← Back to Nora

Privacy Policy

Effective Date: March 17, 2026 · Version 1.0.0

1. Data Controller

Nora Coaching ("we," "us," "our") is the data controller for personal data processed through the Platform. For organizational accounts, the Organization acts as data controller and Nora Coaching acts as data processor for employee data, as defined in our Data Processing Agreement.

Contact: [email protected]

2. Personal Data We Collect

2.1 Account Information

Name, email address, password (hashed), role, department, job title, coaching focus preference.

2.2 Coaching Conversations

Messages exchanged with the AI Coach, including text content. All coaching messages are encrypted at rest using AES-256-GCM with per-user encryption keys. Messages are decrypted only in-memory during active sessions.

2.3 Psychological and Emotional Data

This includes data that may be classified as "special category" or "sensitive" data under applicable laws:

  • EQ assessment responses and competency scores
  • AI-inferred psychological profiles (coaching dossiers)
  • AI-adjusted competency scores based on coaching conversations
  • Session summaries generated by AI (themes, emotional arcs, commitments)
  • Emotional check-ins (mood, energy, emotion type, context)
  • 360-degree feedback scores from peers and managers

2.4 Human Coaching Data

Session bookings, attendance records, ratings, feedback, and group session participation.

2.5 Financial Data

Coach payout details (bank/payment information), session pricing, platform fee records.

2.6 Usage Data

Login timestamps, feature usage patterns, consent records (with IP address and user agent).

3. How We Use Your Data

PurposeLegal Basis (GDPR)
Providing the coaching serviceContractual necessity (Art. 6(1)(b))
AI processing of conversations and profilesExplicit consent (Art. 9(2)(a))
AI-inferred psychological scoringExplicit consent (Art. 9(2)(a))
Aggregate analytics for organizationsLegitimate interest (Art. 6(1)(f))
Safety classification of conversationsLegitimate interest (Art. 6(1)(f))
Service improvement and securityLegitimate interest (Art. 6(1)(f))
Email notifications and nudgesConsent / Legitimate interest

4. AI Processing Disclosure

We use Anthropic's Claude AI models to power the coaching experience:

  • Claude Sonnet — processes coaching conversations in real time (streaming)
  • Claude Haiku — generates session summaries, updates coaching profiles, classifies safety events, and infers EQ score adjustments

Your conversation data is sent to Anthropic's API for processing. Anthropic does not use customer data to train their models. See Anthropic's privacy policy for details on their data handling practices.

AI Score Inference Safeguards: Score adjustments are capped at ±0.2 per competency per session. Total drift from your last human assessment is limited to 1.0. Sessions require at least 4 messages to trigger inference.

5. Data Sharing

5.1 Within Your Organization (B2B)

Organization administrators can see aggregate engagement metrics only — session counts, assessment completion rates, and team-level score averages. They cannot access individual coaching conversations, personal assessments, or emotional check-in data. All coaching content is encrypted with per-user keys that administrators do not have access to.

5.2 With Coaches

Human coaches you book sessions with can see your booking history, attendance, and session notes. They do not have access to your AI coaching conversations.

5.3 Sub-Processors

  • Anthropic — AI processing (conversations, summaries, scoring)
  • Cloud hosting provider — infrastructure and database hosting
  • SMTP provider — transactional email delivery

5.4 We Do Not Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. Cross-Border Data Transfer

Your data may be processed in jurisdictions outside your country of residence, including the United States (for AI processing via Anthropic). We ensure appropriate safeguards are in place, including standard contractual clauses where required by applicable law.

7. Data Retention

  • Account data: Retained while your account is active, plus 30 days after deletion request
  • Coaching conversations: Retained while your account is active. Deleted upon account deletion.
  • Assessment data: Retained while your account is active
  • Audit logs: Retained for 2 years for security and compliance
  • Consent records: Retained for 5 years after consent is given or withdrawn (legal compliance)

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Portability: Export your data in a machine-readable format
  • Withdraw consent: Withdraw AI processing consent at any time (this will disable AI coaching features)
  • Object: Object to processing based on legitimate interest
  • Restrict: Request limitation of processing

To exercise these rights, use the data export and privacy controls in your Profile Settings, or contact [email protected].

9. Cookies

We use strictly necessary cookies for authentication (session management). We do not currently use analytics or marketing cookies. See our Cookie Policy for details.

10. Children's Privacy

The Platform is not intended for users under 16 years of age. We do not knowingly collect data from children. If we become aware that a child under 16 has provided personal data, we will take steps to delete it.

11. Security

We implement industry-standard security measures including:

  • AES-256-GCM encryption for all coaching messages with per-user encryption keys
  • Two-layer key architecture (master KEK + per-user DEK)
  • Bcrypt password hashing (cost factor 12)
  • JWT-based session management with 8-hour expiry
  • Login lockout after 5 failed attempts in 15 minutes
  • Comprehensive audit logging

12. Jurisdiction-Specific Provisions

GDPR (EU/EEA)

Processing of psychological data is based on explicit consent under Art. 9(2)(a). You may withdraw consent at any time via Profile Settings. Withdrawal does not affect the lawfulness of processing before withdrawal.

CCPA (California)

California residents have the right to know what personal information is collected, request deletion, and opt out of sale. We do not sell personal information. To exercise your rights, contact [email protected].

LGPD (Brazil)

Brazilian users have rights to confirmation of processing, access, correction, anonymization, portability, deletion, and information about shared data. Contact [email protected].

PIPEDA (Canada)

Canadian users have the right to access, correct, and withdraw consent for processing of personal information. We obtain meaningful consent before processing sensitive data.

13. Changes to This Policy

We will notify you of material changes via email or in-platform notification at least 30 days before they take effect. Continued use after the effective date constitutes acceptance.

14. Contact

For privacy inquiries: [email protected]