Next Shell – Privacy Policy

Last updated and effective date: 5 June 2025

TL;DR We collect the minimum personal data needed to run a paid, one-time-fee Next.js starter-kit service, host it entirely in Germany, and never sell your data—ever. What follows are the long-form legal details.

1. Who We Are

Wust, LLC ("Company," "we," "our," or "us") operates the Next Shell website, app, and related services (the "Service"). Privacy contact: [email protected]

We act as the data controller for the personal data described here unless we state otherwise.

2. Scope

This Privacy Policy applies to:

  • wust.co and any sub-domains;
  • nextshell.dev and any sub-domains;
  • the hosted Next.js starter-kit dashboard;
  • customer-support channels (email, in-app chat);
  • marketing communications we send.

It does not cover third-party sites or services you reach via outbound links.

3. The Data We Collect

  1. Account Data

    • Name, email address
    • Source: Provided by you when signing up or updating your profile
  2. Payment Data

    • Transaction ID, payment status, last 4 digits of card (no full card numbers stored)
    • Source: Received from Stripe, Inc. after checkout
  3. Usage Data

    • IP address, device type, browser, pages viewed, duration, clicks, crash logs
    • Source: Collected via Google Analytics, Umami (self-hosted), server logs, Sentry
  4. Marketing Data

    • Email-open and click metrics
    • Source: Generated by Resend email pixels when you opt in
  5. Support Data

    • Emails, attachments, screenshots
    • Source: Provided by you during support interactions

We do not intentionally collect: sensitive categories (health, biometrics, etc.), data about children, or precise mobile-GPS location.

4. Why We Process Your Data — & Lawful Bases (GDPR)

  1. Create & manage your account, authenticate you, deliver licence

    • Legal basis: Contract (Art. 6 (1)(b))
  2. Process payments, detect fraud

    • Legal basis: Contract & Legitimate interests (Art. 6 (1)(f))
  3. Analyse feature adoption, debug errors, improve UX

    • Legal basis: Legitimate interests – keeping the Service reliable and useful
  4. Send onboarding tips & essential service messages

    • Legal basis: Legitimate interests (you may opt out of non-essential email)
  5. Send newsletters & promos

    • Legal basis: Consent (Art. 6 (1)(a)); you can withdraw anytime
  6. Comply with accounting, tax and other laws

    • Legal basis: Legal obligation (Art. 6 (1)(c))

5. Cookies & Similar Tech

We use:

  1. Essential cookies – keep you logged in, remember preferences.
  2. Analytics cookies / localStorage – measure traffic (Google Analytics, Umami).
  3. Marketing cookies / email pixels – only if you subscribe to our mailing list.

A cookie consent banner lets EU/UK users opt in or out of non-essential cookies.

6. Where & How We Store Data

  • Primary hosting: Hetzner, Falkenstein & Nuremberg, Germany.
  • CDN & DDoS mitigation: Cloudflare (may transiently route data through global edge locations). Standard Contractual Clauses (SCCs) apply for any non-EEA transfers.
  • Email & backups: AWS SES & S3 (eu-central-1 ≈ Frankfurt).
  • Other sub-processors: Stripe, Inc. (payments), Resend (emails), Google (Analytics & OAuth), Umami-rs (self-hosted), Sentry (error logging). Each provider is contractually bound to GDPR-level protections and, where required, SCCs or the EU–US Data Privacy Framework.

We do not intentionally store personal data outside Germany except transiently through the above providers' networks.

7. Data Retention

  1. Account & licence data

    • Until you delete your account or 24 months of inactivity, whichever comes first
  2. Usage & analytics logs

    • 180 days
  3. Backups

    • Encrypted; rolled every 30 days
  4. Emails & support tickets

    • 18 months after ticket closure

We may keep minimal records (e.g., invoices) as required by tax or bookkeeping laws (typically 7–10 years).

8. Security Measures

We use reasonable technical and organisational safeguards, including:

  • TLS 1.3 encryption for data in transit
  • AES-256 encryption for backups at rest
  • Cloudflare WAF & rate-limiting
  • Strict SSH key-based server access; least-privilege IAM roles
  • Weekly dependency-security scans & automatic patching

Important: No system is perfectly secure. If we ever detect a breach affecting your personal data, we will notify you and regulators as required by law.

9. Your Privacy Rights

Depending on where you live (EEA/UK/Switzerland, California, etc.) you may have the right to:

  1. Access the personal data we hold about you.
  2. Rectify inaccurate or incomplete data.
  3. Erase data ("right to be forgotten").
  4. Restrict or object to certain processing.
  5. Receive a machine-readable copy of your data (data portability).
  6. Withdraw consent (for marketing/cookies) at any time.
  7. Lodge a complaint with a supervisory authority (e.g. Bayerisches LDI in Germany) if you believe we violate GDPR.

Submit requests via account settings or email [email protected]. We respond within 30 days.

10. Children

The Service is not directed to anyone under 18. We do not knowingly collect children's data. If you believe a minor has provided us personal data, contact us and we will delete it.

11. International Transfers

Where we transfer personal data outside the EEA/UK (e.g., to Stripe, Inc. or Cloudflare in the US), we rely on:

  • An adequacy decision (EU–US DPF) or
  • Commission-approved Standard Contractual Clauses plus supplementary safeguards (encryption, access controls).

12. Information Sharing

We share your data only:

  • With the sub-processors listed in §6, strictly for service delivery.
  • If required by law or valid legal process (after we notify you unless legally forbidden).
  • To defend our rights, property or safety, or that of users or the public.
  • With your explicit consent.

We never sell personal data.

13. Changes to This Policy

We may update this Policy occasionally. For material changes we will:

  1. Post the new version here, and
  2. Email you or display an in-app banner as soon as the change becomes effective.

Continuing to use the Service after the effective date means you accept the revised Policy.

14. Contact & Complaints

Questions, concerns or complaints? Email [email protected] and we'll respond within two business days.

If you are an EEA or UK resident and feel we've not resolved your issue, you can lodge a complaint with your local data-protection authority.

© 2025 Wust, LLC. All rights reserved.
