$99/mo forever, for the first 50 users. 31 spots left.Lock your price
Legal · Data Processing

Data Processing Agreement

Effective June 6, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Noara, Inc., a Delaware C Corporation (“Noara”, the “Processor”), and the creator operating a tenant on Noara (the “Tenant”, the “Controller”). It governs Noara's processing of the personal data of the Tenant's end customers, carried out on the Tenant's behalf.

By using Noara as a Tenant, you accept this DPA. It reflects Article 28 of the GDPR (and the UK GDPR). For personal data Noara collects as its own controller (Tenant account data), the Privacy Policy applies instead.

1. Roles & scope

For the personal data of end customers that a Tenant collects and processes through Noara (messages, profiles, purchase records, analytics), the Tenant is the Controller and Noara is the Processor. Noara processes that data only to provide the service and only on the Tenant's documented instructions — which the configuration of the Tenant's Noara account, together with these Terms, constitute.

Noara acts as its own Controller for Tenant account data (billing, login, support); that processing is governed by the Privacy Policy, not this DPA.

2. Subject matter, duration, nature & purpose

Subject matter: processing of end-customer personal data to operate the Tenant's storefront, courses, community, inbox, funnels, automations, payments, and AI features.

Duration: for as long as the Tenant maintains an active Noara account, plus the retention periods set out in the Privacy Policy.

Nature & purpose: storage, hosting, transmission, analysis, and AI-assisted processing, strictly to deliver the Tenant's app and business operations.

3. Categories of data & data subjects

Data subjects: the Tenant's end customers, leads, and visitors.

Categories of personal data: identifiers (Telegram ID, username, email, phone when shared), profile details, messages and conversations, course progress, purchase metadata, and analytics events. Noara does not require special-category data; Tenants must not route such data through Noara without their own lawful basis.

4. Noara's obligations as processor

Noara will:

  • process personal data only on the Tenant's documented instructions, unless required by law (in which case Noara informs the Tenant where permitted);
  • ensure persons authorised to process the data are bound by confidentiality;
  • implement appropriate technical and organisational security measures (Art 32): encryption in transit and at rest, envelope-encryption of payment and PII fields, rotating keys, access controls, and tenant isolation at the database layer;
  • assist the Tenant, taking into account the nature of processing, in responding to data-subject requests and in ensuring security, breach notification, and data-protection impact assessments;
  • make available the information necessary to demonstrate compliance with Art 28.

5. Sub-processors

The Tenant grants general authorisation for Noara to engage sub-processors. The current sub-processors are those listed in the Privacy Policy (Anthropic, Bunny.net, Resend, Telegram, Meta, Stripe, Cloudflare), each bound by data-protection terms no less protective than this DPA.

Noara will give notice of intended changes to its sub-processors (via the Privacy Policy and in-app notice) and a reasonable opportunity to object on legitimate data-protection grounds.

6. Data-subject requests

If Noara receives a request directly from a Tenant's end customer (access, deletion, rectification, etc.), it will, where it can identify the relevant Tenant, refer the request to that Tenant and assist in responding. Tenants can also action most requests themselves through Studio and the built-in deletion tools.

7. Personal-data breach

Noara will notify the affected Tenant without undue delay after becoming aware of a personal-data breach affecting that Tenant's end-customer data, with the information the Tenant reasonably needs to meet its own notification obligations.

8. International transfers

Some sub-processors are located outside the EEA/UK (Anthropic, Resend, Stripe, Meta, Cloudflare). Where personal data is transferred outside the EEA/UK, Noara relies on Standard Contractual Clauses (SCCs) and the technical measures described above.

9. Deletion & return of data

On termination of the Tenant's account, Noara will — at the Tenant's choice — delete or return the end-customer personal data it processes on the Tenant's behalf, subject to the retention periods required by law (e.g. payment records) set out in the Privacy Policy, after which it is deleted.

10. Audits & information

On reasonable written request, and no more than once per year (unless a supervisory authority requires otherwise), Noara will make available the information reasonably necessary to demonstrate compliance with this DPA. Audit obligations are met first by Noara's documentation and security descriptions; any on-site audit strictly required is arranged with reasonable notice and under confidentiality.

11. Liability & governing law

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. This DPA is governed by the laws of the State of Delaware, USA, save where the GDPR / UK GDPR mandates otherwise for the protection of data subjects.

Questions: support@noara.bot.