← NextCrimeWersja polska

NextCrime service document

Privacy Policy

Version dated 13 July 2026. In case of discrepancies, the Polish version prevails.

The controller of personal data of Users of the NextCrime service (https://next-crime.pl) is NEXT REAL Sp. z o.o., registered office: ul. Gdańska 13, 50-334 Wrocław, Polska, KRS 0001242343, NIP 8982334148, REGON 544812952 (the "Controller"). Data protection contact: kontakt@next-crime.pl.

1. Data we process

  • Account data: e-mail address, account identifier and — when signing in with Google — the profile name, identifier and e-mail address provided by Google.
  • Gameplay data: progress in Cases, submitted answers, number of attempts, play time, in-game events (e.g. stage completion).
  • Newsletter sign-up data: the e-mail address provided to receive information about new Cases, together with the date and source of consent. You can sign up for the newsletter without creating an Account.
  • Purchase data: order identifier, purchased Case, amount, currency, payment status. We do not process payment card data — it is handled exclusively by the payment operator (Paddle or Stripe).
  • Technical data: IP address, device and browser type, approximate location (country), server logs.
  • Correspondence: the content of messages sent to the Service's contact addresses.

2. Purposes and legal bases

  • operating the Account and providing the Service, including saving progress — Art. 6(1)(b) GDPR (contract),
  • handling purchases and access to paid Cases — Art. 6(1)(b) GDPR, and for accounting records Art. 6(1)(c) GDPR (legal obligation),
  • handling complaints and correspondence — Art. 6(1)(b) and (f) GDPR,
  • statistics and analysis of the use of the Service (conversion, engagement) and ensuring security — Art. 6(1)(f) GDPR (legitimate interest),
  • transactional e-mails (confirmations, account notifications) — Art. 6(1)(b) GDPR; marketing communications — only with separate consent, Art. 6(1)(a) GDPR.

3. Recipients of data

We entrust data to processors used to operate the Service:

  • Supabase (database infrastructure and authentication),
  • Vercel (hosting),
  • Google (Sign in with Google),
  • Resend (e-mail delivery),
  • Paddle or Stripe (payment processing; Paddle may act as an independent controller in its merchant-of-record role),
  • the Controller's accounting and legal service providers.

Data may be transferred outside the European Economic Area (in particular to the USA) only under valid transfer mechanisms: an adequacy decision (EU-US Data Privacy Framework) or standard contractual clauses.

4. Retention

  • Account data — for the duration of the Account and up to 12 months after deletion (defence of claims),
  • purchase and accounting data — 5 years from the end of the tax year (tax law),
  • in-game analytics events — up to 24 months, then in aggregated form,
  • correspondence — up to 24 months after the matter is closed.

5. Your rights

Users have the right of access, rectification, erasure, restriction of processing, data portability, the right to object to processing based on legitimate interest, and the right to withdraw consent at any time (without affecting prior processing).

You can delete your Account together with all related data (progress, entitlements, newsletter sign-up) yourself in the „Your account” section. You can unsubscribe from the newsletter at any time — via the link in each message or by contacting the Administrator.

Other requests may be sent to kontakt@next-crime.pl. Users also have the right to lodge a complaint with a supervisory authority; in Poland this is the President of the Personal Data Protection Office (PUODO, ul. Stawki 2, 00-193 Warsaw).

Providing data is voluntary but necessary to create an Account and make purchases.

6. Cookies and localStorage

The Service uses cookies and the browser's localStorage for the following purposes:

  • essential — maintaining the signed-in User's session (Supabase authentication cookies),
  • functional — saving game progress on the device (localStorage), also for Users who are not signed in,
  • analytical — an anonymous device identifier (localStorage) used to measure engagement and conversion; the identifier is not combined with data from other services or shared with advertising networks.

The Service does not use third-party advertising networks or marketing cookies. Users can delete cookies and localStorage in browser settings; this may result in the loss of locally saved progress.

7. Automated decision-making

The Controller does not make decisions based solely on automated processing that produce legal effects for Users. Engagement analysis serves statistics and development of the Service only.

8. Changes to this policy

Registered Users will be informed of material changes to this policy by e-mail or by a notice in the Service. The current version is always available in the Service.