Draft. This policy is a working draft pending review by counsel before public launch. It reflects how Nestli is engineered today.
Privacy Policy
Last updated: 2026-05-30 · Effective on launch
Nestli Inc. (“Nestli”, “we”) makes a parental-control device and service that runs on your home network. This policy describes what we collect, what we don’t, and what we do with it.
The short version. Nestli sees that a device on your network tried to reach a VPN provider — not what your family is reading, watching, typing, or saying. We never inspect message contents, browsing payloads, page contents, or application data. We collect the minimum metadata required to operate the service.
1. Who we are
Nestli Inc., a Florida C-Corporation. Mailing address: Wesley Chapel, FL. Contact: privacy@nestli.io.
2. What we collect
From your account
- Email address (login + transactional emails)
- Hashed password (we never see or store your password in cleartext)
- Subscription plan + billing tokens from our payment processor (Stripe). We do not store full payment card numbers.
From your Nestli router/agent
- Heartbeat telemetry every ~30 seconds: device ID, agent version, uptime, free memory, count of connected devices, count of total blocks, blocklist size, timestamp.
- Alert events: VPN-bypass and content-block events as short text labels and timestamps. Example: "NordVPN tunnel blocked at DNS (Layer 1)".
- The MAC address of the router and of clients on your home network (used as opaque identifiers; never linked back to a person by Nestli).
From this website
- If you join the waitlist, the email you submit and the time you submitted.
- Anonymous server logs (IP, user-agent, referrer) for ~30 days for security and abuse protection. No third-party tracking pixels.
3. What we do not collect
The product is engineered around not seeing the things parental-control products usually slurp up. By design, Nestli does not collect:
- DNS query contents (which sites a device looked up)
- URLs visited or pages loaded
- Browsing history
- Message contents, chat logs, social-media content, or application data of any kind
- Payload data from any traffic (no deep-packet inspection of contents — only metadata signatures for VPN detection)
- Location data beyond what is implied by your ISP
- Microphone, camera, or any sensor data
4. Children (COPPA / GDPR-K)
Nestli accounts are for adults (18+). We do not knowingly create accounts for children under 13 (or under 16 in the EU/UK). Children’s devices appear to Nestli only as anonymous MAC addresses on a parent’s home network; we do not assign identities to those devices or build profiles about them. A parent may name a device (e.g., "Emma’s iPhone") — that label stays on the parent’s account and is never sold, transferred, or used for advertising.
If we learn that a child has created an account, we will delete it. Contact privacy@nestli.io.
5. How we use what we collect
- To operate the service (deliver blocklists, sync rules, fire push alerts).
- To detect abuse and fraud.
- To improve the product (aggregate, never per-user analysis).
- To bill you (via Stripe).
- To contact you about your account.
We do not sell, license, or transfer your data to advertisers, data brokers, or analytics firms.
6. Who we share with
- Stripe — payment processing. Stripe sees billing info; Nestli never stores full card numbers.
- Our cloud host (Render and/or AWS/GCP) — runs the API and stores account data.
- Expo / Apple / Google push services — to deliver push notifications to your phone. The push payload is a short alert label; no PII is in the payload.
- Email provider — to send transactional and account email.
- Law enforcement, only with valid legal process. We publish requests we receive when permitted.
7. How long we keep it
- Account data: while your subscription is active, plus 30 days after cancellation.
- Heartbeat telemetry: rolling 90 days, then deleted.
- Alert events: rolling 12 months on your dashboard; you can clear them at any time.
- Server logs: ~30 days.
- Waitlist email: until launch, then converted into a marketing-list opt-in or deleted on request.
8. Your rights
You can:
- Access the data we hold about you — request via privacy@nestli.io.
- Export your data in a portable format.
- Delete your account and all associated data.
- Correct inaccurate data.
- Opt out of marketing email at any time.
If you’re in the EU/UK, you have rights under GDPR (access, rectification, erasure, restriction, portability, objection). If you’re in California, you have rights under CCPA/CPRA. To exercise any of these rights, write to the same email address above.
9. Security
- All API traffic uses TLS 1.2+.
- Auth tokens are stored encrypted at rest on your router (chmod 600) and on your phone (Secure Enclave / Android Keystore).
- Passwords are hashed with bcrypt.
- Cloud database access is restricted and audited.
If you discover a vulnerability, please report it to security@nestli.io.
10. Cookies
This website uses one essential cookie to remember if you’ve joined the waitlist. No third-party advertising cookies. No tracking pixels.
11. Legal basis for monitoring on a home network
Under US federal law (the Electronic Communications Privacy Act, “ECPA”) parents generally have the legal authority to monitor and filter internet traffic on the home network they own, for minors in their household. This is sometimes called the “consent exception” or the “provider exception.” Nestli is built to operate within that authority. Nestli is not intended for use against adults without their knowledge, or against minors in households where the operator is not their parent or legal guardian. If you are uncertain about your situation, consult counsel.
12. Changes to this policy
If we make a material change to this policy we will email account holders and post the update on this page with a new "Last updated" date.
13. Contact
Email: privacy@nestli.io · Mailing address available on request.