Privacy Policy

Last updated: March 25, 2026

        The short version: Your data is encrypted at rest (AES-128, server-side), you own it, and you can delete it anytime. We don't sell your data. Ever.
    

⚠️ Testnet Notice: Project Nobi is currently in testnet phase (Bittensor SN272). The service is under active development and testing. Data handling practices described in this policy are subject to change. During the testnet phase, data may be reset and service availability is not guaranteed. Use at your own risk.

This Privacy Policy explains how Project Nobi ("we", "us", "our") collects, uses, stores, and protects your personal data. This policy complies with GDPR Articles 13 & 14, UK GDPR, CCPA, and COPPA.

1. Data Controller

Project Nobi is the data controller for personal data processed through the Nori service.

Privacy email: privacy@projectnobi.ai
DPO email: dpo@projectnobi.ai
Location: United Kingdom
Supervisory authority (UK): Information Commissioner's Office — ico.org.uk

2. What Data We Collect

2.1 Data You Provide Directly

Category	Examples	Purpose
Account information	Display name, email address	Account creation and communication
Conversation content	Messages, voice transcriptions, image descriptions	Providing the companion service
Memory data	Facts and preferences Nori learns from chats	Personalisation and continuity
Feedback and support	Bug reports, feature requests, tickets	Service improvement
Account information	Username, platform ID (Telegram/Discord)	Service authentication

2.2 Data Collected Automatically

Category	Examples	Purpose
Usage statistics	Features used, session length, message frequency	Service improvement
Device information	Device type, OS, app version	Compatibility and debugging
Technical data	IP address (hashed), error logs	Security and performance
Cookies and local storage	Session tokens, preferences, consent flags	Authentication and UX

2.3 What We Do NOT Collect

Payment card numbers (we do not collect any payment information — the service is free)
Audio recordings (voice messages are transcribed; audio is not permanently stored)
Original images (analysed for context; not permanently stored)
GPS or location data
Contacts or address book data

3. Legal Basis for Processing (GDPR)

Processing Activity	Legal Basis
Providing the companion service	Contract (Art. 6(1)(b))
Memory storage and personalisation	Contract (Art. 6(1)(b))
Service operation	Contract (Art. 6(1)(b))
Safety filtering and abuse prevention	Legitimate interests (Art. 6(1)(f))
Service analytics and improvement	Legitimate interests (Art. 6(1)(f))
Marketing communications	Consent (Art. 6(1)(a)) — opt-in only
Legal compliance	Legal obligation (Art. 6(1)(c))

4. How We Use Your Data

Provide the service — process messages and generate AI responses
Enable memory — store context to make Nori feel like a real companion
Personalise your experience — adapt Nori's tone and topics to you
Maintain operations — authentication, security, and abuse prevention
Improve service quality — analyse anonymised usage patterns
Ensure safety — detect and prevent abuse and harmful content
Legal compliance — fulfil obligations under applicable law

We do NOT: sell your data, use your conversations to train AI without opt-in consent, or share data with advertising networks.

5. Data Storage and Security

All conversation data and memory data is encrypted using AES-128 encryption before storage. Encryption keys are derived from your account credentials and never stored in plaintext. Data in transit is protected by TLS 1.3.

5.1 Decentralised Storage (Bittensor Network)

Nori operates on the Bittensor decentralised AI network. Messages may be processed by network participants ("miners") to generate AI responses. Data transmitted to miners is:

Encrypted in transit (TLS 1.3) and at rest (AES-128)
Stripped of personal identity (no name, email, or account details)
Transmitted using pseudonymous identifiers only

Honest disclosure: Miners decrypt conversation content during response generation — they process message text in order to produce AI responses. Stored memories remain encrypted at rest (AES-128, server-side). End-to-end TEE encryption (which prevents miners from seeing plaintext) is code-complete and deploying to production — it is not yet live for all users.

5.2 Data Architecture: Decentralised AI, Centralised Compliance

The AI inference layer (miners generating responses) is decentralised across the Bittensor network. However, all legal and compliance data is stored centrally on Project Nobi's own infrastructure — never on miners.

This includes:

Consent records — your Terms of Service and Privacy Policy acceptance, with timestamps and policy versions
Age verification — your 18+ confirmation status (date of birth is NOT stored)
Audit trail — all data access, deletion, and consent change events (append-only, immutable)
Conversation history backups — maintained on our servers for GDPR request fulfilment

This architecture ensures that your data rights (access, erasure, portability) can always be fulfilled regardless of the state of the decentralised network. GDPR requires a data controller — that is Project Nobi. We will always operate the application layer and at least one validator to ensure legal compliance.

6. Data Sharing

Recipient	Purpose	Safeguards
Bittensor miners	AI response generation	Miners process conversation content during response generation; stored data encrypted at rest (AES-128)
Cloud infrastructure	Hosting and storage	Data processing agreements; encrypted data
Legal authorities	Legal compliance	Only when required by law or court order

We do NOT share data with advertising networks, data brokers, social media platforms, or any third party for marketing purposes.

7. Your Rights

7.1 GDPR Rights (EU/UK residents)

Access (Art. 15) — Request a copy of all personal data we hold
Rectification (Art. 16) — Request correction of inaccurate data
Erasure / "Right to be Forgotten" (Art. 17) — Request deletion of your data
Restriction of Processing (Art. 18) — Request limits on data use
Data Portability (Art. 20) — Request your data in machine-readable format
Object (Art. 21) — Object to processing based on legitimate interests

7.2 CCPA Rights (California residents)

Know what personal information is collected and how it is used
Delete personal information (subject to certain exceptions)
Opt out of "sale" of personal information (we do not sell personal information)
Non-discrimination for exercising your rights

7.3 How to Exercise Your Rights

In-app: Use /memories, /forget, /forgetme, /export on Telegram, or Settings in the web app
/forget — deletes your data from our local systems
/forgetme — deletes locally AND broadcasts erasure to all miners on the network (best-effort, network-wide)
By email: privacy@projectnobi.ai with subject "Privacy Rights Request"
Response time: Within 30 days (extendable to 90 days for complex requests)

8. Data Retention

Data Category	Retention Period
Active account data	While your account is active
Inactive account data	Auto-deleted after 12 months of inactivity
Deleted account data	Permanently deleted within 30 days
Safety and abuse logs	12 months
Anonymous analytics	12 months then permanently deleted
Support tickets	24 months then anonymised

9. Children's Privacy

United States (COPPA): Nori is not directed to users under 18. We do not knowingly collect data from users under 18.
EU/EEA (GDPR Art. 8): Users must be at least 18 years old.
Parental concerns: If you believe your child has an account, contact privacy@projectnobi.ai and we will delete the account within 5 business days.

10. Cookie Policy

Type	Purpose	Duration
Essential cookies	Authentication, session management	Session or up to 30 days
Preference storage (localStorage)	Theme, language, consent flags	Persistent until cleared
Analytics cookies	Anonymous usage analytics	Up to 12 months

We do not use advertising or tracking cookies. We respect the "Do Not Track" (DNT) browser signal.

11. International Data Transfers

Project Nobi is based in the United Kingdom. For EEA users, transfers to the UK are covered by the UK Adequacy Decision. Data transferred to Bittensor miners globally is encrypted in transit (TLS 1.3) and at rest (AES-128). Miners process conversation content during response generation — end-to-end TEE encryption is code-complete and deploying to production.

12. Data Breach Procedures

In the event of a personal data breach:

Regulatory notification: We will notify the ICO within 72 hours of becoming aware (GDPR Art. 33)
User notification: If there is a high risk to your rights, we will notify you directly without undue delay
Remediation: We will take all reasonable steps to mitigate damage

To report a security vulnerability: security@projectnobi.ai

13. Data Protection Officer

We have appointed a Data Protection Officer to oversee GDPR compliance.

DPO Contact: dpo@projectnobi.ai

14. Professional Advice Disclaimer

⚠️ Nori does NOT provide professional advice of any kind.

Nori is a personal AI companion for general conversation and information purposes only. Nothing Nori communicates constitutes financial, investment, tax, legal, medical, mental health, or any other professional advice.

All information and opinions shared by Nori are for general reference only. Always consult a qualified professional (financial advisor, lawyer, doctor, therapist, etc.) for matters specific to your situation.

By using Nori, you acknowledge that Nori's responses are not a substitute for professional advice.

15. Changes to This Policy

We may update this policy periodically. Material changes will be communicated with at least 14 days' notice via email or in-app notification. The latest version is always at projectnobi.ai/privacy.

16. Contact Us

Privacy: privacy@projectnobi.ai
DPO: dpo@projectnobi.ai
Security: security@projectnobi.ai
Website: projectnobi.ai
UK Supervisory Authority: ICO — ico.org.uk — 0303 123 1113

GDPR Articles 13 & 14 compliant · UK GDPR · CCPA · COPPA — Last updated March 30, 2026