Data Processing Agreement
LAST UPDATED: JUNE 2026
This DPA governs personal data that SDK and Enterprise customers send RoLearn to process on their behalf. If you integrate the RoLearn SDK or run an Enterprise/Brand workspace, you should review and accept this DPA below.
1. Parties & Roles
This Data Processing Agreement ("DPA") forms part of the agreement between HUBERT.STUDIO LLC ("Processor", "RoLearn") and the customer that integrates the RoLearn Multiplatform SDK or an Enterprise/Brand workspace ("Controller", "Customer").
For personal data that the Customer transmits to RoLearn about the end-users of the Customer's games or properties (including player identifiers, session data, coarse country, device/OS, and in-game events) — "Customer Personal Data" — the Customer is the controller and RoLearn is the processor. RoLearn processes Customer Personal Data only on the Customer's documented instructions.
2. Subject Matter & Duration
3. Nature & Purpose of Processing (Annex I)
Categories of data subjects: end-users / players of the Customer's games, who may include minors.
Categories of personal data: developer-supplied player identifier, session identifier, coarse country (account-region/locale-derived; not precise geolocation), device type, operating system, and in-game behavioral events. RoLearn's SDK rejects payloads containing direct identifiers (email, phone, government IDs, payment card numbers).
Purpose: game analytics, performance/crash diagnostics, retention and monetization metrics, brand-activation measurement, and Customer-configured data export.
4. Processor Obligations
- Process Customer Personal Data only on the Customer's documented instructions, including for transfers, unless required by law (in which case RoLearn will notify the Customer where permitted).
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement the technical and organizational security measures in Section 6.
- Assist the Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting its security, breach-notification, and data-protection-impact-assessment obligations.
- Make available information necessary to demonstrate compliance and allow for audits as set out in Section 8.
5. Sub-processors
The Customer provides general authorization for RoLearn to engage the sub-processors listed on our Sub-processors page. RoLearn imposes data-protection obligations on each sub-processor no less protective than those in this DPA and remains responsible for their performance. RoLearn will give the Customer a mechanism to receive notice of intended changes and a reasonable period to object.
6. Security Measures (Annex II)
- Encryption in transit (TLS 1.2/1.3) and encryption of data exports prior to delivery.
- Access controls, least-privilege, and role-based permissions for internal systems.
- Data minimization at ingest (rejection of direct-identifier fields) and bounded retention.
- Logging, monitoring, and error tracking; regular backups with tested restore.
- Network isolation between the public-data pipeline and Customer Personal Data stores.
7. International Transfers
8. Audit
9. Return & Deletion
10. Children’s Data
The Customer acknowledges that Customer Personal Data may relate to minors. The Customer warrants that it has obtained and maintains all consents and authorizations required to collect and share such data with RoLearn, including under COPPA, the GDPR (including Article 8 parental consent where applicable), and the rules of any platform on which the Customer’s game operates (e.g. Roblox). RoLearn will not sell children’s data, will not use it for advertising or profiling beyond the analytics the Customer commissions, and applies data minimization as described above.
11. Liability
Accept the DPA for your organization
Sign in with your workspace owner account to review and accept this document for your organization.