Privacy Policy

Effective date: February 27, 2026  ·  Last updated: March 15, 2026

CooperWurks ("we", "us", "our") operates Nextyme, our appointment-scheduling product (the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how it is used, and your rights under the General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data Controller

CooperWurks (company and data controller)
Nextyme (product/service name)
Privacy contact details available through our secure contact form.
Contact: /contact

2. Data We Collect

We collect and process the following categories of personal data:

  • Account data: Email address, display name, profile photo (used to create and manage your account).
  • Client data: Names, email addresses, and phone numbers of individuals you add as clients. Email and phone are encrypted at rest using AES-256-GCM.
  • Appointment data: Appointment titles, dates, times, notes, and status.
  • Message logs: Records of SMS, WhatsApp, and Telegram notifications sent on your behalf.
  • Authentication data: Hashed login-attempt records (email hashed with SHA-256, IP address truncated to /24 subnet) used for brute-force protection. Retained for 24 hours.
  • OAuth data: Provider (Google, Facebook, GitHub), timestamp, and country-level geolocation stored for security anomaly detection. Retained for 30 days.
  • Usage analytics (optional): Anonymised feature interaction data via PostHog, collected only with your explicit consent. No names, emails, or appointment content are ever included.
  • Device data: Browser/OS type collected automatically as part of normal web server operation.

3. Legal Basis for Processing (GDPR Article 6)

  • Contract performance (Art. 6(1)(b)): Account management, appointment scheduling, client data storage, and notifications.
  • Legitimate interests (Art. 6(1)(f)): Security logging (brute-force protection, OAuth anomaly detection), abuse prevention.
  • Consent (Art. 6(1)(a)): Analytics tracking (PostHog). You may withdraw consent at any time in Settings → Privacy.
  • Legal obligation (Art. 6(1)(c)): Audit logs required under GDPR Article 30.

4. How We Use Your Data

  • Provide, operate, and improve the Service.
  • Send appointment reminder notifications (SMS, WhatsApp, Telegram, email) on your behalf.
  • Detect and prevent fraud, brute-force attacks, and account takeovers.
  • Comply with legal obligations.
  • Respond to data subject access requests (DSARs).

5. Data Retention

  • Account & client data: Retained until you delete your account.
  • Authentication logs: 24 hours.
  • OAuth audit log: 30 days.
  • Message logs: 1 year.
  • Data access audit log: 90 days.
  • Email/phone validation cache: 90 days.
  • Webhook events: 90 days.

6. Sub-Processors and Third Parties

We share data only as necessary with the following sub-processors:

  • Supabase (database, authentication, edge functions) — primary hosting in EU region where configured.
  • Twilio (SMS & WhatsApp notifications, phone validation) — may involve international transfers safeguarded by SCCs.
  • Telegram Bot API (optional Telegram notifications for clients who explicitly opt in).
  • Resend (transactional email delivery) — processes recipient email addresses for service communications.
  • Cloudflare (CDN, Turnstile CAPTCHA) — processes network/security metadata.
  • PostHog (opt-in anonymised analytics) — EU-hosted analytics workspace in our configuration.
  • ZeroBounce (email address validation) — validation-only processing via EU endpoint where configured.

For the current sub-processor registry and transfer details, contact us via our contact form.

7. International Data Transfers

Some sub-processors may process data outside the EU/EEA. Where this occurs, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses under GDPR Art. 46(2)(c) or adequacy decisions).

8. Regional Disclosures

  • GDPR (EU/EEA): This policy serves as our Article 13/14 transparency notice.
  • PIPEDA (Canada): For Canadian users, this policy also serves as our transparency notice under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
  • CCPA/CPRA (California): California residents have rights to know, delete, and opt out of the sale/share of personal information, subject to applicable exceptions.
  • CASL (Canada): For Canadian recipients, appointment reminder/notification emails are sent only after explicit recipient-level opt-in. Consent can be withdrawn per recipient in client records, and SMS recipients can unsubscribe by replying STOP.

9. California Privacy Notice (CCPA/CPRA)

For California residents, we disclose the following:

  • Categories of personal information collected: identifiers (name, email, phone), account information, appointment details, and related service records.
  • Categories of third parties disclosed to for business purposes: Supabase, Twilio, Resend, PostHog, Cloudflare, and ZeroBounce.
  • No sale statement: We do not sell personal information to third parties for monetary consideration.
  • Do Not Sell/Share statement: We do not sell personal information for monetary consideration. If this changes, we will provide a clear opt-out mechanism as required by applicable law.
  • Non-discrimination: We do not discriminate against users for exercising CCPA/CPRA rights.

10. Your Rights (GDPR Chapter III)

You have the following rights regarding your personal data:

  • Access (Art. 15): Request a copy of all data we hold about you. Use the "Download My Data" feature in Settings → Privacy.
  • Rectification (Art. 16): Correct inaccurate data via your profile settings.
  • Erasure (Art. 17): Delete your account and all associated data via Settings → Privacy → Delete Account.
  • Restriction (Art. 18): Request restriction of processing by contacting us.
  • Data portability (Art. 20): Download your data as JSON via Settings → Privacy → Download My Data.
  • Objection (Art. 21): Object to processing based on legitimate interests by contacting us.
  • Withdraw consent: Disable analytics anytime in Settings → Privacy.
  • Lodge a complaint: You may lodge a complaint with your local supervisory authority.
  • Canada complaint escalation: Canadian users may also file a complaint with the Office of the Privacy Commissioner of Canada (OPC): www.priv.gc.ca.

11. Security

We protect your data using industry-standard measures including:

  • AES-256-GCM encryption for client PII (email addresses and phone numbers) at rest.
  • HKDF-SHA256 key derivation for encryption keys.
  • Row-Level Security (RLS) policies on all database tables enforcing user isolation.
  • TLS in transit for all API calls.
  • Multi-factor authentication (TOTP) available for all accounts.

12. Cookies

The Nextyme web application uses the following cookies:

  • Essential: Session authentication cookie (Supabase auth token) — required for the Service to function.
  • Security: Cloudflare Turnstile CAPTCHA — required to prevent abuse on sign-up and sign-in.
  • Analytics (optional): PostHog analytics cookie — only set with your explicit consent.

13. Children's Privacy

The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have inadvertently done so, please contact us.

14. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes by updating the effective date above and, where appropriate, by in-app notification.

15. Contact Us

For any privacy-related enquiries or to exercise your rights, use our secure contact form:

Form: /contact
Response time: We aim to respond within 30 days as required by GDPR.

© 2026 Nextyme.