Privacy Policy

Last updated: March 9, 2026

This Privacy Policy describes how VisualTech Studio ("we", "the Operator") collects, uses, and protects your personal data when you use Nero Bay ("the Service", "the Game"), available at nerobay.online.

We comply with the General Data Protection Regulation (GDPR — EU Regulation 2016/679) and applicable Romanian data protection legislation.

1. Data Controller

  • Controller: VisualTech Studio
  • Headquarters: Romania
  • Contact email: contact@nerobay.online

2. Personal Data Collected

2.1 Data provided directly by you

  • Email address — at registration (email/password or OAuth)
  • Username — chosen during character creation
  • Password — stored only as a bcrypt hash, never in plain text
  • OAuth information — Discord/Google account ID (if using social authentication)

2.2 Automatically collected data

  • IP address — for security, rate limiting, and abuse prevention
  • User Agent — browser and device type
  • Session data — session duration, last activity, device used
  • Gameplay data — in-game actions, progress, virtual transactions, character statistics
  • Push notification tokens — if you enable notifications (Firebase Cloud Messaging)

2.3 Payment data

  • Payments are processed by Stripe (PCI DSS compliant processor).
  • We do not store your card data (card number, CVV, expiration date).
  • We only store: Stripe customer ID, transaction history, and subscription status.

3. Purpose of Data Processing

| Purpose | Legal Basis (GDPR) |
|---|---|
| Account creation and management | Art. 6(1)(b) — Contract performance |
| Providing the game service | Art. 6(1)(b) — Contract performance |
| Payment processing | Art. 6(1)(b) — Contract performance |
| Sending push notifications | Art. 6(1)(a) — Consent |
| Security and fraud prevention | Art. 6(1)(f) — Legitimate interest |
| Chat moderation | Art. 6(1)(f) — Legitimate interest |
| Analytics and service improvement | Art. 6(1)(f) — Legitimate interest |
| Service communications | Art. 6(1)(b) — Contract performance |

4. Data Sharing

We do not sell your personal data. We only share it with:

  • Stripe — payment processing (USA, EU Standard Contractual Clauses)
  • Firebase / Google Cloud — push notifications (USA, EU SCCs)
  • Railway — infrastructure hosting (USA/EU)
  • Discord — if you use Discord authentication (USA, EU SCCs)
  • Cloudflare — CDN and asset storage (global, EU SCCs)
  • Resend — transactional email delivery (USA, EU SCCs)

All data processors are selected for their GDPR compliance and use Standard Contractual Clauses (SCCs) for international data transfers.

5. Data Storage and Security

  • Data is stored on secure servers (PostgreSQL on Railway, Redis for cache).
  • Passwords are hashed with the bcrypt algorithm.
  • Communications are protected via HTTPS/TLS.
  • Database access is restricted through firewall and authentication.
  • Sessions automatically expire after 30 days of inactivity.
  • We implement rate limiting and brute-force attack protection.

6. Retention Period

  • Active account data: for the duration of the account's existence
  • Deleted account data: deleted within 30 days of the deletion request
  • Security logs: retained for a maximum of 90 days
  • Payment data: retained per tax obligations (5 years)
  • Chat messages: retained for a maximum of 90 days
  • Expired sessions: automatically deleted periodically

7. Your Rights (GDPR)

Under GDPR, you have the following rights:

  • Right of access — you can request a copy of your data
  • Right to rectification — you can correct inaccurate data
  • Right to erasure ("right to be forgotten") — you can request deletion of your account and data
  • Right to restriction of processing — you can limit how we use your data
  • Right to data portability — you can request your data in a structured format
  • Right to object — you can object to processing based on legitimate interest
  • Right to withdraw consent — for push notifications, at any time from settings

To exercise your rights, contact us at contact@nerobay.online. We will respond within 30 days.

8. Data Visible to Other Players

The following information is publicly visible in the game:

  • Character name, level, faction, and gang
  • Character statistics and equipment
  • Messages in global and gang chat
  • Leaderboard positions
  • Online/offline status

Your email address, IP, and payment data are never visible to other players.

9. Minors

Nero Bay is not intended for persons under 18 years of age. We do not knowingly collect data from minors. If you discover that a minor has created an account, contact us for its deletion.

10. International Transfers

Data may be transferred and processed outside the European Economic Area (EEA), particularly in the USA (Stripe, Firebase, Railway). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Policy Changes

We may update this Policy periodically. Significant changes will be communicated through in-game notification and/or email. The date of the last update is displayed at the top.

12. Supervisory Authority

If you believe that the processing of your data violates GDPR, you have the right to file a complaint with the National Supervisory Authority for Personal Data Processing (ANSPDCP):

  • Website: dataprotection.ro
  • Email: anspdcp@dataprotection.ro

13. Contact

For any questions regarding data privacy:

  • Email: contact@nerobay.online
  • Operator: VisualTech Studio, Romania