Skip to content

Privacy Policy  ·  v2.4

Privacy, the short version.

We collect what's necessary to run the product, keep out fraud, and comply with the law. We don't sell your data. You can export or delete it anytime. The long version is below.

Effective
Apr 20, 2026
Version
2.4  supersedes 2.3
Read time
~6 min
Jurisdiction
Global · GDPR · CCPA

In plain English

A handshake before the contract.

We do

  • Collect the minimum needed to run the app: email, KYC required by law, your wallet address, transactions.
  • Let you export, correct, or delete your data from Settings.
  • Apply GDPR, CCPA, and U.S. state privacy laws where you live.
  • Publish a transparency report each year.

We don't

  • Hold your private keys, contacts, photos, or precise location.
  • Sell data to advertisers or brokers.
  • Train AI models on your account or transactions.
  • Use Google Analytics, Meta Pixel, or third-party ad cookies.

Applies to everyone using normies.co or the Normies app. Residents of the EU, UK, California, Virginia, Colorado, Connecticut, and Utah have additional rights, jump to Section 05.

Data inventory

What we collect

One row per data category, what it is, why we need it, how long we keep it, and which vendor (if any) sees it.

Category Examples Why How long Shared with
Account Email, passkey public key, device identifier Sign-in, key management Active + 90 days Privy MPC
Identity (KYC) Name, DOB, government ID, selfie, address Required to issue a card 5 yrs after closure Rain
Wallet address Your Base address Show balance, process txs Active + 90 days Public on-chain
Transaction metadata Card purchases, on-chain txs you initiate Statements, fraud, regulatory 5 yrs Rain, Bridge
Device & logs IP, user-agent, session timing, crash reports Security, debugging 30 days rolling AWS, Cloudflare
Waitlist email Just the email you provide Notify you at launch 24 mo or until unsub None

Off-limits

What we never collect

  • Your private key, or any shard of it that would let us reconstruct one.
  • Your external wallet contents or activity beyond what you explicitly connect.
  • Location data beyond approximate IP-derived region (used for fraud signals only).
  • Your contact list, photos, or device files.

Service providers

Who we share it with

We share the minimum amount necessary with service providers who are contractually bound to use the data only for the stated purpose.

  • Privy, wallet MPC key management. Receives your auth identifier; does not receive card or KYC data.
  • Rain, card issuance and transaction processing. Receives KYC and transaction data.
  • Bridge, stablecoin on/off-ramp. Receives banking details when you ramp fiat.
  • Intercom, support chat. Receives messages and topic; never wallet, transaction, balance, or KYC data, per our PII policy.
  • PostHog, product analytics. Receives anonymized event data only; no card or KYC fields.
  • AWS, Cloudflare, cloud infrastructure under standard DPAs.
  • Law enforcement & regulators, only in response to valid legal process. We publish a transparency report yearly.

We do not sell your personal information. We do not share it with advertisers, data brokers, or model-training companies.

Retention

How long we keep it

Account info
While your account is active + 90 days after deletion.
KYC records
5 years after account closure (required by U.S. Bank Secrecy Act).
Transaction records
5 years (regulatory).
Logs
30 days rolling, then aggregated.
Waitlist email
Until you unsubscribe, or 24 months, whichever comes first.

Your rights

Your rights

Regardless of where you live, you can always:

  • Export everything we have about you (self-serve in Settings, or email us).
  • Correct anything that's wrong.
  • Delete your account and, subject to records we're required to retain by law, your data.
  • Opt out of product analytics (Settings → Privacy).
  • Unsubscribe from marketing with one click.

Regional rights

EU / UK · GDPR

Rights to access, rectification, erasure, portability, restriction, and objection. Legal basis: contract (to provide the service), legal obligation (KYC/AML), and legitimate interest (security, fraud prevention). Data-protection contact: privacy@normies.co.

California · CCPA / CPRA

Right to know, delete, correct, and limit use of sensitive personal information. We do not “sell” or “share” personal information as defined under CCPA.

VA · CO · CT · UT

Same core rights, access, deletion, correction, portability, and opt-out of targeted advertising. We don't do targeted advertising.

Cookies

Cookies & tracking

Marketing site (normies.co) uses:

  • Strictly necessary: session cookies for the site to function. No opt-out.
  • Analytics: PostHog, first-party, IP-truncated, opt-out available in the cookie banner.

We do not use Google Analytics, Meta Pixel, or any third-party advertising cookie.

Minors

Kids

Normies is not for anyone under 18. We don't knowingly collect data from children. If you believe a child has provided data, email privacy@normies.co and we'll delete it.

Updates

Changes

Material changes to this policy will be announced by email to all users at least 30 days before they take effect. Non-material changes (typos, clarifications) may take effect immediately. Every version is stamped with an effective date.

Reach us

Contact

Privacy questions

privacy@normies.co

Legal & data-rights requests

legal@normies.co

Mailing address

Normies Labs LLC
1209 Orange Street, Wilmington, DE 19801, USA

Become a part of our vibrant tribe
Join waitlist
Join the Normies waitlist — become part of the community building the future of banking and crypto
The money app that speaks banking and crypto, so you don’t have to
Card
Blog
FAQ
Support
Contact
Partnerships
Careers
Security
Disclosures
Privacy
Terms
Support: support@normies.co
© 2026 Normies. All rights reserved.