privacy policy

last updated: january 28, 2026

our commitment

noro is built on the principle of privacy by design. we believe you should have complete control over your data. this policy explains what information we collect, how we use it, and the measures we take to protect your privacy.

zero-knowledge encryption

noro uses end-to-end encryption with a zero-knowledge architecture:

  • all secrets and vault contents are encrypted client-side using AES-256-GCM
  • encryption keys are derived from your master password using Argon2id
  • we never have access to your unencrypted data or encryption keys
  • even if compelled by law, we cannot provide your decrypted data

information we collect

account information

when you create an account, we collect:

  • email address (for account recovery and notifications)
  • hashed authentication credentials (never stored in plain text)
  • account creation timestamp

encrypted data

we store your encrypted vault data and shared secrets. this data is encrypted before it reaches our servers and we cannot decrypt it.

usage data

we collect minimal, anonymized usage data:

  • aggregate feature usage statistics (not tied to accounts)
  • error logs for debugging (stripped of personal information)
  • performance metrics

information we do not collect

  • your master password or secret key
  • unencrypted contents of your vault or shared secrets
  • IP addresses (beyond what's needed for rate limiting)
  • tracking cookies or advertising identifiers
  • browsing history outside of noro

how we use your information

we use collected information to:

  • provide and maintain the service
  • authenticate your identity
  • send essential account notifications
  • improve service reliability and performance
  • comply with legal obligations

data sharing

we do not sell, rent, or trade your personal information. we may share data only in these circumstances:

  • with service providers who help operate noro (under strict confidentiality agreements)
  • when required by law (but we can only provide encrypted data)
  • to protect the rights and safety of users and the public

data retention

  • shared secrets: automatically deleted after expiration or view limit
  • vault data: retained until you delete your account
  • account information: deleted within 30 days of account deletion
  • anonymized analytics: retained indefinitely for service improvement

your rights

you have the right to:

  • access your account information
  • export your encrypted vault data
  • delete your account and all associated data
  • opt out of non-essential communications
  • request information about how your data is used

security measures

we implement comprehensive security measures:

  • all data transmitted over TLS 1.3
  • infrastructure hosted on SOC 2 compliant providers
  • regular security audits and penetration testing
  • encrypted backups with geographic redundancy
  • strict access controls for employees

cookies

we use only essential cookies required for authentication and session management. we do not use tracking cookies, analytics cookies, or advertising cookies.

children's privacy

noro is not intended for users under 16 years of age. we do not knowingly collect information from children.

international transfers

your encrypted data may be processed in countries other than your own. we ensure appropriate safeguards are in place for any international data transfers.

changes to this policy

we may update this privacy policy from time to time. we will notify you of material changes via email or through the service. the "last updated" date at the top indicates when the policy was last revised.

contact us

for privacy-related questions or concerns, contact us at privacy@noro.sh
