Nestli Privacy Policy

Last updated: 5 May 2026

This Privacy Policy describes how Nestli ("we", "our", or "the app"), a mobile application for tracking baby care activities, collects, uses, stores, and shares information about you when you use the app. It should be read alongside our Terms & Conditions.

1. Information We Collect

We collect the following categories of information:

• Account information — email address, username, and password (stored in hashed form) provided during sign-up. A user identifier (UUID) is generated server-side to identify your account.
• Baby profile data — baby name, date of birth, sex, birth measurements, and cover photo that you voluntarily enter.
• Care logs — feeding, diaper, sleep, growth, health, and milestone records that you create in the app.
• Photos — images you choose to upload from your device camera or photo library. Three sizes (original, preview, thumbnail) are generated on-device and stored in our private photo bucket. By uploading any photo to Nestli, you confirm that you own or have the necessary rights to that image, and — where the image depicts a child — that you are the parent or legal guardian of the child or have authority from them. See section 5 of the Terms & Conditions for the full responsibilities and warranties that apply to content you upload.
• Voice recordings (optional) — when you use the voice-log feature, audio is sent to our server for transcription into a care log. Audio is processed in memory only and is not persisted by Nestli. See section 5 for the third-party transcription provider.
• Usage data — basic, non-identifying information about how the app is used (e.g. feature interactions) for reliability and improvement. We do not use analytics SDKs that profile users.

2. Camera, Photo Library, and Microphone Access

Nestli requests access to your device camera and photo library so that you can capture or select photos of your baby to attach to your records. Microphone access is requested only when you use the voice-log feature. These permissions are used only when you explicitly invoke the corresponding feature inside the app.

You can deny or revoke any of these permissions at any time via your device settings. Denying them will disable the relevant features but will not affect other parts of the app.

3. How We Use Information

• To provide the core features of the app — storing and displaying your baby care records.
• To authenticate you and keep your account secure.
• To send transactional emails such as email verification, password reset, email change notifications, and family invites.
• To provide the optional AI+ assistant feature, which sends a summary of recent log activity (not raw data, not photos) to a third-party AI provider to generate responses to your questions. You can attach a photo to an AI question if you choose to; that photo is sent for that single request.
• To transcribe voice-log recordings into care logs via a third-party transcription provider.
• To diagnose problems and improve reliability.

We do not sell your personal information. We do not use your data for advertising.

4. Data Storage and Security

Text records (feeding, diaper, sleep, growth, etc.), account data, and authentication are stored on Supabase, a managed backend provider, using encrypted connections and row-level security so that only you and the family members you explicitly invite can access your baby records.

Photos are stored on Amazon Web Services (AWS S3) in the Asia Pacific (Sydney) region, in a private bucket that is not publicly readable. They are served to your device through Amazon CloudFront, a global content delivery network, using short-lived signed URLs — this lets users in different regions (including mainland China, via CloudFront edge locations in Hong Kong, Tokyo, or Singapore) load photos quickly without making the bucket public.

Photos uploaded to Nestli pass through an automated image-moderation step that screens for content that breaches our policies or applicable law. This screening is automated and best-effort: we do not warrant that it will catch every prohibited image, and we may remove a photo we subsequently determine to be in breach. Concerns about a specific photo can be reported to the contact address in section 11.

All data is encrypted in transit (HTTPS). Supabase and AWS S3 encrypt data at rest using their standard provider-managed keys.

5. Third-Party Service Providers

Nestli uses the following service providers to operate the app. Limited user data is shared with each only as required for the listed purpose, and none of them sell your data.

• Supabase — application database, authentication, and serverless functions.
• Amazon Web Services (AWS) — Amazon S3 photo storage, Asia Pacific (Sydney) region.
• Amazon CloudFront — global content delivery network that serves photos from edge locations closer to your device.
• OpenAI — processes AI+ chat requests and voice-log transcriptions. Baby context data is sent per your questions; voice audio is sent per your recordings. OpenAI states that data submitted via its API is not used to train models.
• Resend — sends transactional emails such as verification codes, password resets, email-change notifications, and family invites.

By using the Service you agree to these sub-processors being used. The list may be updated as our infrastructure evolves; material additions will be communicated in-app.

6. Family Sharing

You may invite other users (for example, a partner or caregiver) to view or edit records for a specific baby. Invited members only gain access after accepting an invite code or email invitation. You can revoke their access at any time from the app. Revoking access removes a member's ability to view future data but does not erase entries they previously created.

7. Children's Privacy

Nestli is designed for use by adult caregivers to record information about their own children. The app is not directed at children under 13, and we do not knowingly collect personal information directly from children. The data stored about an infant or child within Nestli is provided by the parent or legal guardian on behalf of that child.

8. Your Rights

You can:

• Access, update, or delete your records from within the app.
• Delete your account, which will remove your profile and associated records from our systems.
• Contact us to request a copy or deletion of your data.

9. Data Retention

We retain your data for as long as your account is active. When you delete your account, your personal information and uploaded photos are removed from live systems within a reasonable period. Routine backups may retain data for up to 30 days before being purged. Voice-log audio is not retained at all by Nestli — it is passed through to the transcription provider in memory and discarded.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the app or by email. Continued use of Nestli after a change constitutes acceptance of the updated policy.

11. Contact

Questions about this policy or your data can be sent to:
[email protected]