Privacy Policy

Last updated: 2 May 2026 · Effective: 2 May 2026

This Privacy Policy explains how Nestosai ("Nestosai", "we", "us", or "our") collects, uses, shares, and protects information when you use the Nestosai mobile application and related services (the "Service"). By creating an account or using the Service, you acknowledge the practices described below.

The short version. We collect what we need to make the Service work and to make it better. We never sell your personal data. Within a household, one member's private conversations with the AI are never exposed to another member's AI session. You can export or delete your data at any time.

On this page

  1. Who we are
  2. Information we collect
  3. How we use information
  4. Legal basis (GDPR)
  5. How we share information
  6. AI processing
  7. Retention
  8. International transfers
  9. Your rights
  10. Security
  11. Children
  12. Changes
  13. Contact

1. Who we are

Nestosai provides an AI-powered family relationship companion that offers private reflection, parenting coaching, and consent-based family insights. The data controller for personal data processed through the Service is the entity operating Nestosai. Contact details are in section 13.

2. Information we collect

2.1 Information you provide

Category | Examples
Account | Name, email, password (hashed), date of birth, language, profile photo, optional gender.
Family / Nest | Family role, household ("nest") membership, invite codes, relationships you describe.
Conversations | Text and voice messages you exchange with the AI or with other family members in shared spaces, photos you choose to send, AI-generated replies.
Profile signals | Optional self-assessments (e.g. attachment style, love language, personality, culture) used to personalize coaching.
Support | Messages and attachments you send when contacting us.

2.2 Information collected automatically

  • Device & technical: device model, OS version, app version, language, time zone, crash logs, performance traces.
  • Usage: screens viewed, features used, in-app events (without the content of your conversations).
  • Network: IP address (truncated where feasible), approximate region derived from IP.
  • Push tokens: a device push token if you enable notifications.

2.3 Information from permissions you grant

  • Microphone: only when you record a voice message or start a voice session.
  • Camera / Photo Library: only when you attach an image or set a profile photo.

We do not access your microphone, camera, contacts, or location in the background.

3. How we use information

  • To provide and operate the Service (accounts, messaging, AI replies, voice sessions, notifications).
  • To personalize coaching prompts and reflections to your goals and preferences.
  • To extract anonymized themes that inform family-level insights, with strict isolation between members.
  • To maintain safety: detect crisis signals, abusive content, and safeguard minors.
  • To diagnose crashes and improve reliability and performance.
  • To prevent fraud, abuse, and violations of our Terms.
  • To comply with legal obligations.

4. Legal basis for processing (EEA / UK)

  • Contract — to deliver the Service you signed up for.
  • Consent — for optional features such as voice processing, sensitive personal categories, and marketing communications. You can withdraw consent at any time.
  • Legitimate interests — for safety, fraud prevention, security, and product improvement, balanced against your rights.
  • Legal obligation — to respond to lawful requests and meet regulatory duties.

5. How we share information

We do not sell personal data and we do not share it for cross-context behavioral advertising. We share only as follows:

  • Service providers (processors) who help us operate the Service under contract — cloud hosting, storage, push notifications, analytics, error monitoring, email delivery.
  • AI providers for generating responses (see section 6).
  • Other family members only when you explicitly choose to share an insight, send a message in a shared space, or join a group session.
  • Legal & safety when necessary to comply with law, enforce our Terms, or protect rights, property, or safety.
  • Successors in a merger, acquisition, or asset transfer, with continued protections.

6. AI processing

The Service uses third-party large language model providers (currently OpenAI) to generate AI responses, transcriptions, and summaries. When you send a message, the relevant prompt and minimum necessary context are transmitted to the provider for inference. We have agreements in place that prohibit the provider from using your content to train their general models. Outputs generated by the AI may be inaccurate; do not rely on them as professional advice.

7. Retention

  • Account data is retained while your account is active.
  • Conversations are retained until you delete them or your account.
  • Backups are rotated on a rolling schedule (typically 30 days).
  • Crash and diagnostic logs are retained for up to 90 days.
  • Records we are legally required to keep (e.g. tax, fraud) are retained for the period required by law.

8. International data transfers

Personal data may be processed in countries other than your own, including the United States and the European Economic Area, depending on where our service providers operate. Where required, transfers are governed by Standard Contractual Clauses or an adequacy decision.

9. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data ("right to be forgotten").
  • Port your data in a structured, machine-readable format.
  • Object to or restrict certain processing.
  • Withdraw consent for processing based on consent.
  • Lodge a complaint with your local data protection authority.

You can exercise most of these rights directly from the app (Settings → Account). To request deletion or export, see our Account Deletion page or email us at the address in section 13.

9.1 California (CCPA / CPRA) residents

California residents have rights to know, delete, correct, and limit the use of sensitive personal information, plus the right not to be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising.

10. Security

We use encryption in transit (TLS 1.2+) and at rest, scoped database access, audit logging, multi-factor authentication for administrative access, and least-privilege controls. No system is perfectly secure; we work continuously to harden ours. See the Security overview for more.

11. Children

Nestosai is intended for users aged 13 and older (16 in the EEA where required by local law). We do not knowingly collect personal data from children under those ages without verifiable parental consent. See the Children's Privacy page for details.

12. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app or by email before they take effect. The "Last updated" date at the top of this page indicates the latest revision.

13. Contact us

For privacy questions or to exercise your rights, contact us at:
privacy@nestosai.com
