
Effective from: 1 June 2026
This policy explains what personal data we process when operating the game NOXURA (noxura.app), why, on what legal basis, and what rights you have. We process only the minimum needed to run the Service. We never sell your data.
The data controller is [FILL IN NAME / COMPANY], Company ID: [FILL IN], registered seat [FILL IN ADDRESS] (the “Controller”).
Contact for data protection matters: [FILL IN E-MAIL]. The Controller has not appointed a Data Protection Officer (DPO), as it is not legally required.
Game data: chosen name, faction, lineage (who bit whom), in-game stats (MOC, Krev, Heat), activity. A bite link is anonymous by default.
Account data (optional): an e-mail, if you provide one to secure and recover your account.
Payment data: handled solely by Stripe. We never see or store your full card number — only a transaction reference, amount and what was bought.
Technical data: IP address, device/browser type, and browser local storage (player id, chosen language) needed for the app to work.
Providing the Service / performing the contract — Art. 6(1)(b): account creation and management, game mechanics, payments.
Legitimate interest — Art. 6(1)(f): security, fraud and abuse prevention, basic analytics and improvement, aggregated (non-identifying) statistics.
Legal obligation — Art. 6(1)(c): accounting and tax records for payments.
Consent — Art. 6(1)(a): only if you opt in to e-mails or allow optional cookies. Consent can be withdrawn at any time.
We use necessary local storage and cookies for the app to function (session, player id, language) — these do not require consent under § 89 of Act 127/2005.
Optional (analytics/marketing) cookies are used only with your consent, which you can withdraw any time in your browser settings.
We disclose data only to processors acting on our instructions: Supabase (database & hosting), Netlify (hosting & CDN), Stripe (payments), and an e-mail provider for account recovery.
Your public name and public game activity are intentionally visible to other Players — that is the essence of the game.
Some processors (e.g. Supabase, Netlify, Stripe) may process data on servers outside the EU, notably in the USA. Such transfers are safeguarded by EU Standard Contractual Clauses (SCC) and/or the EU-US Data Privacy Framework, or an adequacy decision.
Game and account data are kept while your account exists. After deletion we remove or anonymise personal data, except data we must keep by law.
Accounting and tax records of payments are kept for the legally required period (generally 10 years under Czech accounting and VAT law).
You have the right to: access (Art. 15), rectification (Art. 16), erasure / “right to be forgotten” (Art. 17), restriction (Art. 18), portability (Art. 20), objection to processing based on legitimate interest (Art. 21), and withdrawal of consent.
We do not carry out automated decision-making or profiling with legal effects under Art. 22 GDPR.
Exercise your rights by e-mail at [FILL IN E-MAIL]; we respond within one month at the latest. You can also delete your account anytime in Settings.
The Service is intended for persons over 18. We do not knowingly process data of persons under 18. If we discover otherwise, we delete the data.
We use encryption in transit (HTTPS), access controls and appropriate technical and organisational measures. No system is perfectly secure, but we take measures proportionate to the risks.
You have the right to lodge a complaint with a supervisory authority. In the Czech Republic this is the Office for Personal Data Protection (ÚOOÚ), Pplk. Sochora 27, 170 00 Prague 7, www.uoou.cz.
We may update this policy. Material changes will be announced in the Service or by e-mail. The current version is always available on this page.
In case of conflict between language versions, the Czech version prevails. Questions: [FILL IN E-MAIL].