01
Who we are
NextStep ("we", "us", "our") is operated by the legal entity that owns the NextStep brand (the "Company"). We act as the data controller for personal data processed when you use the NextStep website and mobile apps (the "Service"). For privacy questions, write to privacy@nextstep.app. Our EU/UK representative and (where required) our Data Protection Officer will be appointed and disclosed in this section before general availability in those regions.
02
What this policy covers
This Privacy Policy applies to the NextStep website at nextstep.app (and its subdomains) and to the NextStep mobile applications for iOS and Android. It does not cover third-party websites, employer career pages, job boards, calendar tools or other external services that you may interact with through links inside the Service. Those services have their own privacy policies — please read them separately.
03
What personal data we collect
We collect the following categories of personal data:
- Account data — email, password hash, account creation timestamp, language preference, country, marketing-email opt-in.
- Profile data — name, current and target job title, years of experience, location, salary range, public social-profile URLs you choose to share.
- Resume content — text and structured fields of every resume you create or upload, including work history, education, skills, certifications and links.
- Job-search content — jobs you save to the tracker, application status, notes, contacts, scheduled interviews.
- Voice recordings — audio you submit to the voice resume and the interview rehearsal modules, together with the transcripts generated from those recordings.
- Usage data — pages viewed, features used, in-product events (such as "ran ATS check" or "completed onboarding step 3") and aggregated session telemetry.
- Device data — IP address, user-agent string, device type, operating-system version, app version, time zone and a pseudonymous device identifier.
- Payment data — billing address, last four digits of payment card, plan, currency, taxes. We do not see or store the full card number; this is handled exclusively by our payment processor.
- Communications — support tickets, in-app feedback, replies to our transactional emails.
04
Where the data comes from
We collect personal data directly from you (when you sign up, fill in your profile, upload a resume, record voice, save a job or send a support request) and automatically when you use the Service (usage and device data). If you sign in with Google or Apple, we also receive the email address and basic profile information you authorise that provider to share with us.
05
Why we process it and our legal bases
We process your personal data for the purposes listed below. Where the EU/UK GDPR applies, our legal basis is shown in brackets:
- To provide the Service — creating resumes, running analyses, tracking jobs, generating coaching nudges (performance of a contract, Art. 6(1)(b) GDPR).
- To process payments, calculate taxes and prevent fraud (performance of a contract; legal obligation; our legitimate interest in fraud prevention).
- To send transactional messages such as billing receipts, security alerts and trial reminders (performance of a contract; legitimate interest).
- To improve the Service through aggregated, pseudonymised analytics and through evaluation of model-output quality (legitimate interest; you can object at any time).
- To send optional marketing emails about new features (only with your explicit consent; you can withdraw it at any time from Settings).
- To comply with legal obligations such as tax, accounting and lawful requests from authorities (legal obligation).
06
Voice recordings and AI processing
When you submit voice recordings (voice resume, interview rehearsal, pronunciation drills), we transcribe the audio to text and process the transcript to generate feedback. We do not use your voice for biometric identification or voiceprint matching. By default, voice recordings are stored for up to 90 days so you can replay them; you can delete any recording from Settings, after which it is removed from our systems within 24 hours.
We process the text of your resumes and jobs through third-party large-language-model providers in order to generate the analyses and suggestions you ask for. By contract, those providers may not train their models on data we send through their APIs and they retain our prompts only for the period strictly necessary to detect abuse (typically up to 30 days).
07
Automated decisions
NextStep uses AI to generate suggestions, scores, drafts and recommendations. These are advisory tools — a human (you) makes the final decision about which resume to send, which job to apply to and how to answer in an interview. We do not make solely automated decisions that produce legal or similarly significant effects on you. We do not screen you in or out of any job, employer or opportunity, and the Service is not used by employers to evaluate candidates.
08
Who we share it with
We share personal data only with the categories of recipients listed below, and only to the extent strictly necessary to operate the Service:
- Cloud hosting and database providers — to store your data and run our infrastructure.
- Authentication and sign-in providers — to verify your identity (including Google and Apple if you use social sign-in).
- Payment processor — to process subscriptions, taxes, chargebacks and refunds where applicable.
- AI and large-language-model providers — to generate analyses, scores, drafts, transcriptions and coaching messages.
- Email and push-notification providers — to deliver transactional and (with consent) marketing messages.
- Customer-support tools — to handle your support tickets.
- App-store providers (Apple, Google) — for in-app purchases, receipt verification and crash reports.
- Professional advisers, auditors, regulators and law-enforcement authorities — where strictly required by law.
We do not sell personal data and we do not share personal data for cross-context behavioural advertising. An up-to-date list of named sub-processors is available on request at privacy@nextstep.app.
09
International data transfers
Our infrastructure runs primarily in the European Union and the United States, and some of our providers operate globally. When personal data is transferred outside the EEA, the UK or any other jurisdiction that restricts international transfers, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions where they exist, or the EU–US Data Privacy Framework where the recipient is certified. A copy of the relevant safeguards is available on request.
10
How long we keep it
We keep personal data only for as long as we need it:
- Account, profile, resumes, jobs and analyses — for as long as your account is active.
- Voice recordings — up to 90 days from upload, or until you delete them earlier.
- Billing records — up to 7 years, as required by tax and accounting law.
- Security and abuse-prevention logs — up to 12 months.
- Marketing-email engagement data — until you withdraw consent.
When you delete your account, we delete or anonymise your personal data within 30 days, except where law requires us to keep specific records longer (for example, billing records).
11
How we protect it
We use industry-standard safeguards including TLS 1.2+ in transit, AES-256 at rest, role-based access controls, audit logging, principle-of-least-privilege for our staff, periodic security reviews and a documented incident-response process. No system is perfectly secure: we will notify you and the competent supervisory authority of any personal-data breach as required by law and without undue delay.
12
Your privacy rights
Depending on where you live, you may have the right to: access your data; correct inaccurate data; delete your data; restrict or object to processing; receive your data in a portable format; withdraw consent (without affecting the lawfulness of prior processing); and lodge a complaint with your supervisory authority. You can exercise most of these rights directly from Settings (export, correct, delete). For anything else, email privacy@nextstep.app — we will respond within 30 days.
13
Children
The Service is not directed at children. You must be at least 16 years old in the EEA and the UK, at least 18 in India, and at least 13 in the United States (COPPA requires verifiable parental consent for children under 13, and we do not offer accounts to them) to use NextStep. We do not knowingly collect personal data from anyone below the applicable minimum age. If you believe we have, contact privacy@nextstep.app and we will delete it.
14
Cookies and similar technologies
We use only the cookies and similar local-storage items strictly necessary to run the Service: an authentication session cookie, a language-preference cookie and a CSRF-protection cookie. We do not use marketing, advertising, retargeting or third-party analytics cookies on the Service. We do not embed third-party tracking pixels.
15
California residents (CCPA / CPRA)
If you are a California resident, you have all the rights described in section 12 plus: the right to know what personal information we collect and how we use it; the right to request deletion; the right to correct inaccurate information; the right to opt out of any "sale" or "sharing" of personal information; the right to limit the use of sensitive personal information; and the right not to be discriminated against for exercising any of these rights. We do not sell personal information and we do not share it for cross-context behavioural advertising. To exercise your CCPA rights, email privacy@nextstep.app or use the in-app tools in Settings.
16
Changes to this policy
We may update this policy as the Service evolves. For material changes we will notify you by email and via an in-app banner at least 30 days before the new version takes effect. Non-material changes (typos, clarifications, sub-processor refresh) are effective on publication. The "effective" date at the top of this page always reflects the current version.
17
Contact and complaints
Privacy questions and rights requests: privacy@nextstep.app. EU/UK and EEA users have the right to lodge a complaint with their local data-protection authority. Our EU/UK representative will be appointed and disclosed in this section before we make the Service generally available in those regions.