Last updated: 17 May 2026 (initial policy)
What's Next? is operated by Joe Houghton (joe.houghton@gmail.com, houghtonphoto.com). The service gives you AI-powered recommendations for books, TV, films, and podcasts.
Data controller and processor: Joe Houghton (sole operator). For any questions about how your data is handled, contact joe.houghton@gmail.com.
Email address. Used to identify you across visits and to send the 6-digit verification code that proves you control the email. We don't store passwords — sign-in is by one-time code only. Legal basis: performance of a contract (we can't deliver personalised recommendations without an account).
Titles you've liked, disliked, or want to avoid; genres and platforms you prefer. This is the core data that makes recommendations useful. It's stored on your account and sent to Anthropic's Claude API to generate new suggestions. You can delete it at any time.
Items you've added to your queue, marked as completed, or rated. Used to personalise future recommendations and (on paid plans) to produce your weekly digest.
When you use the Send Feedback button, we store your message, the URL you were on, up to four optional screenshots, and an optional contact email if you want to be notified when your suggestion lands.
Account data is kept for as long as you have an account. Inactive accounts (no sign-in for 24 months) are automatically deleted; you'll receive a warning email 30 days before deletion. You can delete your account at any time by emailing joe.houghton@gmail.com.
Feedback messages are kept until the suggestion is shipped or dropped from the roadmap. Screenshots attached to feedback are deleted after 12 months.
GDPR erasure logs are retained after deletion but contain only hashed identifiers — no readable email addresses or names.
We use the following third-party services. All process data within the EU or under appropriate safeguards.
Hosts the web application and serverless API routes. EU regions used.
Stores all structured data (accounts, taste profiles, queue, history). Frankfurt region.
Sends transactional emails (verification codes, weekly digest, deletion warnings). Paris-headquartered, EU-hosted.
Powers the AI recommendations engine. Your taste data and queue are sent to Anthropic's Claude API to generate suggestions. No data is used to train Anthropic's models under their API terms.
Provides cover art, metadata, and cast information for films and TV. No personal data is sent to TMDB.
Under GDPR you have the following rights. To exercise any of them, email joe.houghton@gmail.com.
If you're unhappy with how your data is handled, you may also lodge a complaint with the Data Protection Commission (Ireland) at dataprotection.ie or the supervisory authority in your country of residence.
What's Next? uses one strictly necessary session cookie to keep you signed in. We don't set advertising or tracking cookies. The feedback form uses your browser's localStorage to remember your contact email so you don't have to retype it — this stays on your device and is never sent except in the feedback submission itself.
All data is transmitted over HTTPS. We don't use passwords — sign-in is by a one-time 6-digit code valid for 10 minutes, stored as a SHA-256 hash. The plaintext only ever exists in the email. All API keys are stored in encrypted Vercel environment variables.
What's Next? is intended for users aged 16 and over. By registering you confirm you meet this age requirement.
We'll update this page when material changes happen. Significant changes are announced on the roadmap and by email to all account holders.
For any privacy-related questions or to exercise your rights: joe.houghton@gmail.com