1. Who we are
Nexsteps ("Nexsteps", "we", "us" or "our") is a UK-based software-as-a-service (SaaS) platform that helps schools, churches, clubs, charities, and similar organisations manage programmes for children, young people, staff, and volunteers. We are committed to protecting the privacy and security of personal data in line with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018.
Nexsteps acts primarily as a data processor on behalf of the organisations that use our service. For the purposes of this Privacy Policy, the organisation that has a subscription to Nexsteps (for example, a school, church, club or charity) is usually the data controller responsible for deciding how and why personal data is processed.
If you have questions about this Privacy Policy, you can contact us at:
2. Our role and your organisation's role
When an organisation (for example, a school, church, club, or charity) uses Nexsteps, that organisation is the data controller for most of the personal data stored in and processed through the platform. Nexsteps acts as a data processor, processing personal data on the organisation's documented instructions in accordance with our contract and this Privacy Policy.
This means that if you are a parent/guardian, child, staff member, volunteer, or other individual whose data is entered into Nexsteps by an organisation, you should first contact that organisation if you wish to exercise your data protection rights or have questions about how your data is used.
3. Categories of data we process
The exact data processed in Nexsteps will depend on how each organisation uses the platform. In general, the following categories of data may be processed:
Organisation account and contact data
- Organisation name, address and contact details
- Primary contact details (for example, safeguarding lead, administrator)
- Billing contact details and account configuration
Staff and volunteer user data
- Names and contact details (such as email address)
- Role within the organisation (for example, admin, teacher, volunteer)
- Login identifiers and activity within the service (for audit and security)
Child and young person data
- Basic identifying information (for example, name, date of birth, group/class)
- Attendance records and session history
- Pastoral and safeguarding-related notes and concerns, where recorded by authorised staff in line with the organisation's policies
- Additional information the organisation chooses to record (for example, allergies)
Parent and guardian data
- Names and contact details (such as email address and phone number)
- Relationship to the child or young person
- Communication preferences and records of messages sent
Uploaded media and documents
- Files, photos or other media uploaded by the organisation (for example, lesson resources, consent-related documents), usually only where appropriate consent has been obtained by the organisation
Billing and subscription data
- Billing contact details and subscription plan information
- Limited payment-related information processed through our payment provider (Stripe), such as billing address and the last four digits of a payment card
- Invoice and transaction history
Technical and usage data
- Log data (for example, IP address, browser type, device identifiers)
- Usage information about how the platform is accessed and used
- Diagnostic and analytics information (for example, using a privacy-conscious analytics provider such as PostHog configured for EU/UK processing)
4. Lawful bases for processing
For processing where Nexsteps is the data processor, the data controller (your organisation) is responsible for identifying and documenting the appropriate lawful basis under UK GDPR. Typically, the following lawful bases may apply:
- Contract – where processing is necessary for the performance of a contract between the organisation and Nexsteps, or between the organisation and its staff/volunteers or parents/guardians (for example, providing access to the platform and managing attendance).
- Legitimate interests – where processing is necessary for the organisation's legitimate interests, balanced against the rights and freedoms of the individuals (for example, maintaining security logs, internal reporting and planning).
- Legal obligation – where processing is necessary for the organisation to comply with a legal duty (for example, certain safeguarding, child protection or record-keeping requirements).
- Consent – in some cases, especially for optional communications or use of photos and media, the organisation may rely on consent from parents/guardians or staff.
Nexsteps may also process limited data as an independent controller in order to operate and improve our service (for example, account-level contact and billing information, service analytics and security logging). In those cases we generally rely on contract and/or legitimate interests as our lawful bases.
5. How we use personal data
We use personal data, on behalf of organisations and for our own purposes, to:
- Provide and operate the service – including creating and managing user accounts, recording attendance, managing rotas and sessions, and facilitating communication between staff and parents/guardians.
- Support safeguarding workflows – allowing authorised staff to record and manage appropriate safeguarding and pastoral notes in accordance with their own policies and legal obligations.
- Provide customer support – responding to support requests, fixing issues and helping organisations use Nexsteps effectively.
- Maintain security and integrity – including access control, authentication, audit logging, monitoring for misuse, and protecting against fraud or unauthorised access.
- Improve and develop the platform – analysing usage patterns in an aggregated or pseudonymised form to improve performance, features and usability.
- Handle billing and account management – managing subscriptions, processing payments via Stripe, and sending service-related notices.
- Comply with legal obligations – responding to lawful requests from regulators or law enforcement where required.
6. Data retention
As data processor, Nexsteps retains personal data in line with each organisation's configuration and documented instructions. In general:
- Organisations control how long children's records, attendance data and safeguarding-related information are retained, subject to their legal obligations and internal policies.
- Nexsteps provides tools to support data export and deletion on request from the organisation.
- Following termination of a customer's subscription, we will work with the organisation to export data where required and then delete or irreversibly anonymise personal data from our active systems after a defined period, subject to any legal retention obligations.
- Some minimal records (for example, invoices and basic account history) may be retained for a longer period where required for accounting, tax or legal purposes.
7. Security measures
We take appropriate technical and organisational measures to protect personal data processed through Nexsteps, including:
- Role-based access control – access to data is restricted based on user roles (for example, admin, staff, safeguarding roles) and the site (tenant) they belong to.
- Tenant isolation – data for each customer organisation is logically separated so that users can only access data for their own site(s), subject to their permissions.
- Secure transmission – all data in transit between users and our platform is encrypted using industry-standard HTTPS/TLS.
- Secure hosting – we use reputable cloud infrastructure providers (such as AWS or equivalent) in appropriate regions, with hardened configurations and access controls.
- Access controls and logging – administrative access to production systems is restricted to authorised personnel and actions are logged for audit purposes.
- Backups and resilience – regular backups and resilience measures are in place to protect against data loss and service outages.
8. Subprocessors and third-party services
We use carefully selected subprocessors and third-party services to help deliver the Nexsteps platform. These providers may process personal data on our behalf. Key categories include:
- Authentication provider – for example, Auth0, which manages secure authentication of users.
- Cloud hosting and storage – such as Amazon Web Services (AWS) or an equivalent cloud provider, used to host our application, databases and stored files.
- Payment processor – Stripe, used to handle subscription billing and payment processing on our behalf. Stripe processes payment card data in accordance with PCI-DSS.
- Email delivery provider – such as Resend or Amazon SES, used for sending transactional and service-related emails.
- Analytics provider – a privacy-conscious analytics platform such as PostHog, configured to respect UK/EU data protection requirements and, where possible, to minimise the use of directly identifiable personal data.
We maintain appropriate data processing agreements with our subprocessors and take steps to ensure they provide suitable safeguards for personal data. A current list of subprocessors is available on request from customer organisations.
9. International data transfers
Our primary hosting locations are intended to be within the UK and/or European Economic Area (EEA). However, some of our subprocessors may process data in other countries, including outside the UK and EEA (for example, where support teams or infrastructure are based overseas).
Where personal data is transferred outside the UK/EEA, we will ensure that appropriate safeguards are in place, such as:
- An adequacy decision from the UK government or European Commission in respect of the destination country; and/or
- Standard contractual clauses or other appropriate contractual safeguards approved under UK GDPR.
10. Data subject rights
Under UK data protection law, individuals have a number of rights in relation to their personal data, including:
- Right of access – to obtain a copy of the personal data held about them.
- Right to rectification – to have inaccurate or incomplete data corrected.
- Right to erasure – in certain circumstances, to have personal data deleted ("the right to be forgotten").
- Right to restriction of processing – in certain circumstances, to restrict how their data is used.
- Right to data portability – in some cases, to receive their data in a structured, machine-readable format and have it transmitted to another controller.
- Right to object – to certain types of processing, including processing based on legitimate interests and, where applicable, direct marketing.
Where Nexsteps is acting as a data processor, individuals should direct any requests to exercise these rights to the relevant organisation (data controller). We will support our customers in responding to such requests in line with our contractual obligations.
Individuals also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if they are unhappy with how their personal data is being handled:
- Website: https://ico.org.uk
- Telephone: 0303 123 1113 (within the UK)
11. Contacting us about privacy
If you have any questions about this Privacy Policy or how we handle personal data, please contact us at:
We may update this Privacy Policy from time to time to reflect changes to our services, legal obligations or best practice. When we do so, we will update the "Last updated" date at the top of this page and, where appropriate, notify customers of material changes.