
How to Write a Privacy Policy for Your Next.js App

April 6, 2025 · 8 min read

You shipped your Next.js app. Maybe it is a SaaS product, an internal tool, a personal blog, or a side project you built over the weekend. Either way, if it has users and it touches the internet, it almost certainly collects some form of personal data. And that means you need a privacy policy.

This is not just a legal formality. GDPR fines can reach 4% of annual global revenue. CCPA violations cost up to $7,500 per intentional violation. Apple and Google reject apps without privacy policies. And even if you never face a regulator, users are increasingly privacy-conscious — a missing or vague privacy policy erodes trust before someone even signs up.

The good news: writing a privacy policy for a Next.js app is not as painful as it sounds. You need to understand what data your app collects, which regulations apply, and what to disclose. This guide walks you through all of it.

What data does a typical Next.js app collect?

Most developers underestimate how much data their Next.js application touches. Even a "simple" app with no database can collect personal information through hosting, analytics, and third-party scripts. Let us break it down.

Vercel Analytics and Web Vitals

If you deploy on Vercel (and most Next.js apps do), you likely have Vercel Analytics or Speed Insights enabled. Vercel Analytics collects page views, referrer information, country, device type, operating system, and browser. Speed Insights tracks Core Web Vitals like LCP, FID, and CLS. While Vercel's approach is privacy-focused (no cookies, no cross-site tracking), it still processes visitor data on their servers. That is a data processing activity you must disclose.

Authentication (NextAuth / Auth.js)

If your app has user accounts, you are collecting personal data. With Auth.js (formerly NextAuth), this typically includes email addresses, names, profile pictures from OAuth providers like Google or GitHub, session tokens stored in cookies or your database, and account identifiers from each provider. Even a "Sign in with GitHub" button means you are processing the user's GitHub email and profile information.

API routes processing form submissions

Next.js API routes (or Server Actions in the App Router) that handle contact forms, feedback widgets, or waitlist signups collect whatever the user types in — names, emails, messages, and potentially more. This data often ends up in a database, a third-party service like Resend for email, or both.

Third-party scripts

If you have added Google Analytics, Sentry, PostHog, Hotjar, Intercom, or any other third-party script to your layout.js or _app.js, each of those services collects data independently. Google Analytics tracks page views, events, demographics, and sets cookies. Sentry captures stack traces, request URLs, IP addresses, and browser information. PostHog can record entire user sessions. Each service needs its own disclosure in your privacy policy.

Cookies

Even if you do not explicitly set cookies, your app probably uses them. Auth.js stores session tokens in cookies by default. Next.js middleware might set cookies for locale preferences or feature flags. Third-party scripts set their own tracking cookies. Cookies that identify users or track behavior require informed consent under GDPR — and your privacy policy must list them.

Key sections your privacy policy must include

A compliant privacy policy is not just a wall of legal text. It needs to be organized into specific sections that regulators and users expect to find. Here is what you need:

1. What data you collect and why

List every category of personal data your app processes: names, email addresses, IP addresses, device information, usage data, payment details. For each category, explain the purpose. "We collect your email address to send you account notifications and password reset links" is specific and useful. "We collect data to improve our services" is not.

2. Legal basis for processing (GDPR Article 6)

Under GDPR, you need a legal basis for each processing activity. The most common ones for Next.js apps are: consent (user opted in to marketing emails or non-essential cookies), contract performance (processing needed to provide your service, like authentication), legitimate interest (analytics for improving your product, security monitoring). Map each data type to its legal basis.

3. Third-party services and data sharing

Name every third-party service that receives user data. Vercel (hosting and analytics), Stripe (payments), Sentry (error tracking), your email provider, your database host. For each, state what data they receive, why, and link to their privacy policy. Users have the right to know exactly who handles their data.

4. Cookies and tracking technologies

List all cookies your app sets — first-party and third-party. For each cookie, describe its name, purpose, type (session or persistent), and expiration. If you use localStorage or sessionStorage to store user preferences or tokens, disclose that too. Under GDPR, non-essential cookies require prior consent.

5. User rights

Under GDPR, users can request access to their data, rectification of inaccurate data, erasure ("right to be forgotten"), data portability, restriction of processing, and they can object to processing. Under CCPA, California residents have the right to know what data you collect, to delete their data, to opt out of data sales, and to not be discriminated against for exercising these rights. Your policy must explain how users can exercise each right and how long you take to respond (GDPR: 30 days; CCPA: 45 days).

6. Data retention periods

State how long you keep each type of data. Account data might be retained until the user deletes their account. Analytics data might be aggregated and anonymized after 26 months. Server logs might be purged after 90 days. Avoid vague statements like "as long as necessary." Specific timeframes build trust and satisfy regulators.

7. Contact information

Provide a way for users to reach you about privacy concerns. An email address is the minimum. If you are subject to GDPR and process data at scale, you may need to appoint a Data Protection Officer (DPO) and list their contact details. Include your business name, address, and the supervisory authority users can complain to.

GDPR vs CCPA: What applies to you?

The two regulations developers encounter most often are the European Union's General Data Protection Regulation (GDPR) and California's Consumer Privacy Act (CCPA). Here is a quick comparison to help you figure out what applies to your Next.js app.

GDPR (EU)
  • Applies if you have any users in the EU/EEA, regardless of where your company is based
  • Requires explicit consent for non-essential cookies and tracking
  • Requires a legal basis for every data processing activity
  • Users have broad rights: access, rectification, erasure, portability, objection
  • Fines: up to 20 million euros or 4% of global annual revenue
  • You must respond to data requests within 30 days
CCPA (California)
  • Applies if you have California users and meet revenue or data thresholds ($25M+ revenue, 100K+ consumers, or 50%+ revenue from selling data)
  • Does not require opt-in consent, but must offer opt-out
  • Requires a "Do Not Sell My Personal Information" link if you sell data
  • Users can request: know, delete, opt-out, non-discrimination
  • Fines: up to $7,500 per intentional violation
  • You must respond to data requests within 45 days

In practice, if your Next.js app is publicly accessible, GDPR almost certainly applies to you — EU visitors can land on your site from a search engine or a shared link. CCPA is more targeted, but if your app grows, you will likely cross those thresholds. The safest approach is to comply with both from the start. It is not much extra work, and it avoids the scramble later.

Common Next.js services that need disclosure

Most Next.js apps rely on a handful of popular services. Each one processes user data and needs to be mentioned in your privacy policy. Here is what the most common ones collect:

Vercel Analytics
  Collects: page views, Web Vitals (LCP, FID, CLS), referrer, country, device type, OS, browser
  Note: privacy-focused by design (no cookies, no personal data stored), but it must still be disclosed.

Stripe
  Collects: name, email, card number, billing address, transaction history, IP address
  Note: acts as an independent data controller; link to Stripe's own privacy policy.

Auth.js / NextAuth
  Collects: email, name, avatar URL, OAuth tokens, session tokens, account IDs from providers
  Note: stores session data in cookies or your database; disclose each OAuth provider separately.

Sentry
  Collects: stack traces, request URLs, headers, IP addresses, browser/OS info, breadcrumbs
  Note: may capture PII in error payloads; enable PII scrubbing and disclose the data processing.

PostHog
  Collects: page views, clicks, session recordings, custom events, IP address, device info
  Note: session replay can capture user input; configure its privacy controls and disclose recordings.

Resend / SendGrid
  Collects: email addresses, email content, open/click tracking, IP addresses
  Note: processes email on your behalf; disclose transactional and marketing email usage separately.
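The Sentry row above says to enable PII scrubbing. As an added example (not code from this post or from Sentry), here is a `beforeSend` hook that strips the categories the table lists (user identity, IP address, cookies, authorization headers, e-mail addresses in free text) from an error event before it leaves your server. Sentry SDKs pass every event through the `beforeSend` option of `Sentry.init`; the event field names used here (`user`, `request.headers`, `request.cookies`, `breadcrumbs`, `exception.values`) follow the data the post says Sentry captures, and the exact event shape and the sample event are assumptions.

```javascript
// Added example, not code from the Pliqo post or from Sentry: a beforeSend hook
// that removes personal data from an error event before it is sent. Field names
// (user, request.headers, request.cookies, breadcrumbs, exception.values) follow
// the data the post says Sentry captures; the exact shape is an assumption.

const SENSITIVE_HEADERS = new Set(["authorization", "cookie", "set-cookie", "x-api-key"]);
const EMAIL_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/g;

// Replace e-mail addresses inside free-text fields; leave non-strings alone.
function redact(value) {
  return typeof value === "string" ? value.replace(EMAIL_RE, "[email]") : value;
}

// Returns a scrubbed copy of the event (returning null from beforeSend would
// drop the event entirely). The caller's object is never mutated.
function scrubEvent(event /*, hint */) {
  const out = JSON.parse(JSON.stringify(event));

  // Keep only an opaque id for grouping; drop email, username and ip_address.
  if (out.user) {
    out.user = out.user.id !== undefined ? { id: String(out.user.id) } : {};
  }

  if (out.request) {
    delete out.request.cookies;
    for (const name of Object.keys(out.request.headers || {})) {
      if (SENSITIVE_HEADERS.has(name.toLowerCase())) out.request.headers[name] = "[Filtered]";
    }
    for (const field of ["url", "query_string", "data"]) {
      if (field in out.request) out.request[field] = redact(out.request[field]);
    }
  }

  if ("message" in out) out.message = redact(out.message);
  for (const crumb of out.breadcrumbs || []) {
    if ("message" in crumb) crumb.message = redact(crumb.message);
  }
  for (const ex of (out.exception && out.exception.values) || []) {
    if ("value" in ex) ex.value = redact(ex.value);
  }
  return out;
}

// Constructed sample event with placeholder values; nothing here is real data.
const SAMPLE_EVENT = {
  message: "Checkout failed for jane@example.com",
  user: { id: 42, email: "jane@example.com", ip_address: "203.0.113.7" },
  request: {
    url: "https://app.example.invalid/api/checkout",
    headers: {
      "content-type": "application/json",
      cookie: "next-auth.session-token=placeholder",
      Authorization: "Bearer placeholder",
    },
    cookies: { "next-auth.session-token": "placeholder" },
    data: '{"email":"jane@example.com","plan":"pro"}',
  },
  breadcrumbs: [{ category: "ui.click", message: "jane@example.com clicked Pay" }],
  exception: { values: [{ type: "Error", value: "card declined for jane@example.com" }] },
};

console.log(JSON.stringify(scrubEvent(SAMPLE_EVENT), null, 2));
```

Wire it in with `Sentry.init({ dsn: process.env.SENTRY_DSN, sendDefaultPii: false, beforeSend: scrubEvent })` in your Sentry config (for example `sentry.server.config.js`). `sendDefaultPii: false` stops the SDK attaching IP addresses and cookies in the first place; the hook catches what still arrives through messages, breadcrumbs and request bodies, which is exactly the data your policy would otherwise have to disclose as being sent to Sentry.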

A common mistake is only disclosing the services you explicitly integrated. But if your hosting provider (Vercel) or your database provider (PlanetScale, Supabase, Neon) processes request data like IP addresses, those count too. Audit your package.json and your environment variables — if a service has an API key, it is probably processing user data.

Here is a quick way to check what your app sends data to. Look at your environment variables:

  # .env.local
  NEXTAUTH_SECRET=...          # Auth.js - authentication data
  DATABASE_URL=...             # Database - all stored user data
  STRIPE_SECRET_KEY=...        # Stripe - payment data
  SENTRY_DSN=...               # Sentry - error tracking + IP
  NEXT_PUBLIC_POSTHOG_KEY=...  # PostHog - analytics + sessions
  RESEND_API_KEY=...           # Resend - email addresses

Every line in that file points to a service that needs a disclosure in your privacy policy.
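The env-file audit described above can be scripted. The following is an added example, not code from this post or from Pliqo: it parses dotenv-style text, maps each variable name to the service and data categories the post lists, reports keys it cannot place for manual review, and flags `NEXT_PUBLIC_`-prefixed names that look like secrets, because Next.js inlines every `NEXT_PUBLIC_*` variable into the browser bundle. The name prefixes in the catalogue and the sample `.env.local` are assumptions about common naming, not project values.

```javascript
// Added example, not code from the Pliqo post: build a third-party disclosure
// inventory from the variable names in a .env file. The catalogue below maps
// assumed env-var name prefixes to the services and data categories the post
// names; extend it for your own stack.

const SERVICE_CATALOGUE = [
  { service: "Auth.js / NextAuth", pattern: /^(NEXTAUTH_|AUTH_)/,
    data: ["email", "name", "avatar URL", "OAuth tokens", "session cookies"] },
  { service: "Database host", pattern: /^(NEXT_PUBLIC_)?(DATABASE_URL$|POSTGRES_|SUPABASE_|NEON_)/,
    data: ["all stored user data", "request IP addresses"] },
  { service: "Stripe", pattern: /^(NEXT_PUBLIC_)?STRIPE_/,
    data: ["name", "email", "card number", "billing address", "IP address"] },
  { service: "Sentry", pattern: /^(NEXT_PUBLIC_)?SENTRY_/,
    data: ["stack traces", "request URLs and headers", "IP address", "browser/OS"] },
  { service: "PostHog", pattern: /^(NEXT_PUBLIC_)?POSTHOG_/,
    data: ["page views", "clicks", "session recordings", "IP address", "device info"] },
  { service: "Resend", pattern: /^RESEND_/, data: ["email addresses", "email content"] },
  { service: "SendGrid", pattern: /^SENDGRID_/,
    data: ["email addresses", "email content", "open/click tracking"] },
];

// Next.js exposes every NEXT_PUBLIC_* variable to client-side code, so a value
// whose name hints at a secret under that prefix ships to every visitor.
const SECRET_HINT = /(SECRET|PRIVATE|PASSWORD|SERVICE_ROLE)/;

// Parse dotenv-style text into [{ key, value }], ignoring blank lines and comments.
function parseEnv(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const body = line.startsWith("export ") ? line.slice(7).trim() : line;
    const eq = body.indexOf("=");
    if (eq <= 0) continue;
    const key = body.slice(0, eq).trim();
    let value = body.slice(eq + 1).trim();
    const quoted = value.match(/^(["'])(.*)\1/);
    value = quoted ? quoted[2] : value.split(/\s+#/)[0].trim(); // drop trailing comment
    entries.push({ key, value });
  }
  return entries;
}

// Group keys by the service they imply; unmatched keys are listed for manual review.
function auditEnv(text) {
  const services = [];
  const unknown = [];
  const exposedSecrets = [];
  for (const { key } of parseEnv(text)) {
    if (key.startsWith("NEXT_PUBLIC_") && SECRET_HINT.test(key)) exposedSecrets.push(key);
    const hit = SERVICE_CATALOGUE.find((s) => s.pattern.test(key));
    if (!hit) { unknown.push(key); continue; }
    let row = services.find((s) => s.service === hit.service);
    if (!row) { row = { service: hit.service, keys: [], data: hit.data }; services.push(row); }
    row.keys.push(key);
  }
  return { services, unknown, exposedSecrets };
}

function formatReport({ services, unknown, exposedSecrets }) {
  const lines = ["Services that need a privacy-policy disclosure:"];
  for (const s of services) lines.push(`- ${s.service} (${s.keys.join(", ")}): ${s.data.join(", ")}`);
  if (unknown.length) lines.push(`Review manually (no catalogue match): ${unknown.join(", ")}`);
  for (const k of exposedSecrets) lines.push(`WARNING: ${k} looks like a secret but NEXT_PUBLIC_ ships it to the browser`);
  return lines.join("\n");
}

// Constructed sample .env.local; every value is a placeholder, not a credential.
const SAMPLE_ENV = `
# .env.local (constructed sample)
NEXTAUTH_SECRET=placeholder
NEXTAUTH_URL=http://localhost:3000
export DATABASE_URL="postgres://app:pw@localhost:5432/app"
STRIPE_SECRET_KEY=sk_test_placeholder   # unquoted value with a trailing comment
SENTRY_DSN=https://examplePublicKey@example.invalid/1
NEXT_PUBLIC_POSTHOG_KEY=phc_placeholder
RESEND_API_KEY=re_placeholder
NEXT_PUBLIC_SUPABASE_SERVICE_ROLE_KEY=placeholder
FEATURE_FLAG_NEW_DASHBOARD=1
`;

console.log(formatReport(auditEnv(SAMPLE_ENV)));
```

To run it against a real project, replace `SAMPLE_ENV` with the contents of your `.env.local` (for example via `fs.readFileSync`). The "review manually" list is the useful part: any key the catalogue does not recognise is either an internal flag or a service you have not yet accounted for in the policy.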

The fast way: Generate it in 2 minutes

Writing a privacy policy from scratch is tedious. You have to research the legal requirements, figure out the right wording, make sure you cover every service and every regulation, and keep it all updated as your app changes. Lawyers charge $500 or more for a custom policy. Subscription services like Termly or iubenda charge $10 to $15 per month — for a document.

That is why we built Pliqo. It is a free privacy policy generator designed for developers. The wizard takes about 2 minutes:

  • Step 1: Choose your product type (website, SaaS, or mobile app)
  • Step 2: Enter your company and website details
  • Step 3: Select the data types you collect (we pre-populate common ones)
  • Step 4: Pick your third-party services from a list of 30+ (Vercel, Stripe, Sentry, PostHog, and more)
  • Step 5: Choose your jurisdictions (GDPR, CCPA, or both)
  • Step 6: Review and download in HTML, Markdown, or plain text

The generated policy covers all the sections described in this article — data collection purposes, legal bases, third-party disclosures, cookie details, user rights, retention periods, and contact information. It is specific to your stack, not a generic template.


Conclusion

Do not skip the privacy policy. It does not matter if your Next.js app is a weekend project or a funded startup — if it collects any user data (and it almost certainly does), you need one. The consequences of not having a privacy policy range from losing user trust to facing regulatory fines.

The requirements are straightforward: disclose what you collect, why you collect it, who you share it with, and what rights users have. Cover your Vercel hosting, your authentication provider, your analytics, your error tracking, and every other service that touches user data.

You can spend hours writing it from scratch, pay a lawyer, or generate one with Pliqo in 2 minutes. The important thing is that you have one — and that it is accurate, complete, and easy for your users to find.
