Nora ("we," "our," or "the Service") is operated by Nimble Labs, Inc. and offers two distinct services: an AI-powered plan-finder chat that helps you compare health insurance plans, and an Enhanced Direct Enrollment (EDE) application platform that lets you complete a Marketplace application and enroll in a Qualified Health Plan without leaving our site. This policy explains what we collect for each, how we use it, and your rights.
Service 1 — Plan-Finder Chat
When you use the chat to research plans, Nora asks for general household information needed for a plan search and price estimate:
- ZIP code and county
- Household size, ages, and relationships
- Estimated annual household income
- Tobacco use and pregnancy status
- Doctor and medication preferences
The chat alone does not require a Social Security number, immigration documentation, bank-account details, or any other information used to complete an enrollment. If you only use the chat and never start an EDE application, none of those data types is ever collected from you.
Service 2 — Enhanced Direct Enrollment (EDE) Application
If you choose to apply for coverage through Nora rather than on HealthCare.gov, we operate as a CMS-approved Enhanced Direct Enrollment entity under the Affordable Care Act and 45 CFR § 155.220. Our authority to collect and process the information below comes from a signed EDE Business Agreement with CMS and, for federal tax information, from Internal Revenue Code § 6103(l)(21) and the safeguards set out in IRS Publication 1075.
To complete an EDE application, we collect the information CMS requires for an eligibility determination, including:
- Names, dates of birth, and Social Security numbers (SSNs) of each applicant who has one
- U.S. citizenship status, or immigration documentation for non-citizens
- Address, phone number, and email
- Relationships between household members and tax-filing household composition
- Income and deductions, including employer-sponsored coverage offers
- Pregnancy, disability, incarceration, and tribal-membership status where applicable
- Selected health and dental plans, applied premium tax credits, and payment-method information forwarded to your chosen issuer
SSNs and similarly sensitive identifiers are masked in the user interface, transmitted to CMS over a TLS-encrypted connection, encrypted at rest in our database, and not retained beyond the periods required by federal regulation.
How We Use Your Information
For the plan-finder chat, we use the information you provide to:
- Estimate your eligibility for premium tax credits (APTC) and cost-sharing reductions (CSR)
- Search the Marketplace for plans available in your area
- Check whether your doctors and medications are covered by specific plans
For an EDE application, we additionally use your information to:
- Submit your application to CMS for an official eligibility determination
- Verify your identity through CMS's Remote Identity Proofing (RIDP) service
- Resolve Data Matching Issues (DMIs) and Special Enrollment Period verification issues
- Enroll you with the issuer of the plan you select and forward initial-payment information
We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not use your application data to train AI models.
Cookies and Local Storage
We use a small number of cookies:
- Locale preference — remembers your language choice (English or Spanish)
- Anonymous session token — links your chat conversation so you can return to it
- Authentication and session-activity cookies — when you are signed in, these keep your account logged in and enforce automatic logout after 15 minutes of inactivity and after 12 hours of total session length
We do not use advertising cookies or third-party tracking scripts.
Third-Party Services and Subprocessors
Nora integrates with the following services. Each is bound by a Data Processing Agreement, Business Associate Agreement (where the service handles protected information), or equivalent.
- CMS Marketplace API and CMS Hub (SES) — to search for plans, check provider networks, estimate subsidies, look up drug formularies, and submit EDE applications for eligibility and enrollment
- Vercel — application hosting (United States)
- Render — managed PostgreSQL database hosting (United States)
- Resend — transactional email (verification, notices, eligibility communications)
- Axiom — application logging and audit-record retention
- Anthropic — powers the AI conversation in the plan-finder chat. EDE application data is not sent to Anthropic. Anthropic's use of chat data is governed by its privacy policy.
- Google — optional sign-in via Google OAuth
- Experian — Remote Identity Proofing (RIDP) for EDE applicants only, performed via the CMS Hub
Data Retention
Plan-finder chat conversations are retained to let you return to previous sessions. You may request deletion at any time using the contact below.
EDE application data is retained for the periods required by federal regulation, including 45 CFR § 155.1210 (ten years for Marketplace records) and applicable IRS Publication 1075 retention rules. After those periods we securely dispose of the information. While we hold it, you have the right to request access, correction, or deletion of your information; deletion requests for EDE records are subject to the federal retention requirements above.
Security
We protect your information with encrypted connections (TLS 1.3), encryption at rest, multi-factor authentication for administrative access, audit logging, network access restrictions, and an annual third-party penetration test. We follow the security and privacy controls required of CMS Enhanced Direct Enrollment entities under ARC-AMPE (NIST SP 800-53 Rev 5) and the HIPAA Security Rule where applicable. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
If we discover a security incident that compromises personal information, we will notify affected individuals, CMS, and other authorities as required by law.
Your Rights
You can:
- Access the information you have provided through your account dashboard
- Request a correction or update by contacting us
- Withdraw consent for non-required processing at any time
- Request deletion of plan-finder chat data; EDE application data is retained per the federal periods listed above
Contact
If you have questions about this privacy policy or wish to exercise any of the rights above, contact us at privacy@nimblelabs.co.