Legal

Privacy Policy

Last updated February 2026

NextVisit is a service operated by NextVisit ("NextVisit," "we," "us," or "our"). We take privacy seriously and only collect the data we need to run the product. This policy explains what we collect, why, and what your rights are.

1. Who this policy applies to

Two groups of people are covered here:

  • NextVisit customers — the businesses (and their team members) who sign up for a trial or paid plan.
  • End customers — the appointment clients of those businesses who receive follow-up messages sent through NextVisit.

For end customers, the business you booked with is the data controller and NextVisit is a data processor. Requests to access, correct, or delete end-customer data should be directed to the business you have an appointment with; we'll help them fulfill your request.

2. What we collect

From NextVisit customers we collect:

  • Business name, contact name, email, phone (optional), business type.
  • Password (stored only as a bcrypt hash — we never see or store the plaintext).
  • Payment information via Stripe. Card numbers never touch our servers.
  • Product usage: which pages you visit inside Studio, which templates you edit, which integrations you connect.
  • Content you configure: your business name, sender name, booking link, review link, message templates.

From end customers of our customers, we process:

  • Name, email address, phone (optional), notes provided by the business.
  • Appointment history: service, time, source (manual entry or Square sync).
  • Message delivery status (sent, opened via optional Resend metadata, unsubscribed).

3. How we use it

  • To deliver the NextVisit service — sending scheduled follow-up messages, syncing with your booking system, drafting templates with AI when you request it.
  • To communicate with you: welcome emails, product updates, security alerts, invoices.
  • To keep the service secure: rate limiting, brute-force protection, fraud prevention.
  • To improve the product using aggregate, anonymized usage data.

We do not sell your data or your customers' data. We do not run ad networks or share personal data with data brokers. We do not train our AI provider's models on your data (see subprocessors below).

4. Subprocessors

We use a small set of trusted vendors to operate the service. Each is bound by a data processing agreement.

  • MongoDB Atlas — encrypted database hosting.
  • Resend — transactional email delivery.
  • Stripe — payments and subscription billing.
  • Square — appointment sync (only if you choose to connect it).
  • Anthropic (via Emergent LLM key) — AI-drafted templates. Requests are sent per session; Anthropic does not train models on API traffic.

5. Data retention

  • Active accounts: we retain data for as long as the account is active.
  • Canceled accounts: customer + appointment data is deleted within 90 days of cancellation. Billing records are retained for 7 years for tax compliance.
  • Unsubscribed end customers: we retain the record indefinitely so we never accidentally re-send to them.

6. Your rights

Depending on where you live (GDPR, CCPA, and similar), you have the right to access, correct, port, or delete the personal data we hold about you, and to object to certain kinds of processing. Email brooke@bookyournextvisit.com with your request and we'll respond within 30 days.

7. Data Processing Agreement (DPA)

Enterprise customers or EU-based businesses that need a signed DPA can request one by emailing brooke@bookyournextvisit.com. We'll countersign and return within one business day.

8. Security

See our Security page for details on encryption, authentication, and incident response.

9. Changes to this policy

If we make material changes, we'll email active account owners at least 30 days before the change takes effect.

10. Contact

Questions? Email brooke@bookyournextvisit.com or use the contact form.

Made with Emergent