Privacy Policy

Effective Date: Dec 05, 2024

Last Updated: Feb 16, 2026

1. Introduction

Norby Labs Inc. and its affiliates, including Norby Pty Ltd (collectively, “Norby,” “we,” “us,” or “our”), are committed to protecting the privacy of individuals who interact with our products and services. This Privacy Policy explains how we collect, use, disclose, and safeguard information in connection with our website at www.heynorby.com (the “Site”), our AI-powered kiosk hardware devices (the “Devices”), our cloud platform, dashboard, and management tools (the “Platform”), and all related services, support, and documentation (collectively, the “Services”).

This Privacy Policy applies to: (a) business customers who purchase, deploy, or manage Norby Devices and Services; (b) end users who interact with Norby Devices in retail, enterprise, government, or other environments; and (c) visitors to the Site.

Your use of the Services is subject to the Norby Terms of Use, which incorporate this Privacy Policy. By using or accessing the Services, you acknowledge that you have read and understood this Privacy Policy. We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Site or through the Services. Your continued use of the Services after changes have been posted constitutes your acceptance of the updated Privacy Policy.

2. Information We Collect

2.1 Information You Provide to Us

Account and Business Information: When you register for an account, purchase Devices, or enter into a subscription or enterprise agreement, we collect information such as your name, business name, email address, phone number, physical address, billing information, and job title.

Support and Communications: When you contact our support team, submit a warranty claim, or communicate with us, we collect the information you provide, including any attachments or diagnostic data.

Order Information: When you make a purchase through the Site or an order form, we collect information necessary to process and fulfil your order, including payment details (processed by our third-party payment processor) and shipping information.

2.2 Information Collected Through the Devices

Conversation and Interaction Data: When end users interact with a Norby Device, the Device processes voice input and generates AI-powered responses. Conversation data may be transmitted to our cloud infrastructure and third-party AI service providers (such as Anthropic, OpenAI, and Google) for processing. The extent of data collected depends on the configuration chosen by the business customer deploying the Device.

Device Telemetry: We automatically collect technical data from Devices, including device identifiers, hardware model, firmware version, operating system version, network connectivity status, performance metrics, error logs, and usage patterns. This data helps us maintain, support, and improve the Devices and Services.

Configuration Data: We collect information about how business customers configure their Devices, including custom prompts, persona settings, language preferences, and integration configurations.

2.3 Information Collected Automatically

Site Usage Data: When you visit the Site, we automatically collect information such as your IP address, browser type and version, operating system, referring URL, pages viewed, time spent on pages, and other standard web analytics data.

Cookies and Similar Technologies: We use cookies and similar tracking technologies on the Site to provide functionality, analyse usage, and improve our Services. You can manage your cookie preferences through your browser settings. For more detail, see Section 8 (Cookies) below.

3. How We Use Your Information

We use the information we collect for the following purposes:

  1. to provide, operate, maintain, and improve the Services, including processing transactions, fulfilling orders, and providing customer support;
  2. to enable the AI-powered conversational features of the Devices, including processing voice input and generating responses;
  3. to monitor Device performance, diagnose technical issues, and deliver firmware and software updates;
  4. to personalise and improve user experiences based on Device configuration and usage patterns;
  5. to communicate with you about your account, orders, support requests, and service updates;
  6. to send marketing and promotional communications where you have opted in or where otherwise permitted by law (you may opt out at any time);
  7. to conduct research, analytics, and product development using aggregated and anonymised data;
  8. to enforce our Terms of Use, protect against fraud and unauthorised activity, and comply with applicable laws and legal obligations;
  9. to fulfil any other purpose disclosed to you at the time of collection or with your consent.

4. How We Share Your Information

We do not sell your personal information. We may share your information in the following circumstances:

AI and Cloud Service Providers: Conversation data processed through the Devices may be transmitted to third-party AI service providers, including Anthropic, OpenAI, and Google, for natural language processing and response generation. These providers process data in accordance with their own privacy policies and our contractual agreements with them.

Service Providers: We share information with third-party service providers who assist us in operating the Services, including payment processing, cloud hosting, analytics, email delivery, and customer support. These providers are contractually bound to use your information only for the purposes for which we disclose it to them and to maintain appropriate security measures.

Channel Partners and Resellers: If you purchase Devices through an authorised reseller or channel partner (such as Dell Technologies), we may share order and account information with that partner to the extent necessary to fulfil and support your purchase.

Affiliates: We may share information with our affiliates and subsidiaries for the purposes described in this Privacy Policy.

Legal Requirements: We may disclose information where required by applicable law, regulation, legal process, or governmental request, or where we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.

Business Transfers: If Norby is involved in a merger, acquisition, reorganisation, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change and any choices you may have regarding your information.

Aggregated and Anonymised Data: We may share aggregated, anonymised, or de-identified data that cannot reasonably be used to identify you with third parties for research, analytics, product improvement, and other business purposes.

5. Data Retention

We retain your information for as long as necessary to provide the Services, fulfil the purposes described in this Privacy Policy, comply with our legal obligations, resolve disputes, and enforce our agreements. The retention period may vary depending on the type of information and the context in which it was collected.

Account and Business Data: Retained for the duration of your account or business relationship, plus a reasonable period thereafter for legal, tax, and audit purposes.

Conversation Data: Conversation data processed through the Devices is retained in accordance with the data retention settings configured by the business customer, or for a default period of [SPECIFY PERIOD, e.g., 90 days] unless otherwise agreed in a Data Processing Agreement.

Device Telemetry: Retained for as long as necessary for product support, improvement, and analytics purposes.

Marketing Data: Retained until you opt out or request deletion.

When information is no longer required, we will securely delete or anonymise it.

6. Data Security

We implement appropriate technical and organisational measures to protect information against unauthorised access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, access controls, regular security assessments, and secure development practices. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

If you are an enterprise or government customer with specific security requirements, please contact us at security@heynorby.com to discuss your needs.

7. International Data Transfers

Norby operates globally and your information may be transferred to, stored, and processed in countries other than your country of residence, including Australia, the United States, and other jurisdictions where our service providers operate. These countries may have data protection laws that differ from those in your jurisdiction. Where required by law, we implement appropriate safeguards for international data transfers, including standard contractual clauses or other approved mechanisms.

8. Cookies and Tracking Technologies

The Site uses cookies and similar technologies to provide functionality, remember your preferences, analyse usage, and improve the Services. The types of cookies we use include:

Essential Cookies: Necessary for the Site to function properly. These cannot be disabled.

Analytics Cookies: Help us understand how visitors interact with the Site, allowing us to improve content and functionality.

Marketing Cookies: Used to deliver relevant advertising and track the effectiveness of marketing campaigns.

You can manage your cookie preferences through your browser settings. Disabling certain cookies may affect the functionality of the Site. We do not respond to Do Not Track browser signals at this time.

9. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

Access: You may request a copy of the personal information we hold about you.

Correction: You may request that we correct inaccurate or incomplete personal information.

Deletion: You may request that we delete your personal information, subject to applicable legal requirements and legitimate business interests.

Restriction: You may request that we restrict the processing of your personal information in certain circumstances.

Portability: Where technically feasible, you may request that we provide your personal information in a structured, commonly used, machine-readable format.

Objection: You may object to the processing of your personal information for direct marketing purposes.

Withdraw Consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise any of these rights, please contact us at privacy@heynorby.com. We will respond to your request within the timeframe required by applicable law. We may need to verify your identity before processing your request.

Marketing Communications

You can opt out of marketing communications at any time by clicking the unsubscribe link in any marketing email or by contacting us at privacy@heynorby.com. Opting out of marketing communications does not affect transactional or service-related communications.

10. Business Customer Responsibilities

If you are a business customer deploying Norby Devices in environments where end users interact with the Services, you acknowledge and agree that:

  1. you are responsible for providing appropriate notice to end users about the data collection and processing that occurs through the Devices, in compliance with applicable privacy and data protection laws in your jurisdiction;
  2. you are responsible for obtaining any necessary consents from end users where required by applicable law;
  3. you will not configure or use the Devices to collect sensitive personal information (such as health, biometric, or financial data) without appropriate legal basis and adequate safeguards;
  4. you will comply with all applicable data protection laws in connection with your deployment of the Devices.

Enterprise and government customers requiring a Data Processing Agreement (DPA) should contact us at privacy@heynorby.com.

11. Children’s Privacy

The Services are primarily designed for business use. We do not knowingly collect personal information directly from children under the age of 16 (or the applicable age of consent in your jurisdiction) through the Site or Platform. Where Norby Devices are deployed in environments where children may interact with them (such as educational or retail settings), the business customer deploying the Device is responsible for ensuring compliance with applicable children’s privacy laws, including providing parental notice and obtaining consent where required.

If we become aware that we have collected personal information from a child without appropriate consent, we will take steps to delete that information promptly. If you believe a child has provided us with personal information, please contact us at privacy@heynorby.com.

12. Third-Party Links and Services

The Services may contain links to third-party websites, applications, or services that are not operated by Norby. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access. Norby is not responsible for the privacy practices of any third party.

13. Jurisdiction-Specific Provisions

Australia

If you are located in Australia, we handle your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). You have the right to access and correct your personal information, and to make a complaint about our handling of your personal information. If you are not satisfied with our response to a complaint, you may contact the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au.

European Economic Area, United Kingdom, and Switzerland

If you are located in the EEA, UK, or Switzerland, we process your personal data on the legal bases of: (a) performance of a contract; (b) our legitimate business interests (such as improving the Services and communicating with you), where those interests are not overridden by your rights; (c) your consent, where applicable; and (d) compliance with legal obligations. You have additional rights under the General Data Protection Regulation (GDPR) or UK GDPR, including the rights described in Section 9. You also have the right to lodge a complaint with your local supervisory authority.

Singapore

If you are located in Singapore, we collect, use, and disclose your personal data in accordance with the Personal Data Protection Act 2012 (PDPA). You may withdraw your consent to our collection, use, or disclosure of your personal data at any time by contacting us, subject to legal or contractual restrictions and reasonable notice.

United States

If you are a resident of California, you may have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale or sharing of personal information. We do not sell personal information. To exercise your rights, contact us at privacy@heynorby.com. We will not discriminate against you for exercising your privacy rights. Residents of other US states with comprehensive privacy laws (such as Virginia, Colorado, Connecticut, and others) may have similar rights under their respective state laws.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Norby Labs Inc.

Ferry Building, 1, Suite 201,
San Francisco, CA 94111,
United States

Email: privacy@heynorby.com

Web: heynorby.com/contact-us

For users in Australia:

Norby Pty Ltd

170 Peel Street

Windsor VIC 3181

Australia