Privacy Policy

Controller: Roflow ("Roflow," "we," "us," or "our") is the data controller for personal information collected through our software, website, and services.

Website: https://roflow.co

Contact: privacy@roflow.co (for privacy requests and legal notices)

This Privacy Policy applies to all users of Roflow. By using our services, you agree to the collection and use of information as described in this policy. If you do not agree, please discontinue use of our services.

a) Information You Provide

• Roblox OAuth Authentication: When you sign in with your Roblox account, we receive your Roblox username, user ID, and profile information as authorized by Roblox OAuth. We do not collect or store your Roblox password.
• Billing Information: Payment details are processed directly by third-party payment providers. We do not receive or store your credit card numbers, banking information, or other sensitive payment data.
• Account Preferences: Settings and preferences you configure for your Roflow account.
• Communications: Content of messages you send us via support, feedback forms, or email.

b) Information Collected Automatically

• Usage Data: Feature usage patterns, session duration, commands executed, and interaction metrics.
• Technical Data: IP address, device type, operating system, browser version, error logs, crash reports, and performance diagnostics.
• Cookies: We use essential cookies for authentication and site functionality (see Section 8).

c) Project Data (Optional)

When you use cloud sync or collaboration features, we may store project files, source code, version history, and sharing settings. This data is stored securely and only accessible to you and collaborators you authorize.

We do not intentionally collect sensitive personal information. Our services are intended for users 13 years or older, or 16 years or older in the EEA/UK (see Section 10).

We use personal information to:

• Provide, operate, maintain, and improve Roflow features and services;
• Process authentication via Roblox OAuth and manage download access;
• Respond to support requests and communicate product updates;
• Analyze usage patterns to guide product development;
• Detect and prevent fraud, abuse, security incidents, and technical issues;
• Send marketing communications (you may opt-out at any time);
• Comply with legal obligations and enforce our Terms of Use.

We do not sell your personal information or share it for cross-context behavioral advertising. If this changes, we will update this policy and provide required opt-outs.

We share personal information with:

• Service Providers: Third-party vendors who host, process, analyze, or transmit data on our behalf under strict confidentiality and data protection obligations (e.g., cloud hosting, payment processing, analytics, AI services);
• Business Transfers: Potential acquirers, successors, or partners in the event of a merger, acquisition, or corporate restructuring;
• Legal Requirements: Authorities when required by law, court order, or to protect rights, safety, and security.

We do not sell personal information to third parties. We carefully vet service providers to ensure they maintain strong privacy and security standards.

We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce agreements.

When you delete your account, we will delete or de-identify your personal information within 30 days, unless retention is required for legal, security, or audit purposes. Inactive accounts may be deleted after 24 months of inactivity.

We implement reasonable administrative, technical, and physical safeguards to protect personal information:

• Encryption in transit (TLS 1.3) and at rest (AES-256);
• Strict access controls and multi-factor authentication;
• Regular security audits and vulnerability assessments;
• Secure, SOC 2 compliant cloud infrastructure.

No method of transmission or storage is 100% secure. While we use commercially reasonable means to protect your data, we cannot guarantee absolute security.

Depending on your location, you may have rights under applicable data protection laws (GDPR, CCPA/CPRA, and similar regulations) to:

• Access: Request a copy of your personal information in a portable format;
• Correct: Request correction of inaccurate or incomplete information;
• Delete: Request deletion of your personal information (subject to legal exceptions);
• Opt-Out: Unsubscribe from marketing emails or withdraw consent at any time;
• Object/Restrict: Object to or restrict certain processing activities;
• Port: Receive your data in a machine-readable format;
• Lodge a Complaint: File a complaint with your data protection authority (EEA/UK).

To exercise these rights, email privacy@roflow.co. We will verify your request and respond as required by law (typically within 30 days). Authorized agents may submit requests in jurisdictions that permit them.

California Residents

Under the CCPA/CPRA, California residents have additional rights. We do not sell or share personal information for cross-context behavioral advertising, nor do we use sensitive personal information for purposes requiring opt-out rights.

• Essential Cookies: Required for authentication, security, and core functionality. These cannot be disabled.
• Analytics Cookies: Help us understand usage patterns and improve the product. Non-essential analytics cookies require consent in certain jurisdictions (EEA/UK).
• Functional Cookies: Remember your preferences and settings.

You may control cookies through your browser settings. Disabling certain cookies may limit functionality. We provide cookie controls where legally required, and you can withdraw consent at any time.

Do Not Track

There is currently no industry standard for responding to Do Not Track (DNT) signals. We do not respond to DNT browser settings at this time.

Roflow is operated from Canada. If you access our services from outside Canada, your information may be transferred to, stored, and processed in Canada or other countries.

Where required by law, we use appropriate safeguards for cross-border data transfers, such as Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.

Our services are intended for individuals 13 years or older (16 years or older in the EEA/UK). We do not knowingly collect personal information from children below the applicable age of digital consent.

If you believe a child has provided us with personal information, contact privacy@roflow.co and we will promptly delete it. For users aged 13-18, we recommend obtaining parental consent before using features involving payments or data sharing.

We may update this Privacy Policy to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

• Update the "Last Updated" date above;
• Notify you via email or in-app notice;
• Obtain consent if required by law.

We encourage you to review this policy periodically to stay informed about how we protect your information.

For privacy questions, requests, or legal notices, email privacy@roflow.co.

For general support inquiries, visit our Support Center.