Logo

Privacy Policy

Effective date: 10/10/2025

1. Introduction

Welcome to The Next Layer

The Next Layer, operated by Ourfires LTD ("us", "we", or "our"), a company registered in the United Kingdom (Company House Registration Number: 10271109), operates https://www.thenextlayer.co (hereinafter referred to as "Service" or "Website").

Our Privacy Policy governs your visit to https://www.thenextlayer.co, explains how we collect, safeguard, and disclose information that results from your use of our Service, and sets out your rights under UK data protection law.

We use your data to provide and improve our Service. By using our Service, you agree to the collection and use of information in accordance with this policy. Unless otherwise defined in this Privacy Policy, the terms used have the same meanings as in our Terms and Conditions.

Our Terms and Conditions ("Terms") govern all use of our Service and together with this Privacy Policy constitute your agreement with us ("agreement").

Data Controller: Ourfires LTD, 41 Devonshire Street, London, England W1G 7AJ, United Kingdom.

2. Definitions

SERVICE means the https://www.thenextlayer.co website and associated client portal operated by The Next Layer (Ourfires LTD).

PERSONAL DATA means data about a living individual who can be identified from that data (or from that data and other information either in our possession or likely to come into our possession).

USAGE DATA is data collected automatically, either generated by the use of the Service or from the Service infrastructure itself (for example, the duration of a page visit, pages viewed, or user interactions).

COOKIES are small files stored on your device (computer or mobile device) that help us provide and improve our Service.

DATA CONTROLLER means a natural or legal person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed. For the purpose of this Privacy Policy, we (Ourfires LTD) are the Data Controller of your data.

DATA PROCESSORS (OR SERVICE PROVIDERS) means any natural or legal person who processes data on behalf of the Data Controller. We use the services of various Service Providers to process your data more effectively.

DATA SUBJECT is any living individual who is the subject of Personal Data.

USER is the individual using our Service. The User corresponds to the Data Subject, who is the subject of Personal Data.

UK GDPR means the UK General Data Protection Regulation, as incorporated into UK law by the Data Protection Act 2018.

ICO means the Information Commissioner's Office, the UK's independent supervisory authority for data protection.

Under UK GDPR, we process your personal data on the following legal bases:

Contract Performance: Processing necessary to perform our contract with you (providing design services, managing your subscription, processing payments).

Legitimate Interests: Processing necessary for our legitimate interests (improving our services, marketing to existing clients, preventing fraud, website analytics) where such interests are not overridden by your rights.

Consent: Where you have explicitly consented to processing (e.g., marketing cookies, newsletter subscriptions).

Legal Obligation: Where we are required to process data to comply with UK law (e.g., tax records, financial regulations).

4. Information Collection and Use

We collect several different types of information for various purposes to provide and improve our Service to you.

5. Types of Data Collected

5.1 Personal Data

While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you ("Personal Data"). Personally identifiable information may include, but is not limited to:

  • Email address
  • First name and last name
  • Company name and business information
  • Payment information (processed by our payment processor)
  • Phone number (if provided for booking or support)
  • Any information you provide through our client portal or communication channels
  • Cookies and Usage Data

We may use your Personal Data to:

  • Provide and maintain our Service
  • Process your subscription and payments
  • Communicate with you about your projects, account, and services
  • Send you administrative information, updates, and support messages
  • Improve our Service and user experience

Marketing Communications: With your consent, we may use your Personal Data to contact you with newsletters, marketing or promotional materials, and other information that may be of interest to you. You may opt out of receiving any, or all, of these communications from us by following the unsubscribe link in any email or by contacting us at support@thenextlayer.co.

5.2 Usage Data

We may also collect information that your browser sends whenever you visit our Service or when you access the Service by or through a mobile device ("Usage Data").

This Usage Data may include information such as:

  • Your computer's Internet Protocol address (IP address)
  • Browser type and version
  • The pages of our Service that you visit
  • The time and date of your visit
  • The time spent on those pages
  • Unique device identifiers
  • Operating system
  • Referring website
  • User interactions and behaviour on our Website
  • Other diagnostic data

When you access the Service with a mobile device, this Usage Data may include information such as:

  • The type of mobile device you use
  • Your mobile device unique ID
  • The IP address of your mobile device
  • Your mobile operating system
  • The type of mobile Internet browser you use
  • Unique device identifiers
  • Other diagnostic data

5.3 Tracking & Cookies Data

We use cookies and similar tracking technologies to track activity on our Service and hold certain information.

Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies such as beacons, tags, pixels, and scripts are also used to collect and track information and to improve and analyse our Service.

You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our Service, and some features may not function properly.

Types of Cookies We Use:

Essential Cookies (Strictly Necessary):

  • Authentication cookies: customer_id and customer_email - Used to keep you logged into your account (HttpOnly, Secure, SameSite: Lax, 7-day expiration)
  • Supabase session cookies: Manages your secure authentication session
  • Theme preference cookies: Stores your display preferences (managed by next-themes)

These cookies are essential for the Service to function and cannot be disabled without affecting functionality.

Analytics Cookies (With Your Consent):

  • PostHog cookies: ph_[project_key]_posthog - Stores anonymized analytics data to help us understand how users interact with our Service. Data is processed on EU servers.
  • Ahrefs Analytics cookies: Tracks website traffic and performance metrics

Advertising/Marketing Cookies (With Your Consent):

  • Facebook Pixel cookies: _fbp, _fbc and related cookies - Used for advertising, remarketing, and measuring ad performance
  • Google Ads cookies: Used for advertising campaigns and conversion tracking

Managing Cookies:

You can control and manage cookies in various ways:

Please note that refusing cookies may impact your experience and functionality of our Service.

6. Use of Data

The Next Layer uses the collected data for various purposes:

  1. To provide, maintain, and improve our Service
  2. To manage your subscription and process payments
  3. To communicate with you about your projects, deliverables, and account
  4. To provide customer support and respond to your requests
  5. To send administrative information, including updates to our Terms and Conditions or Privacy Policy
  6. To allow you to participate in interactive features of our Service (such as the client portal)
  7. To monitor usage of our Service and analyze trends
  8. To detect, prevent, and address technical issues, fraud, or security vulnerabilities
  9. To gather analysis and valuable information to improve our Service
  10. To personalize and improve your experience
  11. To manage and fulfill our contractual obligations to you, including billing and collection
  12. To provide you with notices about your subscription, including expiration and renewal notices
  13. With your consent, to provide you with news, special offers, portfolio showcases, and information about our services
  14. To enforce our Terms and Conditions and protect our rights and property
  15. For any other purpose with your consent or as permitted by law

7. Retention of Data

We will retain your Personal Data only for as long as necessary for the purposes set out in this Privacy Policy and to comply with our legal obligations.

Subscription Data: We retain your personal and account data for the duration of your active subscription and for up to 7 years after termination to comply with UK financial and tax regulations.

Usage Data: Usage Data is generally retained for shorter periods (typically 12-24 months) for internal analysis, except when used to strengthen security, improve functionality, or when we are legally required to retain data for longer periods.

Marketing Data: If you opt out of marketing communications, we retain your email address on a suppression list to honor your preferences.

Project Files: We retain project files and deliverables during your active subscription and for a reasonable period after cancellation (typically 90 days) to facilitate service continuity or re-activation.

You have the right to request deletion of your Personal Data at any time, subject to our legal obligations to retain certain information.

8. Transfer of Data

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of the United Kingdom where data protection laws may differ from those of the UK.

International Data Transfers:

We use several service providers located outside the UK and European Economic Area (EEA), primarily in the United States. These transfers are made in accordance with UK GDPR requirements through one or more of the following safeguards:

  1. Adequacy Decisions: Where the UK government has determined that a country provides adequate protection for personal data
  2. Standard Contractual Clauses (SCCs): We use International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses approved by the UK ICO
  3. Data Processing Agreements: We have data processing agreements with all service providers that process personal data on our behalf

Service Providers and Data Locations:

US-Based Service Providers:

  • Stripe (Payment Processing) - United States
  • Resend (Email Communications) - United States
  • Vercel (Website Hosting) - United States (with global CDN)
  • Facebook/Meta (Advertising) - United States
  • Google (Advertising) - United States
  • Cal.com (Booking/Scheduling) - United States

EU-Based Service Providers:

  • PostHog (Analytics) - Processed on EU servers (https://eu.i.posthog.com)
  • Supabase (Client Portal & File Storage) - EU hosted

Other International Service Providers:

  • Ahrefs (Analytics) - Singapore

Your consent to this Privacy Policy followed by your submission of such information represents your agreement to these transfers.

We take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy. No transfer of your Personal Data will take place to an organization or country unless there are adequate controls in place, including the security of your data and other personal information.

9. Disclosure of Data

We may disclose Personal Data that we collect, or you provide, in the following circumstances:

9.1 Disclosure for Law Enforcement

Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g., a court, government agency, or law enforcement).

9.2 Business Transaction

If we or our subsidiaries are involved in a merger, acquisition, asset sale, or bankruptcy, your Personal Data may be transferred as part of that transaction. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.

9.3 Service Providers

We share your Personal Data with third-party service providers who perform services on our behalf, including:

  • Payment processing (Stripe)
  • Email communications (Resend)
  • Website hosting and infrastructure (Vercel)
  • Analytics (PostHog, Ahrefs)
  • Advertising and marketing (Google Ads, Facebook)
  • Client portal and file storage (Supabase)
  • Scheduling and bookings (Cal.com)

These service providers have access to your Personal Data only to perform specific tasks on our behalf and are obligated not to disclose or use it for any other purpose. They are bound by contractual obligations to keep Personal Data confidential and secure.

9.4 Other Disclosures

We may disclose your information:

  • To our subsidiaries and affiliates
  • To contractors and service providers we use to support our business
  • To fulfill the purpose for which you provide it
  • For the purpose of including your company's logo or work in our portfolio (as permitted by our Terms and Conditions)
  • For any other purpose disclosed by us when you provide the information
  • With your consent
  • To comply with legal obligations or protect our rights

10. Security of Data

The security of your data is important to us. We implement appropriate technical and organizational measures to protect your Personal Data against unauthorized access, alteration, disclosure, or destruction.

Our security measures include:

  • Encryption of data in transit using SSL/TLS
  • Secure authentication systems with HttpOnly and Secure cookies
  • Access controls and authentication requirements for our systems
  • Regular security assessments and updates
  • Secure hosting with reputable providers
  • Employee training on data protection and security

However, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security. You are responsible for maintaining the confidentiality of your account credentials.

11. Your Data Protection Rights Under UK GDPR

Under UK GDPR and the Data Protection Act 2018, if you are a resident of the United Kingdom, you have the following data protection rights:

11.1 Right of Access

You have the right to request copies of your Personal Data. We may charge a reasonable fee or refuse requests that are manifestly unfounded or excessive.

11.2 Right to Rectification

You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.

11.3 Right to Erasure (Right to be Forgotten)

You have the right to request that we erase your Personal Data, under certain conditions (e.g., if the data is no longer necessary for the purpose it was collected, or you withdraw consent).

11.4 Right to Restrict Processing

You have the right to request that we restrict the processing of your Personal Data, under certain conditions.

11.5 Right to Object

You have the right to object to our processing of your Personal Data, under certain conditions (particularly for direct marketing or processing based on legitimate interests).

11.6 Right to Data Portability

You have the right to request that we transfer the data we have collected to another organization, or directly to you, in a structured, commonly used, and machine-readable format.

Where we rely on consent to process your Personal Data, you have the right to withdraw your consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.

11.8 Right to Lodge a Complaint

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection:

Information Commissioner's Office (ICO) Wycliffe House, Water Lane Wilmslow, Cheshire SK9 5AF United Kingdom Telephone: 0303 123 1113 Website: https://ico.org.uk/

11.9 Exercising Your Rights

To exercise any of these rights, please contact us at support@thenextlayer.co. We will respond to your request within one month. We may ask you to verify your identity before responding to such requests.

Please note that we may not be able to provide certain aspects of our Service without some necessary data. If you request deletion of data necessary for providing our Service, you may no longer be able to use the Service.

12. California Privacy Rights (For US Residents)

12.1 California Consumer Privacy Act (CCPA)

If you are a California resident, you have specific rights regarding your personal information under the California Consumer Privacy Act (CCPA).

Your Rights Include:

Right to Know: You can request information about the personal information we have collected about you in the past 12 months, including:

  • Categories of personal information collected
  • Categories of sources from which we collected personal information
  • Business or commercial purpose for collecting or selling personal information
  • Categories of third parties with whom we share personal information
  • Specific pieces of personal information we have collected

Right to Delete: You can request that we delete personal information we have collected from you, subject to certain exceptions.

Right to Opt-Out of Sale: We do not sell your personal information to third parties for monetary consideration.

Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

How to Exercise Your Rights:

To exercise your California privacy rights, contact us at:

You may be asked to verify your identity before we process your request. You may designate an authorized agent to make a request on your behalf.

12.2 California Online Privacy Protection Act (CalOPPA)

According to CalOPPA:

  • Users can visit our site anonymously
  • This Privacy Policy link is easily accessible on our website homepage
  • Users will be notified of any Privacy Policy changes on this page
  • Users can change their personal information by emailing us at support@thenextlayer.co

Do Not Track Signals: We honor Do Not Track (DNT) signals. We do not track, plant cookies, or use advertising when a DNT browser mechanism is in place. You can enable or disable Do Not Track by visiting the Preferences or Settings page of your web browser.

13. Service Providers

We employ third-party companies and individuals to facilitate our Service ("Service Providers"), provide the Service on our behalf, perform Service-related functions, or assist us in analyzing how our Service is used.

These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.

Our Service Providers Include:

13.1 Payment Processing

Stripe - Payment processing and subscription management Privacy Policy: https://stripe.com/privacy Stripe adheres to PCI-DSS standards to ensure secure handling of payment information. We do not store or collect your payment card details directly; this information is provided directly to Stripe.

13.2 Website Hosting & Infrastructure

Vercel - Website hosting and content delivery Privacy Policy: https://vercel.com/legal/privacy-policy

Supabase - Client portal, authentication, and file storage (EU-hosted) Privacy Policy: https://supabase.com/privacy

13.3 Email Communications

Resend - Transactional email delivery Privacy Policy: https://resend.com/legal/privacy-policy

13.4 Scheduling & Booking

Cal.com - Appointment scheduling and calendar integration Privacy Policy: https://cal.com/privacy

14. Analytics

We use third-party Service Providers to monitor and analyze the use of our Service.

14.1 PostHog

PostHog is a product analytics platform that helps us understand how users interact with our Service.

Key Information:

You can opt out of PostHog tracking through our cookie consent settings.

14.2 Ahrefs

Ahrefs provides website analytics and SEO monitoring services.

Key Information:

15. Behavioral Remarketing

We use remarketing services to advertise to you after you have visited our Service. We and our third-party vendors use cookies to inform, optimize, and serve ads based on your past visits to our Service.

15.1 Google Ads (Google AdWords)

Google Ads remarketing service is provided by Google LLC.

How to Opt Out:

15.2 Facebook Pixel / Meta Ads

Facebook remarketing service is provided by Meta Platforms, Inc.

How to Opt Out:

You can also opt out through:

Our Service may contain links to other websites that are not operated by us. If you click a third-party link, you will be directed to that third party's site.

We strongly advise you to review the Privacy Policy of every site you visit. We have no control over and assume no responsibility for the content, privacy policies, or practices of any third-party sites or services.

17. Children's Privacy

Our Service is not intended for use by anyone under the age of 18 ("Children" or "Minors").

We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us at support@thenextlayer.co.

If we become aware that we have collected Personal Data from children without verification of parental consent, we will take steps to remove that information from our servers promptly.

18. Changes to This Privacy Policy

We may update our Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of any material changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Effective date" at the top of this Privacy Policy
  • Sending you an email notification (for material changes)
  • Displaying a prominent notice on our Service

Your Continued Use: Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the revised policy. We encourage you to review this Privacy Policy periodically for any changes.

Material Changes: For material changes that significantly affect your rights or how we use your data, we will provide at least 30 days' notice before the changes take effect and may require your explicit consent where required by law.

19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

The Next Layer by Ourfires LTD Data Protection Contact

Email: support@thenextlayer.co Website: https://www.thenextlayer.co/ Postal Address: 41 Devonshire Street, Ground Floor London, England W1G 7AJ United Kingdom

For Data Protection Inquiries: Please clearly state "Data Protection Request" or "Privacy Inquiry" in your subject line to ensure prompt handling.

Response Time: We will respond to your inquiry within one month of receipt. In complex cases, we may extend this period by a further two months, and we will inform you of any such extension.

20. Supervisory Authority

If you have concerns about how we handle your personal data or wish to lodge a complaint, you have the right to contact the UK's supervisory authority:

Information Commissioner's Office (ICO) Wycliffe House, Water Lane Wilmslow, Cheshire SK9 5AF United Kingdom

Telephone: 0303 123 1113 Website: https://ico.org.uk/ Report a concern: https://ico.org.uk/make-a-complaint/

This Privacy Policy is effective as of 10/10/2025 and governs the collection, use, and protection of your personal information when you use The Next Layer's services.

Last Updated: 10/10/2025