Privacy Policy
LAST UPDATED: JUNE 2026
RoLearn collects only what's needed to run the Service. We never sell your data, never store plaintext passwords, and analytics tracking only runs after you opt in. For the player telemetry our SDK customers send us, we act as a data processor under our DPA.
1. Who We Are & Scope
This Privacy Policy explains how HUBERT.STUDIO LLC ("RoLearn", "we", "us") collects and processes personal data across the RoLearn web platform, the RoLearn mobile app, and the RoLearn Multiplatform SDK (collectively, the "Service").
RoLearn operates in two distinct roles:
- As a controller for data about our own account holders (developers and brand customers) and visitors to our website.
- As a processor for the player-telemetry data that our SDK customers send us about the end-users of their games. For that data, the SDK customer is the controller and our handling is governed by our Data Processing Agreement. This policy describes that processing for transparency, but the customer's own privacy notice governs those end-users.
2. Information We Collect
Account data: When you create an account we collect your email address and a securely hashed password. If you sign in with Google or another social provider (Roblox, Discord, X), we receive your provider account ID, display name, email address, and profile picture. We never store plaintext passwords.
Preferences & workspace data: Tracked games and genres, alert preferences, subscription tier, team/workspace membership, and UI settings, so your experience persists across sessions and devices.
Roblox public data: Publicly available game metrics (concurrent players, visits, likes, favorites, gamepasses) and public creator/group metadata from official Roblox APIs. We do not access private Roblox player accounts.
Usage & activity data: Which features you use, response times, your plan at time of access, and an activity identifier derived from your authentication session. Retained for 30 days, then automatically purged.
Product analytics (consent-based): If you accept analytics cookies, we use PostHog to collect interaction data and session recordings for identified, signed-in users to help us improve the platform. PostHog captures nothing until you opt in via the cookie banner — see our Cookie Policy.
SDK player telemetry (as processor): When our SDK customers integrate RoLearn into their games, we receive event telemetry about their players, including a developer-supplied player identifier, session identifier, coarse country (derived from account region or locale, not precise location), device type and operating system, and in-game behavioral events (sessions, purchases, levels, performance, crashes, and brand-zone interactions). Our SDK actively rejects payloads containing direct identifiers such as email, phone, government IDs, or card numbers. We process this data on our customers' instructions under our DPA.
Public social / earned-media data: For brand-intelligence features we collect publicly available data about creators and posts from platforms such as YouTube, X, TikTok, Instagram, Twitch, and Facebook — including handles, follower counts, and post content. See Section 5 ("Data About Third Parties").
Email subscriptions: If you opt in to email updates, we collect your email address and the signup source.
Mobile app data: If you use the RoLearn mobile app, we may collect a device identifier and (with your permission) a push-notification token to deliver alerts. See Section 11. (Mobile-app specifics are maintained in the app's store privacy disclosures and should be read together with this policy.)
3. How We Use Your Information & Legal Bases
We process personal data for the purposes below. Where the EU/UK GDPR applies, the relevant legal basis is shown; where Vietnam's Personal Data Protection Decree (Decree 13/2023/ND-CP) applies, processing is based on your consent and/or the performance of our contract with you.
- Provide, operate, authenticate, and secure the Service — performance of a contract.
- Deliver alerts and notifications you configure — performance of a contract.
- Process subscription payments — performance of a contract / legal obligation.
- Product analytics and session replay (PostHog) — consent.
- Train and improve ML models using aggregated public Roblox data, not your personal information — legitimate interest.
- Collect public social/creator data for brand intelligence — legitimate interest (see Section 5).
- Send opt-in email updates — consent.
- Prevent abuse and enforce rate limits — legitimate interest.
4. Third-Party Services (Sub-processors)
We rely on the service providers below, each under their own privacy terms. Our current, authoritative list — including data categories and locations — is maintained on our Sub-processors page.
- Roblox Corporation — Source of publicly available game metrics and metadata.
- Google LLC (Sign-in with Google) — Optional account sign-in / linking.
- Google LLC (Google Fonts) — Delivery of the web fonts used across the interface.
- Google LLC (YouTube Data API) — Discovery of public creator videos and channel metrics.
- Lemon Squeezy, LLC — Subscription billing and payment processing.
- Twilio Inc. (SendGrid) — Transactional and opt-in email delivery.
- PostHog Inc. — Product analytics and session replay (consent-gated).
- Functional Software, Inc. (Sentry) — Error monitoring and performance tracing.
- Anthropic PBC (Claude) — AI-generated insights, Dev Lens analysis, RLBot assistant.
- The Constant Company, LLC (Vultr) — Application, API, and background-worker compute hosting.
- Amazon Web Services, Inc. (RDS) — Primary production database hosting (managed PostgreSQL).
- Amazon Web Services, Inc. (S3) — Customer-configured destination for SDK data exports.
- Cloudflare, Inc. — CDN, DDoS protection, and ML-artifact storage (R2).
- Apify Technologies s.r.o. — Collection of public social earned-media (TikTok, Instagram, Facebook).
- Discord Inc. — Internal operations notifications (sales-lead alerts).
- X Corp. (Twitter / X API) — Discovery of public posts and creator metrics.
- Amazon.com, Inc. (Twitch API) — Discovery of public streams and creator metrics.
- Meta Platforms, Inc. (Instagram Graph API) — Discovery of public posts and creator metrics.
5. Data About Third Parties (Creators & Public Posts)
Our brand-intelligence features collect publicly available information about social-media creators and their posts (handles, display names, follower counts, post text and engagement metrics) from public APIs and, for platforms without a public search API, via third-party collection vendors (e.g. Apify). We process this on the basis of legitimate interest in providing market and earned-media intelligence.
If you are a creator and your public data appears in our systems, you have the right to object to this processing and to request access or deletion. Contact [email protected] and we will action verified requests, subject to our legitimate-interest assessment, within 30 days.
6. Data Storage & Security
Data is stored in PostgreSQL with encrypted connections. Passwords are hashed with bcrypt. Authentication uses short-lived, cryptographically signed JSON Web Tokens. SDK data exports are encrypted before delivery to the customer's storage. All traffic between your device and our servers is encrypted via HTTPS (TLS 1.2/1.3).
Authentication storage: On the web, your session is held in HttpOnly cookies (rolearn_access, rolearn_refresh) that JavaScript cannot read, plus a readable CSRF cookie (rolearn_csrf) used only for cross-site-request-forgery protection. On mobile, tokens are stored in the device's secure keystore. See our Cookie Policy for the full list.
7. Data Retention & Deletion
- Usage/activity data: 30 days, then purged.
- SDK player telemetry: retained for a default of 30 days (configurable per customer), then deleted; synthetic test events are pruned within 7 days.
- Public game metrics: hourly resolution for ~3 days, then aggregated into daily summaries; per-platform snapshots retained ~90 days.
- Account data: kept for the life of your account until deletion.
- Email subscriptions: until you unsubscribe.
Request deletion of your account and associated data any time at [email protected]. We process verified deletion requests within 30 days, except where we must retain data to comply with law, resolve disputes, or enforce our agreements.
8. Your Rights
Depending on your location (including under the EU/UK GDPR, California CCPA/CPRA, and Vietnam's PDPD), you may have the rights to access, correct, delete, port, and restrict processing of your personal data, to object to processing based on legitimate interest, and to withdraw consent at any time.
California residents: We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, and we do not use it for cross-context behavioral advertising.
To exercise any right, contact [email protected]. We may need to verify your identity before actioning a request, and we will respond within 30 days. You also have the right to lodge a complaint with your local data-protection supervisory authority.
9. Children & Younger Players
The RoLearn platform and accounts are intended for developers and businesses, and are not directed to children under 13. We do not knowingly create accounts for children under 13.
SDK player telemetry may relate to minors. Because games built on Roblox and similar platforms have audiences that include children, the player telemetry our SDK customers send us may concern minors. We act only as a processor for this data, on the customer's documented instructions. We apply data minimization (our SDK rejects direct identifiers and does not request precise location), we do not sell children's data, and we do not use it for advertising or profiling beyond the analytics the customer commissions. Under our DPA, our SDK customers warrant that they have obtained any consents required under COPPA, the GDPR (including Article 8), and applicable platform rules before sending us player data.
10. International Data Transfers
RoLearn is operated from the Socialist Republic of Vietnam and our servers and several sub-processors are located in the United States. Where we transfer personal data internationally — including out of the EEA/UK — we rely on appropriate safeguards such as Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework, together with any data-transfer assessment required under Vietnam's PDPD. By using the Service you understand your data may be processed in these jurisdictions.
11. Push Notifications & Mobile (Where Available)
If you use the RoLearn mobile app and opt in to push notifications, we store a push-notification token to deliver alerts (e.g. breakout signals, trending alerts, price changes). You can disable notifications at any time in your device settings or in-app. Mobile features such as profiles, direct messages, and content reporting are governed by Section 5 ("User-Generated Content") of our Terms of Service; reports we receive (including the reporter's and reported user's identifiers and context) are retained for safety and enforcement even after content or accounts are removed.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be posted here with a new revision date and, where appropriate, notified by email or in-app. Continued use after changes take effect constitutes acceptance of the updated policy.
13. Contact Us
Questions about this policy or your data? Contact our privacy team at [email protected] or general support at [email protected].