Privacy Policy.

We collect the minimum data needed to run Nestled. We don't sell it, share it, or use it to train AI models.

Last updated: 23 May 2026 · Effective immediately

Who we are

Nestled is operated by Flux8Labs, Jaipur, Rajasthan, India. Contact us at [email protected] for any privacy-related questions or requests.

What we collect

Account information

When you sign up, we collect your email address. If you provide it, we also store your name. This is used to identify your account and communicate with you.

Uploaded documents

Files you upload (PDF, TXT, Markdown) are stored in Supabase Storage and processed to create vector embeddings — mathematical representations of the text. The raw files are retained while your account is active. Embeddings are stored in our database and used exclusively to power your chatbots.

Query logs

Each question asked to your chatbot is logged. Logs include the question text, the response, response latency, and whether the question was answered. Logs are used for your analytics dashboard and to improve service quality. We do not use your visitors' queries to train AI models.

Usage data

We track query counts per month and total queries for billing and plan enforcement. We do not install third-party tracking scripts on your chatbot widget.

Payment information

Payments are processed by Razorpay. We do not store your card details — Razorpay handles all payment data under their own privacy policy. We store Razorpay subscription and customer IDs to manage your billing state.

BYOK keys

If you use the BYOK (Bring Your Own Key) plan, your API key is encrypted using AES-256-GCM before storage. The plaintext key is never persisted — it exists in memory only during the moment of encryption and at query time decryption.

How we use your data

• To authenticate you and manage your account
• To index your documents and answer questions on your behalf
• To enforce plan limits and process billing
• To send you transactional emails (signup confirmation, billing receipts, payment failures)
• To respond to support requests you initiate

We do not send marketing emails unless you explicitly opt in.

Third-party services

We use the following sub-processors to operate Nestled:

• Supabase — database, authentication, and file storage (EU/US)
• Groq — LLM inference for generating chatbot responses (US)
• Hugging Face — text embedding model inference (US/EU)
• Razorpay — payment processing (India)
• Resend — transactional email delivery (US)
• Netlify — frontend hosting (US)

Each provider is bound by their own privacy policies and data processing agreements. We do not share your data with these providers beyond what is necessary to deliver the service.

Data retention

Your data is retained for as long as your account is active. When you delete your account, all associated data — documents, embeddings, query logs, and profile information — is deleted within 30 days. Razorpay may retain transaction records independently as required by financial regulations.

Your rights

You have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your account and data
• Export your query logs (available from the chatbot analytics tab)
• Object to processing where we rely on legitimate interest

To exercise any of these rights, email us at [email protected]. We will respond within 30 days.

Cookies

The Nestled dashboard uses session cookies required for authentication (set by Supabase Auth). We do not use tracking or advertising cookies. The embeddable widget does not set any cookies on your visitors' browsers.

Security

All data is transmitted over HTTPS. We use row-level security on our database so users can only access their own data. BYOK keys are encrypted at rest. We do not log or expose Supabase service role keys in any frontend code.

Children's privacy

Nestled is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have collected data from a minor, please contact us immediately.

Changes to this policy

We may update this policy as our practices change. Material changes will be communicated by email and/or a notice in the dashboard at least 14 days before they take effect.

Questions? [email protected]