Privacy Policy
Last updated: 25 April 2026. Applies to norji.co.uk and the NORĴI service.
This policy explains what data NORĴI Ltd collects, why, how long we keep it, and the rights you have over it. We've written it in plain English. Where we use a legal term we define it on the spot.
1. Who we are
NORĴI Ltd (Companies House 15442214) is the data controller for personal data processed by the NORĴI service. Registered office: York, England.
Our contact for privacy matters is privacy@norji.co.uk.
2. What we do with your content — straight talk
NORĴI processes your email content, calendar data, and related business information to provide the service. This processing is necessary for features such as drafting responses, flagging compliance issues, managing commissions, and coordinating schedules. Processing happens in encrypted form wherever possible and content is decrypted only when required for the service to function. We never retain data longer than necessary, never use it to train AI models, and never sell it to third parties.
We don't claim end-to-end encryption, zero-knowledge architecture, or that NORĴI "cannot see" your content — those claims would be false for a service that drafts replies in your voice. What we do claim is in section 10.
3. What data we collect and why
Account + identity
- Name, email, Telegram or WhatsApp handle — to create your account and let you sign in.
- Industry + role (if you share them) — to tune the voice NORĴI uses when drafting on your behalf.
- Stripe customer ID — for billing only. We never see or store your card number; Stripe holds that.
The content NORĴI operates on
- Email content — when you connect Gmail or Outlook, NORĴI reads your inbox to draft replies and calendar responses. Drafts wait for your tap before anything sends.
- Calendar events — to schedule, reschedule, and RSVP on your behalf.
- Voice notes, photos, PDFs you send to our Telegram bot — transcribed or analysed to produce a response, then stored with your account.
- CRM records — when you connect Reapit or Salesforce, NORĴI reads contact and deal data to match buyers to listings and update records per your approval.
Memory + embeddings
NORĴI stores short summaries of your past conversations so it can reference them later ("you mentioned last week that your daughter starts school in September"). These summaries and their vector embeddings sit on our database in the UK region of our hosting provider.
Audit log
Every action NORĴI takes on your behalf (a draft sent, a calendar event created, an invoice chased) is written to an append-only audit log. This is a hard requirement — it's how you verify what ran and reverse it if wrong.
OAuth tokens
When you connect Gmail, Outlook, or a CRM, we store an encrypted access token. Tokens are encrypted at rest using Fernet with a key rotated every 90 days. Refresh tokens are stored separately. You can revoke access from the provider's side at any time and it takes effect immediately.
Diagnostic data
- Error reports via Sentry (EU region) — stack traces, timestamps, user ID. No message content is sent to Sentry.
- Access logs — IP, timestamp, route. Retained 30 days.
- Cookies — see section 12.
4. Legal basis for processing
We rely on the following UK GDPR bases:
- Contract (Art. 6(1)(b)) for anything needed to deliver the NORĴI service to you — account setup, drafting, sending approved actions.
- Legitimate interest (Art. 6(1)(f)) for the audit log (fraud / misuse prevention), basic performance analytics, and deliverability monitoring on outbound email we send at your direction.
- Consent (Art. 6(1)(a)) for non-essential cookies and marketing email. You opt in; we don't assume.
- Legal obligation (Art. 6(1)(c)) for tax and accounting records we're required to keep for 7 years.
5. Prospect data (people we contact who aren't customers yet)
NORĴI's acquisition engine surfaces business contacts as candidate prospects for outreach by you (or, where you authorise it, on your behalf). If your data is in our prospect database, here is the basis:
- Legal basis — legitimate interest under UK GDPR Art. 6(1)(f) for B2B outreach to professional contacts in roles where our service is plausibly relevant.
- Source — publicly available professional data: LinkedIn, company websites, Companies House, public news, conference attendee lists.
- Data types held — name, company, role, business email, public activity signals (recent moves, funding events, public posts).
- Retention — 12 months from last meaningful activity; if no engagement (no reply, no opens of two consecutive emails) the record is deleted at the 12-month mark.
- Right to object — you can email privacy@norji.co.uk at any time to have your data removed. We action within 30 days and add you to a permanent suppression list so we don't re-add you from a future scrape.
- Documented legitimate interest assessment — available on request from the same address.
6. Who we share data with
NORĴI shares your data only with sub-processors we need to deliver the service. Each has its own DPA with us:
- Anthropic — for LLM inference. Prompts and relevant context are sent, responses returned. Anthropic does not train on our API traffic.
- OpenAI or Deepgram — for voice-note transcription (whichever is configured; current default: Deepgram).
- Railway — our hosting provider (database, compute, backups).
- Stripe — payment processing. You pay Stripe directly; we see the customer ID and invoice metadata only.
- Google, Microsoft, Reapit, Salesforce — only when you explicitly connect them. Data flows per your connected integration.
- Telegram, WhatsApp — our messaging channels; standard platform terms apply.
- Sentry — error monitoring (EU region).
We do not sell your data. We do not share it with advertisers. We do not use it to train AI models.
7. International data transfers
NORĴI's primary infrastructure (database, application servers, backups) is hosted by Railway in their EU region. Some sub-processors operate outside the UK; in each case we rely on appropriate UK GDPR transfer safeguards:
- Anthropic (United States) — AI inference. Transfers covered by EU Standard Contractual Clauses (SCCs) with the UK International Data Transfer Addendum. Anthropic does not train on our API traffic.
- Stripe (United States / global) — payment processing. Transfers covered by SCCs and the UK Addendum.
- Google (Gmail, Calendar OAuth) and Microsoft (Outlook, Calendar OAuth) — data flows when you connect those services occur within their own published data-protection frameworks (Google Workspace DPA / Microsoft Online Services DPA, both with SCCs).
- Railway (hosting) — data stays in the EU region NORĴI is provisioned to. The specific Railway region in use at the time of writing is published on the trust page and updated whenever it changes.
- Sentry (error monitoring) — EU region only.
8. How long we keep data
- Account data — for as long as you have an active NORĴI account, then 30 days after closure (for accidental-closure recovery), then deleted.
- Email + calendar + CRM content read by NORĴI — not stored permanently; summarised into memory, then the raw content is discarded within 30 days.
- Memories + embeddings — kept for the life of the account; deleted on closure.
- Audit log — kept for the life of the account; deleted on closure unless we have a legal obligation to retain specific entries longer.
- Billing records — 7 years (HMRC requirement).
- Diagnostic logs — 30 days.
- OAuth tokens — deleted immediately on integration disconnect or account closure.
Full detail in our data retention policy.
9. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of all data we hold on you. Use /export-my-data in Telegram or email us.
- Rectify — correct inaccurate data.
- Erase — ask us to delete your data ("right to be forgotten"). We will unless a legal obligation keeps us holding a specific item (e.g. billing records for 7 years).
- Restrict — pause processing while we resolve a query.
- Portability — receive your data in a machine-readable format (JSON).
- Object — to processing based on legitimate interest.
- Withdraw consent — for anything you've consented to.
Exercise any of these at privacy@norji.co.uk. We respond within 30 days (usually within a week). If you're unhappy with our response, you can complain to the Information Commissioner's Office.
10. Security
What we actually do, in concrete terms:
- Encryption in transit — TLS 1.2 or higher for every connection between you, NORĴI, and the sub-processors we route through.
- Encryption at rest — AES-256, applied at the database and backup layer by our hosting provider (Railway Postgres).
- Application-level encryption for sensitive credentials — OAuth access tokens and refresh tokens are additionally encrypted at the application layer using Fernet (AES-128-CBC + HMAC-SHA256) with a rotating key set, on top of the disk-level AES-256. Two layers, not one.
- OAuth-based authentication — when you connect Gmail, Outlook, or a CRM you authenticate against the provider directly. NORĴI never sees and never stores your account password.
- No training on your data — your content is never used to train AI models, ours or anyone else's.
- No selling of your data — full stop.
- Minimum necessary access — a small number of named engineers can reach production data, only when investigating a specific issue, and under contractual confidentiality obligations.
- Audit logging of access — every action NORĴI takes on your behalf is recorded in an append-only audit log. Engineer access to production data is also recorded.
- Append-only audit log — entries cannot be modified or deleted; this is enforced at the database level via trigger. Audit records are preserved for security review and to support Subject Access Requests.
- Backups — encrypted, retained 30 days, restorable point-in-time.
- Two-factor authentication — required for all engineer access to production systems.
- Incident response plan — documented and rehearsed. If a breach occurs we notify the ICO within 72 hours and affected users without undue delay. The plan is described on our trust page.
What we don't claim, because they wouldn't be true today:
- We do not claim end-to-end encryption — the service decrypts content to draft responses.
- We do not claim a zero-knowledge architecture — same reason.
- We do not claim SOC 2, ISO 27001, or independent audit certification at this time. See the next section for our roadmap.
11. Compliance roadmap
NORĴI is committed to achieving industry-standard security certifications as we grow. We have implemented the operational controls required for SOC 2 Type II certification (encryption, access logging, incident response, vendor management, change management) and are working toward formal certification. Further certifications and independent audits will follow as the company scales. We won't claim a certification we haven't earned; when one lands it will appear here, on the trust page, and on our footer.
12. Cookies
We use a small number of cookies, all optional except strictly-necessary ones:
- Strictly necessary — session continuity on norji.co.uk. Cannot be turned off without breaking the site.
- Analytics (optional, off by default until you consent) — first-party counts of how many people read each page. No third-party trackers.
You control all non-essential cookies from the banner on your first visit and from the preferences link at any time.
13. Children
NORĴI is a B2B service for estate brokers. We do not knowingly collect data from anyone under 18. If you believe we hold data on a minor, email us and we'll delete it.
14. Changes to this policy
We may update this privacy policy as our service evolves. Material changes will be communicated to customers via email and via notice on norji.co.uk. Continued use of the service after changes constitutes acceptance of the updated policy. The "last updated" date at the top reflects the most recent revision.