Privacy Policy
Last updated: April 24, 2026
Version 2026-04-24
This Privacy Policy explains how [YOUR LLC LEGAL NAME], LLC ("NextStep," "we," "our," or "us") collects, uses, discloses, and protects personal information in connection with the NextStep website at joinnextstepai.com, our browser extension, and related services (the "Service"). It also serves as our Notice at Collection for purposes of the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, "CCPA").
The Service is intended for U.S. residents only. If you are outside the United States, please do not use the Service. By using the Service you agree to the collection and use of information in accordance with this Policy and our Terms of Service.
1. Notice at Collection — Categories We Collect
We collect the following CCPA-enumerated categories of personal information about you, from the sources and for the purposes described below. We do not sell personal information for money. We do not knowingly collect information from children under 13.
| Category | Examples |
|---|---|
| Identifiers | name, email, username, phone (if provided), IP address, device identifiers, cookie / session identifiers. |
| Customer-records info (Cal. Civ. Code § 1798.80(e)) | account credentials (hashed), profile, billing address (collected by Stripe). |
| Commercial information | subscription plan, billing history, products purchased, usage entitlements consumed. |
| Internet / network activity | pages visited within the Service, feature use, error logs, approximate geolocation derived from IP. |
| Professional / employment-related info | résumé content, work history, education, skills, target roles, applications you track, notes you write, AI drafts you generate. |
| Electronic / digital info | If you connect Outlook: structured extracts and short excerpts of job-related email (sender, recipient, subject, dates, snippets) processed for classification and timeline display. |
| Inferences | profile-derived signals such as application stage, contact-relevance ranking, recommended drafts. |
Sensitive personal information. We do not collect government IDs, financial-account numbers, precise geolocation, racial/ethnic origin, religion, union membership, genetic data, biometric data, health data, or sex-life information. Email content you authorize us to read may incidentally contain sensitive details; we process such content only for the purposes described and do not use it to infer characteristics for advertising. Stripe, our payment processor, separately handles your payment-card details under its own privacy practices; we never see, store, or transmit full card numbers.
Sources. Information comes (a) directly from you, (b) automatically from your device and use of the Service, (c) from your authorized integrations (Microsoft / Outlook), (d) from our service providers (Stripe billing events, analytics tooling), and (e) from publicly available professional sources used in contact discovery (e.g., company websites, search-engine results) and from third-party search/data providers we license (e.g., Brave, Tavily, Google Programmable Search, SerpAPI).
2. How We Use Personal Information
We use personal information for the following business purposes:
- provide, maintain, and operate the Service, including authentication, sessions, and entitlements;
- process Subscriptions and payments through Stripe;
- classify job-related email and build the timeline view of your applications (only when you have authorized Outlook access);
- generate AI Output — drafts, summaries, recommendations, contact rankings — using third-party LLM and search providers;
- communicate transactional notices (verification, password reset, billing receipts, security alerts, service announcements);
- secure the Service, prevent abuse, fraud, and credential stuffing, and enforce our Terms;
- comply with law and respond to lawful requests from public authorities;
- improve product quality through aggregated, de-identified analytics;
- conduct internal research and develop new features.
3. Automated Decision-Making and AI Processing
We use automated systems, including third-party large language models, to (a) generate drafts of outreach messages and résumé suggestions, (b) classify whether a given email relates to a specific application, and (c) rank potential professional contacts by estimated relevance. These outputs are recommendations only; no decision with a legal or similarly significant effect on you is made solely by automated processing. AI Output is delivered to you for your review; the decision to act on it (whether to send, save, or rely on it) is yours.
We do not use Your Content or AI Output to train any third-party general-purpose model. Where we use OpenAI's API or comparable LLM APIs, we rely on the provider's API-tier "not used for training" commitments.
4. How We Share Personal Information
We share personal information with the following categories of recipients, only as needed to provide the Service and under contractual confidentiality / use restrictions:
| Sub-processor / category | Purpose |
|---|---|
| Stripe, Inc. | Payments, billing, tax computation, fraud prevention. |
| Supabase, Inc. | Managed Postgres database, file storage. |
| Vercel, Inc. | Web hosting, edge / serverless compute, CDN. |
| Microsoft Corporation | Outlook / Graph API for email integration (only with your authorization). |
| Resend / email delivery | Transactional email (verification, receipts, password reset). |
| OpenAI, OpenRouter, and similar LLM providers | AI Output generation under API-tier no-training terms. |
| Search / contact-discovery providers | e.g., Brave Search, Tavily, Google Programmable Search, SerpAPI for surfacing publicly-available professional contacts. |
| Sentry | Error monitoring; PII redaction is enabled. |
| PostHog (if enabled) | Product analytics with sensitive fields redacted. |
We may also share personal information (a) with your direction or consent, (b) to comply with law, legal process, or a lawful government request, (c) to protect our rights, property, or safety, or those of our users or others, (d) in connection with a corporate transaction (merger, acquisition, financing, or sale of assets), in which case we will provide notice and continued protection of your information, and (e) in an aggregated or de-identified form that cannot reasonably identify you.
No sale of personal information for money. We do not sell personal information for monetary consideration. Some analytics or LLM-provider relationships could be construed as "sharing" or "selling" under the broad CCPA definitions; if so, you may exercise the "Do Not Sell or Share" right described in Section 9.
5. Microsoft / Outlook Email Integration
If you connect a Microsoft account, you authorize us to access your inbox using the scopes you grant via Microsoft Graph (typically Mail.Read / Mail.ReadBasic, offline_access, User.Read). We use this access to identify and classify job-related email, extract structured fields (sender, recipient, subject, dates), and store short snippets necessary to render your application timeline. We do not send mail from your account without an explicit user action. You can disconnect at any time from Settings → Email & Integrations, which revokes our stored OAuth refresh token.
6. Cookies and Similar Technologies
We use first-party cookies (or equivalent local storage) for authentication, session persistence, CSRF protection, preference storage, and basic product analytics. We honor browser Global Privacy Control (GPC) signals as a valid opt-out of "sale"/"sharing" under the CCPA. We do not currently use third-party advertising cookies.
7. Data Retention
We retain personal information for as long as your Account is active or as needed to provide the Service. Specific retention rules:
- Account & profile data: until you delete your Account.
- Application timelines, résumés, drafts: until you delete them or your Account.
- Outlook OAuth tokens: until you disconnect or revoke.
- Email extracts & snippets: retained for the lifetime of the linked application; deleted when the application is deleted.
- Billing records: retained for at least 7 years to satisfy tax and accounting obligations.
- Operational logs (errors, security events): typically retained 30–90 days.
- Backups: may persist in encrypted backups for up to 30 days after deletion.
- Aggregated / de-identified data: retained indefinitely; not associated with you.
8. Security
We use administrative, technical, and physical safeguards designed to protect personal information, including TLS encryption in transit, encryption-at-rest provided by Supabase and Vercel, hashed passwords (bcrypt/argon2), encrypted OAuth tokens, fail- closed rate limiting on sensitive endpoints, narrow least-privilege access, and monitoring. No system is perfectly secure. You must use a strong, unique password and notify us immediately of any unauthorized use of your Account at [email protected].
9. Your California Rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know the categories and specific pieces of personal information we have collected about you in the last 12 months;
- Delete personal information we hold about you (subject to exceptions, including completion of a transaction, security, error correction, internal use compatible with the relationship, and legal obligations);
- Correct inaccurate personal information;
- Opt out of "sale" or "sharing" of personal information (we honor Global Privacy Control as a valid opt-out signal);
- Limit the use of sensitive personal information (we do not collect any of the CCPA categories of sensitive personal information);
- Non-discrimination for exercising your rights — we will not deny service, charge different prices, or provide a different level of service in retaliation for an exercise of these rights;
- Authorized agent. You may designate an authorized agent to make a request on your behalf. We will require proof of the agent's authority and will verify the agent's identity.
How to exercise your rights. Email [email protected] from the email address on your Account, or use the in-app data export and Account deletion tools at Settings → Privacy & Data. We will verify your request by reference to information in your Account and will respond within 45 days, with up to one 45-day extension where reasonably necessary, as permitted by law. We do not charge a fee for verifiable consumer requests, but may do so for manifestly unfounded or excessive requests as permitted by law. You may also appeal a denial by replying to our response email.
10. California "Shine the Light"
California Civil Code § 1798.83 permits California residents to request, once per year, certain information regarding our disclosure of personal information to third parties for those third parties' direct-marketing purposes. We do not disclose personal information to third parties for their own direct-marketing purposes. To request information under § 1798.83, contact us at [email protected].
11. Users Outside the United States
The Service is hosted in the United States and is intended only for U.S. residents. By using the Service from outside the U.S., you consent to processing of your information in the U.S. We do not target users in the European Economic Area, the United Kingdom, or other jurisdictions with comprehensive data-protection regimes, and we do not represent compliance with the GDPR, UK GDPR, or similar regimes.
12. Children's Privacy
The Service is not directed to children under 13, and we do not knowingly collect personal information from anyone under 13. If you believe a child has provided us personal information, contact us at [email protected] and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For non-material changes we will update the "Last updated" date and the version. For material changes that adversely affect your rights, we will provide at least 30 days' advance notice by email or in-app notice and require affirmative re-acceptance. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact
For privacy questions or to exercise your rights, contact:
Email: [email protected]