← Back to home

Privacy Policy

Version 1.0 · Effective April 2026

1. Introduction

Nuhra (“we,” “us,” or “our”) is a SaaS platform for video production companies, operated by a company based in Nova Scotia, Canada. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our platform and website at nuhra.com.

We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

By creating an account or using the Nuhra platform, you acknowledge that you have read and understood this Privacy Policy.

2. Who This Policy Applies To

This policy applies to all individuals whose personal information we process, including:

  • Staff and admin users — employees and team members of companies (tenants) that subscribe to Nuhra
  • Client portal users — clients of those companies who access a limited portal
  • Public reviewers — individuals who access shared links (agreements, scripts, assets, e-sign documents) without an account
  • API integration contacts — individuals whose information is submitted via webhook integrations from third-party booking platforms
  • Waitlist subscribers — individuals who submit their email for early access

Age Requirement: Nuhra is a B2B platform intended for users 18 years of age or older. We do not knowingly collect personal information from minors.

3. Personal Information We Collect

3.1 Account and Identity Information

When a company registers or invites a team member, we collect:

  • Full name and email address
  • Business name and address (street, city, province, country, postal code)
  • User role within the company (e.g., admin, producer, editor)
  • Password (stored in hashed form via Firebase Authentication — we never store plaintext passwords)
  • Timestamp and version of Terms of Service acceptance

3.2 Client and Contact Records (Entered by Staff)

Staff users enter information about their own clients and contacts into Nuhra. This may include:

  • Business names, addresses, phone numbers, emails, and websites
  • Contact names, roles, and communication details
  • Social media profile URLs
  • Industry, company size, relationship status, and custom notes
  • Tags, flags, mission/vision statements
  • Headshot photos and uploaded documents

We process this data as a data processor on behalf of the subscribing company (the data controller for that information).

3.3 Project and Production Data

  • Project names, descriptions, statuses, and dates
  • Deliverables, production schedules, and shoot locations
  • Scripts, shot lists, lighting diagrams, treatments, whiteboards, and mind maps
  • Uploaded project files, images, and reference photos

3.4 Financial Data

  • Invoice line items, amounts, tax rates, and due dates
  • Payment records and transaction references
  • Quotes, expense records, and uploaded receipts
  • Equipment inventory values and insurance amounts
  • Stripe Connect account identifiers

We do not store credit card numbers. All payment card processing is handled directly by Stripe. We only store Stripe-issued transaction references and identifiers.

3.5 Communication and Collaboration Data

  • Meeting details, scheduling information, and meeting notes
  • Task descriptions, assignments, and statuses
  • Agreement and contract text, amendments, and review comments
  • E-sign documents, electronic signatures, and audit logs (timestamp, IP address, action)
  • Interview session notes, audio recordings, and transcripts
  • Questionnaire responses and AI-generated analysis summaries
  • Knowledge base articles

3.6 AI Feature Data

When you use AI-powered features, we transmit certain data to third-party AI providers:

  • Business names and website URLs (for client autofill)
  • Chat messages and CRM context (for the AI Assistant)
  • Audio recordings in WebM format (for interview transcription via OpenAI Whisper)
  • Questionnaire answers and scores (for AI-generated summaries)

We do not use your data to train AI models. Data is sent to AI providers solely to generate responses to your specific requests, in accordance with those providers’ API terms.

3.7 Usage and Technical Data

  • Pages visited and features used (captured only in the context of errors)
  • Browser type, device information, and IP address
  • Error stack traces and session replays (only triggered by application errors)
  • API request logs (method, path, status, duration, and user/company identifiers)

3.8 Public Link Access Data

When individuals access shared public links (agreements, scripts, assets, invoices, e-sign documents), we log access events. These links are protected by unique opaque tokens and optionally by passwords. Asset delivery links expire after a configurable period (default: 30 days).

4. How We Use Personal Information

We use personal information for the following purposes:

PurposeLegal Basis (PIPEDA)
Providing and operating the Nuhra platformConsent (agreement to Terms of Service)
User authentication and access controlConsent / Legitimate interest
Processing payments via StripeContract performance
Sending transactional emails (invitations, password resets)Consent / Legitimate interest
Detecting and diagnosing errors and performance issuesLegitimate interest
Generating AI-assisted responses on requestConsent (feature opt-in)
Complying with legal obligationsLegal obligation
Maintaining e-sign audit trailsLegal obligation / Legitimate interest
Enforcing our Terms of ServiceLegitimate interest

We do not use personal information for automated decision-making that produces legal or similarly significant effects on individuals.

5. Third-Party Service Providers (Sub-Processors)

We share data with the following third-party providers to operate the platform. All providers are subject to contractual data processing obligations.

Google Cloud / Firebase

Used for authentication, database storage (Firestore), file storage (Cloud Storage), backend processing (Cloud Functions), and web hosting. Data is stored and processed in the United States (us-central1 region) under Google’s Data Processing Terms and Standard Contractual Clauses.

Stripe

Used for payment processing, Stripe Connect onboarding, and payment link checkout. Card data is handled entirely by Stripe — we never receive or store card numbers. Stripe operates under its own Privacy Policy and Data Processing Agreement.

OpenAI

Used for the AI Assistant, client autofill, questionnaire analysis, and interview audio transcription (Whisper). Data is processed in the United States under OpenAI’s API terms. OpenAI does not use API data for model training.

Anthropic

An alternative AI provider companies may select for the AI Assistant. Data is processed in the United States under Anthropic’s usage policies.

Sentry

Used for error tracking, performance monitoring, and session replay (triggered only by errors). Captures technical data including browser information, IP addresses, and error context.

SMTP2Go

Used to send transactional emails (staff invitations, portal account creation, password resets). SMTP2Go is headquartered in New Zealand with global delivery infrastructure.

Google Fonts and CDN Resources

Typography resources are loaded from Google Fonts in printable views. PDF rendering uses the unpkg CDN for the PDF.js worker library. These requests transmit standard HTTP metadata (IP address, referrer).

6. International Data Transfers

Nuhra is based in Nova Scotia, Canada. Some personal information is transferred to and processed in the United States and other jurisdictions:

JurisdictionServicesSafeguard
United StatesGoogle Cloud / Firebase, OpenAI, Anthropic, Stripe, SentryGoogle DPA / Standard Contractual Clauses; vendor-specific DPAs
Global (various)SMTP2Go, Google Fonts CDNVendor terms of service

These transfers are made in accordance with PIPEDA’s requirements for cross-border data transfers.

7. Cookies and Tracking

We use a single session cookie (__session) for authentication purposes only. This cookie is set when you log in and is required for the platform to function.

We do not currently use marketing cookies, analytics cookies, or tracking pixels. If this changes in the future, this policy will be updated accordingly.

8. Data Retention

DataRetention Period
Account and user dataRetained for the duration of the active subscription, plus a 90-day post-cancellation grace period, then permanently deleted
Client, project, and financial recordsRetained until deleted by an authorized user, or permanently deleted at the end of the post-cancellation grace period
Interview audio recordingsAutomatically deleted 30 days after the session is marked complete; transcripts are retained until account deletion
Asset delivery filesAutomatically deleted 30 days after the delivery expiration date (configurable per delivery)
E-sign audit logsRetained for the duration of the account; permanently deleted at end of post-cancellation grace period
Error logs and technical dataRetained per Sentry’s default retention settings

Post-cancellation grace period: When a subscription is cancelled, all account data is retained in read-only form for 90 days to allow for data export. After 90 days, all data associated with the account is permanently and irreversibly deleted from our systems. You will receive email notices at 30 days and 7 days before deletion. Early deletion may be requested by contacting us at privacy@nuhra.ca.

Some data categories support user-initiated deletion during an active subscription (see Section 9). Drafted invoices may be hard-deleted; issued invoices must be voided to preserve financial record integrity. Knowledge base articles use soft deletion (marked as deleted, not permanently removed immediately).

9. Your Privacy Rights

Under PIPEDA and applicable provincial law, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete personal information
  • Withdraw consent for non-essential uses of your personal information
  • Request deletion of your personal information, subject to legal and contractual obligations

For staff and admin users: You may update your profile information directly within the platform. Account deletion removes both your Firestore profile and Firebase Authentication record.

For client portal users: You may contact the company whose portal you access. That company controls your portal account. We can assist upon verified request.

For public reviewers and API contacts: Contact us using the information in Section 12.

Note on data subject access requests: We do not currently have an automated data export feature. We will fulfill access requests manually within a reasonable timeframe as required by law.

To exercise your rights, contact us at the address in Section 12.

10. Data Security

We implement the following security measures:

  • Encryption in transit: All connections use TLS (HTTPS). Firebase enforces TLS 1.2 or higher.
  • Encryption at rest: Google Cloud applies default encryption to all Firestore and Cloud Storage data.
  • Authentication: Firebase Authentication with hashed passwords; session cookies with secure flags.
  • Authorization: JWT-based access control with company-scoped claims verified on every API request.
  • Multi-tenancy isolation: All data is partitioned under each company’s identifier. Staff from one company cannot access another company’s data.
  • Rate limiting: Applied globally and specifically to authentication and AI endpoints.
  • Input validation: Schema validation applied on all critical API endpoints.
  • API key security: API keys are hashed with SHA-256 before storage — only the hash is retained.
  • Token-based sharing: Public links use opaque tokens with optional password protection and expiration dates.

No security system is perfect. In the event of a data breach that poses a risk of significant harm, we will notify affected individuals and relevant authorities as required by law.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or through an in-platform notice. The effective date at the top of this document will reflect the date of the most recent revision. Continued use of the platform after changes are posted constitutes acceptance of the revised policy.

12. Contact Us

For privacy-related inquiries, access requests, or complaints:

Nuhra
Nova Scotia, Canada
Email: privacy@nuhra.ca
Website: nuhra.com

If you have an unresolved privacy concern, you may also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca.

This Privacy Policy was last reviewed in April 2026.

See also: Terms of Service