Overview

NextUp AI ("NextUp," "we," "us," or "our") is operated by Digital3 Pty Ltd. This Privacy Policy explains how we collect, use, and safeguard your information when you use the NextUp mobile applications (iOS, macOS, watchOS), web application, and related services (collectively, the "Service").

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please do not use the Service.

Information We Collect

Information You Provide

Account information: When you sign in with Apple or Google, we receive your name, email address, and a unique identifier. We do not receive or store your password.
Audio recordings: Audio files you record or upload for transcription. These are processed and then deleted from our servers (see Data Retention below).
Voice characteristics (voiceprints): To tell speakers apart across meetings, we generate and store a mathematical voice embedding for each speaker you label. These are derived from your recordings, stored in encrypted form, and never shared. You can delete them at any time by deleting the associated meeting or your account.
Text content: Action items, notes, project names, tags, transcripts, and other text you create within the Service.
Calendar data: If you connect Google or Microsoft calendar, we access event titles, times, and attendees to provide meeting context. We do not modify your calendar.
Email content (optional): If you connect Gmail or Outlook, we read message subjects and bodies solely to extract action items. Message content is processed in memory and is not stored on our servers.
Approximate location (optional): If you grant location permission on iOS, we use your approximate location to show weather and city name on the Today screen. Location is never stored, shared, or associated with recordings.

Information Collected Automatically

Usage events: We log anonymised interaction events (e.g., "action_created", "recording_started") to improve the product. These events are stripped of personally identifiable information before storage.
Device information: Device model, operating system version, and app version for crash reporting and compatibility.
Push notification tokens: Device tokens for delivering push notifications. These are stored securely and removed when you unregister.

Information We Do Not Collect

We do not store your location. Location is used only in-memory for weather lookup and discarded.
We do not access your contacts, photos, or files beyond what you explicitly share with the app.
We do not use advertising trackers or sell your data to third parties.

How We Use Your Information

Transcription and AI processing: Audio is sent to our servers for transcription and AI-powered summarisation, action extraction, and suggestions.
Sync: Your actions, projects, and settings are synced across your devices via our cloud infrastructure.
Personalisation: We use your accept/reject patterns on AI suggestions to improve future recommendations for your account.
Notifications: To send you reminders and processing completion alerts via Apple Push Notifications.
Billing: To manage your subscription, credit balance, and purchase history.
Support and improvement: To diagnose issues, improve features, and respond to your feedback.

Data Processing and Third-Party Services

We use the following third-party services to process your data. Each service receives only the minimum data necessary for its function:

OpenAI: Receives transcript text for embeddings and image OCR. Audio is never sent to OpenAI. OpenAI does not use API data for training. OpenAI API Data Usage Policy
Anthropic (Claude): Receives transcript text for summarisation, action extraction, and the in-app chat assistant. Anthropic does not use API data for training. Anthropic Privacy Policy
Daily (Pipecat Cloud): Provides the real-time audio transport for the voice assistant. Your microphone audio is streamed over an encrypted WebRTC connection during a voice session. Daily Privacy Policy
Deepgram: Performs speech-to-text for the voice assistant and live meeting transcription. Audio is transcribed in real time and not used for training. Deepgram Privacy Policy
Cartesia: Generates the voice assistant's spoken responses (text-to-speech) from response text. Cartesia Privacy Policy
AssemblyAI: Performs speech-to-text for live meeting transcription. Audio is transcribed in real time and not retained for training. AssemblyAI Privacy Policy
Google Cloud (KMS): We use Google Cloud Key Management Service to encrypt your data at rest with per-user keys. Google Cloud DPA
Modal: Runs our GPU-based meeting transcription (faster-whisper) and speaker diarisation.
Fly.io: Hosts our API and synchronisation backend. Fly.io Privacy Policy
Apple: Handles Sign in with Apple authentication, In-App Purchases, iCloud sync, and Push Notifications.
Google: Handles Sign in with Google authentication and optional Gmail, Calendar, and Drive integrations.
Microsoft: Handles optional Outlook Mail and Calendar integrations.
Stripe: Processes web-based payments. We do not store your credit card details. Stripe Privacy Policy

Data Retention

Audio files uploaded for transcription are processed and deleted from our servers once the transcription job is complete. We do not retain audio recordings beyond the processing window.

Transcribed text, action items, and other content you create are retained as part of your account data for as long as your account is active. Local data on your device is stored in Core Data and optionally synced via iCloud.

Anonymous analytics data is retained for up to 12 months.

Data Storage and Security

Account data, actions, and sync data are stored in a PostgreSQL database hosted on secure infrastructure.
All data in transit is encrypted using TLS (HTTPS).
Sensitive fields — including transcript segments, voiceprints, and AI-generated summaries — are encrypted at rest with per-user keys managed by Google Cloud Key Management Service (AES-256-GCM). When you delete your account, the encryption key is destroyed so remaining ciphertext cannot be recovered.
API authentication uses JWT tokens and shared secrets.
Local data on your device is stored in Core Data and optionally synced via Apple's encrypted iCloud (CloudKit) infrastructure.

Your Rights

You have the right to:

Access all your data within the app at any time
Export your actions and session data
Delete your account and all associated data directly inside the app — go to Settings → Account & Profile → Delete Account. Deletion takes effect immediately; we destroy your per-user encryption key so remaining ciphertext cannot be recovered.
Disable push notifications through your device settings
Disconnect calendar, email, and storage integrations at any time
Request a copy of your data by emailing privacy@nextupai.app

Australian residents have additional rights under the Privacy Act 1988 (Cth) and the Australian Privacy Principles. Residents of the EU, UK, or California have rights under GDPR, UK GDPR, and CCPA respectively, including the right to access, correct, port, and erase personal information. Contact privacy@nextupai.app to exercise these rights.

Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will take steps to delete such information.

International Data Transfers

Your data may be processed in countries other than your country of residence, including the United States (where our cloud infrastructure and AI service providers are located). By using the Service, you consent to such transfers. We ensure that appropriate safeguards are in place as required by applicable law.

Google API Services User Data Policy

NextUp's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, when you connect a Google account to NextUp:

We only use Google user data to provide the user-facing feature you connected the account for. Gmail message content is used to extract action items and summarise meetings; Google Calendar events are read to provide meeting context; Google Drive is used only to store files NextUp creates on your behalf via the per-file drive.file scope.
We do not transfer Google user data to third parties except as necessary to provide or improve the user-facing feature, to comply with law, or as part of a merger or acquisition with prior notice to you.
We do not use Google user data to serve advertisements.
We do not allow humans to read Google user data unless we have your affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with law, or for internal operations where the data has been aggregated and de-identified.
We do not use Google user data to train generalised or third-party AI / ML models. Data sent to AI services for summarisation is processed per-request and is not retained by those providers for model training (covered by their respective data-processing agreements).

Specific Google scopes requested by NextUp:

gmail.readonly — read incoming email metadata and bodies so NextUp can summarise messages and extract action items. NextUp never sends, modifies, archives, or deletes messages in your Gmail account.
drive.file — create and manage only files NextUp creates in your Google Drive. NextUp cannot read or modify any other file in your Drive.
calendar.readonly — read your Google Calendar events to attach meeting context to recordings and surface upcoming meetings. NextUp never creates, modifies, or deletes calendar events.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at privacy@nextupai.app.

Developer: Digital3 Pty Ltd