Privacy Policy

Arriva Corporation ("we", "us", "our", or "the Company") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services, including but not limited to:

• RoAdmin, Licence Manager, RankGun, and other administrative frameworks
• Arriva Connecting Roblox, Cermona Foundation, and other Roblox experiences
• Internal dashboards, APIs, Cloudflare Worker endpoints, and Discord bots
• Our website, support systems, and any other connected tools or services

By accessing or using any Arriva Corporation service, you agree to the terms of this Privacy Policy. If you do not agree, please do not use our services.

We collect several types of information to provide and improve our services:

2.1 Information You Provide Directly:

• Roblox Account Data: Roblox User ID, username, and display name (for authentication, licensing, and entitlement verification)
• Discord Account Data: Discord User ID, username, discriminator, and avatar (for licence linking, verification, and community management)
• Contact Information: Email address (provided voluntarily for support, account recovery, or product updates)
• Payment Information: When purchasing through Stripe, we do not store full payment details. Stripe handles all payment processing in accordance with PCI-DSS standards.
• Support Communications: Any information you provide in support tickets, emails, or Discord messages

2.2 Information Collected Automatically:

• Usage Data: Licence keys, product entitlements, feature usage, API request metadata (timestamps, endpoints called, success/failure status)
• Technical Data: IP addresses, browser type, operating system, device information, and referral URLs
• Server Logs: Error logs, crash reports, and system performance data used for debugging and security monitoring
• Session Data: Authentication tokens, session durations, and activity timestamps

2.3 Information from Third Parties:

• Roblox and Discord may provide us with basic profile information when you authenticate through their platforms
• Firebase may provide analytics and database interaction logs
• Cloudflare Workers may provide request metadata for API security and performance monitoring

For users in the European Economic Area (EEA), we process your personal data under the following legal bases:

• Contractual Necessity: Processing is necessary for the performance of a contract with you (e.g., delivering purchased products, verifying licences)
• Legitimate Interests: We have a legitimate interest in operating, securing, and improving our services, preventing fraud, and ensuring system stability
• Legal Compliance: Processing is necessary to comply with applicable laws and regulations
• Consent: Where you have provided explicit consent (e.g., for marketing communications or optional data collection)

You have the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

We use collected information for the following purposes:

• Service Delivery: Validating licences, authenticating users, managing entitlements, and providing access to products
• Security & Fraud Prevention: Detecting and preventing unauthorised access, abuse, and fraudulent activity
• System Maintenance & Improvement: Debugging errors, optimising performance, and developing new features
• Customer Support: Responding to inquiries, resolving issues, and providing technical assistance
• Legal Compliance: Complying with applicable laws, regulations, and legal processes
• Communication: Sending service updates, security alerts, and (with consent) marketing communications
• Analytics: Aggregated, anonymised data analysis to understand usage patterns and improve our services

We do NOT: Sell your personal data to third parties, use your data for behavioural advertising, or process your data for purposes incompatible with those stated above.

We may share your information in the following circumstances:

5.1 Service Providers: We engage trusted third-party services to support our infrastructure:

• Roblox Corporation — identity verification and in-game services (privacy policy: View Policy)
• Discord Inc. — user verification and community management (View Policy)
• Google Firebase — database and authentication services (View Policy)
• Cloudflare, Inc. — API hosting, security, and performance (View Policy)
• Stripe, Inc. — payment processing (PCI-DSS compliant) (View Policy)
• EmailJS — support ticket email delivery (View Policy)

5.2 Legal Requirements: We may disclose information if required to do so by law, subpoena, or other legal process, or to protect the rights, property, or safety of Arriva Corporation, our users, or others.

5.3 Business Transfers: In the event of a merger, acquisition, or sale of assets, user information may be transferred. We will notify you of any such change.

5.4 With Your Consent: We may share information for other purposes with your explicit consent.

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws different from your jurisdiction. We take appropriate safeguards to ensure your data is protected, including:

• Using Standard Contractual Clauses (SCCs) approved by the European Commission
• Ensuring our service providers are GDPR-compliant where applicable
• Implementing robust security measures for data in transit and at rest

By using our services, you acknowledge that your information may be transferred to our facilities and to third parties as described in this policy.

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Retention periods:

• Licence and entitlement data: Retained for the duration of your licence plus a reasonable period thereafter for legal and audit purposes (up to 3 years)
• Support tickets and communications: Retained for up to 2 years from the date of resolution
• Server logs and error reports: Retained for up to 90 days for security and debugging purposes
• Account linkage data (Roblox/Discord): Retained as long as you have an active account with us, or until you request deletion
• Deprecated system data: Minimal historical logs retained for legacy compliance, anonymised where possible

When data is no longer needed, it is securely deleted or anonymised.

Depending on your jurisdiction, you may have the following rights regarding your personal data:

For all users:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Rectification: Request correction of inaccurate or incomplete data
• Right to Deletion: Request deletion of your personal data, subject to legal obligations
• Right to Restrict Processing: Request limitation of how we use your data
• Right to Data Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests
• Right to Withdraw Consent: Withdraw previously given consent at any time

For California residents (CCPA/CPRA):

• Right to know what personal information is collected, used, shared, or sold
• Right to opt-out of the sale of personal information (Note: We do not sell your data)
• Right to non-discrimination for exercising your privacy rights
• Right to correct inaccurate personal information
• Right to limit use of sensitive personal information

To exercise your rights, please contact us at: privacy@arriva-corporation.com or through our official Discord support channels. We will respond within 30 days as required by applicable law.

Our services are not directed to children under the age of 13 (or under 16 in certain jurisdictions). We do not knowingly collect personal information from children under 13. Roblox itself has age restrictions and parental controls; we rely on Roblox's age verification systems.

If you believe we have inadvertently collected information from a child under 13, please contact us immediately so we can delete such information. Parents or guardians may contact us to request deletion of their child's data.

We implement industry-standard security measures to protect your information:

• Encryption: TLS 1.3 for data in transit, AES-256 for sensitive data at rest
• Access Control: Strict role-based access controls (RBAC) and multi-factor authentication for staff
• Regular Audits: Periodic security assessments, vulnerability scanning, and penetration testing
• Rate Limiting: API rate limits to prevent abuse and brute-force attacks
• Monitoring: Real-time threat detection and automated abuse prevention systems
• Incident Response: Documented breach notification procedures and data recovery plans

While we strive to protect your data, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

We use cookies and similar technologies to enhance your experience:

• Essential Cookies: Required for authentication, session management, and security
• Preference Cookies: Remember your settings and preferences
• Analytics Cookies: Anonymised usage statistics to improve our services (opt-out available)
• Third-Party Cookies: Stripe (payment), Cloudflare (security), and Firebase (analytics) may set their own cookies

You can control cookies through your browser settings. Disabling essential cookies may affect service functionality.

Our services may contain links to third-party websites, products, or services (e.g., Roblox.com, Discord.com, Stripe checkout). We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. We will notify you of material changes by:

• Posting the updated policy on our website with a new "Last Updated" date
• Sending a notice via Discord or email (if you have provided such contact information)
• Displaying a prominent notice within our services

Your continued use of our services after the effective date constitutes acceptance of the revised policy. We encourage you to review this policy periodically.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer (DPO): Oliver G., Head of Legal Affairs
Email: dpo@arriva-corporation.com
Privacy Inquiries: privacy@arriva-corporation.com
Discord: Join our official community server and open a support ticket
Mail: Arriva Corporation Legal Department (address available upon request)

For users in the European Economic Area, you also have the right to lodge a complaint with your local supervisory authority.

This Privacy Policy shall be governed by and construed in accordance with the laws of the United Kingdom, without regard to its conflict of law provisions. Any disputes arising under this policy shall be resolved exclusively in the courts of the United Kingdom. For international users, we comply with applicable local data protection laws including GDPR (EU) and CCPA (California).