NextSchool

Privacy Policy

Last Updated: April 2, 2026 — See what changed

1. Who We Are

NextSchool is operated from Ontario, Canada. We are committed to protecting your privacy and ensuring transparency about how we collect, use, and manage your personal information.

Contact: privacy@nextschool.ca

NextSchool operates in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's federal privacy law that governs how private sector organizations handle personal information.

2. What Data We Collect — Parents

When you use NextSchool, we collect the following information:

  • Family Profile Information: Child's name, age/grade, interests, learning needs, learning style, location, budget preferences, school priorities, and dealbreakers
  • Account Information: Your name, email, and password
  • Chat History: Conversations with our AI consultant, including your responses and our recommendations
  • Usage Data: Schools you've shortlisted, notes you've written, comparisons you've made, and pages you've visited

Important: We collect information about children as provided by their parent or guardian. Children do not directly create accounts or use the platform.

3. What Data We Collect — Schools

When school administrators claim and manage their profiles, we collect:

  • Claimant Information: Full name, role at school, school email, and verification documents (for verification purposes)
  • School Profile Data: Tuition, programs offered, photos, admissions dates, contact information, and other details you provide to display publicly

4. How We Use Data

We use your data for these specific purposes:

Parent Data:

  • Provide personalized school recommendations
  • Maintain your conversation history
  • Improve our matching algorithms
  • Help you manage your shortlist and notes

School Data:

  • Display your school's public profile
  • Support your profile management and updates
  • Process inquiries from parents

Aggregated/Anonymized Data:

  • Improve service quality and recommendations
  • Develop new features
  • Generate analytics and insights

Critical Privacy Commitment: Parent family profiles are NEVER shared with schools unless you explicitly initiate contact (such as sending an inquiry).

5. Children's Data

We take children's privacy seriously. Here's how we protect it:

  • We collect information about children only as provided by their parent or guardian
  • Children do not use the platform directly and do not create accounts
  • Parents can request access to, correction of, or deletion of their child's information at any time
  • We do not sell or share children's personal information with third parties
  • For children under 13, we rely on the parent/guardian's consent as the account holder

6. Data Sharing and Disclosure

Here's how we handle your data:

What We Don't Share:

  • We do NOT share family data with schools (unless you initiate an inquiry)
  • We do NOT sell personal data to any third party

What We May Share:

  • Anonymized, aggregated analytics with schools (no personal information included)
  • Data with sub-processors listed below, who process information on our behalf under data processing agreements
  • Information if required by law, court order, or government request

Our Sub-Processors

The following companies process personal data on our behalf. Each operates under a data processing agreement with NextSchool and is prohibited from using your data for any purpose beyond what we instruct.

AI Inference — OpenRouter (United States)

Purpose: Generating personalized school recommendations through our AI consultant.

Data transmitted: Pseudonymized conversation content including educational preferences (child's grade, learning style, school priorities). We replace names with placeholders and reduce location to city/region level before transmission — your child's name, specific medical diagnoses, and precise address are not sent to OpenRouter.

Retention by OpenRouter: Prompts are used for inference only and are not retained for training without explicit consent. See OpenRouter's Privacy Policy.

| Service | Country | Purpose | Data Shared |
|---|---|---|---|
| Stripe | United States | Payment processing | Email address, subscription status |
| Resend | United States | Transactional email delivery | Name, email address |
| Sentry | United States | Error monitoring and performance | Anonymized error events — emails and IP addresses are stripped before transmission |
| Vercel | United States | Platform hosting and edge network | IP address (in transit only); page view metrics with your consent |
| Google Analytics / Ads | United States | Analytics and conversion measurement | Anonymized events (with your consent); hashed email only on purchase and only with your explicit ad consent |
| Supabase | United States | Database and authentication | All data stored by NextSchool (encrypted at rest, AES-256) |

7. Data Retention

We retain personal information only as long as necessary for the stated purpose. The table below summarizes our retention schedule.

| Data Category | Retention | Notes |
|---|---|---|
| Account & family profile | Until account deletion | Permanently deleted on request |
| Conversation history | Until account deletion | Permanently deleted on request; per-conversation delete available |
| System logs (API, errors) | 30–90 days | Automatically deleted; PII scrubbed before storage |
| Search logs | Anonymized at 30 days, deleted at 90 days | User identity removed after 30 days; query data deleted at 90 days |
| Consent records | Until account deletion | Retained for compliance purposes; included in your data export |

Account Deletion: When you delete your account, all personal data is permanently removed from our systems. Data held by third-party sub-processors (Stripe, Sentry, etc.) is subject to their own retention policies.

8. Cookies and Tracking

We use the following types of cookies:

  • Authentication and Session Cookies: Keep you logged in and secure
  • Analytics Cookies: Understand how you use our platform to improve your experience

You can control cookies through your browser settings. Disabling some cookies may affect platform functionality.

9. Your Rights Under PIPEDA

Under PIPEDA, you have the right to:

  • Access Your Information: Request to see what personal data we hold about you
  • Request Correction: Ask us to correct inaccurate or incomplete information
  • Withdraw Consent: Withdraw your consent for us to use your data (though this may limit your use of NextSchool)
  • File a Complaint: Lodge a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy has been violated

To exercise any of these rights, contact us at privacy@nextschool.ca with your request.

10. CASL Compliance

NextSchool complies with Canada's Anti-Spam Legislation (CASL):

  • Marketing and promotional emails are sent only with your express consent, which you may grant or revoke at any time in your account settings
  • Transactional emails (account confirmation, booking reminders, etc.) do not require marketing consent
  • All emails include our sender identity, registered address, and a functional unsubscribe link
  • Unsubscribe requests are processed immediately — you will not receive further commercial emails after clicking unsubscribe
  • Your consent history is recorded and available in your data export

11. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws.

When we make material changes, we will notify you by updating the "Last Updated" date and, for significant changes, by email or through a notice in the platform. For changes that affect how we process children's information or introduce new third-party data sharing, we will require you to re-acknowledge the updated policy before continuing to use NextSchool.

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please reach out:

Privacy Officer:

privacy@nextschool.ca

We will respond to access, correction, and deletion requests within 30 days. You may also file a complaint with the Office of the Privacy Commissioner of Canada.

General Questions:

Visit our Contact Page

Policy Changelog

A record of material changes to this policy. Minor wording clarifications are not listed.

April 2, 2026

  • Named all sub-processors explicitly (OpenRouter, Stripe, Resend, Sentry, Vercel, Google)
  • Added disclosure that AI recommendations involve transmission of pseudonymized conversation content to OpenRouter (US)
  • Clarified that names, specific medical diagnoses, and precise addresses are not transmitted to AI providers
  • Added detailed data retention schedule by category
  • Updated CASL section: unsubscribe is immediate, not "10 business days"
  • Added explicit consent checkboxes at signup (granular opt-in for marketing and analytics)
  • Added server-side consent audit trail

February 20, 2026

Initial privacy policy published.