Privacy Policy.
How we handle your personal data when you use Exoliner. Drafted in line with GDPR (Regulation (EU) 2016/679), the German Federal Data Protection Act (BDSG), and the German Telecommunications and Telemedia Data Protection Act (TDDDG, formerly TTDSG).
last updated · 2026-05-06
This Privacy Policy explains what personal data we process when you visit exoliner.wtf, create an account, purchase a plan, or use the Exoliner service. It satisfies the information duties under Articles 13 and 14 GDPR. Defined terms (“personal data”, “controller”, “processor”, “processing”) carry the meaning given to them in Article 4 GDPR.
Where this English version conflicts with mandatory provisions of German or EU consumer or data-protection law, those mandatory provisions prevail. Nothing in this policy waives any right you have under those laws.
§ 01 / controller
The controller responsible for the processing described here, within the meaning of Article 4(7) GDPR, is:
Cornelia Reise
Germany
Email (data protection): [email protected]
Email (general): [email protected]
Full provider information including the postal address required under § 5 of the German Digital Services Act (DDG) is published in our Impressum.
§ 02 / data protection officer
We have not appointed a Data Protection Officer because we are not required to do so under § 38 BDSG: we do not permanently employ at least 20 persons engaged in automated processing, we do not perform high-risk processing requiring a Data Protection Impact Assessment as a core activity, and we do not process special categories of data on a large scale. For all data-protection enquiries please write to [email protected].
§ 03 / what we collect
We process the following categories of personal data, broken down by when and why we collect them.
3.1 Account data
- Mandatory at sign-up: email address, chosen username, password (stored only as a salted bcrypt hash — we never see the plaintext)
- Generated automatically: account ID, account creation timestamp, current rank/plan tier, AI-credit balance and monthly reset timestamp
- Optional: profile avatar, two-factor authentication configuration (TOTP secret or e-mail-based 2FA — TOTP secrets are encrypted at rest using AES-GCM with a server-side key), passkeys (FIDO2/WebAuthn credential ID, public key, signature counter)
3.2 Linked third-party identifiers
- Roblox account: Roblox user ID and username (optional; collected when you choose to link a Roblox account so you can target experiences you own)
- Discord account: Discord user ID and username (optional; collected if you sign in with Discord OAuth or link a Discord account)
3.3 Authentication and security data
- IP address of the device used to authenticate (stored as a salted one-way hash on the session record for session-binding and abuse detection)
- Session identifiers and JSON Web Tokens (JWTs)
- Captcha tokens issued by Cloudflare Turnstile (used once and discarded)
- Email-verification, password-reset, and email-2FA codes (short lifetime — see § 07)
- Backup recovery codes, stored only as bcrypt hashes
3.4 Activity and content
- Activity log: account-related events such as account creation, plan upgrades, key redemptions, password resets (kept on the user’s account record)
- Strikes and moderation records: violations of our Usage Rules, including the rule violated, severity, and issuing staff member
- Script content and execution logs: the Luau code you submit for execution, the target experience identifier, the timestamp, and any moderation review status. Script execution history is retained for security review and abuse investigation (see § 07)
- Chat messages: messages you post in the in-app community chat, plus any reactions, replies, and moderation actions taken (mutes, bans, deletions, audit log entries)
- Script-library content: scripts you publish or review on the community script hub, including their text, metadata, and any rating/review you submit
- Support tickets: messages exchanged with our support team via Discord (channel ID, transcript, timestamps)
3.5 Payment data
Payments are processed by Pandabase as an independent payment processor. We do not receive or store your full card number, card expiry, CVV, bank account number, or any other sensitive payment instrument data. From Pandabase we receive only the order metadata we need to provision your plan: order/session identifier, the plan you purchased, the amount and currency paid, the email address used at checkout, the country of the billing address (for VAT determination), and the payment method category (e.g. “card” or “wallet”).
3.6 AI assistant data
When you use the in-app AI assistant we transmit your prompt, the relevant script context you select, and a short conversation history to the model you have selected. The default model is GLM-5.1, which we run on our own self-hosted infrastructure (see § 06.3 below); other models are operated by third-party providers listed in § 06.3. We retain a short cached copy of in-flight conversations in our Redis cache (typically up to one hour) for technical reasons (resumption of broken streams); this cache expires automatically.
3.7 Service-availability and analytics data
- Server logs (HTTP method, path, response status, response time, a truncated user-agent and IP-derived country code) kept for up to 7 days for diagnostics and DDoS analysis
- Aggregate usage statistics from self-hosted Plausible Analytics: pageview path, referrer, country (derived from IP and immediately discarded), and a daily-rotating, salt-hashed visitor identifier that cannot be linked to a person and is not preserved across days. Plausible uses no cookies, no localStorage, and never builds a cross-site profile (see § 08)
3.8 Desktop application
Our optional desktop application checks for updates at start-up and downloads update binaries from our Cloudflare R2 bucket. These update checks transmit your Exoliner account token, the current installed version, and the platform string (e.g. windows-x86_64). We publish a VirusTotal scan identifier for every desktop build so you can independently verify the binary; that scan is performed by VirusTotal on the binary hash, not on you.
§ 04 / purposes and legal bases
We process the data above for the purposes set out below. The applicable legal basis under Article 6(1) GDPR is named for each.
- Providing the service you contracted for — account creation and authentication, executing scripts you submit, the script vault, the AI assistant, the community script hub: Art. 6(1)(b) GDPR — performance of the contract you concluded with us when purchasing a plan or registering an account.
- Account security — IP-bound sessions, two-factor authentication, captcha checks, abuse rate limiting, script-execution logging for moderation: Art. 6(1)(f) GDPR. Legitimate interest: protecting our infrastructure, our paying users, and the Roblox experiences you target from credential theft, automated abuse, and exploit-class script content. Necessity: there is no less intrusive way to bind a session to a device or to gate sign-in against bot traffic without processing the IP address and a captcha token at the authentication point. Balancing: the data we process for these purposes (hashed IP, single-use captcha tokens, session identifier) is minimal, retained for short periods (see § 07), and is information you reasonably expect a SaaS to capture when you authenticate. You can object via Art. 21 GDPR; we will then weigh your specific situation against the security interest.
- Detecting and acting on Usage Rules violations — automated script analysis, the strike system, the community blacklist: Art. 6(1)(f) GDPR. Legitimate interest: enforcing the contractual terms you accepted, protecting third-party Roblox experiences from script abuse run through our platform, and complying with Roblox’s own Terms of Use that we are bound to as a platform that interacts with their service. Necessity: manual review of every script submission is not feasible at our throughput, but every automated flag is subject to human moderator review before any sanction is applied (see § 12). Balancing: a Roblox creator using our platform has a much stronger expectation than a random visitor would that we analyse the scripts they push to live servers — that’s the entire purpose of the service. The narrower interest of users who would prefer their malicious scripts not be flagged is not protectable.
- Payment processing — exchanging order metadata with our payment processor, issuing receipts, processing refunds: Art. 6(1)(b) GDPR for processing the order; Art. 6(1)(c) GDPR in conjunction with § 147 AO for the statutory retention of accounting records.
- Linking optional third-party accounts (Discord, Roblox): Art. 6(1)(a) GDPR — your consent, given when you initiate the OAuth flow. You may withdraw consent at any time by unlinking the account from your dashboard.
- AI-assistant message processing by third-party model providers: Art. 6(1)(b) GDPR when the assistant is part of the plan you purchased; otherwise Art. 6(1)(a) GDPR.
- Service-availability monitoring and Plausible analytics: Art. 6(1)(f) GDPR — our legitimate interest in maintaining and improving the service. We rely on the cookieless, no-personal-data design of Plausible to satisfy § 25(2) Nr. 2 TDDDG; see § 08.
- Email delivery (verification, password reset, security alerts): Art. 6(1)(b) GDPR for transactional messages tied to your account.
- Tax, accounting, and statutory record-keeping: Art. 6(1)(c) GDPR in conjunction with §§ 147, 257 HGB / AO.
- Defending legal claims: Art. 6(1)(f) GDPR — our legitimate interest in establishing, exercising, or defending legal claims, including retention of relevant evidence within the statute-of-limitation period.
§ 05 / is providing data required?
You are not legally obliged to provide us with personal data, but without certain data we cannot perform the contract:
- Without an email and password we cannot create or authenticate your account.
- Without payment-flow data we cannot process your purchase.
- Without script content we cannot execute the scripts you ask us to run.
- Without IP and session metadata we cannot keep your account secure or comply with anti-abuse obligations.
Linking a Discord or Roblox account, using the AI assistant, and publishing scripts to the community hub are all optional. If you do not provide that data the corresponding feature is simply unavailable, but the rest of the service continues to work.
§ 06 / processors and recipients
Pursuant to Article 13(1)(e) GDPR we disclose the recipients (or categories of recipients) of your personal data. We use the following processors. With each we have an Article 28 Data Processing Agreement in place; for processors located outside the European Economic Area, the transfer mechanisms identified below apply.
6.1 Hosting and infrastructure
- Hetzner Online GmbH (Gunzenhausen, Germany) — primary application hosting and database. EU/EEA — no third-country transfer.
- Cloudflare, Inc. (San Francisco, USA, with European edge points-of-presence) — TLS termination, CDN, DDoS protection, Workers, R2 object storage for desktop release binaries, Turnstile captcha. Recipient of: IP addresses, request headers, captcha tokens. Transfer mechanism: Cloudflare is certified under the EU-US Data Privacy Framework (DPF); Standard Contractual Clauses Modules 2 and 3 are incorporated into the Cloudflare Data Processing Addendum as a fallback.
6.2 Payment
- Pandabase, operated by Velta, LLC, a limited liability company organised under the laws of the State of Florida (Florida Document Number L22000456966), with principal place of business at 2125 Biscayne Blvd, Ste 204 #8101, Miami, FL 33137, United States. Production data is processed in data centres in Ashburn, Virginia, United States.
Service: payment processing (cards, digital wallets, regional methods). Pandabase acts as our processor under a Data Processing Addendum dated 9 March 2026. Categories of personal data processed (per Section 3 of that DPA): buyer name, email, billing address, IP address, payment-method details, purchase history, plus device/browser/timestamp metadata. Transfer mechanism: Standard Contractual Clauses per Commission Implementing Decision (EU) 2021/914, incorporated by reference into the Pandabase DPA. Pandabase publishes its sub-processor list inside its DPA and undertakes (Section 5) to give us at least 30 days’ notice before engaging any new sub-processor. The current Pandabase DPA is available at pandabase.io/legal/dpa.
6.3 AI model providers
When you use the AI assistant, the prompt and the script context you select are sent to whichever model you choose:
- GLM-5.1 (self-hosted by us) — the default free model. We operate our own GLM-5.1 inference server on infrastructure we control located in Bangladesh. Because we are the operator of this server, the GLM endpoint is not a third-party processor within the meaning of Art. 28 GDPR; it is our own internal processing carried out on our own hardware in a third country. We do not retain any GLM request, prompt, or response logs on the GLM server itself. The short Redis cache described in § 03.6 (in our primary EU infrastructure) is the only place an in-flight conversation is held, and it expires within one hour. Bangladesh is not a country covered by an EU adequacy decision under Art. 45 GDPR; the legal basis for this transfer is Art. 49(1)(b) GDPR — the transfer is necessary for the performance of the contract concluded with you at your request (your use of the AI assistant feature you selected).
- Anthropic, PBC (San Francisco, USA) — Claude model family (Haiku, Sonnet, Opus). Recipient of: your prompt and selected script context. Anthropic’s default API log retention is 7 days. Transfer mechanism: Anthropic is certified under the EU-US Data Privacy Framework; SCC Module 2 is incorporated into the Anthropic DPA as a fallback. Sub-processor: Google Cloud Platform (TPU inference).
- Mistral AI (Paris, France) — Devstral model. EU/EEA — no third-country transfer.
6.4 Email
- Resend, Inc. (United States) — transactional email delivery (verification, password reset, security alerts, order receipts). Recipient of: your email address, the message contents we sent. Transfer mechanism: Resend is certified under the EU-US Data Privacy Framework; SCCs in the Resend DPA as a fallback.
6.5 Identity and verification
- Discord, Inc. (United States) — Discord OAuth login (if you choose to use it), Discord-bot support tickets, security-alert notifications. Recipient of: Discord user ID, Discord username, content of any support exchange you initiate via Discord. Transfer mechanism: SCCs.
- Roblox Corporation (United States) — Roblox username/ID lookup when you link a Roblox account, and read-only API queries against Roblox public endpoints. Recipient of: Roblox user ID, requested experience IDs. Transfer mechanism: Roblox is certified under the EU-US Data Privacy Framework.
- ip-api.com (operated by John Street Consulting Ltd., United Kingdom) — IP-based country and ASN lookup used to verify that incoming HTTP traffic from Roblox in-game servers originates from a Roblox data centre. Recipient of: the IP address being queried (which is the IP of the Roblox server, not yours as a user). Transfer mechanism: the United Kingdom benefits from a Commission adequacy decision under Art. 45 GDPR (UK adequacy decision in force until June 2031), so no additional safeguard is required.
6.6 Analytics
- Plausible Analytics (operated by Plausible Insights OÜ, Estonia) — self-hosted on EU servers. No personal data leaves our infrastructure for analytics; no cookies.
6.7 Security
- VirusTotal (operated by Google LLC, United States) — malware scanning of desktop release binary hashes. Recipient of: SHA-256 hashes and (where we choose to publish them) binary samples of our own desktop builds. We do not submit any user-uploaded files to VirusTotal. Transfer mechanism: Google is certified under the EU-US Data Privacy Framework.
We do not sell, rent, or otherwise commercialise your personal data. We may disclose data to public authorities where compelled to do so under a binding legal order issued by a competent German or EU body.
§ 07 / retention
We keep personal data only for as long as we need it for the purposes set out in § 04 or as long as we are legally required to. Specific retention periods:
- Account data — for as long as your account exists. Following account deletion, the live record is removed within 30 days; encrypted backups are overwritten on the next rotation cycle (no longer than 90 days).
- Sessions — automatic deletion 3 days after creation (or 31 days if you ticked “remember me”).
- Email-verification codes — automatic expiry after 1 hour.
- Login OTP / password-reset codes — automatic expiry after 10 minutes.
- Captcha sessions — automatic expiry after 10 minutes.
- AI in-flight conversation cache (Redis) — automatic expiry after 1 hour. Third-party model providers may retain their own copies under their own policies (Anthropic: 7 days at time of writing; Mistral AI: see provider’s policy). Our self-hosted GLM-5.1 server retains no logs of prompts or responses.
- Server diagnostic logs — 7 days, then deleted.
- Script-execution logs and chat messages — kept for as long as the account exists and for a reasonable period afterwards (typically 12 months) for moderation and security purposes. Where a strike or blacklist record references a specific script, that record is retained for the limitation period applicable to any related claim.
- Strike, ban, and blacklist records — retained for the duration of the regular limitation period (3 years from the end of the year in which the violation occurred, § 195, § 199 BGB) plus a buffer to allow for appeals.
- Accounting and tax records (invoices, receipts, payment confirmations) — 10 years as required by § 147 AO and § 257 HGB.
- Other contractual correspondence — up to 6 years (§ 257(4) HGB).
Where retention is required by law we restrict processing of the affected data to that legal purpose and otherwise keep it isolated from active service use.
§ 08 / cookies and device storage (TDDDG § 25)
Storing information on, or accessing information already stored on, your terminal device is governed by § 25 of the German Telecommunications and Telemedia Data Protection Act (TDDDG). We use only the following storage, all of which is strictly necessary for a service that you have explicitly requested and is therefore covered by § 25(2) Nr. 2 TDDDG:
- jwt (browser localStorage) — your authentication token. Without it you cannot stay logged in.
- user (browser localStorage) — a cached copy of your account profile so the dashboard renders without a round-trip on every navigation.
- theme and a small number of UI-preference keys (browser localStorage) — your chosen colour scheme and editor layout, used purely on your own device.
- Short-lived captcha session keys (set by Cloudflare Turnstile to prevent automated abuse during login).
We do not use advertising cookies, cross-site tracking pixels, social-media plug-ins that load before consent, or any third-party tag manager. Plausible Analytics is configured in cookieless mode; it does not store or read information on your terminal device and therefore does not require consent under § 25 TDDDG.
§ 09 / international data transfers
Several processors named in § 06 — and our own GLM-5.1 inference server — are located outside the European Economic Area. Pursuant to Articles 44–49 GDPR we rely on the following transfer instruments:
- EU-US Data Privacy Framework (DPF) for processors self-certified under the framework operated by the U.S. Department of Commerce — currently Cloudflare, Anthropic, Resend, Roblox, and Google (for VirusTotal).
- Standard Contractual Clauses (SCC) per Commission Implementing Decision (EU) 2021/914 — incorporated into each processor’s Data Processing Agreement (most notably Pandabase, see § 06.2). For DPF-certified processors the SCCs additionally serve as a fallback if the DPF is annulled, suspended, or determined inapplicable to that processor.
- Article 49(1)(b) GDPR derogation for our own self-hosted GLM-5.1 inference server in Bangladesh — the transfer of your prompt and selected script context to that server is necessary to perform the AI-assistant service you have explicitly requested at the point of use, and we operate the server ourselves so no third-party processor relationship exists.
You can request a copy of the SCCs in force for any specific processor by emailing [email protected].
§ 10 / your rights
You have the following rights under the GDPR:
- Right of access (Art. 15 GDPR) — to confirm whether we process personal data about you and obtain a copy of that data plus the information set out in Art. 15(1)(a)–(h).
- Right to rectification (Art. 16 GDPR) — to have inaccurate data corrected and incomplete data completed.
- Right to erasure / right to be forgotten (Art. 17 GDPR) — to have your personal data deleted, subject to the statutory exceptions (in particular our retention obligations under § 147 AO and § 257 HGB and the moderation interest in § 04).
- Right to restriction of processing (Art. 18 GDPR).
- Right to data portability (Art. 20 GDPR) — to receive your account-and-content data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
- Right to object (Art. 21 GDPR) — at any time, based on grounds relating to your particular situation, to processing carried out on the basis of Art. 6(1)(f).
- Right to withdraw consent (Art. 7(3) GDPR) at any time, where processing is based on Art. 6(1)(a) consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right not to be subject to automated decision-making (Art. 22 GDPR) — see § 12 below.
To exercise any of these rights, write to [email protected]. We will respond without undue delay, and in any event within one month of receipt of your request (extendable by two further months for complex or numerous requests, in which case we will inform you within the first month).
§ 11 / right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, you have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority — in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
For Germany, the competent authorities are the data-protection authorities of the federal states (Landesbeauftragte für den Datenschutz) and, for cross-border cases, the Federal Commissioner for Data Protection and Freedom of Information (BfDI). A directory is published at bfdi.bund.de.
§ 12 / automated decision-making and profiling
We do not subject you to decisions producing legal or similarly significant effects based solely on automated processing within the meaning of Art. 22 GDPR.
We do operate automated abuse-detection systems (script analysis for malicious code patterns, rate limiting, geo-IP checks on suspicious sign-ins, automated flagging of script content for human moderator review). These systems do not by themselves issue strikes, bans, or refusals. Where such a system flags activity, a human staff member reviews the flag before any account-level consequence is applied.
§ 13 / users under the age of 18
Exoliner is directed at users who are at least 18 years old, or at least 16 years old with verifiable consent of the holder of parental responsibility. The 18-year baseline reflects German contractual capacity rules (§ 2 BGB) and the 16+parental-consent threshold reflects valid consent to information-society services under Article 8 GDPR (Germany has not lowered the GDPR threshold below 16).
If you are 16 or 17 you may use the service only with the prior consent of the holder of parental responsibility, who must accept these terms on your behalf. If we become aware that we have processed personal data of a person under 16 without verifiable parental consent we will delete the data without undue delay. Parents or guardians who believe a child under their care has registered without their consent should write to [email protected].
§ 14 / security
We apply technical and organisational measures appropriate to the risk of the processing, in line with Art. 32 GDPR: TLS encryption for all transport, salted bcrypt for password storage, AES-GCM encryption for 2FA secrets and other sensitive records, salted IP hashing for session binding, role-based access control for our internal staff tooling, audit logs for moderator actions, dedicated EU-located primary infrastructure, and encrypted, EU-located backups on a rotating retention schedule.
If we become aware of a personal-data breach likely to result in a risk to your rights and freedoms we will notify the competent supervisory authority within 72 hours pursuant to Art. 33 GDPR and notify affected individuals where required by Art. 34 GDPR. To report a vulnerability to us see our Security page.
§ 15 / changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our processing, our processors, or the law. The date of the most recent revision is shown at the top of this page. Substantive changes will be notified to active account holders by email at least 30 days before they take effect; you may object and terminate your account during that notice period.
§ 16 / contact
For all questions about this Privacy Policy, your rights, or our processing activities:
- Data protection: [email protected]
- General support: [email protected]
- Security: [email protected]
- Legal: [email protected]