NextCalm

Privacy Policy

How we protect your information and your rights.

1. Introduction and Scope

NextCalm Inc. ("Company," "we," "us," "our," or "NextCalm") is committed to protecting the privacy and security of your personal information. This Privacy Policy ("Policy") explains our policies and practices regarding the collection, use, disclosure, and protection of your information when you access and use the NextCalm mobile application and associated website (collectively, the "Service").

This Policy applies to all users of the Service, regardless of their location. By accessing or using NextCalm, you acknowledge that you have read this Policy and agree to its terms.

2. Information We Collect

2.1 Information You Provide Directly

  • Account Registration: Email address, username, and encrypted password. We collect only your username and subscription details - nothing more.
  • Subscription Information: Billing address, subscription tier, and transaction history (processed by third-party payment processors).
  • Customer Support: Information in support inquiries and communications.
  • Vault Content: All vault information is encrypted end-to-end with AES-256 before transmission. We have zero access to your vault. We cannot decrypt, view, or access any stored information under any circumstances.

2.2 Information Collected Automatically

Device information, usage analytics, log data (access timestamps, IP addresses), location data (general geographic location only, not GPS), and performance metrics.

2.3 Information from Third Parties

Payment processors provide transaction confirmations. App stores provide installation and update information. Analytics providers may provide usage patterns.

3. Legal Basis for Processing

Contract performance, legal compliance, legitimate interests (fraud prevention, security), and consent.

4. Use of Information

We do NOT use vault content for any purpose. We do NOT use information for targeted advertising or sell it to third parties.

  • Providing and maintaining the Service
  • Processing subscriptions and billing
  • Sending transactional communications
  • Customer support
  • Detecting fraud and preventing abuse
  • Analyzing usage to improve the Service
  • Security monitoring and threat detection
  • Meeting legal and regulatory obligations

5. Data Security and Encryption

5.1 End-to-End Encryption

AES-256 encryption, PBKDF2 key derivation, encryption on your device before transmission, keys stored only on your device.

5.2 Zero-Knowledge Architecture

Data encrypted before leaving your device, servers store only encrypted data, we never have encryption keys, we cannot decrypt your vault even in response to legal requests.

5.3 Infrastructure Security

Secure data centers, network security, TLS 1.2+ encryption, access controls, regular security audits, encrypted backups in geographically distributed locations.

5.4 Compliance

SOC 2 Type II, ISO 27001, OWASP compliance.

6. Data Retention and Deletion

Account Deletion: Immediate deactivation, permanent vault deletion from live systems, backup deletion within 30 days, account information deleted after 90 days. Deletion is irreversible.

  • Vault Content: Retained during account. Deleted upon account deletion.
  • Account Information: Retained for 90 days after deletion for recovery window.
  • Payment Records: 7 years (tax requirement)
  • Usage Logs: 12 months
  • Security Logs: 24 months

7. Data Sharing and Disclosure

7.1 Data We Do NOT Share

We do NOT sell, rent, share vault content, use for targeted advertising, provide to data brokers, or monetize your information.

7.2 Service Providers

Limited information (email and subscription only) shared with cloud providers, payment processors, support platforms under strict data processing agreements.

7.3 Legal Disclosures

Court orders, subpoenas, government requests, regulatory inquiries. Note: We cannot provide decrypted vault content as we have no access to encryption keys. We notify you when legally permissible.

7.4 Business Transfers

Information may transfer in merger, acquisition, or bankruptcy. You will be notified.

7.5 Aggregated Data

De-identified, aggregated statistics may be shared for research and analytics.

8. Your Privacy Rights and Choices

8.1 All Users

Right of access, right to correct information, right to delete your account, right to data portability, right to withdraw consent, right to opt out of promotional communications.

8.2 European Economic Area (GDPR)

Right of access, rectification, erasure ("right to be forgotten"), restriction, data portability, objection, automated decision-making rights. Data Protection Officer: dpo@nextcalm.com

8.3 California (CCPA/CPRA)

Right to know, delete, opt-out, non-discrimination, limit use, correct. Submit requests to privacy@nextcalm.com with "CCPA Request" in subject. Response within 45 days.

8.4 Canada (PIPEDA)

Right to access, correct, understand usage, withdraw consent.

8.5 Brazil (LGPD)

Right to access, correct, anonymize, delete, portability, object.

8.6 Other Jurisdictions

Compliance with Australia Privacy Act, Japan APPI, South Korea PIPA, Singapore PDPA.

9. Children's Privacy

NextCalm is not intended for individuals under 18. We do not knowingly collect information from children under 18. We will immediately delete any information from minors and terminate their accounts.

10. International Data Transfers

Information may be transferred internationally. For EEA/UK/Switzerland transfers, we use Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions as appropriate safeguards.

11. Cookies and Tracking Technologies

Essential cookies (required), performance cookies, analytics cookies (can be disabled), preference cookies. You can control cookies via browser settings.

12. Third-Party Links and Services

We are not responsible for third-party privacy practices. Review their policies before providing information.

13. Security Incident Notification

In case of breach affecting personal information (not vault, which is encrypted): notification within 30 days, details of incident, resources to monitor your account, notification to regulatory authorities as required.

14. Policy Updates and Changes

Updates will be communicated via email, website notice, or app notification. Material changes may require consent. Continued use constitutes acceptance.

15. Contact Us and Rights Requests

  • Email: privacy@nextcalm.com
  • Data Protection Officer: dpo@nextcalm.com
  • For Rights Requests: Email with "Privacy Request" in subject, include full name and email, provide identity verification if required. Response within 30-45 days.

16. Definitions

  • Personal Information: Any information relating to an identified or identifiable person.
  • Processing: Collection, use, storage, or deletion of data.
  • Data Controller: Entity determining processing purposes (NextCalm).
  • Data Processor: Entity processing data on controller's behalf.
  • End-to-End Encryption: Encryption between sender and recipient.
  • Zero-Knowledge: System where providers cannot access user data.

17. Regulatory Compliance

Compliant with GDPR, CCPA/CPRA, LGPD, PIPEDA, Australian Privacy Act, Japanese APPI, South Korean PIPA, Singapore PDPA, and all applicable privacy laws.

18. Entire Agreement

This Policy, Terms & Conditions, and referenced documents constitute the entire agreement regarding personal information processing.

19. Governing Law

Governed by applicable law. Local privacy laws apply to your rights.

20. Questions and Feedback

Questions about this Policy? Contact privacy@nextcalm.com and we will respond promptly.

Version 1.0 | Effective January 2026

This Privacy Policy is subject to periodic review and updates.

© 2026 NextCalm. All rights reserved.
