1. Data We Collect — and What We Cannot Read
Nest is built around end-to-end encryption. Your data falls into two classes:
- Encrypted on your device, unreadable to us: transaction descriptions and notes, tags, merchant names, category names, wallet names and manually entered IBANs. These are encrypted in your browser with a key derived from your password. We store only ciphertext and cannot decrypt it.
- Readable by the server: your email address, display name, amounts, dates, transaction/category/wallet structure and budget caps. The server needs these to compute balances, budget progress and summaries.
- Bank sync data (limited availability): where bank sync is enabled, balances and transactions retrieved through Enable Banking's PSD2 service with your explicit consent are encrypted at rest with a server-held key, because syncing happens while you are offline.
2. How We Use Data
- Provide, maintain, and improve the Nest service.
- Calculate budgets, balances, and financial summaries from the server-readable fields.
- Send transactional emails (account verification, password reset). Nothing else.
- Category suggestions are computed on your device — your data is not sent to an AI provider for this.
- We never sell your data and do not use it for advertising.
3. Third-Party Services
Nest relies on a minimal set of services:
- Hetzner: server hosting in Germany (EU). All application data lives there.
- Brevo: delivery of transactional emails (verification, password reset).
- Enable Banking: PSD2-regulated, read-only bank connectivity — used only if bank sync is enabled for your account, and only with your explicit consent.
- Groq: used only to tidy up bank-synced transaction descriptions, never your manually entered (encrypted) data. No data is retained for training.
- CoinGecko: crypto price lookups, requested directly from your browser; no personal data is transmitted.
4. Cookies
Nest uses only functional cookies: a session refresh-token cookie and a login marker. We do not use tracking cookies, analytics cookies, or any third-party advertising cookies.
5. Data Storage & Security
- All traffic is encrypted in transit (HTTPS) and all data is encrypted at rest.
- Sensitive text fields are additionally end-to-end encrypted (AES-256-GCM) with keys derived on your device (Argon2id). Your password never leaves your browser.
- Bank credentials are never seen or stored by Nest — bank authentication happens entirely at your bank via Enable Banking.
- Servers are located in the European Union; backups are encrypted and age out within 30 days.
6. Your Recovery Code — an Important Caveat
Because we cannot decrypt your data, we also cannot recover it for you. At signup you receive a one-time recovery code. If you forget your password and lose the recovery code, your encrypted fields (descriptions, notes, names) are permanently unreadable — by you and by us. Amounts, dates and budgets survive a destructive password reset.
7. Your GDPR Rights
Under the General Data Protection Regulation (GDPR), you have the following rights:
- Right of access: request a copy of all personal data we hold about you.
- Right to rectification: correct inaccurate personal data.
- Right to erasure: request deletion of your personal data.
- Right to data portability: receive your data in a structured, machine-readable format.
- Right to restriction: request restriction of processing of your personal data.
- Right to object: object to processing of your personal data.
To exercise any of these rights, contact us at privacy@nestfinance.app.
We will respond within 30 days as required by GDPR.
8. Data Export
You can export your budgets and transactions as a markdown report at any time from the budget page.
The export is generated in your browser, where your data is decrypted.
9. Account Deletion & Retention
You can delete your account at any time from Tools. Deletion immediately and permanently removes all your data — transactions, wallets, budgets, categories, keys and bank connections. Encrypted backups age out within 30 days. This process is irreversible.
10. Children's Privacy
Nest is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18, and will delete such data promptly if we become aware of it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Significant changes will be announced by posting the updated policy here and updating the "Last updated" date. Continued use of the service after changes constitutes acceptance.