Privacy Policy
1. Who we are
NextStep is a Europe-based workflow tool for guided decisions, checklists and evaluation forms. For privacy questions, contact us at legal@nextstep.center.
For the purposes of this Privacy Policy, “NextStep”, “we”, “us” and “our” refer to the operator of the NextStep website and app.
2. What this policy covers
This policy explains how we process personal data when you visit our website, request a demo, create or use an account, import or run workflows, submit checklist or evaluation records, or otherwise communicate with us.
3. Personal data we process
Depending on how you use NextStep, we may process:
- Contact details: name, work email, company/team information and messages submitted through the demo request form.
- Account data: email address, name, role, password hash and account settings.
- Workflow data: process names, questions, options, outcomes, checklist items, evaluation criteria and imported JSON content.
- Submission data: decision paths, checklist completions, subject or reference IDs, evaluation reviewed IDs, Y/N criteria results and comments.
- Technical data: basic server logs, IP address, browser information, timestamps and security/session data.
4. Purposes and legal bases
We process personal data for the following purposes:
- Providing the service: to create accounts, authenticate users, run workflows, store submissions and show records. Legal basis: performance of a contract or steps before entering into a contract.
- Responding to demo requests: to contact you about NextStep. Legal basis: legitimate interest or pre-contractual communication.
- Improving and securing the service: to debug, prevent misuse, maintain availability and improve functionality. Legal basis: legitimate interest.
- Legal and administrative obligations: to keep records where required by law. Legal basis: legal obligation.
5. AI-assisted flow creation
If AI-assisted creation is enabled, users may provide process notes, examples, support cases or other content so that a workflow can be drafted. Users should avoid submitting unnecessary personal data and should remove sensitive information unless it is required for the intended workflow. Where third-party AI providers are used, we will process such content only for the purpose of generating or improving the requested workflow configuration, subject to the applicable provider and contract settings.
6. Cookies and similar technologies
NextStep may use essential cookies or similar technologies for login sessions, security and core functionality. If analytics, marketing cookies or non-essential tracking are introduced, we will update this policy and, where required, request consent.
7. Sharing personal data
We do not sell personal data. We may share personal data with service providers that help us host, maintain, secure or operate NextStep, or when required by law. Service providers must process personal data only according to our instructions and subject to appropriate safeguards.
8. International transfers
We aim to use European or GDPR-compatible infrastructure where practical. If personal data is transferred outside the European Economic Area, we will use appropriate safeguards such as adequacy decisions, standard contractual clauses or other legally recognized mechanisms.
9. Retention
We keep personal data only for as long as necessary for the purposes described in this policy, including providing the service, maintaining records, resolving disputes, meeting legal obligations and enforcing agreements. Account, workflow and submission data may remain stored while the relevant account or workspace is active. Demo request data is kept only as long as needed to respond and manage commercial follow-up.
10. Your rights
Subject to applicable law, you may have the right to request access to, correction, deletion, restriction or portability of your personal data, or to object to its processing. Where processing is based on consent, you may withdraw consent at any time. You also have the right to lodge a complaint with a competent data protection authority.
11. Security
We use reasonable technical and organizational measures to protect personal data, including access control, password hashing, role-based permissions and secure hosting practices. No system is completely secure, so users should also protect their account credentials and avoid importing unnecessary sensitive data.
12. Customer and workspace data
When an organization uses NextStep for its internal workflows, that organization is responsible for deciding what content is entered into the service and who may access it. Admin users may be able to view workflow configurations and submissions within their workspace.
13. Children
NextStep is not intended for children and should not be used by anyone under the age required to enter into a valid contract or use business software in their jurisdiction.
14. Changes to this policy
We may update this Privacy Policy from time to time. The latest version will be posted on this page with an updated date.
15. Contact
For privacy requests or questions, contact legal@nextstep.center.