Legal

Privacy Policy

We take the privacy of your health data seriously. This policy explains exactly what we collect, why, and how we protect it.

Last updated: 1 January 2025

1. Who We Are

NORAO SAS ("NORAO", "we", "us", "our") is the controller of the personal data you provide when using the NORAO wearable ECG belt, the NORAO mobile application, and associated online services (collectively, the "Service"). Our registered office is in France.

For all privacy-related enquiries, contact our Data Protection Officer at: privacy@norao.fr.

2. Scope of This Policy

This Privacy Policy applies to all personal data collected through or in connection with the Service, including data collected via the NORAO mobile application, our website (norao.fr), customer support communications, and any other interactions with NORAO. It does not apply to third-party services you may connect to through the app, which are governed by their own privacy policies.

3. Data We Collect

3.1 Account & Identity Data
When you create an account: your name, email address, date of birth, sex assigned at birth (for physiological calibration), and your chosen password (stored in hashed form).

3.2 Health & Biometric Data
ECG waveform recordings, heart rate measurements, heart rate variability (HRV) data, rhythm classifications, and related derived metrics generated by the NORAO device. This data constitutes special category (sensitive) personal data under GDPR Article 9 and is processed only with your explicit consent.

3.3 Device & Usage Data
Device identifiers (unique hardware ID), firmware version, Bluetooth pairing logs, app session metadata, feature usage patterns, and crash diagnostics. This data is used to maintain and improve the Service and is not linked to your health records.

3.4 Technical Data
IP address (anonymised after 24 hours), browser type and version, operating system, referring URLs, and pages visited on norao.fr. Collected via standard web server logs and first-party analytics.

3.5 Communications Data
If you contact us by email or via our contact form, we retain the contents of that correspondence and your contact details for the purpose of responding to your enquiry and maintaining a record of communications.

4. How We Use Your Data

We process your personal data for the following purposes and on the following legal bases:

We do not use your health data for advertising, profiling for marketing purposes, or any purpose incompatible with those listed above.

5. Data We Do NOT Collect or Sell

NORAO does not:

6. Data Storage and Security

Local-first architecture: ECG recordings and derived health metrics are stored primarily on your device. Synchronisation to NORAO servers is optional and requires your explicit activation in the app settings.

Where data is transmitted or stored on our servers, we apply:

No system is completely immune to attack. In the event of a data breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by GDPR Articles 33–34.

7. Data Retention

We retain your data only for as long as necessary for the purposes for which it was collected:

You can delete your account and all associated data at any time through the app settings or by contacting us at privacy@norao.fr.

8. Sharing Your Data

We share your data only in the following limited circumstances:

All data processing by third-party processors takes place under GDPR-compliant data processing agreements (DPAs) or appropriate Standard Contractual Clauses (SCCs) for international transfers.

9. International Data Transfers

NORAO is based in France and our primary data storage is located within the European Economic Area (EEA). If any personal data is transferred outside the EEA (for example, to a sub-processor with servers elsewhere), we ensure such transfers are protected by appropriate safeguards, including EU Standard Contractual Clauses (SCCs) or adequacy decisions issued by the European Commission.

10. Your Rights Under GDPR

If you are located in the EEA or the UK, you have the following rights regarding your personal data:

To exercise any of these rights, contact us at privacy@norao.fr. We will respond within 30 days. You also have the right to lodge a complaint with the French data protection authority, the CNIL (Commission Nationale de l'Informatique et des Libertés), at www.cnil.fr.

11. Cookies and Tracking

Our website (norao.fr) uses only strictly necessary cookies required for the site to function (session management, security tokens). We do not use advertising cookies, third-party tracking pixels, or social media cookies. You can manage cookie preferences through your browser settings.

12. Children's Privacy

The Service is not directed to children under 13 years of age. We do not knowingly collect personal data from children under 13. If you believe a child under 13 has provided us with personal data, please contact us at privacy@norao.fr and we will delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes via the app or by email at least 30 days before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

14. Contact Our Data Protection Officer


This Privacy Policy was last reviewed and updated on 1 January 2025. It complies with the EU General Data Protection Regulation (GDPR) 2016/679 and the French Data Protection Act (Loi Informatique et Libertés).