Roster's privacy policy fits in a footnote. Here's the long version anyway, so there's nothing to argue about later.
Effective: 15 May 2026 · Last updated: 17 May 2026
Roster does not collect, log, or transmit any information about you, the accounts you load into it, the games you launch, or how you use the app. The application would still work if you firewalled it from everything except Roblox.
There are three outbound destinations Roster ever contacts:
api.accountroster.com), only if you buy Pro: once to bind your licence to a machine, then once per day to re-issue a fresh signed licence file. After that, all Pro verification is local.Free tier additionally loads the AdsJumbo SDK for two ad surfaces: a banner in the workspace side rail (rendered continuously while you're in the app) and a single video ad before each Roblox launch. AdsJumbo's servers see your IP and whatever device/ad-context information the SDK reports. Pro removes both placements and never loads the SDK.
Everything that's "your data" lives in %LOCALAPPDATA%\Roster and never leaves it unless you explicitly export it:
No cloud sync. No "anonymous usage statistics that turn out not to be anonymous." No crash pings. If Roster crashes, the crash dump is written to disk and you can mail it to us if you want; we don't pull it.
For each account in the vault, Roster's refresh loop calls Roblox's web API on that account's behalf. These are the same authenticated endpoints the official site uses, with the cookie from the vault attached. We never proxy game-server traffic and never touch the game client's own sockets.
On an hourly cadence, Roster checks GitHub Releases for the project to see if a newer version is available. The request is unauthenticated. GitHub may log standard server-access information (IP, user-agent) under their own policy; we don't operate that endpoint and we don't see those logs.
If you buy Pro, the desktop app talks to our licensing endpoint twice in distinct shapes:
410 Gone, and that machine drops to the free tier on its own.Roster writes the signed token to %LOCALAPPDATA%\Roster. Between refreshes the app verifies the token entirely offline; you can take a machine off the network for a full renewal cycle and Pro keeps working. The fingerprint-binding is why copying the token to another machine doesn't work: the signature is over the fingerprint. Lifetime grants skip the daily refresh entirely.
The billing system runs on Whop. Whop receives your payment details directly and is the merchant of record; Roster's servers never see card information. The information Roster's billing backend keeps in its own KV store is the minimum to make subscriptions work:
Notably absent: any Roblox account information (your Roblox usernames are not sent to the billing system), any usage data, and any device information beyond the opaque fingerprint hash.
For the Free tier, Roster doesn't hold personal data on its servers, so the rights you'd ordinarily exercise under GDPR, CCPA, or your local equivalent don't have much to attach to. The vault is on your machine; you delete it by uninstalling.
For Pro, the personal data we hold is your email address, your Whop customer/membership ID, and the hardware fingerprint hash of the machine you've bound your licence to. You can ask us to delete that record at any time (which will also deactivate the licence). Email support@accountroster.com. We'll do it within 30 days and confirm in writing.
If you're on the Free tier and you want to know what AdsJumbo does with the ad impression, that's covered by AdsJumbo's own privacy policy.
If we ever change this policy in a way that affects what Roster does or does not transmit, we will announce the change in the next release's changelog, bump the major version of the application, and require explicit re-consent on first launch after the update. There is no scenario in which Roster begins transmitting new information about you without you noticing.
For anything privacy-related: security@accountroster.com. Read by one person, usually within 24 hours.