Privacy Policy

1. Data We Collect

We collect the following categories of personal data:

Account data

• Email address and password (stored as a secure hash) when you register.
• Name and contact details you add to your buyer or seller profile.

Business listing data

• Company name, industry, country, financial figures, and other information you voluntarily enter when creating a listing.

Transaction and communication data

• Enquiries, offer details, deal messages, contract change requests, and other communications between buyers and sellers on the Platform.
• Ratings and reviews you submit about other users.

Usage data

• Log data such as IP address, browser type, pages visited, and timestamps, collected automatically when you use the Platform.

Legal booking data

• Service type, description of your legal needs, and deal reference submitted when booking a legal advisor.

2. How We Use Your Data

We use your personal data for the following purposes, each with its corresponding legal basis under GDPR:

• To provide the Platform: Creating your account, showing listings, facilitating enquiries and deal communications. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• To generate AI-assisted content: Your listing and deal data is processed by Anthropic's API to generate valuations, contract drafts, and clause assessments. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• To connect you with legal advisors: Your booking details and deal reference are shared with our third-party legal partners to match you with an appropriate advisor. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
• To send service communications: Notifications about enquiries, messages, and important account events. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
• To improve the Platform: Aggregated, anonymised usage data is used to understand how the Platform is used and improve features. Legal basis: legitimate interests (Art. 6(1)(f) GDPR).
• To comply with legal obligations: Retaining records as required by German tax and commercial law. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

3. Data Storage and Security

Supabase uses industry-standard security measures including encryption at rest and in transit. Password hashes are handled by Supabase Auth using bcrypt. We recommend you use a strong, unique password and enable two-factor authentication where available.

AI processing is carried out via the Anthropic API. Anthropic's data processing agreement is in place and data submitted to Anthropic for processing is not used to train their models under the terms of our API agreement.

We retain your personal data for as long as your account is active, and for a further period of three years after account closure to comply with legal obligations, unless you request earlier deletion.

4. Data Sharing

We share your data only in the following circumstances:

• With other users: Your profile information and listing data is visible to other users as part of normal Platform operation. Private deal communications are visible only to the parties involved.
• With service providers: Supabase (hosting and auth), Anthropic (AI processing), and payment processors, each acting as data processors under appropriate data processing agreements.
• With legal advisors: If you book a legal support session, relevant details are shared with the assigned advisor to enable them to assist you.
• For legal compliance: We may disclose data if required by law, court order, or to protect the rights and safety of our users or third parties.

We do not share your data with advertisers or data brokers, and we do not use your data for targeted advertising.

5. Your Rights Under GDPR

As a data subject under GDPR, you have the following rights:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may ask us to correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”): You may request deletion of your personal data, subject to our legal retention obligations.
• Right to restriction: You may ask us to restrict processing of your data in certain circumstances.
• Right to data portability: You may request your data in a structured, machine-readable format.
• Right to object: You may object to processing based on legitimate interests, including for direct communications.
• Right to withdraw consent: Where processing is based on your consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, email us at privacy@nextowner.com. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority — in Germany, this is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI).

6. Cookies

The Platform uses only technically necessary cookies required for authentication (session tokens) and security (CSRF protection). We do not use tracking cookies, analytics cookies, or advertising cookies.

You can control cookies through your browser settings. Disabling session cookies will prevent you from logging in.

7. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the Platform after an update constitutes acceptance of the revised policy.

8. Contact

For privacy-related questions or to exercise your rights, contact our data protection contact at:

privacy@nextowner.com
Bizraze UG (haftungsbeschränkt)
Berlin, Germany