Introduction
At Elnora AI, we take privacy seriously. This Privacy Policy explains how Elnora AI, Inc. and its subsidiary Elnora AI OÜ (collectively, "Elnora," "we," "us," or "our") collect, use, disclose, and protect your personal information when you use our website (www.elnora.ai), our AI-powered protocol generation platform, and related services (collectively, the "Services").
This Policy applies to all individuals who interact with our Services, including visitors to our website, registered users, and business contacts. Please read this Policy carefully to understand our practices regarding your personal information.
1. Scope
This policy applies to
- Our website at www.elnora.ai
- Our AI-powered protocol generation and optimization platform
- Communications with us via email, forms, or other channels
- Marketing and promotional activities
This policy does NOT apply to
- Enterprise customer data: Where Elnora acts as a data processor on behalf of enterprise customers, the customer's privacy policy governs. Our processing of enterprise customer data is governed by our Data Processing Addendum (DPA) and customer agreements, which include Standard Contractual Clauses (SCCs) for international data transfers. For questions about such data, please contact your organization's administrator or email us at privacy@elnora.ai to request our DPA.
- Third-party services: Our Services may contain links to third-party websites or integrate with third-party services. We are not responsible for the privacy practices of these third parties.
Regulatory coverage
This Policy is designed to comply with:
- EU General Data Protection Regulation (GDPR)
- UK GDPR
- California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
- Other applicable privacy laws
2. Information we collect
Information you provide directly
| Category | Examples |
|---|---|
| Account information | Name, email address, company name, job title, password, phone number |
| Payment information | Billing address and payment details. We use Stripe for payment processing and do not directly store your payment card information on our servers. |
| Protocol and research data | Lab protocols, experimental data, research parameters, and other scientific content you upload or input into our platform |
| Communications | Support requests, feedback, survey responses, and correspondence with us |
| Marketing information | Demo requests, newsletter signups, webinar registrations |
Information collected automatically
| Category | Examples |
|---|---|
| Usage data | Pages viewed, features used, actions taken, access times, referring URLs |
| Device information | Device type, operating system, browser type and version, device identifiers |
| Log data | IP address, browser settings, date/time of access, error logs |
| Location information | General location (city/country) derived from IP address |
| Cookie data | Information collected via cookies and similar technologies (see Section 4) |
Information from third parties
| Source | Data |
|---|---|
| SSO providers | Name, email address, authentication tokens (when you sign in via Google, Microsoft, etc.) |
| Analytics partners | Aggregated usage and interaction data |
| Business partners | Business contact information from events or partnerships |
Sensitive data
Elnora does not intentionally collect sensitive personal data such as health information, biometric data, or special category data as defined under GDPR. While you may upload scientific protocols containing research data, we do not request or require personal health information.
3. How we use your information
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing services | Operate, maintain, and deliver our AI protocol generation platform |
| Account management | Create and manage your account, process transactions |
| Customer support | Respond to inquiries, provide technical assistance |
| Service improvement | Analyze usage patterns, improve platform functionality |
| Security | Detect, prevent, and address fraud, abuse, and security threats |
| Communications | Send service updates, technical notices, and administrative messages |
| Marketing | Send promotional content, newsletters (with your consent or where permitted) |
| Legal compliance | Comply with applicable laws, regulations, and legal processes |
| Analytics | Understand how users interact with our Services |
We do NOT use your data for
- Training or improving our AI models using your uploaded protocols or research data (see Section 13)
- Selling your personal information to third parties
- Cross-contextual behavioral advertising
4. Cookies and tracking technologies
We use essential cookies (authentication, security) and analytics cookies (including but not limited to PostHog) to understand how visitors use our Services. You can manage cookie preferences via your browser settings. We honor Do Not Track (DNT) and Global Privacy Control (GPC) signals.
5. How we share your information
We do not sell your personal information. We may share your information in the following circumstances:
Service providers (subprocessors)
We use trusted third-party service providers to help us operate our business, including:
- Cloud infrastructure and data hosting
- AI model providers for protocol generation
- Payment processing
- Product analytics
All service providers are contractually bound to protect your information and use it only for specified purposes.
For a complete and current list of subprocessors, visit our Trust Center. Enterprise customers with Data Processing Addendums may have specific notification rights as outlined in their agreements.
Other disclosures
| Circumstance | Description |
|---|---|
| Legal requirements | When required by law, court order, or government request |
| Rights protection | To enforce our terms, protect our rights, or ensure safety |
| Business transfers | In connection with a merger, acquisition, or sale of assets (you will be notified) |
| With your consent | When you have given us permission |
6. Data retention
We retain your personal information only as long as necessary for the purposes described in this Policy.
| Data type | Retention period |
|---|---|
| Account information | Duration of your account plus 60 days for account recovery |
| Customer/protocol data | Deleted within 60 days of contract termination or account closure, except where retention is required by law or for legal claims (up to 3 years for potential disputes) |
| Payment records | As required by tax and accounting laws |
| Usage/analytics data | Anonymized after 90 days; anonymized data retained for product improvement |
| Marketing preferences | Until you unsubscribe or request deletion |
| Support communications | As long as needed to resolve issues |
When retention periods expire, we securely delete or anonymize your data.
7. Data security
We implement robust technical, organizational, and administrative security measures to protect your information:
- Encryption: Industry-standard encryption for data at rest and in transit
- Access controls: Role-based access control with principle of least privilege
- Authentication: Multi-factor authentication for privileged access
- Monitoring: Security monitoring and logging
- Audits: Regular security assessments and penetration testing
- Compliance: Working toward SOC 2 Type II and ISO 27001 certification
Visit our Trust Center for current compliance status and security documentation.
While we take extensive measures to protect your information, no method of transmission over the Internet or electronic storage is completely secure. You are responsible for maintaining the confidentiality of your account credentials.
Data breach notification
In the event of a data breach that affects your personal information, we will:
- Notify affected individuals without undue delay, and within 72 hours where required by applicable law
- Notify relevant supervisory authorities as required by GDPR and other applicable regulations
- Provide information about the nature of the breach, the data affected, and steps we are taking to mitigate harm
- Offer guidance on protective measures you can take
To report a suspected security incident, contact us at security@elnora.ai.
8. International data transfers
Elnora AI, Inc. is headquartered in the United States. Our primary infrastructure is hosted on Amazon Web Services (AWS) in the United States.
Data location
Customer data is primarily stored and processed in AWS data centers located in the United States. AI model providers may process data in their respective data center locations to provide real-time responses.
Transfer mechanisms
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to countries without adequate data protection laws, we rely on:
- Standard Contractual Clauses (SCCs): EU Commission-approved contractual clauses
- Supplementary measures: Additional technical and organizational safeguards where necessary
Data controllers
| Region | Controller | Address |
|---|---|---|
| United States | Elnora AI, Inc. | 48 South Rio Grande Street, Salt Lake City, UT 84101 |
| EU/UK | Elnora AI OÜ | Harju maakond, Saue vald, Laagri alevik, Vesiroosi tn 6, 76401, Estonia |
9. Your rights and choices
Depending on your location, you may have the following rights regarding your personal information:
| Right | Description |
|---|---|
| Access | Request a copy of the personal information we hold about you |
| Correction | Request correction of inaccurate or incomplete information |
| Deletion | Request deletion of your personal information |
| Portability | Receive your data in a structured, machine-readable format |
| Restriction | Request that we limit processing of your information |
| Objection | Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds. |
| Withdraw consent | Withdraw consent where processing is based on consent |
How to exercise your rights
- Email: privacy@elnora.ai
- Support: support@elnora.ai
- Mail:
- US: 48 South Rio Grande Street, Salt Lake City, UT 84101
- EU: Vesiroosi tn 6, 76401 Laagri, Estonia
We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
Marketing communications
You can opt out of marketing communications at any time by:
- Clicking the "unsubscribe" link in our marketing emails
- Contacting us at privacy@elnora.ai
- Updating your communication preferences in your account settings
10. California privacy rights (CCPA/CPRA)
California residents have additional rights under CCPA/CPRA, including the right to know, delete, and correct personal information. We do NOT sell personal information or share it for cross-contextual behavioral advertising. To exercise California privacy rights, contact privacy@elnora.ai.
11. European privacy rights (GDPR)
If you are located in the EEA, UK, or Switzerland, you have rights under the GDPR.
Legal bases for processing
We process your personal data based on:
- Contract performance: To provide our Services to you
- Legitimate interests: For business operations, security, and service improvement
- Consent: For marketing communications and non-essential cookies
- Legal obligation: To comply with applicable laws
Your GDPR rights
In addition to the rights in Section 9, you have the right to:
- Lodge a complaint: File a complaint with your local data protection supervisory authority
- Data portability: Receive your data in a structured format and transfer it to another controller
EU/UK representative
Our EU and UK representative is:
- Company: Elnora AI OÜ
- Address: Harju maakond, Saue vald, Laagri alevik, Vesiroosi tn 6, 76401, Estonia
- Phone: +372 51 96 51 96
- Email: contact@elnora.ai
Data protection authorities
12. Children's privacy
Our Services are not intended for use by anyone under the age of 18. We do not knowingly collect personal information from individuals under 18.
If we become aware that we have collected personal information from someone under 18, we will take steps to delete such information as quickly as possible. If you believe we have inadvertently collected information from a minor, please contact us at privacy@elnora.ai.
13. AI and model training
Customer data is NOT used for model training
Important: Elnora does NOT use your uploaded protocols, experimental data, or other customer content to train the underlying AI models. Your research data is never sent to AI providers for the purpose of training their foundation models.
How we improve our product
While we do not train AI models on your data, we may use anonymized and aggregated information to improve our Services. This includes:
- Refining prompts and instructions that guide our AI agent
- Improving tool descriptions and workflow configurations
- Enhancing the overall user experience through product analytics
This product improvement process does not involve training or fine-tuning AI models. Your identifiable data is not used for these purposes.
How our AI works
- We use third-party AI model providers (including but not limited to OpenAI, Anthropic, Microsoft Azure, and Google Vertex AI) via their business API services
- Your data is processed by these providers solely to generate responses for you in real-time
- Per the privacy policies and terms of service of these providers, data submitted via their business APIs is not used to train their models
- We maintain business accounts with all AI providers to ensure appropriate data protection terms
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Effective Date" at the top of this Policy
- For material changes, we will notify you via email or prominent notice on our website
- Your continued use of our Services after changes become effective constitutes acceptance of the revised Policy
We encourage you to review this Policy periodically.
15. Contact us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
General inquiries
- Email: contact@elnora.ai
- Phone (US): +1 801 384 9988
- Phone (EU): +372 51 96 51 96
Privacy contact
- Name: Carmen Kivisild
- Email: privacy@elnora.ai
Support
- Email: support@elnora.ai
Security concerns
- Email: security@elnora.ai
Mailing addresses
United States (Headquarters)
- Elnora AI, Inc.
- 48 South Rio Grande Street
- Salt Lake City, UT 84101, USA
European Union / United Kingdom
- Elnora AI OÜ
- Harju maakond, Saue vald, Laagri alevik
- Vesiroosi tn 6, 76401, Estonia
Trust center
For detailed information about our security practices, compliance certifications, and data handling procedures, visit our Trust Center.
This Privacy Policy was last updated on December 17, 2025.