Privacy Policy
Last updated: January 1, 2025
1. Introduction
OneNext, Inc. ("OneNext," "we," "our," or "us") is committed to protecting the privacy of our customers, visitors, and users. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at onenext.us (the "Site") or use our financial infrastructure platform and related services (collectively, the "Services").
We operate as a B2B financial infrastructure provider, and our Services are designed for business customers. This Privacy Policy applies to both our business customers and individuals who interact with our Site. Please read this policy carefully. If you disagree with its terms, please discontinue use of our Services.
2. Information We Collect
2.1 Information You Provide Directly
When you create an account, request a demo, contact us, or use our Services, we may collect:
- Business and personal contact information (name, email address, phone number, job title)
- Company information (company name, business address, EIN/tax identification number)
- Account credentials (username, password)
- Payment and billing information (bank account details, payment card information)
- Identity verification documents (as required for KYB/KYC compliance)
- Communications you send to us (support requests, emails, chat messages)
2.2 Information Collected Automatically
When you access our Site or use our Services, we automatically collect:
- Log data (IP address, browser type and version, operating system, pages visited, time and date of visits)
- Device information (device type, device identifiers, operating system)
- Usage data (features used, API calls made, transaction volumes)
- Cookies and similar tracking technologies (see our Cookie Policy for details)
2.3 Transaction Data
As a financial infrastructure provider, we process transaction data on behalf of our customers. This includes payment amounts, counterparty information, transaction timestamps, and related financial data. This data is processed as part of our Services and is governed by our customer agreements in addition to this Privacy Policy.
2.4 Compliance and Verification Data
To comply with applicable financial regulations including the Bank Secrecy Act, FinCEN regulations, and applicable state regulations, we collect information about our customers' businesses, their beneficial owners, and their transaction activity as required by law.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Providing Services: To operate, maintain, and improve our financial infrastructure platform and related services
- Account Management: To create and manage your account, verify your identity, and communicate with you about your account
- Compliance: To comply with applicable laws and regulations, including KYB/KYC, AML, and BSA requirements
- Fraud Prevention: To detect, prevent, and investigate fraudulent activity, security incidents, and violations of our terms of service
- Communications: To send you service notifications, product updates, security alerts, and (with your consent) marketing communications
- Analytics: To understand how our Services are used and to improve them
- Legal: To comply with legal obligations, resolve disputes, and enforce our agreements
4. How We Share Your Information
4.1 Service Providers
We share information with third-party vendors and service providers who assist us in providing our Services, including cloud infrastructure providers, payment network operators, identity verification services, and analytics providers. These parties are contractually obligated to protect your information and use it only for the purposes for which it was shared.
4.2 Financial Institutions and Payment Networks
To process payments and provide financial services, we share necessary transaction and identity information with banks, payment networks (including The Clearing House RTP network and FedNow), and other financial institutions as required to process transactions on your behalf.
4.3 Regulatory and Legal Requirements
We may disclose your information to law enforcement agencies, regulatory authorities, courts, or other parties when required by law, legal process, or regulation, including disclosures required under the Bank Secrecy Act, FinCEN reporting requirements, or other applicable financial regulations.
4.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred to the acquiring entity as part of that transaction.
5. Data Security
We implement comprehensive security measures to protect your information, including AES-256 encryption at rest and in transit, SOC 2 Type II certified security controls, PCI DSS Level 1 compliance for payment card data, multi-factor authentication for all administrative access, comprehensive access logging and monitoring, and regular penetration testing by independent security firms.
Despite these measures, no security system is impenetrable. We cannot guarantee the absolute security of your information. In the event of a security breach, we will notify you as required by applicable law.
6. Data Retention
We retain your information for as long as necessary to provide our Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Financial transaction records are retained for a minimum of seven years as required by applicable financial regulations. Account information is retained for the duration of the customer relationship and for a period after termination as required by law and our legitimate business interests.
7. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information:
- Access: You may request a copy of the personal information we hold about you
- Correction: You may request that we correct inaccurate personal information
- Deletion: You may request deletion of your personal information, subject to our legal obligations to retain certain records
- Portability: You may request a copy of your personal information in a structured, machine-readable format
- Opt-out: You may opt out of marketing communications at any time by using the unsubscribe link in our emails
To exercise these rights, please contact us at hello@onenext.us. We will respond to your request within 30 days.
8. California Privacy Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale of personal information (we do not sell personal information), and the right to non-discrimination for exercising your privacy rights.
9. International Data Transfers
Our Services are operated in the United States. If you are located outside the US, your information will be transferred to and processed in the US, where privacy laws may differ from those in your country. By using our Services, you consent to this transfer.
10. Children's Privacy
Our Services are not directed to children under 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will delete that information.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our Site and, for significant changes, by sending you an email notification. Your continued use of our Services after the effective date of the updated policy constitutes your acceptance of the changes.
12. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us at:
OneNext, Inc.
101 California St Suite 2400, San Francisco CA 94111
Email: hello@onenext.us
Phone: +1 415 555 0318
13. EU and UK Privacy Rights (GDPR)
If you are located in the European Economic Area (EEA) or the United Kingdom, you have rights under the General Data Protection Regulation (GDPR) or UK GDPR, as applicable. These rights include: the right of access (to obtain a copy of your personal data), the right to rectification (to correct inaccurate data), the right to erasure ("right to be forgotten"), the right to restrict processing, the right to data portability, the right to object to processing, and rights in relation to automated decision-making and profiling.
To exercise these rights, please contact us at hello@onenext.us. We will respond to your request within one month. We may need to verify your identity before processing your request. If you believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local supervisory authority.
Our legal bases for processing personal data under GDPR include: performance of a contract (processing necessary to provide our Services), compliance with legal obligations (processing required by financial regulations), legitimate interests (fraud prevention, security, and service improvement), and consent (for marketing communications and non-essential cookies).
14. Data Transfers and International Operations
OneNext operates primarily in the United States, and our data infrastructure is based in the United States. If you are located outside the United States and choose to use our Services, please note that your information will be transferred to and processed in the United States. US privacy laws may differ from the privacy laws in your jurisdiction.
For transfers from the EEA or UK to the United States, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission, and on other appropriate transfer mechanisms as required. We implement additional technical and organizational safeguards to protect your data regardless of where it is processed.
Our cloud infrastructure providers maintain data centers in the United States, and our disaster recovery systems may store data in multiple US geographic regions. We do not intentionally route personal data through jurisdictions with inadequate privacy protections.
15. Specific Privacy Protections for Financial Data
Given the sensitive nature of financial data, we have implemented additional protections specifically for financial information collected through our Services:
Financial account data is encrypted using AES-256 encryption at rest. We store financial account numbers only in tokenized form -- the actual account numbers are never stored in our systems after initial verification. Transaction data is processed in isolated, access-controlled environments with strict need-to-know access policies. Financial reports and analyses generated by our system are associated with your account and are never shared with other users or third parties without your explicit consent.
We conduct regular privacy impact assessments for all features that involve processing sensitive financial data. Any new feature that involves access to bank account information, transaction history, or payment data undergoes a formal privacy review before deployment. This review includes an assessment of data minimization (are we collecting only what is necessary?), retention (how long do we need to keep this data?), and access controls (who can access this data and under what circumstances?).
