Last updated: 2026-04-06
Privacy Policy
1. Data Controller
The data controller responsible for your personal data is:
[COMPANY_NAME]
NIF/VAT: [NIF]
[ADDRESS], Spain
Privacy contact: privacy@nestora.family
Product support: support@nestora.family
As the controller is established in Spain (EU), no EU representative is required under GDPR Art. 27. The competent lead supervisory authority is the Agencia Española de Protección de Datos (AEPD).
2. Data We Collect and Why
- Account data — email address, first and last name, password hash. Used to create and manage your account.
- Family and household data — family name, household details, member relationships. Core product functionality.
- Tasks and notes — content you create inside Nestora. Core product functionality.
- Children's data — names and ages of children you add to your family profile. See Section 4.
- Financial data — budget items, expense records you enter. Core product functionality.
- Payment data — processed exclusively by Stripe; we do not store card numbers or full payment details.
- Authentication logs and IP addresses — login events, session metadata. Used for account security.
- Error and performance data — anonymised stack traces via Sentry. Used to fix bugs.
3. Lawful Basis for Processing
| Data type | Purpose | Basis | GDPR Art. |
|---|---|---|---|
| Email, name (account) | Account creation and management | Contract performance | Art. 6(1)(b) |
| Family data, tasks, notes | Core product functionality | Contract performance | Art. 6(1)(b) |
| Children's data | Family planning features | Consent (parent/guardian) | Art. 6(1)(a) + Art. 8 |
| Financial data | Core product functionality | Contract performance | Art. 6(1)(b) |
| Payment data (Stripe) | Payment processing | Contract + Legal obligation | Art. 6(1)(b)(c) |
| Auth logs, IP | Account security | Legitimate interest | Art. 6(1)(f) |
| Marketing emails | Product news, updates | Consent | Art. 6(1)(a) |
| Technical cookies | Session, CSRF protection | Legitimate interest | Art. 6(1)(f) |
4. Children's Data
When adding a child's profile, the adult account holder must confirm they are the parent or legal guardian and consent to processing that child's data. This confirmation is recorded with the date and the version of the Privacy Policy in effect at the time.
We do not use children's profile data for analytics, marketing, or profiling. Children's data is deleted when the associated family account is deleted. Consent records are retained for the lifetime of the account to document compliance.
This section applies in accordance with GDPR Article 8 and Recital 38.
5. Data Retention
| Data type | Retention period | Basis |
|---|---|---|
| Active account | Until deletion + 30-day grace period | Contract performance |
| Tasks, notes, trips, contacts | Until account deletion | Contract performance |
| Transactional email logs | 90 days | Legitimate interest (support) |
| Auth logs (login events) | 90 days | Security / legitimate interest |
| Application logs (Loki) | 30 days | Operations |
| Backup snapshots | 30 days rolling | Business continuity |
| Payment records (Stripe) | 7 years | Legal obligation (EU accounting law) |
| Deleted data in backups | Max 60 days after deletion request | GDPR Art. 17 |
When you delete your account, your personal data is removed from active databases within 30 days and fully purged from backup systems within 60 days of your deletion request.
6. Third-party Processors (Subprocessors)
| Processor | Role | Data | Region | DPA Status |
|---|---|---|---|---|
| Sentry | Error tracking | Stack traces, anonymised user context | EU (Frankfurt) | Pending |
| Stripe | Payment processing | Billing data | US / EU | Included in Stripe ToS |
| Resend | Transactional email delivery | Email address, message content | EU | Pending |
| GitHub Actions | CI/CD pipeline | Source code, environment variables | US (SCCs) | Available online |
| VPS / hosting provider | Infrastructure | All user data (encrypted at rest) | EU | Pending |
| Keycloak (self-hosted) | Authentication | Credentials, session tokens | Our server (EU) | N/A — self-hosted |
“Pending” means the DPA has not yet been signed. For US-based processors, transfers rely on Standard Contractual Clauses (SCCs) approved by the European Commission.
7. International Data Transfers
Some subprocessors (GitHub Actions, Stripe) are based in the United States. Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, or on an adequacy decision, to ensure an equivalent level of data protection.
8. Cookies
Nestora uses only technically necessary cookies (session management, authentication, CSRF protection). These cookies do not require your consent under the ePrivacy Directive. We do not currently use analytics or marketing cookies. If we introduce non-essential cookies in the future, we will update this policy and request your consent before setting them.
9. Your Rights
Under GDPR you have the following rights:
- Access — request a copy of your personal data.
- Rectification — ask us to correct inaccurate data.
- Erasure — request deletion of your data (subject to legal retention obligations). You can also delete your account directly in Settings → Privacy.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Restriction — ask us to restrict processing of your data.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing.
To exercise any of these rights, email privacy@nestora.family. We will respond within 30 days.
10. Right to Lodge a Complaint
You have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es, or with the supervisory authority of your country of residence.
11. Changes to This Policy
We will notify you by email of any material changes to this Privacy Policy before they take effect. Minor changes will be noted by updating the “Last updated” date at the top of this page.
12. Contact
For privacy-related requests: privacy@nestora.family
For product support: support@nestora.family