← Back to home

Privacy Policy

Gest ("Gest," "we," "us") is the surrogacy companion app for intended parents and gestational carriers. This policy describes what personal data we collect, why we collect it, how we use and protect it, who helps us operate the service, and your rights.

This policy covers the website at thegest.app, the Gest mobile applications, and related support flows. Our Consumer Health Data Privacy Policy supplements this policy for reproductive-health and other consumer-health data.

1. Data controller

The data controller is Gest, operated by Gest LLC. For privacy inquiries, contact us at hello@thegest.app.

2. What we collect

We collect the following categories of personal data:

Account information: Name, email address, and authentication credentials when you create an account.

Journey information: Details you choose to provide, such as your journey phase, due date, state, and your surrogate's first name.

User-generated content: Photos, posts, messages, and documents you upload or share within the app.

AI companion conversations: Messages you send to the AI companion and the responses generated.

Payment information: Processed by Apple (App Store) or Google (Play Store). We receive confirmation of your subscription status through app-store tools and RevenueCat, but we do not receive or store your payment card details.

Device and usage data: Device type, operating system, app version, pages visited, feature usage, crash reports, and privacy-minimized analytics. We do not intentionally include message text, document contents, AI conversation text, or deletion/authentication tokens in analytics events.

Waitlist information: Email address and referral source when you join our waitlist. Stored in Loops.

3. Reproductive health data

Certain information you provide — such as pregnancy status, due dates, medical appointments, and fertility treatment details — constitutes reproductive health data. We treat this data with the highest level of care:

We do not sell, rent, license, trade, or otherwise monetize reproductive health data. We do not share it with data brokers, advertisers, or employers. We do not use reproductive health data for targeted advertising. We do not disclose it to law enforcement except where compelled by valid legal process directed specifically at our company, and we will notify you unless legally prohibited from doing so. Where applicable, we handle this data under state consumer-health privacy laws, including Washington's My Health My Data Act, Connecticut's consumer-health-data provisions, Nevada's health data privacy law, and similar laws.

Gest is not a covered entity or business associate under HIPAA. We are not a healthcare provider, health plan, or healthcare clearinghouse. We do not access your medical records from providers unless you voluntarily upload them.

4. How we use your data

We use personal data to:

Provide and operate the Gest app and its features, including the AI companion, shared messaging, checklists, calendar, and document vault. Personalize your experience based on your journey phase and state. Send you transactional emails (account verification, subscription confirmations). With your consent where required by applicable law, send you product updates and marketing communications — you can opt out at any time. Analyze usage patterns to improve the product using aggregated or de-identified data. Comply with legal obligations.

5. Lawful basis for processing (EEA/UK users)

If you are located in the European Economic Area or the United Kingdom, our lawful bases for processing your data are: performance of our contract with you (providing the service), your consent (marketing emails, advertising cookies), our legitimate interests (product improvement, fraud prevention, analytics), and compliance with legal obligations. For special-category data — including the health and reproductive-health information described in Section 3 — we rely on your explicit consent (GDPR Article 9(2)(a)), which we ask for separately in the app before processing that data. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before withdrawal; withdrawing consent for health data stops future processing of it.

6. Sub-processors and third-party services

We use the following third-party services to operate Gest:

Google Gemini (AI companion and document review) — Processes your AI conversation messages and, with your explicit consent, uploaded documents for AI-powered analysis. We use Google's paid API and do not opt in to data-sharing for model training. Google may retain prompts and responses for a limited period for abuse monitoring, service operation, and legally required disclosures, as described in Google's then-current API terms and data processing terms. United States.

Supabase (database and authentication) — Stores account data, journey information, and user-generated content. United States.

PostHog (analytics) — Collects privacy-minimized product usage data to help us improve the app. Hosted in the United States and reverse-proxied through our domain. We configure analytics to avoid session replay, autocapture, message text, document contents, and URL query strings.

RevenueCat (subscription management) — Helps validate app-store purchases and subscription status. United States.

Apple / Google (payments and app distribution) — Processes subscription payments and app-store account activity. We receive subscription status only.

Loops (waitlist and marketing email) — Stores waitlist email addresses, referral source, and email subscription preferences. United States.

Resend (transactional email) — Sends account, support, and account-deletion emails. United States.

Google Cloud Translation (message translation) — Translates messages between you and your surrogate when you speak different languages. Message text is sent to Google's Cloud Translation API for processing. United States.

Vercel (website hosting) — Hosts and serves the Gest website. Processes IP addresses and request metadata. United States.

Meta Pixel and Google Ads (website only) — Conversion tracking for advertising campaigns. These tags load only on selected marketing pages after you opt in via the cookie banner. They are not present in the mobile app or authenticated app surfaces. We do not send reproductive health data, AI conversations, uploaded documents, messages, or account-deletion/authentication tokens to advertising platforms. Loading these tags may cause data such as your IP address, page URL, and device identifiers to be received by Meta and Google for advertising purposes. Under some laws, this may constitute "sharing" for cross-context behavioral advertising. You can withdraw consent at any time using the "Cookies" link in the website footer.

We require each sub-processor to maintain appropriate security measures and to process your data only as necessary to provide their service to us.

7. Document encryption

The document vault is designed so sensitive documents (contracts, legal agreements, medical records) are encrypted before upload where that feature is available. Standard photos, posts, and messages are encrypted in transit (TLS) and at rest on our servers, but are not end-to-end encrypted.

8. AI features and third-party AI (Google Gemini)

Some Gest features use Google Gemini, Google's generative-AI service, to process information you provide. We send data to Google Gemini only for the feature you are using, and only after you accept the in-app AI disclosure for that feature. The data sent depends on the feature:

AI companion chat: the question you type, plus minimal journey context — your role, journey phase, expected due date, embryo or baby count, and surrogacy status.

Document analysis (opt-in): the contents of a document you explicitly select and grant access to. We do not send a document to Gemini unless you choose this feature for that specific document.

Birth-plan comparison: the birth-plan fields you entered — and, once both parties consent, both parties' fields — so the feature can compare them.

What we do not send: we do not send your contact information, precise location, payment data, or identifiers beyond the information you have entered for the feature you are using.

How this data is collected and used: it is the text you type, the documents you select, or the birth-plan fields you enter — collected only when you use the feature and accept its AI disclosure. Google Gemini uses it solely to generate the response, document summary, or comparison you requested. We use Google's paid API and send the "no-training" signal, so your data is not used to train Google's models. Google may retain prompts and responses for a limited period for abuse monitoring, service operation, and legally required disclosures, as described in Google's Gemini API terms and data processing terms. Under those terms, Google is required to protect this data with safeguards consistent with this policy and applicable law.

Your AI companion conversations are private to you. Your surrogate cannot see your AI conversations, and you cannot see hers. We do not read or review AI conversations except where necessary to investigate abuse, debug a support issue you raise, maintain the service, or comply with legal obligations. We may analyze aggregated or de-identified conversation metadata (such as message count and feature usage frequency) to improve the product.

9. Law enforcement requests

We do not voluntarily disclose personal data to law enforcement. If we receive a valid court order or subpoena directed specifically at our company, we will comply only to the extent legally required. We will notify affected users before disclosure unless we are legally prohibited from doing so. We will challenge requests we believe are overbroad or legally deficient.

10. Data retention

We retain your personal data for as long as your account is active or as needed to provide services. AI companion conversation history is retained for the duration of your account. Waitlist email addresses are retained until you unsubscribe or the waitlist closes. When you delete your account, we remove your personal data within 30 days, subject to legal, fraud-prevention, tax, security, and backup exceptions. Backup copies and logs containing personal data are purged on a rolling basis, generally within 90 days and no later than required by applicable law. We may retain aggregated or de-identified data indefinitely for analytics. Some processors — for example, our AI provider — may retain limited data for a short period for abuse monitoring or as required by law even after you delete your account; we direct our processors to delete your data where deletion is required by applicable law.

11. International data transfers

Gest is operated from the United States. If you access our services from outside the United States, your data will be transferred to and processed in the United States. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) where required to safeguard international transfers.

12. Cookies and tracking

The Gest website uses essential storage for site functionality and consent preferences. PostHog analytics runs under our legitimate interest in product improvement, and we configure it to avoid session replay, autocapture, and URL query strings. Third-party advertising tags (Meta Pixel and Google Ads) load only on selected marketing pages and only after you consent via the cookie banner. The mobile app does not use browser cookies. You can change your cookie preferences at any time using the "Cookies" link in the website footer.

Global Privacy Control (GPC). If your browser sends a Global Privacy Control signal, we treat it as a valid request to opt out of the sale or sharing of your personal information for cross-context behavioral advertising, and we will not load Meta Pixel or Google Ads for that browser session.

13. Your rights

Depending on your jurisdiction, you may have the right to: access the personal data we hold about you, correct inaccurate data, delete your data, restrict or object to processing, data portability (receive your data in a structured, machine-readable format such as JSON), withdraw consent, and lodge a complaint with a supervisory authority.

California residents. If the CCPA/CPRA applies to us, you have additional rights, including the right to know what personal information we collect and how we use it; request deletion; correct inaccurate information; opt out of the sale or sharing of personal information; limit certain uses of sensitive personal information; and not be discriminated or retaliated against for exercising these rights. We do not sell personal information. We do not share personal information for cross-context behavioral advertising unless you opt in via the cookie banner, as described in Sections 6 and 12. We use sensitive personal information (including reproductive health data) only for purposes permitted under the CCPA/CPRA — such as providing the service you request — and not for purposes that would give you a right to limit its use.

Do Not Sell or Share My Personal Information. To opt out of sharing for cross-context behavioral advertising, use the "Cookies" link in the website footer or enable Global Privacy Control in your browser. Both methods stop Meta Pixel and Google Ads from loading.

To exercise any of these rights, email hello@thegest.app. We will respond within 30 days (or within the timeframe required by applicable law). You may designate an authorized agent to make a request on your behalf; we may require verification of your identity and the agent's authorization.

Consumer-health-data rights are described in more detail in our Consumer Health Data Privacy Policy.

14. Children's privacy

Gest is not directed to children under 18. We do not knowingly collect personal data from anyone under 18. The Service is intended for users age 18 and older. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal data, contact us at hello@thegest.app.

15. Security

We use administrative, technical, and organizational safeguards designed to protect personal data, including encryption in transit (TLS), encryption at rest where supported by our infrastructure, access controls, and security reviews. No system is perfectly secure, and we cannot guarantee absolute security. If we become aware of a data breach affecting your personal data, we will notify you and relevant authorities as required by applicable law.

16. Changes to this policy

We may update this policy from time to time. We will notify you of material changes by email or in-app notification at least 14 days before they take effect. Continued use of Gest after changes take effect constitutes acceptance of the updated policy.

17. Contact

For privacy inquiries, data requests, or complaints: hello@thegest.app.

Gest LLC, a Wyoming limited liability company
30 N Gould St, Ste R, Sheridan, WY 82801, United States