Privacy Policy
Last updated: 5 May 2026
NIP: 5641685247
Os. Stalowe 2/38, 31-920 Krakow
Email: hello@nextpair.ai
Next Pair (the "Service") is operated by Piotr Klosinski Web and Mobile Development ("we", "us"), a sole proprietorship registered in Poland. This policy explains what personal data we collect when you use nextpair.ai, why we collect it, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR).
1. What we collect
Conversations with the advisor
When you chat with the Next Pair advisor, we store the messages you send and the responses we generate. If you create an account, conversations are linked to your account; if you use the Service without an account, conversations are stored against an anonymous session identifier.
Conversations are public by default. Every conversation has a URL that can be shared, and anyone with the link can view it. When a conversation produces a shoe recommendation, an additional public page is also created (at nextpair.ai/picks/...) and may be indexed by search engines such as Google and Bing. The conversation transcript is collapsed under the recommendation but remains accessible on that page.
What this means for you. Anything you type into a chat — including details some users may consider sensitive (injuries, body weight, location) — may be visible to anyone who has the URL and may be indexed by search engines. If you do not want a particular detail to be public, do not include it in the chat.
Future controls. Once user accounts are introduced, you will be able to mark individual conversations as unlisted (still viewable with the link but excluded from search engines) or private (only visible to you when signed in), and to delete conversations entirely. Until those controls ship, contact us at hello@nextpair.ai to have a specific conversation taken down.
Account information (only if you create an account)
If you sign in, we store the identifier returned by the sign-in provider (e.g. email address). We do not store passwords; authentication is handled by the provider.
Server logs
Our web server records standard request metadata: IP address, timestamp, requested URL, user agent, and HTTP status. Logs are used for security, debugging, and abuse prevention. We do not link server logs to advertising or marketing profiles.
Aggregated traffic data (Cloudflare Web Analytics)
We use Cloudflare Web Analytics to understand aggregate site traffic — pageviews, country, referrer, and Core Web Vitals. It is cookieless and does not track individual visitors: IP addresses are hashed at Cloudflare's edge and not stored, and no fingerprinting is performed. Cloudflare acts as a processor on our behalf. See Cloudflare's analytics privacy notice.
What we do not collect
- We do not run cookie-based or visitor-tracking analytics (no Google Analytics, Plausible, Mixpanel, or similar profile-building products).
- We do not use advertising cookies.
- We do not sell or share personal data with data brokers.
2. Why we process this data (legal basis)
- Performance of a contract / pre-contractual steps (Art. 6(1)(b) GDPR) — processing your messages to generate recommendations is the core of the Service you requested.
- Legitimate interest (Art. 6(1)(f) GDPR) — operating server logs for security and abuse prevention; reviewing aggregated, de-identified conversation data to improve recommendation quality.
- Consent (Art. 6(1)(a) GDPR) — for any optional features that require it (e.g. email updates, if introduced in future). You can withdraw consent at any time.
3. Who we share data with
LLM provider
To generate responses, we send your conversation content to Anthropic, PBC ("Anthropic"), our LLM provider, in the United States. Anthropic processes the content to return a response and does not use it to train its models on this API tier. See Anthropic's privacy policy for details. Transfers to the United States rely on the EU-US Data Privacy Framework and Standard Contractual Clauses.
Hosting
The Service is hosted on infrastructure provided by Hetzner Online GmbH in Germany (EU). Hetzner acts as a processor on our behalf.
Affiliate networks (when affiliate links are active)
If you click an outbound link to a retailer (e.g. Zappos via CJ Affiliate), the affiliate network may set a cookie on the destination site to attribute the click. We do not receive your purchase details — only aggregate commission reports. See our affiliate disclosure.
4. International transfers
As described above, conversation content is processed in the United States by Anthropic. Hosting is in the EU (Germany). Where transfers outside the EEA occur, they are governed by the EU-US Data Privacy Framework and/or Standard Contractual Clauses adopted by the European Commission.
5. How long we keep data
- Conversations: retained while your account exists; for anonymous sessions, retained up to 12 months and then deleted or anonymised. Deleting a conversation also removes its public /picks/ page (the URL returns "410 Gone").
- Server logs: retained up to 90 days, then rotated.
- Account data: retained while your account is active. On deletion request, removed within 30 days, except where retention is required by law (e.g. tax records).
6. Your rights under GDPR
You have the right to:
- Request access to your personal data (Art. 15)
- Request correction of inaccurate data (Art. 16)
- Request erasure of your data (Art. 17)
- Request restriction of processing (Art. 18)
- Receive your data in a portable format (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, where processing is based on consent
To exercise any of these rights, email hello@nextpair.ai. We will respond within one month.
You also have the right to lodge a complaint with the Polish supervisory authority, the Urząd Ochrony Danych Osobowych (UODO), at uodo.gov.pl.
7. Cookies
The Service currently uses only strictly necessary cookies (session identifier, security tokens). These do not require consent under EU rules. We will update this policy and add a consent banner before introducing any non-essential cookies.
8. Children
The Service is not directed at children under 16 and we do not knowingly collect their personal data. If you believe a child has provided us with personal data, contact us and we will delete it.
9. Changes to this policy
We may update this policy as the Service evolves. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated via the Service or by email to account holders.
10. Contact
For privacy questions or to exercise your rights, contact us at hello@nextpair.ai.