This Privacy Policy (“Policy”) describes how Nogra (Singapore-based individual operator) (“Nogra,” “we,” “us,” or “our”) collects, uses, discloses, and safeguards information in connection with our websites, subdomains, web applications, utilities, extensions, and official messaging-platform integrations (collectively, the “Services”). This Policy is incorporated into and forms part of our Terms of Service.
If you do not agree with this Policy, do not access or use the Services.
Contact: support[at]nogra.app
1. Scope and Roles
1.1 Unified Coverage. This Policy applies to all Services operated by or on behalf of Nogra across domains and subdomains under nogra.app and nogra.xyz, as well as any official integrations or extensions we provide on third-party platforms.
1.2 Controller. For personal data processed through the Services, Nogra acts as a data controller (PDPA/GDPR terminology) because we determine the purposes and means of processing. We are not a processor-for-hire to business customers.
1.3 Third-Party Services. Your interactions with third-party platforms, tools, or data sources (“Third-Party Services”) are governed by their own privacy terms, not this Policy.
2. Information We Collect
We may collect and process the following categories of information, depending on how you use the Services:
2.1 Account & Profile Information. Name, email address, username/handle, password hash (we do not store raw passwords), and optional profile attributes (e.g., avatar).
2.2 Identifiers from Platform Sign-Ins. If you sign in or connect through a platform (e.g., an identity provider or messaging platform), we may receive platform-specific identifiers and basic profile data (e.g., user ID, username/handle). Where a feature explicitly asks for an email address (e.g., for status updates/notifications), we may collect that email.
2.3 Messaging-Integration Metadata. For official integrations (e.g., bots or companion tools), we may process the platform user ID, chat or channel ID, timestamps, and limited operational metadata necessary to perform requested functions. We do not persist message bodies unless strictly required to deliver a requested feature.
2.4 Usage, Device, and Log Data. IP address, user-agent, device/OS/browser information, access times, pages or features used, referrers, and diagnostic/event logs.
2.5 Files & User Content. Content you upload or submit to use features of the Services (collectively, “User Content”).
2.6 Location Data. Where a feature requests device location, we process with your permission. Unless needed to fulfill the feature, we handle location ephemerally and do not persist precise coordinates; if stored, we may round/obfuscate precision.
2.7 Support & Communications. Content of messages you send us (including through contact forms), your email address, and related metadata.
2.8 Cookies and Similar Technologies. We use cookies/local storage and SDKs to support core functionality (e.g., authentication, security) and limited diagnostics/telemetry. See Section 7.
We do not intentionally collect special/sensitive categories (e.g., health, biometric, government ID). Do not submit such data through the Services.
3. Sources of Information
3.1 Directly from You. When you create an account, use features, submit content, or communicate with us.
3.2 Automatically. Through the Services (e.g., logs, telemetry, limited analytics/error reporting).
3.3 Third-Party Services. Identifiers and limited profile data when you sign in through, or use features connected to, third-party platforms (subject to your settings with those platforms).
4. How We Use Information
We use information for the following purposes and legal bases:
4.1 Provide and Operate the Services. To authenticate, enable features, fulfill requests, host and display User Content, and maintain functionality. (Legal bases: contract performance; legitimate interests.)
4.2 Security and Integrity. To detect, prevent, and respond to abuse, fraud, unauthorized access, and violations of our Terms, including rate-limiting, anomaly detection, and enforcement actions. (Legitimate interests; legal obligations.)
4.3 Diagnostics and Improvement. To monitor performance, fix errors, and improve the Services (e.g., limited telemetry and error/crash reporting). (Legitimate interests.)
4.4 Communications. To respond to inquiries and send important service notices (e.g., material changes to terms or privacy). (Contract performance; legitimate interests; legal obligations.)
4.5 Compliance and Legal. To comply with law, enforce our terms, and protect rights, property, users, and the public. (Legal obligations; legitimate interests.)
4.6 AI-Assisted Processing. Some features use automated/AI-assisted processing to interpret or transform inputs in the background (e.g., parsing a natural-language expense entry into structured data). See Section 8.
We do not engage in interest-based advertising at this time.
5. Legal Bases (where GDPR/UK GDPR applies)
When GDPR/UK GDPR applies, our processing relies primarily on:
- Contract performance (Article 6(1)(b)) for operating requested features;
- Legitimate interests (Article 6(1)(f)) for security, diagnostics, and improvement, balanced against user rights;
- Consent (Article 6(1)(a)) for optional features that require it (e.g., device location, non-essential cookies/SDKs in regions requiring consent); and
- Legal obligations (Article 6(1)(c)) where applicable.
6. How We Share Information
We share information only as described below:
6.1 Service Providers / Subprocessors. Vendors that host, store, send, or process data to help us operate the Services (e.g., infrastructure, security/CDN, email delivery, error/crash reporting, platform/PaaS). We require appropriate confidentiality, security, and data-protection commitments.
Live list (placeholder): https://nogra.app/legal/subprocessors
6.2 Platform Integrations. If you enable an integration or connect a third-party account, we may share necessary identifiers/metadata to operate that integration consistent with your settings with the platform.
6.3 Legal and Safety. We may disclose information if we believe in good faith it is necessary to comply with law or legal process; to protect rights, property, or safety of Nogra, users, or the public; to enforce our Terms; or to detect/prevent fraud, security, or technical issues.
6.4 Business Changes. If we reorganize or transfer operations, information may be transferred as part of that transaction, subject to this Policy.
6.5 No Sale/Share for Targeted Ads. We do not “sell” or “share” personal information for cross-context behavioral advertising as those terms are defined in certain U.S. state laws.
We do not publish a marketing directory of users’ names or logos without consent.
7. Cookies, Local Storage, and Similar Technologies
7.1 What We Use.
- Strictly Necessary: Authentication/session management, security, load balancing.
- Diagnostics/Telemetry: Limited error/crash reporting and performance metrics.
7.2 Controls. Your browser may allow you to block or delete cookies; some features may not function without them. In regions where required, we may display consent tools to manage non-essential cookies/SDKs.
7.3 Global Privacy Control (GPC). We do not currently respond to GPC or similar global opt-out signals. If this changes, we will update this Policy.
8. AI-Assisted Processing
8.1 How It Works. Certain backend features use automated or AI-assisted processing to interpret or transform inputs you provide (e.g., converting a free-form text description into structured fields). This processing may occur transparently without a separate UI.
8.2 Data Handling. We do not persist prompts/outputs longer than necessary to perform the feature and operate the Services, apart from limited operational logs and diagnostics consistent with the retention schedule below.
8.3 Third-Party Model Providers. When we use a third-party model provider, your inputs/outputs may be transmitted to that provider for processing. We do not opt into provider training programs that use our API data, and we do not intentionally transmit special categories of personal data. Providers may retain limited logs for abuse or operational purposes for a short period (currently disclosed by some providers as up to 30 days).
8.4 Outputs Are Not Advice. AI-assisted outputs may be inaccurate or incomplete and are not a substitute for professional advice.
9. International Data Transfers
9.1 Locations. We may process and store information in Singapore, the United States, the European Union, and other locations where we or our service providers operate.
9.2 Transfer Mechanisms. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) for transfers from the EEA/UK/Switzerland to third countries.
9.3 EU/UK Representative. We do not currently appoint an EU or UK representative; our offering to EU/UK users is limited and incidental. If our targeting expands, we may reassess.
10. Retention
We apply the following baseline retention practices:
- Account/Profile Data: For the life of the account and up to 30 days after deletion for operational closure, unless a longer period is required by law or necessary for legal claims.
- Operational Logs/Telemetry: Generally up to 90 days for app/server logs; 30 days for authentication logs; up to 90 days for error/crash diagnostics.
- Backups: Rolling backups retained for approximately 35 days.
- User Content/Files: Retained until you delete the content or close your account, subject to operational delays and backup cycles.
- Legal Holds: If reasonably necessary to comply with law or to protect our rights, we may preserve specific data beyond the standard periods.
When retention periods expire, we aim to delete or de-identify data within a reasonable time.
11. Your Rights and Choices
Your rights depend on your location and applicable law:
11.1 Access, Correction, Deletion. You may request access to or deletion of your personal data, or correction of inaccuracies. Where self-service tools are available, use them; otherwise contact support[at]nogra.app. We generally respond within 30 days.
11.2 Portability. You may request an export (e.g., JSON/CSV) where technically feasible.
11.3 Consent Management. Where required, you may manage non-essential cookies/SDKs via regional consent tools.
11.4 Objections and Restrictions (GDPR/UK GDPR). You may object to processing based on legitimate interests and request restrictions in certain cases.
11.5 Singapore PDPA Rights. You may request access and correction, and you may withdraw consent (if consent is the basis) subject to legal or contractual restrictions.
11.6 US State Privacy Laws. Where applicable, you may have rights to know, access, delete, correct, or obtain a portable copy. We do not “sell” or “share” personal information for targeted advertising.
11.7 Identity Verification. We may request reasonable information to verify your identity before fulfilling requests.
12. Children’s Privacy
The Services are not directed to children and are intended for users 13 or older (or older if local law requires). We do not knowingly collect personal data from children. If you believe a child provided personal data, contact support[at]nogra.app and we will take appropriate steps.
13. Security
We implement commercially reasonable technical and organizational safeguards designed to protect information, including encryption in transit and at rest provided by our infrastructure providers, hashed passwords, access controls, secret management, least-privilege practices, administrative 2FA, and monitoring. No method of transmission or storage is completely secure.
14. Third-Party Services and Data Sources
14.1 Independent Privacy Practices. Third-Party Services have their own privacy policies; we are not responsible for their practices.
14.2 Restricted/Non-Public Endpoints. We do not authorize acquisition or dissemination of data from non-public, restricted, or unauthorized endpoints (ours or third parties) via the Services. We may suspend or remove features that depend on such data or upon a provider’s request.
15. Changes to this Policy
We may update this Policy from time to time. For material changes, we will update the “Last Updated” date and provide reasonable notice (e.g., a site-wide banner for approximately 15 days). Your continued use of the Services after changes take effect constitutes acceptance.
16. Contact
For privacy inquiries, requests, or complaints, contact: support[at]nogra.app
We currently do not publish a physical mailing address. If required by law in your country, you may still contact us via the email above to obtain address details for a specific statutory process.
17. Region-Specific Disclosures
17.1 EEA/UK/Switzerland. Nogra is the controller. Our primary bases for processing are contract performance and legitimate interests; consent is used where required (e.g., non-essential cookies, device location). Transfers outside the EEA/UK/CH rely on appropriate safeguards (e.g., SCCs). You may lodge a complaint with your local supervisory authority. We do not appoint an EU/UK representative at this time.
17.2 Singapore (PDPA). We collect, use, and disclose personal data for reasonable purposes notified in this Policy, with appropriate protection, accuracy, and retention limits. We will make reasonable efforts to notify affected users of a data breach that results in, or is likely to result in, significant harm.
17.3 United States State Laws. We do not “sell” or “share” personal information for cross-context behavioral advertising. We do not respond to Global Privacy Control (GPC) signals at this time. You may exercise applicable rights by contacting support[at]nogra.app.
18. Data Controller
Nogra (Singapore-based individual operator)
Contact: support[at]nogra.app
Glossary (Informative)
- “Personal data/personal information” means information that identifies or can reasonably be linked to an identifiable individual.
- “Process/processing” means any operation performed on personal data (e.g., collect, store, use, disclose, delete).
- “Subprocessor” means a service provider that processes personal data on our behalf.
By using the Services, you acknowledge that you have read and understood this Privacy Policy.