Welcome to NORA (the "Platform"). At NORA, we are committed to protecting your privacy and ensuring that your personal information is handled in a safe and responsible manner. This Privacy Policy ("Policy") outlines how we collect, use, disclose, and protect your information when you use our Platform. It applies to all users and merchants who interact with NORA, including visitors to our website and users of our mobile application.
By accessing or using the Platform, you agree to this Policy. If you do not agree with the terms of this Policy, you should not use our Platform. We encourage you to read this Policy carefully and contact us if you have any questions.
NORA is the data controller responsible for your personal data collected through the Platform. This means that we determine the purposes and means of processing your personal data. Our contact details are:
As the data controller, NORA is responsible for ensuring that your personal data is processed in accordance with applicable data protection laws, including the General Data Protection Regulation (GDPR), Kenyan privacy laws, Rwandan privacy laws, and relevant U.S. privacy laws. We may engage third-party data processors to process your data on our behalf, and we ensure that these processors comply with strict data protection standards.
We may process your personal data based on your explicit consent. For example, we will obtain your consent before sending you marketing communications or collecting sensitive personal information.
Processing your personal data may be necessary to perform a contract to which you are a party or to take steps at your request before entering into such a contract. This includes processing data to provide you with our services, such as facilitating the purchase and use of gift cards.
We may process your personal data to comply with our legal obligations, such as maintaining records for tax purposes or responding to valid legal requests from authorities.
We may process your personal data based on our legitimate interests, provided that such processing does not override your rights and freedoms. Our legitimate interests include improving our services, preventing fraud, and enhancing the security of our Platform.
We will only process special categories of personal data (such as data concerning health or biometric data) if we have obtained your explicit consent or if we are required to do so by law.
We collect various types of personal data to provide and improve our services. This includes:
We collect personal data through various means, including:
Users and merchants may provide personal data to us when registering for an account, purchasing or issuing gift cards, and communicating with us. This data is necessary to deliver our services and ensure a seamless user experience.
We use your personal data to deliver our services, including facilitating transactions, managing your account, and providing customer support. We also use the data to improve our Platform's functionality, performance, and user experience.
We may use your personal data to communicate with you about your account, transactions, and our services. This includes sending transactional emails, notifications, and responding to your inquiries.
With your consent, we may use your personal data for marketing and promotional purposes. This includes sending you newsletters, special offers, and advertisements that may be of interest to you. You can opt-out of marketing communications at any time.
We process your personal data to comply with our legal obligations, such as maintaining business records, responding to lawful requests from public authorities, and complying with applicable laws and regulations.
We use your personal data to detect, prevent, and investigate fraudulent activities and security breaches. This helps us protect the integrity of our Platform and ensure the safety of our users and merchants.
For users, we collect and process the following personal data:
For merchants, we collect and process the following personal data:
We take reasonable steps to ensure that the personal data we collect is accurate, complete, and up-to-date. You are responsible for providing accurate information and updating it as necessary.
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including any legal, accounting, or reporting requirements. The specific retention period depends on the type of data and the purposes for which it was collected.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process the data, and whether we can achieve those purposes through other means.
When the retention period expires, or the data is no longer needed for the specified purposes, we will securely delete, destroy, or anonymize the personal data. This ensures that your data is not kept longer than necessary and is protected from unauthorized access or use.
You have the right to request access to the personal data we hold about you. This includes information on how we process your data, the purposes of processing, the categories of data processed, and any third parties with whom your data is shared. To exercise this right, please contact us at [Contact Information]. We will respond to your request within the timeframe required by applicable law.
If you believe that any personal data we hold about you is inaccurate or incomplete, you have the right to request its correction or completion. You can update your information directly through your account settings or by contacting us at [Contact Information]. We will rectify your data promptly in accordance with applicable law.
You have the right to request the deletion of your personal data under certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or if you withdraw your consent (where applicable). To request erasure, please contact us at [Contact Information]. We will evaluate your request and comply as required by applicable law.
You have the right to request the restriction of processing your personal data under specific conditions, such as when you contest the accuracy of the data or object to the processing. To request restriction, please contact us at [Contact Information]. We will restrict processing as required by applicable law while we review your request.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible. This right applies to data processed based on your consent or contractual necessity. To request data portability, please contact us at [Contact Information].
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. To exercise this right, please contact us at [Contact Information].
Merchants have similar rights as users regarding their personal data. This includes the rights to access, rectification, erasure, restriction of processing, data portability. Merchants can exercise these rights by contacting us at [Contact Information].
In addition to personal data, merchants provide business-related data, such as business registration details and contact information. While these data may not always be subject to the same privacy rights as personal data, we are committed to protecting all information provided by merchants and ensuring it is processed in accordance with applicable laws.
We seek your explicit consent before collecting or processing your personal data where required by law. This includes instances such as subscribing to marketing communications, accepting cookies, or collecting sensitive personal data. Consent is typically obtained through clear affirmative actions, such as checking a box or selecting a preference on our Platform.
You have the right to withdraw your consent at any time. To do so, please contact us at [Contact Information] or use the opt-out mechanisms provided in our communications. Note that the withdrawal of consent does not affect the lawfulness of any processing carried out based on consent before its withdrawal.
Withdrawing your consent may impact our ability to provide you with certain services or features. We will inform you about any such impact at the time you choose to withdraw your consent.
We implement a variety of technical and organizational measures to ensure the security of your personal data and protect it from unauthorized access, misuse, loss, or alteration. These measures include, but are not limited to, encryption, secure servers, firewalls, and regular security audits. We continuously improve our security practices to keep pace with evolving threats and technological advancements.
In the event of a data breach that poses a high risk to your rights and freedoms, we will notify you and the relevant data protection authorities without undue delay, in accordance with applicable laws. Our notification will include details about the nature of the breach, the types of data affected, the potential consequences, and the measures we are taking to address and mitigate the breach.
While we strive to protect your personal data, you also play a critical role in maintaining its security. You are responsible for keeping your account credentials confidential and using strong, unique passwords. Please notify us immediately if you suspect any unauthorized use of your account or other security breaches. We are not liable for any loss or damage resulting from your failure to protect your account information.
To provide our services effectively, we may transfer your personal data to countries outside your home country. These transfers will be conducted in compliance with applicable data protection laws. We utilize legally recognized transfer mechanisms, such as Standard Contractual Clauses approved by the European Commission, to ensure your data is adequately protected.
Your personal data may be processed in countries that may not offer the same level of data protection as your home country. Regardless of where your data is processed, we take steps to ensure that it remains protected in accordance with this Policy and applicable laws.
For data transfers to countries without an adequacy decision by the European Commission, we implement appropriate safeguards to protect your personal data. These safeguards may include contractual obligations for the recipients to adhere to data protection standards equivalent to those in your home country.
We may engage third-party service providers to process personal data on our behalf. These third-party processors provide services such as payment processing, data hosting, customer support, and marketing assistance. We ensure that these processors comply with strict data protection standards and process data only for the purposes specified by us.
We enter into data processing agreements with all third-party processors, requiring them to protect personal data in accordance with this Policy and applicable data protection laws. These agreements outline the processors' responsibilities, including implementing appropriate security measures, maintaining confidentiality, and complying with our data protection requirements.
Third-party processors are responsible for processing personal data strictly according to our instructions and for implementing adequate security measures to protect the data. They are also required to notify us promptly in the event of any data breaches or security incidents involving personal data.
Our Platform may contain links to third-party websites or services that are not operated or controlled by NORA. We are not responsible for the privacy practices or content of these external sites. We encourage you to review the privacy policies of any third-party sites you visit to understand how they collect, use, and protect your information.
We do not sell, trade, or otherwise transfer your personal data to third parties without your consent, except as required by law or as described in this Policy. We may share your data with trusted third parties who assist us in operating our Platform, conducting our business, or providing services to you, provided that these parties agree to keep your data confidential and use it only for the purposes we specify.
We use cookies and similar tracking technologies to enhance your experience on our Platform. Cookies are small data files stored on your device that help us understand how you use our services, remember your preferences, and improve our offerings. Types of cookies we use include essential cookies, performance cookies, functionality cookies, and advertising cookies.
Cookies serve various purposes, such as enabling the functionality of our Platform, providing personalized content, analyzing usage patterns, and delivering relevant advertisements. They help us understand your preferences and interactions, allowing us to enhance your overall experience.
You can manage your cookie preferences through your browser settings. Most browsers allow you to block cookies, delete cookies, or receive notifications when cookies are being sent. Please note that if you disable cookies, some features of our Platform may not function properly, and your experience may be affected.
For more detailed information about our use of cookies and how you can manage them, please refer to our Cookie Policy, which is available on our Platform. This policy provides comprehensive details about the types of cookies we use, their purposes, and how you can control them.
We will only send you marketing communications if you have explicitly opted in to receive them. You can opt out of receiving marketing emails at any time by following the unsubscribe link included in our emails or by contacting us at [Contact Information]. Your decision to opt out will not affect your ability to use our services.
Our marketing communications may include newsletters, promotional offers, updates on new products or services, and personalized advertisements. We tailor these communications based on your preferences and interactions with our Platform to provide you with relevant and valuable information.
With your consent, we may use your personal data to personalize marketing communications and make them more relevant to your interests. You can manage your marketing preferences in your account settings or by contacting us at [Contact Information].
Our Platform is not intended for use by children under the age of 18. We do not knowingly collect personal data from children under 18 without verifiable parental consent. If we become aware that we have collected personal data from a child under 18 without such consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe that your child under 18 has provided us with personal data without your consent, please contact us at [Contact Information]. We will take appropriate steps to investigate and address the issue.
In cases where we do collect personal data from minors, we will seek verifiable parental consent before processing their data. Parents or guardians have the right to review, delete, and refuse further collection of their child's personal data. We will provide mechanisms for parents to exercise these rights and ensure the child's privacy is protected.
We may use automated decision-making processes to analyze your personal data and make decisions that affect your use of our services. These processes can include profiling to understand your preferences and provide personalized content or recommendations.
Automated decision-making processes are designed to enhance your experience by tailoring our services to your needs. The logic behind these decisions involves analyzing data such as your interactions, preferences, and behaviors. The consequences may include personalized advertisements, recommendations, or content delivery based on your profile.
You have the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. To exercise this right or request human intervention, please contact us at [Contact Information]. We will review your request and provide a meaningful response.
To ensure compliance with data protection laws and to manage data protection matters, we have appointed a Data Protection Officer (DPO). The DPO is responsible for overseeing our data protection strategy and implementation to ensure compliance with GDPR, Kenyan, Rwandan, and U.S. privacy laws.
You can contact our DPO for any questions, concerns, or requests regarding your personal data and this Privacy Policy. The DPO's contact details are:
The DPO's responsibilities include monitoring compliance with data protection laws, providing advice on data protection impact assessments, acting as a point of contact for data subjects and supervisory authorities, and conducting regular training for employees on data protection practices.
We adhere to the General Data Protection Regulation (GDPR) for users and merchants in the European Economic Area (EEA). This includes implementing appropriate technical and organizational measures to protect personal data, ensuring lawful processing, and upholding data subject rights.
We comply with the Data Protection Act, 2019, in Kenya. This involves protecting personal data, ensuring data processing is lawful and transparent, and providing individuals with rights regarding their data. We also conduct data protection impact assessments as required.
We abide by the Law N0 058/2021 of 13/10/2021 relating to the protection of personal data and privacy in Rwanda. This includes obtaining consent for data processing, ensuring data accuracy, and protecting personal data from unauthorized access or breaches.
We comply with relevant U.S. privacy laws, such as the California Consumer Privacy Act (CCPA). This includes providing notice of data collection practices, offering the right to opt-out of the sale of personal data, and ensuring transparency in data processing activities.
Users are responsible for ensuring that the personal data they provide to us is accurate, complete, and up-to-date. You can update your information through your account settings or by contacting us at [Contact Information].
You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. Please notify us immediately if you suspect any unauthorized use of your account or other security breaches.
Merchants are responsible for providing accurate and complete business information. This includes business registration details, business names, and contact information. Merchants should update their information promptly to ensure it remains accurate.
Merchants must comply with this Privacy Policy and our Terms of Service when using the Platform. This includes adhering to data protection principles, protecting user data, and respecting user rights.
In the event of a data breach, we have established procedures to promptly identify, assess, and respond to the incident. If a breach occurs, we will investigate and take appropriate measures to mitigate the impact and prevent future occurrences.
If a data breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. This notification will include information about the breach, the types of data affected, and the measures we are taking to address the breach. We will also notify relevant data protection authorities as required by applicable law.
Following a data breach, we will take steps to remediate the situation, which may include enhancing security measures, providing support to affected individuals, and reviewing our data protection practices to prevent future incidents.
If you have any complaints or concerns regarding our data protection practices, please contact us at [Contact Information]. We will investigate your complaint and respond within a reasonable timeframe, in accordance with our internal complaint handling procedures.
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority. For users in the EEA, this would be the data protection authority in your country of residence. For users in Kenya, this would be the Office of the Data Protection Commissioner. For users in Rwanda, this would be the National Cyber Security Authority (NCSA).
In the event of a dispute that cannot be resolved through internal complaint handling or regulatory authorities, we may agree to resolve the dispute through arbitration. This process will be conducted in accordance with the rules of an agreed-upon arbitration organization and will be binding on both parties.
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or other factors. We will notify you of any significant changes by posting the updated Policy on our Platform and updating the "Last Updated" date at the top of this Policy.
For significant changes to this Policy, we will provide additional notice, such as sending an email notification or displaying a prominent notice on our Platform. We encourage you to review this Policy periodically to stay informed about how we protect your personal data.
By continuing to use our Platform after any updates to this Policy, you acknowledge and agree to the changes. If you do not agree with the updated Policy, you should stop using the Platform and contact us to deactivate your account.
If you have any questions or need assistance with your account, please contact our customer support team at [Customer Support Contact Information].
For any inquiries related to data protection or this Privacy Policy, please contact our Data Protection Officer (DPO) at:
While we strive to protect your personal data, we cannot guarantee absolute security due to inherent risks in data transmission and storage. We implement robust security measures, but you acknowledge that no method is entirely secure, and we cannot ensure or warrant the security of any information you transmit to us.
To the maximum extent permitted by applicable law, we shall not be liable for any indirect, incidental, consequential, or punitive damages arising from the use of our Platform or this Privacy Policy. Our total liability to you for any claims arising out of or related to this Policy or the Platform shall not exceed the amount paid by you, if any, for accessing the Platform.