Privacy Policy
This policy explains how M-Sport Equipment Ltd (“we”, “us”) processes personal data when you use the NextBaller storefront. It is provided under Articles 13 and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
1. Controller identity and contact
M-Sport Equipment Ltd
Eleftherias 77 Shop No. 1, 7102 Aradippou, Cyprus
VAT CY10442302Y
Reg. HE 454228
General contact: info@m-sportsolutions.com
Privacy enquiries: info@nextballer.eu
We have not designated a Data Protection Officer under Article 37 GDPR because our processing does not meet the criteria set out in that Article. You may still address any privacy matter to the privacy contact above.
2. Data we collect
- Identity and contact — name, e-mail address, telephone number, shipping address, year of birth (for the 18+ check at signup).
- Account and preferences — hashed password (handled by our authentication provider, not stored in plaintext), apparel and footwear sizes, preferred brands, marketing opt-in flag, consent timestamps.
- Order and billing — items ordered, order totals, VAT data, invoice records, shipping and delivery details, payment-method token (the card number itself is processed by Stripe and never stored by us).
- Subscription — Stripe customer and subscription identifiers, membership status, renewal dates.
- Member tier and qualification — your current tier, the path on which you qualified (tenure or spend), the date the tier was attained, and snapshots of the qualification inputs (months of tenure, count of qualifying paid orders, and cumulative cash spent on orders) recorded at attainment. Derived from your subscription history and order history; updated by a nightly recompute.
- Achievements — for each achievement badge you have unlocked under the programme described in clause 11.7 of our Terms: the achievement code, the date it was awarded, and a reference to the credit-ledger row that issued the corresponding reward (where the achievement carries one).
- Referral programme — your personal referral code; the inbound referral code (if any) you redeemed at signup; the link between your account and the sender's; and issuance, payout, expiry, or reversal events on the referral row.
- Consent and legal records — timestamped acceptance of Terms and Privacy Policy (Art 7(1) GDPR, demonstrable consent); marketing-consent source; the digital-service waiver of the right of withdrawal under Article 16(m) of Directive 2011/83/EU given for the subscription; right-of-withdrawal requests and their reasons.
- Technical and diagnostic — if, and only if, you have accepted analytics cookies, Sentry collects error traces and session-replay data that may include IP address, user-agent, rough location, and redacted DOM interactions. This data is not collected until you grant consent, and can be revoked via cookie settings.
3. Purposes of processing and legal bases
Article 13(1)(c) GDPR requires us to tell you both why we process your data and the legal basis under Article 6(1) that permits us to do so.
| Purpose | Legal basis |
|---|---|
| Create and manage your account; authenticate you. | Performance of a contract, Art 6(1)(b). |
| Process, ship, and invoice your orders. | Performance of a contract, Art 6(1)(b); and legal obligation, Art 6(1)(c). |
| Maintain accounting and invoice records. | Legal obligation, Art 6(1)(c) (EU VAT Directive 2006/112/EC Art 244; Cypriot VAT Act). |
| Operate the membership subscription (billing, renewal, cancellation). | Performance of a contract, Art 6(1)(b). |
| Operate the refer-a-friend programme — record code redemption, surface referral status in your dashboard, issue and (where applicable) reverse the sender's reward. | Performance of a contract, Art 6(1)(b) (the referral terms in clause 11.4 of our Terms of Service); legitimate interests, Art 6(1)(f), for anti-fraud heuristics (see the fraud-prevention row below). |
| Operate the member-tier ladder — compute your tier nightly from your subscription tenure and order history, issue monthly tier-boost credit when you hold a paying tier, and surface tier and progress on your dashboard. | Performance of a contract, Art 6(1)(b) (the tier terms in clauses 11.5 and 11.6 of our Terms of Service). |
| Operate the achievement-badge programme — detect when you have met a milestone, award the corresponding badge, and (where applicable) issue the associated one-time credit reward. | Performance of a contract, Art 6(1)(b) (the achievement terms in clause 11.7 of our Terms of Service). |
| Send operational e-mails (order confirmations, subscription receipts, withdrawal acknowledgements, tier-promotion notifications). | Performance of a contract, Art 6(1)(b); and legal obligation, Art 6(1)(c) (durable-medium confirmations under Directive 2011/83/EU Art 8(7)). |
| Send marketing e-mails. | Consent, Art 6(1)(a). Separate opt-in at signup; revocable at any time. |
| Error tracking and session-replay diagnostics via Sentry. | Consent, Art 6(1)(a). Not loaded unless you have accepted analytics cookies. |
| Detect and prevent fraud, abuse, and payment chargebacks. | Legitimate interests, Art 6(1)(f) — protecting the integrity of our service and the financial interests of both parties. The balancing test concludes that, given the narrow scope (payment events and account abuse signals), your fundamental rights are not overridden. Specifically for the refer-a-friend programme, we compare normalised address components (street, city, postal code, country) between sender and receiver to detect same-household referrals. This is a profiling-adjacent activity that does not produce a decision with legal effect within the meaning of Article 22 GDPR — the payout decision is reversible and is reviewed by a human before any final outcome. |
| Respond to legal requests; exercise or defend legal claims. | Legal obligation, Art 6(1)(c); and legitimate interests, Art 6(1)(f). |
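The same-household heuristic in the fraud-prevention row is a normalise-then-compare check over the four address components. The following is an added, illustrative implementation, not the storefront's own code: the field names, the street-abbreviation table, the country-name map and the sample addresses are all assumptions constructed for the demonstration.

```python
import re
import unicodedata
from dataclasses import dataclass


@dataclass(frozen=True)
class Address:
    """Assumed shape of the address components the policy names."""
    street: str
    city: str
    postal_code: str
    country: str


# Assumed, non-exhaustive list of street-type abbreviations, expanded so that
# "Kennedy Ave" and "Kennedy Avenue" normalise to the same value.
_STREET_WORDS = {
    "st": "street", "str": "street", "rd": "road", "ave": "avenue",
    "av": "avenue", "ln": "lane", "dr": "drive", "blvd": "boulevard",
}

# Assumed map of a few spelled-out country names to ISO 3166-1 alpha-2 codes.
_COUNTRY_NAMES = {"cyprus": "CY", "ireland": "IE", "germany": "DE", "united kingdom": "GB"}


def _fold(text: str) -> str:
    """Lower-case, strip accents, drop punctuation, collapse whitespace."""
    text = unicodedata.normalize("NFKD", text)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.casefold()
    text = re.sub(r"[^\w\s]", " ", text)
    return re.sub(r"\s+", " ", text).strip()


def normalise_street(street: str) -> str:
    return " ".join(_STREET_WORDS.get(w, w) for w in _fold(street).split())


def normalise_postal_code(code: str) -> str:
    # Compare on alphanumerics only: " 7102 " == "7102", "sw1a 1aa" == "SW1A1AA".
    return re.sub(r"[^A-Za-z0-9]", "", code).upper()


def normalise_country(country: str) -> str:
    key = _fold(country)
    return _COUNTRY_NAMES.get(key, key.upper())


def normalise(addr: Address) -> tuple[str, str, str, str]:
    return (
        normalise_street(addr.street),
        _fold(addr.city),
        normalise_postal_code(addr.postal_code),
        normalise_country(addr.country),
    )


def same_household(sender: Address, receiver: Address) -> bool:
    """True when every normalised component matches. This only raises a flag;
    as the policy states, the payout decision itself is reviewed by a human."""
    return normalise(sender) == normalise(receiver)


# Constructed sample data.
SENDER = Address("Kennedy Ave 12, Flat 3", "Larnaca", "6043", "CY")
RECEIVER_SAME = Address("kennedy avenue 12 flat 3", "LARNACA", " 6043 ", "Cyprus")
RECEIVER_OTHER = Address("Kennedy Avenue 14", "Larnaca", "6043", "CY")

if __name__ == "__main__":
    print(same_household(SENDER, RECEIVER_SAME))   # True
    print(same_household(SENDER, RECEIVER_OTHER))  # False
```

Normalising before comparing is what makes the check useful against trivial evasion (case, punctuation, spacing, abbreviations); it also means a match is a signal rather than proof, which is why the policy keeps a human in the loop.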
4. Recipients and processors
We share personal data with the following processors, each acting under a written data processing agreement (Art 28 GDPR):
- Supabase — authentication and primary database. Hosted in the EU (eu-west-1, Ireland).
- Stripe Payments Europe, Ltd. (Ireland) — card payment processing, subscription billing, Stripe-hosted customer portal. Payment card data is processed under PCI-DSS; we only receive tokenised references. Stripe may transfer data to Stripe, Inc. (United States) under the EU-US Data Privacy Framework and/or Standard Contractual Clauses.
- Resend — transactional e-mail delivery (order confirmations, subscription receipts, withdrawal acknowledgements, password resets). Transfers to the United States are covered by Standard Contractual Clauses.
- Vercel Inc. — application hosting and edge delivery. Transfers to the United States are covered by Standard Contractual Clauses; EU-originating requests are routed to EU edge regions where possible.
- Functional Software, Inc. (Sentry) — diagnostic error capture and session replay, loaded only on analytics consent. Transfers to the United States are covered by Standard Contractual Clauses.
- Bunny.net — EU-hosted font delivery and static asset CDN. No personal data is transferred outside the EU.
- Carrier partners — the shipping carrier you select at checkout receives your name, shipping address, and contact phone to deliver the order.
- Competent authorities — where required by law (for example, tax audits, law-enforcement requests with proper legal basis).
We do not sell personal data and we do not use it for third-party advertising.
Within-platform disclosures. If you sign up using a friend's referral code, your name and a partially-masked e-mail address are visible to your referrer in their referral dashboard so they can track whether their referrals have completed. This is an internal disclosure between two users of the NextBaller platform, not a transfer to an external recipient or processor. Your physical address, payment details, order contents, and any other personal data are never shared with your referrer.
5. Transfers outside the EEA
Some of our processors (Stripe, Resend, Vercel, Sentry) have parent entities in the United States. Where your data is transferred outside the European Economic Area, such transfer is protected by one or more of the following mechanisms under Chapter V GDPR:
- EU-US Data Privacy Framework certification (where the processor is self-certified).
- European Commission Standard Contractual Clauses (Decision (EU) 2021/914).
- Where necessary, supplementary technical and organisational measures (encryption in transit and at rest, access controls).
Copies of the safeguards are available on request from the privacy contact above.
7. Retention periods
- Account data — retained for as long as your account is active. On account deletion we anonymise the profile row (see section 9 below) and remove personally identifying fields.
- Orders and invoices — retained for seven (7) years after the end of the tax year in which the transaction occurred, under EU VAT Directive 2006/112/EC Art 244 and the Cypriot VAT Act. This retention overrides account-deletion requests for these specific records (Art 17(3)(b) GDPR).
- Consent and marketing records — retained for the duration of the consent and for up to three years after withdrawal, as evidence of demonstrable consent (Art 7(1) GDPR).
- Error and session-replay data (Sentry) — retained for up to 90 days by the processor, then deleted.
- Support correspondence — retained for up to three years to handle follow-up enquiries and defend potential claims.
- Referral records — retained for the longer of (i) two years after the referral row reaches a terminal status (paid, rejected, or expired), or (ii) the standard order-record retention period if the row is linked to a qualifying order. Retention beyond account closure is grounded in Art 17(3)(e) GDPR (defence of legal claims, including clawback disputes) and Art 17(3)(b) where the row is linked by foreign key to an invoice.
8. Your rights
Under the GDPR you have the following rights, which you may exercise by writing to info@nextballer.eu:
- Right of access (Art 15) — obtain a copy of the personal data we hold about you. A self-service export is available in Account → Security.
- Right to rectification (Art 16) — correct inaccurate or incomplete data. Most fields are editable from your account.
- Right to erasure (Art 17) — request deletion. Also available self-service; retention under Art 17(3)(b) still applies to invoice records. If you exercise erasure while you have a pending or paid referral row attached to your account, we anonymise your identifiers on the referral row but retain the row for the period set out in section 7 (referral records). The masked information your referrer sees is removed at the moment of anonymisation.
- Right to restriction (Art 18).
- Right to data portability (Art 20) — structured, commonly used, machine-readable format. Delivered as JSON by the self-service export.
- Right to object (Art 21) — especially to processing based on legitimate interests.
- Right to withdraw consent (Art 7(3)) — for any processing based on consent (analytics cookies, marketing e-mails). Does not affect the lawfulness of processing before withdrawal.
- Right not to be subject to solely automated decisions with legal or similarly significant effects (Art 22) — see section 10 below; in practice we do not carry out such processing.
- Right to lodge a complaint with a supervisory authority (Art 77) — you may complain to the Cypriot data-protection authority: Office of the Commissioner for Personal Data Protection, or to the authority in the EU/EEA country where you live or work.
A consolidated contact surface covering privacy, product-safety, and consumer-dispute channels is available on our Legal and safety contact page.
9. Account deletion and anonymisation
When you delete your account (Account → Security → Delete account) we:
- Cancel any active subscription with Stripe so billing stops immediately.
- Anonymise your profile row: name, phone and address fields are nulled; the e-mail is replaced with a non-routable marker of the form deleted-<uuid>@deleted.local; consent timestamps are retained as evidence required for Art 7(1) until their own retention period ends.
- Delete your Supabase authentication record so you can no longer log in.
- Retain the anonymised row as an opaque foreign-key target for orders and invoices held under the Art 17(3)(b) compliance exemption.
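The deletion steps above amount to an anonymise-in-place routine: the profile row survives as a foreign-key target for invoices while every identifying field is removed. The following is an added example written for this page, not the storefront's or Supabase's own code; it uses an in-memory SQLite database with an assumed schema (auth_users, profiles, orders) and constructed sample data. It also shows why anonymisation is used instead of a hard delete: with foreign keys enforced, deleting a profile that invoices still reference is rejected.

```python
import re
import sqlite3
import uuid

# Assumed schema. profiles deliberately carries no foreign key to auth_users,
# so the anonymised profile row survives deletion of the authentication record.
SCHEMA = """
CREATE TABLE auth_users (
    id    TEXT PRIMARY KEY,
    email TEXT NOT NULL
);
CREATE TABLE profiles (
    id                  TEXT PRIMARY KEY,
    email               TEXT NOT NULL UNIQUE,
    full_name           TEXT,
    phone               TEXT,
    address             TEXT,
    terms_accepted_at   TEXT,
    privacy_accepted_at TEXT
);
CREATE TABLE orders (
    id          INTEGER PRIMARY KEY,
    profile_id  TEXT NOT NULL REFERENCES profiles(id),
    total_cents INTEGER NOT NULL,
    invoice_no  TEXT NOT NULL
);
"""

PROFILE_ID = "0f1b0a3e-9c4d-4c1a-8b1e-6a2d5c7e9f01"  # constructed
MARKER_RE = re.compile(r"^deleted-[0-9a-f-]{36}@deleted\.local$")


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # enforce orders -> profiles
    conn.executescript(SCHEMA)
    return conn


def seed(conn: sqlite3.Connection) -> None:
    """Constructed sample data: one user with two invoiced orders."""
    conn.execute("INSERT INTO auth_users VALUES (?, ?)", (PROFILE_ID, "jane@example.com"))
    conn.execute(
        "INSERT INTO profiles VALUES (?, ?, ?, ?, ?, ?, ?)",
        (PROFILE_ID, "jane@example.com", "Jane Doe", "+357 99 000000",
         "Kennedy Avenue 12, Larnaca", "2024-05-01T10:00:00Z", "2024-05-01T10:00:00Z"),
    )
    conn.executemany(
        "INSERT INTO orders (profile_id, total_cents, invoice_no) VALUES (?, ?, ?)",
        [(PROFILE_ID, 4999, "INV-2024-0001"), (PROFILE_ID, 12900, "INV-2024-0002")],
    )
    conn.commit()


def hard_delete_is_blocked(conn: sqlite3.Connection, profile_id: str) -> bool:
    """A hard delete fails while invoices still reference the profile."""
    try:
        with conn:
            conn.execute("DELETE FROM profiles WHERE id = ?", (profile_id,))
    except sqlite3.IntegrityError:
        return True
    return False


def anonymise_profile(conn: sqlite3.Connection, profile_id: str) -> str:
    """Remove the auth record, null the identifying fields, replace the e-mail
    with a non-routable marker, and keep consent timestamps and the row itself.
    Runs as one transaction so either every step applies or none does."""
    marker = f"deleted-{uuid.uuid4()}@deleted.local"
    with conn:
        conn.execute("DELETE FROM auth_users WHERE id = ?", (profile_id,))
        conn.execute(
            "UPDATE profiles SET email = ?, full_name = NULL, phone = NULL, address = NULL "
            "WHERE id = ?",
            (marker, profile_id),
        )
    return marker


def profile_state(conn: sqlite3.Connection, profile_id: str) -> dict:
    """What is left after anonymisation: marker e-mail, nulled identity fields,
    surviving consent timestamp, intact order links, no login."""
    row = conn.execute(
        "SELECT email, full_name, phone, address, terms_accepted_at "
        "FROM profiles WHERE id = ?", (profile_id,)).fetchone()
    orders = conn.execute(
        "SELECT COUNT(*) FROM orders WHERE profile_id = ?", (profile_id,)).fetchone()[0]
    can_login = conn.execute(
        "SELECT COUNT(*) FROM auth_users WHERE id = ?", (profile_id,)).fetchone()[0] == 1
    return {"email": row[0], "full_name": row[1], "phone": row[2], "address": row[3],
            "terms_accepted_at": row[4], "orders": orders, "can_login": can_login}


if __name__ == "__main__":
    db = open_db()
    seed(db)
    print(hard_delete_is_blocked(db, PROFILE_ID))  # True
    anonymise_profile(db, PROFILE_ID)
    print(profile_state(db, PROFILE_ID))
```

The marker uses a random UUID rather than a hash of the old address so the anonymised value cannot be linked back to the original e-mail; the reserved `.local` domain guarantees it is never routable.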
10. Automated decision-making
We do not make decisions about you based solely on automated processing (including profiling) that produce legal effects concerning you or similarly significantly affect you. Payment-fraud screening performed by Stripe may decline transactions; in those cases, you can retry or choose another payment method, and you can always ask us to review the outcome manually by writing to the privacy contact above.
The nightly member-tier recompute and the achievement-badge detection described in section 3 are automated processes, but they do not produce decisions with legal or similarly significant effect within the meaning of Article 22 GDPR: the only outcomes are the issuance of store credit usable as a conditional discount (a small, reversible benefit) and a position on a public-facing tier ladder. You can request a manual review of any tier or badge outcome by writing to the privacy contact above; the underlying inputs (your tenure, your qualifying orders, your cumulative cash spend, and your referral activity) are visible in your account and are derived from records you can audit.
11. Children
The NextBaller service is intended for adults. Signup requires a declared year of birth confirming you are at least 18 years old. We do not knowingly collect personal data from children; if you believe a minor has registered, contact us at the privacy address above and we will delete the account.
12. Data provision: statutory or contractual
The identity, contact, and shipping data we collect are necessary to enter into and perform the sales contract with you; we cannot process an order without them. The year-of-birth check is necessary to verify eligibility for the service. All other data (marketing consent, analytics consent, preferred brands, apparel size) are optional; declining them does not prevent you from using the service.
13. Changes to this policy
We may update this policy to reflect changes in our processing, the law, or our service. Material changes will be communicated by e-mail and by a notice on the site before they take effect. The “Last reviewed” date below indicates the most recent change.
14. Related documents
Last reviewed: May 2026