Privacy Policy
NextNote ("NextNote," "we," "us," or "our") is a product of Apex Studio. This Privacy Policy explains what information we collect when you use nextnote.to, our dashboard, and any related APIs (together, the "Service"), how we use it, who we share it with, and the choices you have.
NextNote is a sales operating system for agencies and outbound teams. To provide that service, we store the prospect data you upload, the call and voicemail activity you generate, and — if you connect them — data from third-party accounts like Google Calendar and Gmail.
1. Information we collect
1.1 Information you give us
- Account information — name, email address, hashed password, and any profile details you add.
- Billing information — handled by Stripe. We store the last 4 digits of your card and your Stripe customer ID; we never see or store full card numbers.
- Prospect and pipeline data — contacts, phone numbers, emails, notes, tags, appointments, and any files you upload.
- Voice and audio — voicemail recordings you upload or record through the browser, and inbound/outbound call metadata (not call content) from our phone network.
- Support communications — messages you send to our support chat or email.
1.2 Information from connected services
- Google (Calendar + Gmail send + profile) — if you connect your Google account, we receive an OAuth refresh token and use it to read and write calendar events, send emails on your behalf, and display your Google profile name and email. We store the refresh token encrypted at rest.
- Telecom carrier — phone numbers you purchase or port through NextNote, verified caller IDs, and the delivery status of voicemail drops and calls.
- ElevenLabs / Retell — AI agent configurations, conversation transcripts, and call recordings associated with voice agents you build.
1.3 Information collected automatically
- Usage telemetry — pages viewed, features used, errors encountered.
- Device and log data — IP address, browser type, OS, and referring URL.
- Cookies — a session cookie (encrypted via iron-session) to keep you signed in. We do not use third-party advertising cookies.
2. Google User Data — Limited Use disclosure
Specifically, data obtained through Google OAuth is used only to:
- Display your Google profile (name, email, avatar) inside NextNote so you can confirm which account is connected.
- Read, create, update, and delete events on calendars you authorize, to power appointment booking and rescheduling.
- Send emails from your Gmail address when you explicitly trigger a send (e.g., an appointment confirmation).
We do not:
- Transfer Google user data to third parties except as needed to provide the Service, to comply with applicable law, or as part of a merger or acquisition.
- Use Google user data to serve advertising.
- Allow humans to read Google user data unless (a) we have your explicit consent for specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with law, or (d) the data has been aggregated and anonymized for internal operations.
- Use Google user data to develop, improve, or train generalized or non-personalized AI or machine-learning models.
3. How we use your information
- Provide, operate, and maintain the Service.
- Authenticate you and keep your account secure.
- Process payments and manage credit balances.
- Send operational emails (receipts, security notices, product updates you can unsubscribe from).
- Power AI features you request — generating websites, summarizing notes, drafting receptionist scripts, parsing uploaded files.
- Detect abuse, fraud, and violations of our Terms of Service.
- Improve the Service (aggregated/anonymized analytics only — not Google user data).
4. How we share your information
We share personal information only with the sub-processors below, each bound by a data-processing agreement:
- Supabase — primary database, authentication, and file storage.
- Vercel — application hosting and serverless functions.
- Stripe — payment processing.
- Telecom carrier — phone number provisioning, voice calls, voicemail delivery.
- ElevenLabs — AI voice agents and text-to-speech.
- Deepgram — speech-to-text transcription for voice features.
- Retell AI — optional AI voice agent runtime (only if you configure it).
- Anthropic — Claude models used for AI features (website generation, receptionist drafting, summarization, support assistant).
- Google — Calendar and Gmail APIs, only with your explicit OAuth consent.
- Resend — transactional email delivery.
We may disclose information to comply with a lawful request (subpoena, court order, etc.), to protect the rights, property, or safety of NextNote, our users, or the public, or in connection with a corporate transaction such as a merger or acquisition (in which case we'll notify affected users in advance).
We do not sell your personal information.
5. Data retention
- Account data is retained for as long as your account is active.
- Deleted prospects, notes, and recordings are purged from primary storage within 30 days and from backups within 90 days.
- Billing records are retained for at least 7 years to comply with tax and accounting laws.
- You can delete your account at any time from Dashboard → Settings → Danger Zone. Upon deletion we erase or irreversibly anonymize your personal data on the schedule above.
6. Your rights
Depending on where you live, you may have the right to:
- Access, correct, or delete your personal information.
- Export a portable copy of your data.
- Object to or restrict certain processing.
- Withdraw consent at any time for OAuth-connected services (disconnect them in Settings → Integrations, or revoke at myaccount.google.com/permissions).
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email privacy@nextnote.to. We respond within 30 days.
7. Security
- Data in transit is encrypted with TLS 1.2+.
- Data at rest is encrypted by our cloud providers (Supabase/AWS).
- OAuth refresh tokens and API keys you supply are encrypted at the application layer using a dedicated key.
- Passwords are hashed with industry-standard algorithms — we can never see your plaintext password.
- Access to production systems is restricted to authorized personnel and logged.
No system is 100% secure. If we become aware of a breach affecting your data, we will notify you in line with applicable law.
8. Children
NextNote is not directed to anyone under 18. We do not knowingly collect personal data from minors. If you believe a child has given us their data, email us and we'll delete it.
9. International transfers
NextNote is operated from the United States. If you are located outside the US, your information will be transferred to and processed in the US and other countries where our sub-processors operate. We rely on standard contractual clauses or other appropriate safeguards where required.
10. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced by email to your account address and/or a prominent notice in the dashboard at least 14 days before they take effect. Your continued use after the effective date constitutes acceptance of the revised policy.
11. SMS messaging and toll-free communications
NextNote sends transactional SMS messages from a NextNote-owned toll-free number to users who have provided and verified their personal phone number inside the dashboard. These messages relate to your account and the activity you generate inside the Service — examples include links to AI-generated client websites you have created, prospect activity notifications, security alerts, and confirmations of actions you initiated. We do not send marketing or promotional SMS messages.
Opt-in. You opt in to SMS by entering your phone number in Settings and completing a one-time-code verification step. We will not text you until that verification is complete. Message frequency varies based on your activity in the Service. Message and data rates may apply.
Opt-out. Reply STOP to any NextNote SMS message at any time to immediately unsubscribe. Reply HELP for help, or email support@nextnote.to. After you opt out, we will not send further SMS messages from that toll-free number.
Sharing. We do not share your phone number, your SMS opt-in data, or the contents of messages we send you with third parties for their marketing or promotional purposes. Phone numbers and message metadata are shared only with our telecom carrier (Twilio) for the sole purpose of delivering the messages you have opted into, and with the sub-processors listed in Section 4 to operate the Service.
12. Contact
Questions, requests, or concerns? Email privacy@nextnote.to or write to:
Apex Studio — NextNote
Privacy Team
support@nextnote.to