Nextro

Legal

Privacy Policy

Last updated: June 2026

This policy explains what personal data Nextro collects, why we collect it, and how we use and protect it — for both businesses and their customers.

1. Who we are

Nextro is operated by NEXTROUK LTD (trading as Nextro), a company registered in England and Wales (Company No. 17276330) (“Nextro”, “we”, “us”, “our”).

NEXTROUK LTD is the data controller for personal data processed through the Nextro platform. For data protection enquiries, contact us at admin@nextroapp.com.

Businesses act as independent data controllers in respect of personal data relating to their Customers and are responsible for their own compliance with applicable data protection law when processing Customer data outside the platform.

2. What data we collect

From Businesses (registered users):

  • Account information: name, email address, and password (hashed by Firebase Authentication).
  • Business information: location address, online booking links, arrival instructions, payment preferences.
  • Stripe Connect data: Stripe account ID and onboarding status (we do not store card or bank details).
  • Appointment and booking data: availability slots, service types, cancellation reasons, refund records.
  • Subscription and billing records: plan status, payment history via Stripe.
  • Technical data: IP address, browser type, device information, access timestamps.

From Customers (people who book appointments):

  • Booking details: name, email address, phone number, booked appointment time and service type.
  • Payment status: whether an appointment was paid by card or cash, and payment outcome (processed by Stripe; we do not store card numbers).
  • Technical data: IP address and browser type collected during the booking process.

When you use the booking link import feature:

  • The URL you submit when using the booking link import feature during account setup.
  • Publicly available business information retrieved from that URL (for example, business name). No customer data, payment information, or private account content is accessed or stored.
  • Import requests, including the submitted URL and your IP address, may be logged for security monitoring, abuse prevention, and troubleshooting.
  • Imported information becomes part of your account data and can be edited or deleted by you at any time in Settings.

When you upload a customer or service CSV:

  • Customer data you upload (such as names, email addresses, and phone numbers) is processed to create client records in your account. This data was collected by you independently, outside Nextro. You are the data controller for this data and are responsible for having a lawful basis for processing it.
  • Service data you upload (such as service names, durations, prices, descriptions, and categories) is processed to create service records in your account.
  • Raw CSV files are not stored on Nextro servers. Only the structured data extracted from the CSV is saved to your account.
  • Imported customer and service data can be edited or deleted by you at any time from within your account.
  • CSV import activity may be logged for security monitoring and abuse prevention.

3. How we use your data

We process personal data for the following purposes:

  • Providing and operating the Nextro platform and its features.
  • Creating and managing Business accounts and authentication.
  • Facilitating bookings and payment processing via Stripe Connect.
  • Sending booking confirmation and reminder emails to Customers (via Resend).
  • Managing subscriptions and credit balances.
  • Processing booking link import requests and logging import activity for security and abuse prevention.
  • Processing customer and service CSV uploads to create account records and assist with platform migration.
  • Detecting and preventing fraud, abuse, and security incidents.
  • Complying with our legal obligations (including tax and financial record-keeping).
  • Providing customer support and responding to enquiries.

Transactional service emails (such as booking confirmations, reminders, security notifications, and billing communications) are necessary for the performance of the service and cannot be opted out of while maintaining an active account.

4. Legal bases for processing (UK GDPR)

We rely on the following legal bases under UK GDPR Article 6:

  • Contract (Art. 6(1)(b)): processing is necessary to provide the Nextro service to Businesses, and to fulfil the booking transaction with Customers.
  • Legitimate interests (Art. 6(1)(f)): processing is necessary for our legitimate interests including platform security, fraud prevention, improving service reliability, and direct communications with existing users. We have carried out a balancing test and concluded our interests do not override your fundamental rights.
  • Legal obligation (Art. 6(1)(c)): where we are required to process data to comply with applicable law (e.g. financial record-keeping, responding to lawful requests from authorities).
  • Consent (Art. 6(1)(a)): where we rely on consent (e.g. for optional communications), you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

5. Third-party data processors

We share personal data with the following processors, who are contractually bound to process data only on our documented instructions:

  • Google LLC / Firebase — provides authentication, Firestore database, and cloud infrastructure. Data may be stored on Google Cloud servers in the EU/UK or US. Transfers outside the UK are covered by Google's Standard Contractual Clauses and adequacy decisions where applicable.
  • Stripe Technology Europe, Limited — processes card payments via Stripe Connect. Stripe is an independent controller for its own services and is subject to its own privacy policy. Stripe may transfer data internationally in accordance with its data transfer mechanisms.
  • Resend Inc. — provides transactional email delivery (booking confirmations and reminders). Customer email addresses are shared with Resend solely for the purpose of sending emails triggered by a booking.
  • Vercel Inc. — provides hosting and edge infrastructure for the Nextro web application. Vercel may process request metadata (such as IP addresses) as part of its logging.
  • Google LLC / Firebase Analytics — used to collect anonymised usage data about how businesses interact with the platform. Only activated after you accept cookies via the cookie consent banner. Governed by the Google Privacy Policy.
  • Meta Platforms, Inc. — Meta Pixel is used to track page visits on the Nextro marketing site for advertising attribution and audience analytics. Only activated after you accept cookies. Governed by the Meta Privacy Policy. We do not share Customer personal data with Meta.
  • Google LLC / reCAPTCHA — Google reCAPTCHA v3 is used on account registration and sign-in pages to detect and prevent automated abuse. reCAPTCHA v3 operates invisibly and uses browser signals and cookies to generate a risk score. We rely on legitimate interests as the legal basis. Governed by the Google Privacy Policy.

We do not sell personal data to third parties. Non-essential tracking tools (Firebase Analytics, Meta Pixel) are only activated after explicit cookie consent.

6. Data retention

We retain personal data for as long as necessary to fulfil the purposes described above:

  • Business account data: retained for the duration of the account and for up to 7 years after account closure for financial and legal compliance purposes.
  • Booking and Customer data: retained for up to 7 years to support tax records and potential dispute resolution, unless a shorter period is required or Businesses request earlier deletion.
  • Authentication logs and technical data: retained for up to 90 days for security and incident investigation purposes.

When data is no longer required, it is securely deleted or anonymised.

7. Your rights under UK GDPR

Depending on the circumstances, you may have the following rights in relation to your personal data:

  • Right of access: to receive a copy of the personal data we hold about you.
  • Right to rectification: to have inaccurate or incomplete data corrected.
  • Right to erasure: to have your data deleted in certain circumstances (“right to be forgotten”).
  • Right to restriction: to restrict our processing of your data in certain circumstances.
  • Right to data portability: to receive your data in a structured, machine-readable format.
  • Right to object: to object to processing based on legitimate interests.
  • Rights related to automated decision-making: we do not use automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, contact us at admin@nextroapp.com. We will respond within one calendar month. We may need to verify your identity before fulfilling a request.

8. Security

We implement appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted data storage (via Firebase), HTTPS encryption in transit, access controls, and httpOnly authentication cookies.

No system can guarantee absolute security. In the event of a personal data breach that is likely to result in a high risk to individuals, we will notify affected individuals and the Information Commissioner's Office (ICO) as required by UK GDPR.

9. International data transfers

Some of our processors (including Google/Firebase and Vercel) may transfer or store data outside the UK or EEA. Where such transfers occur, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner, adequacy decisions, or the UK International Data Transfer Agreement (IDTA).

10. Cookies

We use cookies and similar technologies on Nextro. For full details, please see our Cookie Policy.

11. Right to complain to the ICO

If you believe we have handled your personal data unlawfully or have not addressed your concerns satisfactorily, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113

12. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will post the revised policy on this page with an updated “Last updated” date. For material changes, we will take reasonable steps to notify you.

13. Contact

For any privacy-related questions or to exercise your data rights, contact us at: admin@nextroapp.com
NEXTROUK LTD, Company No. 17276330, England and Wales.
8 Rodington Fields, Shrewsbury, SY4 4FE.

We use performance cookies to improve Nextro. Cookie policy