Privacy Policy

Nestly ("we", "us", "our") is a platform for families of neurodivergent children, operated by Nestly Technologies Ltd., registered in Portugal (EU). Our platform is accessible at mynestly.org and all associated applications.

We are the data controller for personal data processed through Nestly. For all privacy-related enquiries, contact our Data Protection Officer at [email protected].

We operate under EU GDPR (Regulation 2016/679), UK GDPR (UK Data Protection Act 2018), CCPA/CPRA (California), COPPA (USA), and PECR (UK).

We collect the following categories of personal data, depending on which features you use:

Account data: name, email address, login method — provided via OAuth.
Child profile data: name, date of birth, neurotype, medical notes, development milestones — entered by the parent or carer.
Health data (Special Category under GDPR Art. 9): diagnoses, medications, vaccines, therapy notes — entered by the parent or carer with explicit consent.
School data: attendance logs, EHCP/PEI details, academic progress, wellbeing flags — entered by school staff under a Data Processing Agreement.
Usage data: pages visited, features used, session duration — collected automatically and anonymised.
Device data: browser type, operating system, IP address (anonymised) — collected automatically.
Communications: messages sent via the platform and contact form submissions.

Health and neurological data constitutes Special Category data under Article 9 GDPR. We process it only with your explicit consent and under strict security controls.

We use personal data for the following purposes:

Providing the service: creating and managing accounts, child profiles, and school records.
Personalisation: displaying relevant content based on your child's age, neurotype, and care plan.
Communication: sending service notifications, appointment reminders, and support messages.
Safety and safeguarding: flagging wellbeing concerns to authorised school staff.
Product improvement: aggregated, anonymised analytics to understand feature usage.
Legal compliance: responding to lawful requests from authorities.

We do not use your data for advertising, profiling for commercial purposes, or sell it to third parties.

Under Article 6 and Article 9 GDPR and UK GDPR, we rely on the following legal bases:

Account creation and authentication: Contract (Art. 6(1)(b))
Child profile and health data: Explicit consent (Art. 6(1)(a) + Art. 9(2)(a))
School records and EHCP/PEI data: Explicit consent + Vital interests (Art. 9(2)(c))
Service notifications: Contract (Art. 6(1)(b))
Analytics (anonymised): Legitimate interests (Art. 6(1)(f)) or Consent
Legal compliance: Legal obligation (Art. 6(1)(c))

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. To withdraw consent, go to Account Settings → Privacy & Data or email [email protected].

Who this app is designed for

Nestly is designed exclusively for use by adults — specifically parents, legal guardians, authorised carers, school staff, and health specialists aged 18 and over. The app is not directed at children, and children should not create accounts or use the platform directly.

COPPA (Children's Online Privacy Protection Act — USA)

Nestly does not knowingly collect personal information directly from children under the age of 13. All data relating to children — including milestones, activities, health records, and child profiles — is entered by the parent, carer, or authorised adult account holder. If we become aware that a child under 13 has submitted personal information directly, we will delete it immediately. If you believe this has occurred, contact us at [email protected].

GDPR / UK GDPR — Children's Data

Child profile data (including health and developmental information) is classified as Special Category data. It is processed only with the explicit consent of the parent or legal guardian, and is subject to enhanced security controls including encryption at rest and in transit.

School context

When school staff add or view child data, they do so under a Data Processing Agreement (DPA) with the school as a separate data controller. Parents retain the right to request deletion of their child's data at any time by contacting [email protected].

We do not sell, rent, or trade personal data. We share data only with:

Cloud infrastructure provider: hosting, database, file storage — bound by DPA and EU Standard Contractual Clauses.
Authentication provider (Manus OAuth): secure login — bound by DPA.
Email service provider: transactional emails — bound by DPA and SCCs.
School (as separate controller): EHCP/PEI records, attendance — governed by a Data Processing Agreement.
Health specialists (with consent): care coordination — requires explicit user consent.
Law enforcement / regulators: legal obligation only — requires a lawful request.

All sub-processors are contractually required to implement appropriate security measures and process data only as instructed.

Our primary infrastructure is located within the European Economic Area (EEA). Where data is transferred outside the EEA or UK, we ensure adequate protection through:

EU Standard Contractual Clauses (SCCs) — approved by the European Commission under Article 46(2)(c) GDPR.
UK International Data Transfer Agreements (IDTAs) — for transfers from the UK.
Adequacy decisions — where the destination country has been deemed adequate by the European Commission or UK ICO.

You may request a copy of the applicable transfer mechanism by emailing [email protected].

We retain data for the following periods:

Account data: until account deletion + 30-day grace period.
Child profile data: until parent requests deletion or account is closed.
Health / Special Category data: until explicit deletion request; max 7 years for medical records (legal requirement).
School records: per school's data retention policy (typically 25 years for EHCP records under UK law).
Usage analytics (anonymised): 24 months rolling.
Server logs: 90 days.
Backup copies: deleted within 30 days of original deletion.

Under GDPR, UK GDPR, and applicable law, you have the following rights. To exercise any of them, email [email protected] or use the in-app Privacy settings.

Right of Access (Art. 15): receive a copy of your personal data.
Right to Rectification (Art. 16): correct inaccurate data.
Right to Erasure / 'Right to be Forgotten' (Art. 17): delete your data, subject to legal retention obligations.
Right to Restriction (Art. 18): limit how we process your data.
Right to Data Portability (Art. 20): receive your data in a machine-readable format.
Right to Object (Art. 21): object to processing based on legitimate interests.
Right to Withdraw Consent (Art. 7(3)): withdraw consent at any time without penalty.
Right to Lodge a Complaint (Art. 77): complain to your national supervisory authority.

We respond to all requests within 30 days. Supervisory authorities: CNPD (Portugal) — cnpd.pt · ICO (UK) — ico.org.uk.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA grants you additional rights:

Right to Know: request disclosure of the categories and specific pieces of personal information we have collected about you in the past 12 months.
Right to Delete: request deletion of your personal information, subject to certain exceptions.
Right to Correct: request correction of inaccurate personal information.
Right to Opt-Out of Sale/Sharing: we do not sell or share personal information for cross-context behavioural advertising. No opt-out is required, but you may confirm this by emailing [email protected].
Right to Limit Use of Sensitive Personal Information: you may limit our use of sensitive personal information (including health data) to what is necessary to provide the service.
Non-Discrimination: we will not discriminate against you for exercising your CCPA rights.

To submit a CCPA request, email [email protected] with the subject line "CCPA Request". We will verify your identity before processing the request.

Categories of personal information collected (CCPA): Identifiers (name, email); Internet or network activity; Geolocation data (country only); Professional/employment information (for school staff); Health information (Special Category, with consent).

We use the following categories of cookies:

Strictly necessary: session authentication, security tokens — always active, no consent required.
Preferences: language choice, theme settings — requires consent under GDPR/UK GDPR.
Analytics: anonymous usage statistics — requires consent under GDPR/UK GDPR.
Marketing: not used.

You can manage your cookie preferences at any time using the cookie settings link in the footer, or by clicking "Manage cookie preferences" below. For full details, see our Cookie Policy at mynestly.org/cookies.

We implement appropriate technical and organisational measures to protect your data, including:

TLS 1.3 encryption for all data in transit.
Encryption at rest for all database records.
Role-based access control — staff can only access data relevant to their role.
Multi-factor authentication for all administrative access.
Regular security audits and penetration testing.
Incident response plan with 72-hour breach notification (GDPR Art. 33).

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by Articles 33–34 GDPR.

If you grant permission, Nestly may send push notifications to your device to remind you of upcoming appointments, scheduled activities, and developmental milestones. These notifications are delivered via Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) on Android.

Your device token is stored securely and associated with your account. It is used solely to deliver notifications relevant to your Nestly account and is never shared with third parties for marketing purposes.

You can manage notification preferences at any time from within the Nestly app under Settings → Notifications, or by disabling notifications for Nestly in your device settings.

We may update this Privacy Policy from time to time. Material changes will be notified via email and a prominent notice on the platform at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the current version was last updated.

Continued use of Nestly after the effective date of a revised policy constitutes acceptance of the changes. If you do not agree with the changes, you may close your account before the effective date.

For all privacy-related requests, questions, or complaints:

Data Protection Officer
Email: [email protected]

General enquiries
Email: [email protected]
Website: mynestly.org

We aim to respond to all privacy requests within 5 business days and resolve them within 30 calendar days.

Supervisory authorities:
Portugal (EU): CNPD — cnpd.pt
United Kingdom: ICO — ico.org.uk
California (USA): California Privacy Protection Agency — cppa.ca.gov