Legal

Privacy Policy

Last updated: January 2025

1. Who We Are

Next Opay is a trading name of Next Oasis Group Ltd, a company registered in England and Wales under company number 14976174.

Registered Office: 15 Rockstone Place, Director Generals House, Southampton, SO15 2EP

Data Protection Officer: privacy@nextopay.co.uk

We act as the Data Controller for personal data you provide when using the Next Opay platform. This Privacy Policy explains how we collect, use, store and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Information We Collect

We collect the following categories of personal data:

Account & Organisation Data

Name, email address, organisation name, role, and contact details provided during registration and account management.

Transaction Data

Payment amounts, giving types, transaction timestamps, confirmation references, and payment status records associated with your account.

Payment Processing Data

Payment processing is handled exclusively by Stripe. We receive limited confirmation data (payment intent IDs, charge references) but never store full card numbers, CVV codes or sensitive authentication data.

Device & Usage Data

IP addresses, browser type, pages visited, session duration and platform interaction data collected for security monitoring and platform improvement.

WhatsApp Contact IDs

WhatsApp phone numbers and contact identifiers processed through SendPulse to facilitate payment bot conversations. These are used solely to deliver the payment service you have requested.

3. How We Use Your Information

We use your personal data for the following purposes:

  • Provide, maintain and improve the Next Opay platform and services
  • Process payments and send transaction confirmations to you and your customers
  • Authenticate users and manage account security
  • Detect and prevent fraud, unauthorised access and other security threats
  • Meet our legal and regulatory obligations
  • Send service communications, including receipts, alerts and system notifications
  • Analyse platform usage to improve our product features

4. Legal Basis for Processing

Under UK GDPR, we rely on the following legal bases to process your personal data:

Contract Performance

Processing necessary to deliver the services you have signed up for and to fulfil our contractual obligations.

Legitimate Interests

Security monitoring, fraud prevention, platform analytics and improving our services — balanced against your rights and interests.

Legal Obligation

Processing required to comply with applicable laws, including financial record-keeping and anti-money laundering requirements.

Consent

Where we ask for your specific agreement — for example, for optional marketing communications. You may withdraw consent at any time.

5. Data Sharing

We do not sell your personal data. We share data only with the following trusted sub-processors to the extent necessary to provide the service:

We never sell, rent or trade your personal data to third parties.

S

Stripe Payment Processing

Processes card payments on our behalf. PCI DSS Level 1 certified. Data processed under Stripe's Privacy Policy.

S

SendPulse WhatsApp Messaging

Delivers WhatsApp bot messages and payment links to your customers on our behalf.

R

Resend Transactional Email

Sends email notifications, receipts and system alerts on our behalf.

V

Vercel Cloud Hosting

Hosts the Next Opay application and infrastructure. Data stored in European data centres where applicable.

6. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy or as required by law.

Category

Transaction Records

Retention Period

7 years

Reason

Legal requirement (HMRC financial records)

Category

Account & Organisation Data

Retention Period

Duration of contract + 2 years

Reason

Legitimate interests and legal obligations

Category

WhatsApp Bot Sessions

Retention Period

90 days

Reason

Service delivery and support

Category

Audit Logs

Retention Period

3 years

Reason

Security and fraud prevention

7. Your Rights

Under UK GDPR you have the following rights in relation to your personal data:

Right of Access

Request a copy of the personal data we hold about you.

Right to Rectification

Ask us to correct inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your data where there is no longer a lawful basis to retain it.

Right to Portability

Receive your data in a structured, machine-readable format.

Right to Restriction

Ask us to restrict processing of your data in certain circumstances.

Right to Object

Object to processing based on legitimate interests, including direct marketing.

To exercise any of your rights, contact our Data Protection Officer at privacy@nextopay.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

Next Opay uses essential cookies only. These are strictly necessary for the platform to function — specifically for session management and authentication.

We do not use tracking cookies, advertising cookies or third-party analytics cookies. No cookie consent banner is required as we rely solely on essential cookies.

You can disable cookies in your browser settings, but please note that this may prevent you from logging in to the platform.

9. Contact Us

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:

Next Oasis Group Ltd

15 Rockstone Place, Director Generals House

Southampton, SO15 2EP

Email: privacy@nextopay.co.uk