Privacy Policy

1. About this policy

This Privacy Policy explains how Tal ADI LLC ("we", "us", "our") collects, uses, stores, and shares information in connection with Norma (the "Service"). Norma is operated by Tal ADI LLC.

We try to be specific. Where this policy uses general language, the Service's actual practices follow the more privacy-protective interpretation.

2. Information we collect

Account information. When you create an account, we collect your name, email address, and a hashed version of your password. If you join a workspace by invitation, we also collect the role assigned to you within that workspace.

Customer Data. When you use the Service, you upload firm financial and operational data, including timesheets, project budgets, accounts receivable, pipeline, contracts, employee compensation information, and firm financials. This is collectively "Customer Data."

Usage information. We collect information about how you interact with the Service, including pages visited, features used, and timestamps. This is used to operate, secure, and improve the Service.

Device and connection information. When you use the Service, we automatically collect technical information including IP address, browser type, operating system, and timestamps. This is used for security, analytics, and to ensure the Service functions correctly.

Communications. When you contact us via email or signup forms, we collect the content of those communications.

We do not knowingly collect biometric information, precise location data, or special categories of personal data (race, religion, health, etc.) through the Service.

3. How we use information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process your Customer Data to generate the analyses, recommendations, and outputs the Service is designed to produce
• Authenticate users and secure the Service against unauthorized access
• Send transactional communications (account notifications, password resets, billing)
• Send product updates and announcements (only if you have opted in or are an active customer)
• Comply with legal obligations and respond to lawful requests from authorities
• Investigate and prevent fraud, abuse, and security incidents

We do not use Customer Data to train AI models. We do not sell Customer Data. We do not share Customer Data with third parties for advertising.

4. AI providers

The Service uses two AI providers (Anthropic and OpenAI) to power its reasoning and generation features. When you ask the Service a question, the Service may send portions of your Customer Data (specifically, the data needed to answer the question (relevant metrics, contract excerpts, or financial summaries) to one of these providers via their commercial API.

Both Anthropic and OpenAI's standard commercial API terms state that data sent through their APIs is not used to train their models. We have not opted into any data-sharing arrangement that would change this.

We do not send full firm databases or all uploaded files to these providers. We send only the context the question requires.

5. How we share information

We do not sell or rent your information. We share information only in these specific cases:

Service providers. We use a small number of third-party services to operate the Service. These include:

• Railway: hosting and database infrastructure
• Anthropic: AI provider (primary copilot)
• OpenAI: AI provider (specific structured-output tasks)
• Resend: transactional email delivery
• Loops: marketing email signup management (for users who opt in via the marketing site)
• Plausible: privacy-friendly website analytics (marketing site only, no cookies, no personal data)

These providers process information on our behalf under contractual obligations to maintain confidentiality and security.

Legal compliance. We may disclose information if required by law, regulation, valid legal process, or governmental request, or to protect the rights, property, or safety of any person.

Business transfers. If we are involved in a merger, acquisition, or sale of assets, your information may be transferred as part of the transaction. We will notify you before your information becomes subject to a different privacy policy.

6. Data retention

We retain Customer Data for as long as your account is active. When you delete a file from the Service, the file is removed from active storage immediately, and the metadata record is retained for audit purposes for up to ninety days before being purged.

When you cancel your subscription or delete your account, we begin the decommissioning process. Your workspace and its associated data are removed from active systems within thirty days. Backups containing your data are purged within ninety days of decommissioning.

We retain a minimum amount of account information (email address, account history) for legal, financial, and security record-keeping purposes for up to seven years after account closure.

7. Security

We protect your information using commercially reasonable security practices, including encryption in transit, encrypted storage, hashed passwords, rate-limited authentication, and workspace-scoped data access controls. A more detailed description of our security posture is on the Security and data handling page.

No system is perfectly secure. We cannot guarantee absolute security. In the event of a security incident affecting your data, we will notify you in accordance with applicable law.

8. Your rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold about you
• Correct inaccurate personal information
• Delete your personal information
• Object to or restrict certain processing
• Receive a portable copy of your information
• Withdraw consent where we rely on consent for processing

To exercise these rights, email us at hello@tal.design. We will respond within thirty days, or sooner if required by law.

If you are in the European Economic Area, United Kingdom, or California, you may have additional rights under GDPR, UK GDPR, or CCPA respectively. We honor those rights regardless of where you are located.

9. International users

The Service is operated from the United States. If you access the Service from outside the United States, you understand that your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

By using the Service, you consent to this transfer.

10. Children's privacy

The Service is not directed at children under 18, and we do not knowingly collect personal information from anyone under 18. If we learn we have collected personal information from a child under 18, we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or by prominently posting a notice on the Service before the change takes effect. The "Last updated" date at the top of this policy reflects the most recent material revision.

12. Contact

For privacy-related questions or to exercise your rights, contact us at hello@tal.design.