Skip to content

Privacy Policy

This Privacy Policy explains how Bloxed.gg collects, uses, and protects your personal data, and the rights you have.

Bloxed.gg ("the Platform") is operated by Opinify AB ("we", "us", "our"), a company registered in Sweden. This Privacy Policy describes how we collect, use, store, and protect your personal data when you use our Platform.

We process your data in accordance with the General Data Protection Regulation (GDPR) and applicable Swedish data protection laws.

By using the Platform, you acknowledge that you have read and understood this Privacy Policy.

The data controller responsible for your personal data is Opinify AB, a company registered in Sweden. You can reach us for data protection inquiries through our Contact page.

When you create an account, you sign in with Roblox using Roblox's official OAuth 2.0 service. We receive limited profile information from Roblox: your Roblox user ID, username, display name, and avatar URL. Roblox does not share your email address with us by default. We do not receive or store your Roblox password. Authentication is handled entirely by Roblox.

You may optionally add an email address to your Bloxed.gg account for security alerts and account recovery. We also store your email verification status and a timestamp of when you last signed in.

When you use the Platform, we may store your favorites (games, codes, items), trade advertisements, code submissions, comments, notifications, code votes, account activity history, and language preference. These are associated with your account and, where appropriate, displayed publicly alongside your Roblox display name and avatar.

When you sign in, we create a session record that includes your user agent string (browser and device info), IP address, and a human-readable device name. This data enables the "Active Devices" feature so you can see and revoke sessions on other devices. Sessions expire after 30 days.

When you sign in or take audited account actions (such as email changes, sign-ins from new devices, or role changes), we record your IP address, User-Agent string, and approximate country derived from the IP. This information is used to protect your account, detect fraud, and investigate abuse. The legal basis for this processing is legitimate interest under Article 6(1)(f) GDPR.

We store your cookie consent choices and communication preferences. We use cookies and similar technologies as described in our Cookie Policy.

We use your personal data to provide and operate the Platform. This includes creating and managing your account, displaying your favorites, trade ads, and code submissions, recording your code votes, and delivering notifications.

We may apply account restrictions (muting, banning, or role changes) when content or activity violates our Terms of Service. Restrictions are recorded with a reason and a moderator identifier so we can review and reverse them on appeal.

We analyze usage patterns via Cloudflare Web Analytics, a privacy-focused service that does not use cookies and does not collect personal data, to improve functionality, performance, and user experience.

We display advertisements through Google AdSense. Google may use cookies to serve ads based on your prior visits to our Platform or other websites. AdSense is loaded only when you consent to marketing cookies; otherwise non-personalized ads are served. See our Cookie Policy for the full breakdown.

We send essential service notifications such as account security alerts and Terms changes. Any future marketing communications will only be sent with your explicit opt-in consent.

We detect and prevent spam, abuse, fake code submissions, and unauthorized access. This includes rate limiting, minimum content length requirements, and automated detection measures.

We fulfill our legal obligations under applicable laws and respond to lawful requests from authorities.

We do not sell your personal data. We never have and never will.

We may share limited data with service providers who are bound by data processing agreements. Cloudflare provides our hosting, CDN, DDoS protection, and database infrastructure. Cloudflare processes requests globally but does not use your data for their own purposes beyond providing the service. Roblox processes your authentication data during the OAuth sign-in flow according to Roblox's own privacy policy. We only receive the profile data described above. Google AdSense processes advertising data as described in their privacy policy.

Cloudflare Web Analytics processes aggregated, anonymized usage data. It does not use cookies, does not collect personal data, and does not track users across sites.

We may disclose your data if required by law, court order, or to protect the rights, safety, or property of Opinify AB, our users, or the public. If Opinify AB is involved in a merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your data becomes subject to a different privacy policy.

We use cookies and similar technologies to operate the Platform. For a detailed breakdown of each cookie we use, including its purpose and duration, please see our Cookie Policy.

In summary, we use essential cookies for authentication and security, functional cookies for your language preference, vote dedup, and dismissed banners, and marketing cookies for referral tracking and Google AdSense. Our analytics do not use cookies.

We retain your personal data only as long as necessary for the purposes described in this Privacy Policy.

Account data is retained for as long as your account is active. We use soft deletion - upon account deletion, your data is marked as deleted and permanently removed within 30 days.

Published content (trade ads, code submissions, comments) remains on the Platform while your account is active. Upon account deletion, this content is either deleted or anonymized (author information removed) depending on its type and value to other readers. Comments and code submissions may be retained but displayed as authored by "Deleted user".

Active sessions, including device info and IP address, are retained for up to 30 days or until revoked. Revoked sessions are cleaned up within 30 days.

Security-related information, including IP addresses and User-Agent strings on refresh tokens and audited account events, is retained for up to 90 days. After 90 days IP addresses are deleted or anonymized; non-identifying device metadata (approximate country, device label) may be retained for the "Active Devices" interface while your account is active.

Email verification codes expire automatically and are single-use. IP-based security logs for rate limiting and abuse detection are retained for up to 90 days.

You may request deletion of your data at any time (see Your Rights below).

When you delete your Bloxed.gg account:

  • Immediately: Your account is hidden across the entire site. Other users will see you as "Deleted user" on any comments or contributions you've made. You are logged out on every device, and any email verification codes are removed.

  • 30-day grace period: Your data is preserved for 30 days so you can change your mind. Sign back in with the same Roblox account within that window and everything will be restored - your favorites, trade ads, comments, notifications, and activity history.

  • After 30 days: We permanently anonymize your personal information - email address, country, locale, and all scraped Roblox profile data (username, display name, avatar, stats). Your private data (favorites, notifications, trade ads, activity logs, IP records) is permanently deleted.

  • What stays: Comments, code submissions, and support tickets you contributed remain on the site but display as authored by "Deleted user." We keep this content because it has value to other readers.

  • Permanent block: The Roblox identity you used to sign in is permanently blocked from creating a new Bloxed.gg account. If you want to return after the 30-day window, you must sign up with a different Roblox account.

Under the GDPR, you have the following rights regarding your personal data.

You can request a copy of the personal data we hold about you, including your account data, favorites, trade ads, comments, votes, session history, and consent preferences (Article 15). You can request correction of inaccurate or incomplete data, or update your display name and preferences directly in your account settings (Article 16).

You can request deletion of your personal data (Article 17). We will comply unless we have a legal obligation to retain it. You can request your data in a structured, commonly used, machine-readable format (Article 20).

You can request that we restrict processing of your data in certain circumstances (Article 18). You can object to processing based on legitimate interests, and we will cease processing unless we have compelling legitimate grounds (Article 21).

Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. You can manage cookie consent via our cookie banner and communication preferences in your account settings.

To exercise any of these rights, contact us at [email protected] or through our Contact page. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local data protection authority.

The Platform is hosted on Cloudflare's global network, which means your data may be processed in countries outside the European Economic Area (EEA). Cloudflare maintains EU-adequate data protection measures and participates in approved transfer mechanisms.

Roblox (operated by Roblox Corporation in the United States) processes authentication data outside the EEA during the OAuth sign-in flow. Google (Google AdSense) may also process advertising data outside the EEA. Both operate under their own data transfer safeguards.

We ensure that any international transfer of personal data is subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, or adequacy decisions where applicable.

The Platform is not intended for individuals under the age of 13, in line with Article 8 GDPR as implemented in Sweden. We do not knowingly collect personal data from children under 13. If we become aware that we have collected data from a child under 13, we will take steps to delete that data promptly.

If you believe a child under 13 has provided us with personal data, please contact us at [email protected] or through our Contact page.

We implement appropriate technical and organizational measures to protect your personal data, including:

  • OAuth-only authentication for public users - we use Roblox OAuth exclusively, so we never see, receive, or store user passwords.
  • All data is transmitted over HTTPS/TLS.
  • Authentication tokens are stored in httpOnly cookies, inaccessible to JavaScript.
  • Cloudflare provides DDoS mitigation, WAF, and bot management.
  • Account deletion is reversible within a grace period before permanent removal.
  • Internal access to personal data is restricted to authorized personnel on a need-to-know basis.

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security but will notify you and relevant authorities of any data breach in accordance with GDPR requirements.

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date and, where appropriate, notify you via a prominent notice on the Platform.

We encourage you to review this Privacy Policy periodically. Your continued use of the Platform after changes constitutes acceptance of the updated policy.

For legal inquiries, contact us at [email protected]