PRIVACY
POLICY

Account Data: When you sign in with Roblox, we receive your Roblox user ID, display name, username, and profile picture from Roblox's OAuth 2.0 service. With your authorization, we may also read your Roblox inventory through Roblox's API to confirm ownership of products you have purchased. If you verify your account using the bio-code method instead of OAuth, we read your public Roblox profile description to confirm the verification code, and we read your public inventory to confirm product ownership. We do not collect passwords, payment details, or sensitive personal information beyond what Roblox provides.

Product & License Data: Merithic products may collect limited technical data including license identifiers, whitelisted Place IDs, Roblox UserIds or game identifiers, usage patterns, and tamper detection signals. This data is collected solely for license enforcement and product integrity monitoring as described in Section 5 of our Terms of Service.

Usage Data: We may collect basic usage data such as pages visited and actions taken within your account portal. This is used to improve our services and is not shared with third parties for advertising purposes.

Form Submissions: When you submit a form hosted by Merithic, we collect the answers you provide along with a one-way hashed representation of your IP address. The hashed IP is used solely to prevent duplicate submissions to the same form; we do not store your raw IP address for form submissions, and the hash cannot be reversed to identify you.

Discord Account Data: If you verify through Updatr's Discord verification (iVerify), we receive your Discord user ID and username from Discord's OAuth service (with the "identify" scope) and link it to your verified Roblox account. We store this Discord-to-Roblox link so that we can recognize you across Discord servers that use Updatr — to apply your roles automatically, identify you for support and moderation, and keep your roles in sync. We do not read your Discord messages, email, or servers, and we do not post on your behalf. See Section 12 for details.

Your Roblox account information is used solely to authenticate you, manage your licenses and product access, and display your profile within the Merithic platform.

Technical product data is used exclusively for license enforcement, tamper detection, and product integrity monitoring as described in our Terms of Service.

We do not use your data for advertising, marketing profiling, or sale to third parties under any circumstances.

Form submission answers are used only for the purpose stated on the relevant form and may be emailed to our team for review. The hashed IP attached to a submission is used exclusively to enforce a single submission per person and for nothing else.

Account data is stored securely using Supabase, a GDPR-compliant database platform. We implement industry-standard security measures to protect your data from unauthorized access, alteration, or disclosure.

Session data is stored as a signed, HTTP-only cookie on your device and expires after 7 days of inactivity. This cookie is not accessible to JavaScript and cannot be read by third-party scripts.

We do not store Roblox OAuth tokens beyond the initial authentication exchange. Access tokens are used only to retrieve your profile information and are not persisted.

Roblox: We use Roblox's OAuth 2.0 service for authentication. By signing in with Roblox, you are also subject to Roblox's own Privacy Policy and Terms of Use. We are not responsible for data practices of Roblox or any other third-party service.

Supabase: We use Supabase as our database and file-storage provider. Supabase is GDPR-compliant and processes data solely on our behalf in accordance with a data processing agreement.

Luraph: Updatr's optional obfuscation tool sends the code you choose to obfuscate to Luraph, a third-party code-protection service, which processes it on its own servers and returns the protected result. Your use of that tool is also subject to Luraph's terms and privacy practices. We are not responsible for the data practices of Luraph or any other third-party service.

We do not integrate third-party advertising networks, analytics platforms, or data brokers into our services.

We use a single HTTP-only session cookie (ls_session) to keep you signed in. This cookie is not accessible to JavaScript and is cleared when you sign out or after 7 days of inactivity.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies of any kind.

Staff sessions use a separate HTTP-only cookie (ls_staff_session) under the same terms. Both cookies are cryptographically signed and cannot be forged.

Merithic does not sell, rent, or trade your personal information to any third party.

We may disclose information if required by law, court order, or to protect the rights, property, or safety of Merithic, its users, or the public.

In the event of a business transfer or acquisition, user data may be transferred as part of that transaction. You will be notified via a notice on our website prior to any such transfer.

We retain your account data for as long as your account is active or as needed to provide services. License and enforcement records may be retained indefinitely for the purposes of tamper detection and blacklist enforcement.

You may request deletion of your personal data at any time by contacting us via Discord or email. Upon a valid deletion request, all personally identifiable information associated with your account will be permanently removed within 30 days, except where retention is required by law or necessary for ongoing enforcement actions.

Access & Portability: You may request a copy of the personal data we hold about you at any time by contacting our support team.

Correction: If you believe any data we hold about you is inaccurate, you may request a correction through our support channels.

Deletion: You may request deletion of your account and associated personal data as described in Section 7.2. Note that certain enforcement-related records may be retained.

EEA & California Users: Users in the European Economic Area and California may have additional rights under the GDPR and CCPA respectively. Contact Merithic support to exercise applicable rights. Certain data processing necessary for license enforcement cannot be opted out of while actively using our products.

Merithic products are intended for users aged 13 and older in accordance with Roblox's minimum age requirements. Users under 18 require verifiable parental or guardian consent as described in our Terms of Service.

We do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us with personal information, please contact us immediately and we will take steps to delete such information.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Changes will be posted at this URL with an updated revision date.

Continued use of our services after changes are posted constitutes your acceptance of the updated policy. We encourage you to review this policy periodically.

Account Verification: To use Updatr, you verify ownership of a Roblox account through Roblox OAuth or by placing a Merithic–issued code in your Roblox profile bio. For the bio-code method we read your public Roblox profile description (to match the code) and your public inventory (to confirm which products you own). We do not modify your profile or inventory; we only read the public information needed for verification. The temporary verification code is stored in a short-lived signed cookie and discarded once verification completes.

Seller & Studio Data: If you sell on Updatr, we store your studio profile, product listings, uploaded files, pricing, collaborator assignments and their permissions, and the buyers/licenses associated with your products, so we can operate the marketplace, licensing, and auto-update services.

License & Transaction Data: We store records of products you purchase, claim, or are granted, along with the per-user license keys issued to you. Where a seller enables license injection, a key unique to you may be embedded in the product file you download. License and enforcement records may be retained as described in Section 7.

Security Alerts: When a request fails license verification — for example a leaked or mismatched key, a blacklisted user, or a tampered product — we record an alert containing the involved Roblox user IDs, the place ID, the product, and the reason, so sellers can monitor and protect their products.

Code Obfuscation: If you use Updatr's optional obfuscation tool, the source code you submit is sent to a third-party processing provider (such as Luraph) to produce the protected output. That code is processed on the provider's servers subject to the provider's own terms; we do not retain submitted source beyond what is necessary to return your result.

What We Link: Updatr's verification feature connects your Discord account to your Roblox account. When you verify, you sign in with Discord (Roblox OAuth or the bio-code method confirms your Roblox account, and Discord OAuth's "identify" scope confirms your Discord account). We then store a link between your Discord user ID and your Roblox user ID, along with your Roblox username and the method and time of verification.

Why We Store It: We save this Discord-to-Roblox link so we can identify who you are across servers — to automatically apply, remove, and sync your Discord roles and nickname based on your Roblox identity and the products you own, to recognize you the moment you join another server that uses Updatr, and to help server staff and our support team identify accounts for moderation, license grants, and assistance. The link is global to Updatr: verifying once lets every Updatr-enabled server you're in recognize you.

What We Don't Collect: We request only Discord's "identify" scope. We do not access your Discord email, direct messages, message history, or the list of servers you are in, and we never post or act in Discord on your behalf beyond assigning the roles and nickname a server has configured.

Imported Links: For some communities we may import existing Discord-to-Roblox links from third-party verification services (such as Bloxlink) so that already-verified members are recognized without re-verifying. Imported links contain the same Discord and Roblox identifiers described above and are treated identically to links you create directly.

Removing Your Link: You can request removal of your Discord-to-Roblox link at any time by contacting us (Section 13). Removing it stops automatic role syncing and means servers will no longer recognize you until you verify again. Re-verifying with a different Roblox account replaces the link (the latest verification wins).

For any privacy-related questions, data access requests, or deletion requests, contact us at hello@merithic.com or through our Discord server at discord.gg/yRqXUXwr6b.

We aim to respond to all privacy-related inquiries within 14 business days.