Privacy Policy
Effective date: April 10, 2026
Nextbatch ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use nextbatch.xyz (the "Service"). We have designed our Service to minimize the personal data we collect and to avoid unnecessary tracking.
1. Information We Collect
Baker Account Information. When you create a Baker account via Clerk, we collect your name and email address. Through the store setup process, we also collect your store name, URL slug, store description, Venmo handle, and an optional banner image. If you connect a Stripe account for online payments, Stripe processes your payment account information directly; we store only a reference to your connected account.
Customer Order Information. When a customer places an order, we collect their name, email address, phone number, the items ordered, the order total, and any notes provided (such as allergy information or pickup preferences).
Changelog Subscribers. If you opt in via the subscribe form on our changelog page, we store your email address along with the page you signed up from. We use it only to send occasional product updates from us, and never share it. You can ask us to remove you at any time by emailing us.
Automatically Collected Information. Our hosting provider Cloudflare receives standard web request data, including IP addresses, as part of routing traffic to our Service. Cloudflare Web Analytics (a cookieless, privacy-first analytics tool) collects aggregate, anonymized page view and performance data; it does not store your IP address or set any cookies.
2. How We Use Your Information
We use your information to:
- Operate the platform and process orders.
- Send order confirmation and status emails to Customers and Bakers (via Resend).
- Authenticate Baker accounts and manage sessions (via Clerk).
- Diagnose and fix bugs and errors (via Sentry).
- Understand how the platform is used so we can improve it (via Axiom server-side event analytics and Cloudflare Web Analytics, which collects only aggregate data).
- Process Baker subscription billing (via Stripe).
- Comply with applicable legal obligations.
3. Legal Bases for Processing (GDPR)
For users in the European Economic Area, we process personal data under the following legal bases:
- Performance of a contract – processing necessary to operate your account, fulfill orders, and deliver the Service.
- Legitimate interests – error tracking (Sentry), server-side analytics (Axiom), aggregate analytics (Cloudflare Web Analytics), and security monitoring, where our legitimate interests are not overridden by your rights.
- Legal obligation – where we are required to process data by law.
4. Third-Party Service Providers
We share your information with the following service providers solely to operate the Service. We do not sell your personal information. We do not share your information with advertisers.
| Provider | Purpose | Data Shared |
|---|---|---|
| Clerk | Baker authentication and session management | Baker name, email, session tokens |
| Resend | Transactional email delivery | Baker and customer name, email address |
| Axiom | Server-side event analytics and application logging | Event data, baker user ID, request metadata |
| Sentry | Error tracking and debugging | Error logs, baker user ID, request metadata |
| Cloudflare | Hosting, CDN, database, and object storage | All request data; stored application data |
| Cloudflare Web Analytics | Aggregate, cookieless page view and performance analytics | Anonymized page view data; no IP address retained |
| Stripe | Baker subscription billing; optional Stripe Connect payments | Baker billing information; connected account data |
5. Cookies and Tracking Technologies
We use a minimal number of cookies and no advertising or third-party tracking technologies.
Strictly Necessary Cookies:
theme– Stores your light/dark mode preference. First-party, functional only. Expires after 1 year. Contains no personal data.- Clerk authentication cookies – HTTPOnly session cookies required for Baker login. Strictly necessary for the Service to function.
Analytics:
- Cloudflare Web Analytics – A cookieless JavaScript beacon automatically injected by Cloudflare. It does not set any cookies, does not store your IP address, and does not fingerprint your browser. It collects only aggregate, anonymized data about page visits and performance.
- First-party page view beacon – Some pages send an anonymous JavaScript event to our own server to count aggregate page views. These events contain only contextual identifiers like a page slug, never a visitor identifier, and they fire only after a visitor signal (a few seconds of visible time or a first interaction such as scroll or tap) so bots and accidental loads aren't counted. No cookies are set.
Because we use no non-essential cookies, no cookie consent banner is displayed. You will not be asked to opt in or out of cookies.
6. Data Retention
- Baker account data: retained until you request account deletion.
- Customer order data: retained for 3 years to support baker recordkeeping, then deleted.
- Application error logs (Sentry): 90 days.
- Server-side analytics events (Axiom): per your Axiom plan configuration.
- Authentication session data (Clerk): per Clerk's data retention policies.
7. Your Privacy Rights
EU / EEA Users (GDPR). You have the right to: access your personal data; correct inaccurate data; request erasure ("right to be forgotten"); restrict or object to processing; receive your data in a portable format; and withdraw consent where processing is based on consent. To exercise any of these rights, contact us at privacy@nextbatch.xyz.
California Residents (CCPA / CPRA). You have the right to: know what personal information we collect and how it is used; request deletion of your personal information; opt out of the sale or sharing of your personal information (we do not sell or share personal information); and not be discriminated against for exercising your rights. To exercise these rights, contact privacy@nextbatch.xyz.
New Hampshire Residents (NH Privacy Act). You have the right to access, correct, delete, and obtain a portable copy of your personal data. We will respond to verifiable requests within 45 days. Contact privacy@nextbatch.xyz.
8. Data Security
We implement technical and organizational measures to protect your information, including TLS encryption for all data in transit and encryption at rest for data stored in Cloudflare's D1 database and R2 object storage. Access to production systems is restricted to authorized personnel only.
No method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us responsibly at legal@nextbatch.xyz.
9. Children's Privacy
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If we learn that we have inadvertently collected such information, we will promptly delete it. If you believe we may have collected information from a child under 13, please contact privacy@nextbatch.xyz.
10. International Data Transfers
Your information is stored and processed in the United States on Cloudflare's infrastructure. If you are located in the EU or EEA, Cloudflare's data processing is covered by Standard Contractual Clauses (SCCs) as described in Cloudflare's privacy documentation. For more information, see Cloudflare's Privacy Policy.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 30 days before the changes take effect. The updated policy will be available at nextbatch.xyz/privacy with the revised effective date.
12. Contact Us
For privacy questions or to exercise your rights:
For other legal inquiries: