1. Who we are (the data controller)
For the purposes of the EU General Data Protection Regulation (GDPR) and other data-protection
laws, the controller responsible for your personal data is:
[CHANGE ME — your full legal name, or "Necstaidia S.R.L." once incorporated], trading as Necstaidia
Email: [email protected]
Postal address: [CHANGE ME — registered / postal address; required for EU store trader verification & web-shop sales]
We are a small operator and are not required to appoint a Data Protection Officer, but you can
reach our privacy contact at the email above for any question or request about your data.
2. Scope of this policy
This policy covers personal data we process across all of Necstaidia: our website
(https://necstaidia.com), our web shop (https://gameshop.necstaidia.com), and the Necstaidia game on
PC, iOS, Android, and web. Where you buy through the Apple App Store or Google Play, those stores
also process your data as their own controllers under their own privacy policies; where you buy on
our web shop, payment is handled by Stripe. This policy explains what we do.
3. What we collect and why
We collect only what we need to provide and protect the Services. The table below summarises the
categories of personal data we process, why, the legal basis under the GDPR, and how long we keep
it.
| Category | Examples | Purpose | Legal basis | Retention |
|---|---|---|---|---|
| Account & identity | Account ID, username, the login method you use (a store sign-in or game account), and the verification token used to link the web shop to your game account. | Create and operate your account, authenticate you, and link purchases to the right player. | Performance of a contract (GDPR Art. 6(1)(b)). | While your account is active, then deleted or anonymised within a reasonable period after account deletion. |
| Gameplay & progression | Characters, inventory, currencies (Gems, Gold), items, achievements, quest and event progress, match results and leaderboard standings. | Run the game, save your progress, power multiplayer worlds, events, and leaderboards. | Performance of a contract (GDPR Art. 6(1)(b)). | While your account is active. |
| Purchases & transactions | What you bought, amount, currency, timestamps, subscription status, order and fulfilment (in-game mail) records, and a purchase audit log. We do NOT store full card numbers. | Deliver your purchases, manage subscriptions, provide support, prevent fraud, and meet tax and accounting duties. | Contract (Art. 6(1)(b)) and compliance with a legal obligation (Art. 6(1)(c)) for tax/accounting records. | Transaction and tax records kept for the period required by law (commonly several years); other records while your account is active. |
| Payment details | Payment method and billing details you enter at checkout. On the web shop these are handled by Stripe; in the apps they are handled by Apple or Google. | Process your payment. | Contract (Art. 6(1)(b)). Card data is processed by our payment partners, not stored by us. | Held by the payment provider under its own policy; we receive only limited transaction metadata. |
| Device & technical data | IP address, device and OS type, app/build version, language, crash and diagnostic logs, and security/anti-cheat signals. | Keep accounts and worlds secure, detect cheating and abuse, fix bugs, and deliver content reliably. | Legitimate interests in security, integrity, and improving the game (Art. 6(1)(f)). | Short retention for logs; longer where needed to investigate abuse or security incidents. |
| Usage analytics | Pages and screens viewed, referring site, approximate region (derived from IP, which is not stored), device/browser type, and basic interaction events (e.g. which buttons are clicked). Collected with Umami, a privacy-friendly, self-hosted analytics tool that uses no cookies and no cross-site tracking. | Understand in aggregate how the site and game are used so we can improve them. We do not build profiles about you and do not identify you personally. | Legitimate interests in measuring and improving our Services (Art. 6(1)(f)). | Kept in aggregate form; not tied to your identity. |
| Community, chat & moderation | In-game and community chat, display names, reports you submit about others, and moderation/enforcement records. | Operate multiplayer features, keep players safe, moderate content, and enforce the Community Guidelines and Terms. | Legitimate interests in a safe community (Art. 6(1)(f)). | Limited period; moderation and safety records may be kept longer. |
| Support & communications | Your email address and the contents of support requests or bug reports you send us. | Respond to you, resolve issues, and keep a record of the request. | Legitimate interests / steps to perform a contract (Art. 6(1)(f) / 6(1)(b)). | Kept for as long as needed to handle the request and a reasonable period afterwards. |
| Marketing (optional) | Email address and preferences, only if you opt in to newsletters or updates. | Send you the updates or offers you asked for. | Consent (Art. 6(1)(a)) — you can withdraw it at any time. | Until you unsubscribe or withdraw consent. |
We do not use advertising SDKs, ad networks, or cross-site tracking, and we do
not build advertising profiles about you. For analytics we use Umami — a
privacy-friendly, self-hosted tool that measures aggregate usage without cookies, without
cross-site tracking, and without identifying you personally. Because Umami is self-hosted, this
data stays with us and is not shared with a third-party analytics provider.
4. Legal bases under the GDPR
We rely on the following legal bases (Article 6(1) GDPR), as shown in the table above:
- Contract (Art. 6(1)(b)) — to create and run your account, deliver the game and
your purchases, and provide support.
- Legal obligation (Art. 6(1)(c)) — to keep tax, accounting, and transaction
records and to respond to lawful requests.
- Legitimate interests (Art. 6(1)(f)) — to keep the Services and players secure,
prevent cheating, fraud, and abuse, debug and improve the game, and run a safe community. We only
rely on this basis after weighing it against your rights, and you can object (see your rights
below).
- Consent (Art. 6(1)(a)) — for optional things like marketing emails. You can
withdraw consent at any time without affecting processing done beforehand.
5. Children & age
Necstaidia is intended for a general audience and is not directed to children. You
must be at least 13 to use the Services, and at least the age of digital
consent in your country if you are in the EEA (13–16 depending on the member state;
16 in several, including Romania). Where required, we present a neutral
age check and do not encourage anyone to misstate their age.
We do not knowingly collect personal data from children under 13, and our
Services are not “directed to children” under the US Children's Online Privacy Protection Act
(COPPA). If you are a parent or guardian and believe a child under the applicable age has given us
personal data without the required consent, contact us at [email protected] and we will delete it.
6. Who we share data with
We do not sell your personal data. We share it only with service providers who process it on our
behalf (our “processors”/sub-processors), and only as needed to run the Services:
| Provider | Role | Data handled | Region |
|---|---|---|---|
| Heroic Labs (Nakama) | Game server, accounts, persistent game state, purchase audit | Account ID, username, gameplay & progression data, purchase records, IP address | Self-hosted (EU); see hosting note below |
| Stripe | Payment processing for web-shop purchases (we are merchant of record) | Payment card / payment-method data, billing details, transaction records | United States / EU (Stripe Payments Europe) |
| RevenueCat | In-app purchase & subscription entitlement management (mobile) | Pseudonymous app user ID, purchase/subscription receipts, device identifiers | United States |
| Apple (App Store) | Mobile distribution & in-app purchases on iOS (Apple is merchant of record) | Purchase transactions, app analytics you have opted into at the OS level | United States / global |
| Google (Google Play) | Mobile distribution & in-app purchases on Android (Google is merchant of record) | Purchase transactions, app analytics you have opted into at the OS level | United States / global |
We may also disclose data where we are legally required to (for example, to authorities responding
to a valid legal request), to protect our rights, players, or the Services, or in connection with a
business reorganisation or sale, in which case we will protect your data and tell you if your
rights change. Each provider above has its own privacy policy, linked from the Cookie & Local Storage Policy and the providers'
websites.
7. International data transfers
Some of our providers (such as Stripe, RevenueCat, Apple, and Google) may process data outside the
EEA, including in the United States. When we transfer personal data outside the EEA we rely on a
lawful transfer mechanism:
- the EU–US Data Privacy Framework adequacy decision, where the provider is
certified under it; and
- Standard Contractual Clauses approved by the European Commission (with
additional safeguards where needed) for any provider not covered by an adequacy decision.
You can ask us for more information about the safeguards that apply to a specific transfer using the
contact details below.
8. How long we keep data
We keep personal data only as long as we need it for the purposes above, as summarised in the
retention column of the table in section 3. In general, account and gameplay data are kept while
your account is active and deleted or anonymised within a reasonable period after you delete your
account, except where we must keep certain records longer (for example, transaction and tax records
required by law, or information needed to handle a dispute or enforce our Terms).
9. Your rights
If you are in the EEA, UK, or another region with similar laws, you have the right to:
- Access a copy of your personal data;
- Rectify data that is inaccurate or incomplete;
- Erase your data (“right to be forgotten”) in certain circumstances;
- Restrict or object to certain processing, including
processing based on our legitimate interests and any direct marketing;
- Port data you gave us to another provider, where technically feasible;
- Withdraw consent at any time where we rely on consent.
To exercise any right, email [email protected].
We respond free of charge and without undue delay, and in any event within one month (extendable by
up to two further months for complex requests, in which case we will tell you). We may need to
verify your identity first.
10. Account & data deletion
You can delete your account and associated personal data at any time:
- In the game: open Settings → Account → Delete Account and confirm.
- On the web (no app needed): email [email protected] from the address
linked to your account, or use this page as your deletion request resource, and we will verify
and process your request.
Deleting your account removes or anonymises your personal data, except records we are legally
required to keep (such as transaction and tax records) and information needed to prevent fraud or
abuse. Virtual Items are forfeited on deletion and cannot be restored.
11. Security
We use appropriate technical and organisational measures to protect personal data — including
encryption in transit, access controls, and a server-authoritative design that keeps sensitive game
and purchase state on our backend rather than on your device. No system is perfectly secure, but we
work to protect your data and to detect and respond to incidents.
12. Cookies & local storage
Our sites use only a small number of strictly necessary cookies and local-storage values (such as a
secure login/session cookie on the web shop and a theme preference on the website). We do not use
tracking or advertising cookies. For full details, see the Cookie & Local Storage Policy.
13. Marketing communications
We only send marketing emails (such as newsletters or offers) if you have opted in. You can
unsubscribe at any time using the link in the email or by contacting us, and doing so will not
affect any service messages we need to send you (for example, about your purchases or account).
14. US / California privacy rights
If you are a California resident, you may have rights under the California Consumer Privacy Act
(CCPA/CPRA), to the extent it applies to us. These include the rights to know, access, delete, and
correct your personal information, and to be free from discrimination for exercising them. To
exercise these rights, contact us at [email protected].
We do not “sell” your personal information and do not “share” it
for cross-context behavioural advertising, as those terms are defined under California law, so we do
not provide a “Do Not Sell or Share My Personal Information” link because there is nothing to opt
out of. First-purchase and bonus offers (for example, bonus Gems) are price or service differences
available to all eligible players and are not financial incentives in exchange for your personal
information.
15. Data breaches
If a personal-data breach is likely to result in a risk to your rights, we will notify the
competent supervisory authority without undue delay and, where feasible, within 72 hours, as
required by the GDPR. Where a breach is likely to result in a high risk to you, we will also inform
you without undue delay.
16. Changes to this policy
We may update this policy as the Services and the law change. We will post the new version here
with an updated effective date and, for material changes, give you additional notice (for example,
in the game or by email).
For any privacy question or request, contact [email protected]. If you are in the
EEA and believe we have not handled your data properly, you have the right to lodge a complaint
with your local data-protection authority (in Romania, the National Supervisory Authority for
Personal Data Processing, ANSPDCP) — though we hope you will contact us first so we can help.