
Nesta Privacy Policy

How Nesta processes personal information across our websites, apps, platform, hosted website tools, support, and public audit funnel.

Effective November 29, 2024
Last updated May 4, 2026

1. Scope

This Privacy Policy explains how NESTA SITES INC. ("Company," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information in connection with Nesta, including our websites, applications, hosted website tools, forms, reports, dashboards, customer support channels, public audits, and related services (collectively, the "Services").

For more detail about cookies, local storage, analytics scripts, chat tools, and similar technologies used on our own sites and applications, please also review our Cookie and Analytics Notice. Hosted websites published for customers should also have their own visitor-facing privacy and tracking disclosures.

This Privacy Policy applies to:

  • visitors to our own marketing site and product site;
  • people who request public visibility audits or reports;
  • trial users, subscribers, and account administrators;
  • authorized users invited into customer accounts;
  • businesses that use our hosted website, form, analytics, and integration tools; and
  • individuals who communicate with us directly.

This Privacy Policy does not replace privacy notices that our customers publish for their own websites, forms, or businesses.

2. Who We Are

NESTA SITES INC. is the organization responsible for personal information processed under this Privacy Policy in the contexts described below.

Contact:

  • Privacy: support@nesta.so
  • Support: support@nesta.so
  • Address: Winnipeg, MB, Canada

3. Our Roles: When We Act for Ourselves and When We Act for Customers

Our role depends on the context.

3.1 When We Act as Controller or Business

We generally act as the controller, business, or organization responsible for personal information when we process information about:

  • our website visitors and prospects;
  • people who request public visibility audits or reports;
  • our account holders and users;
  • billing contacts and subscription records;
  • people who communicate with us for support, demos, or sales; and
  • our own marketing, analytics, security, and operational data.

3.2 When We Act as Processor or Service Provider

When our customers use the Services to operate hosted websites, collect leads, use forms, view analytics, or manage data relating to their own customers, prospects, or website visitors, we generally process that data on the customer's behalf as a processor or service provider.

In those cases:

  • the customer is primarily responsible for deciding what data is collected and why;
  • the customer is responsible for providing required notices and obtaining required consents; and
  • individuals should review the relevant customer's privacy notice for more information.

We may also provide tools that help customers generate or publish privacy pages, cookie disclosures, or terms pages for their hosted websites. Those hosted-site notices are intended to address the customer's relationship with its own website visitors. They do not replace this Privacy Policy, which governs our own processing where we act as a controller or business.

4. Personal Information We Collect

Depending on how you interact with the Services, we may collect the following categories of personal information.

4.1 Account and Contact Information

  • name;
  • email address;
  • phone number;
  • business name;
  • account role, team membership, and profile details;
  • login credentials and authentication data.

4.2 Billing and Transaction Information

  • subscription plan and billing status;
  • billing contact details;
  • invoice and payment metadata;
  • tokenized payment and Stripe customer/subscription references.

We do not store full payment card numbers. Payment card processing is handled by our payment processor.

4.3 Public Audit and Prospect Information

If you request a free visibility audit, public scan, or similar report, we may collect:

  • email address;
  • business name;
  • website URL;
  • primary service or category;
  • city, service area, or selected market;
  • Google Business Profile or place identifier if selected;
  • public profile details such as address, rating, reviews, maps URL, category, and website;
  • source page, referral, UTM, device, log, and anti-abuse metadata; and
  • report status, result token, generated outputs, and audit result metadata.

4.4 Business Profile and Customer-Provided Data

Data that customers choose to connect, upload, or enter may include:

  • business contact and profile details;
  • website content, media, branding, and configuration;
  • reports, notes, operational tasks, and settings;
  • review and listing information;
  • analytics, ranking, advertising, and performance data;
  • prompts, messages, and other content submitted into AI or assistant features.

4.5 Hosted Website, Form, and Lead Data

If a customer uses our hosted website, form, or lead-capture features, we may process data such as:

  • form field responses and submission payloads;
  • lead name, email address, and phone number;
  • page, source, referrer, and destination URLs;
  • approximate location inferred from IP address;
  • IP address, browser, device, and user agent data;
  • conversion events such as phone, email, and map clicks; and
  • related metadata submitted by or on behalf of the customer.

4.6 Usage, Device, and Log Information

We may automatically collect:

  • IP address;
  • browser type and version;
  • device type and operating system;
  • session and event data;
  • app activity and feature usage;
  • timestamps, log files, diagnostics, and error data;
  • referrer pages and navigation paths.

4.7 Integration and Connected Account Data

If you connect third-party services, we may receive data from those services according to your permissions and settings, including data from:

  • Google Business Profile;
  • Google Search Console;
  • Google Ads or Local Services Ads;
  • WordPress;
  • analytics services; and
  • other third-party sources and integrations.

4.8 Support and Communications Data

If you contact us, we may collect:

  • the contents of your message;
  • support history and attachments;
  • chat transcripts and tickets; and
  • records of sales, onboarding, or support communications.

4.9 Cookies and Similar Technologies

We and our service providers may use cookies, pixels, scripts, SDKs, and similar technologies to operate the Services, remember preferences, secure sessions, measure usage, and improve performance.

5. Sources of Personal Information

We collect personal information:

  • directly from you;
  • from your employer or account administrator;
  • from customers using our hosted site and form tools;
  • from connected integrations and third-party platforms you authorize;
  • automatically from your browser, device, and interactions with the Services; and
  • from public or licensed data sources used to provide product functionality.

6. How We Use Personal Information

We use personal information for the following purposes:

  • to provide, operate, host, and maintain the Services;
  • to create and administer accounts and subscriptions;
  • to authenticate users and secure the Services;
  • to process payments, invoices, renewals, and billing events;
  • to generate public visibility audits, report links, and related follow-up communications you request;
  • to provide hosted websites, forms, analytics, and reporting features;
  • to retrieve and display integration data you authorize us to access;
  • to provide support, onboarding, and customer communications;
  • to improve, troubleshoot, and monitor the Services;
  • to detect, investigate, and prevent fraud, abuse, and security incidents;
  • to comply with legal obligations and enforce our agreements; and
  • to send service-related notices and, where permitted, marketing communications about our own Services.

We may also create aggregated or de-identified information that does not identify a specific person and use it for analytics, benchmarking, security, and product improvement.

7. AI Features and Automated Processing

If you use AI-assisted features, we may process prompts, business context, instructions, and related content to generate outputs such as recommendations, summaries, drafts, or assistant responses.

AI outputs may be generated using third-party providers. We use this information to provide the requested feature, improve reliability and safety, and maintain service operations.

We do not represent that AI outputs are always accurate, complete, or suitable for your purposes. Users are responsible for reviewing outputs before relying on or publishing them.

We do not use data obtained from Google APIs in a manner prohibited by the Google API Services User Data Policy.

8. How We Disclose Personal Information

We may disclose personal information as follows.

8.1 Service Providers and Subprocessors

We disclose information to vendors and service providers that help us operate the Services, such as:

  • hosting and infrastructure providers;
  • payment processors;
  • authentication, email, and support vendors;
  • analytics and monitoring vendors;
  • AI and automation vendors;
  • data and integration vendors;
  • public audit providers and visibility data vendors; and
  • security and fraud-prevention vendors.

These providers are authorized to process personal information only as needed to provide services to us.

8.2 At Your Direction or Through Integrations

We disclose information when you choose to connect integrations, publish hosted websites, send data to a connected account, request a report, or otherwise direct us to share information.

8.3 With Customers

If you are an authorized user under a customer account, your information may be visible to that customer and its administrators.

If you submit a lead or message through a website hosted for one of our customers, the relevant customer will receive that information.

8.4 Legal, Security, and Compliance Reasons

We may disclose information if necessary to:

  • comply with law, regulation, legal process, or enforceable government request;
  • enforce our terms and agreements;
  • protect the rights, safety, and security of our company, users, customers, or others; or
  • investigate fraud, abuse, or security incidents.

8.5 Corporate Transactions

We may disclose information in connection with a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of our business or assets.

9. Google API Disclosure

If you authorize us to access Google data, our use and transfer of information received from Google APIs will comply with the Google API Services User Data Policy, including applicable Limited Use requirements.

In particular:

  • we use Google API data only to provide or improve user-facing features you request;
  • we do not use Google API data to develop, improve, or train generalized AI or machine learning models where prohibited by Google's policy;
  • we do not sell Google API data; and
  • you may revoke access through your account settings or through Google's permission controls.

10. Cookies, Analytics, and Similar Technologies

We use cookies and similar technologies for:

  • authentication and session management;
  • security and fraud prevention;
  • remembering preferences;
  • measuring traffic and usage;
  • analytics and product performance; and
  • support and operational tools.

Our current product stack may include analytics, replay, support, and website tracking technologies used across the app and hosted websites.

Depending on context and configuration, these technologies may collect:

  • IP address;
  • device and browser information;
  • page URLs and referrers;
  • session and interaction data; and
  • form or conversion metadata.

If required by law, we will provide consent choices or other controls for non-essential technologies.

11. Data Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to:

  • provide the Services;
  • maintain account history and backups;
  • comply with legal, tax, accounting, and regulatory obligations;
  • resolve disputes; and
  • enforce our agreements.

Retention periods may vary by data type and product area. In general:

  • account, billing, and transaction data may be kept for several years as required by law and operational necessity;
  • support and security logs may be retained for a shorter operational period;
  • public audit leads and report records may be retained for a limited operational and sales follow-up period, unless we need them longer for security, legal, or business records;
  • Customer Data may be retained during the subscription term and for a limited post-termination period to support export, recovery, or deletion workflows; and
  • backup copies may persist for a limited time after active deletion.

When information is no longer needed, we delete, anonymize, or securely dispose of it.

12. Security

We use reasonable technical, administrative, and organizational safeguards designed to protect personal information, including safeguards relating to access control, encryption in transit, credential handling, logging, and abuse prevention.

No system is completely secure, and we cannot guarantee absolute security.

You are responsible for maintaining the confidentiality of your account credentials and notifying us promptly of suspected unauthorized access.

13. International and Cross-Border Processing

We operate from Canada and the Services may be hosted or supported from Canada, the United States, and other jurisdictions where we or our service providers operate.

As a result, personal information may be transferred to or accessed from jurisdictions outside your province, state, or country, and may be subject to the laws of those jurisdictions.

14. Your Rights and Choices

Depending on where you live and the context in which we process your information, you may have rights to:

  • access personal information we hold about you;
  • correct inaccurate information;
  • request deletion of information, subject to legal and contractual exceptions;
  • request a copy of certain information;
  • opt out of our marketing communications; and
  • complain to the relevant regulator.

14.1 Account Controls

You may be able to update certain account and billing information through the Services.

14.2 Marketing Opt-Out

You can opt out of our marketing emails by using the unsubscribe link or contacting us at support@nesta.so.

We may still send you transactional or service-related communications.

14.3 Customer-Submitted Website or Lead Data

If your personal information was collected through a website, form, or service operated by one of our customers, you should generally contact that customer first, because we may be processing that information on the customer's behalf.

15. U.S. State Privacy Disclosures

If you are a resident of a U.S. state with a comprehensive privacy law, you may have additional rights under applicable law, subject to exemptions and verification requirements.

For California residents in particular, we may be required to disclose categories of personal information collected, categories of recipients, retention criteria, and rights to know, delete, correct, and opt out of certain sharing activities.

We do not sell personal information for money. If we engage in sharing that is regulated as "sale" or "sharing" under applicable state law, we will provide required notices and opt-out mechanisms.

16. Canadian Privacy Disclosures

For individuals in Canada, we handle personal information in accordance with applicable Canadian privacy law, including PIPEDA where applicable.

We collect, use, and disclose personal information for purposes that are reasonable in the circumstances and with consent where required or as otherwise permitted by law.

Individuals in Canada may request access to and correction of personal information we hold about them, subject to legal exceptions.

17. Children's Privacy

The Services are intended for business users and are not directed to children.

We do not knowingly collect personal information directly from children under 13 through our own Services. If we learn that we have collected such information without appropriate authorization, we will take reasonable steps to delete it.

18. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated version and update the "Last Updated" date above. Where required by law, we will provide additional notice.

19. Contact Us

For privacy questions, requests, or complaints, contact:

NESTA SITES INC.

Winnipeg, MB, Canada

support@nesta.so

nesta.so

© 2026 NESTA SITES INC.