Privacy Statement

Effective Date: June 2, 2026

This Privacy Policy explains how Next2 collects, uses, shares, and protects your personal information, and describes your legal rights under applicable U.S. law.

1. Scope & Who We Are

Controller.Next2 (“Next2,” “we,” “us”) is the data controller for personal information collected through the Service. This Policy applies to the Next2 website, mobile app, and all related services.

Scope. This Policy applies to all users of the Service in the United States. If you access the Service from outside the U.S., you acknowledge that your data will be processed in the United States.

2. Information We Collect

2.1 Information You Provide

Account registration: name, email address, phone number, username, password
Profile information: preferences, communication settings
Booking details: reservation information, guest count, dates, special requests
Payment information: billing address (we do NOT store full card numbers)
Communications: messages, reviews, feedback, support requests
Promotions: responses to offers, surveys, or contests

2.2 Information Collected Automatically

Device data: IP address, browser type, operating system, device identifiers
Usage data: pages visited, clicks, search queries, time on platform
Location data: approximate location (city/region) from IP address
Cookies & trackers: session cookies, analytics cookies, preference cookies (see Section 8)
Log files: access times, error logs, referral URLs

2.3 Information from Third Parties

Partner businesses: booking confirmations, redemption data, transaction history
Payment processors: transaction status (not raw card data)
Social login providers: if you choose to log in via a third-party service
Analytics providers: aggregated usage statistics

3. How We Use Your Information

Purpose	Details
Service Delivery	Process bookings, manage accounts, award and redeem Points
Communications	Send confirmations, updates, and service-related notices
Personalization	Tailor content, offers, and recommendations to your preferences
Security	Detect fraud, unauthorized access, and policy violations
Analytics	Understand usage patterns and improve the platform
Legal Compliance	Meet obligations under applicable U.S. federal and state law
Marketing	Send promotional offers (with your consent where required)
Dispute Resolution	Investigate complaints and enforce our Terms of Service

4. Legal Basis for Processing

Contract Performance. Processing is necessary to fulfill our agreement with you (e.g., processing bookings, managing your account).

Legitimate Interests. We process data for fraud prevention, security, and platform improvement, balanced against your rights.

Legal Obligation. We process data to comply with applicable U.S. federal and state law (e.g., tax records, legal holds).

Consent. Where required by law, we obtain your explicit consent before processing (e.g., marketing communications). You may withdraw consent at any time.

5. Information Sharing & Disclosure

We Do NOT Sell Your Data. Next2 does NOT sell your personal information to third parties for their independent marketing purposes.

We may share your information with:

Partner Businesses: to fulfill bookings and reward redemptions you initiate
Payment Processors: to process transactions securely
Service Providers: analytics, hosting, email, customer support — bound by confidentiality obligations
Legal Authorities: when required by law, subpoena, court order, or to protect our legal rights
Business Transfers: in connection with a merger, acquisition, or asset sale (with notice to users)
Safety: to prevent fraud, protect the safety of users, or address security threats

We require all third-party service providers to maintain confidentiality and security standards consistent with this Policy and applicable law.

6. California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights:

Right to Know: request disclosure of the categories and specific pieces of personal information we have collected
Right to Delete: request deletion of your personal information, subject to certain exceptions
Right to Correct: request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing: we do not sell personal information, but you may opt out of sharing for cross-context behavioral advertising
Right to Limit Use of Sensitive Information: limit our use of sensitive personal information to essential purposes
Right to Non-Discrimination: we will not discriminate against you for exercising your privacy rights

How to Exercise. Submit a verifiable consumer request to: next2.loop@gmail.com. We will respond within 45 days.

Authorized Agent. You may designate an authorized agent to submit requests on your behalf by providing written authorization.

7. Children's Privacy (COPPA)

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from children under 13 without verifiable parental consent, in compliance with the Children's Online Privacy Protection Act (COPPA).

If we become aware that we have collected personal information from a child under 13 without parental consent, we will take immediate steps to delete such information. Parents or guardians may contact us at next2.loop@gmail.com.

8. Cookies & Tracking Technologies

What We Use. We use cookies, web beacons, and similar technologies to operate the Service, remember your preferences, analyze usage, and deliver relevant content.

Types of cookies we use:

Strictly Necessary: required for the Service to function (cannot be disabled)
Performance/Analytics: help us understand how you use the Service (e.g., Google Analytics)
Functional: remember your preferences and personalize your experience
Marketing: deliver relevant advertisements (only with your consent)

Your Choices. You may control cookies through your browser settings. Disabling certain cookies may affect Service functionality. We honor Global Privacy Control (GPC) signals where required by law.

9. Email Communications (CAN-SPAM Compliance)

We comply with the CAN-SPAM Act. For commercial emails:

We clearly identify ourselves as the sender
We include a valid physical mailing address
We provide a clear and conspicuous opt-out mechanism in every marketing email
We honor opt-out requests within 10 business days
We do not use deceptive subject lines or sender information

Opt-Out. To unsubscribe from marketing emails, click the “Unsubscribe” link in any email, or contact next2.loop@gmail.com. Transactional emails cannot be opted out while your account is active.

10. Data Retention

We retain personal information for as long as necessary to:

Provide the Service and maintain your account
Comply with applicable legal obligations (e.g., tax records: 7 years)
Resolve disputes and enforce our Terms
Maintain security logs (typically 12–24 months)

When data is no longer needed, we delete or anonymize it using commercially reasonable methods. Account data is generally deleted within 90 days of account closure.

11. Data Security

We implement industry-standard technical and organizational security measures, including:

Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
Access controls: role-based access; principle of least privilege
Regular security assessments and penetration testing
Employee security training and confidentiality agreements
Incident response procedures

Data Breach Notification. In the event of a data breach affecting your personal information, we will notify affected users and applicable regulatory authorities in accordance with applicable U.S. state breach notification laws within the required timeframes.

No security system is impenetrable. We cannot guarantee absolute security of your data. You share data at your own risk.

12. Your Privacy Rights & Choices

Depending on your state, you may have the right to:

Access: request a copy of your personal information
Correction: request we correct inaccurate data
Deletion: request we delete your personal information
Data Portability: receive your data in a machine-readable format
Opt-Out of Marketing: unsubscribe from promotional communications
Withdraw Consent: where processing is based on consent
Lodge a Complaint: with your state attorney general or relevant regulatory authority

How to Submit a Request. Email: support@next2.com with subject line “Privacy Rights Request.” We will verify your identity before processing your request.

13. Third-Party Links & Services

The Service may contain links to third-party websites, apps, or services. Next2 is NOT responsible for the privacy practices of third parties. We encourage you to review the privacy policies of any third-party services you access.

14. State-Specific Privacy Rights

In addition to California (CCPA/CPRA), residents of the following states may have additional rights:

Virginia (VCDPA) — rights to access, correct, delete, portability, and opt-out
Colorado (CPA) — opt-out of targeted advertising and profiling
Connecticut (CTDPA) — access, deletion, correction, and opt-out rights
Texas (TDPSA) — access, correction, deletion, and opt-out rights
Other states as applicable under their enacted privacy legislation

To exercise state-specific rights, contact support@next2.com.

15. Financial Information (GLBA)

To the extent Next2 qualifies as a financial institution under the Gramm-Leach-Bliley Act (GLBA), we comply with GLBA's privacy requirements, including providing clear notice of our information-sharing practices, offering opt-out rights for sharing with non-affiliated third parties, and implementing a comprehensive information security program.

16. Changes to This Policy

We may update this Privacy Policy at any time. For material changes, we will notify you by email or prominent in-app notice at least 30 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance. If you do not agree, please stop using the Service and close your account.

17. Contact & Data Protection Inquiries

For privacy questions, requests, or to report a concern: next2.loop@gmail.com