Privacy Policy

Last updated: March 2025

1. Data Controller

The controller responsible for data processing on this website is:

Cornelia Reise

E-Mail: [email protected]

GDPR Inquiries: [email protected]

Location: Germany

2. Data We Collect

Account Data

  • E-mail address
  • Username
  • Password (stored as a bcrypt hash — we never store plaintext passwords)
  • Avatar (optional)
  • Account creation date

Connected Accounts (optional)

  • Roblox User ID
  • Discord User ID

Security Data

  • IP addresses — used for session IP locking, two-factor authentication (e-mail 2FA is limited to one request per IP), and Roblox server verification via ip-api.com
  • Session tokens and session metadata
  • Two-factor authentication secrets (encrypted)
  • Cloudflare Turnstile CAPTCHA challenge tokens — used for bot protection on authentication forms

Activity Data

  • Activity logs (account events such as creation, plan updates, key redemptions)
  • Chat messages — stored permanently in the database (see Section 6 for retention details)
  • Script content submitted for execution — logged to the database and forwarded to Discord for moderation purposes
  • Script execution logs — stored permanently in the database (see Section 6 for retention details)

AI Chat Data

  • Messages sent to the AI chat assistant — only the message text content is transmitted to Mistral AI (a French/EU AI provider) for processing. No account data or personal information is sent.
  • AI chat session history — cached in Redis with a 1-hour time-to-live (TTL)

Referral Data

  • Referral codes — automatically assigned to your username upon account creation
  • Referral relationships (who referred whom)
  • Referral balance and referral percentage

Financial Data

  • Transaction records (sale ID, e-mail used at checkout, plan tier, amount, payment method)
  • Payment processing is handled entirely by third-party processors (Helio for cryptocurrency, Pandabase for card/CashApp payments, BloxProducts for Robux payments) — we do not store credit card details, cryptocurrency wallet addresses, or other raw payment credentials

Real-Time Connection Data

  • WebSocket connections transmit authentication tokens for session verification and chat messages in real time

Client-Side Storage (Browser)

  • The Exoliner frontend stores the following data in your browser's localStorage: JWT authentication tokens, user profile cache, script editor tabs, theme preferences, and linked Roblox account data
  • This data remains on your device and is not transmitted to our servers unless required for authentication or service functionality

Desktop Application Data

  • The Exoliner desktop client performs automatic update checks against our servers
  • Desktop client binaries are scanned via VirusTotal to provide transparency on malware scanning results — file hashes are transmitted to VirusTotal for this purpose

Analytics Data

  • We use a self-hosted instance of Plausible Analytics, which does not use cookies, does not collect personal data, and does not track individual visitors across sessions

3. How We Use Your Data

  • Providing and maintaining your account and the Exoliner service
  • Authenticating your identity and managing sessions (including WebSocket-based real-time connections)
  • Session IP locking to protect your account from unauthorized access
  • Two-factor authentication (authenticator app or e-mail, with e-mail 2FA limited to one request per IP for abuse prevention)
  • Bot protection via Cloudflare Turnstile CAPTCHA challenges on authentication forms
  • Moderation and enforcement of our Terms of Service, including logging script content to Discord
  • Processing one-time lifetime plan purchases through third-party payment processors
  • Fraud prevention and security monitoring
  • Providing AI-powered chat assistance via Mistral AI (only chat message text content is sent to Mistral's API for processing — no account data or personal information is transmitted)
  • Roblox server verification using IP geolocation (via ip-api.com)
  • Responding to support requests
  • Analyzing usage patterns to improve the service (via privacy-friendly, self-hosted Plausible Analytics)
  • Desktop client update verification and malware transparency scanning (via VirusTotal)

4. Legal Basis (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Processing your account data, sessions, transactions, script execution, and AI chat functionality is necessary to provide the service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): IP logging, session security, activity logs, CAPTCHA verification, script moderation logging, and Roblox server verification are carried out to protect the platform and its users and to prevent abuse.
  • Consent (Art. 6(1)(a)): Where applicable, such as connecting optional third-party accounts (Roblox, Discord) and using the AI chat assistant (which involves transferring chat message text content to Mistral AI in France — no personal data or account information is sent).
  • Legal obligation (Art. 6(1)(c)): Where we are required to retain data by law (e.g. financial transaction records).

5. Third-Party Processors

We use the following third-party service providers to operate Exoliner. All processors are bound by data processing agreements where applicable.

Hetzner Online GmbH

Server hosting · Germany

Cloudflare, Inc.

TLS termination, CDN, DDoS protection · Global (EU data processing)

Cloudflare R2

Encrypted backups · EU region

Cloudflare Turnstile

CAPTCHA / bot protection · Global (EU data processing)

Helio

Cryptocurrency payment processing (Solana) · Global

Pandabase (mypandabase.com)

Card and CashApp payment processing · EU/US

BloxProducts (bloxproducts.com)

Robux payment processing · Global

Resend

Transactional email delivery · US (EU data processing)

Mistral AI

AI chat assistant processing (chat message text only — no personal data) · France (EU)

Plausible Analytics

Privacy-friendly website analytics (self-hosted) · Germany (self-hosted instance)

ip-api.com

IP geolocation for Roblox server verification · Global

VirusTotal

Malware scanning for desktop client updates · Global

Discord

Bot integration, user avatars, community, script moderation logging · US

Roblox Corporation

User lookups, game data, thumbnails · US

6. Data Retention

The following outlines how long different categories of data are retained:

Account Data

Retained for as long as your account exists. Upon account deletion, data is removed from the live database promptly. Residual copies in encrypted rotating backups are purged as the backup rotation cycle completes.

Chat Messages & Script Execution Logs

Stored permanently in the database with no automated cleanup or expiration. These records persist indefinitely, including after account deletion, for moderation and platform integrity purposes.

Sessions

Active sessions are retained while in use. Expired sessions older than 2 days are automatically cleaned up every minute.

AI Chat Sessions

AI chat conversation history is cached in Redis with a 1-hour time-to-live (TTL). After 1 hour of inactivity, the cached session data is automatically deleted. Chat message text content sent to Mistral AI for processing is subject to Mistral's own data retention policies. Mistral AI is headquartered in France and subject to EU data protection regulations. No account data or personal information is included in these transmissions.

Security Logs

IP addresses and session metadata may be retained for a reasonable period after account deletion for fraud prevention and legal compliance.

Financial Transaction Records

Retained as required by applicable tax and commercial law.

Encrypted Backups

Stored on a rotating schedule in EU-region Cloudflare R2. When you request account deletion, backup copies are purged as the backup rotation cycle completes.

Client-Side Storage

Data stored in your browser's localStorage (JWT tokens, user cache, script tabs, theme preferences, Roblox accounts) persists until you clear your browser data or log out.

7. Your Rights Under GDPR

As a data subject, you have the following rights:

  • Right of access (Art. 15): You may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): You may request correction of inaccurate data.
  • Right to erasure (Art. 17): You may request deletion of your personal data. Please note that chat messages and script execution logs are stored permanently and may not be fully erasable (see Section 6).
  • Right to restriction (Art. 18): You may request that we restrict processing of your data.
  • Right to data portability (Art. 20): You may request your data in a structured, machine-readable format.
  • Right to object (Art. 21): You may object to processing based on legitimate interest.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority (in Germany: your state's data protection authority).

To exercise any of these rights, contact us at [email protected].

8. Account & Data Deletion

You may request deletion of your account and associated personal data at any time by contacting us through one of the following channels:

Upon deletion, your account data is removed from the live database. Residual copies in encrypted rotating backups will be purged as the backup cycle completes. Please note that chat messages and script execution logs are retained permanently for moderation purposes and are not removed upon account deletion (see Section 6).

9. Security Measures

  • All connections are encrypted with TLS (via Cloudflare)
  • Passwords are hashed using bcrypt before storage
  • Two-factor authentication secrets are encrypted at rest
  • Session IP locking prevents unauthorized access from unknown locations
  • Backups are encrypted and stored in EU-region Cloudflare R2
  • Infrastructure is hosted on dedicated servers in Germany (Hetzner)

10. Security Vulnerability Disclosure

If you discover a security vulnerability in Exoliner, we encourage you to report it responsibly. Please see our Vulnerability Disclosure Policy for full details.

Security Reports

[email protected]

11. International Data Transfers

Our primary infrastructure is located in Germany (Hetzner). However, some third-party processors process data outside the EU/EEA. The following transfers occur:

Cloudflare (Global, EU data processing)

CDN, TLS termination, DDoS protection, Turnstile CAPTCHA, and R2 backup storage. Cloudflare maintains EU Standard Contractual Clauses (SCCs) and is committed to EU data processing.

Mistral AI (France, EU)

Only chat message text content (your prompts and the AI's responses) is transmitted to Mistral AI's servers in France for processing. No account data, personal information, usernames, e-mail addresses, or other identifiers are sent to Mistral. As Mistral AI is headquartered in France (EU), this does not constitute an international data transfer outside the EEA. We still recommend not including sensitive personal information in your chat messages. Mistral's processing is subject to their own privacy policy and data retention practices.

US-Based Processors

Resend (transactional email), Discord (bot integration, moderation logging), and Roblox Corporation (user lookups, game data) process data in the United States. Where applicable, transfers are covered by EU Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework.

Global Processors

Helio (cryptocurrency payments), BloxProducts (Robux payments), ip-api.com (IP geolocation), and VirusTotal (malware scanning) operate globally. Data shared with these processors is limited to what is strictly necessary for their respective functions.

12. AI Features & Data Processing

Exoliner includes an AI-powered chat assistant. The following disclosures apply to the use of this feature:

  • AI Provider: The AI chat assistant is powered by Mistral AI (Devstral 2 model), a French AI company headquartered in the EU.
  • Data Transmitted: When you use the AI chat, only the text content of your messages is sent to Mistral AI's API for processing and response generation. No account data, personal information, usernames, e-mail addresses, or other identifiers are transmitted to Mistral.
  • Usage Tracking: Each user receives $2.00 USD of free AI credits per month. Token usage (input and output tokens) is tracked to calculate costs against your monthly credit allowance. Credits reset automatically every 30 days.
  • Session Caching: AI chat conversation history is cached server-side in Redis with a 1-hour TTL to maintain context within a session. After 1 hour of inactivity, the cached conversation is automatically deleted.
  • Third-Party Retention: Chat message text content sent to Mistral AI is subject to Mistral's own privacy policy and data retention practices. As an EU-based company, Mistral AI is subject to GDPR. No personal data is included in these transmissions.
  • GDPR Compliance: Mistral AI is headquartered in Paris, France. Data processing occurs within the EU, so no international data transfer outside the EEA is required for the AI chat feature.
  • Recommendation: We strongly recommend that you do not include sensitive personal information, credentials, or confidential data in AI chat messages.

13. Contact

If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:

Cornelia Reise

General: [email protected]

Support: [email protected]

GDPR & Data Requests: [email protected]

Legal: [email protected]

Security: [email protected]

This Privacy Policy may be updated from time to time. We will notify users of significant changes. Continued use of Exoliner after changes constitutes acceptance of the updated policy.