Legal

Privacy Policy

Last updated: 30 June 2026

NorReach ("we", "us", or "our") is operated by Youpal Group AB, registered in Stockholm, Sweden. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the NorReach platform, website, browser extension, and related services (collectively, the "Service").

We are committed to protecting your privacy and complying with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Data Controller

Youpal Group AB is the data controller for the personal data processed through the Service. For questions about this policy or your data rights, contact us at privacy@norreach.ai.

2. Data We Collect

2.1 Account data

When you create an account, we collect:

  • Name, email address, and password (hashed)
  • Company name and workspace details
  • Profile information you choose to provide

2.2 Usage data

We automatically collect:

  • Pages visited, features used, and interaction timestamps
  • Device type, browser, IP address (anonymised for analytics)
  • Performance and error logs for service reliability

2.3 Contact and outreach data

Data you import or generate through the Service:

  • Contact records (names, emails, phone numbers, company info)
  • Message content (emails, SMS, WhatsApp, call transcripts)
  • Campaign activity and engagement metrics
  • Calendar and meeting booking data

2.4 Payment data

Payment processing is handled by our payment provider. We store your plan type, billing cycle, and invoice history but never store credit card numbers directly.

3. How We Use Your Data

We process your data for the following purposes:

  • Service delivery — operating the platform, sending outreach on your behalf, processing replies
  • AI features — powering voice calling, message generation, lead scoring, and the Nora assistant
  • Improvement — analysing usage patterns to improve features and fix issues
  • Communication — sending service updates, security alerts, and billing notices
  • Legal compliance — meeting regulatory requirements and responding to lawful requests

4. Legal Basis for Processing

We process your personal data under the following legal bases (GDPR Art. 6):

  • Contract performance — to provide the Service you signed up for
  • Legitimate interest — to improve the Service, prevent fraud, and ensure security
  • Consent — for optional features like marketing emails (you can withdraw at any time)
  • Legal obligation — when required by law

5. Data Storage & EU Residency

All primary data is hosted within the European Union. Our infrastructure is provisioned in EU data centres. Where sub-processors outside the EU are used, appropriate safeguards (Standard Contractual Clauses) are in place.

6. Data Sharing

We do not sell your personal data. We share data only with:

  • Sub-processors — infrastructure, email delivery, telephony, and AI providers necessary to operate the Service
  • Your integrations — when you connect third-party tools (CRM, calendar, etc.)
  • Legal authorities — when required by law or to protect our rights

A Data Processing Agreement (DPA) is available on request.

7. Data Retention

We retain your data for as long as your account is active and for a reasonable period afterward for legitimate business purposes. When you delete your account, we remove your personal data within 30 days, except where retention is required by law.

8. Your Rights

Under the GDPR, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion of your data
  • Portability — receive your data in a structured, machine-readable format
  • Restriction — limit how we process your data
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — where processing is based on consent

To exercise any of these rights, email privacy@norreach.ai. We respond within 30 days.

9. Cookies

We use essential cookies for authentication and session management. Analytics cookies are only set with your consent. You can manage cookie preferences at any time through your browser settings.

10. Security

We implement industry-standard security measures including encryption in transit (TLS) and at rest, access controls, audit logging, and regular security reviews. Despite these measures, no system is 100% secure — we encourage you to use strong passwords and enable two-factor authentication.

11. AI & Automated Processing

NorReach uses AI for voice calling, message generation, lead scoring, and the in-app assistant. AI-generated content is always presented for your review before sending. Call recordings are processed for transcription and quality purposes. You can opt out of AI features at any time through your workspace settings.

In compliance with the EU AI Act, AI-generated voice calls include disclosure that the call is AI-powered.

12. Children's Privacy

NorReach is a business tool and is not intended for individuals under 18. We do not knowingly collect data from children.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact

For privacy-related questions or to exercise your rights:

Youpal Group AB

Stockholm, Sweden

Email: privacy@norreach.ai