Privacy Policy

This policy applies to (a) visitors to our website, (b) personnel at customer organizations who use the Nooriel platform, and (c) the handling of personal information that our customers process through the platform, where we act as a service provider on their behalf.

Where our customer is the party that decides why and how end-customer information is processed, that customer is the entity accountable for it and we act under their instructions. Our commitments in that role are set out in our Data Processing Agreement.

We collect only what we need to provide and secure the service:

• Account & contact data — name, work email, organization, role, and authentication credentials (passwords are stored only as salted Argon2id hashes, never in plain text).
• Billing data — handled by our payment processor; we do not store full card numbers on our systems.
• Usage & security logs — actions taken in the platform, timestamps, and limited technical data (e.g. IP address, browser) used for security, audit, and reliability.
• Customer-processed data — the financial and customer records our customers connect for monitoring. Sensitive identifiers in this data are tokenized inside our Secret Vault (see section 5) and are never exposed to the AI models that assist with analysis.

• To provide, operate, secure, and improve the platform.
• To detect and help our customers meet anti-money-laundering and regulatory obligations.
• To authenticate users and maintain an audit trail.
• To process payments and manage subscriptions.
• To communicate with you about your account, security, and (with consent where required) product updates.

We do not sell personal information, and we do not use customer-processed data to train AI models.

We rely on consent and on our legitimate need to deliver a service you or your organization has requested. Where Law 25 or PIPEDA requires express consent, we obtain it. You may withdraw consent at any time, subject to legal or contractual limits (see section 8).

• Tokenization first. Sensitive identifiers are replaced with tokens in our Secret Vault before any AI processing. The reasoning layer operates on tokens, not raw personal information.
• Encryption. Data is encrypted in transit (TLS) and at rest (AES-256).
• Access control & audit. Least-privilege access with a tamper-evident audit trail.
• Data residency. Production data is hosted in Canada.

More detail is on our Security page.

We use a small set of vetted providers to deliver the service — for example payment processing, transactional email, identity verification, and cloud hosting in Canada. Each is bound by contract to protect personal information and to use it only as instructed. The AI reasoning providers we use receive tokenized inputs only. A current list of sub-processors is available on request and is referenced in our Data Processing Agreement.

We keep personal information only as long as needed for the purposes above or as required by law (including record-keeping obligations that apply to regulated financial activity). When no longer needed, it is securely deleted or de-identified.

Subject to legal limits, you may request to access, correct, or delete your personal information, withdraw consent, or ask about how it is handled. Quebec residents have additional rights under Law 25, including data portability. To exercise a right, email support@nooriel.com. If you are an end-customer of one of our customers, please contact that organization directly, as they are accountable for your information.

Our Privacy Officer can be reached at support@nooriel.com. If you are not satisfied, you may contact the Office of the Privacy Commissioner of Canada, or — for Quebec residents — the Commission d'accès à l'information.

We may update this policy as our service or the law evolves. Material changes will be posted here with a new “last updated” date and, where required, communicated to you directly.