Privacy Policy
Effective date: July 1, 2025 · Last updated: July 1, 2026
1. Introduction and Data Controller
WhatBlox ("we", "us", "our") operates the website accessible at whatblox.com (the "Service"). This Privacy Policy explains how we collect, use, store, and share personal data in accordance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable legislation.
For inquiries regarding this policy or to exercise your rights, contact us via the project repository or support channels designated by the operator.
2. Personal Data We Collect
We collect the following categories of personal data:
- Account identifiers. Roblox OAuth identifiers, Roblox user ID, username, and profile avatar URL provided by Roblox when you authenticate via our OAuth integration.
- User-generated content. Game submissions, reviewer messages, votes, comments, reviews, and playlist data you create on the Service.
- Technical and log data. IP addresses, browser type, device identifiers, operating system, pages visited, referral URLs, and timestamps, collected automatically when you access the Service.
- Cookies and tracking data. Session tokens, authentication cookies, and analytics identifiers (see Section 7 – Cookies).
We do not collect payment information, government identification, or sensitive personal data as defined under Article 9 GDPR.
3. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data on the following legal bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)). Authentication, game submission, voting, and playlist functionality required to deliver the Service.
- Legitimate interests (Art. 6(1)(f)). Service security, abuse prevention, platform integrity, and product analytics, where such interests are not overridden by your rights.
- Compliance with legal obligations (Art. 6(1)(c)). Retention of records required by applicable law.
- Consent (Art. 6(1)(a)). Analytics cookies and non-essential tracking, where consent is explicitly obtained.
4. How We Use Your Data
We use your personal data for the following purposes:
- Authenticating your account and maintaining your session;
- Publishing and moderating game submissions, votes, comments, and reviews;
- Detecting and preventing fraudulent activity, abuse, or Terms of Service violations;
- Measuring usage metrics and improving the Service;
- Complying with applicable legal obligations.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal data. We may share data with:
- Infrastructure providers. Supabase, Inc. (database, authentication, and storage) and Vercel, Inc. (hosting) act as data processors under appropriate data processing agreements.
- Analytics providers. Google LLC (Google Analytics / Google Tag Manager) under standard contractual clauses.
- Legal authorities. Where required by law, court order, or regulatory mandate.
6. Data Retention
We retain account-related data for as long as your session remains active and as long as necessary to fulfil the purposes described in this policy. User-generated content (submissions, votes, comments) is retained for operational and trust-and-safety purposes. You may request deletion in accordance with Section 8. Anonymised or aggregated data not linked to an individual may be retained indefinitely for analytical purposes.
7. Cookies and Tracking Technologies
We use the following categories of cookies:
- Essential cookies. Session tokens and authentication cookies required for the Service to function. These cannot be disabled.
- Analytics cookies. Google Analytics and Google Tag Manager for traffic measurement. These are subject to your consent where required by law.
You may control non-essential cookies through your browser settings or applicable consent mechanisms.
8. Your Rights
Subject to applicable law and your jurisdiction, you may have the following rights:
- Access (Art. 15 GDPR / CCPA). Request a copy of the personal data we hold about you.
- Rectification (Art. 16 GDPR). Request correction of inaccurate personal data.
- Erasure (Art. 17 GDPR / CCPA "right to delete"). Request deletion of your personal data, subject to legal retention obligations.
- Restriction (Art. 18 GDPR). Request that we restrict processing of your personal data in certain circumstances.
- Data portability (Art. 20 GDPR). Receive your data in a structured, machine-readable format.
- Objection (Art. 21 GDPR). Object to processing based on legitimate interests.
- Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
To exercise any of these rights, contact us through the channels listed in Section 9. We will respond within the timeframes required by applicable law (generally 30 days under GDPR).
9. Contact and Complaints
For privacy-related requests or concerns, contact the WhatBlox operator through the project repository or designated support channels. If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority (e.g., the CNIL for France, the ICO for the United Kingdom).
10. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be indicated by an updated "Last updated" date at the top of this page. Continued use of the Service after such changes constitutes your acceptance of the revised policy.