Legal
Privacy Policy
Last updated: January 2025
1. Who We Are
Next Opay is a trading name of Next Oasis Group Ltd, a company registered in England and Wales under company number 14976174.
Registered Office: 15 Rockstone Place, Director Generals House, Southampton, SO15 2EP
Data Protection Officer: privacy@nextopay.co.uk
We act as the Data Controller for personal data you provide when using the Next Opay platform. This Privacy Policy explains how we collect, use, store and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Information We Collect
We collect the following categories of personal data:
Account & Organisation Data
Name, email address, organisation name, role, and contact details provided during registration and account management.
Transaction Data
Payment amounts, giving types, transaction timestamps, confirmation references, and payment status records associated with your account.
Payment Processing Data
Payment processing is handled exclusively by Stripe. We receive limited confirmation data (payment intent IDs, charge references) but never store full card numbers, CVV codes or sensitive authentication data.
Device & Usage Data
IP addresses, browser type, pages visited, session duration and platform interaction data collected for security monitoring and platform improvement.
WhatsApp Contact IDs
WhatsApp phone numbers and contact identifiers processed through SendPulse to facilitate payment bot conversations. These are used solely to deliver the payment service you have requested.
3. How We Use Your Information
We use your personal data for the following purposes:
- Provide, maintain and improve the Next Opay platform and services
- Process payments and send transaction confirmations to you and your customers
- Authenticate users and manage account security
- Detect and prevent fraud, unauthorised access and other security threats
- Meet our legal and regulatory obligations
- Send service communications, including receipts, alerts and system notifications
- Analyse platform usage to improve our product features
4. Legal Basis for Processing
Under UK GDPR, we rely on the following legal bases to process your personal data:
Contract Performance
Processing necessary to deliver the services you have signed up for and to fulfil our contractual obligations.
Legitimate Interests
Security monitoring, fraud prevention, platform analytics and improving our services — balanced against your rights and interests.
Legal Obligation
Processing required to comply with applicable laws, including financial record-keeping and anti-money laundering requirements.
Consent
Where we ask for your specific agreement — for example, for optional marketing communications. You may withdraw consent at any time.
5. Data Sharing
We do not sell your personal data. We share data only with the following trusted sub-processors to the extent necessary to provide the service:
We never sell, rent or trade your personal data to third parties.
Stripe — Payment Processing
Processes card payments on our behalf. PCI DSS Level 1 certified. Data processed under Stripe's Privacy Policy.
SendPulse — WhatsApp Messaging
Delivers WhatsApp bot messages and payment links to your customers on our behalf.
Resend — Transactional Email
Sends email notifications, receipts and system alerts on our behalf.
Vercel — Cloud Hosting
Hosts the Next Opay application and infrastructure. Data stored in European data centres where applicable.
6. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this policy or as required by law.
Category
Transaction Records
Retention Period
7 years
Reason
Legal requirement (HMRC financial records)
Category
Account & Organisation Data
Retention Period
Duration of contract + 2 years
Reason
Legitimate interests and legal obligations
Category
WhatsApp Bot Sessions
Retention Period
90 days
Reason
Service delivery and support
Category
Audit Logs
Retention Period
3 years
Reason
Security and fraud prevention
7. Your Rights
Under UK GDPR you have the following rights in relation to your personal data:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Ask us to correct inaccurate or incomplete personal data.
Right to Erasure
Request deletion of your data where there is no longer a lawful basis to retain it.
Right to Portability
Receive your data in a structured, machine-readable format.
Right to Restriction
Ask us to restrict processing of your data in certain circumstances.
Right to Object
Object to processing based on legitimate interests, including direct marketing.
To exercise any of your rights, contact our Data Protection Officer at privacy@nextopay.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
Next Opay uses essential cookies only. These are strictly necessary for the platform to function — specifically for session management and authentication.
We do not use tracking cookies, advertising cookies or third-party analytics cookies. No cookie consent banner is required as we rely solely on essential cookies.
You can disable cookies in your browser settings, but please note that this may prevent you from logging in to the platform.
9. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
Next Oasis Group Ltd
15 Rockstone Place, Director Generals House
Southampton, SO15 2EP
Email: privacy@nextopay.co.uk