✓ PIPEDA Compliant

Privacy Policy

Last updated: April 19, 2025 · Effective: April 19, 2025 · Version 1.0

At FL Professional Services ("noli," "we," "us," or "our"), your privacy is foundational — not optional. This Privacy Policy explains what personal information we collect, why we collect it, how we use and protect it, and the rights you have over it. We comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and all applicable provincial privacy legislation.

Contents

Who we are & accountability
What information we collect
Why we collect it (identifying purposes)
Consent
How we use your information
Data storage, residency & security
Third-party services
Data retention
Your rights under PIPEDA
Children's privacy
Changes to this policy
Contact & complaints

1 Who We Are & Accountability

FL Professional Services is a company incorporated under the laws of Canada. We are the "organization" responsible for personal information under our control, as defined by PIPEDA.

We have designated a Privacy Officer who is accountable for our compliance with this policy and PIPEDA. To contact our Privacy Officer:

Email: privacy@meetnoli.com
Subject line: "PIPEDA Privacy Inquiry"
Response time: We will acknowledge your request within 5 business days and respond in full within 30 calendar days.

2 What Information We Collect

We limit collection to what is necessary to provide the noli service. We do not collect information indiscriminately.

Category	Examples	Required?
Account & identity	Email address, display name, age range (used for age-gating only)	Required
Emotional check-in data	Selected emotion tile, intensity, optional short note, timestamp	Core feature
Journal entries	Free-text written by you, associated timestamps	Optional
Nori conversation history	Messages you send and receive in the Compass tab	Optional
Usage & interaction data	Streak counts, lesson progress, features used, session duration	Core feature
Device information	Device OS version, app version (for crash diagnostics only)	Automatic
Location (coarse)	City-level location, used only if you enable the weather feature	Optional & explicit

📍 We do not collect: precise GPS coordinates (stored beyond the session), government-issued ID, financial information, biometric data, health records, Social Insurance Numbers, or any sensitive personal information not listed above.

3 Why We Collect It

Consistent with PIPEDA Principle 2 (Identifying Purposes), we identify the purposes for collecting personal information before or at the time of collection:

To provide the noli service — authenticate your account, store your check-ins and journals, enable Nori conversations, track your constellation and streaks.
To improve Nori's responses — conversation summaries are stored so Nori can remember context across sessions. We do not use your conversations to train AI models without your explicit written consent.
To personalise your experience — time-of-day aware prompts, mood-aware suggestions, streak milestones.
To ensure app stability — device and version data to diagnose crashes and bugs.
To comply with legal obligations — age verification, abuse prevention, law enforcement requests under valid legal process.

We do not use your personal information for advertising, profiling for sale to third parties, or any purpose not listed above.

4 Consent

We obtain your meaningful consent before collecting personal information. Consent is obtained:

At onboarding — you must agree to this Privacy Policy and our Terms of Service before creating an account.
In-app for sensitive features — location access for weather requires a separate, explicit permission grant via your device's OS prompt.
Opt-in only for optional data uses — if we ever wish to use your data for a new purpose (e.g., research), we will ask for fresh explicit consent.

Withdrawing consent

You may withdraw consent at any time by deleting your account (Settings → Account → Delete Account) or by emailing privacy@meetnoli.com. Withdrawal of consent may affect your ability to use some or all of the noli service. We will advise you of the implications before processing your withdrawal request.

5 How We Use Your Information

We use personal information only for the purposes identified at the time of collection. Specifically:

Check-in data and journal entries are used solely to render your personal history, constellation, and insights — they are not shared with any third party.
Conversation history with Nori is passed to OpenAI's API (see §7) in real time to generate responses. We pass only the minimum context required. We do not retain conversation data with OpenAI beyond the API call.
Aggregate, anonymised, non-identifiable statistics may be used internally to improve the app (e.g., "most commonly selected emotions"). These statistics cannot be used to identify you.
We will never sell, rent, trade, or disclose your personal information to third parties for marketing or advertising purposes.

6 Data Storage, Residency & Security

Where your data lives

All personal information is stored on servers located in Canada (ca-central-1 region) via Supabase, our database and authentication provider. We do not replicate, transfer, or process your personal data on servers located outside Canada.

🍁 Canadian data residency is a hard architectural constraint. It is enforced at the infrastructure level, not just policy. Your data does not leave Canada.

Security safeguards

We implement the following technical and organisational safeguards, consistent with PIPEDA Principle 7:

Encryption at rest: AES-256 encryption for all stored data via Supabase.
Encryption in transit: TLS 1.3 for all data transmitted between your device and our servers.
Row-Level Security (RLS): Database policies ensure no user can access another user's data, even if they possess a valid session token.
Authentication: JWT-based sessions with automatic expiry and secure refresh token rotation.
SOC 2 Type II: Our infrastructure provider (Supabase) holds SOC 2 Type II certification, the enterprise standard for security, availability, and confidentiality controls.
Access controls: Internal access to production data is limited to authorised personnel only, with audit logs maintained.
Vulnerability management: Dependencies are reviewed and updated regularly. Security disclosures can be made to privacy@meetnoli.com.

Data breach notification

In the event of a breach of security safeguards involving personal information that poses a real risk of significant harm, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as required under PIPEDA's breach notification requirements (Breach of Security Safeguards Regulations, SOR/2018-64).

7 Third-Party Services

We use a limited set of third-party services, each selected for their privacy posture and security certifications:

Service	Purpose	Data shared	Location
Supabase	Database, authentication, storage	All app data (stored, not processed for third-party purposes)	Canada (ca-central-1)
OpenAI	Nori AI responses (Compass tab)	Conversation messages (ephemeral — not retained by OpenAI per API data policy)	USA (API call only)
Open-Meteo	Weather data (optional feature)	Coarse location coordinates (no personal identifier)	EU (no PII transferred)
Apple / Google	App distribution, push notifications	Device token for push (anonymised)	Per App Store policies
Expo	App framework & OTA updates	App version, device OS (no personal data)	USA

⚠️ OpenAI API note: When you send a message to Nori, that message is transmitted to OpenAI's API to generate a response. Per OpenAI's API data usage policy, API inputs and outputs are not used to train OpenAI's models. We minimise the context sent to OpenAI and do not include your email address, name, or account identifiers in API calls.

We do not use Google Analytics, Facebook Pixel, advertising SDKs, or any behavioural tracking libraries.

8 Data Retention

Consistent with PIPEDA Principle 5 (Limiting Use, Disclosure, and Retention):

Active accounts: Data is retained for as long as your account is active or as needed to provide the service.
After account deletion: Personal data is deleted from our production systems within 30 days of account deletion, except where retention is required by law.
Backups: Encrypted database backups may retain your data for up to 90 days post-deletion for disaster recovery purposes, after which they are permanently purged.
Legal holds: We may retain data longer if required to comply with a legal obligation, court order, or to resolve a dispute.
Anonymised data: Aggregate statistical data that cannot be used to identify you may be retained indefinitely for product improvement purposes.

9 Your Rights Under PIPEDA

As a Canadian resident, you have the following rights under PIPEDA (and additional rights under applicable provincial legislation):

Right of access (§4.9): You may request a copy of the personal information we hold about you and an explanation of how it is used.
Right to correction (§4.9.5): If you believe your personal information is inaccurate or incomplete, you may request a correction.
Right to withdraw consent (§4.3.8): You may withdraw consent to the collection, use, or disclosure of your personal information, subject to legal and contractual restrictions.
Right to deletion: You may request deletion of your personal information. We will process all deletion requests within 30 days.
Right to know about disclosures: You may request a list of organisations to which we have disclosed your personal information.
Right to complain: You may file a complaint with the Office of the Privacy Commissioner of Canada.

How to exercise your rights

Most rights can be exercised directly in the app: Settings → Account → Privacy & Data. For requests not available in-app, email privacy@meetnoli.com with the subject "PIPEDA Rights Request." We will acknowledge within 5 business days and fulfil within 30 calendar days.

10 Children's Privacy

noli is intended for users aged 13 and over. Users under 13 are not permitted to create accounts. Users between 13 and 17 are considered minors and, where required by applicable law, parental or guardian consent may be required.

We do not knowingly collect personal information from children under 13. If we discover that we have collected personal information from a child under 13 without verifiable parental consent, we will delete that information promptly. If you believe we have collected personal information from a child under 13, please contact us at privacy@meetnoli.com.

11 Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this page.
Send an in-app notification to all active users.
Where changes require new consent, prompt you to review and re-consent before continuing to use the service.

Continued use of noli after the effective date of a revised Privacy Policy constitutes acceptance of the changes, provided no new consent is required. Where new consent is required, you may choose not to consent, in which case your ability to use affected features may be limited.

12 Contact & Complaints

For any privacy questions, requests, or complaints, contact our Privacy Officer:

Email: privacy@meetnoli.com
Postal: FL Professional Services, Privacy Officer, Canada

If you are not satisfied with our response, you have the right to file a complaint with:

Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, QC K1A 1H3
www.priv.gc.ca · 1-800-282-1376

Privacy questions?

We respond to all privacy inquiries within 5 business days.

privacy@meetnoli.com