Last updated: 2026-05-13
RoMetrics (“we”, “us”) provides analytics and discovery tooling for Roblox experiences. This policy explains what we collect, why, the sub-processors that handle it, and how to remove it. Section numbers below are stable so audit findings and support replies can reference them (e.g. “see Privacy §7”).
email, profile). When you sign in with Roblox we receive only the sub identifier returned by the openid scope — we do not receive your Roblox display name, friends, inventory, or place data through OAuth and we never post on your behalf.
We use PostHog (US region) for product analytics. PostHog captures pageviews and autocaptured UI events (clicks, form submissions), web-vitals performance metrics, error events, and a pseudonymous distinct id that we associate with your account id once you are signed in. PostHog’s session-replay capability is enabled on our project; we currently do not sample replays for general traffic, but you should assume that interaction events are recorded for product-improvement purposes. We do not use PostHog for advertising.
When you submit a pitch to the Idea Validator the pitch text is sent to Google (Google AI Studio / Gemini API, US region) for inference and an embedding is generated via OpenAI (US region) for cluster lookup and caching. Pitch text and the resulting verdict are stored in our database for up to 90 days for caching and abuse review. We do not use your pitches to train models, and neither sub-processor uses API inputs to train their foundation models per their published API terms at the time of writing.
We do not sell your data. We do not show third-party ads.
Google OAuth. We request the email and profile scopes only. We read your Google account id, email, name, and profile image to identify your account.
Roblox OAuth. We request the openid scope only. We receive a stable Roblox subject identifier (sub) to identify your account. Roblox does not guarantee a display name or email on this scope and we do not receive one. We never post or modify anything on your Roblox account.
Cloudflare sits in front of the RoMetrics API host api.rometrics.io for DDoS mitigation, TLS termination, and CDN caching. Cloudflare processes request metadata including your IP address, user-agent, and TLS fingerprint to filter abusive traffic. We also use Cloudflare Turnstile on sign-in and on rate-limited endpoints; Turnstile collects browser signals (IP, user-agent, hardware/runtime hints) to produce a bot-likelihood score without using tracking cookies for advertising.
The RoMetrics database and Edge Functions run on a self-hosted Supabase stack physically located in the United States and reached via api.rometrics.io. PostHog (US region) and Resend (US region) likewise process data in the United States. Stripe and Google process data in their respective US regions for our account.
If you access the Service from the European Economic Area, the United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States by us and our sub-processors. Where required, those transfers rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Addendum) and on the EU-US Data Privacy Framework certification of sub-processors that hold one, as supplementary safeguards.
Subject to your local law (GDPR, UK GDPR, CCPA/CPRA, and similar regimes) you may have the right to access, correct, port, restrict, or delete the personal data we hold about you, and to object to certain processing. Email dvitash3414@gmail.com to exercise any of these rights. We respond within 30 days. EU/UK residents may also lodge a complaint with their local data protection authority.
California residents: we do not sell your personal information and we do not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA. Because we do not sell or share, there is no opt-out signal to honor; you may still email us at the address above to exercise any access or deletion right available to you.
All traffic to and from the Service is encrypted in transit using TLS. Data at rest in our Postgres database is encrypted using the platform’s default disk-level encryption, and transactional email to Resend is delivered over SMTP TLS. Access to production systems is limited to the operator. If we become aware of a personal-data breach we will notify affected users and, where required by law, the relevant supervisory authority within 72 hours of becoming aware.
Account data is kept until you delete your account. Validator pitches and AI verdicts are kept for up to 90 days for caching and abuse review. Raw request and abuse logs are kept for up to 90 days. Billing records are kept for as long as required by tax and accounting law (typically 7 years).
We use first-party cookies for authentication session state and a first-party PostHog cookie for product analytics. We do not set third-party advertising cookies. Cloudflare and Turnstile may set short-lived first-party cookies as part of bot protection.
RoMetrics is not directed at children under 13. Do not create an account or sign in if you are under 13. We do not knowingly collect personal data from anyone under 13; if you believe a child has provided us data, email us and we will delete it.
We will update the “Last updated” date when this policy changes. Material changes will be announced in-product.
We rely on the following sub-processors to run the Service. We will update this list (and bump the “Last updated” date at the top of this page) when sub-processors change. The canonical anchor for this list is /privacy#sub-processors.