NextUp logo NextUp Create room

Privacy

Privacy Policy

This privacy policy explains how NextUp handles data. NextUp is a small public personal project for creating private rotation rooms for standups and similar team routines.

Last updated: May 9, 2026

Sensitive data warning

NextUp does not require user accounts, does not use analytics, does not use advertising trackers, and does not intentionally ask you to provide personal data. However, if you enter names or other information into a room, that information may be personal data.

Please do not enter sensitive personal data into NextUp.

1. Who operates NextUp

NextUp is operated by:

Drilon Recica
Email: [email protected]

This email is provided for privacy questions about NextUp. Most room data should be managed directly through the room admin tools. Because NextUp does not have user accounts and does not verify the identity of room members, requests about a specific room may require enough information to identify the room and confirm that the requester is allowed to manage that room.

2. What data NextUp stores

NextUp stores the data needed to run private rotation rooms:

  • room names;
  • member names entered into a room;
  • member badges, colors, and optional display details;
  • room settings such as label type, language, view mode, and access settings;
  • rotation history, such as who was current, skipped, or advanced;
  • hashed passwords, hashed edit tokens, hashed recovery codes, and hashed session tokens;
  • session records with expiry times;
  • password lockout and rate-limit records used for security and abuse prevention.

Passwords, edit tokens, recovery codes, and session tokens are not stored in plaintext.

3. Live presence and cursors

When live room updates are enabled, NextUp may temporarily process:

  • a random system-generated visitor name;
  • a temporary client identifier;
  • cursor position data;
  • live room presence state.

This data is used only to show active visitors and cursor labels in a room. It is kept in server memory only and is not written to the database. It disappears when the visitor disconnects or times out.

4. Cookies and sessions

NextUp uses functional cookies for access control and security.

The main cookies are:

  • nextup_room_session, used for room view, edit, or admin access;
  • nextup_master_session, used only for the private master admin area.

These cookies are HttpOnly session cookies and are required for the service to work. They are not used for analytics or advertising.

Current session durations are:

  • view access: up to 7 days;
  • edit access: up to 24 hours;
  • room admin access: up to 2 hours;
  • master admin access: up to 2 hours.

Because NextUp does not use analytics, advertising, or marketing cookies, there is no cookie consent banner.

5. Why this data is used

NextUp processes this data to:

  • create and operate rotation rooms;
  • show previous, current, and next members;
  • protect rooms with passwords or private edit links when enabled;
  • provide room admin and recovery features;
  • provide live room updates and temporary cursor presence;
  • prevent abuse, brute-force attempts, and repeated invalid requests;
  • maintain the security and reliability of the service.

6. Legal basis

For EU/GDPR purposes, NextUp processes data mainly because it is necessary to provide the service requested by users and because there is a legitimate interest in operating, securing, and maintaining the tool.

Where users enter room names, member names, or similar content, they choose what to enter. NextUp is intended for simple rotation data, not sensitive personal data.

7. What NextUp does not do

NextUp does not:

  • require public user accounts for room members;
  • sell personal data;
  • use advertising trackers;
  • use analytics scripts;
  • use tracking pixels;
  • store plaintext passwords, edit tokens, recovery codes, or session tokens;
  • publish a public directory of rooms;
  • write live cursor positions to the database.

8. Hosting and service providers

NextUp is deployed on a server managed by the operator. The production deployment is intended to run on a Hetzner VPS through Coolify.

If you contact the operator by email, your email will be processed by the email provider used for that mailbox.

NextUp does not intentionally share room data with analytics, advertising, or marketing providers.

9. Retention

Rooms and their current room data remain stored until a room admin or master admin deletes the room.

Rotation event history is used to show recent activity and support room behavior. Old rotation events may be cleaned up automatically.

Session records expire automatically. Expired sessions may be removed when the app starts or when sessions are checked.

Live presence and cursor data is temporary and kept only in memory while visitors are connected.

Security records such as rate limits and password lockouts are kept as needed to protect the service from abuse.

10. Your choices and rights

Room admins can manage most room data directly. They can edit room data, change access settings, regenerate private links, reset recovery codes, and delete rooms.

NextUp does not have public user accounts and does not collect email addresses from room members. This means the operator may not be able to identify a specific person or verify whether a requester is connected to a specific room.

If you have a privacy question or a request that cannot be handled through the room tools, you can contact the operator: [email protected]. Requests about a specific room may require enough information to identify the room and confirm that the requester is allowed to manage that room.

Depending on your location, you may have rights to access, correction, deletion, objection, restriction of processing, or complaint to a data protection authority. These rights may be limited where NextUp cannot identify the requester or connect the requester to specific room data.

11. Security

NextUp uses security measures such as hashed secrets, HttpOnly cookies, origin checks, rate limits, password lockouts, and noindex settings for private pages.

No online service can guarantee perfect security, but NextUp is designed to avoid unnecessary data collection and to avoid storing sensitive secrets in plaintext.

12. Changes

This privacy policy may be updated when NextUp changes how it handles data. The "Last updated" date will be changed when the policy is updated.