Privacy Policy

This policy applies to (a) visitors to our website, (b) personnel at customer organizations who use the Nooriel platform, and (c) the handling of personal information that our customers process through the platform, where we act as a service provider on their behalf.

Where our customer is the party that decides why and how end-customer information is processed, that customer is the business accountable for it and we act under their instructions. Our commitments in that role are set out in our Data Processing Agreement.

We collect only what we need to provide and secure the service:

• Account & contact data — name, work email, organization, role, and authentication credentials (passwords are stored only as salted Argon2id hashes, never in plain text).
• Billing data — handled by our payment processor; we do not store full card numbers on our systems.
• Usage & security logs — actions taken in the platform, timestamps, and limited technical data (e.g. IP address, browser) used for security, audit, and reliability.
• Customer-processed data — the financial and customer records our customers connect for monitoring. Sensitive identifiers in this data are tokenized inside our Secret Vault (see section 5) and are never exposed to the AI models that assist with analysis.

• To provide, operate, secure, and improve the platform.
• To detect and help our customers meet anti-money-laundering and regulatory obligations.
• To authenticate users and maintain an audit trail.
• To process payments and manage subscriptions.
• To communicate with you about your account, security, and (with consent where required) product updates.

We do not sell or share personal information for cross-context behavioral advertising, and we do not use customer-processed data to train AI models.

We process personal information to deliver a service you or your organization has requested, and as otherwise permitted by law. Where applicable law gives you the right to opt out of certain processing, we honor those choices.

• Tokenization first. Sensitive identifiers are replaced with tokens in our Secret Vault before any AI processing. The reasoning layer operates on tokens, not raw personal information.
• Encryption. Data is encrypted in transit (TLS) and at rest (AES-256).
• Access control & audit. Least-privilege access with a tamper-evident audit trail.
• Data residency. Production data is hosted in the United States.

More detail is on our Security page.

We use a small set of vetted providers to deliver the service — for example payment processing, transactional email, identity verification, and U.S. cloud hosting. Each is bound by contract to protect personal information and to use it only as instructed. The AI reasoning providers we use receive tokenized inputs only. A current list of sub-processors is available on request and is referenced in our Data Processing Agreement.

We keep personal information only as long as needed for the purposes above or as required by law (including record-keeping obligations that apply to regulated financial activity, such as those administered by FinCEN). When no longer needed, it is securely deleted or de-identified.

Depending on your state of residence, you may have the right to access, correct, delete, or obtain a copy of your personal information, and to opt out of certain processing. To exercise a right, email support@nooriel.com. If you are an end-customer of one of our customers, please contact that organization directly, as they are accountable for your information.

Our Privacy Officer can be reached at support@nooriel.com. If you are not satisfied, you may also contact your state attorney general or the U.S. Federal Trade Commission.

We may update this policy as our service or the law evolves. Material changes will be posted here with a new “last updated” date and, where required, communicated to you directly.