Privacy Policy
Last updated: May 19, 2026
1. Introduction
This Privacy Policy describes how NextConvert ("NextConvert", "we", "us", or "our") collects, uses, shares, and protects personal information when you use the website and services available at nextconvert.app (the "Service"). By using the Service, you acknowledge that you have read this Policy. If you do not agree, you must not use the Service.
This Policy should be read together with our Terms of Use.
2. Information We Collect
2.1 Information you provide
- Account data. When you create an account through our authentication provider Clerk, we receive your email address, name, and (if you choose to provide it) profile image. We also store an internal user identifier, your subscription tier, and usage statistics.
- Files you upload. Files you submit to the Service for conversion or other processing are stored temporarily on our infrastructure to perform the requested job. We do not access, inspect, or share the contents of your files except as strictly necessary to provide the Service or to comply with law.
- Communications. If you contact us by email or other channels, we retain the correspondence and any information you choose to provide.
2.2 Information collected automatically
- Anonymous identifier. If you use the Service without signing in, we set an HttpOnly cookie named
__nc_anonthat contains a randomly generated identifier. This cookie lasts up to 30 days and is used solely to enforce free-tier usage limits. It does not contain any directly identifying information. - Server logs. Our servers automatically record request information including IP address, user-agent string, requested path, response status, and timestamp. We use these logs for security, debugging, abuse prevention, and rate limiting.
- Usage metrics. We record information about your jobs such as input duration, output format, job status, and conversion minutes consumed, in order to display your usage and enforce plan limits.
- Analytics. We use Vercel Analytics to measure aggregate page views and performance. The product is configured as a privacy-friendly analytics service and does not use third-party cookies.
2.3 Information from third parties
- Payment data. Subscriptions are processed by Stripe. We do not see or store your full payment card number. We receive and store your Stripe customer ID, subscription status, plan, and the last four digits / card brand for receipts.
- Authentication data. Clerk handles login, sessions, and password management. We receive limited identity claims from Clerk to associate a session with your account.
3. How We Use Information
We use personal information for the following purposes:
- To provide, operate, and maintain the Service, including processing your conversion jobs.
- To create and manage your account, authenticate you, and provide customer support.
- To process payments, manage subscriptions, and prevent fraud.
- To enforce usage limits, rate limits, and the terms of your plan.
- To investigate and prevent abuse, security incidents, and violations of our Terms.
- To analyse usage patterns and improve the performance, reliability, and features of the Service.
- To send you transactional messages such as receipts, account notices, and security alerts.
- To comply with applicable legal obligations and respond to lawful requests from authorities.
4. Legal Bases for Processing (EEA / UK)
If you are located in the European Economic Area or the United Kingdom, we process your personal information on the following legal bases:
- Contractual necessity — to perform our agreement with you (e.g., delivering the Service, processing payments).
- Legitimate interests — to secure the Service, prevent abuse, analyse usage in aggregate, and operate our business, balanced against your rights.
- Legal obligation — to comply with laws applicable to us (e.g., tax and accounting rules).
- Consent — where we ask for and you have given your consent (you may withdraw consent at any time without affecting the lawfulness of prior processing).
5. How We Share Information
We do not sell personal information. We share information only in the following circumstances:
- With service providers who process data on our behalf to operate the Service, under appropriate confidentiality and security obligations (see Section 6).
- For legal reasons — to comply with subpoenas, court orders, or legal process; to enforce our Terms; to detect, prevent, or investigate fraud, security, or technical issues; or to protect the rights, property, or safety of NextConvert, our users, or others.
- Business transfers — in connection with a merger, acquisition, restructuring, or sale of assets. We will notify users of any such change in ownership or control of personal information.
- With your consent — for any other purpose disclosed to you and to which you have agreed.
6. Subprocessors
We rely on the following third-party providers to operate the Service:
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Clerk | Authentication and account management | clerk.com/privacy |
| Stripe | Payment processing and billing | stripe.com/privacy |
| Vercel | Frontend hosting and analytics | vercel.com/legal/privacy-policy |
| Railway | Backend application hosting | railway.com/legal/privacy |
| Supabase | Managed PostgreSQL database | supabase.com/privacy |
| Amazon Web Services (S3) | Temporary object storage for uploaded and output files | aws.amazon.com/privacy |
| Google Fonts | Web typography (Outfit, JetBrains Mono) | policies.google.com/privacy |
7. Cookies and Similar Technologies
We use cookies for two purposes:
- Essential / strictly necessary. Cookies set by Clerk to maintain your authenticated session, and the
__nc_anoncookie described in Section 2.2 to enforce free-tier limits. These cookies are required for the Service to function and cannot be disabled while using the Service. - Analytics. We use Vercel Analytics to understand aggregate usage. This service is configured as cookieless / first-party and does not track you across sites.
You can configure your browser to refuse or delete cookies, but doing so may prevent the Service from functioning correctly.
8. International Data Transfers
Our providers may process personal information in countries other than the one in which you reside, including the United States and the European Union. Where required, transfers of personal information out of the EEA, UK, or Switzerland are made under appropriate safeguards such as the European Commission's Standard Contractual Clauses or equivalent mechanisms provided by the relevant provider.
9. Data Retention
- Uploaded files and processed output: automatically and permanently deleted within 24 hours of upload or job completion.
- Job metadata for anonymous users: retained for up to 7 days.
- Job metadata for authenticated users: retained for up to 30 days.
- Anonymous profiles (free-tier usage trackers): deleted after 60 days of inactivity.
- Account data: retained for the lifetime of your account and for a limited period after deletion to satisfy legal, tax, and accounting obligations.
- Server logs: retained for up to 90 days for security and debugging purposes.
10. Security
We implement industry-standard technical and organisational measures to protect personal information, including TLS encryption in transit, secure cookie attributes (HttpOnly, Secure, SameSite), access controls and least-privilege principles for our infrastructure, and regular patching of dependencies. No system can be guaranteed completely secure, however, and we cannot warrant absolute security of information transmitted to or stored on the Service.
11. Your Rights
Subject to applicable law, you may have the following rights in respect of personal information we hold about you:
- Access — to obtain a copy of the personal information we hold about you.
- Rectification — to ask us to correct inaccurate or incomplete information.
- Erasure — to ask us to delete your personal information.
- Restriction — to ask us to limit how we process your information.
- Objection — to object to processing carried out on the basis of our legitimate interests.
- Portability — to receive your information in a structured, commonly used, machine-readable format.
- Withdraw consent — where processing is based on your consent.
- Lodge a complaint — with your local data protection supervisory authority.
To exercise any of these rights, contact us at support@nextconvert.app. We will respond within 30 days. We may need to verify your identity before fulfilling a request.
12. California Residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides you with the rights described in Section 11, as well as the right to non-discrimination for exercising those rights. We do not "sell" or "share" personal information for cross-context behavioural advertising as those terms are defined under California law.
13. Children's Privacy
The Service is not directed to children under 13 (or the higher minimum age required by your jurisdiction to consent to data processing). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will take steps to delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page indicates when changes were made. For material changes, we will use reasonable efforts to notify you (for example, by email or through a notice in the Service) before they take effect. We encourage you to review this page periodically.
15. Contact
Questions or requests regarding this Privacy Policy? Reach us at support@nextconvert.app.
See also our Terms of Use.