Built so your baby's data stays your baby's.
Nestli is a baby tracker, not an ad network. Here's exactly what we do — and don't do — with the information you trust us with.
What we do
Every read and write goes through a per-baby membership check. Another family cannot see your records, even if our systems were misconfigured — the database itself enforces the boundary, not just the app.
The cache that powers fast cold-launches — feeds, sleeps, growth, photo captions — is encrypted with a per-install key stored in the device's secure enclave (Keychain on iOS, EncryptedSharedPreferences on Android). A lost or wiped phone can't have your baby's records read off it.
Every photo runs through automatic content review the moment it's uploaded. Anything that doesn't meet our family-friendly guidelines is rejected and removed before it's stored — keeping your timeline appropriate even when extended family is invited.
Deleting a baby is a verified, three-step action: warning, type the baby's name, then enter a 6-digit code we email to you. A wrong tap can't wipe a year of memories. Account deletion removes your profile and uploaded photos from live systems.
There are no advertising networks, no analytics SDKs that profile users, and no data brokers in the picture. We don't sell your information; we don't trade it. Nestli is funded by the people who pay for it — full stop.
The AI assistant only answers baby-care questions. Off-topic and jailbreak attempts — including text hidden inside uploaded photos — are refused. Your AI conversations are never used to train models; the AI providers we use do not train on API traffic under their terms.
Your records and photos live in the Asia Pacific (Sydney) region. Photos are served through a global delivery network so a relative in another country sees your baby's first steps quickly — without making the underlying storage public.
Every connection between the app, our servers, and our subprocessors uses HTTPS. Photo URLs are short-lived and signed — even if one is intercepted, it expires in hours and only points to your own private bucket path.
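To make the "short-lived and signed" photo URL idea concrete, here is an added example in Python of how such URLs can be issued and checked. It is illustrative code written for this page, not Nestli's own implementation; the signing key, the `https://cdn.example` host, the `/families/<id>/` path layout and the four-hour lifetime are all constructed assumptions. It shows the three properties the paragraph describes: the signature covers the path, so a URL cannot be pointed at someone else's photo; the signing service refuses to sign anything outside the requester's own family prefix (including `..` traversal); and the URL stops working once its expiry passes.

```python
import hashlib
import hmac
import posixpath
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key. A real service loads this from a secrets store and
# rotates it; it must never be shipped inside the mobile app.
SIGNING_KEY = b"constructed-demo-signing-key-not-for-production"

# Assumed lifetime: the page says links "expire in hours", so four hours here.
DEFAULT_TTL_SECONDS = 4 * 60 * 60


def _mac(path: str, expires: int) -> str:
    """HMAC-SHA256 over the exact path and expiry, so neither can be changed."""
    message = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, message, hashlib.sha256).hexdigest()


def sign_photo_url(base: str, path: str, family_prefix: str, now: int,
                   ttl: int = DEFAULT_TTL_SECONDS) -> str:
    """Issue a signed URL for `path`, but only if it lies under the caller's
    own family prefix (hypothetical layout: /families/<family_id>/...).

    The prefix check runs on the normalised path so "/families/a/../b/x.jpg"
    cannot be laundered into another family's storage."""
    normalised = posixpath.normpath(path)
    if not normalised.startswith(family_prefix):
        raise PermissionError("refusing to sign a path outside the caller's family")
    expires = now + ttl
    query = urlencode({"expires": expires, "sig": _mac(normalised, expires)})
    return f"{base}{normalised}?{query}"


def verify_photo_url(url: str, now: int) -> tuple[bool, str]:
    """Edge-side check: rejects malformed, forged, tampered or expired URLs.

    Returns (accepted, reason). The signature is compared in constant time
    and is checked before the expiry so an attacker learns nothing about
    which part failed."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "malformed"
    if not hmac.compare_digest(sig, _mac(parts.path, expires)):
        return False, "bad-signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough with a fixed clock so the output is repeatable.
    now = 1_700_000_000
    url = sign_photo_url("https://cdn.example", "/families/fam_a/photos/1.jpg",
                         "/families/fam_a/", now)
    print(url)
    print(verify_photo_url(url, now + 60))                          # accepted
    print(verify_photo_url(url, now + DEFAULT_TTL_SECONDS + 1))     # expired
    tampered = url.replace("photos/1.jpg", "photos/2.jpg")
    print(verify_photo_url(tampered, now + 60))                     # bad-signature
```

The split matters: the app server, which knows who is asking, decides which paths may be signed; the delivery edge, which knows nothing about families, only needs the key and the clock. Pass the current time in explicitly (as the functions above do) rather than reading it inside, so expiry behaviour can be tested deterministically.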
What we don't claim
Marketing pages love to overstate what's possible. We'd rather be plain:
- We're not end-to-end encrypted. The AI feature needs to read your context to answer questions, and your partner's device needs to read your records to show them — that means our servers see the data while it's in use.
- We're not "unhackable." Nothing on the internet is. We minimise what we collect, isolate it per family, and watch for problems — but absolute claims are red flags wherever you read them.
- We don't currently hold formal certifications like SOC 2 or HIPAA. We follow the principles those frameworks teach (least-privilege access, encrypted storage, audit logging) without paying for the badge.
- We're a small team. If a serious vulnerability is reported to us, we'll fix it and tell affected users — but we don't pretend to have a 24/7 security operations centre.
Who we share data with
The full list of subprocessors and what they do — same list as our Privacy Policy, restated plainly:
What you can do
- Use a device passcode or biometric. The on-device encryption above relies on your device being locked when you're not using it.
- Sign out on shared devices. Signing out wipes the cached data so the next person doesn't see your baby's records.
- Review who's invited. Open Family Settings to see exactly who has access to each baby. Revoke any member at any time.
- Reach out. If something looks off — a member you didn't invite, a record you didn't make — email [email protected] and we'll investigate the same day.