Privacy Policy
Effective Date: January 11, 2026
Last Updated: January 11, 2026
Introduction
Welcome to Nexlog. We are committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our TCG (Trading Card Game) team performance tracking application.
Nexlog is a multi-tenant SaaS application designed for competitive Magic: The Gathering teams to track match results, analyze performance statistics, manage decks, coordinate card borrowing, and organize tournaments.
Please read this Privacy Policy carefully. By using Nexlog, you consent to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our service.
Information We Collect
We collect information that you provide directly to us, information collected automatically when you use our service, and information from third-party sources.
Information You Provide Directly
When you create an account, join a team, or use our services, you may provide us with:
- Account information: Email address, password, first and last name, display name
- Profile information: Avatar/profile picture, timezone, country, bio
- Team profile: Jersey name, jersey number, t-shirt size (optional, used for team admin)
- Social links: Twitter/X, Twitch, YouTube, Instagram URLs (optional, displayed on public team pages)
- Team information: Team name, description, logo, banner image, website, Discord server, social media handles
- Match data: Match results, game records, deck information, venue details, play/draw decisions, mulligan counts, turn counts, life totals
- Deck information: Deck names, archetypes, card lists, deck notes
- Card borrowing data: Card requests, loan records, wishlists
- Tournament and event data: Event names, dates, locations, participant lists, RSVPs
- Custom form responses: Data submitted through team-created custom forms
- Communication preferences: Notification settings, email preferences
Information Collected Automatically
When you access or use Nexlog, we automatically collect certain information:
- Session information: IP address, device type (mobile/desktop/tablet), browser name and version, operating system
- Geographic location: Derived from IP address (city and country level)
- Activity data: Login times, last activity timestamps, session duration
- Security information: Two-factor authentication status, trusted devices, login attempts
- Usage analytics: Pages visited, features used, performance statistics viewed
Information from Third Parties
We may receive information about you from third-party services we integrate with:
- Stripe: Payment processing information (we do not store full credit card numbers)
- Team invitations: When you are invited to join a team, we receive your email address from the inviting team member
How We Use Your Information
We use the information we collect for various purposes, including:
To Provide and Maintain Our Services
- Create and manage your account
- Process team memberships and invitations
- Record and analyze match results and game statistics
- Manage deck collections and track performance
- Facilitate card borrowing between team members
- Organize tournaments and team events
- Generate analytics and performance reports
To Communicate With You
- Send team invitations and membership notifications
- Notify you about card loan requests and returns
- Remind you about upcoming events and tournaments
- Send important service updates and security alerts
- Respond to your inquiries and support requests
For Security and Protection
- Verify your identity and prevent fraud
- Monitor for suspicious activity and unauthorized access
- Maintain session security and manage trusted devices
- Enforce our Terms of Service and protect user safety
To Improve Our Services
- Analyze usage patterns to improve user experience
- Debug and fix technical issues
- Develop new features based on user needs
- Monitor service performance and reliability
For Billing and Payments
- Process subscription payments and seat upgrades
- Generate and send invoices
- Manage subscription status and billing cycles
- Handle refunds and billing disputes
Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA), we process your personal data based on the following legal grounds:
- Contract Performance: Processing necessary to provide our services under our Terms of Service (account management, team features, match tracking)
- Legitimate Interests: Processing for our legitimate business interests, such as fraud prevention, security, service improvement, and analytics, where your rights do not override these interests
- Consent: Where you have given explicit consent for specific processing activities (e.g., optional marketing communications)
- Legal Obligations: Processing required to comply with legal requirements (e.g., tax records for payments)
How We Share Your Information
We do not sell your personal information. We may share your information in the following circumstances:
Within Your Teams
When you join a team, certain information is shared with other team members:
- Your display name, profile picture, and bio
- Your match results and performance statistics
- Your deck information (within team deck sharing features)
- Card borrowing activity (requests, loans, wants)
- Event participation and RSVPs
Public Team Pages
If your team has enabled a public team page, the following may be publicly visible:
- Team roster with member names and optional social links
- Staff members and their titles
- Team achievements and sponsors
- Team media gallery
Service Providers
We share information with trusted third-party service providers who assist us in operating our service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, payment information, billing address |
| Resend | Transactional emails | Email address, name, notification content |
| Pusher | Real-time notifications | User ID, team ID, notification events |
| Neon (PostgreSQL) | Database hosting | All application data (encrypted at rest) |
| Vercel | Application hosting | Access logs, request data |
| Redis/Upstash | Caching and queues | Session data, cached responses |
Legal Requirements
We may disclose your information when required by law or in response to valid legal requests, such as:
- Court orders, subpoenas, or legal process
- Requests from law enforcement or regulatory authorities
- Protection of our legal rights or defense against legal claims
- Prevention of fraud or other illegal activities
Business Transfers
If Nexlog is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal data.
Data Retention
We retain your personal data for as long as necessary to provide our services and fulfill the purposes described in this Privacy Policy.
| Data Type | Retention Period | Notes |
|---|---|---|
| Account data | Until account deletion | Required for service provision |
| Match history | Duration of team membership | Part of team analytics |
| Session logs | 90 days | Security monitoring and debugging |
| Inactive sessions | Automatically cleaned after 24 hours | For session management |
| Payment records | 7 years | Legal/tax compliance requirements |
| Deleted account data | 30 days after deletion request | Recovery period, then permanent deletion |
When you delete your account or leave a team, we will delete or anonymize your personal data, except where we are required to retain it for legal obligations.
Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
- Encryption: All data is encrypted in transit (TLS 1.3) and at rest
- Authentication: JWT-based authentication with short-lived access tokens (15 minutes) and longer refresh tokens (7 days)
- Two-Factor Authentication: Optional TOTP-based 2FA for enhanced account security
- Password Security: Passwords are hashed using industry-standard algorithms (never stored in plain text)
- Session Management: Active session monitoring with ability to revoke sessions and trusted devices
- Access Control: Role-based access control (RBAC) limiting data access to authorized team members
- Multi-Tenancy Isolation: Complete data isolation between teams prevents cross-tenant data access
- Regular Security Updates: We regularly update our infrastructure and dependencies to address security vulnerabilities
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
For EEA Residents (GDPR)
- Right to Access: Request a copy of your personal data
- Right to Rectification: Request correction of inaccurate data
- Right to Erasure: Request deletion of your data (with certain exceptions)
- Right to Restrict Processing: Request limitation of how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interests
- Right to Withdraw Consent: Withdraw consent where processing is based on consent
For California Residents (CCPA)
- Right to Know: Request disclosure of personal information collected, used, and shared
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information, so this right does not apply
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
Exercising Your Rights
To exercise any of these rights, you can:
- Use the account settings in Nexlog to update or delete your information
- Contact us at george@flexslot.gg with your request
- Delete your account through the account settings page
We will respond to valid requests within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.
International Data Transfers
Your information may be transferred to and processed in countries other than your country of residence. Our service providers operate in the United States and other jurisdictions.
For transfers from the EEA, we rely on Standard Contractual Clauses approved by the European Commission, or other lawful transfer mechanisms, to ensure adequate protection of your personal data.
Children's Privacy
Nexlog is not intended for children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at george@flexslot.gg, and we will take steps to delete such information.
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of material changes by:
- Posting the updated Privacy Policy on this page with a new effective date
- Sending an email notification to the address associated with your account
- Displaying a prominent notice within the application
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Email: george@flexslot.gg
For GDPR-related inquiries, you may also contact our Data Protection Officer at george@flexslot.gg.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.