Privacy Policy
Effective date: 2026-05-05
Draft notice. This document is a draft prepared from internal product and data-architecture notes. It has not been reviewed by counsel. Do not publish to https://nextcatch.app/legal/privacy or paste into App Store Connect / Google Play Console privacy fields until a qualified attorney has reviewed it.
This Privacy Policy describes how TopTech Inc, a Maryland corporation ("Next Catch", "we", "us", or "our"), collects, uses, shares, and protects information when you use the Next Catch mobile application and any related online services (the "Service").
If you have questions about this Policy, contact us at privacy@nextcatch.app or at the postal address in §14.
1. Who We Are
TopTech Inc is the controller of personal data collected through the Service.
TopTech Inc
1451 Rockville Pike, Ste 250 -303
Rockville, MD 20852
United States
Privacy contact: privacy@nextcatch.app
We do not currently have an appointed representative under Article 27 of the GDPR (for the European Economic Area), Article 27 of the UK GDPR (for the United Kingdom), or Article 14 of the revised Swiss Federal Act on Data Protection (for Switzerland). If our processing of personal data of residents in any of those regions reaches a level that requires us to appoint a representative, we will do so and update this Policy accordingly.
2. Information We Collect
We collect only the information needed to operate the Service. The categories below describe everything we collect, when, and why.
2.1 Device identifier
When you first launch the app, we generate a random, installation-scoped identifier (the "Device ID") on your device and send it to our servers. The Device ID lets us route notifications to your device and remember which retailers you have subscribed to, without requiring you to create an account.
The Device ID is not derived from any hardware identifier and is not shared across other apps. It is reset if you reinstall the app.
2.2 Push notification tokens
If you grant the operating-system permission for notifications, we receive a push token issued by Apple Push Notification service (APNs) for iOS or Firebase Cloud Messaging (FCM) for Android. We use this token solely to deliver deal alerts to your device.
2.3 Sign-in identifier (optional)
If you choose to sign in with Apple or Google, we receive the user identifier provided by the respective platform (e.g., the Apple "user" identifier or the Google sub claim). We use this identifier to link your Device IDs across multiple devices and reinstalls so that your subscriptions and Pro entitlement follow you.
We never receive your password.
2.4 Email address (optional)
If you sign in with Apple or Google and grant permission to share your email address, we receive that email address. We use it solely for account recovery and, if you contact us, to respond to your support request. We do not send marketing email.
2.5 Subscriptions, filters, and preferences
We store the set of retailers you have subscribed to in the app, any per-site filters you configure (Pro), and your tier (free or Pro). This information is what the Service uses to decide which alerts to send you.
2.6 Subscription entitlement and purchase receipts
If you subscribe to Pro, Apple or Google issues a purchase receipt to your device. The receipt is forwarded to our subscription-management processor, RevenueCat, which validates the receipt with Apple or Google and tells our servers whether your Pro entitlement is active. We do not receive your full payment-method details (e.g., credit-card number).
2.7 Diagnostic logs
When the app or our servers encounter errors, we log technical diagnostics (stack traces, error codes, request paths, timestamps). These logs may include your Device ID and, if you have signed in, the identifier we associate with your account, so we can trace a specific failure back to the request that caused it. Diagnostic logs are retained for 14 days and then automatically deleted.
2.8 Information we do not collect
We want to be explicit about what we do not collect:
- Location. We do not request or collect device location.
- Contacts. We do not access your contacts.
- Photos, microphone, camera. We do not access these.
- Health, biometric, or financial data.
- Browsing history outside the app.
- Advertising identifiers (IDFA / GAID). We do not call Apple's App Tracking Transparency framework and do not collect IDFA. We do not run advertising of any kind in the Service.
- Behavioral or analytics SDKs that profile users.
3. How We Use Information
We use the categories described in §2 only for the following purposes:
- Deliver the Service. Route deal alerts to your device, scope retailer subscriptions and filters to your account or device, honor your free or Pro tier.
- Authenticate cross-device sync. If you sign in, link your devices to a single account.
- Validate Pro entitlement. Confirm with Apple, Google, and RevenueCat that an active Pro subscription is on file.
- Support. Respond to questions and trouble reports you send us.
- Diagnose and improve the Service. Investigate crashes, errors, and performance issues using diagnostic logs.
- Comply with law. Respond to lawful requests from authorities, enforce our Terms, and prevent fraud or abuse.
We do not use any information collected through the Service for advertising, profiling, or sale to third parties.
4. How We Share Information
We share information only with the categories of recipients below, and only as necessary to operate the Service.
- Apple Inc. We rely on the Apple App Store for distribution and billing, on Sign in with Apple for authentication, and on Apple Push Notification service (APNs) for notification delivery. Apple receives the data necessary to provide those services, governed by Apple's privacy policy.
- Google LLC. We rely on Google Play for distribution and billing, on Sign in with Google for authentication, and on Firebase Cloud Messaging (FCM) for notification delivery. Google receives the data necessary to provide those services, governed by Google's privacy policy.
- RevenueCat, Inc. Our subscription-management processor. RevenueCat receives purchase receipts, entitlement state, and a pseudonymous app-user identifier for the purpose of validating Pro status.
- Amazon Web Services, Inc. (AWS). Our infrastructure provider. AWS hosts the databases, push-fan-out service, serverless compute, and observability that power the Service. AWS processes data on our instructions under the AWS Data Processing Addendum.
- Residential proxy provider. Our scraping pipeline routes outbound requests to retailer websites through a third-party residential proxy. The proxy provider does not receive any user data; it sees only outbound retailer traffic.
A current data-processing agreement (DPA) is on file with each processor that handles personal data.
No sale or sharing for advertising. We do not sell personal information, and we do not share personal information for "cross-context behavioral advertising" as those terms are defined under the California Consumer Privacy Act / California Privacy Rights Act.
Compelled disclosure. We may disclose information when we believe in good faith that disclosure is required by law, lawful process, or to protect the rights, property, or safety of TopTech Inc, our users, or the public.
Corporate transactions. If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or material change in use of your information.
5. International Data Transfers
We are located in the United States, and our infrastructure is hosted in AWS region us-east-1 (Northern Virginia). If you use the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws different from those of your country.
For users in the European Economic Area, the United Kingdom, or Switzerland, transfers are made under the Standard Contractual Clauses incorporated into the AWS Data Processing Addendum and the RevenueCat Data Processing Addendum.
6. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy.
- Account data (Device ID, push tokens, sign-in identifier, subscriptions, filters): retained until you delete your account or stop using the Service.
- Diagnostic logs: 14 days.
- Billing and purchase records: retained as required by Apple, Google, and applicable tax and financial-records laws (typically several years).
When you delete your account, we delete or de-identify your data within 30 days, except as noted above. Some data may persist in encrypted backups for up to 90 days before being purged.
7. Security
We implement reasonable technical and organizational measures to protect personal data, including:
- TLS encryption for all data in transit;
- Encryption at rest in AWS;
- Scoped, least-privilege access controls for our personnel;
- Avoidance of personal data in application logs;
- Secure storage of sign-in tokens on your device using Apple Keychain (iOS) and the Android Keystore (Android).
No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
8. Your Rights and Choices
Subject to applicable law, you have the following rights with respect to your personal data. Sections 9 and 10 below describe additional rights for California, EEA, UK, and Swiss residents.
- Access. You can request a copy of the personal data we hold about you.
- Correction. You can correct most of your personal data directly in the app's settings; for the rest, email us.
- Deletion. You can delete your account at any time from Settings → Account → Delete Account in the app. The deletion flow described in §17 of our Terms of Service applies.
- Portability. You can request an export of your data in a portable format.
- Restriction or objection. You can ask us to restrict or stop processing your data, where applicable law gives you that right.
- Withdraw consent. Where processing is based on consent (for example, your sign-in), you may sign out at any time in Settings → Account. Signing out revokes the link between your Apple/Google identifier and our servers.
- Notifications. You can change OS-level notification permission and per-retailer subscriptions at any time in the app's Settings or your device's system settings.
To exercise any right not handled in-app, email privacy@nextcatch.app. We respond within 30 days. We may need to verify your identity (for example, by confirming control of the email address on file) before fulfilling the request.
You also have the right to lodge a complaint with a supervisory authority or attorney general's office. We would prefer the chance to address your concern first; you can reach us at privacy@nextcatch.app.
9. California Privacy Rights (CCPA / CPRA)
This section applies to California residents and supplements the rest of this Policy.
Categories of personal information collected. In the past 12 months, we have collected the following categories of personal information, as defined by the CCPA:
- Identifiers — Device ID, push tokens, optional Apple/Google user identifier, optional email.
- Commercial information — Subscription history, Pro entitlement.
- Internet or other electronic-network activity information — In-app interactions necessary to operate the Service (e.g., retailer subscription toggles).
We do not collect any other CCPA category, including: protected classifications, biometric information, geolocation data, sensory data, professional or employment information, education information, or inferences drawn from any of the foregoing.
Sources. Information comes directly from you, your device, Apple, Google, and RevenueCat (for purchase receipts).
Purposes. As described in §3.
Recipients. As described in §4.
Sales and sharing. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising. We do not run advertising in the Service.
Your rights. California residents have the right to know, correct, and delete their personal information, the right to limit our use of sensitive personal information (we collect none), and the right to non-discrimination for exercising any of these rights. To exercise your rights, use the in-app deletion path or email privacy@nextcatch.app.
Authorized agents. You may use an authorized agent to submit a request on your behalf; we will require written proof of authorization and may verify your identity directly.
10. EEA, UK, and Swiss Privacy Rights (GDPR)
This section applies to residents of the European Economic Area, the United Kingdom, and Switzerland and supplements the rest of this Policy.
Lawful bases. We process your personal data on the following legal bases:
- Performance of a contract (GDPR Art. 6(1)(b)) for the data needed to deliver the Service: Device ID, push tokens, retailer subscriptions, filters, purchase receipts, entitlement state.
- Consent (Art. 6(1)(a)) for optional sign-in via Apple or Google and for the email address shared during sign-in. You may withdraw consent by signing out.
- Legal obligation (Art. 6(1)(c)) for retention of billing and tax records.
- Legitimate interests (Art. 6(1)(f)) for diagnostic logging, fraud prevention, and the security of the Service. Our interest is balanced against your rights and freedoms.
Your rights. You have the rights described in §8, plus the right to lodge a complaint with the data-protection authority of your country of residence. A directory of EU authorities is available at https://edpb.europa.eu/.
International transfers. As noted in §5, transfers from the EEA, UK, or Switzerland to the United States are made under the Standard Contractual Clauses.
Automated decision-making. We do not engage in automated decision-making that produces legal or similarly significant effects.
11. Children's Privacy
The Service is not directed to children under the age of 13, and is not directed to children under the age of 16 in the European Economic Area or the United Kingdom. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without the consent of a parent or guardian, we will delete it.
If you are a parent or guardian and believe a child has provided us with personal information, please contact us at privacy@nextcatch.app.
12. Third-Party Services
The Service relies on services operated by third parties, each with its own privacy policy. We encourage you to review them:
- Apple Inc. — https://www.apple.com/legal/privacy/
- Google LLC — https://policies.google.com/privacy
- RevenueCat, Inc. — https://www.revenuecat.com/privacy/
- Amazon Web Services, Inc. — https://aws.amazon.com/privacy/
The retailers monitored by the Service operate their own websites and privacy policies. When you tap through from a deal alert to a retailer's website, that retailer's policy applies, not ours.
13. Changes to This Policy
We may update this Policy from time to time. The current version is always available at https://nextcatch.app/legal/privacy. The Effective date at the top indicates when this Policy was last revised. We will notify you of material changes in advance through an in-app notice, an email to the address (if any) associated with your account, or both. Non-material changes (typos, clarifications, formatting) are recorded in the changelog without separate notice.
14. Contact
For privacy questions, requests, or complaints:
TopTech Inc
Attn: Privacy
1451 Rockville Pike, Ste 250 -303
Rockville, MD 20852
United States
Email: privacy@nextcatch.app
Changelog
- 2026-05-05 — Initial version.