Privacy Policy

Last updated: February 8, 2026

1. Introduction

Onbaby LLC ("we," "us," or "our") operates Nasara ("rostud.io"). This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our platform.

2. Information We Collect

Account Information

  • Email address, display name, and profile picture (via Auth0 authentication)
  • Google or Discord account data if you use social login (name, email, avatar)
  • Account creation date and login history

Roblox Account Data

  • Roblox User ID, username, display name, and avatar URL (via Roblox OAuth)
  • This data is collected only when you explicitly link your Roblox account
  • We do not access your Roblox inventory, games, or other private data

Project & Usage Data

  • Chat messages and prompts you send to the AI
  • Script contents and instance hierarchy synced from Roblox Studio via the plugin
  • AI-generated code and outputs
  • Generation counts, token usage, and feature usage metrics

Technical Data

  • IP address, browser type, device information
  • Plugin session tokens and connection metadata
  • Error logs and performance data

3. How We Use Your Information

  • Provide the service: Process your prompts through AI models, sync code with Roblox Studio, manage your projects and chat history
  • Authentication: Verify your identity and manage account access via Auth0
  • Usage enforcement: Track generation counts to enforce free-tier limits and prevent abuse
  • Improve the platform: Analyze aggregated, anonymized usage patterns to improve AI quality and user experience
  • Communication: Send transactional emails (welcome, usage alerts, security notices)

4. AI Processing

Your prompts and project data are sent to third-party AI providers (including Google and Anthropic via OpenRouter) for code generation. Key points:

  • AI providers process your data to generate responses and do not use it to train their models
  • We send only the minimum context necessary (recent chat messages, relevant script contents)
  • We do not sell your prompts or generated content to third parties

5. Data Storage & Security

  • Data is stored in a PostgreSQL database hosted by a managed cloud provider
  • All data in transit is encrypted via TLS/HTTPS
  • Plugin session tokens are stored as hashed values
  • Authentication is handled by Auth0, a SOC 2 Type II certified provider
  • We implement rate limiting and input validation to protect against abuse

6. Cookies & Local Storage

We use cookies and browser storage for:

  • Authentication cookies: Maintain your login session (essential, set by Auth0)
  • Preference storage: Remember UI settings like theme and cookie consent (localStorage)

We do not use advertising or third-party tracking cookies. You can clear cookies at any time through your browser settings, though this will log you out.

7. Third-Party Services

We share data with the following third-party services as necessary to operate the platform:

ServicePurposeData Shared
Auth0AuthenticationEmail, name, login events
OpenRouterAI model routingChat prompts, script context
Roblox OAuthAccount linkingRoblox user profile
Database hostData storageAll platform data

8. Data Retention

  • Account data is retained while your account is active
  • Chat history and project data are retained until you delete them or your account
  • Usage metrics may be retained in anonymized, aggregated form after account deletion
  • We delete your personal data within 30 days of account deletion, except where retention is required by law

9. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate personal data
  • Delete your account and associated data
  • Export your data in a portable format
  • Unlink your Roblox account at any time from settings
  • Revoke plugin sessions at any time from settings

To exercise these rights, visit your account settings or contact us at the email below.

10. Children's Privacy

Nasara is not intended for children under 13. We do not knowingly collect data from children under 13. If we become aware that we have collected such data, we will delete it promptly. Users aged 13-17 must have parental or guardian consent to use the service.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.

12. Contact Us

For privacy-related questions or requests, contact us at privacy@onbaby.io.