Privacy Policy

This notice describes how NextGen Interns LLC (“we,” “NextGen”) collects and uses personal information when students, interns, and employers interact with the NextGen Interns platform (the “Service”).

Privacy contact: privacy@nextgeninterns.com.

The Service is not intended for children under 13. Accounts are available only to users 13 or older. If we learn a child under 13 has provided personal information without verifiable parental consent, we delete the account and data promptly.

Parents or guardians who believe their child has registered may request deletion by emailing privacy@nextgeninterns.com.

We collect the following categories of personal information, each tied to a specific purpose described in the next section:

• Account information — name, email address, hashed password (if applicable), and any profile details you choose to provide. Collected when you create an account and when you update it.
• Authentication data — login tokens, OAuth identifiers from third-party identity providers (e.g. Google), and session identifiers. Collected during sign-in and session maintenance.
• Usage and product telemetry — pages visited, features used, time spent, device type, browser, approximate location inferred from IP. Collected via first-party analytics and server logs during your interaction with the Services.
• Content you submit — text, files, prompts, configurations, and any other material you upload or type into the Services. Collected when you use features that store or process your input.
• Communications — emails, support conversations, feedback, and survey responses. Collected when you contact us or respond to outreach.
• Billing and payment information — if you purchase a paid plan, we receive limited billing metadata (plan, amount, status) from Stripe. Full card details are collected and stored by Stripe, not by us.
• Technical data — IP address, user-agent string, cookies (see our Cookie Policy), and crash or error diagnostics.

We do not knowingly collect special-category data (health, biometric, political affiliation, religion, sexual orientation, etc.). If you share this information unsolicited, we delete it on detection and notify you.

We process your personal information for the following purposes, each grounded in one of the six legal bases set out in Article 6 of the GDPR:

Where we rely on legitimate interest, we have conducted a balancing test between our interest and your rights. You may object to this processing at any time by emailing privacy@nextgeninterns.com.

• School-provided information (institution, major, graduation year) is used solely to match candidates with relevant employers.
• Resume and profile data are visible to employers you apply to, and only to them.
• We never sell student data. Employer access is revocable by the student at any time.
• If you are 13–17, you may use the Service with the knowledge of a parent or guardian.

Depending on your location and applicable law, you have the following rights with respect to your personal information. To exercise any of these, email privacy@nextgeninterns.com. We respond within 30 days (GDPR) or 45 days (CCPA) and will not discriminate against you for exercising any right.

GDPR rights (EU / UK residents):

• Access (Art. 15) — obtain a copy of the personal data we hold about you.
• Rectification (Art. 16) — correct inaccurate or incomplete data.
• Erasure (Art. 17) — request deletion where no overriding legal basis requires retention.
• Restriction of processing (Art. 18) — limit how we use your data in specific circumstances.
• Data portability (Art. 20) — receive your data in a structured, machine-readable format.
• Objection (Art. 21) — object to processing based on legitimate interest or direct marketing.
• Withdraw consent (Art. 7(3)) — at any time, without affecting the lawfulness of processing before withdrawal.
• Lodge a complaint (Art. 77) — with your national supervisory authority. The lead authority for NextGen Interns LLC is the data protection authority of our establishment (see GDPR Art. 56).
• Not be subject to solely automated decision-making (Art. 22) — we do not make decisions that produce legal or similarly significant effects solely by automated means without human review.

CCPA/CPRA rights (California residents):

• Right to know what categories of personal information we collect, the sources, purposes, and third parties we share with.
• Right to access a copy of the specific pieces of personal information we hold about you.
• Right to delete personal information we have collected, subject to legal exceptions (e.g. fraud prevention, tax records, active transactions).
• Right to correct inaccurate personal information.
• Right to opt out of sale or sharing — we do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioural advertising.
• Right to limit use of sensitive personal information — we do not use sensitive personal information beyond what is necessary to provide the Services.
• Right to non-discrimination — we will not deny service, charge different prices, or provide a different level of service as a consequence of exercising your CCPA rights.

To submit a CCPA request, email privacy@nextgeninterns.com. We verify identity via the email address on file plus one additional data point before processing deletion or access requests. Authorized agents may submit requests on your behalf with written authorization.

If you are enrolled at a US school that has partnered with NextGen, information shared with us under that partnership may be governed by the Family Educational Rights and Privacy Act (FERPA). We treat such information as confidential educational records and share it only as permitted by the school's directory information policy.

Processor categories:

• Infrastructure: Vercel (hosting), Supabase (database).
• Communications: Email provider [LIST — Resend or Postmark], Slack for ops.
• Payments: [IF EMPLOYERS ARE CHARGED: Stripe — otherwise state "No payment processing"].
• AI: [IF USED FOR MATCHING — Anthropic / OpenAI under enterprise no-training agreements].
• Background verification: [IF USED — Checkr or similar; list here].

Active accounts: data retained while account is active. Inactive (90+ days): account data archived, no longer shown to employers. Deleted: all personal information removed within 30 days except records we must retain by law (tax, dispute records).

NextGen Interns LLC is based in the United States. If you access the Services from the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to, stored in, and processed in the United States and potentially other countries where our service providers operate.

For transfers of EEA / UK / Swiss personal data to the United States and other third countries, we rely on the following safeguards under GDPR Chapter V:

• Standard Contractual Clauses (SCCs) approved by the European Commission in its Implementing Decision (EU) 2021/914, with our sub-processors where applicable.
• UK International Data Transfer Addendum (IDTA) or the UK's approved transfer mechanism, where UK data is involved.
• EU-US Data Privacy Framework (DPF) where a processor is certified (e.g. cloud vendors listed on the DPF List maintained by the US Department of Commerce).
• Supplementary measures including encryption in transit and at rest, access controls, and contractual obligations on sub-processors.

You can request a copy of the relevant SCCs or DPF certification details by emailing privacy@nextgeninterns.com.

We use TLS 1.2+ encryption in transit, at-rest encryption, and row-level access controls. We disclose material breaches to affected users within 72 hours per GDPR and any stricter timelines required by US state law.

This section applies to California residents and supplements the general rights described above. It reflects California Civil Code §§ 1798.100 et seq. (CCPA as amended by CPRA).

Categories of personal information we collect and disclose. In the last 12 months, we have collected the following CCPA-defined categories:

• Identifiers (name, email, IP address, device identifiers).
• Commercial information (subscription status, transaction history).
• Internet or network activity (browsing, usage logs, interactions with the Services).
• Inferences drawn from the above (usage patterns, preferences).
• Professional or employment-related information (if you provide it in your profile).

We disclose these categories to service providers (infrastructure, payments, email, AI processors) solely to deliver the Services. We do not sell personal information for monetary consideration and do not share it for cross-context behavioural advertising.

Do Not Sell or Share My Personal Information. Because we do not sell or share as those terms are defined in the CCPA, no opt-out is required. You may still submit an opt-out preference signal (GPC); we will honour it as a request to cease any future sharing.

Minors (under 16). Where the Services involve users under 16, we obtain affirmative consent from the user (13–15) and verifiable parental consent for users under 13 before any sale or sharing, consistent with CCPA and COPPA. See our separate COPPA-specific disclosures.

How to exercise CCPA rights. Email privacy@nextgeninterns.com with the subject line "CCPA Request." We will verify your identity and respond within 45 days (extendable once by 45 additional days with notice).

We may update this policy as the Service evolves. Material changes are emailed to the address on your account at least 14 days before taking effect.