Privacy Notice — Last updated: April 2026
This Privacy Notice applies to the Norta app and the website norta.app.
‍
§ 1 Controller
Norta GmbH, Rosenthaler Straße 38, 10178 Berlin, Germany
Email: support@norta.app
Represented by: Lara Planet, Jessica Holzbach
‍
§ 2 Data We Process
2.1 Registration Data
Email address, password (hashed), device information, time of registration.
2.2 Bank Account Data (via FinAPI)
Account transactions from the last 90 days (amount, date, recipient, category) — exclusively with your active consent. We receive read-only access. Your banking credentials are not stored by us, but exclusively by FinAPI.
2.3 Usage Data
App interactions, session duration, error logs (for technical operations and security).
2.4 AI Processing Data
Transaction data is transmitted in anonymised form for categorisation. No personally identifiable information (name, IBAN) is transmitted.
‍
§ 3 Legal Bases
We process your data on the following legal bases under GDPR Art. 6:
Art. 6(1)(b): Performance of contract — Processing is necessary for the performance of the user agreement, in particular for providing and operating the app and all associated features supporting your financial stabilisation.
Art. 6(1)(a): Consent — Bank account connection via FinAPI (PSD2).
Art. 6(1)(f): Legitimate interests — Security, error resolution, and app improvement.
‍
§ 4 Sub-Processors
We engage the following processors with whom we have entered into Data Processing Agreements (DPA) pursuant to Art. 28 GDPR:

Supabase Inc. (EU region) — Purpose: Database hosting (user data, transaction data). Region: EU (Frankfurt). DPA: supabase.com/privacy. SCCs: not applicable (EU region).
‍
Railway Corp. (EU region) — Purpose: Backend infrastructure (API server, categorisation pipeline). Location: Europe. DPA in progress (privacy@railway.com). Data transfers to third countries on the basis of SCCs pursuant to Art. 46 GDPR.

§ 5 Third-Party Controllers
Bank account connectivity is provided by FinAPI GmbH, acting as a licensed payment institution under PSD2. FinAPI enters into a direct contractual relationship with you as the user and processes your data as an independent data controller pursuant to Art. 4(7) GDPR. The legal basis is Art. 6(1)(b) GDPR. For more information: finapi.io/datenschutz
‍
§ 6 Retention Periods
We store your data for as long as your account is active or as necessary to provide the service.
Account and profile data: until account deletion + 30 days
Transaction data: until account deletion; anonymised aggregate data for max. 24 months thereafter
Billing data: 10 years (§ 147 AO)
Log data: max. 90 days
‍
§ 7 Your Rights
You have the following rights under the GDPR:
Access (Art. 15): Copy of your stored data — email support@norta.app
Rectification (Art. 16): Correction of inaccurate data
Erasure (Art. 17): Right to be forgotten
Restriction (Art. 18): Restriction of processing
Data portability (Art. 20): Export of your data
Objection (Art. 21): Objection to processing based on legitimate interests
Withdrawal (Art. 7(3)): Withdrawal of consent at any time
Right to lodge a complaint: You have the right to lodge a complaint with the competent supervisory authority: Berliner Beauftragte für Datenschutz und Informationsfreiheit, Friedrichstr. 219, 10969 Berlin, Germany.
‍
§ 8 Cookies and Tracking
Website: For information on cookies and tracking technologies used on the website, please refer to our Cookie Policy at norta.app/cookies.
App: The app uses the following tracking technologies:

Mixpanel — user behaviour analytics
Sentry — error detection and technical monitoring (technically necessary)

§ 9 Changes to this Privacy Notice
We reserve the right to update this Privacy Notice. Material changes will be communicated by email or in-app notification.

‍

‍