Privacy Policy | NextOnCall

Notice: This Privacy Policy is currently a draft pending legal review. The terms below describe our intended practices; please contact us at contact@nextoncall.com for any specific privacy questions while review is in progress.

NextOnCall (“we,” “us,” “the Service”) is operated by Next on Call, LLC (“the Company”). This Privacy Policy explains what personal information the Service collects, how we use it, who we share it with, and the choices and rights you have. By using NextOnCall you accept this Policy. If you don’t agree, please don’t use the Service.

If you have questions, contact us at contact@nextoncall.com.

1. Who is covered

NextOnCall is a B2B SaaS platform. Two kinds of people interact with us:

Account administrators — people who sign up at nextoncall.com to manage on-call routing for their team. They use the web dashboard.
Providers — on-call personnel (e.g. healthcare providers, technicians) added to an account by an administrator. Providers use the mobile app and may answer routed calls.

This Policy covers both groups. Where we say “you,” we mean either group unless we specify.

If your organization is a HIPAA-Covered Entity and uses the Service to handle calls that may involve Protected Health Information (PHI), the Company acts as a Business Associate. A separate Business Associate Agreement (BAA) governs that relationship and supplements this Policy.

2. What we collect

2.1 Information you provide

Account profile data — first name, last name, role, email address (administrators only), phone number.
Authentication credentials — for administrators, a one-way hashed password (we never see or store the plaintext). For providers, no password — we authenticate via SMS one-time code sent to the registered phone number.
Schedule data — on-call shift assignments.
Coverage and swap requests — text notes you provide when asking another provider to take or trade a shift.
Caller notes — free-text notes you choose to attach to incoming calls during or after a call.
Billing details — for paying accounts, billing address. We use a third-party payment processor (Stripe) to handle card data; we do not store full card numbers on our servers.

2.2 Information collected automatically

Mobile push notification token — when you allow notifications on the mobile app, we store a device-specific token issued by Apple, Google, or Expo so we can deliver alerts.
Call metadata — for every call routed through the Service: caller phone number, destination number, the provider’s number it was forwarded to, call status (answered/missed/busy/failed), call duration in seconds, and timestamp.
SMS metadata — when we send a one-time login code, we record the destination number, time sent, and delivery status.
Authentication tokens and session data — opaque tokens we issue when you log in, plus standard server logs (IP address, timestamp, user agent) for security and abuse prevention.
Device characteristics — operating system, app version, language preference. Used to render the app correctly and triage support tickets.

2.3 We do not record call audio

NextOnCall does not record the content of voice calls. We log that a call happened and how long it was. The audio is brokered by Twilio in real time and we do not store it.

2.4 Children

NextOnCall is not intended for use by anyone under 16 years of age, and we do not knowingly collect data from anyone under that age.

3. How we use the information

We use what we collect to:

Provide the core service — routing calls and SMS to whoever is on call; sending shift-start, swap-request, and incoming-call notifications.
Authenticate you — verifying SMS one-time codes; issuing API tokens; preventing brute-force attempts.
Operate the platform — billing, customer support, troubleshooting, security monitoring.
Improve the product — analyzing aggregated, de-identified usage to understand which features matter and what’s slow or broken.
Comply with legal obligations — responding to lawful requests, defending against fraud, complying with tax law.

We do not use your personal data to train any AI model. We do not sell your personal data. We do not share data with advertisers.

4. Who we share information with

We share data only with the following categories of recipients, only to the extent each one needs to do their job:

Recipient	What they receive	Why
Twilio Inc.	Phone numbers, call status, SMS contents (one-time code messages)	Voice routing and SMS delivery
Expo / Apple Push (APNs) / Google FCM	Push notification tokens, the notification payload (alert title and body — kept minimal, never PHI)	Push delivery to your device
Stripe (paying accounts)	Billing email, address, payment method	Subscription billing
Our hosting provider	All application data at rest	Hosting and database
Lawful authorities	Whatever a valid court order or subpoena compels	Legal compliance

We require each of these to handle data appropriately. Where applicable, we have signed standard data processing addenda and (for HIPAA-covered usage) Business Associate Agreements with the providers that support them.

5. How long we keep it

Account data — for as long as your account is active, plus 30 days after account closure for recovery.
Call metadata — 2 years from the date of the call.
SMS one-time codes — 15 minutes from generation, then deleted regardless of whether they were used.
Push notification tokens — until you log out, uninstall the app, or the token expires. Cleared server-side on logout.
API tokens — until expiry (30 days) or logout, whichever is sooner.
Caller notes — for as long as the associated call record exists.
Billing records — 7 years, as required by tax law.
Server logs — 90 days.

After the retention window, we either delete the data or de-identify it so it can no longer be tied to you.

6. Your rights

Subject to applicable law, you can ask us to:

Access the personal data we hold about you.
Correct information that’s wrong.
Delete your data (“right to be forgotten”).
Export your data in a portable format.
Restrict or object to certain processing.
Withdraw consent where we relied on consent (e.g. push notifications).

To exercise any of these, email contact@nextoncall.com. We aim to respond within 30 days.

7. Push notifications and Critical Alerts

The mobile app uses push notifications to deliver shift-start alerts and incoming-call escalations. You control these in two places:

Your device’s system settings — turn off “Allow notifications” for the NextOnCall app at any time.
In-app preferences — the app’s Settings screen has toggles for Push Notifications, Override Volume, Dark Mode, and shift-start lead time.

On iOS, NextOnCall uses Critical Alerts for shift-start and incoming-call notifications only. Critical Alerts can play a sound and bypass Do Not Disturb / silent mode, because missing an on-call notification can result in delayed care. We never use Critical Alerts for routine messages. iOS asks you to grant Critical Alerts permission separately from regular notifications and you can revoke it at any time in Settings.

8. Security

We use industry-standard measures to protect your data, including:

All web traffic over HTTPS with TLS 1.2+.
Passwords stored using a one-way hash (bcrypt).
API tokens stored only as SHA-256 hashes server-side; the raw token is shown to you once at issuance.
On the mobile app, the Bearer token is stored in the OS-provided keychain (iOS Keychain / Android Keystore).
Database access restricted to the application server.
Regular security review of dependencies and configuration.

No system is perfectly secure. If we ever experience a data breach that affects you, we’ll notify you and the relevant authorities as required by law.

9. Cookies and similar technologies

The web dashboard uses session cookies (PHPSESSID) to keep you logged in. We do not use third-party advertising or tracking cookies. The mobile app does not use cookies.

10. HIPAA and Business Associate Agreements

If your organization is a HIPAA-Covered Entity and may transmit Protected Health Information (PHI) through NextOnCall (for example, by including PHI in caller notes), the Company acts as a Business Associate.

We will sign Business Associate Agreements with HIPAA-Covered Entities on request. Where a BAA is in place, the BAA’s terms govern the handling of PHI in addition to this Policy, and conflicts between the two are resolved in favor of the BAA.

We follow the HIPAA Security Rule’s administrative, technical, and physical safeguards for all PHI we touch. Push notification payloads are deliberately PHI-free — they include only the alert type and shift identifier, never patient identifiers or call content.

11. Changes to this Policy

We’ll update this Policy as the Service changes. The “Last updated” date at the top reflects the most recent change. If we make a material change, we’ll notify you via email (for administrators) and an in-app banner (for providers) at least 14 days before it takes effect.

12. Contact

If you have any questions about this Policy or want to exercise your rights:

Email: contact@nextoncall.com