Privacy Policy

Nori Labs, Inc.
Effective Date: 2026-03-23


This Privacy Policy explains how Nori Labs, Inc. ("Company," "we," "us," or "our") collects, uses, stores, and shares personal data when you use Justifi ("Service"), available at [PRODUCT_URL].

Audit-proof timesheets for CDTI and ACCIÓ projects.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).


1. Data We Collect

1.1 Account & Authentication Data

| Data | Purpose | Basis (GDPR) |
|------|---------|--------------|
| Email address | Account creation, login, communications | Contract performance |
| Name (if provided) | Account personalization | Contract performance |
| OAuth provider ID (Google, GitHub, etc.) | Federated authentication | Contract performance |
| Hashed password (if email/password auth) | Authentication | Contract performance |
| Session token | Maintaining your authenticated session | Contract performance |

Authentication is handled via Neon Auth / Better Auth. Session tokens are stored server-side in our PostgreSQL database.

1.2 Billing Data

| Data | Purpose | Basis (GDPR) |
|------|---------|--------------|
| Stripe customer ID | Link your account to payment records | Contract performance |
| Subscription status & plan | Provision correct feature access | Contract performance |

All payment information (card numbers, billing addresses) is collected and processed exclusively by Stripe. We never receive, store, or transmit your card details. See Stripe's Privacy Policy.

1.3 Product-Specific Data

  • Data related to mvp_features_prioritized

Legal basis (GDPR): Contract performance — this data is necessary to provide the Service's core functionality.

1.4 Analytics Data (Opt-In Only)

We use PostHog for product analytics. PostHog tracking is disabled by default and only activated if you explicitly opt in via our cookie consent banner.

When opted in, PostHog may collect:

  • Page views and navigation paths
  • Custom product events (e.g., feature usage)
  • User properties (e.g., subscription plan, account creation date)
  • Device type, browser, operating system
  • Approximate location (derived from IP; IP is not stored long-term)

Legal basis (GDPR): Consent. You can withdraw consent at any time through the cookie settings accessible in the Service.

1.5 Technical / Automatically Collected Data

| Data | Purpose | Basis (GDPR) |
|------|---------|--------------|
| IP address | Security, abuse prevention, infrastructure routing | Legitimate interest |
| Server logs (request method, URL, status code, timestamp) | Debugging, security monitoring | Legitimate interest |

Server logs are generated by Vercel (edge/serverless hosting) and retained for a limited period as described in Section 5.

2. Cookies & Local Storage

| Cookie / Storage | Type | Consent Required | Purpose |
|------------------|------|------------------|---------|
| Auth session cookie | Strictly necessary | No | Maintains your login session |
| PostHog analytics cookies | Analytics | Yes (opt-in only) | Product analytics (disabled until you consent) |
| Theme preference | localStorage | No | Stores your UI theme preference client-side |

Cookie Consent Mechanism

On first visit, analytics cookies are not set. A cookie consent banner is displayed. PostHog is only initialized if you actively opt in. You may change your preference at any time via the cookie settings link in the Service. Declining or withdrawing consent does not affect your access to any Service functionality.

3. How We Use Your Data

We use your data to:

  1. Provide and operate the Service — account management, authentication, core product functionality.
  2. Process payments — via Stripe; we interact only with Stripe customer IDs and subscription status.
  3. Improve the Service — if you opt in to analytics, we use aggregated usage data to identify bugs and improve features.
  4. Communicate with you — transactional emails (password resets, billing receipts, service updates). We do not send marketing emails without separate consent.
  5. Ensure security — fraud detection, abuse prevention, and infrastructure monitoring.
  6. Comply with legal obligations — tax records, lawful data requests.

4. Third-Party Services & Data Sharing

We share personal data only with the following categories of service providers, and only as necessary:

| Provider | Data Shared | Purpose |
|----------|-------------|---------|
| Vercel | IP address, request metadata | Hosting, edge functions, serverless compute |
| Neon (PostgreSQL) | All application data (encrypted at rest) | Database storage |
| Stripe | Stripe customer ID, subscription events | Payment processing |
| PostHog | Analytics events, device info (if opted in) | Product analytics |
| No additional third-party services | As described per integration | Product functionality |

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

We may disclose data if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, or property of Nori Labs, Inc., our users, or the public.

In the event of a merger, acquisition, or asset sale, your data may be transferred to the successor entity. We will notify you before your data becomes subject to a different privacy policy.

5. Data Retention

| Data Category | Retention Period |
|---------------|------------------|
| Account data | Until you delete your account + 30 days for backup purge |
| Billing records (Stripe customer ID, invoices) | 7 years after last transaction (tax/legal compliance) |
| Product-specific data | Until you delete it or your account, whichever comes first |
| Analytics data (PostHog) | 12 months, then auto-deleted |
| Server logs (Vercel) | Up to 30 days |
| Auth session tokens | Expire after inactivity period; purged on logout or account deletion |

Upon account deletion, we delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., billing records).

6. Data Security

We implement industry-standard security measures including:

  • Encryption in transit: All data is transmitted over TLS/HTTPS.
  • Encryption at rest: Database storage (Neon PostgreSQL) encrypts data at rest.
  • Secure authentication: Passwords are hashed using modern algorithms; session tokens are stored server-side.
  • Payment security: Stripe is PCI DSS Level 1 compliant. Card data never touches our servers.
  • Infrastructure: Vercel serverless architecture minimizes attack surface; no persistent servers to compromise.
  • Access control: Internal access to production data is restricted and logged.

No system is 100% secure. If we discover a breach affecting your personal data, we will notify you and relevant authorities as required by GDPR (within 72 hours) and applicable law.

7. Your Rights

Under GDPR (EEA, UK, Switzerland residents)

You have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your personal data.
  • Restriction — request that we limit processing of your data.
  • Portability — receive your data in a structured, machine-readable format (JSON or CSV).
  • Object — object to processing based on legitimate interest.
  • Withdraw consent — for any processing based on consent (e.g., analytics), at any time, without affecting the lawfulness of prior processing.
  • Lodge a complaint — with your local data protection authority.

Under CCPA (California residents)

You have the right to:

  • Know — what personal information we collect, use, and disclose.
  • Delete — request deletion of your personal information.
  • Opt out of sale — we do not sell your personal information. No opt-out is necessary.
  • Non-discrimination — we will not discriminate against you for exercising your rights.

How to Exercise Your Rights

Email us at hey@getnori.ai with your request. We will verify your identity and respond within 30 days (GDPR) or 45 days (CCPA). For data portability requests, we will provide your data in JSON format.

You may also delete your account and associated data directly through the Service's account settings.

8. International Data Transfers

Our infrastructure is hosted in the United States (Vercel, Neon). If you are located outside the US, your data will be transferred to and processed in the US. We rely on:

  • Standard Contractual Clauses (SCCs) where required for GDPR compliance.
  • Selecting processors (Vercel, Neon, Stripe, PostHog) that maintain appropriate safeguards and certifications.

9. Children's Privacy

The Service is not intended for anyone under the age of 16 (or the applicable minimum age in your jurisdiction). We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us at hey@getnori.ai and we will delete it promptly.

10. Do Not Track

The Service does not respond to browser "Do Not Track" signals. However, analytics tracking (PostHog) is disabled by default and requires your explicit consent.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes at least 30 days in advance via email or an in-app notice. The "Effective Date" at the top reflects the latest revision. Continued use of the Service after the effective date constitutes acceptance.

12. Data Protection Contact

For any privacy-related questions, requests, or complaints:

Nori Labs, Inc.
1111B S Governors Ave # 91173
Dover, DE 19904
Email: hey@getnori.ai

If you are in the EEA and believe we have not adequately addressed your concerns, you have the right to lodge a complaint with your local supervisory authority.