Nooah is operated by Snowrose Holding Ltd, a company incorporated in Cyprus.
| Legal name | Snowrose Holding Ltd |
| Registered address | Griva Digeni 36, of. 501, 1066 Nicosia, Cyprus |
| Trading as | Nooah |
| Website | nooah.ai |
| Data protection contact | info@nooah.ai (subject: “Data Protection”) |
Snowrose Holding Ltd is the data controller for all personal data processed through the Nooah service. This means we determine the purposes and means of processing your data.
The lead supervisory authority for data protection matters is the Commissioner for Personal Data Protection (Office of the Commissioner for Personal Data Protection, Cyprus).
This policy applies to:
It describes what personal data we collect, why we collect it, the legal basis for each processing activity, who we share it with, how long we keep it, and what rights you have.
We process personal data for the following purposes. For each purpose we identify the data category, the reason we collect it, and the legal basis under GDPR Article 6 (or Article 9 for special category data).
What: Name or handle, email address, Telegram user ID, timezone, language preference, account plan.
Why: To create and manage your account, authenticate you, deliver the service, and communicate with you about your account.
Legal basis: Article 6(1)(b) — performance of a contract with you.
Retention: For the duration of your account. Deleted 30 days after account closure, except where legal retention obligations apply.
What: Messages, notes, goals, habits, and tasks you send to Nooah; documents, photos, and files you upload (e.g. receipts, notes, lab results); voice messages (transcribed for processing); onboarding information you share at setup.
Why: To provide the core service — processing your inputs, generating responses, and maintaining the context that makes the assistant useful.
Legal basis: Article 6(1)(b) — performance of a contract with you.
Retention: For the duration of your account. Permanently deleted within 30 days of account closure. Backup copies purged within 90 days.
What: Structured facts, summaries, tags, reminders, preferences, and inferred relationships derived from your content by AI processing. Memory Items are not directly provided by you — they are generated by Nooah from what you share over time.
Why: To personalise the service — enabling Nooah to remember context, surface relevant information, and adapt to your needs without you repeating yourself.
Legal basis: Article 6(1)(b) — performance of a contract with you (personalisation is a core service feature); Article 9(2)(a) for any Memory Items derived from health-related content (see Section 3.4).
Retention: For the duration of your account. Deleted within 30 days of account closure or upon request.
What: Any health-related information you voluntarily choose to share — including physical symptoms, medications, medical history, mental health, sleep, nutrition, energy, or health goals. Health-related Memory Items derived from this content are also subject to this section.
Why: To enable Nooah's health-related assistance features — summaries, reminders, and personalised observations. This data is never required to use Nooah.
Legal basis: Article 9(2)(a) — your explicit consent. Health data is a special category under GDPR and requires a stronger basis than standard personal data. Before enabling health-related features or processing health-related information, we request your separate explicit consent in the product. You may withdraw this consent at any time by contacting info@nooah.ai. Withdrawal will result in deletion of all stored health-related content and associated Memory Items within 30 days and will disable health-related features.
Retention: Until you withdraw consent or close your account. Deleted within 30 days of withdrawal or account closure.
What: Financial information you voluntarily share (e.g. budgets, expenses, account summaries, bank statements); legal documents or information you upload or describe (e.g. contracts, visa documents, insurance, tax documents).
Why: To provide Nooah's finance and legal organisation features — summaries, reminders, and contextual assistance. Always optional.
Legal basis: Article 6(1)(b) — performance of a contract with you.
Note: Some documents you upload may contain special categories of personal data (such as immigration status, criminal records, or medical references) or personal data relating to other people. Where required by applicable law, we will request additional consent or limit processing to what is necessary to provide the Service. See also Section 9 (Data About Other People).
Retention: For the duration of your account. Deleted within 30 days of account closure.
What: Career context, workplace information, relationship descriptions, and family context you choose to share with Nooah. Always optional.
Legal basis: Article 6(1)(b) — performance of a contract with you.
Retention: For the duration of your account. Deleted within 30 days of account closure.
What: Telegram chat ID (technical identifier); request timestamps; sanitised error logs (no message content); token usage counts per session; routine execution status; daily usage statistics (aggregate counts, not content).
Why: To operate and secure the service, enforce usage limits, diagnose technical problems, and prevent abuse.
Legal basis: Article 6(1)(f) — legitimate interest in maintaining a secure and reliable service. We do not process message content in technical logs.
Retention: 90 days for operational logs. Aggregated statistics not linked to personal data may be retained longer.
What: Email content if you contact us at info@nooah.ai.
Why: To respond to your enquiry and maintain a record for follow-up.
Legal basis: Article 6(1)(f) — legitimate interest; Article 6(1)(c) — legal obligation for data subject rights requests.
Retention: 2 years from last contact, or as required by legal obligations.
What: Page views, session duration, traffic source, approximate device and browser type. IP addresses are anonymised before storage.
Why: To understand how visitors use the nooah.ai website and improve its content.
Legal basis: Article 6(1)(a) — your consent, given through the cookie consent banner. Analytics cookies are activated only after you click “Accept.” If you decline, no analytics data is collected.
Retention: Per analytics provider settings (up to 14 months).
What: Subscription and purchase records — plan, transaction amounts and dates, billing country, and invoice records. Payments are taken by our Reseller acting as Merchant of Record (see Section 6); we do not receive or store your full payment card number.
Why: To manage your Subscription and entitlements, prevent fraud and abuse, keep accounting records, and comply with tax and accounting law.
Legal basis: Article 6(1)(b) — performance of a contract with you; Article 6(1)(c) — compliance with a legal obligation (tax and accounting records).
Retention: Transaction and invoice records are retained for the period required by applicable tax and accounting law (generally at least 6 years), independent of account closure.
Nooah is an AI assistant. When you interact with Nooah, you are interacting with an AI system, not a human. We make this disclosure to support transparency and to align with EU AI Act transparency principles, including those set out in Article 50.
We use Anthropic's Claude large language model, accessed via Anthropic's commercial API.
When you send a message to Nooah, the following is transmitted to Anthropic's API for processing:
We do not send your entire history on every request — only the context relevant to the current interaction.
We do not use your content to train or fine-tune AI models.
We use Anthropic's commercial API. Anthropic processes API inputs and outputs according to its commercial API terms and applicable data processing terms. We do not opt in to any programme that would allow Anthropic to use your content for model training. Where available and appropriate, we may use retention-reducing configurations to minimise how long Anthropic retains API data.
For details on Anthropic's data handling, see anthropic.com.
Nooah does not make automated decisions about you that produce legal effects or similarly significant consequences. All recommendations, summaries, and suggestions generated by Nooah are informational. You make all final decisions. GDPR Article 22 protections are respected.
AI-generated content may be inaccurate, incomplete, or outdated. Nooah is a personal organisation tool — not a substitute for professional medical, financial, or legal advice. See our Terms of Service for full disclaimers.
Nooah builds Memory Items from your content over time (see Section 3.3). Memory Items are created by automated AI systems and may be incomplete, inaccurate, or based on incorrect interpretation of your inputs.
You may access, correct, delete, or export your Memory Items at any time by contacting info@nooah.ai. Deleting Memory Items may reduce the quality of personalised features.
The table below lists the sub-processors we currently use. All sub-processors are bound by data processing agreements that restrict them to processing your data solely to provide services to us.
| Sub-Processor | Role | Data Processed | Location | Transfer Basis |
|---|---|---|---|---|
| Anthropic PBC | AI model provider (Claude API) | Messages, Memory Items, loaded context | USA | Standard Contractual Clauses |
| Supabase Inc. | Database and file storage | All user content, account data | EU (where selected) | EU hosting where applicable; SCCs otherwise |
| Railway / Fly.io | API and worker hosting | Data in transit; no persistent user storage | USA / EU | SCCs |
| Inngest Inc. | Scheduled routine orchestration | Routine metadata, execution status | USA | SCCs |
| Functional Software (Sentry) | Error monitoring | Sanitised error logs (no message content) | USA | SCCs |
| Telegram Messenger Inc. | Message delivery platform | Message content, Telegram user ID | Netherlands (EEA users) | EEA data centre; see Section 12 |
| Google LLC | Website analytics (GA4); website hosting (Firebase) | Anonymised usage data (consent only); website files | USA | SCCs; EU-US Data Privacy Framework |
| Meta Platforms Ireland Ltd | Advertising measurement (Meta Pixel): website conversion tracking and optimisation | Pixel events, ad click identifiers, cookie IDs (marketing consent only) | Ireland / USA | SCCs; acts as independent/joint controller for ad measurement |
| Payment & tax provider (Merchant of Record) | Reseller that processes payments, billing, invoicing, fraud prevention, and tax compliance for paid features | Name, email, billing address/country, transaction and subscription records (no full card number) | EU / UK | Acts as Merchant of Record; for payment and tax data, an independent controller; SCCs where applicable |
Our payment Reseller acts as Merchant of Record for paid features and, for payment and tax data, as an independent controller. Its identity is disclosed to you at checkout, and its name is available on request at info@nooah.ai.
We do not sell your data. With your marketing consent, we share limited website-interaction data (Meta Pixel events and ad click identifiers) with Meta for advertising measurement and optimisation. Without marketing consent, we do not share your data with third parties for advertising.
This list reflects sub-processors currently in use. We update this policy when sub-processors change. For material additions, we will provide at least 14 days' notice before a new processor begins processing your data.
Snowrose Holding Ltd is established in Cyprus (EU). Some sub-processors are located in the United States, which is not covered by an EU adequacy decision for all transfer scenarios.
For transfers to US-based sub-processors, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission (2021 Implementing Decision), incorporated into our data processing agreements with each provider. Google LLC is additionally certified under the EU-US Data Privacy Framework.
We have assessed the laws and practices of each destination country. Where US surveillance law creates residual risks, we rely on contractual and technical mitigations — including encryption in transit and at rest, and access controls — implemented by each sub-processor.
You may request copies of applicable transfer documentation by contacting info@nooah.ai.
We keep your data only for as long as necessary for the purpose it was collected.
| Data Category | Retention Period |
|---|---|
| Account and identity data | Account duration + 30 days after closure |
| Messages and conversations | Account duration + 30 days after closure |
| Memory Items | Account duration + 30 days after closure, or earlier on request |
| Health information and related Memory Items | Until consent withdrawn + 30 days |
| Financial, legal, career, family content | Account duration + 30 days after closure |
| Backup copies | Purged within 90 days of account closure |
| Technical / operational logs | 90 days |
| Support communications | 2 years from last contact |
| Billing and transaction records | Period required by tax and accounting law (generally at least 6 years), independent of account closure |
| Website analytics | Up to 14 months (provider default) |
After the applicable retention period, data is permanently deleted and cannot be recovered.
You may choose to upload or forward messages, documents, contacts, or other materials containing personal data about other people — family members, colleagues, or third parties.
We process this data only to provide the Service to you. You are responsible for ensuring that you have an appropriate legal basis or permission to share information about others with Nooah. Do not upload data about others that you do not have the right to share.
Do not send the following through Nooah unless the Service specifically requests it through a secure, dedicated flow:
We implement the following security measures to protect your personal data:
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Commissioner for Personal Data Protection within 72 hours and inform affected users without undue delay.
Nooah is delivered primarily through the Telegram messaging platform.
Messages sent to or from Nooah through Telegram are transmitted via Telegram's infrastructure and are subject to Telegram's own Terms of Service and Privacy Policy. Telegram is not operated or controlled by Nooah. Telegram may process your data as an independent controller for its own services. Nooah is not responsible for Telegram's availability, security, retention, or data handling practices.
For EEA users, Telegram stores data in data centres in the Netherlands. We recommend reviewing Telegram's privacy policy at telegram.org/privacy.
You should not send information through Telegram that you would not be comfortable sending through a third-party messaging platform. If Telegram is unavailable, restricts its API, or suspends the Nooah bot, the Telegram interface of the Service may be interrupted.
| Type | Legal Basis | Examples | Can Opt Out? |
|---|---|---|---|
| Strictly necessary | Legitimate interest / contract | Cookie consent preference stored locally | No |
| Analytics | Consent | Google Analytics (_ga, _gid, _ga_*) | Yes — decline in banner |
| Marketing | Consent | Meta Pixel (_fbp, _fbc); ad attribution data (nooah_addata) | Yes — decline in banner |
Analytics and marketing cookies are activated only after you allow the matching category in our cookie banner. You can allow analytics and marketing independently. If you decline a category, no cookies for that category are set.
You can withdraw consent at any time by clearing your browser's site data for nooah.ai and revisiting the site.
We use Google Analytics 4 on our website. Data collected includes page views, session duration, approximate device type, and traffic source. IP addresses are anonymised. Data is processed by Google LLC under SCCs and the EU-US Data Privacy Framework. See policies.google.com/privacy.
With your marketing consent, we use the Meta Pixel. It sends website events (page views and a “Lead” signal when you open our Telegram link) to Meta Platforms Ireland Ltd for advertising measurement and optimisation, using cookies (_fbp, _fbc) and ad click identifiers. Data may be transferred to Meta in the USA under Standard Contractual Clauses. If you do not give marketing consent, the Pixel is not loaded. See facebook.com/privacy/policy.
Nooah is not intended for users under 16 years of age, or the minimum age for digital consent in your country if higher. We do not knowingly collect personal data from children. If you believe we have received data from a child, contact info@nooah.ai and we will delete it promptly.
Under GDPR and applicable Cyprus data protection law, you have the following rights. Contact info@nooah.ai to exercise them. We will respond within one month. For complex requests, we may extend this by up to two further months with notice.
| Right | What It Means |
|---|---|
| Access (Art. 15) | Receive a copy of the personal data we hold about you and information on how we process it. |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete data. |
| Erasure (Art. 17) | Request deletion of your personal data. We will delete your account, conversations, Memory Items, and uploaded content within 30 days. Some data may be retained where legally required. |
| Restriction (Art. 18) | Request that we limit processing in certain circumstances (e.g. while you contest accuracy). |
| Portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON). Applies to data processed on the basis of contract or consent. |
| Objection (Art. 21) | Object to processing based on legitimate interests. We will stop unless we have compelling legitimate grounds. |
| Withdraw consent | Withdraw any consent (health data, analytics) at any time without affecting the lawfulness of prior processing. |
| No solely automated decisions (Art. 22) | Not be subject to decisions based solely on automated processing with legal or significant effects. Nooah does not make such decisions. |
If you believe we have not handled your personal data correctly, you have the right to lodge a complaint with the supervisory authority:
Commissioner for Personal Data Protection
1 Iasonos Street, 1082 Nicosia, Cyprus
commissioner@dataprotection.gov.cy
+357 22 818 456
dataprotection.gov.cy
You may also contact the supervisory authority in your country of residence (for EU/EEA users).
We may update this Privacy Policy from time to time. If we make material changes, we will notify active users via Telegram message or email at least 14 days before the changes take effect.
For any questions about this Privacy Policy, your personal data, or to exercise your rights:
Snowrose Holding Ltd
Griva Digeni 36, of. 501
1066 Nicosia, Cyprus
Email: info@nooah.ai (subject: “Data Protection” or “Data Rights Request”)
Website: nooah.ai