← Back to Noorelia
Noorelia
// Privacy Policy
Privacy Policy
Last updated: 04 June 2026
This Privacy Policy describes how Noorelia ("we", "us", "our") collects, uses, and protects personal data when funeral home directors, their staff, and the families they serve use our software platform at noorelia.com.
We take privacy seriously. The data we handle includes information about deceased individuals and their grieving families — some of the most sensitive information a person can share. This policy is written to be read and understood, not to obscure.
Our principles: We collect only what we need to deliver the service. We never sell data. We do not run advertising or marketing analytics on our users. We store primary data in the European Union (Frankfurt). Funeral homes own their data and can export or delete it at any time.
1. Who is the data controller?
Funeral home directors are the data controllers for any information they enter about deceased individuals or family contacts. They decide what information is collected and for what purpose, in accordance with local laws governing funeral arrangements.
Noorelia is the data processor — we provide the software that stores and processes that information on the funeral home's behalf. A Data Processing Agreement (DPA) governing this relationship is available on request at [email protected] and is offered as part of every subscription.
For Noorelia's own contact with funeral home directors (account email, billing, support), Noorelia is the data controller.
2. What data do we collect?
Account data (from funeral home directors and staff)
- Name, email address, password (hashed by Supabase Auth using bcrypt), country, phone number
- Funeral home name, branding (logo, colours), default email signature
- Subscription plan and billing status; Stripe customer ID
- Authentication logs (sign-in IP, timestamp, last seen) for security and account integrity
Case data (entered by funeral home directors and staff)
- Deceased's full name, date of death, religious or cultural tradition, location of death
- Family contact name, email, phone number, language preference
- Documents uploaded by the funeral home (death certificates, authorisations, contracts, statement of funeral goods)
- General Price List (GPL), Casket Price List (CPL), Outer Burial Container Price List (OBCPL) items and prices
- Messages exchanged between funeral home and family
- Service milestones and timestamps
- Aftercare schedules and message bodies
Family-shared content (from family members via the portal)
- Photos and written memories shared on the Memory Wall
- Messages sent to the funeral director
- Electronic signatures, including the printed legal name, IP address, browser information, and timestamp for audit purposes
- Names typed when signing documents (for legal binding under E-SIGN, eIDAS, UETA and equivalent regimes)
- Portal view counts (used by directors to know when the family has engaged)
Technical data
- IP address (only when used to access the service)
- Browser type and version (for compatibility)
- Authentication tokens (managed by Supabase Auth)
- Error reports (limited to a per-error stack trace and the user-agent string of the failing browser; routed to Sentry — see Subprocessors below)
What we do NOT collect
- We do not use third-party analytics that track users across sites (no Google Analytics, no Facebook Pixel, no advertising cookies, no session-replay tools)
- We do not sell, rent, share, or otherwise disclose data with marketing companies or data brokers
- We do not run ad targeting against funeral home data or family data
- We do not access funeral home data for any purpose other than providing the service, security incident response, or as required by law
3. How we use the data
We use the data only to:
- Operate the Noorelia platform (display dashboards, send emails, store documents, deliver the family portal)
- Send transactional emails (welcome, milestone updates, aftercare messages, password resets, signature requests)
- Process subscription payments and send invoices via Stripe
- Provide customer support when requested
- Detect and prevent fraud, abuse, or unauthorised access
- Comply with legal obligations (court orders, regulatory requests)
4. AI Processing
Noorelia uses Anthropic's Claude AI to:
- Generate milestone update messages to families
- Generate aftercare check-in messages (with the funeral director's approval at setup)
- Translate the family portal interface into the family's language
- Answer common questions in the family portal chat
- Generate suggested obituary text from director-provided inputs
When AI processes data, the relevant content is sent to Anthropic's API for generation. Anthropic does not train its models on data submitted via the API (per Anthropic's commercial terms for API access). We do not enable any feature that would store data with the AI provider beyond the immediate generation request, and we do not opt into Anthropic's optional retention features.
Funeral directors can disable AI features for their account from the Settings panel.
5. Cookies, local storage, and tracking
Noorelia uses the following client-side storage, all of which is strictly necessary for the service to function:
- localStorage — stores your authentication session (key:
fw_auth), in-progress drafts, and UI preferences (dark mode, language). No third-party access.
- sessionStorage — temporary session data cleared when you close the browser tab.
- Service Worker — caches static assets so the dashboard works offline; no tracking.
We do not use first-party or third-party cookies for analytics, advertising, or social media. Because all client-side storage is strictly necessary, no consent banner is required under the EU ePrivacy Directive or UK PECR.
6. Where data is stored — Subprocessors
All primary data is stored in Supabase infrastructure located in Frankfurt, Germany (European Union). Documents and uploads are encrypted at rest. Below is the complete list of subprocessors and their roles:
| Subprocessor | Role | Region |
|---|
| Supabase | Database, file storage, authentication | Frankfurt, EU |
| Cloudflare | Edge proxy, request routing, API backend (Worker) | Global edge |
| Netlify | Static site hosting (marketing site and dashboard frontend) | Global CDN |
| Resend | Transactional email delivery | USA (transient) |
| Anthropic | AI text generation for milestones, aftercare, translations, chat assistant, obituary drafts | USA (transient) |
| Stripe | Subscription billing and payment processing for funeral home subscriptions to Noorelia | USA / Ireland |
| DocuSign | Optional eSignature envelope delivery for documents requiring legal-grade signatures | USA |
| Sentry | Error monitoring (stack traces and user-agent only; no body content captured) | EU (Frankfurt) |
Each of these subprocessors is bound by a Data Processing Agreement appropriate to their role. We will give 30 days' notice to funeral home customers before adding a new subprocessor, by email to the account contact and on this page.
7. International transfers
Primary data is stored in the EU (Frankfurt). Some processing involves transfers to the US (Anthropic AI generation, Resend email delivery, Stripe billing, DocuSign envelopes) or Ireland (Stripe). These transfers are covered by the EU Standard Contractual Clauses (SCCs) (2021/914) and the UK International Data Transfer Addendum, and rely on the EU–US Data Privacy Framework where applicable.
For UAE-based funeral homes, the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) applies; transfers outside the UAE are governed by the corresponding model contractual provisions.
8. Data sharing
Beyond the subprocessors listed above, we share data only:
- With family members the funeral home has invited to a case (via the portal link, scoped to that case only)
- When required by law, court order, or regulatory authority — we will notify the affected funeral home where legally permitted
- In the event of a corporate transaction (sale, merger, or acquisition), with the same protections as this policy and 30 days' notice to customers
We do not share data with any other third parties.
9. Your rights
Under GDPR (EU), UK DPA 2018, UAE PDPL, California CCPA/CPRA, and equivalent privacy laws, you have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — ask us to correct inaccurate data
- Deletion — request that we delete your data (subject to legal retention requirements)
- Portability — receive your data in a machine-readable format (CSV/JSON)
- Objection — object to certain types of processing
- Withdrawal of consent — withdraw consent at any time (where consent is the legal basis)
- Non-discrimination (CCPA/CPRA, California residents) — we do not, and will not, discriminate against you for exercising any of these rights
- Opt out of sale/sharing (CCPA/CPRA) — N/A; we do not sell or share personal data as defined under CCPA/CPRA
For funeral home directors and staff: you can export and delete your account directly from the Settings panel of your dashboard.
For family members: please contact the funeral home that sent you the portal link, or contact us at the address below. Where the funeral home is the data controller, we will forward your request to them and respond on their behalf where instructed.
We respond to verifiable requests within 30 days. We may extend this by 60 days for complex requests and will tell you why.
10. Data retention
- Active accounts: data retained as long as the account is active
- Cancelled accounts: data retained for 30 days, then permanently deleted; backup deletion follows within a further 30 days
- E-signature audit records: retained for 7 years to comply with E-SIGN, eIDAS, UETA and equivalent regimes that require a verifiable audit trail
- Billing records: retained for the period required by tax law (typically 6 years in the UK/EU, 7 years in the US)
- Backups: kept for up to 30 days for disaster recovery purposes
- Error logs (Sentry): 30 days
Note on deceased data: Under GDPR and UK DPA 2018, personal data of deceased individuals is not personal data of the deceased themselves. However, the data may contain personal data of living family members (their names, contact details, photos) which remains subject to this policy.
11. Security
- All data transmitted over HTTPS (TLS 1.2+)
- Documents encrypted at rest in EU storage (Supabase Storage)
- Passwords hashed with bcrypt (managed by Supabase Auth)
- Database access restricted by Row Level Security (RLS) — users can only see their own funeral home's data
- Service role keys and API secrets are server-side only and never exposed to the browser
- Family portal access requires a unique random token per case (cryptographically generated, not guessable)
- Memorial pages optionally protected by a director-set password; password attempts are rate-limited
- Rate limits on authentication, account creation, password reset, e-signature, and family portal verification
- Webhook signatures verified for Stripe and DocuSign (HMAC-SHA256)
- Mandatory MFA available for funeral home directors (optional for staff, recommended)
12. Data breach notification
If we become aware of a personal data breach likely to result in risk to the rights and freedoms of individuals, we will:
- Notify the affected funeral home customer(s) without undue delay and within 72 hours where required by GDPR
- Provide a description of the breach, the categories and approximate number of individuals concerned, the likely consequences, and the measures taken to address it
- Cooperate with the funeral home's notification to families or other affected individuals
13. Children
Noorelia is intended for use by funeral home professionals and adult family members. We do not knowingly collect data from children under 16 (or under 13, the threshold under COPPA in the US). If you believe we have inadvertently collected such data, please contact us so we can delete it.
14. Marketing and communications
Funeral home directors who sign up receive transactional emails related to their account (welcome, billing, security, milestone notifications they configure). We do not send unsolicited marketing email.
If we publish a customer newsletter in the future, it will be strictly opt-in with a clear unsubscribe link in every message.
15. Accessibility
We aim to meet WCAG 2.1 Level AA for the family portal and dashboard. If you encounter an accessibility issue, please contact [email protected] and we will work to resolve it.
16. Changes to this policy
If we make material changes to this policy, we will notify funeral home directors by email at least 30 days before the change takes effect and update the "Last updated" date at the top. Continued use of the service after the change indicates acceptance of the updated policy.
17. Contact us
For complaints, you may also contact your local data protection authority. Examples:
- UK: Information Commissioner's Office (ICO) — ico.org.uk
- France: Commission Nationale de l'Informatique et des Libertés (CNIL)
- Germany: Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
- Ireland: Data Protection Commission (DPC)
- UAE: UAE Data Office
- California: California Privacy Protection Agency (CPPA)
© 2026 Noorelia · Operated as a sole-trader micro-business · noorelia.com