Privacy Policy
Effective Date: May 6, 2026 · Version: 1.1 · Operator: NEXTRIX STUDIOS (Quebec, Canada)
Introduction
NEXTRIX STUDIOS (“Company,” “we,” “us,” or “our”) is committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this Privacy Policy or our practices with regard to your personal information, please contact us at [email protected].
This Privacy Policy describes how we collect, use, store, disclose, and otherwise process your personal information when you visit and use https://nextrixstudios.org (the “Site”) and all associated services including the community forum, digital product shop, blog, Discord bot, and related features (collectively, the “Service”). Please read this policy carefully, as it will help you understand what we do with the information that we collect.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must immediately discontinue use of the Service. We reserve the right to update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Site. Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
1. Information We Collect
We collect personal information that you voluntarily provide to us when you register on the Site, express interest in obtaining information about us or our products and services, when you participate in activities on the Site (such as posting in forums or purchasing products), or otherwise when you contact us.
1.1 Information You Provide Directly
The personal information that we collect depends on the context of your interactions with us and the Service, the choices you make, and the products and features you use. The personal information we collect may include the following:
- Email address — collected upon registration and used for account authentication, transactional communications, and (where consented) marketing communications.
- Password — collected upon email/password registration. Passwords are hashed using bcrypt and are never stored in plaintext. We cannot retrieve your password.
- Display name / username — chosen by you at registration or updated in your profile settings.
- Profile information — including optional avatar/profile picture, biography, and social links you choose to add to your public profile.
- Forum posts and replies — content you submit to the community forum, including text and any embedded media.
- Shop purchase details — including products purchased, order amounts, and purchase timestamps. Full payment card details are never stored by us.
- Contact form messages — content of messages you submit through our Contact page.
- Support tickets and communications — emails, chat messages, or other communications you send to us.
- Application submissions — information you provide when applying to join our team or partner program.
1.2 Discord OAuth Data
If you choose to link or authenticate through your Discord account, we collect the following information from Discord's API with your consent:
- Discord User ID (a unique identifier used to link your Discord account to your NEXTRIX account).
- Discord username and discriminator (e.g., username#1234 or the current username format).
- Discord email address (used if you register via Discord OAuth and no email is already on file).
- Discord avatar URL (used to display your Discord avatar as your profile picture if no custom avatar is set).
We do not collect Discord messages, server membership lists, friend lists, direct messages, or any other Discord data beyond the above. You may unlink your Discord account at any time in your account settings.
1.3 Roblox OAuth Data
If you choose to link or authenticate through your Roblox account, we collect the following information from Roblox's API with your consent:
- Roblox User ID (a unique identifier used to link your Roblox account to your NEXTRIX account).
- Roblox username (used for display purposes on your profile and for verification).
- Roblox display name (the display name associated with your Roblox account, if different from username).
- Roblox avatar thumbnail URL (used to display your Roblox avatar on your profile, if no other avatar is set).
We do not collect Roblox inventory, game history, Robux balance, friend lists, private messages, or any other Roblox data beyond the above. You may unlink your Roblox account at any time in your account settings.
1.4 Payment Information
All payment processing is handled by Stripe, Inc. When you make a purchase, your payment card number, CVV, and banking details are transmitted directly to and stored by Stripe. We do not receive or store your full payment card information. We receive from Stripe only the following limited payment confirmation data:
- A Stripe Customer ID and Stripe Payment Intent ID for the transaction.
- Last four digits of the payment card used.
- Card brand (e.g., Visa, Mastercard).
- Payment status (succeeded, failed, refunded).
- Amount charged and currency.
- Billing postal code (where provided, for fraud prevention).
This data is used solely to maintain purchase records, provide you with purchase history, and process refund requests. Stripe's handling of your payment data is governed by Stripe's Privacy Policy at stripe.com/privacy.
1.5 Automatically Collected Information
When you visit the Site or use the Service, we automatically collect certain information about your device and usage. This information does not identify you personally, but may be combined with other information to do so. The automatically collected information includes:
- Log data: IP address, browser type and version, operating system, referring/exit URLs, date and time of access, pages viewed, and clickstream data.
- Device information: device type, operating system version, browser language, screen resolution, and time zone.
- Usage data: features accessed, actions taken within the Service (e.g., forum posts created, products viewed, purchases made), session duration, and error reports.
- Cookies and similar tracking technologies: session tokens, authentication cookies, preference cookies, and anti-abuse tokens (see Section 8 for details).
1.6 Cloudflare Turnstile Data
We use Cloudflare Turnstile on registration and certain form submission pages to protect against automated bot submissions. Cloudflare Turnstile collects certain device and browser signals (such as screen properties, mouse movements, timing data, and JavaScript execution patterns) to assess whether the visitor is human. This data is processed by Cloudflare, Inc. in accordance with their Privacy Policy at cloudflare.com/privacypolicy. We receive only a verification token indicating whether the challenge was passed; we do not receive the underlying Turnstile signals.
1.7 Uploaded Media & Content
If you upload media files (such as avatar images or other content) through the Service, those files are stored in Cloudflare R2 object storage. Cloudflare R2 is a cloud storage service operated by Cloudflare, Inc. Files are stored with access controls and are served via secure, time-limited signed URLs where applicable. We store metadata associated with uploads (such as file name, size, MIME type, upload timestamp, and the user ID of the uploader) in our database.
1.8 Information from Third Parties
In addition to the information described above, we may receive information about you from third-party sources, such as:
- Social platforms: When you connect your Discord or Roblox account as described in sections 1.2 and 1.3.
- Payment processors: Transaction confirmation data from Stripe as described in section 1.4.
- Security services: Fraud signals, bot detection results, or abuse reports from Cloudflare or similar services.
2. How We Use Your Information
We use personal information collected via our Site and Service for a variety of business purposes described below. We process your personal information for these purposes in reliance on our legitimate business interests, in order to enter into or perform a contract with you, with your consent, and/or for compliance with our legal obligations. We indicate the specific processing grounds we rely on next to each purpose listed below.
2.1 Account Management & Service Provision
- To create and manage your account and authenticate you.
- To process your purchases and deliver digital products.
- To provide customer support and respond to inquiries.
- To facilitate linked account features (Discord and Roblox integration).
- To manage your profile, preferences, and account settings.
- To process applications submitted through the Apply system.
2.2 Service Improvement & Analytics
- To understand how users interact with the Service and identify areas for improvement.
- To monitor and analyze usage trends and technical performance.
- To diagnose and troubleshoot bugs, errors, and technical issues.
- To develop new features, products, and services.
2.3 Safety, Security & Legal Compliance
- To detect, investigate, and prevent fraudulent transactions, unauthorized access, and other prohibited activities.
- To enforce our Terms of Service and Community Guidelines.
- To respond to legal process, court orders, law enforcement requests, and regulatory inquiries.
- To protect the rights, property, or safety of NEXTRIX STUDIOS, our users, or the public.
- To verify user identity and prevent the creation of fraudulent accounts.
2.4 Communications
- To send transactional emails including account verification codes, password reset links, purchase receipts, and service notifications. These communications are required for the operation of the Service and cannot be opted out of while you have an active account.
- To send you marketing, promotional, and informational emails about new features, products, or offers — only where you have opted in or where permitted by applicable law. You may unsubscribe at any time via the link in any marketing email or by contacting us.
2.5 Legal Basis for Processing (GDPR)
For users in the European Economic Area (EEA) and United Kingdom, our legal bases for processing personal information are:
- Contract Performance: Processing necessary to fulfill our contract with you (e.g., account creation, purchase fulfillment, service delivery).
- Legitimate Interests: Processing necessary for our legitimate business interests, including security, fraud prevention, service improvement, and dispute resolution, provided these interests are not overridden by your rights.
- Legal Obligation: Processing required to comply with applicable law.
- Consent: Processing based on your explicit consent, which you may withdraw at any time without affecting prior processing.
3. Disclosure of Your Information
We may share your information in the following situations:
3.1 Service Providers (Third-Party Vendors)
We share your data with third-party vendors and service providers that perform services on our behalf and require access to your information to provide those services. Our primary service providers are:
- Stripe, Inc. — Payment processing. Stripe processes payment card data and returns transaction confirmation. Stripe is PCI DSS Level 1 certified. Privacy Policy: stripe.com/privacy
- Brevo (formerly Sendinblue) — Transactional and marketing email delivery. Your email address, first name/username, and email content are transmitted to Brevo to deliver emails on our behalf. Privacy Policy: brevo.com/legal/privacypolicy
- MongoDB, Inc. — Cloud database hosting (MongoDB Atlas). Our primary application database is hosted on MongoDB Atlas, which may store your account data, forum posts, purchase records, and other application data. Privacy Policy: mongodb.com/legal/privacy-policy
- Cloudflare, Inc. — CDN, DDoS protection, and R2 object storage. Cloudflare serves as our CDN and security layer and hosts uploaded media files. Network traffic passes through Cloudflare infrastructure. Privacy Policy: cloudflare.com/privacypolicy
- Discord, Inc. — OAuth authentication (optional). Used only when you choose to link your Discord account. Privacy Policy: discord.com/privacy
- Roblox Corporation — OAuth authentication (optional). Used only when you choose to link your Roblox account. Privacy Policy: en.help.roblox.com/hc/en-us/articles/115004630823
We only share information with service providers that have appropriate data protection agreements in place and that are bound to handle your information in a manner consistent with this Privacy Policy.
3.2 Business Transfers
We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company. In such an event, we will use reasonable efforts to require that the successor entity honor the commitments made in this Privacy Policy.
3.3 Legal Requirements
We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, judicial proceedings, court orders, or legal processes. We may also disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person, and illegal activities, or as evidence in litigation in which we are involved.
3.4 With Your Consent
We may disclose your personal information for any other purpose with your explicit consent.
3.5 Aggregate & De-identified Data
We may share aggregate or de-identified information that does not identify you personally, for purposes such as analytics, industry research, or reporting, without restriction.
4. Data Retention
We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information. Our general retention periods are:
- Account data (email, username, profile): Retained for the lifetime of your account plus up to 30 days after account deletion, to allow for any chargeback or dispute resolution.
- Purchase records and transaction history: Retained for 7 years following the transaction date to comply with Canadian tax and accounting requirements, even if your account is deleted.
- Forum posts and public contributions: May be retained after account deletion in anonymized form (author replaced with [Deleted User]) unless you specifically request deletion of content and we are not legally required to retain it.
- Uploaded media: Retained until you delete it or your account is deleted.
- IP address and log data: Retained for 90 days for security and abuse prevention purposes, then purged.
- Email communications: Retained for as long as necessary to resolve the matter, typically no longer than 2 years.
- Support tickets: Retained for up to 2 years following resolution.
5. Security of Your Information
We implement appropriate technical and organizational security measures designed to protect the security of any personal information we process. These measures include:
- Password hashing using bcrypt with an appropriate cost factor — passwords are never stored in plaintext.
- Transport Layer Security (TLS 1.2+) for all data in transit between your browser and our servers.
- AES-256 encryption for sensitive data at rest where applicable.
- Access controls: Only authorized personnel have access to personal data, and access is granted on a least-privilege basis.
- Database security: MongoDB Atlas provides encryption at rest and network isolation for database storage.
- Cloudflare DDoS protection and Web Application Firewall (WAF) to protect against common web attacks.
- Rate limiting on authentication and API endpoints to prevent brute-force and abuse.
- Regular security reviews of our codebase and dependencies.
- Secure, short-lived signed URLs for media files stored in Cloudflare R2 where access control is required.
Despite our best efforts, no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security. You use the Service at your own risk. In the event of a data breach affecting your rights and freedoms, we will notify you in accordance with applicable law.
6. International Data Transfers
NEXTRIX STUDIOS is operated from the Province of Quebec, Canada. Our servers and service providers may be located in multiple jurisdictions, including Canada, the United States, and the European Union. Your information may be transferred to, stored in, and processed in these jurisdictions, which may have different data protection laws than your country of residence.
For users in the European Economic Area (EEA), United Kingdom, and Switzerland, we ensure that transfers of personal data to countries not deemed adequate by the European Commission are made with appropriate safeguards, including Standard Contractual Clauses (SCCs) adopted by the European Commission, where required. Our key data processors — Stripe, Cloudflare, MongoDB, and Brevo — either operate under SCCs or participate in equivalent frameworks.
By using the Service, you consent to the transfer of your information to Canada and other jurisdictions as described in this section.
7. Cookies & Tracking Technologies
We use cookies and similar tracking technologies (collectively, “Cookies”) to collect and store certain information when you use the Service. A cookie is a small data file stored on your browser or device.
7.1 Types of Cookies We Use
- Strictly Necessary Cookies: These are required for the Service to function. They include session cookies that maintain your logged-in state, authentication tokens (JWT stored in HTTP-only cookies), and CSRF protection tokens. You cannot opt out of these cookies while using the Service.
- Functional Cookies: These remember your preferences such as your selected color theme (light/dark mode). They are not essential but improve your experience.
- Security Cookies: These include the Cloudflare Turnstile verification token and similar anti-bot/CSRF cookies used to protect the Site from automated attacks.
- Analytics Cookies (if applicable): We may use anonymized, aggregate analytics to understand usage patterns. If we use third-party analytics tools, we will disclose this and provide opt-out options.
7.2 Managing & Disabling Cookies
You can control cookies through (1) our Cookie Consent Banner, where you can accept or decline non-essential cookies; and (2) your browser settings, which allow you to block or delete cookies from specific sites. Please note that disabling strictly necessary cookies will prevent you from logging in and using core features of the Service.
7.3 Do Not Track Signals
Most web browsers and some mobile operating systems include a “Do Not Track” feature or setting you can activate to signal your preference not to have data about your online browsing activities monitored and collected. At this stage no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.
8. Your Privacy Rights
Depending on where you live, you may have certain rights regarding your personal information. To exercise any of these rights, please contact us at [email protected] with “Privacy Rights Request” in the subject line. We will respond to verified requests within 30 days (or within the timeframe required by applicable law). In complex cases, we may extend this period by an additional 30 days with prior notice.
8.1 Rights Available to All Users
- Right to Access: You may request a copy of the personal information we hold about you.
- Right to Correction: You may request that we correct inaccurate or incomplete personal information about you.
- Right to Deletion: You may request the deletion of your account and associated personal data. Certain data may be retained for legal compliance purposes (e.g., purchase records for tax compliance).
- Right to Data Portability: You may request that we export your personal data in a structured, commonly used, machine-readable format (e.g., JSON).
- Right to Opt-Out of Marketing: You may unsubscribe from marketing emails at any time via the unsubscribe link in any email or by contacting us.
8.2 European Economic Area & UK (GDPR & UK GDPR)
In addition to the rights above, EEA and UK residents have the following rights:
- Right to Restrict Processing: Request that we restrict the processing of your personal data in certain circumstances.
- Right to Object: Object to processing based on our legitimate interests, including profiling. We will cease processing unless we have compelling legitimate grounds that override your interests.
- Right to Withdraw Consent: Withdraw consent at any time where we are processing on the basis of consent, without affecting the lawfulness of processing prior to withdrawal.
- Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority. For EEA users, this is typically the data protection authority in your country of residence. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk.
8.3 California Residents (CCPA / CPRA)
California residents have the following additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business or commercial purposes for collecting it, and the categories of third parties with whom we share it.
- Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing: We do not sell personal information to third parties for monetary consideration. We do not share personal information with third parties for cross-context behavioral advertising.
- Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information beyond what is necessary to provide the Service.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise California privacy rights, contact us at [email protected] with “California Privacy Rights” in the subject line. We will respond within 45 days.
8.4 Other Jurisdictions
If you are a resident of Canada (including Quebec under Law 25), Australia, Brazil (LGPD), or other jurisdictions with applicable privacy laws, you may have additional or equivalent privacy rights under those laws. We are committed to honoring your rights regardless of jurisdiction. Please contact us to discuss your specific rights and how to exercise them.
9. Children's Privacy
The Service is not directed to children under the age of 13, or under 16 for users in the European Economic Area. We do not knowingly collect personal information from children under these ages.
If you are under 13 years of age (or under 16 in the EEA), you are not permitted to register for or use the Service. If we learn that we have collected personal information from a child under the applicable age without parental or guardian consent, we will take reasonable steps to delete that information as quickly as possible.
If you believe that we might have collected information from a child without appropriate parental consent, please contact us immediately at [email protected]. Parents and guardians who wish to review, correct, or delete personal information collected from their child should contact us at the same address.
We do not knowingly market to children. If we become aware that any marketing communications have been received by a child under the applicable age, we will promptly cease such communications and delete the child's information from our marketing lists.
10. Third-Party Links & Services
The Site and Service may contain links to third-party websites, plugins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our Site or Service, we encourage you to read the privacy policy of every website you visit.
Our Service integrates with the following third-party platforms, each of which has its own privacy policy:
- Discord — discord.com/privacy
- Roblox — en.help.roblox.com/hc/en-us/articles/115004630823
- Stripe — stripe.com/privacy
- Brevo (email) — brevo.com/legal/privacypolicy
- Cloudflare — cloudflare.com/privacypolicy
- MongoDB Atlas — mongodb.com/legal/privacy-policy
11. Data Breach Notification
In the event of a security breach that compromises your personal information and is likely to result in a risk to your rights and freedoms, we will notify you and the applicable supervisory authority as required by applicable law. For EEA/UK users, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach where feasible. For users in Canada, we will comply with the notification requirements of the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec Law 25.
Notifications will be sent to the email address associated with your account and will include: (1) a description of the nature of the breach; (2) the categories and approximate number of individuals concerned; (3) the categories and approximate number of personal data records concerned; (4) the likely consequences of the breach; and (5) the measures taken or proposed to address the breach.
12. Automated Decision-Making & Profiling
We do not make solely automated decisions (including profiling) that produce legal effects concerning you or similarly significantly affect you. Decisions regarding account suspension, content removal, or ban enforcement are reviewed by human moderators. Automated tools may flag content for review, but final determinations are made by humans.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our practices or applicable laws, or for other operational, legal, or regulatory reasons. When we update the policy, we will revise the “Effective Date” at the top of this page. For material changes that significantly affect how we use your data, we will provide you with prominent notice, such as by sending an email notification or displaying a banner on the Site.
We encourage you to review this Privacy Policy periodically to stay informed about our data practices. Your continued use of the Service following the posting of changes constitutes your acceptance of those changes.
14. Contact Us & Data Protection
If you have questions or comments about this Privacy Policy, wish to exercise your privacy rights, or want to report a privacy concern, please contact us by one of the following methods:
NEXTRIX STUDIOS — Privacy Inquiries
Email: [email protected]
Subject Line: “Privacy Rights Request” or “Privacy Concern”
Discord: discord.nextrixstudios.org
Website: nextrixstudios.org
Location: Quebec, Canada
We will make every reasonable effort to address your concerns. If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority in your jurisdiction. For EEA users, this is the data protection authority in your country of residence. For Quebec residents, this is the Commission d'accès à l'information (CAI) at cai.gouv.qc.ca.
Last Reviewed: May 6, 2026 · Version: 1.1