Privacy Policy
This policy explains how M-Sport Equipment Ltd (“we”, “us”) processes personal data when you use the NextBaller storefront. It is provided under Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
1. Controller identity and contact
M-Sport Equipment Ltd
Eleftherias 77 Shop No. 1, 7102 Aradippou, Cyprus
VAT CY10442302Y
Reg. HE 454228
General contact: info@nextballer.eu
Privacy enquiries: info@nextballer.eu
We have not designated a Data Protection Officer under Article 37 GDPR because our processing does not meet the criteria set out in that Article. You may still address any privacy matter to the privacy contact above.
2. Data we collect
- Identity and contact — name, e-mail address, telephone number, shipping address, year of birth (for the 18+ check at signup).
- Account and preferences — hashed password (handled by our authentication provider, not stored in plaintext), apparel and footwear sizes, preferred brands, marketing opt-in flag, consent timestamps.
- Order and billing — items ordered, order totals, VAT data, invoice records, shipping and delivery details, payment-method token (the card number itself is processed by Stripe and never stored by us).
- Subscription — Stripe customer and subscription identifiers, membership status, renewal dates.
- Consent and legal records — timestamped acceptance of Terms and Privacy Policy (Art 7(1) GDPR, demonstrable consent); marketing-consent source; the Article 16(m) Directive 2011/83/EU digital-service waiver for the subscription; right-of-withdrawal requests and their reasons.
- Technical and diagnostic — if, and only if, you have accepted analytics cookies, Sentry collects error traces and session-replay data that may include IP address, user-agent, rough location, and redacted DOM interactions. This data is not collected until you grant consent, and can be revoked via cookie settings.
3. Purposes of processing and legal bases
Article 13(1)(c) GDPR requires us to tell you both why we process your data and the legal basis under Article 6(1) that permits us to do so.
| Purpose | Legal basis |
|---|---|
| Create and manage your account; authenticate you. | Performance of a contract, Art 6(1)(b). |
| Process, ship, and invoice your orders. | Performance of a contract, Art 6(1)(b); and legal obligation, Art 6(1)(c). |
| Maintain accounting and invoice records. | Legal obligation, Art 6(1)(c) (EU VAT Directive 2006/112/EC Art 244; Cypriot VAT Act). |
| Operate the membership subscription (billing, renewal, cancellation). | Performance of a contract, Art 6(1)(b). |
| Send operational e-mails (order confirmations, subscription receipts, withdrawal acknowledgements). | Performance of a contract, Art 6(1)(b); and legal obligation, Art 6(1)(c) (durable-medium confirmations under Directive 2011/83/EU Art 8(7)). |
| Send marketing e-mails. | Consent, Art 6(1)(a). Separate opt-in at signup; revocable at any time. |
| Error tracking and session-replay diagnostics via Sentry. | Consent, Art 6(1)(a). Not loaded unless you have accepted analytics cookies. |
| Detect and prevent fraud, abuse, and payment chargebacks. | Legitimate interests, Art 6(1)(f) — protecting the integrity of our service and the financial interests of both parties. The balancing test concludes that, given the narrow scope (payment events and account abuse signals), your fundamental rights are not overridden. |
| Respond to legal requests; exercise or defend legal claims. | Legal obligation, Art 6(1)(c); and legitimate interests, Art 6(1)(f). |
4. Recipients and processors
We share personal data with the following processors, each acting under a written data processing agreement (Art 28 GDPR):
- Supabase — authentication and primary database. Hosted in the EU (eu-west-1, Ireland).
- Stripe Payments Europe, Ltd. (Ireland) — card payment processing, subscription billing, Stripe-hosted customer portal. Payment card data is processed under PCI-DSS; we only receive tokenised references. Stripe may transfer data to Stripe, Inc. (United States) under the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
- Resend — transactional e-mail delivery (order confirmations, subscription receipts, withdrawal acknowledgements, password resets). Transfers to the United States are covered by Standard Contractual Clauses.
- Vercel Inc. — application hosting and edge delivery. Transfers to the United States are covered by Standard Contractual Clauses; EU-originating requests are routed to EU edge regions where possible.
- Functional Software, Inc. (Sentry) — diagnostic error capture and session replay, loaded only on analytics consent. Transfers to the United States are covered by Standard Contractual Clauses.
- Bunny.net — EU-hosted font delivery and static asset CDN. No personal data is transferred outside the EU.
- Carrier partners — the shipping carrier you select at checkout receives your name, shipping address, and contact phone to deliver the order.
- Competent authorities — where required by law (for example, tax audits, law-enforcement requests with proper legal basis).
We do not sell personal data and we do not use it for third-party advertising.
5. Transfers outside the EEA
Some of our processors (Stripe, Resend, Vercel, Sentry) have parent entities in the United States. Where your data is transferred outside the European Economic Area, such transfer is protected by one or more of the following mechanisms under Chapter V GDPR:
- EU-US Data Privacy Framework certification (where the processor is self-certified).
- European Commission Standard Contractual Clauses (Decision (EU) 2021/914).
- Where necessary, supplementary technical and organisational measures (encryption in transit and at rest, access controls).
Copies of the safeguards are available on request from the privacy contact above.
7. Retention periods
- Account data — retained for as long as your account is active. On account deletion we anonymise the profile row (see section 9 below) and remove personally identifying fields.
- Orders and invoices — retained for seven (7) years after the end of the tax year in which the transaction occurred, under EU VAT Directive 2006/112/EC Art 244 and the Cypriot VAT Act. This retention overrides account-deletion requests for these specific records (Art 17(3)(b) GDPR).
- Consent and marketing records — retained for the duration of the consent and for up to three years after withdrawal, as evidence of demonstrable consent (Art 7(1) GDPR).
- Error and session-replay data (Sentry) — retained for up to 90 days by the processor, then deleted.
- Support correspondence — retained for up to three years to handle follow-up enquiries and defend potential claims.
8. Your rights
Under the GDPR you have the following rights, which you may exercise by writing to info@nextballer.eu:
- Right of access (Art 15) — obtain a copy of the personal data we hold about you. A self-service export is available in Account → Security.
- Right to rectification (Art 16) — correct inaccurate or incomplete data. Most fields are editable from your account.
- Right to erasure (Art 17) — request deletion. Also available self-service; retention under Art 17(3)(b) still applies to invoice records.
- Right to restriction (Art 18).
- Right to data portability (Art 20) — structured, commonly used, machine-readable format. Delivered as JSON by the self-service export.
- Right to object (Art 21) — especially to processing based on legitimate interests.
- Right to withdraw consent (Art 7(3)) — for any processing based on consent (analytics cookies, marketing e-mails). Does not affect the lawfulness of processing before withdrawal.
- Right not to be subject to solely automated decisions with legal or similarly significant effects (Art 22) — see section 10 below; in practice we do not carry out such processing.
- Right to lodge a complaint with a supervisory authority (Art 77) — you may complain to the Cypriot data-protection authority: Office of the Commissioner for Personal Data Protection, or to the authority in the EU/EEA country where you live or work.
A consolidated contact surface covering privacy, product-safety, and consumer-dispute channels is available on our Legal and safety contact page.
9. Account deletion and anonymisation
When you delete your account (Account → Security → Delete account) we:
- Cancel any active subscription with Stripe so billing stops immediately.
- Anonymise your profile row: name, phone and address fields are nulled; the e-mail is replaced with a non-routable marker of the form deleted-<uuid>@deleted.local; consent timestamps are retained as evidence required for Art 7(1) until their own retention period ends.
- Delete your Supabase authentication record so you can no longer log in.
- Retain the anonymised row as an opaque foreign-key target for orders and invoices held under the Art 17(3)(b) compliance exemption.
10. Automated decision-making
We do not make decisions about you based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you. Payment-fraud screening performed by Stripe may decline transactions; in those cases, you can retry or choose another payment method, and you can always ask us to review the outcome manually by writing to the privacy contact above.
11. Children
The NextBaller service is intended for adults. Signup requires a declared year of birth confirming you are at least 18 years old. We do not knowingly collect personal data from children; if you believe a minor has registered, contact us at the privacy address above and we will delete the account.
12. Data provision: statutory or contractual
The identity, contact, and shipping data we collect are necessary to enter into and perform the sales contract with you; we cannot process an order without them. The year-of-birth check is necessary to verify eligibility for the service. All other data (marketing consent, analytics consent, preferred brands, apparel size) are optional; declining them does not prevent you from using the service.
13. Changes to this policy
We may update this policy to reflect changes in our processing, the law, or our service. Material changes will be communicated by e-mail and by a notice on the site before they take effect. The “Last reviewed” date below indicates the most recent change.
14. Related documents
Last reviewed: April 2026