← Back to RoSearch

Privacy Policy

Last updated: March 21, 2026

1. Data Controller

RoSearch
Email: contact@rosearch.gg

We are the data controller responsible for your personal data under the EU General Data Protection Regulation (GDPR) and, where applicable, the California Consumer Privacy Act (CCPA).

2. Data We Collect

We collect and process the following categories of personal data:

Category	Data Points	Legal Basis (Art. 6 GDPR)
Account data	Username, email address, hashed password (PBKDF2-SHA256)	Art. 6(1)(b) — performance of contract
Roblox OAuth data	Roblox user ID, display name, avatar URL	Art. 6(1)(b) — performance of contract
Google OAuth data	Email address, name, avatar URL	Art. 6(1)(b) — performance of contract
Discord webhook URLs	Webhook endpoint URL you provide	Art. 6(1)(b) — performance of contract
Scan configurations	Campaign names, filter settings	Art. 6(1)(b) — performance of contract
Scan results	Game data returned by scans	Art. 6(1)(b) — performance of contract
Technical data	IP address, browser type, access timestamps	Art. 6(1)(f) — legitimate interest (security, abuse prevention, rate limiting)
Payment data	Processed by Stripe; we store only Stripe customer ID and subscription status	Art. 6(1)(b) — performance of contract

We do not store plaintext passwords. Passwords are hashed using PBKDF2-SHA256 with unique salts before storage.

3. How We Use Your Data

• To provide, operate, and maintain the RoSearch scanning service.
• To authenticate your identity and manage user sessions.
• To process payments and manage subscriptions via Stripe.
• To deliver scan results to your configured Discord webhook.
• To enforce rate limits, prevent abuse, and maintain platform security.
• To comply with legal obligations.

4. Data Processors

We share personal data with the following third-party processors, each operating under a data processing agreement:

• Stripe, Inc. (San Francisco, USA) — Payment processing. Receives your payment details directly. See Stripe's Privacy Policy.
• Roblox Corporation (San Mateo, USA) — OAuth authentication. Receives authentication tokens during login. See Roblox Privacy Policy.
• Google LLC (Mountain View, USA) — OAuth authentication. Receives authentication tokens during login. See Google Privacy Policy.
• Discord Inc. (San Francisco, USA) — Webhook delivery. Receives scan result data you choose to send. See Discord Privacy Policy.
• Hosting provider (Germany) — Server infrastructure. Data is stored on servers located in Germany.

5. International Data Transfers

Your data is stored on servers located in Germany (EU). When data is transferred to processors in the United States (Stripe, Roblox, Google, Discord), these transfers are protected by:

• The EU-US Data Privacy Framework (DPF), where the processor is certified, or
• Standard Contractual Clauses (SCCs) adopted by the European Commission, together with supplementary measures where required.

You may request a copy of the applicable safeguards by contacting us at contact@rosearch.gg.

6. Data Retention

Data Type	Retention Period
Account data	Until you delete your account, or 12 months after last login if account is inactive
Roblox / Google OAuth data	Until you delete your account or unlink the provider
Scan configurations	Until you delete them or delete your account
Scan results	90 days from scan date, then automatically deleted
Discord webhook URLs	Until you remove them or delete your account
IP addresses and access logs	30 days, then automatically deleted
Payment records (Stripe IDs)	7 years after last transaction (legal obligation for tax/accounting)
Session cookies	24 hours (automatic expiry)

7. Your Rights Under GDPR (Articles 15–22)

As a data subject, you have the following rights. To exercise any of them, contact us at contact@rosearch.gg. We will respond within 30 days.

• Right of access (Art. 15): Request a copy of all personal data we hold about you.
• Right to rectification (Art. 16): Request correction of inaccurate or incomplete data.
• Right to erasure (Art. 17): Request deletion of your personal data. You can also delete your account directly from the dashboard settings.
• Right to restriction of processing (Art. 18): Request that we limit how we process your data in certain circumstances.
• Right to data portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON or CSV).
• Right to object (Art. 21): Object to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds.
• Right not to be subject to automated decision-making (Art. 22): See Section 10 below.

You also have the right to withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing before withdrawal.

8. Cookies

RoSearch uses a single session cookie that is strictly necessary for the operation of the service:

• Name: session
• Purpose: Authentication and session management
• Type: httpOnly, Secure, SameSite
• Duration: 24 hours
• Category: Strictly necessary

We do not use any tracking cookies, analytics cookies, advertising cookies, or third-party cookies. Because this cookie is strictly necessary for providing the service you requested, consent is not required under Art. 5(3) of the ePrivacy Directive.

9. Data Security

We implement appropriate technical and organisational measures to protect your data, including:

• Encryption in transit (TLS/HTTPS for all connections)
• Password hashing with PBKDF2-SHA256 and unique salts
• httpOnly, Secure session cookies to prevent XSS-based session theft
• CSRF token protection on state-changing requests
• Rate limiting and IP-based abuse prevention
• Server located in Germany with access controls

10. Automated Decision-Making

RoSearch does not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you, as described in Art. 22 GDPR.

11. Children's Data

RoSearch is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16. If you are under 16, do not use this service. If we become aware that we have collected data from a child under 16 without parental consent, we will delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at contact@rosearch.gg.

12. California Residents — CCPA Rights

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

• Right to know: You may request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share data.
• Right to delete: You may request deletion of your personal information, subject to certain exceptions.
• Right to opt-out of sale: We do not sell your personal information. We have not sold personal information in the preceding 12 months.
• Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at contact@rosearch.gg. We will verify your identity before processing your request. You may also designate an authorized agent to make a request on your behalf.

Categories of personal information collected (past 12 months): Identifiers (username, email, IP address), internet activity information (access logs), commercial information (subscription status), and Roblox/Google account information obtained via OAuth.

13. Supervisory Authority

If you believe we are processing your data unlawfully, you have the right to lodge a complaint with a data protection supervisory authority. A list of EU data protection authorities is available at edpb.europa.eu.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the service at least 30 days before the changes take effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of the service after the effective date constitutes acceptance of the updated policy.

15. Contact

For any questions or requests regarding this Privacy Policy or your personal data, contact us at:
contact@rosearch.gg