Privacy

No telemetry. No analytics.
No payloads off-box.

Roster's privacy policy fits in a footnote. Here's the long version anyway, so there's nothing to argue about later.

Effective: 19 May 2026 · Version 1.1 · Publisher: The Roster Project · Governing law: Commonwealth of Australia (does not displace your local mandatory consumer protections)

The short version

Roster does not collect, log, or transmit any information about you, the accounts you load into it, the games you launch, or how you use the app. The application would still work if you firewalled it from everything except Roblox.

By default Roster contacts only three outbound destinations (a fourth is added only if you turn on the optional, opt-in bandwidth sharing for extra accounts described below):

  1. Roblox's web API, to refresh your accounts. Same hosts your browser would hit.
  2. The Roster update channel (GitHub Releases), to check whether a newer version exists.
  3. The Roster licensing endpoint (api.accountroster.com), only if you buy Plus or Pro: once to bind your licence to a machine, then once per day to re-issue a fresh signed licence file. After that, all licence verification is local.

The Free and Plus tiers additionally show two first-party ad placements: a banner in the workspace side rail (rendered continuously while you're in the app) and a single video ad before each Roblox launch. Both are loaded inside an embedded Microsoft WebView2 surface against pages served from our own site (accountroster.com) - Roster's own promotions and placements from sponsors we partner with directly. No third-party ad network or tracking SDK is involved; rendering a placement contacts only accountroster.com, which sees the same standard HTTP context any web request carries (your IP address and user-agent). If you click a sponsor's placement, it opens that sponsor's website in your default browser, where that sponsor's own privacy policy governs what they collect. Pro removes both placements.

If you use the in-app cookie-capture sign-in flow, Roster also embeds Microsoft's WebView2 component to render Roblox's official login pages locally. WebView2 is a Microsoft-controlled rendering engine and is bound by Microsoft's own privacy disclosures for the embedded browser process. We use it only to load roblox.com and the OAuth pages it redirects to; we don't ship any analytics on top of it.

What stays on your machine

Everything that's "your data" lives in %LOCALAPPDATA%\Roster and never leaves it unless you explicitly export it:

  • Your account list, usernames, aliases, notes, and per-account settings.
  • The encrypted vault (DPAPI + optional Argon2id).
  • The refresh log and audit log.
  • Window-layout presets, group memberships, private-server links.
  • Per-account playtime sessions.
  • Your master password, only as an Argon2id-derived key, only in process memory, only while the vault is unlocked.

No cloud sync. No "anonymous usage statistics that turn out not to be anonymous." No crash pings. If Roster crashes, the crash dump is written to disk and you can mail it to us if you want; we don't pull it.

What touches the network

1 / Roblox APIs

For each account in the vault, Roster's refresh loop calls Roblox's web API on that account's behalf. These are the same authenticated endpoints the official site uses, with the cookie from the vault attached. We never proxy game-server traffic and never touch the game client's own sockets.

2 / Update channel

On an hourly cadence, Roster checks GitHub Releases for the project to see if a newer version is available. The request is unauthenticated. GitHub may log standard server-access information (IP, user-agent) under their own policy; we don't operate that endpoint and we don't see those logs.

3 / Licensing endpoint (Plus and Pro)

If you buy Plus or Pro, the desktop app talks to our licensing endpoint in two distinct ways:

  • Activation - each time you paste your activation code on a machine. The call sends your code and a hardware fingerprint hash derived from stable Windows identifiers (a hash, not the raw values), and the server returns an Ed25519-signed licence token bound to that fingerprint. If your licence was previously bound to a different machine, the server rebinds it to the new one. The previous machine's daily refresh will then come back as 410 Gone, and that machine drops to the free tier on its own.
  • Daily refresh - once per day after activation, the app sends your customer ID plus the fingerprint hash and receives a re-issued licence token with a fresh expiry. This is what lets the app keep working through a renewal cycle without you doing anything.

Roster writes the signed token to %LOCALAPPDATA%\Roster. Between refreshes the app verifies the token entirely offline; you can take a machine off the network for a full renewal cycle and your licence keeps working. The fingerprint-binding is why copying the token to another machine doesn't work: the signature is over the fingerprint. Lifetime grants skip the daily refresh entirely.
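The offline check described above, sketched as an added example (this is not Roster's code). The token layout, claim names and the in-process key pair are assumptions made for illustration; only Ed25519 signing over the fingerprint hash comes from this page.

```javascript
const { generateKeyPairSync, sign, verify } = require("crypto");

// Constructed key pair standing in for the licensing server's signing key.
// Only the public half would need to ship inside the desktop app.
const { publicKey, privateKey } = generateKeyPairSync("ed25519");

// Server side (hypothetical format): the signed payload includes the fingerprint hash.
function issueToken(customerId, fingerprintHash, expiresAtMs) {
  const payload = Buffer.from(
    JSON.stringify({ customerId, fingerprintHash, expiresAtMs })
  );
  const signature = sign(null, payload, privateKey); // Ed25519 takes no digest name
  return payload.toString("base64") + "." + signature.toString("base64");
}

// Client side, fully offline: needs only the public key, this machine's
// fingerprint hash and the local clock.
function verifyToken(token, localFingerprintHash, nowMs) {
  const parts = token.split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const payload = Buffer.from(parts[0], "base64");
  const signature = Buffer.from(parts[1], "base64");
  // Verify before parsing, so unsigned bytes never reach JSON.parse.
  if (!verify(null, payload, publicKey, signature)) {
    return { ok: false, reason: "bad-signature" };
  }
  const claims = JSON.parse(payload.toString("utf8"));
  if (claims.fingerprintHash !== localFingerprintHash) {
    return { ok: false, reason: "wrong-machine" };
  }
  if (nowMs >= claims.expiresAtMs) return { ok: false, reason: "expired" };
  return { ok: true, reason: "valid" };
}

// Rewrite one claim while keeping the original signature (tamper test case).
function withClaim(token, key, value) {
  const [p, s] = token.split(".");
  const claims = JSON.parse(Buffer.from(p, "base64").toString("utf8"));
  claims[key] = value;
  return Buffer.from(JSON.stringify(claims)).toString("base64") + "." + s;
}
```

A token copied unchanged to another machine fails the fingerprint comparison, and one edited to carry the new machine's hash fails the signature check.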

4 / Extra accounts (opt-in bandwidth sharing)

Off by default. Nothing in this section happens unless you choose it. On the Free and Plus tiers you may opt into sharing a little idle bandwidth to unlock 2 extra accounts (raising the free-tier cap from 3 to 5). In exchange, Roster shares a small amount of your connection's idle bandwidth as a residential peer on the Bright Data network, using the Bright SDK. This does not remove ads - you'll still see the two ad placements whether or not you enable it; only Pro removes ads.

How the consent works:

  • Explicit, separate opt-in. Bright SDK shows its own consent screen describing exactly what is shared. Nothing is shared until you press agree on that screen; declining (or simply never enabling bandwidth sharing) leaves the feature completely inert.
  • 18+ only. The option is offered only to users who recorded a date of birth of 18 or older at first run.
  • Opt out anytime. Toggle bandwidth sharing back off in Settings, or use the SDK's own opt-out. Sharing stops immediately and your free-tier cap returns to 3.
  • Lifecycle-bound. Sharing only runs while Roster is open; it stops when you close the app. There is no always-on background service left running.
  • What Bright Data sees. Per Bright SDK's disclosures, the only data retained to document your consent is your IP address, stored to evidence the opt-in under GDPR/CCPA. Bright SDK does not read your Roblox data, your vault, or your activity in Roster; it routes third-party public-web requests through your connection's idle capacity. Bright Data's own practices are governed by its privacy policy.

If you never enable bandwidth sharing, the Bright SDK never initializes and none of the above applies.

If you pay for Plus or Pro

The billing system runs on Whop. Whop receives your payment details directly and is the merchant of record; Roster's servers never see card information. The information Roster's billing backend keeps in its own KV store is the minimum to make subscriptions work:

  • Your email address (forwarded by Whop on successful checkout, so we can send the activation code).
  • A Whop customer/membership ID (so renewals work).
  • Subscription tier, status, and the next renewal date Whop reports.
  • The hardware fingerprint hash of the machine you've bound your licence to, and the activation timestamp.

Notably absent: any Roblox account information (your Roblox usernames are not sent to the billing system), any usage data, and any device information beyond the opaque fingerprint hash.

Aggregate server-side counters

We keep daily aggregate counts of requests our own servers were going to receive anyway: how many machines loaded the Free/Plus ad pages on a given day, how many paid licences performed their daily refresh, and how many times the installer was downloaded through this website's download button. This counting happens entirely on our servers; it adds nothing to what the app transmits, and the app remains telemetry-free.

To avoid counting the same machine twice in one day on the ad pages, we hash the request's IP address and browser user-agent together with the current date. The hash rotates every day, cannot be reversed back into an IP address, and the raw IP is never stored. Paid refresh events are keyed by a one-way hash of the internal customer ID. No names, email addresses, Roblox accounts, or hardware fingerprints enter the metrics dataset, and nothing in it can reconstruct an individual's history.
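A sketch of daily-rotating de-duplication of the kind described above, added here as an example and not taken from Roster's servers. The page says only that IP, user-agent and date are hashed together; the per-day random HMAC key held in memory and discarded at rollover is an assumption of this sketch, chosen because an unkeyed hash over the small IPv4 space could be recomputed by enumeration. The class and method names are hypothetical.

```javascript
const { createHmac, randomBytes } = require("crypto");

// Hypothetical counter: one random key per UTC day, held only in memory.
class DailyUniqueCounter {
  constructor() {
    this.day = null;        // "YYYY-MM-DD" currently being counted
    this.key = null;        // per-day secret, dropped at rollover
    this.seen = new Set();  // today's visitor tokens
    this.totals = {};       // day -> unique count (the only data retained)
  }

  rollTo(day) {
    if (day === this.day) return;
    if (this.day !== null) this.totals[this.day] = this.seen.size;
    this.day = day;
    this.key = randomBytes(32); // old key is gone, so old tokens cannot be re-derived
    this.seen = new Set();
  }

  // Token for one request; the raw IP and user-agent are never stored.
  tokenFor(ip, userAgent, nowMs) {
    const day = new Date(nowMs).toISOString().slice(0, 10);
    this.rollTo(day);
    // Length-prefix the IP so field boundaries stay unambiguous.
    return createHmac("sha256", this.key)
      .update(`${day}|${ip.length}:${ip}|${userAgent}`)
      .digest("hex");
  }

  // Returns true the first time a given IP + user-agent is seen on a day.
  record(ip, userAgent, nowMs) {
    const token = this.tokenFor(ip, userAgent, nowMs);
    const isNew = !this.seen.has(token);
    this.seen.add(token);
    return isNew;
  }

  uniquesToday() {
    return this.seen.size;
  }
}
```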

What we will never do

  • Add product analytics to the desktop app, even "anonymous" ones. The app sends nothing about how you use it; the only counting that exists is the aggregate server-side counters described above.
  • Add crash telemetry that uploads automatically.
  • Sell, share, or rent your email address.
  • Phone home from a paid install for any reason after the one-time activation, beyond the daily licence refresh.
  • Use cookies on this website. There are no cookies. There is no JavaScript that talks to a third party.
  • Integrate any third-party advertising, analytics, or bandwidth-sharing SDK in the desktop app that runs without your choice. The Free/Plus ad surfaces are first-party - they load our own pages and embed no third-party ad SDK. The only bundled SDK of this kind is the Bright SDK that powers the opt-in bandwidth sharing for extra accounts (inert unless you turn it on), and it does nothing on the Pro tier. (Microsoft's WebView2 is a Windows rendering component - it hosts the Roblox sign-in flow and, on Free/Plus, the two first-party ad surfaces - and is not itself an advertising or analytics SDK.)

Your rights, briefly

For the Free tier, Roster doesn't hold personal data on its servers, so the rights you'd ordinarily exercise under GDPR, CCPA, or your local equivalent don't have much to attach to. The vault is on your machine; you delete it by uninstalling.

For Plus and Pro, the personal data we hold is your email address, your Whop customer/membership ID, and the hardware fingerprint hash of the machine you've bound your licence to. You can ask us to delete that record at any time (which will also deactivate the licence). Email [email protected]. We'll do it within 30 days and confirm in writing.

If you're on the Free or Plus tier and you click a sponsor's placement, what that sponsor does once you're on their website is covered by their own privacy policy.

If you turned on the opt-in bandwidth sharing for extra accounts, your consent is recorded by Bright SDK (your IP address is retained solely to evidence that opt-in under GDPR/CCPA) and is revocable at any time by turning bandwidth sharing off in Settings.

Changes to this policy

If we ever change this policy in a way that affects what Roster does or does not transmit, we will announce the change in the next release's changelog, bump the major version of the application, and require explicit re-consent on first launch after the update. There is no scenario in which Roster begins transmitting new information about you without you noticing.

Contact

For anything privacy-related: [email protected]. Read by one person, usually within 24 hours.