Privacy Policy

1. Overview

Noru ("we," "us," or "our") is a lifestyle and behavioral coaching application designed to support people on GLP-1 medications. We are committed to protecting your privacy and being transparent about how your data is handled.

This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. By using Noru, you agree to the practices described in this policy.

2. What We Collect

Information you provide directly:

• Account details: name, email address, and password
• Profile information: body weight, GLP-1 medication type, and start date
• Daily check-in responses: mood, energy level, nausea, hunger, and protein intake
• Nutrition logs: meal names and protein gram estimates you enter
• Injection day logs and any side effect notes you record
• Emotional food journal entries
• Community posts and responses (posted anonymously)

Information collected automatically:

• Device type, operating system version, and app version
• App usage patterns (screens viewed, features used, session duration) via Mixpanel
• Crash reports and error logs for app stability
• Push notification interaction data via OneSignal

Information we do not collect:

• We do not access your contacts, camera roll, or location without explicit permission
• We do not collect your actual medical records or prescriptions
• We do not sell your data to advertisers or data brokers

3. How We Use Your Data

We use the information we collect to:

• Provide and personalize the Noru app experience
• Calculate your Muscle Risk Score and protein progress
• Generate personalized insights from the Noru AI coach (powered by OpenAI GPT-4)
• Send injection day reminders and daily check-in notifications
• Improve app features and fix bugs using anonymized usage analytics
• Communicate with you about your account, updates, and support
• Process your Noru+ subscription via RevenueCat and Apple/Google billing

We do not use your personal health data to train AI models without your explicit consent. AI coaching responses are generated in real-time and your data is not used to train third-party models.

4. Sharing & Disclosure

We do not sell your personal information. We may share data with the following trusted service providers who are contractually obligated to protect it:

• Supabase — database hosting and authentication (servers in US-West)
• OpenAI — powers the Noru AI coach (data processed per OpenAI's data usage policies for API customers)
• RevenueCat — subscription and in-app purchase management
• OneSignal — push notification delivery
• Mixpanel — anonymized usage analytics

We may disclose information if required by law, court order, or to protect the safety of our users or others.

Community posts are visible to other Noru users. They are posted under an anonymous username — your real name and account details are never displayed publicly.

5. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or compliance purposes.

Anonymized, aggregated analytics data (with no personal identifiers) may be retained indefinitely for product improvement purposes.

6. Security

We take the security of your data seriously. We use industry-standard measures including:

• TLS encryption for all data in transit
• Encrypted storage for sensitive fields in our database
• Secure authentication via Supabase Auth with hashed passwords
• Access controls limiting which team members can access user data

No method of transmission over the internet is 100% secure. If you believe your account has been compromised, please contact us immediately at support@usenoru.app.

7. Children's Privacy

Noru is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you
• Correction: Request correction of inaccurate or incomplete data
• Deletion: Request deletion of your account and personal data
• Portability: Request your data in a machine-readable format
• Opt-out: Opt out of analytics tracking at any time in app Settings

To exercise any of these rights, contact us at support@usenoru.app. We will respond within 30 days.

California residents (CCPA): You have the right to know what personal information is collected, to opt out of the sale of personal information (we do not sell your data), and to request deletion.

9. Health & Wellness Data

Noru collects wellness information such as mood, energy, nausea, protein intake, and body weight that you voluntarily enter. This information is used solely to power the Noru experience for you.

Noru does not integrate with Apple Health, Google Fit, or any other health platform by default. Any future health platform integration will be opt-in only with explicit user consent.

10. Third-Party Services

Noru uses the following third-party services. Each has its own privacy policy:

• Supabase Privacy Policy
• OpenAI Privacy Policy
• RevenueCat Privacy Policy
• OneSignal Privacy Policy
• Mixpanel Privacy Policy

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via the app or by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of Noru after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

If you have questions, concerns, or requests about this Privacy Policy or how we handle your data, please reach out:

• Email: support@usenoru.app
• Website: usenoru.app