Privacy Policy

1. Who we are

KrulHub is an open-source script hosting platform for Roblox executor users, plus a self-service Lua obfuscation portal (/obfuscate) for users obfuscating their own scripts. We do not operate as a registered business entity. This policy describes what data the service collects, why, and how long it is retained.

2. What we collect

Different features collect different data. Nothing here is collected for analytics, profiling, or sale.

Public scripts (no login)

• Anonymous hit counter — per-script request count and daily run total. No user identity is attached to the counter itself.
• Cloudflare request metadata — IP, timestamp, and datacenter are handled by Cloudflare's edge per their own privacy policy. KrulHub does not log per-request IPs for public script fetches.

Discord login (optional, required for the user obfuscator)

• Discord account data — your Discord user ID, username, and avatar hash are obtained via Discord OAuth when you sign in at /obfuscate. Used only to identify your session and to check membership in the KrulHub Discord server.
• Session token — an opaque random token is generated and stored server-side for the duration of your login window.
• Your obfuscated scripts — when you use the obfuscator, the input Lua and resulting output are saved to your per-account slots so you can retrieve them later. Scripts are keyed to your Discord ID and are not visible to other users.

Ro-Clothes community submissions

• Submitted bundles — when you press "Submit Bundle" in the Ro-Clothes Roblox script, the submission contains the bundle payload, your Roblox UserId, your Roblox display name, your script version, the request IP, and a timestamp. This is held in the moderation queue until reviewed.
• Approved bundles — if an approved bundle is published to the community library, the submitter's UserId and display name remain attached to the submission record (the published chunk itself contains only the bundle data, not submitter fields).

Real-time avatar sync (opt-in)

• Per-server state — if you enable Avatar Sync in the Ro-Clothes script, your Roblox UserId, display name, current bundle, script version, Roblox placeId, and Roblox jobId (server instance UUID) are published to a short-lived endpoint so other opted-in users in the same server can render your bundle. State is ephemeral and expires 300 seconds after your last publish.

Diagnostics telemetry (opt-in, default off)

• Default OFF. Nothing is uploaded unless you explicitly enable "Send Anonymous Diagnostics" in the Ro-Clothes script's diagnostics panel. Disabling clears the pending queue.
• What is sent — event names (e.g. install.chunk_fail, hd.apply_throw, capture.spoof_detected), the script version (e.g. V4.3.520.0524), the executor name reported by identifyexecutor(), the platform class (Desktop / Mobile / Console / unknown), a UNIX timestamp, and small structured fields describing the error (e.g. file path, error code, durations, counts — capped at 4 KB per event).
• What is NOT sent — Roblox usernames or display names, chat content, anything you typed, accessory or catalog IDs you own, place names, the Roblox jobId, your IP, or any identifier that can link an event to a real person.
• Anonymous install ID — on first enable the script generates a random UUIDv4 ("install ID") and persists it locally in RClothesLerp/Settings.json. The install ID is NOT derived from your Roblox UserId, your Discord ID, or any account identifier; it only lets us tell that two events came from the same installation. You can rotate it by deleting Settings.json from your executor's workspace folder.
• Previewability — the script's "View Pending" button lists the exact events queued for upload before they are sent. Nothing is sent without your action.
• Storage — accepted events are stored in a Cloudflare R2 bucket keyed by date and install-ID prefix. Only KrulHub administrators can read them; aggregates rendered in the admin dashboard truncate the install ID to its first 8 characters.
• Local-only logs — a local diagnostic log at RClothesLerp/diagnostics.log is written regardless of the toggle for self-diagnostic purposes. The log never leaves your machine unless you copy it.

Moderation & administration

• Roblox UID ban list — stored only when an administrator bans a user for abuse of submission or avatar-sync endpoints.
• Admin action log — administrator IP, action name, and timestamp are recorded when a privileged action is performed (script rename, chunk upload, submission approve/reject, etc.).

We do not collect device fingerprints, automatic crash dumps, or any data tying telemetry to a real person. Diagnostics telemetry (above) is the only opt-in script-side data stream; it is disabled by default.

3. Why we collect it

• Hit counter — to display script popularity indicators on the homepage.
• Discord account data — to authenticate the user obfuscator and verify community membership. No Discord data is used for anything else.
• User obfuscator scripts — so you can recall previous obfuscation outputs across sessions.
• Submitted bundles — to moderate community content and publish approved bundles.
• Avatar sync state — to let other opted-in users in the same Roblox server render your bundle in real time.
• Diagnostics telemetry (opt-in) — to find and fix bugs in the Ro-Clothes script across executor / platform / version combinations we can't reproduce locally. Aggregates only; no per-user analysis.
• Ban list — to enforce UID-level bans against abuse.
• Admin action log — administrative accountability and abuse investigation.

4. How long we keep it

• Hit counter — stored indefinitely as aggregate counters; no per-request logs.
• Discord session — expires and is deleted when you log out or when the session token's TTL elapses.
• User obfuscator scripts — retained per account until you delete them or ask for removal. A small number of recent slots are kept; older outputs are overwritten.
• Submitted bundles — pending submissions are retained until reviewed. Approved submission records are retained indefinitely (linked to published community chunks). Rejected and spam-marked submissions are retained for audit.
• Avatar sync state — 300 seconds after your last publish. Refreshed on every publish; auto-deleted when you stop publishing.
• Diagnostics telemetry (opt-in) — raw R2 objects retained until manually purged by an administrator. Aggregates cached in KV expire after 5 minutes to 4 hours depending on the query window. You can stop further uploads at any time by toggling off the diagnostics switch in the script.
• Ban list — until manually lifted by an administrator. Temporary auto-bans (e.g. for submission spam) expire on their own TTL.
• Admin action log — 30 days.

5. Who can access it

Submission contents, the ban list, and admin logs are accessible only to administrators holding the operator's admin token. Your own Discord session and user-obfuscator scripts are scoped to your Discord ID and are not visible to other users. Avatar-sync entries are visible to anyone who knows a given Roblox placeId:jobId pair — in practice, only users inside that specific Roblox server instance. No data is sold, shared, or disclosed to third parties.

6. Third-party services

• Cloudflare — Workers, KV, and R2 host the entire service. Cloudflare may log request metadata (IP, timestamp, datacenter) per their policy.
• Discord — used for OAuth login and community membership checks. Your Discord account data is governed by Discord's own privacy policy.
• Roblox — the avatar-sync feature fetches Roblox user and asset thumbnails and (for moderation previews) temporarily creates/deletes outfit entries on bot accounts owned by the operator. No end-user Roblox credentials are ever requested or stored.

7. Cookies & browser storage

• kh_session — set when you sign in via Discord. HttpOnly, Secure, SameSite=Lax. Holds an opaque session token only; cleared on logout or when it expires.
• kh_admin — set when an operator signs into the admin dashboard. HttpOnly, Secure, SameSite=Strict. Holds a time-windowed derived token only; cleared on logout or after 8 hours.
• kh_oauth_init — short-lived anti-CSRF cookie set only during the Discord OAuth redirect flow. Deleted immediately after login completes.

No tracking or analytics cookies are set.

7.5. Global chat & direct messages

Anonymity: the chat layer is anonymous by design. We do not collect any personally identifiable information when you register a chat UID — no email, no real name, no Roblox UserId, no Discord ID. The 8-character UID you pick is the only public identifier; the secret you generate is stored on your machine and used only to sign your requests.

What we record: every message you send (global room and direct messages) is recorded server-side in a Cloudflare Durable Object's persistent storage. We keep them so other participants can read them, so moderators can review reports, and so the global ring can serve recent history to people who join mid-conversation. Each record contains: the message text, your UID, your chosen nickname at send time, and a UNIX timestamp.

Soft delete: when you delete one of your own messages, the text is blanked on the way out to other participants but a tombstone is retained server-side for moderation history.

Moderation access: the operator and any delegated moderators can read the full global ring, the full message history of any direct-message conversation, and the report queue. Moderators can temp-mute, hard-ban, wipe the global ring, or wipe a specific DM conversation.

Anti-spam metadata: per-UID send timing and sustained-volume counters are tracked in memory only; they are forgotten when the chat service restarts and are not written to persistent storage. The registration rate-limit counter is keyed by IP, scoped to one hour, and expires automatically.

Typing pings: a "typing" indicator is broadcast while you compose a message. It contains your UID and chosen nickname only and expires within seconds after you stop typing.

Reports: if you report another user's message, your UID, the reported message text, and your stated reason are added to a moderator-only queue capped at 200 entries (oldest dropped past that).

What we do NOT do: we do not link your chat UID to your Roblox UserId, to your Discord OAuth identity (if any), or to your IP address in any persistent store. IP is touched only at the rate-limit layer and is never written into a chat record.

Retention: messages persist until either you (for your own messages) or a moderator deletes them, or until the global ring rotates a message out the back of its capped buffer. Mod-issued temporary mutes expire automatically; hard bans persist until manually lifted.

8. Your rights & data removal

You can delete your own user-obfuscator scripts directly from the obfuscator portal. For removal of a submitted Ro-Clothes bundle, a community publish record, or your Discord session data, contact the operator via the KrulHub Discord server. Avatar-sync state requires no action — disable the toggle in the script and it expires within 300 seconds.

Diagnostics telemetry: toggle off the "Send Anonymous Diagnostics" switch in the Ro-Clothes script to stop further uploads — this is immediate. To delete telemetry already received, share the first 8 characters of your install ID (visible in the script's "View Pending" panel) with the operator on Discord and we will purge matching R2 objects. We don't have a way to map an install ID back to a person, so removal requests must come from the install owner.

Chat: you can soft-delete your own messages from inside the chat UI — the text is blanked for everyone immediately. For a hard delete (including removal of the tombstone), or for deletion of a full DM conversation, share your chat UID with the operator on Discord. We will only act on requests that come from someone who can sign with that UID's secret, since we have no other way to verify ownership of an anonymous UID.

9. Security

All public and admin endpoints are rate-limited. Admin routes require a secret Bearer token. Public scripts are open source and shipped from R2 with a per-request consent stub. All data is stored in Cloudflare KV or R2 with no external database. Traffic is TLS-only.

10. Contact

Questions or removal requests? Reach the operator through the KrulHub Discord server.