Privacy Policy
Last updated: May 16, 2026
This Privacy Policy explains how NextBill ("we," "us," "our") collects, uses, stores, and shares information about you when you use our website and services at nextbill-nti.com. We comply with the Philippines' Data Privacy Act of 2012 (Republic Act 10173) and its Implementing Rules and Regulations.
1. Who we are
NextBill is an online bill-splitting service operated by Nextcore Technology Inc., a domestic corporation registered in the Philippines (TIN 686-391-731-00000, BIR RDO 039 — South Quezon City). Our registered office is at 17E Floor, Atherton Place Condominium, Tomas Morato cor. Roces Ave., Laging Handa, 1103 Quezon City, NCR, Philippines.
Nextcore Technology Inc. is the data controller for the information described below. You can reach us at support@nextbill-nti.com.
2. Information we collect
We collect only what we need to run the service:
- Account information: your name, email address, and a one-way hash of your password (we never store your password in readable form). Optionally, the name and email of an inviter if you joined via invitation.
- Bill data: the title, description, currency, subtotal, tax, service charge, participant names and emails, and split mode for each bill you create, plus your record of who has been marked paid.
- Group data: the name, description, default currency, and member list of any groups you own or join.
- Payment information (Pro subscribers only): we do not store your full card number, expiry, or CVC. These fields are sent directly to our payment processor (PayMongo). We store only the PayMongo customer ID and subscription ID associated with your account, plus subscription state (plan, period end).
- Session data: a signed session cookie identifying you while logged in, and a current session ID that allows us to enforce single-active-session security.
- Email verification and password reset tokens: short-lived random tokens used to confirm your email or reset your password.
- Operational metadata: request IP addresses and timing used for rate limiting; standard server logs that may include IP address, user agent, and request path.
3. How we use your information
- To operate the bill-splitter, calculate shares, and send receipt and reminder emails to the addresses you specify.
- To authenticate you, verify your email, and let you reset your password.
- To process subscription payments and grant or revoke Pro features.
- To prevent abuse (rate limiting, fraud detection, single-session enforcement).
- To respond to your support requests.
- To comply with legal obligations.
4. Who we share information with
We use a small number of trusted subprocessors. We never sell your information to anyone, and we share only what is necessary for each service to do its job.
- Neon (Postgres database hosting): stores your account, bill, group, and subscription state. Data is stored in encrypted form at rest.
- Vercel (application hosting): runs the NextBill application and handles incoming HTTPS traffic.
- PayMongo (payment processing — Philippines customers): processes card payments and recurring charges for Pro subscriptions billed in PHP. Card details are submitted directly to PayMongo and never reach our servers in readable form. PayMongo's privacy policy applies to the information they receive.
- Paddle (payment processing — international customers): processes card, Apple Pay, Google Pay, and PayPal charges for Pro subscriptions billed in USD. Paddle acts as the Merchant of Record: they are the seller from a billing/tax perspective and handle global VAT/sales tax. Your name, email, card details, and billing address are sent directly to Paddle; their privacy policy applies.
- Microsoft Azure Communication Services (email): sends transactional emails (bill shares, reminders, invitations, password resets, email verification).
- Upstash (rate-limit cache): stores short-lived identifiers (such as IP addresses or email hashes) to enforce rate limits on sensitive endpoints.
We may also disclose information when legally required (court order, subpoena, government request) or to protect the rights, property, or safety of NextBill, our users, or the public.
5. Cookies and similar technologies
We use a single first-party cookie named nextbill_session to keep you logged in. It is HTTP-only, secure (in production), and SameSite=lax. We do not use third-party advertising or tracking cookies. We do not use Google Analytics, Facebook Pixel, or similar trackers.
6. Email communications
We send transactional emails (account verification, password resets, bill shares you initiate, payment notifications). We do not send marketing or promotional emails. You can stop receiving transactional emails by deleting your account or by ceasing to use the service.
7. Data retention
We retain your account and the bills, groups, and subscription history associated with it for as long as your account remains active. If you delete your account or request deletion under section 8 below, we will remove your personal data from our database within 30 days, except where we are required to retain it for legal, accounting, or fraud-prevention purposes (e.g. payment records held under BIR requirements).
8. Your rights under the Data Privacy Act
You have the right to:
- be informed of how we process your personal data;
- access a copy of the data we hold about you;
- request correction of inaccurate data;
- request deletion of your data, subject to legal retention requirements;
- object to processing or withdraw consent (where applicable);
- file a complaint with the National Privacy Commission (privacy.gov.ph).
To exercise any of these rights, email support@nextbill-nti.com. We will respond within 30 days.
9. Security
We protect your data with industry-standard measures: HTTPS for all traffic, bcrypt-hashed passwords, signed session cookies, single-active-session enforcement, rate limiting on authentication endpoints, and encrypted database storage at rest. No system is perfectly secure; if we ever experience a data breach affecting your personal information, we will notify you and the National Privacy Commission as required by law.
10. Children's privacy
NextBill is not directed at children under 13, and we do not knowingly collect personal data from them. If you believe a child has provided us with information, please contact us so we can delete it.
11. International data transfers
Our subprocessors operate globally and may process data in regions outside the Philippines (typically the United States, the EU, and Singapore). We rely on contractual safeguards offered by each subprocessor to ensure your data continues to be protected at a comparable standard.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will change the "Last updated" date at the top, and for material changes we will email account holders.
13. Contact us
Questions, requests, or concerns: support@nextbill-nti.com.