Roster's privacy policy fits in a footnote. Here's the long version anyway, so there's nothing to argue about later.
Roster does not collect, log, or transmit any information about you, the accounts you load into it, the games you launch, or how you use the app. The application would still work if you firewalled it from everything except Roblox.
By default there are four outbound destinations Roster ever contacts:
api.accountroster.com, only if you buy Plus: once to bind your licence to a machine, then once per day to re-issue a fresh signed licence file. After that, all licence verification is local.
accountroster.com/beacon, on Free installs: a lightweight, anonymous, payload-free ping when the app launches and when a Roblox client is started, so daily-active-machine and launch counts can be tallied server-side. It carries no identifier and nothing about you or how you use the app. Paid (Plus) installs are counted by their daily licence refresh instead, so they don't send it.
Roster shows no ads at all - on any tier. There is no ad network, no banner, no pre-launch video, and no third-party advertising tag anywhere in the app. The Free tier is simply feature-limited; Plus unlocks the full app.
If you use the in-app cookie-capture sign-in flow, Roster also embeds Microsoft's WebView2 component to render Roblox's official login pages locally. WebView2 is a Microsoft-controlled rendering engine and is bound by Microsoft's own privacy disclosures for the embedded browser process. We use it only to load roblox.com and the OAuth pages it redirects to; we don't ship any analytics on top of it.
Everything that's "your data" lives in %LOCALAPPDATA%\Roster and never leaves it unless you explicitly export it:
No cloud sync. No "anonymous usage statistics that turn out not to be anonymous." No crash pings. If Roster crashes, the crash dump is written to disk and you can mail it to us if you want; we don't pull it.
For each account in the vault, Roster's refresh loop calls Roblox's web API on that account's behalf. These are the same authenticated endpoints the official site uses, with the cookie from the vault attached. We never proxy game-server traffic and never touch the game client's own sockets.
On an hourly cadence, Roster checks GitHub Releases for the project to see if a newer version is available. The request is unauthenticated. GitHub may log standard server-access information (IP, user-agent) under their own policy; we don't operate that endpoint and we don't see those logs.
If you buy Plus, the desktop app talks to our licensing endpoint twice in distinct shapes:
410 Gone, and that machine drops to the free tier on its own.
Roster writes the signed token to %LOCALAPPDATA%\Roster. Between refreshes the app verifies the token entirely offline; you can take a machine off the network for up to 4 days and your licence keeps working before it needs to reach the server again. The fingerprint-binding is why copying the token to another machine doesn't work: the signature is over the fingerprint. Lifetime grants still refresh on the same daily schedule, but their offline token carries a longer expiry - roughly 30 days - before a check-in is required.
On Free installs, Roster pings a lightweight first-party presence beacon at accountroster.com/beacon once per session and once per Roblox launch, so we can count daily-active machines and launches. The request carries no payload and no identifier - no account data, no fingerprint, no usage detail. The server derives a daily-active-user count from a daily-rotating hash of the request's IP address and user-agent (see Aggregate server-side counters below); the raw IP is never stored. Paid (Plus) installs are counted by their daily licence refresh instead, so they never send the beacon.
The billing system runs on Whop. Whop receives your payment details directly and is the merchant of record; Roster's servers never see card information. The information Roster's billing backend keeps in its own KV store is the minimum to make subscriptions work:
Notably absent: any Roblox account information (your Roblox usernames are not sent to the billing system), any usage data, and any device information beyond the opaque fingerprint hash.
We keep daily aggregate counts of requests our own servers were going to receive anyway: how many machines pinged our lightweight first-party presence beacon when the app launched on a given day, how many paid licences performed their daily refresh, and how many times the installer was downloaded through this website's download button. This counting happens entirely on our servers; it adds nothing to what the app transmits, and the app remains telemetry-free.
To avoid counting the same machine twice in one day on the presence beacon, we hash the request's IP address and browser user-agent together with the current date. The hash rotates every day, cannot be reversed back into an IP address, and the raw IP is never stored. Paid refresh events are keyed by a one-way hash of the internal customer ID. No names, email addresses, Roblox accounts, or hardware fingerprints enter the metrics dataset, and nothing in it can reconstruct an individual's history.
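An added illustration of the daily-rotating hash described above; it is not Roster's server code. The keyed HMAC-SHA256, the server-side key, the field encoding, the function and class names, the made-up user-agent string and the sample requests are all assumptions made for this example.

```python
import hashlib
import hmac
from datetime import date

# Assumption: the hash is keyed with a server-side secret, so a stored digest
# cannot be matched to an address by enumerating the small IPv4 space offline.
SERVER_KEY = b"constructed-example-key"


def presence_key(ip, user_agent, day, key=SERVER_KEY):
    """Daily-rotating dedup key: HMAC-SHA256 over (date, IP, user-agent)."""
    fields = [day.isoformat().encode(), ip.encode(), user_agent.encode()]
    # Length-prefix every field so ("1.2.3.4", "5x") and ("1.2.3.45", "x")
    # can never serialise to the same message.
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class DailyActiveCounter:
    """Holds digests only while a day is open; never the raw IP or user-agent."""

    def __init__(self):
        self._seen = {}   # day -> set of digests for that day
        self.totals = {}  # day -> final aggregate count

    def record(self, ip, user_agent, day):
        self._seen.setdefault(day, set()).add(presence_key(ip, user_agent, day))

    def close_day(self, day):
        # Assumption: once a day ends, its digests are dropped and only the
        # aggregate number is retained.
        self.totals[day] = len(self._seen.pop(day, set()))
        return self.totals[day]


# Constructed sample beacon hits (documentation-range IPs, made-up user-agent).
SAMPLE_HITS = [
    ("192.0.2.10", "Roster/1.0", date(2024, 5, 1)),
    ("192.0.2.10", "Roster/1.0", date(2024, 5, 1)),    # same machine, second launch
    ("198.51.100.7", "Roster/1.0", date(2024, 5, 1)),
    ("192.0.2.10", "Roster/1.0", date(2024, 5, 2)),    # same machine, next day
]


def run_sample():
    counter = DailyActiveCounter()
    for ip, ua, day in SAMPLE_HITS:
        counter.record(ip, ua, day)
    days = sorted({hit[2] for hit in SAMPLE_HITS})
    return {d.isoformat(): counter.close_day(d) for d in days}


if __name__ == "__main__":
    print(run_sample())
```

Because the date is part of the hashed message, the same machine produces an unrelated digest on each day, so digests from different days cannot be joined into a history.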
Roster asks for your date of birth once, during first-run setup, and stores it only on your machine (in %LOCALAPPDATA%\Roster, alongside the rest of your local data). It is never transmitted to us or to anyone else. We collect it for one reason: to enforce an age gate.
Because the date of birth never leaves your device, there is no server-side record of a user's age for us to delete. Deleting your local Roster data (by uninstalling, or by removing the %LOCALAPPDATA%\Roster folder) removes it. If you believe a child under 13 has nonetheless provided information to us, contact security@accountroster.com and we will address it.
For the Free tier, Roster doesn't hold personal data on its servers, so the rights you'd ordinarily exercise under GDPR, CCPA, or your local equivalent don't have much to attach to. The vault is on your machine; you delete it by uninstalling.
For Plus, the personal data we hold is your email address, your Whop customer/membership ID, and the hardware fingerprint hash of the machine you've bound your licence to. You can ask us to delete that record at any time (which will also deactivate the licence). Email support@accountroster.com. We'll do it within 30 days and confirm in writing.
If we ever change this policy in a way that affects what Roster does or does not transmit, we will announce the change in the next release's changelog, bump the major version of the application, and require explicit re-consent on first launch after the update. There is no scenario in which Roster begins transmitting new information about you without you noticing.
For anything privacy-related: security@accountroster.com. Read by one person, usually within 24 hours.