Nora ("we," "our," or "the Service") is operated by Nimble Labs, Inc. and offers two distinct services: an AI-powered plan-finder chat that helps you compare health insurance plans, and an Enhanced Direct Enrollment (EDE) application platform that lets you complete a Marketplace application and enroll in a Qualified Health Plan without leaving our site. This policy explains what we collect for each, how we use it, and your rights.
Service 1 — Plan-Finder Chat
When you use the chat to research plans, Nora asks for general household information needed for a plan search and price estimate:
- ZIP code and county
- Household size, ages, and relationships
- Estimated annual household income
- Tobacco use and pregnancy status
- Doctor and medication preferences
The chat alone does not require a Social Security number, immigration documentation, bank-account details, or any other information used to complete an enrollment. If you only use the chat and never start an EDE application, none of those data types is ever collected from you.
Service 2 — Enhanced Direct Enrollment (EDE) Application
If you choose to apply for coverage through Nora rather than on HealthCare.gov, we operate as a CMS-approved Enhanced Direct Enrollment entity under the Affordable Care Act and 45 CFR § 155.220. Our authority to collect and process the information below comes from a signed EDE Business Agreement with CMS and, for federal tax information, from Internal Revenue Code § 6103(l)(21) and the safeguards set out in IRS Publication 1075.
To complete an EDE application, we collect the information CMS requires for an eligibility determination, including:
- Names, dates of birth, and Social Security numbers (SSNs) of each applicant who has one
- U.S. citizenship status, or immigration documentation for non-citizens
- Address, phone number, and email
- Relationships between household members and tax-filing household composition
- Income and deductions, including employer-sponsored coverage offers
- Pregnancy, disability, incarceration, and tribal-membership status where applicable
- Selected health and dental plans, applied premium tax credits, and payment-method information forwarded to your chosen issuer
SSN and similarly sensitive identifiers are masked in the user interface, transmitted to CMS over a TLS-encrypted connection, encrypted at rest in our database, and not retained beyond the periods required by federal regulation.
Identity Proofing (RIDP)
EDE applicants are required by CMS to verify their identity before an application can be submitted. Identity proofing is performed through the CMS Hub using Experian-powered Knowledge-Based Authentication (KBA), in which Experian asks you a small number of questions drawn from your credit and public-records history. Nora forwards your answers to the CMS Hub but does not see or store your credit file or the underlying KBA questions and answers; we only receive the pass/fail/referral result and a reference identifier.
For fraud detection, CMS requires EDE entities to load the CMS-issued JavaScript Collector on identity-proofing and account-creation pages. The Collector creates a device fingerprint (browser, operating system, screen, locale, and similar non-identifying signals) and sends it to the CMS Hub alongside your application. We use this signal only as part of the CMS-required anti-fraud workflow.
Working With a Licensed Insurance Agent or Broker
If you choose to be assisted by a licensed insurance agent or broker on Nora, the agent and the agency they represent are disclosed to you before any of your application data is shared with them. Before an agent is granted access to your application, you sign an Authorization of Representative (AOR) acknowledging:
- The agent's legal name, agency, National Producer Number (NPN), and the states in which they are licensed
- What information the agent will be able to view on your behalf
- That the agent operates under a Web-Broker Agreement with CMS pursuant to 45 CFR § 155.220 and is bound by the same federal privacy and security rules that apply to Nora
You may revoke an agent's access to your application at any time from your account dashboard. Revocation takes effect immediately and removes the agent's ability to view, edit, or submit on your behalf going forward; it does not undo work the agent has already performed (such as a submitted application or completed enrollment). Every action an agent takes on your behalf is captured in our audit log.
How We Use Your Information
For the plan-finder chat, we use the information you provide to:
- Estimate your eligibility for premium tax credits (APTC) and cost-sharing reductions (CSR)
- Search the Marketplace for plans available in your area
- Check whether your doctors and medications are covered by specific plans
For an EDE application, we additionally use your information to:
- Submit your application to CMS for an official eligibility determination
- Verify your identity through CMS's Remote Identity Proofing (RIDP) service
- Resolve Data Matching Issues (DMIs) and Special Enrollment Period verification issues
- Enroll you with the issuer of the plan you select and forward initial-payment information
- Send required notifications (eligibility decisions, document requests, policy events) by email through our transactional-email service
For both services, we additionally process information for limited operational purposes:
- Operational, security, and audit logging — recording what happened, when, and by whom (with personal information redacted from log payloads) so that we can investigate incidents, respond to fraud or abuse, and meet our federal recordkeeping obligations
- Detecting and preventing security threats (rate-limiting, intrusion detection, geofence enforcement on suspicious traffic)
- Responding to subpoenas, lawful requests from CMS or other federal agencies, and obligations under the EDE Business Agreement and 45 CFR § 155.260
We do not sell, rent, or share your personal information with third parties for marketing purposes. We do not use your application data to train AI models.
Cookies and Local Storage
We use a small number of cookies:
- Locale preference — remembers your language choice (English or Spanish)
- Anonymous session token — links your chat conversation so you can return to it
- Authentication and session-activity cookies — when signed in, keep your account logged in and enforce automatic logout after 15 minutes of inactivity and 12 hours total session length
We do not use advertising cookies or third-party tracking scripts.
Third-Party Services and Subprocessors
Nora integrates with the following services. Each is bound by a Data Processing Agreement, Business Associate Agreement (where the service handles protected information), or equivalent.
- CMS Marketplace API and CMS Hub (SES) — to search for plans, check provider networks, estimate subsidies, look up drug formularies, and submit EDE applications for eligibility and enrollment
- Vercel — application hosting (United States)
- Amazon Web Services (AWS) — Aurora Serverless v2 PostgreSQL, Simple Email Service (SES) for transactional email (verification, notices, and eligibility communications), Key Management Service (KMS) for encryption-at-rest, S3 for document storage, and Secrets Manager for credential storage. All AWS services operate under a signed Business Associate Agreement (BAA) covering protected health information (United States).
- Axiom — application logging and audit-record retention
- Anthropic — powers the AI conversation in the plan-finder chat. EDE application data is not sent to Anthropic. Anthropic's use of chat data is governed by their privacy policy.
- Google — optional sign-in via Google OAuth
- Experian — Remote Identity Proofing (RIDP) for EDE applicants only, performed via the CMS Hub
Data Retention
Plan-finder chat conversations are retained to let you return to previous sessions. You may request deletion at any time using the contact below.
EDE application data is retained for the periods required by federal regulation, including 45 CFR § 155.1210 (ten years for Marketplace records) and applicable IRS Publication 1075 retention rules. After those periods we securely dispose of the information. While we hold it, you have the right to request access, correction, or deletion of your information; deletion requests for EDE records are subject to the federal retention requirements above.
Security
We protect your information with encrypted connections (TLS 1.3), encryption at rest (AWS KMS), multi-factor authentication for administrative access, audit logging, and network access restrictions. We follow the security and privacy controls required of CMS Enhanced Direct Enrollment entities under ARC-AMPE (NIST SP 800-53 Rev 5) and the HIPAA Security Rule where applicable.
Independent third-party penetration testing is performed annually in satisfaction of NIST SP 800-53 control CA-08. Our first formal engagement is scheduled for May 18 – June 5, 2026 with Elevate Consult, LLC; the final report will be incorporated into the Security Assessment Report (SAR) submitted to CMS as part of our Authority to Operate (ATO) package. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
If we discover a security incident that compromises personal information, we will notify affected individuals, CMS, and other authorities as required by law.
Your Rights
You can:
- Access the information you have provided through your account dashboard
- Request a correction or update by contacting us
- Withdraw consent for non-required processing at any time
- Request deletion of plan-finder chat data; EDE application data is retained per the federal periods listed above
Contact
If you have questions about this privacy policy or wish to exercise any of the rights above, contact us at privacy@nimblelabs.co.