Privacy Policy

Privacy Notice — Last updated: June 2026

This Privacy Notice applies to the Norta app and the website norta.app.

§ 1 Controller

Norta GmbH, Rosenthaler Straße 38, 10178 Berlin, Germany
Email: support@norta.app
Represented by: Lara Planet, Jessica Holzbach

§ 2 What data we process

2.1 Registration and profile data

When you create an account: email address, password (hashed), and time of registration. If you sign in with Apple or Google, we receive your login token; Apple sign-in may also provide your name. With Apple, you can use a private relay email address. During onboarding, you provide additional details we use to personalise the app and your financial overview: your name, age, and city.

2.2 Bank account data (via finAPI)

With your active consent, we retrieve your account transactions of the last 90 days: amount, date, counterparty (name, IBAN), payment reference, and category. Our access is strictly read-only. Your banking credentials never reach our servers — bank authentication happens directly with finAPI, and the connection credentials we store are randomly generated platform passwords, encrypted with AES-256.

2.3 Usage analytics (only with your consent)

How you interact with the app (screens viewed, features used), collected via PostHog, hosted in the EU. This only happens if you opt in during onboarding, and you can withdraw your consent at any time in the app settings. Analytics events are filtered so they never contain financial details, names, or email addresses, and no location data is derived from your IP address.

2.4 Technical data & error logs

Error reports and technical diagnostics (via Sentry, EU data residency) to keep the app stable and secure: technical details about what went wrong, your device platform and app version, and a pseudonymous user ID. We configure error reporting to exclude personal data; your email address and banking credentials are never included.

2.5 AI processing

To provide the app's core functionality — your financial overview, the chat, and personalised guidance — we process your data using a large language model: your chat messages together with relevant context from your financial situation (such as your debts, recurring payments, and income). This processing is essential to the service; the app cannot be used without it, which is why we inform you about it during onboarding. Processing runs on Google Cloud (Vertex AI) using Anthropic's Claude model, exclusively on EU servers. Your data is never used to train AI models — this is contractually guaranteed.

2.6 AI-assisted categorisation

To sort your transactions into income and expense categories automatically, transaction details are processed by the same EU-hosted AI service described in 2.5. This includes the payment reference and counterparty details (name and IBAN), as these are needed to recognise recurring payments, self-transfers, and for general category attribution. This data is used solely for categorising your transactions, is not used to train AI models, and is not shared with anyone else.

§ 3 Legal Bases

We process your data on the following legal bases under GDPR Art. 6:

Art. 6(1)(b): Performance of contract — Processing is necessary for the performance of the user agreement, in particular for providing and operating the app and all associated features supporting your financial stabilisation.

Art. 6(1)(a): Consent — bank account connection via finAPI (PSD2) and usage analytics (together with Sec. 25 TDDDG).

Art. 6(1)(f): Legitimate interests — Security, error resolution.

No automated decision-making: Norta does not make automated decisions that produce legal or similarly significant effects on you (Art. 22 GDPR). All recommendations — such as suggested repayment orders — are suggestions only; every decision remains with you.

Which data is required: Registration data, bank account data, and AI processing (2.1, 2.2, 2.5, 2.6) are required to provide the service — without them, Norta cannot function. Usage analytics (2.3) is voluntary; you can use the app fully without opting in.

§ 4 Data Processors

We engage the following data processors with whom we have entered into Data Processing Agreements (DPA) pursuant to Art. 28 GDPR. Where a provider is based outside the EU, we safeguard the EU level of data protection through the Standard Contractual Clauses issued by the European Commission (SCCs, Art. 46 GDPR) or certification under the EU-US Data Privacy Framework.

  • Supabase Inc. — database hosting (user data, transaction data). Region: EU (Frankfurt). Safeguard: SCCs (included in DPA).
  • Railway Corp. — backend infrastructure (API server, categorisation pipeline). Deployment region: EU. Safeguard: SCCs.
  • Google Cloud / Vertex AI (Google Ireland Ltd.) — AI processing for chat and transaction categorisation (see 2.5, 2.6), using Anthropic's Claude model. Region: EU. No training on user data.
  • PostHog, Inc. — usage analytics (opt-in only, see 2.3). Hosting: EU.
  • Functional Software, Inc. (Sentry) — error monitoring (see 2.4). EU data residency. Safeguard: SCCs.
  • Expo (650 Industries, Inc.) — push notification delivery and app updates. Expo only stores the push token; notification contents are deleted after delivery. US-based; safeguard: EU-US Data Privacy Framework.

§ 5 Third-Party Controllers

Bank account connectivity is provided by finAPI GmbH, acting as a licensed payment institution under PSD2. finAPI enters into a direct contractual relationship with you as the user and processes your data as an independent data controller pursuant to Art. 4(7) GDPR. The legal basis is Art. 6(1)(b) GDPR. For more information: finapi.io/datenschutz

§ 6 Retention Periods

We store your data for as long as your account is active or as necessary to provide the service.

Account and profile data: until account deletion + 30 days

Transaction data: until account deletion; anonymised aggregate data for max. 24 months thereafter

Billing data: 10 years (Sec. 147 German Fiscal Code – AO)

Log data: max. 90 days

§ 7 Your Rights

You have the following rights under the GDPR:

Access (Art. 15): Copy of your stored data — email support@norta.app

Rectification (Art. 16): Correction of inaccurate data

Erasure (Art. 17): Right to be forgotten

Restriction (Art. 18): Restriction of processing

Data portability (Art. 20): Export of your data

Objection (Art. 21): Objection to processing based on legitimate interests

Withdrawal (Art. 7(3)): Withdrawal of consent at any time

Right to lodge a complaint: You have the right to lodge a complaint with the competent supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, Germany.

Exercising these rights is free of charge. We respond within one month of receiving your request.

§ 8 Cookies and Tracking

Website: For information on cookies and tracking technologies used on the website, please refer to our Cookie Policy at norta.app/cookies.

App: The app uses the following technologies:

PostHog — usage analytics, EU-hosted, only with your opt-in consent (see 2.3). You can withdraw consent at any time in the app settings.

Sentry — error detection and technical monitoring (technically necessary, see 2.4).

Expo — delivery of push notifications, if you enable them on your device.

§ 9 Changes to this Privacy Notice

We reserve the right to update this Privacy Notice. Material changes will be communicated by email or in-app notification.