Privacy and personal data processing policy

NomiNest — Nanara S.A.S. · Version 0.1 · June 10, 2026

1. Data controller

NANARA S.A.S. ("Nanara") is the controller of the personal data collected through the NomiNest application, under Law 1581 of 2012, Decree 1377 of 2013 (compiled in Decree 1074 of 2015) and other rules that modify or complement them.

2. Nature of the application and the data

NomiNest is a parenting and childcare tracking application: it allows fathers, mothers and legal guardians to record and review information about the sleep, feeding, growth, health and routines of their minor children.

By its nature, the application processes data of two categories of data subjects:

1. The adult account holder (the child's father, mother or legal guardian).
2. The child or adolescent whose data the adult records.

The child's data — and in particular data relating to their health — are sensitive data subject to reinforced protection under articles 5, 6 and 7 of Law 1581 of 2012.

3. Personal data we process

3.1 Data of the adult account holder

• Email address and authentication identifiers (Sign in with Apple or Google).
• Display name (optional).
• Application usage data (navigation and feature-usage events) and technical diagnostic data (crashes, device model, operating system).
• Subscription status (free or premium plan) and, in due course, purchase data managed by the app stores (Apple App Store / Google Play). Nanara does not receive or store card numbers or payment methods.

3.2 Data of the child (recorded voluntarily by their legal guardian)

• Basic identification: name or nickname, date of birth, sex (optional), photograph (optional), weeks of prematurity (optional).
• Sleep records: naps, night sleep, sleep quality, sleep training.
• Feeding records: nursing, bottle, solids, food introduction, pumping and milk bank.
• Hygiene records: diaper changes, including stool characteristics.
• Growth: weight, height, head circumference.
• Health: symptoms, temperature, medications, vaccines, medical appointments and prescriptions recorded by the adult.
• Development: milestones reached.
• Routines, activities and daily notes.

Minimization: to use the application, only a name — which can be a nickname, with no need for the child's real name — and their date of birth are required. All other fields (sex, photograph, prematurity and any record) are optional: the adult decides what information to enter.

3.3 Data we do NOT process

• We do not collect data directly from minors: the child is not a user of the application; all information is recorded by their legal guardian.
• We do not use the child's data for advertising, commercial profiling or marketing.
• We do not sell or transfer personal data to third parties for commercial purposes.

4. Processing of children's and adolescents' data

Article 7 of Law 1581 of 2012 prohibits, as a general rule, the processing of minors' data. In accordance with Ruling C-748 of 2011 of the Constitutional Court and article 12 of Decree 1377 of 2013, such processing is only possible when the following conditions are met simultaneously, which Nanara adopts as commitments:

1. Best interests of the child. The child's data is processed exclusively to provide the application's functions for the benefit of the child's care (tracking sleep, feeding, growth, health and routines), and never for advertising, profiling or purposes unrelated to that care.
2. Respect for their fundamental rights. We apply reinforced security and confidentiality measures to the child's data (section 8), and we guarantee the rights to know, update, rectify and delete their information, exercised through their legal guardian.
3. Legal guardian's authorization. Before recording any data about a child, the application requires the adult to: (i) declare that they are the child's father, mother or legal guardian; (ii) expressly accept this Policy and authorize the processing of the child's data, including sensitive health data; and (iii) separately authorize the international transfer of data described in section 6. Nanara keeps a verifiable record of each authorization (authorizing account, date, time and version of the accepted document).

Authorization to process sensitive data is optional (art. 6, Law 1581): the adult may decline to record the child's health data and still use the application's other functions.

5. Purposes of processing

1. Create and manage the user's account and authenticate them.
2. Provide the application's features: recording and visualizing the child's sleep, feeding, growth, health, routines, milestones and notes.
3. Generate, on the device and on the service's servers, indicative predictions and suggestions (e.g. sleep windows and routines) based solely on the data recorded by the user.
4. Sync information across the user's devices and with the caregivers the legal guardian invites (section 7).
5. Display anonymous, aggregated comparative statistics (peer stats), which do not allow any child to be identified.
6. Manage the premium subscription.
7. Diagnose errors, ensure security and improve the service (adult's technical and usage data).
8. Handle inquiries, claims and the exercise of data subjects' rights.
9. Comply with Nanara's legal obligations.

6. Data processors and international data transfer

To operate the service, Nanara uses technology providers acting as data processors, with servers located outside Colombia (mainly the United States and/or the European Union):

By accepting this Policy, the data subject grants their express and unequivocal authorization for the international transfer of their data and the child's data to these processors, in accordance with article 26 of Law 1581 of 2012. Data processing agreements are in place with all processors, requiring them to follow Nanara's instructions and to maintain equivalent security measures.

7. Invited caregivers

The legal guardian may invite other adults (e.g. the other parent, grandparents or caregivers) to access the child's data. This sharing:

• Only happens by express invitation of the account holder, through an invitation code.
• May be revoked at any time from the application.
• It is the legal guardian's responsibility to choose whom to invite.

8. Security measures

• Encryption of communications in transit (TLS).
• Per-account access control: row-level security (RLS) policies in the database, so each user only accesses the data of the children in their care or those they were invited to.
• The child's photographs are stored in a private repository and served only through temporary signed links, accessible only to the child's authorized caregivers.
• Minimization: only what is necessary for the described functions is collected; the child's fields are optional except the name (which can be a nickname) and the date of birth.
• Exclusion of the child's data from analytics and diagnostic tools.
• Restricted internal access and a record of authorizations granted.

9. Data subjects' rights

The adult holder — on their own behalf and on behalf of the child — has the right to:

1. Know, update and rectify the data.
2. Request proof of the authorization granted.
3. Be informed about the use that has been made of the data.
4. Revoke the authorization and/or request the deletion of the data.
5. File complaints with the Superintendence of Industry and Commerce (SIC) for violations of the law.
6. Access their data free of charge.

How to exercise them

• Within the application: data can be viewed, edited and deleted directly. The entire account can be deleted from Profile → Delete account, which removes the adult's and the child's data from the servers.
• In writing: by sending a request to dev@nanara.co, indicating your name, the email associated with the account and the right you wish to exercise.
• Web page: account and data deletion instructions are available at nanara.co/en/delete-account.

Time limits (arts. 14 and 15, Law 1581 of 2012)

• Inquiries: response within a maximum of ten (10) business days, extendable by five (5) more with notice to the data subject.
• Claims: response within a maximum of fifteen (15) business days, extendable by eight (8) more with notice to the data subject. If the claim is incomplete, the interested party will be asked to complete it within the following five (5) days; after two (2) months without a response, it will be deemed withdrawn.

Area responsible for handling requests: Legal Representation of NANARA S.A.S. — dev@nanara.co.

10. Retention and deletion

• Data is retained while the account is active and necessary for the described purposes.
• Upon account deletion, the adult's and the child's personal data are removed from Nanara's systems and those of its processors, except for data that must be retained by legal obligation (e.g. accounting information or records of the authorization), in which case it is blocked from any other use.
• Backups are purged in the infrastructure provider's normal backup cycles.

11. Changes to this Policy

Nanara may modify this Policy. Substantial changes — especially those affecting the processing of the child's data — will be notified within the application and will require renewed acceptance before continuing to use it. The current version will always be published at nanara.co/privacidad with its update date.

12. Applicable regulations and validity

• Law 1581 of 2012, Decree 1377 of 2013 (compiled in Decree 1074 of 2015), Ruling C-748 of 2011 and other concordant rules of the Republic of Colombia.
• Supervisory authority: Superintendence of Industry and Commerce (SIC) — www.sic.gov.co.
• This Policy is effective as of its publication. The databases will remain in force while the application is in operation.