Noorish

Privacy Policy

Last updated: May 7, 2026


This Privacy Policy explains how Noorish ("we", "us", "our") collects, uses, stores, and protects your personal information when you use the Noorish app (app.getnoorish.com) or our website (getnoorish.com).

We are committed to protecting your privacy and handling your data — especially your health information — with care and transparency.


Who We Are

Noorish is operated by Natalia Morozova, trading as Noorish, based at 241 rue de Bercy, 75012 Paris, France.

For privacy inquiries, contact us at: support@noorish.ai


What Data We Collect

Account information

When you create an account, we collect:

  • Your name
  • Your email address
  • Your password (stored in encrypted form; we never see it in plain text)

Health and symptom data

To provide Noorish's core features, we collect health-related information you choose to enter, including:

  • Gut symptoms (e.g. bloating, constipation, reflux)
  • Food and meal logs
  • Supplements and medications you are tracking
  • Lifestyle factors you choose to record
  • Notes and observations you add

This is sensitive data. Under the General Data Protection Regulation (GDPR), health information is classified as "special category data" and receives the highest level of protection. We only process it with your explicit consent, which you give when you create an account and start entering data.

You are never required to enter health information. You control what you share.

Payment information

If you purchase an action plan or any paid feature, payment is processed by Stripe, Inc. We do not store your credit card number, CVV, or full card details on our servers. Stripe handles all payment processing and is PCI DSS compliant. We retain a record of your transaction (amount, date, product) for accounting and support purposes.

Stripe's privacy policy: https://stripe.com/privacy

Usage and technical data

When you use the app or visit our website, we may collect:

  • Browser type and version
  • Device type and operating system
  • Pages viewed and features used
  • Approximate location (country/region level, derived from IP address)
  • Referring URL

This data is collected via cookies and analytics tools (see the Cookies section below).


Why We Collect Your Data and Our Legal Basis

We only process your data when we have a lawful reason to do so. The table below sets out our purposes and the legal basis we rely on under GDPR.

| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Performance of a contract |
| Providing the core app features (symptom tracking, action plans) | Performance of a contract |
| Processing your health/symptom data to generate insights | Your explicit consent |
| Using AI to analyse your data and generate personalised recommendations | Your explicit consent |
| Processing payments | Performance of a contract |
| Sending transactional emails (account confirmations, receipts) | Performance of a contract |
| Improving the product and fixing bugs | Legitimate interests |
| Analytics and usage statistics (aggregated, not personal) | Legitimate interests |
| Complying with legal obligations | Legal obligation |

We do not use your health data to train AI models, sell to third parties, or share with advertisers.


How Long We Keep Your Data

| Data type | Retention period |
|---|---|
| Account information | Until you delete your account |
| Health and symptom data | Until you delete it or your account |
| Payment records | 7 years (legal/accounting obligation) |
| Usage and analytics data | 26 months from collection |

When you delete your account, we delete or anonymise all personal data within 30 days, except where we are legally required to retain it (e.g. payment records).


Who We Share Your Data With

We do not sell your personal data. We share data only with trusted third-party service providers who process it on our behalf, and only to the extent necessary to provide the service.

| Provider | Purpose | Privacy policy |
|---|---|---|
| Supabase | Database and backend infrastructure (stores your account and health data) | supabase.com/privacy |
| Stripe | Payment processing | stripe.com/privacy |
| Vercel | Website and app hosting | vercel.com/legal/privacy-policy |
| Google Workspace | Internal email and communication | policies.google.com/privacy |
| Anthropic, Inc. | AI processing — generating personalised gut health insights and action plans | anthropic.com/privacy |
| OpenAI, Inc. | AI processing — generating personalised gut health insights and action plans | openai.com/privacy |
| Umami | Usage analytics (cookieless, no personal data collected) | umami.is/privacy |

All providers are required to handle your data in accordance with applicable privacy laws. Where data is transferred outside the UK or EU, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses).


AI and Automated Processing

Noorish uses artificial intelligence to analyse your health data and generate personalised insights and action plans. This is a core feature of the product.

Which AI providers we use: We work with Anthropic (Claude) and OpenAI (GPT models). These are third-party AI providers based in the United States.

What data is sent to AI providers: When you request an analysis or action plan, we send anonymised or aggregated health data to the AI provider's API. We do not send your name, email address, or any information that directly identifies you alongside your health data.

AI providers do not train on your data: Both Anthropic and OpenAI state in their API terms that data submitted via the API is not used to train their models. Your health data is not retained by these providers beyond the processing of your request.

No solely automated decisions with legal or significant effects: Noorish does not make decisions about you that are based solely on automated processing and that have legal or similarly significant effects (such as denying you access to services or affecting your medical care). All AI-generated insights are informational and require your own judgement. Noorish is not a medical service.


Cookies

We use cookies on our website and app. Cookies are small text files stored on your device.

Strictly necessary cookies are required for the app to function (e.g. keeping you logged in). These cannot be disabled.

Analytics: We use Umami for usage analytics. Umami is a privacy-first, cookieless analytics tool — it does not set cookies, does not collect personal data, and does not track you across websites. No analytics cookie consent is required for Umami.

We do not use advertising or tracking cookies.


Your Rights

Depending on where you are located, you have the following rights regarding your personal data.

GDPR rights (EU and UK users)

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure ("right to be forgotten") — ask us to delete your data
  • Restriction — ask us to pause processing your data in certain circumstances
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — for any processing based on consent (including health data), you can withdraw at any time; this does not affect the lawfulness of prior processing

To exercise any of these rights, email us at support@noorish.ai. We will respond within 30 days.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with your local data protection authority. Our lead supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés, cnil.fr). If you are based in another EU member state or in the UK, you may also contact your national supervisory authority.

CCPA rights (California residents)

Under the California Consumer Privacy Act, you have the right to:

  • Know what personal information we collect and how it is used
  • Delete your personal information (subject to certain exceptions)
  • Opt out of the sale of your personal information — we do not sell your data
  • Non-discrimination for exercising your privacy rights

To exercise these rights, contact us at support@noorish.ai.

PIPEDA rights (Canadian users)

Under Canada's Personal Information Protection and Electronic Documents Act, you have the right to:

  • Access the personal information we hold about you
  • Challenge the accuracy or completeness of your information
  • Withdraw consent to the collection and use of your personal information (note: withdrawing consent may limit your ability to use the service)

Contact us at support@noorish.ai to exercise these rights.


Children's Privacy

Noorish is intended for adults aged 18 and over. We do not knowingly collect personal information from anyone under the age of 18. If you believe a minor has created an account, please contact us at support@noorish.ai and we will delete the account promptly.


Security

We take the security of your data seriously, including your health information. Measures in place include:

  • Encryption of data in transit (HTTPS/TLS)
  • Encrypted storage of passwords
  • Access controls limiting who within our team can access personal data
  • Reputable, security-audited infrastructure providers (Supabase, Vercel)

No system is completely secure. If you have concerns about the security of your data, please contact us at support@noorish.ai.


Changes to This Policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes, we will notify you by email or via an in-app notification. Continued use of Noorish after changes take effect constitutes acceptance of the updated policy.


Contact Us

For any questions, requests, or complaints about this Privacy Policy or how we handle your data:

Email: support@noorish.ai
Website: getnoorish.com

Natalia Morozova, trading as Noorish
241 rue de Bercy, 75012 Paris, France