Data Controller: Nebula Technologies
Contact Email: legal@koopa.space
Discord Support: discord.gg/PFGzqGXehh (#support channel)
Website: nebularblx.com

We collect the following categories of personal information:

2.1. Account and Authentication Data

• Discord Account: Discord ID, username, discriminator, email address, profile picture, and Discord roles (collected via Discord OAuth)
• Roblox Account: Roblox user ID and username (collected via Roblox OAuth when you link your account)
• GitHub Account: GitHub username and encrypted OAuth access token (collected via GitHub OAuth when you link your account for code review features)
• Email Address: Discord email address or custom email address you provide, email verification status
• Two-Factor Authentication: TOTP secrets (encrypted), email verification codes, 2FA method preferences
• Account Status: Verification status, ban status, admin status, role assignments

2.2. AI and Service Configuration Data

• AI Settings: AI provider selection (OpenAI, DeepSeek, Groq, Anthropic, Cohere, Mistral), encrypted API keys stored securely
• GitHub Repository Data: Repository names, file contents, code reviews, and statistics when using the Lua Reviewer feature
• User Preferences: Account settings, notification preferences, consent records

2.3. Payment and Transaction Data

• Payment Information: Transaction records, payment confirmations, purchase history, product ownership records
• Payment Methods: Payment method type (processed by third-party providers - PayPal, Google Pay), transaction IDs
• Redeem Codes: Code redemption history and associated product grants

2.4. Product and Service Usage Data

• Product Ownership: Products purchased, access granted, license logs, download history
• Application Data: Application submissions, answers, grading results, attempt records
• Commission Data: Commission requests, status, and related information
• Obfuscation Service: Lua code submitted for obfuscation (processed but not stored long-term)
• Studio Activity: Activity tracking data from Roblox studio plugins (if enabled)

2.5. Technical and Usage Data

• IP Addresses: Collected for security, fraud prevention, and geolocation purposes
• Browser Information: User agent, browser type, version, and capabilities
• Device Data: Device type, operating system, screen resolution
• Location Data: General location information derived from IP address (city, country) for security notifications
• Usage Analytics: Page views, click patterns, session duration, feature usage
• Referral Data: Referral codes, referral relationships, successful referrals

2.6. Communication Data

• Support Communications: Support requests, feedback, and communications with our team
• Email Communications: Sign-in notifications, email verification codes, 2FA codes, application result notifications, security alerts
• Activity Logs: User activity logs, login history, action timestamps

2.7. Cookies and Tracking Technologies

• Essential Cookies: Session cookies, authentication tokens, consent preferences
• Analytics Cookies: Google Analytics cookies for website usage analysis
• Advertising Cookies: Google AdSense cookies for personalized advertising
• Functional Cookies: Cookies that remember your preferences and settings

We collect information through the following methods:

• Directly from You: When you create an account, make a purchase, submit applications, configure settings, or communicate with us
• OAuth Authentication: When you sign in with Discord, link your Roblox account, or link your GitHub account
• Automatically: Through cookies, tracking technologies, and server logs when you use our website
• Third-Party Services: From service providers like Discord, Roblox, GitHub, payment processors, and analytics services
• User Activity: When you use our services, download products, submit code for review, or interact with features

We use your personal information for the following purposes:

4.1. Service Provision and Account Management

• To create and manage your account, authenticate your identity, and provide access to our services
• To process payments, deliver purchased products, and manage product licenses
• To enable GitHub integration for code review features and repository browsing
• To provide AI-powered code review services using your configured AI provider
• To process application submissions and manage application attempts
• To provide obfuscation services for Lua code
• To manage product transfers and referral programs

4.2. Security and Fraud Prevention

• To implement and manage two-factor authentication (2FA) for account security
• To detect and prevent fraud, abuse, unauthorized access, and security threats
• To send security notifications (sign-in alerts, suspicious activity)
• To monitor user activity and enforce our terms of service
• To verify account ownership and prevent account sharing

4.3. Communication

• To send important service updates, notifications, and administrative messages
• To respond to support requests and provide customer service
• To send email verification codes and 2FA codes
• To notify you of application results, commission status, and other service-related communications
• To send security alerts and account activity notifications

4.4. Service Improvement and Analytics

• To analyze usage patterns, improve user experience, and optimize service performance
• To understand how features are used and identify areas for improvement
• To conduct research and development for new features and services
• To personalize your experience and show relevant content

4.5. Legal and Compliance

• To comply with applicable laws, regulations, and legal obligations
• To respond to legal requests, court orders, and government inquiries
• To protect our rights, property, and safety, as well as that of our users
• To enforce our Terms of Service and other agreements
• To maintain records for tax, accounting, and legal compliance purposes

4.6. Marketing and Advertising

• To display personalized advertisements through Google AdSense
• To send promotional communications (with your consent, where required)
• To analyze advertising effectiveness and optimize ad delivery

We process your personal data based on the following legal bases under GDPR and applicable laws:

• Consent: When you provide explicit consent (e.g., for marketing emails, non-essential cookies, GitHub integration, AI features)
• Contractual Necessity: To perform our contract with you (e.g., providing purchased products, processing payments, account management)
• Legitimate Interests: For our legitimate business interests, balanced against your rights (e.g., security, fraud prevention, service improvement, analytics)
• Legal Obligation: To comply with legal requirements (e.g., tax records, legal requests, regulatory compliance)
• Vital Interests: To protect your or others' vital interests in emergency situations

You can withdraw consent at any time where consent is the legal basis. Withdrawal does not affect processing that occurred before withdrawal or processing based on other legal bases.

We retain your personal data for the following periods:

• Account Data: Retained while your account is active. After account deletion, we retain data for 2 years for recovery purposes, then securely delete it unless legal retention requirements apply.
• Payment and Transaction Records: Retained for 7 years to comply with tax regulations, accounting requirements, and financial audit obligations.
• GitHub OAuth Tokens: Retained until you unlink your GitHub account. Tokens are encrypted and stored securely.
• AI Settings: Retained until you clear your AI settings. API keys are encrypted using AES-256-GCM encryption.
• 2FA Data: Retained while 2FA is enabled. TOTP secrets are encrypted and deleted when 2FA is disabled.
• Application Data: Retained for 3 years after application submission or last activity for record-keeping and support purposes.
• Email Verification Codes: Retained for 10 minutes, then automatically deleted.
• Usage Analytics: Retained for 2 years to improve services and identify usage patterns.
• Communication Data: Retained for 3 years for ongoing support and service improvements.
• Activity Logs: Retained for 1 year for security monitoring and fraud prevention.
• Technical Data (IP addresses, logs): Retained for 1 year for security monitoring, then anonymized or deleted.
• Legal Requirements: Some data may be retained longer as required by applicable law (e.g., tax records, legal disputes).

Data Deletion: Upon account deletion request, we will delete your personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention, legal disputes).

We do not sell your personal information. We share data only as described below:

7.1. Service Providers and Data Processors

We share data with trusted third-party service providers who help us operate our services:

• Authentication Services:
  • Discord (OAuth authentication, user profile data)
  • Roblox (OAuth account linking, user verification)
  • GitHub (OAuth authentication, repository access for code review features)
• Payment Processors:
  • PayPal (payment processing, transaction data)
  • Google Pay (payment processing, transaction data)
• Cloud and Infrastructure:
  • Firebase/Google Cloud (database, authentication, hosting - data stored in US, EU, and other regions)
  • Cloudflare R2 (product file storage and content delivery)
• Email Services:
  • Resend (email delivery service for notifications, verification codes, and communications)
• Analytics and Advertising:
  • Google Analytics (website usage analytics, user behavior tracking)
  • Google AdSense (personalized advertising, ad delivery and measurement)
• AI Service Providers: When you use AI features, your code and prompts are sent to your configured AI provider:
  • OpenAI (if you configure OpenAI API key)
  • DeepSeek (if you configure DeepSeek API key)
  • Groq (if you configure Groq API key)
  • Anthropic/Claude (if you configure Anthropic API key)
  • Cohere (if you configure Cohere API key)
  • Mistral AI (if you configure Mistral API key)
  Note: We do not store your AI API keys in plain text - they are encrypted using AES-256-GCM encryption.

7.2. Legal Requirements

• We may disclose information if required by law, court order, or government request
• We may disclose information to protect our rights, property, or safety, or that of our users
• We may disclose information to comply with legal obligations or respond to legal process

7.3. Business Transfers

• In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity
• We will notify you of any such transfer and any changes to data handling practices

7.4. Aggregated and Anonymized Data

• We may share anonymized, aggregated data that cannot identify you for analytics, research, and business purposes
• This data is used to improve services, conduct research, and analyze trends

7.5. Data Processing Agreements

All third-party service providers are contractually obligated to:

• Process data only for specified purposes and in accordance with our instructions
• Implement appropriate security measures to protect your data
• Comply with applicable data protection laws
• Not use your data for their own purposes without your consent

We implement comprehensive security measures to protect your personal information:

• Encryption in Transit: All data transmission is encrypted using TLS 1.3 protocols and HTTPS
• Encryption at Rest: Sensitive data (AI API keys, GitHub tokens, 2FA secrets) is encrypted using AES-256-GCM encryption
• Database Security: Data stored in Firebase with encryption, access controls, and regular security audits
• Access Controls: Multi-factor authentication (2FA), role-based access controls, and principle of least privilege
• Network Security: Firewalls, DDoS protection, intrusion detection, and regular security assessments
• Secure Authentication: OAuth 2.0 with PKCE for secure third-party authentication
• Monitoring: 24/7 security monitoring, automated threat detection, and incident response procedures
• Regular Updates: Regular security updates, patch management, and penetration testing
• Employee Training: Staff training on data protection and security best practices
• Incident Response: We will notify affected users and relevant authorities within 72 hours of any data breach that poses a risk to your rights and freedoms
• Backup and Recovery: Regular backups with encrypted storage and tested recovery procedures

Security Limitations: While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but are committed to protecting your data to the best of our ability.

Under GDPR, CCPA, and other applicable data protection laws, you have the following rights:

9.1. Right of Access

You have the right to request a copy of all personal data we hold about you, including:

• Account information (Discord, Roblox, GitHub data)
• Payment and transaction history
• Product ownership records
• Application submissions and results
• Activity logs and usage data
• Communication records

9.2. Right to Rectification (Correction)

You can correct inaccurate or incomplete personal data through your account settings or by contacting us.

9.3. Right to Erasure (Deletion / "Right to be Forgotten")

You can request deletion of your personal data. We will delete data unless:

• Retention is required by law (e.g., tax records for 7 years)
• Data is necessary for ongoing legal disputes
• Data is needed for legitimate business interests (e.g., fraud prevention)
• Deletion would harm others' rights or interests

9.4. Right to Data Portability

You can request your data in a structured, commonly used, machine-readable format (e.g., JSON) to transfer to another service.

9.5. Right to Restrict Processing

You can request that we restrict processing of your data in certain circumstances (e.g., while disputing accuracy).

9.6. Right to Object

You can object to processing based on:

• Legitimate interests (we will stop unless we have compelling legitimate grounds)
• Direct marketing (we will stop immediately)
• Automated decision-making and profiling

9.7. Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect processing that occurred before withdrawal.

9.8. Right to Lodge a Complaint

You have the right to file a complaint with your local data protection authority if you believe we have violated your privacy rights.

9.9. How to Exercise Your Rights

To exercise your rights, contact us at:

• Email: legal@koopa.space
• Discord: discord.gg/PFGzqGXehh (#support channel)
• Response Time: We will respond to your request within 30 days (or as required by applicable law)
• Verification: We may need to verify your identity before processing requests to protect your privacy
• No Fee: Requests are generally free, unless requests are excessive or unfounded

9.10. CCPA-Specific Rights (California Residents)

• Right to Know: Request disclosure of categories and specific pieces of personal information collected
• Right to Delete: Request deletion of personal information (subject to exceptions)
• Right to Opt-Out: Opt-out of the sale of personal information (we do not sell personal information)
• Non-Discrimination: We will not discriminate against you for exercising your privacy rights

We use cookies and similar tracking technologies to enhance your experience and analyze website usage.

10.1. Types of Cookies We Use

Essential Cookies (Required)

• Session cookies for authentication and maintaining your login state
• Security cookies for CSRF protection and secure authentication
• Consent preference cookies to remember your cookie choices
• These cookies are necessary for the website to function and cannot be disabled

Analytics Cookies

• Google Analytics cookies to understand how visitors use our website
• Track page views, user interactions, and site performance
• Help us improve website functionality and user experience
• Require your consent (managed through cookie consent banner)

Advertising Cookies

• Google AdSense cookies for personalized advertising
• Track ad performance and deliver relevant advertisements
• Enable ad measurement and optimization
• Require your consent (managed through cookie consent banner)

10.2. Cookie Management

• Cookie Consent: We use a cookie consent banner for non-essential cookies. You can manage your preferences at any time.
• Browser Settings: You can disable or delete cookies through your browser settings, though this may affect website functionality.
• Opt-Out Tools:
  • Google Analytics: Google Analytics Opt-out
  • Google Ads: Google Ad Settings
  • Network Advertising Initiative: NAI Opt-Out
• Do Not Track: We respect Do Not Track (DNT) signals from your browser, though some third-party services may not honor DNT.
• Local Storage: We use browser local storage to remember preferences and settings (e.g., last sign-in timestamp to prevent duplicate emails).

10.3. Third-Party Tracking

Third-party services (Google Analytics, Google AdSense) may set their own cookies. We do not control these cookies. Please review their privacy policies for information about their cookie practices.

Our services are not directed to children, and we take special care to protect children's privacy:

• Age Requirement: Our services are not intended for children under 13 years of age.
• No Collection from Children: We do not knowingly collect personal information from children under 13. If we discover we have collected data from a child under 13, we will immediately delete it.
• Minors (13-17): Users aged 13-17 may use our services, but we recommend parental supervision. We may require verified parental consent in certain jurisdictions.
• Parental Consent: Where required by law (e.g., COPPA), we require verified parental consent through valid identification (passport, driver's license, or government-issued ID) before collecting data from minors.
• Parental Rights: Parents have the right to:
  • Review the personal information we have collected from their child
  • Request deletion of their child's personal information
  • Refuse further collection or use of their child's information
  • Revoke consent at any time
• COPPA Compliance: We comply with the Children's Online Privacy Protection Act (COPPA) and similar laws in other jurisdictions.
• Contact for Children's Privacy: Parents who wish to exercise their rights regarding their child's data should contact us at legal@koopa.space.

We comply with applicable data protection laws in all jurisdictions where we operate:

• GDPR (EU/UK): We comply with the General Data Protection Regulation for EU and UK residents, including:
  • Lawful basis for processing
  • Data subject rights
  • Data breach notification requirements
  • Data Protection Impact Assessments where required
• CCPA/CPRA (California): We comply with the California Consumer Privacy Act and California Privacy Rights Act, including:
  • Right to know about personal information collected
  • Right to delete personal information
  • Right to opt-out of sale (we do not sell personal information)
  • Non-discrimination for exercising privacy rights
• Other US State Laws: We comply with applicable state privacy laws including Virginia VCDPA, Colorado CPA, Connecticut CTDPA, and Utah UCPA.
• LGPD (Brazil): We comply with Brazil's Lei Geral de Proteção de Dados where applicable.
• Other Jurisdictions: We comply with applicable data protection laws in all jurisdictions where we operate.
• Data Protection Officer: For privacy inquiries, contact us at legal@koopa.space or through Discord support channels.
• Complaints: You may lodge complaints with your local data protection authority:
  • EU: Your local data protection authority (DPA)
  • UK: Information Commissioner's Office (ICO)
  • California: California Attorney General
  • Other jurisdictions: Your local privacy regulator

Your personal data may be transferred to and processed in countries outside your country of residence:

13.1. Transfer Locations

• Primary Storage: United States (Firebase/Google Cloud servers)
• Additional Locations: EU, UK, Canada, and other regions where our service providers operate
• Service Provider Locations:
  • Discord: United States
  • Roblox: United States
  • GitHub: United States and other regions
  • PayPal: United States and global data centers
  • Google Services: United States, EU, and global data centers
  • Resend: United States
  • Cloudflare R2: Global data centers
  • AI Providers: Various locations depending on provider (OpenAI: US, Anthropic: US, etc.)

13.2. Safeguards for International Transfers

• Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers from EU/UK to countries without adequacy decisions
• Adequacy Decisions: We rely on adequacy decisions where applicable (e.g., EU-US Data Privacy Framework)
• Encryption: All international transfers are encrypted in transit (TLS 1.3) and sensitive data is encrypted at rest (AES-256)
• Data Processing Agreements: All service providers are contractually bound to protect your data and comply with applicable laws
• Compliance: We ensure appropriate safeguards are in place for all international data transfers

13.3. Your Rights Regarding Transfers

• You may request information about specific transfers affecting your data
• You have the right to object to transfers if you believe adequate safeguards are not in place
• You can contact us to learn more about the safeguards we use for international transfers

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements:

• Notification of Changes: We will notify you of material changes via email or prominent website notice at least 30 days before changes take effect
• Material Changes: For material changes (e.g., new data collection, new third-party sharing, changes to your rights), we will:
  • Provide clear notice of what has changed
  • Explain the impact of changes
  • May require you to re-consent to the updated policy
• Continued Use: Continued use of our services after changes constitutes acceptance of the updated policy, unless re-consent is required
• Version History: Previous versions of this policy are available upon request for at least 2 years
• Effective Date: The "Last updated" date at the top indicates when the current version became effective
• Review Regularly: We encourage you to review this policy periodically to stay informed about how we protect your data

For privacy questions, data requests, to exercise your rights, or to report privacy concerns, contact us:

• Legal/Privacy Email: legal@koopa.space
• Discord Support: discord.gg/PFGzqGXehh (#support channel)
• Website: nebularblx.com
• Response Time: We respond to all privacy requests within 30 days as required by law (or sooner where possible)
• Verification: We may need to verify your identity before processing certain requests to protect your privacy

16.1. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects or significantly affects you, except:

• Fraud detection and prevention (to protect your account and our services)
• Content personalization (to improve your experience)
• You have the right to object to automated decision-making and request human review

16.2. Special Categories of Data

We do not intentionally collect special categories of personal data (sensitive data) such as race, ethnicity, political opinions, religious beliefs, health data, or biometric data. If such data is inadvertently collected, we will delete it immediately upon discovery.

16.3. Data Accuracy

We strive to keep your personal data accurate and up-to-date. Please notify us if your information changes or if you notice any inaccuracies. You can update most information through your account settings.

16.4. Links to Other Websites

Our website may contain links to third-party websites. We are not responsible for the privacy practices of external websites. We encourage you to review the privacy policies of any third-party sites you visit.