Privacy Policy

Last updated: May 20, 2026

This policy describes how Softry OÜ, a company registered in the Republic of Estonia (registration number 14786518, Sepapaja 6, Tallinn 15551) ("we", "us", "our"), collects, uses, and protects your information when you use Next Hand ("the Service"). Softry OÜ is the data controller for the personal data described below.

Information we collect

• Account information — display name, email address, and either a hashed password or an authentication token received from Google Sign-In or Sign in with Apple when you use those options.
• Game data — match history, scores, player ratings, and round-level events generated as you play.
• Purchase information — records of in-app coin purchases (transaction ID, item, timestamp). Payments are processed by Apple or Google; we do not receive your card or full payment details.
• Device data — a per-install device identifier, IP address (and the country derived from it via GeoIP), platform, operating-system version, device model and manufacturer, locale, app build number, whether the device is a physical device or an emulator, and timestamps for first and last connection.
• Gameplay metrics — per-game and total round counts associated with your device, used for ad pacing and analytics.
• Diagnostics and analytics — crash reports, error logs, and basic usage metrics collected through third-party processors to help us diagnose problems and improve the Service.
• Advertising data — when ads are shown, your device's advertising identifier and a limited set of device data are shared with our advertising partner to serve and measure ads.

How we use your information and our legal basis

We process your data under the EU General Data Protection Regulation (GDPR) on the following grounds:

• To provide the Service — account management, matchmaking, leaderboards, syncing game state across your devices, processing in-app purchases. Legal basis: performance of our contract with you (Art 6(1)(b)).
• To keep the Service safe — detecting cheating, abuse, fraud, and breaches of our Terms. Legal basis: our legitimate interests in running a fair platform (Art 6(1)(f)).
• To diagnose problems and improve the Service — crash and error reporting, performance metrics. Legal basis: legitimate interests (Art 6(1)(f)).
• To serve advertising — including frequency capping and measurement. Legal basis: your consent where required (Art 6(1)(a)); otherwise our legitimate interests (Art 6(1)(f)).
• To meet legal obligations — keeping purchase, tax, and accounting records. Legal basis: legal obligation (Art 6(1)(c)).

Information sharing

We do not sell your personal information. Your display name, avatar, and game statistics are visible to other players as part of normal gameplay. We share data with the following categories of processor strictly to operate the Service:

• Cloud hosting and infrastructure providers running our servers.
• Authentication providers when you sign in with Google or Apple.
• App distribution and payment processors (Apple App Store, Google Play) when you purchase coins.
• Analytics and crash-reporting providers.
• Advertising partners (currently Google AdMob).
• Tax, accounting, and legal advisers, where required.

International transfers

Some of our providers — including Google AdMob, Apple, Google Play, and certain analytics services — process data in the United States or other countries outside the European Economic Area. Where we transfer personal data outside the EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses or the EU-US Data Privacy Framework adequacy decision.

How long we keep your information

• Account and profile data — for as long as your account is active.
• Match history and gameplay events — while your account is active; after deletion, retained in anonymised form so other players' match histories and ratings remain consistent.
• Device records — up to 24 months from the device's last connection.
• Server logs (including IP addresses) — up to 90 days for security and debugging, longer where a specific incident requires it.
• Purchase, tax, and accounting records — for the period required by Estonian law (typically up to 7 years from the transaction).
• Records related to abuse, fraud, or violations of our Terms — for as long as needed to enforce them or comply with our legal obligations.

Advertising

The Service displays advertisements provided by Google AdMob. AdMob may use your device's advertising identifier and other device data to deliver and measure ads. On supported platforms we show a consent prompt that lets you choose between personalised and non-personalised ads, and you can reset or limit your advertising identifier at any time in your device settings.

Cookies and local storage

The Service stores small amounts of data on your device to keep you signed in, remember your settings, and operate features such as ad-frequency capping. The web version may use cookies that are strictly necessary for authentication and core functionality; we do not use cookies or local storage for cross-site tracking.

Your rights

If you are in the EEA, the UK, or another jurisdiction with similar laws, you have the following rights regarding your personal data:

• Access — request a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — delete your account and associated data (see "Data deletion" below).
• Restriction — ask us to limit certain processing.
• Portability — receive a structured copy of data you have provided to us.
• Objection — object to processing based on our legitimate interests.
• Withdraw consent — at any time, where processing is based on consent (for example, personalised ads).

To exercise these rights, contact us at support@nexthand.online from the email address associated with your account.

You also have the right to lodge a complaint with your local data-protection supervisory authority. Our lead authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

Data security

We protect your information with encrypted connections (TLS) for all client-server traffic, hashed and salted passwords (bcrypt), restricted access to production systems, and ongoing monitoring. No method of electronic transmission or storage is completely secure.

Data deletion

You can delete your account and personal data at any time from inside the app at Profile → Edit profile → Delete account, or by following the instructions on our account deletion page. Deletion is typically completed within 30 days. Some data may be retained longer where required by law or for fraud prevention; see "How long we keep your information" above and the deletion page for the full breakdown of what is removed and what is retained.

Children

The Service is not intended for children under 13, and we do not knowingly collect personal data from them. The minimum age at which a child can consent to online services varies between countries. If your country sets a higher minimum age than 13 (for example, 16 in some EU member states), you may use the Service only if you meet that age or your parent or legal guardian has consented to your use.

Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top of this page reflects the current version. We will communicate material changes through the Service or by email.

Contact

For questions about this policy or to exercise your rights, contact us at support@nexthand.online or by post at: Softry OÜ, Sepapaja 6, Tallinn 15551, Estonia.