Privacy Policy
Last updated: 30 June 2026
NorReach ("we", "us", or "our") is operated by Youpal Group AB, registered in Stockholm, Sweden. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the NorReach platform, website, browser extension, and related services (collectively, the "Service").
We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Data Controller
Youpal Group AB is the data controller for the personal data processed through the Service. For questions about this policy or your data rights, contact us at privacy@norreach.ai.
2. Data We Collect
2.1 Account data
When you create an account, we collect:
- Name, email address, and password (hashed)
- Company name and workspace details
- Profile information you choose to provide
2.2 Usage data
We automatically collect:
- Pages visited, features used, and interaction timestamps
- Device type, browser, IP address (anonymised for analytics)
- Performance and error logs for service reliability
2.3 Contact and outreach data
Data you import or generate through the Service:
- Contact records (names, emails, phone numbers, company info)
- Message content (emails, SMS, WhatsApp, call transcripts)
- Campaign activity and engagement metrics
- Calendar and meeting booking data
2.4 Payment data
Payment processing is handled by our payment provider. We store your plan type, billing cycle, and invoice history but never store credit card numbers directly.
3. How We Use Your Data
We process your data for the following purposes:
- Service delivery — operating the platform, sending outreach on your behalf, processing replies
- AI features — powering voice calling, message generation, lead scoring, and the Nora assistant
- Improvement — analysing usage patterns to improve features and fix issues
- Communication — sending service updates, security alerts, and billing notices
- Legal compliance — meeting regulatory requirements and responding to lawful requests
4. Legal Basis for Processing
We process your personal data under the following legal bases (GDPR Art. 6):
- Contract performance — to provide the Service you signed up for
- Legitimate interest — to improve the Service, prevent fraud, and ensure security
- Consent — for optional features like marketing emails (you can withdraw at any time)
- Legal obligation — when required by law
5. Data Storage & EU Residency
All primary data is hosted within the European Union. Our infrastructure is provisioned in EU data centres. Where sub-processors outside the EU are used, appropriate safeguards (Standard Contractual Clauses) are in place.
6. Data Sharing
We do not sell your personal data. We share data only with:
- Sub-processors — infrastructure, email delivery, telephony, and AI providers necessary to operate the Service
- Your integrations — when you connect third-party tools (CRM, calendar, etc.)
- Legal authorities — when required by law or to protect our rights
A Data Processing Agreement (DPA) is available on request.
7. Data Retention
We retain your data for as long as your account is active and for a reasonable period afterward for legitimate business purposes. When you delete your account, we remove your personal data within 30 days, except where retention is required by law.
8. Your Rights
Under the GDPR, you have the right to:
- Access — request a copy of your personal data
- Rectification — correct inaccurate data
- Erasure — request deletion of your data
- Portability — receive your data in a structured, machine-readable format
- Restriction — limit how we process your data
- Objection — object to processing based on legitimate interest
- Withdraw consent — where processing is based on consent
To exercise any of these rights, email privacy@norreach.ai. We respond within 30 days.
9. Cookies
We use essential cookies for authentication and session management. Analytics cookies are only set with your consent. You can manage cookie preferences at any time through your browser settings.
10. Security
We implement industry-standard security measures including encryption in transit (TLS) and at rest, access controls, audit logging, and regular security reviews. Despite these measures, no system is 100% secure — we encourage you to use strong passwords and enable two-factor authentication.
11. AI & Automated Processing
NorReach uses AI for voice calling, message generation, lead scoring, and the in-app assistant. AI-generated content is always presented for your review before sending. Call recordings are processed for transcription and quality purposes. You can opt out of AI features at any time through your workspace settings.
In compliance with the EU AI Act, AI-generated voice calls include disclosure that the call is AI-powered.
12. Children's Privacy
NorReach is a business tool and is not intended for individuals under 18. We do not knowingly collect data from children.
13. Changes to This Policy
We may update this policy from time to time. Material changes will be communicated via email or an in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact
For privacy-related questions or to exercise your rights:
Youpal Group AB
Stockholm, Sweden
Email: privacy@norreach.ai