$99/mo forever, for the first 50 users. 31 spots left.Lock your price
Legal · Privacy

Privacy Policy

Effective May 28, 2026

This Privacy Policy explains what personal data Noara collects, why we collect it, how we use it, and the rights you have over it. It applies to the Noara platform, including our Telegram Mini App, PWA, Studio admin interface, sites under noara.bot and tenant custom domains, plus the bots and integrations operated through them.

Read it together with our Terms of Service and Refund Policy.

1. Who we are

Noara is operated by Noara, Inc., a Delaware C Corporation (United States), at 131 Continental Dr, Suite 305, Newark, DE 19713, USA. We act as a data controller for the account data we collect directly from you, and as a data processor for content a tenant uploads through Noara to operate their own business (for that content, the tenant is the controller).

Reach us at support@noara.bot.

2. What data we collect

  • Telegram identifiers, your numeric ID, username, first name, and language code provided when you open the Mini App;
  • Email, when you sign in to Studio, claim an imported account, or submit a deletion request;
  • Phone number, only when you explicitly share it through a Telegram contact button;
  • Profile details, display name and answers you submit to a creator's onboarding flow;
  • Content, messages in a tenant's bot or Instagram Direct, conversations with the AI assistant, course progress, and purchase records;
  • Analytics, bot event log, page views and clicks (anonymised hashes), marketing-pixel events (only when a tenant enables their own Meta Pixel);
  • Payment metadata, amount, currency, status, processor reference, the buyer's hashed identifier, and products purchased (we do not store card data);
  • Technical data, IP address, user-agent, device type, and browser language in server logs.

3. Why we collect it

  • Service operation, authentication, syncing courses across devices, message delivery;
  • Customer support, identifying your account and resolving issues;
  • Analytics for the creator, engagement, conversion, churn;
  • Marketing attribution (per-tenant, opt-in), relaying events to Meta when a tenant activates their own pixel;
  • Legal compliance, fraud prevention, tax records, responses to lawful requests;
  • Platform improvement, debugging and abuse detection (aggregate / anonymised).

4. Legal basis (GDPR Art 6)

  • Contract, we need the data to deliver the service you or your tenant signed up for;
  • Legitimate interest, platform security, fraud prevention, support;
  • Consent, for the 18+ self-attestation, marketing-pixel events, and optional analytics cookies;
  • Legal obligation, tax records and lawful-request responses.

5. How long we keep it

  • Account data, until you ask us to delete it, or after two years of inactivity;
  • Bot event log, for the lifetime of the account (a core analytics feature); aggregated to the customer record after 90 days;
  • AI conversation history, 90 days of raw turns, after which only the compressed memory is kept;
  • Payment records, up to 7 years (tax and accounting requirements);
  • Deletion-request records, 7 years, as proof of deletion;
  • Server access logs, 90 days, then deleted.

6. Who we share data with

We do not sell your personal data. We share it only with subprocessors, each bound by a data processing addendum:

  • Anthropic (US), the AI model behind the assistant and Coach features;
  • Bunny.net (EU), video and file hosting for course content;
  • Resend (US), transactional email delivery;
  • Telegram, the messaging layer for bots and the Mini App;
  • Meta Platforms (US), Instagram Login / Direct integrations and Pixel / CAPI events a tenant forwards;
  • Stripe, payment processing;
  • Cloudflare (US), DNS, CDN, and DDoS protection.

7. Tenants & data isolation

When you interact with a specific creator's bot, app, or Instagram account, that tenant sees your account details, your messages with them, your purchase history with them, and the analytics from your activity in their space. Other tenants do not see your data from a different tenant's space, we enforce strict tenant isolation at the database layer.

8. Cookies & tracking

  • Session cookies / JWT tokens, required to keep you logged in; the service won't work without them;
  • TWA / PWA local storage, caches the tenant's branding and theme preference; not transmitted off-device;
  • Meta Pixel cookies (_fbp, _fbc), set only on storefronts of tenants who activated their own pixel; you can block them in your browser;
  • Storefront experiment cookies, an anonymised hash that keeps you in the same A/B-test variant.

9. Your rights

Under GDPR, UK GDPR, and other applicable data-protection law you have the right to access, rectification, erasure (“right to be forgotten”), restriction, portability, objection, withdrawal of consent, and to lodge a complaint with a supervisory authority.

To exercise any of these rights, email support@noara.bot. We respond within 30 days (extendable by up to 60 days for complex requests, with notice).

10. California privacy rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (as amended by the CPRA) gives you the right to know what personal information we collect and how we use it, to request access to or deletion of that information, to correct inaccurate information, and not to be discriminated against for exercising these rights.

We do NOT sell your personal information, and we do NOT share it for cross-context behavioural advertising in exchange for money. The categories of data we collect and the purposes are described in sections 2-3 above; the parties we share with as service providers are listed in section 6.

To exercise your California rights, email support@noara.bot. We verify the request against your account and respond within the timelines required by law. You may use an authorised agent to submit a request on your behalf.

11. International transfers, children, security

Some subprocessors are located in the US and other countries outside the EEA (Anthropic, Resend, Stripe, Meta, Cloudflare). When data leaves the EEA we rely on Standard Contractual Clauses (SCCs) and technical measures (encryption in transit and at rest).

Noara is not directed to children under 16, and we do not knowingly collect their data. Some tenants operate 18+ content with a self-attestation age gate.

We protect data with industry-standard measures: HTTPS with HSTS, encrypted backups, envelope-encryption of payment and PII fields, rotating JWT keys, rate-limiting on auth endpoints, and tenant isolation at the ORM layer.

12. Changes & contact

We may update this policy when our practices change or the law requires it. The date at the top reflects the most recent revision.

Privacy questions, complaints, or requests: support@noara.bot.