Next Surplus
Privacy PolicyTerms of Service

Privacy Policy

Next Surplus

Effective Date: July 1, 2026

Last Updated: July 1, 2026

Next Surplus ("Next Surplus," "we," "us," or "our") operates app.nextsurplus.com (the "Service"). This Privacy Policy describes how we collect, use, store, and share your information when you use our Service.

By using the Service, you agree to the collection and use of information as described in this policy. If you do not agree, do not use the Service.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Name and email address
  • Company name and mailing address
  • Phone number (optional)
  • Company logo (optional)
  • Password (hashed, never stored in plain text)

1.2 Payment Information

When you subscribe to the Service, payment is processed by Stripe, Inc. We do not store your credit card number, CVV, or full card details on our servers. We receive and store your Stripe customer ID, subscription status, and billing history metadata. See Stripe's privacy policy at https://stripe.com/privacy for details on how Stripe handles your payment data.

1.3 Lead and Case Data

You may enter or import data about property owners, surplus funds cases, and related records ("Lead Data") into the Service. This data may include:

  • Property owner names, mailing addresses, phone numbers, and email addresses
  • Property addresses, parcel numbers, and county/state information
  • Surplus fund amounts, recovery fee percentages, and claim details
  • Case notes, activity logs, and stage history
  • Documents uploaded to the Service

Lead Data is your data. We process it solely to provide the Service to you. We do not sell, share, or use Lead Data for advertising or any purpose unrelated to providing the Service.

1.4 Gmail Data (Via Google OAuth)

If you connect your Gmail account, we request the following Google OAuth scopes:

  • gmail.readonly, to sync and display your email inbox within the Service
  • gmail.send, to send emails on your behalf from within the Service
  • userinfo.email and userinfo.profile, to identify your Google account

What we access: Email messages, subject lines, sender/recipient addresses, timestamps, and message bodies for emails synced to your inbox view within the Service.

What we store: Email metadata and message content are cached in our database to enable inbox search and display. Emails are associated with your user account and your organization.

What we do not do: We do not use your Gmail data for advertising, market research, or any purpose other than displaying and sending email within the Service. We do not share your Gmail data with third parties except as required to provide the Service (e.g., our database hosting provider).

Google API Services User Data Policy Compliance: Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

  • We only use Gmail data to provide and improve the email features of the Service
  • We do not transfer Gmail data to third parties except as necessary to provide the Service, as required by law, or as part of a merger/acquisition with adequate data protections
  • We do not use Gmail data for serving advertisements
  • We do not allow humans to read your Gmail data unless you provide affirmative consent for specific messages, it is necessary for security purposes (e.g., investigating abuse), it is necessary to comply with applicable law, or our use is limited to internal operations and the data has been aggregated and anonymized

1.5 Usage Data and Analytics

We collect anonymized usage data through PostHog to understand how the Service is used. This includes:

  • Pages visited and features used
  • Session duration and frequency
  • Browser type, device type, and screen resolution
  • Referring URL

We do not use this data to identify individual users or for advertising purposes.

1.6 Error Monitoring

We use Sentry for error monitoring. When an application error occurs, Sentry may capture:

  • The error message and stack trace
  • Browser and device information
  • The URL where the error occurred

Error data does not include your Lead Data, email content, or payment information.

2. How We Use Your Information

We use collected information to:

  • Provide, maintain, and improve the Service
  • Process your subscription payments
  • Send transactional emails (account confirmations, password resets, billing receipts, system notifications)
  • Display your synced Gmail inbox within the Service and send emails on your behalf
  • Monitor for errors and improve reliability
  • Respond to your support requests
  • Comply with legal obligations

We do not use your information for advertising, profiling, or automated decision making.

3. How We Share Your Information

We share your information only with the following categories of service providers, solely to operate the Service:

ProviderPurposeData Shared
Supabase (database and authentication)Data storage, user authenticationAll account and Lead Data (encrypted in transit and at rest)
Stripe (payments)Subscription billingEmail, name, payment method (handled by Stripe directly)
Resend (transactional email)System notifications, invitesRecipient email addresses, email content
Google (Gmail API)Email sync and sendingOAuth tokens, email content sent through the Service
Vercel (hosting)Application hostingRequest logs (IP addresses, URLs)
PostHog (analytics)Usage analyticsAnonymized usage events
Sentry (error monitoring)Error trackingError messages, stack traces, browser info

We do not sell your personal information to any third party. We do not share your information with advertising networks, data brokers, or information resellers.

We may disclose your information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect the rights, property, or safety of Next Surplus, our users, or the public.

4. Data Storage and Security

Your data is stored in Supabase managed PostgreSQL databases hosted in the United States. We implement the following security measures:

  • All data is encrypted in transit (TLS 1.2+) and at rest (AES 256)
  • Row Level Security policies enforce tenant isolation, each organization can only access its own data
  • Passwords are hashed using bcrypt
  • Stripe webhook signatures are verified to prevent tampering
  • API keys and secrets are stored as environment variables, never in source code

No system is 100% secure. While we implement commercially reasonable security measures, we cannot guarantee absolute security. If you become aware of a security vulnerability, please contact us at support@nextsurplus.com.

5. Data Retention

  • Account data: Retained for the duration of your subscription.
  • Lead Data: Retained for the duration of your subscription. You may export Lead Data at any time using the export features within the Service.
  • Gmail data: Cached email data is deleted when you disconnect your Gmail account.
  • Payment records: Billing history is retained by Stripe per their retention policy. We retain billing metadata (subscription status, invoice references) for accounting purposes as required by law.
  • Analytics data: Anonymized usage data may be retained indefinitely for product improvement.
  • Error logs: Retained for 90 days, then automatically deleted.

6. Your Rights

6.1 All Users

You have the right to:

  • Access your personal information by contacting us
  • Correct inaccurate personal information through your account settings or by contacting us
  • Export your Lead Data via CSV export within the Service
  • Disconnect your Gmail account at any time through Settings, which stops syncing and deletes cached email data

6.2 California Residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

  • Right to Know: You may request the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: You may request correction of inaccurate personal information.
  • Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross context behavioral advertising, so there is nothing to opt out of.
  • Right to Non Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise these rights, email us at support@nextsurplus.com. We will verify your identity and respond within 45 days.

6.3 Google Account Data

You may revoke the Service's access to your Google account at any time through your Google Account permissions page at https://myaccount.google.com/permissions. Revoking access will stop email syncing and disable email sending through the Service.

7. Multi Tenant Architecture

The Service is a multi tenant platform. Each organization's data is logically isolated from other organizations using row level security policies in our database. No organization can view, access, or modify another organization's data through the Service.

8. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us at support@nextsurplus.com and we will delete it promptly.

9. Cookies and Tracking

The Service uses essential cookies for authentication and session management. These cookies are necessary for the Service to function and cannot be disabled.

If analytics are enabled (PostHog), we use a cookie consent banner to obtain your consent before placing analytics cookies. You may decline analytics cookies without affecting your use of the Service.

We do not use advertising cookies, tracking pixels, or retargeting technologies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last Updated" date. For significant changes, we will notify you via email or an in app notification. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or want to exercise your privacy rights:

Next Surplus
Email: support@nextsurplus.com
Website: https://app.nextsurplus.com

Next Surplus

support@nextsurplus.com