Privacy Policy

Last updated: May 27, 2025

1. Introduction

Bloxstash (“we”, “us”, or “our”) operates the Bloxstash platform at bloxstash.net (the “Service”). This Privacy Policy explains what personal information we collect, how we use it, and your rights in relation to it. By using the Service you agree to the practices described in this policy. If you do not agree, please do not use the Service.

Bloxstash is a marketplace and peer-to-peer trade listing platform for BloxStrike in-game items. It allows users to deposit items via our Roblox bot, list items for sale using a platform balance, and post trade advertisements to arrange direct player-to-player exchanges.

2. Information We Collect

2.1 Account & Identity Information

  • Your Roblox user ID and username, obtained through Roblox OAuth when you sign in
  • Your Discord username, obtained through Discord OAuth if you choose to connect your Discord account
  • Your email address, collected at account creation or when you verify your email for withdrawal eligibility
  • Your profile image URL, sourced from Roblox's thumbnail API
  • Your account role and membership status on the platform

2.2 Financial & Transaction Data

  • Store balance and earnings balance held on the platform (denominated in GBP)
  • Stripe customer ID and subscription ID for membership billing
  • Stripe Connect account ID and onboarding status for bank withdrawal payouts
  • Deposit and withdrawal history including item details, values, and timestamps
  • Marketplace purchase and sale records including item name, exterior, float value, sale price, and approximate value (RAP)
  • Crypto payment references via NOWPayments for deposits and withdrawals

We do not store your full card number, CVV, or bank account details. Card processing is handled entirely by Stripe and crypto processing by NOWPayments. We receive only tokenised references.

2.3 Game Item Data

  • Item metadata submitted through our Roblox bot: item name, rarity, exterior condition, float value, serial number, and approximate Roblox asset price (RAP)
  • Trade advertisement details: items offered, items requested, and contact preferences
  • Inventory of items deposited and held on the platform

2.4 Technical & Usage Data

  • IP address, stored against your session record at sign-in and used for fraud prevention and rate limiting
  • Browser user agent string, stored alongside session records
  • Error and diagnostic data collected by our error monitoring service
  • Aggregated, non-identifiable page analytics used to understand platform usage
  • Feedback submissions including content, timestamp, and associated IP address

2.5 Cookies & Local Storage

We use browser cookies to maintain your authenticated session. These are strictly necessary for the Service to function. We also use your browser's localStorage to remember preferences such as favourited items, your shopping cart, and UI settings. No advertising or cross-site tracking cookies are used.

3. How We Use Your Information

  • To create and manage your account and authenticate your identity
  • To operate the marketplace, process item deposits and withdrawals, and record transactions
  • To process payments via Stripe (card deposits, subscriptions, bank payouts) and NOWPayments (crypto deposits and withdrawals)
  • To send email verification codes required for withdrawal eligibility
  • To display your trade advertisements, including your Discord username as contact information, to other users
  • To detect fraud, enforce rate limits, and enforce platform rules including bans
  • To debug errors and monitor platform stability
  • To measure aggregate usage trends and improve the platform
  • To respond to support requests and enforce our Terms of Service

We do not sell your personal data to third parties, use it for advertising, or share it beyond what is described in this policy.

4. Legal Bases for Processing (GDPR)

Where applicable under the UK GDPR or EU GDPR, we rely on the following legal bases:

  • Contract performance — to provide the Service you have signed up for, including account management, marketplace operations, and payment processing
  • Legal obligation — to maintain financial records and comply with applicable law
  • Legitimate interests — to detect and prevent fraud, abuse, and security threats; to monitor platform stability; and to enforce our Terms of Service
  • Consent — where you explicitly opt in to optional features not required to use the Service

5. Information Sharing & Third-Party Services

We do not sell your personal data. We share it only with the following third parties who independently collect or control data as part of delivering the Service:

Stripe

Processes card deposits, membership subscription billing, and bank payouts via Stripe Connect. Stripe independently controls your payment data and may require identity verification documents for Connect accounts under their own KYC obligations. See stripe.com/privacy.

NOWPayments

Processes cryptocurrency deposits and withdrawal payouts. NOWPayments independently handles your crypto transaction data. See their privacy policy at nowpayments.io.

Discord

Used for account sign-in via OAuth and to display your username as contact information on trade advertisements. Your use of Discord is subject to Discord's Privacy Policy.

Roblox

Used for account sign-in via OAuth and as the game platform through which our bot collects and delivers items. Your use of Roblox is subject to Roblox's Privacy Policy.

We also engage service providers for hosting, error monitoring, and email delivery who act as data processors under our instructions. These providers do not use your data for their own purposes and are contractually bound to protect it.

We may also disclose information where required by law, court order, or to protect the rights, property, or safety of Bloxstash, our users, or others.

6. Public Information

Trade advertisements you post are publicly visible to all visitors of the platform, including your Roblox username, the items you offer and request, and your Discord username if provided as contact information. Marketplace listings display item details and pricing. You should not include sensitive personal information in any listing.

7. Data Retention

  • Account data is retained while your account is active and for a reasonable period after deletion to handle any outstanding disputes or legal obligations
  • Financial transaction records (deposits, withdrawals, sales, purchases) are retained for a minimum of 7 years to comply with financial record-keeping requirements
  • Session records including IP addresses are retained for a limited period and then deleted
  • Expired trade advertisements are removed automatically after their time limit expires

8. Your Rights

Depending on where you are located, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you
  • Correction — request that inaccurate data be corrected
  • Erasure — request deletion of your account and personal data, subject to our legal obligations to retain certain financial records
  • Restriction — request that we restrict processing of your data in certain circumstances
  • Data portability — request your data in a structured, machine-readable format where applicable
  • Objection — object to processing based on our legitimate interests
  • Withdraw consent — where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us through our Discord server (link below). We will respond within 30 days.

9. Age Restrictions & Children's Privacy

The Service is not directed to children under the age of 13. We do not knowingly collect personal information from anyone under 13. If you are under 13, do not use the Service. If we become aware that we have collected personal information from a child under 13, we will delete it promptly. Users between the ages of 13 and 18 should have parental or guardian consent before using the Service, particularly given that it involves real-money transactions.

10. Security

We implement reasonable technical and organisational measures to protect your data, including HTTPS encryption in transit, hashed session tokens, rate limiting on sensitive endpoints, parameterised database queries, and role-based access controls for administrative functions. Passwords are not stored — authentication uses OAuth and email-based verification codes secured with industry-standard hashing. However, no system is completely secure and we cannot guarantee absolute protection against all threats.

11. International Data Transfers

Your data may be processed and stored in countries outside your own, including by the third-party providers listed in Section 5. Where transfers occur from the UK or EEA to third countries, we rely on appropriate safeguards such as standard contractual clauses or adequacy decisions. By using the Service you acknowledge that your data may be transferred internationally.

12. Third-Party Links

The Service may contain links to external websites or services (such as Roblox, Discord, or Stripe). We are not responsible for the privacy practices of those sites. We encourage you to review their privacy policies before providing them with your information.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated by updating the date at the top of this page. Continued use of the Service after changes are posted constitutes your acceptance of the revised policy.

14. Contact

For any questions, concerns, or requests regarding this Privacy Policy or how we handle your data, please contact us through our Discord server.