctor. Do not use Nora for medical emergencies.
  • Human-in-the-Loop: We encourage users to have their connected Professional review any major AI-generated changes to their diet or fitness plan.
  • Opt-Out: AI processing is integral to the Service. If you do not wish for your data to be processed by AI, you must cease using the Service.

12. Children's Privacy

Nora is strictly for users aged 18+. We do not knowingly collect data from minors. If we discover a user is under 18, we will immediately delete the account and all associated data.

13. Changes to This Policy

We may update this Privacy Policy.

  • Minor Changes: Will be posted here with an updated date.
  • Material Changes: We will notify you via email or an in-app prompt (e.g., "We have updated how we share data with Professionals").

14. Contact Information

For any privacy inquiries, requests to exercise rights, or complaints, please contact:

  • Nora Privacy Team
  • Email: privacy@findnora.com
  • Attn: Data Protection Officer (DPO)