NextStation
Sign InGet Started

Privacy Policy

Last updated: June 2, 2026 · Effective: June 2, 2026

NextStation ("we," "us," or "our") operates the NextStation mobile and web application. This policy explains how we collect, use, store, and protect your information, and your rights regarding that information.

Information We Collect

Information You Provide

  • • Email address and password (account registration), or Google account (OAuth sign-in)
  • • Name, military branch, rank category, and pay grade
  • • PCS move details: origin/destination locations, dates, orders information
  • • Questionnaire responses about your move situation
  • • Documents and files you voluntarily upload, which may include military orders, receipts, weight tickets, lease agreements, damage claim letters, HHG inventory photos, and other PCS-related documents. These files may contain personally identifiable information (PII) such as your name, military service number, unit assignment, and financial data.
  • • Photos taken or selected from your device via the HHG Inventory and document upload features
  • • Support messages and feedback you submit
  • • Payment information (processed by Stripe — we do not store card numbers)

Information Collected Automatically

  • • Device type, operating system, and browser
  • • App usage data: pages visited, features used, session duration
  • • IP address (used for security and fraud prevention only)
  • • Error logs and crash reports

Children's Privacy (COPPA)

NextStation is not directed to children under 13. We do not knowingly collect personal information from anyone under 13. If you believe we have inadvertently collected such information, contact us at [email protected] and we will delete it promptly.

How We Use Your Information

  • • To create and manage your account
  • • To generate personalized PCS task checklists based on your profile
  • • To power your timeline, budget tracker, and document vault
  • • To process payments and manage your plan
  • • To send transactional emails (account confirmation, password reset, receipts)
  • • To provide customer support
  • • To improve the platform through aggregated, anonymized usage analytics
  • • To comply with legal obligations

We do not sell, rent, or trade your personal information to third parties for marketing purposes. Ever.

Data Sharing and Third Parties

We share your data only with:

Supabase — Our database and authentication provider. Data is stored in the United States with encryption at rest and in transit.
Stripe — Payment processing for Pro and Family plan purchases. Stripe handles all card data; we only receive a payment token and transaction status.
Google — Optional OAuth sign-in. If you choose to sign in with Google, we receive your name and email address from Google. We do not receive your Google password.
Resend — Transactional email delivery (account confirmation, password reset, deadline alerts, weekly digest). Resend receives your email address and the content of emails sent on your behalf. No marketing data is shared.
OpenAI — Powers the move debrief summary generated when you mark a move as complete. Aggregated move context (task completion counts, dates, locations) is transmitted to OpenAI to generate a summary. We do not send your name, email, or rank to OpenAI. OpenAI's data retention policies apply to submitted content.
PostHog — Product analytics. We use PostHog to understand how users navigate the app (pages visited, features used, funnel completion). PostHog receives your anonymized user ID, session data, and feature interaction events. No document contents, move details, or financial data are sent to PostHog. You can opt out by enabling Do Not Track in your browser.
Cloudflare — Web hosting, CDN, and DDoS protection.
Law enforcement — Only when required by valid legal process (subpoena, court order) or to protect safety.

Data Security

  • • All data is encrypted in transit (TLS 1.2+) and at rest (AES-256)
  • • Row-Level Security (RLS) ensures you can only access your own data
  • • Passwords are hashed using bcrypt and never stored in plain text
  • • We conduct regular security reviews and promptly patch vulnerabilities

No system is 100% secure. In the event of a data breach affecting your personal information, we will notify you within 72 hours via email as required by applicable law.

File and Document Storage

Files and photos you upload are stored in a private, encrypted storage bucket provided by Supabase (AWS S3 infrastructure). Files are not publicly accessible — they can only be accessed by your authenticated account.

Supabase holds SOC 2 Type 2 certification, meaning it has been independently audited for security, availability, and confidentiality. All files are encrypted at rest (AES-256) and in transit (TLS 1.2+).

We do not scan, analyze, or share the contents of your uploaded files with any third party, except as required by valid legal process. Uploaded files are never used to train AI models.

What to know about uploading sensitive documents:

  • • Military orders may contain your full SSN — you may redact it before uploading
  • • You are in control of what you upload and can delete individual files at any time from the Documents section
  • • Deleting your account permanently removes all uploaded files immediately

Data Retention

We retain your data for as long as your account is active. When you delete your account:

  • • Your profile, moves, tasks, and calendar data are deleted immediately
  • • All uploaded files and documents are permanently deleted from storage immediately
  • • Payment records are retained for 7 years as required by tax law (name, amount, date only — no card data)
  • • Anonymized, aggregated analytics data (no PII) may be retained indefinitely

You can delete individual files at any time without deleting your account, from the Documents section of the app.

Your Rights and Choices

You have the right to:

  • Access — Request a copy of your personal data
  • Correct — Update inaccurate or incomplete information via Settings
  • Delete — Delete your account and data via Settings → Account → Delete Account
  • Portability — Request an export of your data in a machine-readable format
  • Opt out — Unsubscribe from marketing emails at any time
  • CCPA — California residents may request disclosure of data sharing and opt out of any future sale of personal information

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

Cookies and Tracking

We use only essential cookies required to maintain your authenticated session and preferences. We do not use third-party advertising cookies, tracking pixels, or behavioral advertising. You can clear cookies at any time through your browser settings; this will sign you out.

International Users

NextStation is operated in the United States. If you access the service from outside the US (including OCONUS military installations), your data will be transferred to and processed in the United States. By using NextStation, you consent to this transfer.

Contact Us

For privacy-related questions, data requests, or concerns:

We may update this Privacy Policy periodically. Material changes will be communicated via email or an in-app notice at least 14 days before taking effect. Your continued use after the effective date constitutes acceptance.