Privacy

January 2026

§ 1 Controller

(1) Responsible Entity

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of member states as well as other data protection regulations is:

Sascha Rahn - nextsaas.ai

Lagerstr. 6b

82178 Puchheim

Germany

Email: info@nextsaas.ai

Web: https://nextsaas.ai

VAT ID: DE289645555

(2) Data Protection Officer

The appointment of a data protection officer is not legally required for our company. For questions regarding data protection, please contact us directly at info@nextsaas.ai.

§ 2 Overview of Processing Activities

(1) Types of Data Processed

  • Master data (e.g. name, company)
  • Contact data (e.g. email address)
  • Content data (e.g. message texts, inquiries)
  • Usage data (e.g. visited pages, access times)
  • Meta/communication data (e.g. IP addresses, device information)

(2) Categories of Data Subjects

  • Visitors and users of the website
  • Interested parties and beta applicants
  • Communication and business partners
  • Newsletter subscribers

(3) Purposes of Processing

  • Provision of the website and its content
  • Processing of closed beta registrations
  • Sending newsletters (with consent)
  • Answering inquiries
  • Security measures and abuse prevention
  • Reach measurement and website optimization

§ 3 Legal Basis

We process personal data only in compliance with applicable data protection regulations, in particular the GDPR. Processing is based on the following legal grounds:

Art. 6(1)(a) GDPR – Consent

The data subject has given consent to the processing of their personal data for one or more specific purposes.

Application: Newsletter subscription, closed beta registration

Art. 6(1)(b) GDPR – Contract Performance

Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Application: Beta access, customer communication

Art. 6(1)(f) GDPR – Legitimate Interests

Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Application: Website provision, security, analytics

§ 4 Recipients of Personal Data

As part of our business operations, we work with various service providers who may receive access to personal data:

Recipient | Purpose | Location
Vercel Inc. | Hosting, Analytics, Speed Insights | USA
Resend Inc. | Transactional emails | USA
The Rocket Science Group LLC | Newsletter (Mailchimp) | USA
Upstash Inc. | Rate limiting | USA

Data processing agreements (DPA) according to Art. 28 GDPR have been concluded with these service providers, insofar as they act as processors.

§ 5 Third Country Transfer (USA)

(1) Transfer to the USA

Some of our service providers are based in the USA. The USA is considered a third country for which the EU Commission has not issued an adequacy decision covering all companies. However, for companies certified under the EU-US Data Privacy Framework (DPF), there is an adequate level of data protection.

(2) Legal Basis for Transfer

EU-US Data Privacy Framework (DPF)

Vercel and Mailchimp are certified under the EU-US Data Privacy Framework. The certification can be verified at dataprivacyframework.gov.

Standard Contractual Clauses (SCCs)

For Resend and Upstash, EU Standard Contractual Clauses according to Art. 46(2)(c) GDPR have been agreed upon. These provide appropriate safeguards for the protection of your data.

(3) Risks of Third Country Transfer

Despite the measures taken, it cannot be ruled out that US authorities may gain access to data transferred to the USA, without legal remedies equivalent to those in the EU being available.

§ 6 Data Subject Rights

You have the following rights under the GDPR regarding your personal data:

Right of Access (Art. 15 GDPR)

You have the right to obtain information about your personal data stored with us.

Right to Rectification (Art. 16 GDPR)

You have the right to have inaccurate or incomplete data corrected or completed.

Right to Erasure (Art. 17 GDPR)

You have the right to request the deletion of your data, provided there are no legal retention obligations.

Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request the restriction of processing of your data.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive your data in a common, machine-readable format.

Right to Object (Art. 21 GDPR)

You have the right to object at any time, on grounds relating to your particular situation, to processing of your data which is based on Art. 6(1)(f) GDPR.

Right to Withdraw Consent (Art. 7(3) GDPR)

You have the right to withdraw consent given at any time with effect for the future. The lawfulness of processing carried out until withdrawal remains unaffected.

Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority. The supervisory authority responsible for us is:

Bavarian State Office for Data Protection Supervision (BayLDA)

Promenade 18

91522 Ansbach

Germany

Phone: +49 (0) 981 180093-0

Email: poststelle@lda.bayern.de

Web: https://www.lda.bayern.de

To exercise your rights, please contact info@nextsaas.ai.

§ 7 Retention Period

Personal data is only stored for as long as necessary for the respective purpose or as long as legal retention obligations exist.

Data Type | Retention Period | Justification
Closed beta registrations | 24 months after product launch | Pre-contractual measures, contract initiation
Server logs (Vercel) | 30 days | Security, error analysis
Email logs (Resend) | 90 days | Delivery confirmation, troubleshooting
Newsletter data | Until withdrawal | Consent (Art. 6(1)(a))
Rate limiting data | 24 hours | Technical protection against abuse
Analytics data | Aggregated, anonymized | No personal reference

After the retention period has expired, the data will be deleted, provided there are no legal retention obligations.

§ 8 Data Security

We implement appropriate technical and organizational measures (TOMs) in accordance with Art. 32 GDPR to protect your data:

  • Encryption: All data transmissions are made via TLS 1.3 (HTTPS)
  • Access Control: Restricted access to personal data
  • Rate Limiting: Protection against automated attacks and abuse
  • Security Headers: CSP, HSTS, X-Frame-Options to protect against web security risks
  • Regular Updates: Software updates and security patches
  • Service Provider Selection: Use of established providers with high security standards

§ 9 Cookies

(1) Cookie-Free Operation

This marketing website uses no cookies for tracking or analytics. We rely on privacy-friendly alternatives.

(2) Technically Necessary Cookies

Should technically necessary cookies be used in the future (e.g. for session management in a customer portal), this will be based on Art. 6(1)(f) GDPR (legitimate interest). Separate consent is not required for these.

(3) Your Browser Settings

You can prevent the storage of cookies through settings in your browser. For more information, please refer to your browser's help section.

§ 10 Newsletter (Mailchimp)

(1) Newsletter Content

With our newsletter we inform you about product news, updates and offers related to nextsaas.ai.

(2) Double Opt-In

Newsletter registration is done via a double opt-in procedure. After entering your email address, you will receive a confirmation email. Only after clicking the confirmation link will you be added to our newsletter distribution list.

(3) Data Processed

  • Email address (required)
  • Time of registration and confirmation
  • IP address at registration (for verification purposes)

(4) Newsletter Service Provider

Newsletter delivery is performed via Mailchimp, a service of The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.

Mailchimp is certified under the EU-US Data Privacy Framework. Mailchimp privacy policy: https://mailchimp.com/legal/privacy/

(5) Legal Basis

Processing is based on your consent in accordance with Art. 6(1)(a) GDPR.

(6) Withdrawal of Consent

You can withdraw your consent at any time and unsubscribe from the newsletter. Every newsletter email contains an unsubscribe link. Alternatively, you can send us an email at info@nextsaas.ai.

§ 11 Closed Beta Registration

(1) Purpose of Processing

The closed beta form is used to register for early access to nextsaas.ai and for communication regarding the product launch.

(2) Data Processed

Required Information:

  • Email address
  • Name

Optional Information:

  • Company/organization
  • Experience level (Developer/Agency/Startup)
  • Additional information (free text field)

(3) Legal Basis

Processing is based on your consent in accordance with Art. 6(1)(a) GDPR as well as on the performance of pre-contractual measures in accordance with Art. 6(1)(b) GDPR.

(4) Obligation to Provide

The provision of required information (email, name) is necessary to participate in the closed beta program. Without this information, registration is not possible. The optional information is used for better prioritization and is voluntary.

(5) Retention Period

The data will be deleted 24 months after the official product launch, unless a contractual relationship is established.

§ 12 Transactional Emails (Resend)

(1) Purpose of Processing

For sending transactional emails (e.g. confirmation emails, notifications) we use the email service Resend.

(2) Service Provider

Resend Inc.
2261 Market Street, #5039, San Francisco, CA 94114, USA

EU Standard Contractual Clauses (SCCs) have been agreed upon with Resend. Privacy policy: https://resend.com/legal/privacy-policy

(3) Data Processed

  • Recipient email address
  • Email content
  • Metadata (sending time, delivery status, opens with consent)

(4) Legal Basis

Processing is carried out for contract performance in accordance with Art. 6(1)(b) GDPR or for the purposes of legitimate interests in accordance with Art. 6(1)(f) GDPR.

(5) Retention Period

Email logs are stored for 90 days to prove delivery and resolve technical issues.

§ 13 Hosting and Server Logs (Vercel)

(1) Hosting Service Provider

This website is hosted by Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA.

Vercel is certified under the EU-US Data Privacy Framework. Privacy policy: https://vercel.com/legal/privacy-policy

(2) Server Logs

With every access to our website, information is automatically collected (server logs):

  • IP address (shortened)
  • Date and time of access
  • Requested URL
  • Referrer URL
  • Browser type and version
  • Operating system

(3) Legal Basis

The collection of server logs is carried out for the purposes of legitimate interests in accordance with Art. 6(1)(f) GDPR. Our legitimate interest lies in the technical provision of the website and ensuring IT security.

(4) Retention Period

Server logs are stored for a maximum of 30 days and then automatically deleted.

§ 14 Vercel Analytics

(1) Description and Scope

We use Vercel Analytics and Vercel Speed Insights to analyze website usage and performance.

(2) Privacy-Friendly Features

  • No cookies: Vercel Analytics works completely without cookies
  • Anonymization: No personal data is stored
  • Aggregated data: Only statistical metrics (page views, loading times)
  • GDPR compliant: No consent banner required

(3) Legal Basis

The use is based on our legitimate interests in accordance with Art. 6(1)(f) GDPR. Our interest lies in optimizing our website.

Further information: Vercel Analytics Privacy Policy

§ 15 Rate Limiting (Upstash)

(1) Purpose of Processing

To protect against abuse (e.g. spam, DDoS attacks), we use rate limiting based on IP addresses.

(2) Service Provider

Upstash Inc.
Delaware, USA

EU Standard Contractual Clauses (SCCs) have been agreed upon with Upstash. Privacy policy: https://upstash.com/trust/privacy.pdf

(3) Data Processed

  • Hashed IP address
  • Request counter
  • Request time window

(4) Legal Basis

Processing is carried out for the purposes of legitimate interests in accordance with Art. 6(1)(f) GDPR. Our interest lies in protecting our infrastructure from abuse.

(5) Retention Period

The data is automatically deleted after a maximum of 24 hours (TTL – Time to Live).

§ 16 Changes to This Privacy Policy

We reserve the right to amend this privacy policy to adapt it to changed legal situations or when changes to our service occur.

The current version can be viewed on our website at https://nextsaas.ai/privacy. The date of the last update can be found at the beginning of this statement.

In case of significant changes affecting your rights, we will inform you – if possible – by email.

§ 17 Contact

For questions about data protection or to exercise your data subject rights, please contact:

Sascha Rahn - nextsaas.ai

Lagerstr. 6b

82178 Puchheim

Germany

Email: info@nextsaas.ai

Web: https://nextsaas.ai