Nestosai logo Nestosai

Legal

Privacy Policy

Last updated: 2 May 2026 · Effective: 2 May 2026

This Privacy Policy explains how Nestosai ("Nestosai", "we", "us", or "our") collects, uses, shares, and protects information when you use the Nestosai mobile application and related services (the "Service"). By creating an account or using the Service, you acknowledge the practices described below.

The short version. We collect what we need to make the Service work and to make it better. We never sell your personal data. Within a household, one member's private conversations with the AI are never exposed to another member's AI session. You can export or delete your data at any time.

On this page

  1. Who we are
  2. Information we collect
  3. How we use information
  4. Legal basis (GDPR)
  5. How we share information
  6. AI processing
  7. Retention
  8. International transfers
  9. Your rights
  10. Security
  11. Children & minors
  12. Health-adjacent information
  13. Changes
  14. Contact

1. Who we are

Nestosai provides an AI-powered family relationship companion that offers private reflection, parenting coaching, and consent-based family insights. The data controller for personal data processed through the Service is the entity operating Nestosai. Contact details are in section 13.

2. Information we collect

2.1 Information you provide

Category Examples
Account Name, email, password (hashed), date of birth, language, profile photo, optional gender.
Family / Nest Family role, household ("nest") membership, invite codes, relationships you describe.
Conversations Text and voice messages you exchange with the AI or with other family members in shared spaces, photos you choose to send, AI-generated replies.
Profile signals Optional self-assessments (e.g. attachment style, love language, personality, culture) used to personalize coaching.
Support Messages and attachments you send when contacting us.

2.2 Information collected automatically

  • Device & technical: device model, OS version, app version, language, time zone, crash logs, performance traces.
  • Usage: screens viewed, features used, in-app events (without the content of your conversations).
  • Network: IP address (truncated where feasible), approximate region derived from IP.
  • Push tokens: a device push token if you enable notifications.

2.3 Information from permissions you grant

  • Microphone: only when you record a voice message or start a voice session.
  • Camera / Photo Library: only when you attach an image or set a profile photo.

We do not access your microphone, camera, contacts, or location in the background.

3. How we use information

  • To provide and operate the Service (accounts, messaging, AI replies, voice sessions, notifications).
  • To personalize coaching prompts and reflections to your goals and preferences.
  • To extract anonymized themes that inform family-level insights, with strict isolation between members.
  • To maintain safety: detect crisis signals, abusive content, and safeguard minors.
  • To diagnose crashes and improve reliability and performance.
  • To prevent fraud, abuse, and violations of our Terms.
  • To comply with legal obligations.
  • Contract — to deliver the Service you signed up for.
  • Consent — for optional features such as voice processing, sensitive personal categories, and marketing communications. You can withdraw consent at any time.
  • Legitimate interests — for safety, fraud prevention, security, and product improvement, balanced against your rights.
  • Legal obligation — to respond to lawful requests and meet regulatory duties.

5. How we share information

We do not sell personal data and we do not share it for cross-context behavioral advertising. We share only as follows:

  • Service providers (processors) who help us operate the Service under contract — cloud hosting, storage, push notifications, analytics, error monitoring, email delivery.
  • AI providers for generating responses (see section 6).
  • Other family members only when you explicitly choose to share an insight, send a message in a shared space, or join a group session.
  • Legal & safety when necessary to comply with law, enforce our Terms, or protect rights, property, or safety.
  • Successors in a merger, acquisition, or asset transfer, with continued protections.

6. AI processing

The Service uses third-party large language model providers (currently OpenAI) to generate AI responses, transcriptions, and summaries. When you send a message, the relevant prompt and minimum necessary context are transmitted to the provider for inference. We have agreements in place that prohibit the provider from using your content to train their general models. Outputs generated by the AI may be inaccurate; do not rely on them as professional advice.

7. Retention

  • Account data is retained while your account is active.
  • Conversations are retained until you delete them or your account.
  • Backups are rotated on a rolling schedule (typically 30 days).
  • Crash and diagnostic logs are retained for up to 90 days.
  • Records we are legally required to keep (e.g. tax, fraud) are retained for the period required by law.

8. International data transfers

Personal data may be processed in countries other than your own, including the United States and the European Economic Area, depending on where our service providers operate. Where required, transfers are governed by Standard Contractual Clauses or an adequacy decision.

9. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate data.
  • Delete your data ("right to be forgotten").
  • Port your data in a structured, machine-readable format.
  • Object to or restrict certain processing.
  • Withdraw consent for processing based on consent.
  • Lodge a complaint with your local data protection authority.

You can exercise most of these rights directly from the app (Settings → Account). To request deletion or export, see our Account Deletion page or email us at the address in section 13.

9.1 California (CCPA / CPRA) residents

California residents have rights to know, delete, correct, and limit the use of sensitive personal information, plus the right not to be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising.

10. Security

We use encryption in transit (TLS 1.2+) and at rest, scoped database access, audit logging, multi-factor authentication for administrative access, and least-privilege controls. No system is perfectly secure; we work continuously to harden ours. See the Security overview for more.

11. Children & minors

Nestosai accepts users aged 6 and older. Different protections apply depending on age and region:

  • Under 13 (or under 16 in the EEA / EU): a parent or legal guardian must give verifiable consent before the account becomes usable. We collect the parent's email address at sign-up, send a one-time consent link, and only activate the account after the parent has clicked it on our consent page. This is how we comply with the U.S. Children's Online Privacy Protection Act (COPPA) and the EU GDPR-K rules.
  • Ages 13–17 (outside EU): the user signs up directly. The AI runs in a stricter "minor mode" with hardened content filters and crisis-handling rules.
  • Under 6: not permitted on Nestosai.

What we collect from minors

Email, display name, date of birth, country, language, optional gender, profile photo, conversation content, AI-derived memory facts, mood logs, and parent's email (for under-13/EU under-16 only). We do not collect or display precise location, device contacts, or social graph from outside the family nest.

Lawful basis for processing minors' data

Consent of the parent or guardian (Article 8 GDPR; COPPA §312.5). For 13–17 users outside the EU we rely on the user's own consent, obtained at registration when they accept this policy.

Special protections we apply to minor accounts

  • No behavioral or targeted advertising. Ever.
  • Minors' personal data is not used to train AI models.
  • The AI runs in age-banded "child mode" (6–12) or "minor mode" (13–17) with stricter content guardrails and a hard rule to redirect crisis topics to a trusted adult and a regional helpline.
  • One household member's private chat is never exposed to another member's AI session.
  • Sensitive features (e.g. open-ended voice sessions) may be disabled for minor accounts.

Retention & deletion

A minor's account and all derived data (chats, memory facts, files) are deleted within 30 days of a verified deletion request from the minor or the consenting parent.

Parental rights

If you are a parent or legal guardian, you may request access to, correction of, or deletion of your child's data; withdraw consent; or ask us to stop further processing. Email privacy@nestosai.com from an address we can use to verify your relationship with the child. Full details on our Children's Privacy page.

12. Health-adjacent information

Nestosai is a coaching and wellness companion, not a medical, mental- health, or therapy service. We do not diagnose, treat, or cure any condition, and the app is not a substitute for professional care. As part of normal use, the Service may collect and store information that is adjacent to wellness and emotional state, including:

  • Daily wellness check-ins, mood scores, and reflective prompts.
  • Self-reported attachment-style and love-language results.
  • Free-text chat content discussing feelings, stress, or relationships.

This information is treated with the same encryption-in-transit, access controls, and retention rules as the rest of your account data, and is never sold or used for behavioral advertising. If a conversation triggers our safety pipeline (e.g. self-harm cues), we surface a region-appropriate crisis-resource referral inside the app; we do not transmit that signal to third parties.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app or by email before they take effect. The "Last updated" date at the top of this page indicates the latest revision.

14. Contact us

For privacy questions or to exercise your rights, contact us at:
privacy@nestosai.com