Privacy Policy

This Privacy Policy describes how NestRules collects, uses and shares personal information when you use our mobile and web applications.

Data controller

NestRules

Postal address

Dirección pendiente de confirmación — disponible a solicitud escribiendo a legal@nestrules.app

Privacy email

privacidad@nestrules.app

NestRules operates as a natural person in Mexico. If you are located in the European Union, the United Kingdom, or any other jurisdiction with applicable laws, this policy applies to you to the extent those laws are relevant.

This policy applies when:

• You create or use an account in our apps (iOS, Android, or web).
• You enter information about the minors in your care as a parent or legal guardian.
• You share a care guide through a link.
• You sign up for our waitlist or mailing list.
• You contact us for support or to exercise your rights.

This policy applies alongside our Terms of Service.

3.1 Account data

3.2 Children's profile data (entered by you)

3.3 Family and care-rule data

3.4 Billing data

3.5 Technical and usage data

3.6 Waitlist data

We process your data for the purposes listed below. For each purpose we indicate the legal basis under the General Data Protection Regulation (GDPR, art. 6) and the Mexican Federal Law on Protection of Personal Data Held by Private Parties.

Providing the contracted service

legal basis: performance of the contract (GDPR 6.1.b). Includes creating your account, saving your rules, generating shareable links and PDFs.

Authentication and security

legal basis: performance of the contract and legitimate interest (GDPR 6.1.b and 6.1.f). Includes sign-in, 2FA, abuse blocking, and detection of suspicious access.

Payment processing

legal basis: performance of the contract (GDPR 6.1.b) and legal obligation for tax purposes (GDPR 6.1.c).

Service notifications

legal basis: performance of the contract (GDPR 6.1.b) for transactional email (welcome, verification, password reset, someone viewed your guide).

Storage of the child's health data

legal basis: explicit consent (GDPR 9.2.a). If you withdraw consent or delete the information, we stop processing it.

Service improvement and fraud prevention

legal basis: legitimate interest (GDPR 6.1.f), kept to the minimum necessary and without profiling.

Compliance with legal obligations

legal basis: legal obligation (GDPR 6.1.c), for example to keep tax records or respond to requests from competent authorities.

Minors do not create accounts in NestRules. The account is opened by an adult (parent or legal guardian) who voluntarily enters information about the children in their care.

As an adult account holder:

The minor's data is only visible to:

We record the date and time you granted that consent (field health_data_consent_at). You can withdraw consent at any time by deleting that information from the app.

We never transmit health data to Sentry, Firebase, analytics services or similar. If an error occurs in the app while you are working with those fields, our error-capture layer strips the content before sending it to the diagnostic service.

We work with third-party providers that help us operate the service. Each acts as a processor under a contract (DPA) and only handles the data strictly necessary for its function.

Stripe Payments Europe, Ltd.

payment processing (web).

Apple Inc.

in-app purchases on iOS and "Sign in with Apple".

Google LLC

push notifications (Firebase Cloud Messaging), Sign in with Google, and Android in-app purchases (via RevenueCat).

RevenueCat, Inc.

mobile subscription orchestration.

Resend, Inc.

transactional email delivery.

DigitalOcean, LLC and/or Amazon Web Services, Inc.

file storage (guide PDFs).

Laravel Nightwatch

backend monitoring.

Functional Software, Inc. (Sentry)

crash reporting on the mobile app, with personal data stripped before sending.

The full, up-to-date list, with links to each provider’s policy, is maintained in our registro público de sub-encargados.

Some of our providers (Stripe, Google, Apple, Resend, AWS, DigitalOcean, Sentry) have infrastructure outside Mexico or the European Economic Area. Transfers rely on:

• Standard Contractual Clauses (SCCs) approved by the European Commission.
• The EU-US Data Privacy Framework when the provider is certified.
• The DPAs we sign with each provider.

Active account

as long as you keep it open.

Deleted account

personal data is wiped from our systems within 30 days. Shared links are invalidated immediately.

Tax and payment records

5 years as required by law (Código Fiscal de la Federación, Mexico).

Error and crash logs

90 days max.

Encrypted backups

up to 35 days, then overwritten.

We apply technical and organizational measures proportionate to the risk, including:

• End-to-end encrypted traffic via HTTPS/TLS.
• Passwords stored with bcrypt (cost ≥ 12).
• Optional two-factor authentication (2FA) based on TOTP.
• Rotated and revocable session tokens; lockout after failed attempts.
• Mandatory email verification to access family data.
• Strict environment separation and least-privilege access for the technical team.
• Encrypted backups with periodic restore tests.
• Security code reviews before every deploy.

You have the following rights over your personal data, recognized by GDPR, LFPDPPP and other applicable laws:

Access

obtain a copy of the data we hold about you.

Rectification

correct inaccurate or incomplete information.

Erasure (right to be forgotten)

request that we delete your data.

Portability

receive your data in a structured format to move it to another service.

Objection

object to processing based on legitimate interest.

Restriction

ask us to temporarily suspend processing while a dispute is resolved.

Withdraw consent

for processing based on consent (e.g. health data).

You can exercise most of these rights directly in the app (export your data, update your profile, delete your account). For more specific requests, write to us at privacidad@nestrules.app. We respond within 30 days.

NestRules does not use advertising cookies or cross-site trackers. We use only strictly necessary technical cookies:

laravel_session

keep your session signed in on the web.

XSRF-TOKEN

cross-site request forgery protection.

locale

remember your preferred language.

These cookies are strictly necessary (LSSI-CE art. 22.2) and do not require prior consent.

NestRules does not make automated decisions that produce legal effects on you, and does not perform profiling. All service logic is driven by the rules you configure yourself.

NestRules is intended exclusively for people aged 16 or older who act as parents or legal guardians. By registering you confirm that you meet that minimum age.

If we learn that an account was created by a person below the minimum age, we will delete it along with all associated information.

We may update this policy to reflect legal, technical or product changes. When changes are significant:

• We will notify you inside the app or by email before they take effect.
• We will update the version and date at the top of this document.
• If the change requires new consent (for example, a new purpose), we will ask you to accept it before you continue using the app.

If you believe we have processed your personal data unlawfully, you can file a complaint with the competent authority in your country, including:

Mexico

Mexico's National Institute for Transparency, Access to Information and Protection of Personal Data (INAI): home.inai.org.mx

Spain

Spanish Data Protection Agency (AEPD): www.aepd.es

European Union

Data-protection authority in the data subject's country (list at edpb.europa.eu).

United States (California)

California Privacy Protection Agency: cppa.ca.gov

We would like the chance to resolve your concern directly first, so please email us at privacidad@nestrules.app before escalating to a regulator.

Privacy and data-subject requests

privacidad@nestrules.app

Legal matters

legal@nestrules.app

General support

soporte@nestrules.app

Postal address

Dirección pendiente de confirmación — disponible a solicitud escribiendo a legal@nestrules.app