Controller
The operator of NXL App (Individual micro-entrepreneur (France)), established in France, is the data controller for personal data processed through NXL App.
Privacy requests: [email protected]. General contact: [email protected].
We are not required to appoint a Data Protection Officer (DPO) under Article 37 GDPR. For all privacy matters, contact the address above.
What we process
- Account (optional): email address, hashed password, email verification status, plan tier (Free / Pro), and account creation date. We send a confirmation link before the account becomes active.
- Riot profile link (RSO, optional): when you claim your profile via Riot Sign-On, we store your PUUID, Riot ID (game name + tag), region, link timestamp, and optional rank-up email preferences.
- Profile analysis:Riot ID, PUUID, ranked match statistics, GPI / Nex Score outputs, loss patterns, coaching locks, and cached match payloads retrieved from Riot's API — including data for profiles you search without an account.
- Saved progress (RSO claim): season goals, pre-game commitments, and related coaching session metadata tied to your linked account.
- Coach: aggregated stats and coaching context from your analysis are sent to our AI providers (Google Gemini on Free, Anthropic Claude on Pro) to generate coaching text. Follow-up chat messages are processed in the request but are not stored as a full conversation history. We store a short session memory per profile (last quick-win summary and focus label) to keep follow-ups coherent, and optional like/dislike ratings with a short response preview for quality monitoring.
- Billing (Pro, optional): Stripe customer and subscription identifiers, billing interval, subscription status, and founder-discount flags. Card details are handled by Stripe — we do not store full payment card numbers.
- Patch newsletter (optional): email address and optional champion/role context used to personalise patch emails.
- Usage analytics: hashed client identifier derived from your IP address (not stored in plain text), coarse page groups, optional profile keys for viewed profiles, and optional user ID when signed in — for service metrics and abuse prevention.
- Technical & security logs: IP address, request metadata, and rate-limit counters for API protection (short-lived in memory or server logs).
- Device (browser): favorite profiles and recent searches in local storage if you use those features; essential httpOnly session and CSRF cookies when signed in.
- Feedback: message content, optional reply email, page URL, and technical logs (e.g. IP) for abuse prevention.
- Automatic bug reports: when a critical client error is shown, we may send page URL, app version, error category, and technical context (no free-text from you) so we can fix issues — hashed IP or account ID when signed in.
Purposes & legal bases
- Provide the service (profile analysis, Coach, Live, History, Progress) — contract when you create an account or subscribe; legitimate interest when you browse without an account.
- Account & Riot link management — contract.
- Subscription billing — contract and legal obligation (tax/accounting records).
- Patch emails — consent (you subscribe; you can unsubscribe at any time).
- Secure the API, prevent abuse, and measure aggregate usage — legitimate interest.
- Improve Coach quality (ratings, admin review) — legitimate interest.
Coach output is generated by AI from your game data. It is coaching assistance, not an automated decision with legal or similarly significant effects under Article 22 GDPR.
Retention
- Account & linked Riot profile: until you delete your account, unlink, or request erasure.
- Cached match data & analyses: rolling retention for service operation (typically up to 90 days unless configured otherwise on the server); coaching stability locks may persist longer while still tied to the same profile window.
- Coach session memory & ratings: until overwritten by a newer session, profile cache purge, or erasure request.
- Billing records: for the duration of the subscription and as required by applicable tax and accounting law.
- Patch newsletter: until you unsubscribe or request deletion.
- Usage events: aggregated retention for internal analytics (admin); raw events are not kept indefinitely.
- Feedback emails:kept in the operator's mailbox according to their email retention practices.
- Server security logs: short rolling window (typically days to weeks).
Recipients & processors
We use the following categories of recipients. We do not sell your personal data.
- Riot Games — API access to public ranked match data.
- Hosting provider (IONOS SARL) — application and database hosting in the EU/EEA where configured.
- Google (Gemini API) — Coach on Free tier.
- Anthropic (Claude API) — Coach on Pro tier.
- Stripe — payment processing and customer portal for Pro subscriptions.
- Brevo — transactional email (verification, password reset, feedback relay, optional patch and rank-up emails).
International transfers
Some processors (Google, Anthropic, Stripe) may process data in the United States or other countries outside the EU/EEA. Where required, transfers rely on appropriate safeguards such as the EU Standard Contractual Clauses and the processor's compliance programme. You may request more information about safeguards via [email protected].
Your rights (GDPR)
Depending on your situation, you may request access, rectification, erasure, restriction, portability, or objection to processing based on legitimate interest. To withdraw consent (e.g. patch emails), use the unsubscribe link or contact us.
Delete your account: sign in and use account deletion when available, or email [email protected]. Deleting your account removes linked Riot data, saved progress, and billing linkage in our database; Stripe may retain payment records under its own legal obligations.
Without an account: searching a Riot ID does not require registration. To remove cached profile data tied to your Riot ID, contact us with your Riot ID and region. Browser local storage can be cleared in your device settings.
You may lodge a complaint with your supervisory authority. In France: CNIL.
Security
We apply technical and organisational measures appropriate to the risk: HTTPS in production, hashed passwords, httpOnly session cookies, CSRF protection, rate limiting, and access controls on infrastructure. No method of transmission or storage is 100% secure; report suspected issues to [email protected].
Last updated: 2026-06-25
