Privacy Policy

Last updated: June 13, 2026

This document is a good-faith template tailored to Nestor's technology. It is not legal advice and may not satisfy every obligation that applies to you. Have it reviewed by a qualified lawyer before you rely on it.

1. Who we are

Nestor ("the Service") is operated by Aletheia Labs ("we", "us"). We are the data controller for personal data processed through the Service. You can reach us about privacy at [email protected].

2. Data we collect

We collect the following categories of data:

  • Account data — email address, username, password (stored only as a salted hash), and optional profile details you choose to provide (first/last name, phone, address, profile image).
  • Content data — the messages you send, files you upload (documents and images), and AI responses, plus derived data such as text embeddings and conversation summaries used to power search and context.
  • Verification data — one-time passcodes (stored only as a hash) used for email verification, two-factor authentication, and password resets.
  • Technical data — IP address, device and browser information, and request logs, used for security, abuse prevention, and reliability.
  • Consent & cookie data — your cookie/consent choices and the cookies described in our Cookie Notice.

3. How we use your data

  • To provide, maintain, and secure your account and the Service.
  • To process your prompts and generate responses, including building a personal knowledge base from your content so the assistant can give grounded answers.
  • To authenticate you and send transactional emails (verification, password reset).
  • To prevent fraud, spam, and abuse (including bot protection — see Section 6).
  • To measure and improve the Service via analytics, where you have consented.
  • To comply with legal obligations and enforce our Terms.

4. Legal bases for processing (GDPR)

Where the GDPR applies, we rely on these legal bases:

  • Performance of a contract — to provide the Service you sign up for.
  • Legitimate interests — to keep the Service secure and prevent abuse.
  • Consent — for non-essential cookies and analytics; you can withdraw it at any time via "Cookie preferences".
  • Legal obligation — where we must retain or disclose data by law.

5. AI processing and sub-processors

To operate the Service we share the minimum necessary data with the following processors/sub-processors, each acting under their own terms and security commitments:

  • Groq — large-language-model inference. Your prompts and relevant context are sent to generate responses.
  • Voyage AI — text/image embeddings used for search and retrieval.
  • Email/SMTP provider — to deliver verification and password-reset messages.
  • Cloudflare — hosting, content delivery, and bot protection (Turnstile).
  • Google — Analytics and Tag Manager, loaded only after consent.
  • CookieYes — consent management.

We use these providers solely to operate the Service. Please review their privacy policies for details, and confirm their data-retention and model-training terms meet your requirements.

6. Bot protection (Cloudflare Turnstile)

We use Cloudflare Turnstile on sign-in, registration, and similar forms to tell humans from bots. Turnstile is designed to be privacy-preserving and does not require tracking cookies.

7. Cookies and analytics

We use strictly necessary cookies to run the Service and, only with your consent, analytics cookies to understand usage. You control non-essential cookies through the consent banner and the "Cookie preferences" link in the footer. See our Cookie Notice for details.

8. Data retention

We keep account and content data for as long as your account is active. You can delete your content, and you can ask us to delete your account, after which we remove or anonymize your personal data within a reasonable period, except where we must retain it for legal, security, or fraud-prevention purposes. Verification codes and security logs are kept only as long as needed for those purposes.

9. Security

We protect data in transit with TLS, store passwords and one-time codes only as hashes, apply rate limiting and bot protection, and restrict access to production systems. No method of transmission or storage is perfectly secure, so we cannot guarantee absolute security.

10. International transfers

Some of our providers are located outside your country, including in the United States. Where we transfer personal data internationally, we rely on appropriate safeguards such as the providers' Standard Contractual Clauses or equivalent mechanisms.

11. Your rights

Depending on where you live, you may have rights to access, correct, delete, restrict, or object to our processing of your personal data, to data portability, and to withdraw consent. Under the GDPR you may also lodge a complaint with your supervisory authority.

If you are a California resident, you have rights under the CCPA/CPRA to know, delete, and correct your personal information, and to opt out of "sale" or "sharing" of personal information. We do not sell your personal information. We will not discriminate against you for exercising your rights.

To exercise any right, contact us at [email protected]. We may need to verify your identity before acting on a request.

12. Children

The Service is not directed to children under 16 (or the minimum age of digital consent in your country), and we do not knowingly collect their personal data. If you believe a child has provided us data, contact us and we will delete it.

13. Changes to this policy

We may update this policy from time to time. We will post the new version here and update the "Last updated" date. Material changes may be communicated to you directly.

14. Contact

Questions or requests? Email [email protected]. This policy is governed by the laws of the Hashemite Kingdom of Jordan.