Privacy Policy

Last updated · May 8, 2026

Overview

NextStep AI Inc. (“NextStep,” “we,” “us”) builds AI-native learning tools for higher education institutions. This Privacy Policy describes how we collect, use, and protect information when you visit our marketing website at nextstep.com, request a demo, contact our team, or apply for a job.

Student data we process on behalf of partner institutions is governed by the Data Processing Addendum (DPA) executed with each institution and our FERPA Compliance Policy, not this policy. Institutions remain the data controller for student education records; NextStep acts as a school official under FERPA.

Information We Collect

From you directly

  • Contact details you submit through demo requests, contact forms, or the support@nextstep.com inbox (name, email, institution, message).
  • Job application materials submitted through the careers section (resume, contact info, work history, links).
  • Account credentials and profile details if you create or sign in to a NextStep account through the login flow.

Automatically

  • Standard web logs from our hosting provider — IP address, user agent, referrer, pages viewed, and timestamps — used for security and reliability.
  • Aggregate, privacy-respecting analytics via Vercel Web Analytics. We do not use third-party advertising trackers, cross-site cookies, or fingerprinting.
  • Strictly necessary cookies and similar storage required for authenticated sessions and preferences.

How We Use Information

  • Respond to inquiries, schedule demos, and communicate about the product.
  • Operate, secure, and improve the marketing site and its underlying infrastructure.
  • Evaluate and respond to job applications.
  • Send transactional or relationship messages you would reasonably expect (e.g., replies to your messages, security notices). We do not send marketing email without consent.
  • Comply with legal obligations and enforce our Terms of Service.

What We Don't Do

  • We do not sell or rent personal information.
  • We do not train or fine-tune AI models on Student Education Records without explicit written authorization from the institution.
  • We do not send Student Education Records, or prompts derived from them, to third-party AI providers. Student-facing inference runs on infrastructure we operate in AWS, Vercel, Supabase, and Cloudflare.
  • We do not use Student Education Records for marketing, advertising, or any purpose other than providing the contracted service.

Sharing

We share information only with vendors who provide services on our behalf, under written agreements that include confidentiality, breach notification, and data-return obligations. Critical and high-risk vendors are reviewed under our Vendor & Third-Party Risk Policy and provide independent assurance such as SOC 2 Type 2.

We may disclose information when required by law, to protect the rights and safety of NextStep, our users, or the public, or in connection with a corporate transaction (with notice where required).

Security

NextStep maintains a SOC 2 Type 2 program covering Security and, where applicable, Confidentiality and Availability. Controls include encryption in transit and at rest, least-privilege access, MFA on administrative access, vulnerability management, monitored production environments, and an incident response program.

No system is perfectly secure. We work to protect your information with industry-standard controls and continuous improvement.

Retention

We keep information for as long as needed to fulfill the purposes described in this policy and to meet legal, accounting, or reporting requirements. Marketing inquiries are retained while a relationship is active and for a reasonable period afterward. Application materials are retained per our hiring policy. Institutional data is returned or destroyed at contract end per the DPA and our Retention & Secure Disposal policy.

Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, or port personal information we hold about you, and to object to or restrict certain processing. We will respond within the timeframes required by applicable law.

You can submit a deletion request using the form below, or contact us using the email link in the footer. For Student Education Records, requests should be directed to your institution, which controls those records. We will support the institution's response.

Data Deletion Request

Use the form below to request deletion of personal information NextStep holds about you. We will verify your identity before acting on the request.

Breach Notification

On confirmation of unauthorized access to or disclosure of Student Education Records, we notify the affected institution within 72 hours. Where breaches involve personal information of Washington residents, individual notifications follow RCW 19.255 and are issued no later than 30 days after discovery, in coordination with the institution.

Children

The marketing site is intended for adult higher-education audiences and is not directed at children under 13. The NextStep product itself is deployed by institutional partners under contracts that govern student data handling, including FERPA and, where applicable, COPPA-aligned controls.

International Users

NextStep is headquartered in the United States and processes data in the United States. By using the marketing site, you understand that information will be transferred to and processed in the U.S. under U.S. law.

Changes

We may update this policy from time to time. Material changes will be reflected by updating the “Last updated” date at the top of this page and, where appropriate, by additional notice. Continued use of the site after the effective date constitutes acceptance of the updated policy.

Contact

For privacy questions, deletion requests, or complaints, use the form above or the contact email in the site footer. NextStep AI Inc., Seattle, Washington, USA.