Legal
Privacy Policy
Last updated: April 22, 2026
1. Who we are
KrulHub is a script hosting and obfuscation service for Roblox executor users. We do not operate as a registered business entity. This policy describes what data the service collects, why, and how long it is retained.
2. What we collect
Different features collect different data. Nothing here is collected for analytics, profiling, or sale.
Public scripts (no login)
- Anonymous hit counter — per-script request count and daily run total. No user identity is attached to the counter itself.
- Cloudflare request metadata — IP, timestamp, and datacenter are handled by Cloudflare's edge per their own privacy policy. KrulHub does not log per-request IPs for public script fetches.
Discord login (optional, required for the user obfuscator)
- Discord account data — your Discord user ID, username, and avatar hash are obtained via Discord OAuth when you sign in at
/obfuscate. Used only to identify your session and to check membership in the KrulHub Discord server.
- Session token — an opaque random token is generated and stored server-side for the duration of your login window.
- Your obfuscated scripts — when you use the obfuscator, the input Lua and resulting output are saved to your per-account slots so you can retrieve them later. Scripts are keyed to your Discord ID and are not visible to other users.
Ro-Clothes community submissions
- Submitted bundles — when you press "Submit Bundle" in the Ro-Clothes Roblox script, the submission contains the bundle payload, your Roblox UserId, your Roblox display name, your script version, the request IP, and a timestamp. This is held in the moderation queue until reviewed.
- Approved bundles — if an approved bundle is published to the community library, the submitter's UserId and display name remain attached to the submission record (the published chunk itself contains only the bundle data, not submitter fields).
Real-time avatar sync (opt-in)
- Per-server state — if you enable Avatar Sync in the Ro-Clothes script, your Roblox UserId, display name, current bundle, script version, Roblox placeId, and Roblox jobId (server instance UUID) are published to a short-lived endpoint so other opted-in users in the same server can render your bundle. State is ephemeral and expires 300 seconds after your last publish.
Moderation & administration
- Roblox UID ban list — stored only when an administrator bans a user for abuse of submission or avatar-sync endpoints.
- Admin action log — administrator IP, action name, and timestamp are recorded when a privileged action is performed (script rename, chunk upload, submission approve/reject, etc.).
We do not collect device fingerprints, run-time telemetry from scripts, or any analytics beyond what is listed above.
3. Why we collect it
- Hit counter — to display script popularity indicators on the homepage.
- Discord account data — to authenticate the user obfuscator and verify community membership. No Discord data is used for anything else.
- User obfuscator scripts — so you can recall previous obfuscation outputs across sessions.
- Submitted bundles — to moderate community content and publish approved bundles.
- Avatar sync state — to let other opted-in users in the same Roblox server render your bundle in real time.
- Ban list — to enforce UID-level bans against abuse.
- Admin action log — administrative accountability and abuse investigation.
4. How long we keep it
- Hit counter — stored indefinitely as aggregate counters; no per-request logs.
- Discord session — expires and is deleted when you log out or when the session token's TTL elapses.
- User obfuscator scripts — retained per account until you delete them or ask for removal. A small number of recent slots are kept; older outputs are overwritten.
- Submitted bundles — pending submissions are retained until reviewed. Approved submission records are retained indefinitely (linked to published community chunks). Rejected and spam-marked submissions are retained for audit.
- Avatar sync state — 300 seconds after your last publish. Refreshed on every publish; auto-deleted when you stop publishing.
- Ban list — until manually lifted by an administrator. Temporary auto-bans (e.g. for submission spam) expire on their own TTL.
- Admin action log — 30 days.
5. Who can access it
Submission contents, the ban list, and admin logs are accessible only to administrators holding the operator's admin token. Your own Discord session and user-obfuscator scripts are scoped to your Discord ID and are not visible to other users. Avatar-sync entries are visible to anyone who knows a given Roblox placeId:jobId pair — in practice, only users inside that specific Roblox server instance. No data is sold, shared, or disclosed to third parties.
6. Third-party services
- Cloudflare — Workers, KV, and R2 host the entire service. Cloudflare may log request metadata (IP, timestamp, datacenter) per their policy.
- Discord — used for OAuth login and community membership checks. Your Discord account data is governed by Discord's own privacy policy.
- Roblox — the avatar-sync feature fetches Roblox user and asset thumbnails and (for moderation previews) temporarily creates/deletes outfit entries on bot accounts owned by the operator. No end-user Roblox credentials are ever requested or stored.
7. Cookies & browser storage
kh_session — set when you sign in via Discord. HttpOnly, Secure, SameSite=Lax. Holds an opaque session token only; cleared on logout or when it expires.kh_oauth_init — short-lived anti-CSRF cookie set only during the Discord OAuth redirect flow. Deleted immediately after login completes.- sessionStorage (admin dashboard) — holds the admin Bearer token for the current browser tab. Cleared when the tab closes.
No tracking or analytics cookies are set.
8. Your rights & data removal
You can delete your own user-obfuscator scripts directly from the obfuscator portal. For removal of a submitted Ro-Clothes bundle, a community publish record, or your Discord session data, contact the operator via the KrulHub Discord server. Avatar-sync state requires no action — disable the toggle in the script and it expires within 300 seconds.
9. Security
All public and admin endpoints are rate-limited. Admin routes require a secret Bearer token. Public scripts are obfuscated and encrypted server-side, with per-request keying for the stub. All data is stored in Cloudflare KV or R2 with no external database. Traffic is TLS-only.