Nestora
Back to Nestora
Legal

Privacy Notice

Effective May 23, 2026

This Privacy Notice describes how NESTORA ("Nestora", "we") collects, uses and protects personal data when you use the Nestora website, applications and services. We are the data controller. Contact us at mail@murgioni.nl.

1. Data we collect

  • Account data: email address, display name, password hash, authentication tokens.
  • Profile data: optional information you add to your profile such as preferred city and onboarding preferences.
  • Usage data: saved searches, prompts you submit, neighbourhoods you view, plan tier, daily prompt counts, feature interactions.
  • Support data: messages you send us and metadata about those messages.
  • Device data: IP address, browser type, operating system, language, approximate location derived from IP, log timestamps.
  • Cookies: essential cookies for sign-in and session management. We do not use marketing or advertising cookies.

Payment data (card details, billing address) is collected directly by our reseller Paddle and is never processed or stored by Nestora.

2. How we use your data and our legal bases

  • Provide the Service (contract): create your account, run searches, deliver AI recommendations, save searches, show subscription status.
  • Secure the Service (legitimate interest): detect abuse, prevent fraud, investigate incidents, enforce our Terms.
  • Improve the Service (legitimate interest): analyse aggregate usage, debug, evaluate model quality. We do not sell personal data.
  • Customer support (legitimate interest / contract): respond to your questions.
  • Legal compliance (legal obligation): respond to lawful requests, meet tax and accounting obligations.
  • Marketing emails (consent, where required): only if you opt in. You can unsubscribe at any time.

3. Sharing with third parties

We share personal data only with the categories of recipients listed below, and only as needed for the purposes above:

  • Hosting and backend: Lovable Cloud (provides our managed database, authentication and serverless infrastructure).
  • AI model providers: Google and OpenAI, accessed via the Lovable AI Gateway. Prompts you submit are sent to these providers to generate responses.
  • Mapping and places: Mapbox (map rendering and routing) and Google (places data).
  • Payments and Merchant of Record: Paddle.com, which handles checkout, billing, tax, invoicing and refunds.
  • Email delivery: our transactional email provider for sign-in, receipts and service notices.
  • Professional advisers: our legal, accounting and tax advisers, under confidentiality.
  • Authorities: where required by law, court order, or to protect our rights, users, or the public.

4. International transfers

Some of our providers process data outside the European Economic Area (for example in the United States). Where this happens, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and provider-side supplementary measures.

5. Data retention

We keep personal data only as long as needed for the purposes above. Account data is kept while your account is active and deleted or anonymised within a reasonable period after closure. Saved searches and prompts are kept while your account exists; you can delete them at any time. Billing and tax records are retained by Paddle and by us for the periods required by law (typically seven years). Logs are kept for up to 12 months.

6. Your rights

Subject to applicable law, including the GDPR for users in the EEA and the UK GDPR for users in the UK, you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • erase your data ("right to be forgotten");
  • restrict or object to certain processing;
  • data portability;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with your local supervisory authority. In the Netherlands this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).

To exercise any of these rights, email mail@murgioni.nl. We will respond within one month.

7. Security

We use appropriate technical and organisational measures to protect personal data, including encryption in transit, encrypted storage, access controls, and principle-of-least-privilege for staff and contractors. No system is perfectly secure - if you believe your account has been compromised, contact us immediately.

8. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

9. Cookies

We use only essential cookies required to keep you signed in and to operate the Service. We do not use third-party advertising or cross-site tracking cookies. If we introduce analytics or marketing cookies in the future, we will request your consent first.

10. Changes

We may update this Privacy Notice from time to time. The "Effective" date at the top reflects the latest version. Material changes will be communicated via the Service or by email.

11. Contact

Privacy questions or requests: mail@murgioni.nl.