Privacy Policy
Last updated: 2026-05-11
Rosco helps you build Roblox games using AI. To do that we need to store some of your data. This page explains exactly what we collect, why, who we share it with, and what you can do about it. Plain English, no lawyer-speak.
What we collect
- Account info. Your email and a display name from GitHub or Google OAuth. We do not see your OAuth password.
- Chat content. Messages you send to Rosco and the AI's responses, so we can show your history and so the AI has context.
- Studio activity. The tool calls Rosco makes against your Roblox Studio (read, write, create, delete). We log these for debugging and abuse prevention.
- Usage events. Per-request metadata like model used, tokens consumed, and approximate cost. Used to enforce monthly limits.
- IP addresses. Logged at signup, on every AI request, and on plugin connections. Used to detect abuse (botting, mass account farming) and to enforce IP bans when abuse is detected.
- Payment metadata. If you subscribe, Stripe stores your customer ID and subscription state. We store the Stripe customer ID and your plan tier. We never see or store your card number.
- Attachments. Images and files you upload to a chat are stored in our private storage bucket, accessible only by you and our service role.
What we do with it
- Provide the service (run AI requests, render your chat history, route tool calls to your Studio plugin).
- Enforce monthly usage limits and your subscription tier.
- Detect and block abuse — pairing-code brute force, account farming, banned-IP signup attempts.
- Send transactional emails (signup confirmation, password reset, alerts you opt into).
- Comply with legal obligations and respond to lawful requests.
We do not sell your data, share it with advertisers, or use it to train external AI models.
Who we share it with
Rosco is built on third-party infrastructure. Your data flows through:
- Supabase — database, authentication, file storage. supabase.com/privacy
- Vercel — web hosting and edge network. vercel.com/legal/privacy-policy
- OpenRouter — AI gateway that forwards your prompts to Anthropic and Google. openrouter.ai/privacy
- Anthropic (for Claude models) and Google (for Gemini models). These providers receive your chat content when you choose their model.
- Stripe — payment processing. Stripe receives your name, email, and card details directly; we never touch them. stripe.com/privacy
- Resend — transactional email delivery. resend.com/legal/privacy-policy
- GitHub / Google — OAuth providers when you sign in.
How long we keep it
- Account data: as long as your account exists.
- Chat attachments: 30 days, then automatically deleted by a cron job.
- Banned IPs and abuse-prevention logs: indefinitely. We need them to keep blocking known bad actors.
- Stripe records: as long as required by tax/accounting law (typically 7 years).
Your rights
You can:
- Access what we have on you — email us at support@roscostudio.dev.
- Delete your account and all associated data, except billing records we're legally required to keep. Email the same address.
- Correct inaccurate data — email or update via the in-app settings.
- Cancel your subscription anytime from the Billing settings inside Rosco. Stripe handles the actual cancellation.
If you're in the EU/UK, you have additional rights under GDPR (portability, objection to processing). Same email address.
Cookies and local storage
Rosco uses your browser's localStorage to keep you signed in across sessions and to remember preferences (selected AI model, reasoning level, current conversation). We do not use third-party advertising or analytics cookies.
Children
Rosco is not directed at children under 13. If you're a parent and believe your child has signed up, email us and we'll delete the account.
Changes to this policy
We'll update this page when material things change and post the new "Last updated" date at the top. If the changes are significant, we'll email you.