Trust & Security

Last updated: July 9, 2026

LittleNest AI is built for Canadian childcare centres. Educators trust us with sensitive observations, and families trust the centres who use us. This page summarizes how we handle data, how our AI features work, and the safeguards we've put in place.

Data hosting & residency

Application data (accounts, documentation, program plans, child portfolios) is stored with reputable cloud infrastructure providers. Where possible, storage is provisioned in Canadian regions. Some subprocessors — including our AI providers, analytics, and email delivery — may process data outside Canada (typically the United States). See our Privacy Policy §7 for the full picture.

Encryption

  • In transit: all traffic is served over HTTPS (TLS 1.2 or newer).
  • At rest: customer data is stored on providers that apply industry-standard at-rest encryption (AES-256 or equivalent) on managed databases and object storage.
  • Secrets: API keys and credentials are stored in provider-managed secret stores, never in source code.

Human review of AI output (educator-reviewed)

Every piece of AI-assisted content — learning stories, program plan drafts, coach replies — is designed to be educator-reviewed before it reaches a family. We display AI output as an editable draft, not a finished record. Educators are responsible for reviewing, correcting, and approving all AI content before sharing.

AI subprocessors

AI generation is performed by large language model providers accessed through our AI Gateway (for example, providers such as OpenAI and Anthropic). Our current subprocessor list is available on request at privacy@littlenestfinder.com. We do not use educator or family inquiry data to train AI models.

Child data minimization

We treat child information with special care.

  • Educators are instructed not to enter identifying child information (full name, birthdate, medical details, home address) into AI features.
  • Where child names appear in portfolios or documentation, we scope access to the child's educators and their centre administrator.
  • We collect the minimum data needed to route inquiries and generate documentation drafts.
  • Photos, when uploaded, are governed by the centre's own consent and retention rules.

Access controls

  • Role-based access (educator, admin, family) enforced by row-level security in the database.
  • Administrative access to production data is limited to a small number of authorized team members, gated by strong authentication.
  • Passwords are stored using industry-standard one-way hashing by our auth provider.

Incident response

If we become aware of a security incident affecting your data, we will notify affected customers without undue delay and follow PIPEDA breach reporting obligations where they apply. Report a suspected security issue to security@littlenestfinder.com.