Home / Privacy

Privacy Policy

Last updated: May 31, 2026. This policy explains what VerifyUGC collects, why we collect it, who we share it with, how long we keep it, and the rights you have over your data.

VerifyUGC ("VerifyUGC", "we", "us", or "our") is operated by Modulix Solutions LLC (trading as VerifyUGC / PineFruit.dev). We provide trust and safety infrastructure for the user-generated-content (UGC) creator economy across platforms including Roblox, Fortnite/UEFN, and Minecraft. This policy covers our website at verifyugc.dev and its subdomains, our public and authenticated REST API, our Discord bot, and our browser extension (together, the "Service").

For the purposes of applicable data protection law (including the GDPR and UK GDPR), VerifyUGC is the data controller for personal data processed through the Service. You may contact our privacy team at any time at privacy@verifyugc.dev.

1. Information We Collect

Account information. When you create a VerifyUGC account, we collect your email address, a securely hashed password (we never store your password in plain text), the handle and display name you choose, and optionally a profile avatar and short bio.

Linked platform accounts. If you use OAuth to connect a third-party platform account for sign-in or identity verification, we receive a limited set of profile data from that provider and store it linked to your VerifyUGC account. We request only the minimum OAuth scopes needed. The table below summarizes what we receive from each supported provider.

Provider	Data received	Purpose
Discord	User ID, username, discriminator (legacy tag), global display name, avatar hash, and email address (if granted by you)	Sign-in, identity verification, Discord bot integration, linking your VerifyUGC profile to your Discord identity
Google	Google Account ID, display name, profile picture URL, and email address	Sign-in, identity verification
GitHub	GitHub user ID, username (login), display name, avatar URL, and primary email address (if public or granted)	Sign-in, identity verification for developer accounts
Twitch	Twitch user ID, display name, login name, profile picture URL, and email address (if granted)	Sign-in, identity verification for streaming-platform creators
X (Twitter)	X user ID, username (handle), display name, and profile picture URL	Sign-in, identity verification, public profile linking
Roblox	Roblox user ID, username, display name, and thumbnail/avatar URL (via Roblox open OAuth or verified-link flow)	Identity verification as a Roblox creator; blacklist and trust-score linking for Roblox-ecosystem users
Epic Games / UEFN	Epic Account ID, display name, and linked platform identifiers returned by the Epic Games authorization flow	Identity verification as a UEFN/Fortnite creator; blacklist and trust-score linking for UEFN-ecosystem users

We do not receive your password for any linked platform. Because linked accounts establish your verified identity, they are permanent and cannot be unlinked on demand; to remove a connected account you submit a removal request from your dashboard (or contact privacy@verifyugc.dev), which our team reviews. Approved removals delete our stored copy of that provider's data subject to the safety-related retention described in Section 5.

API keys. When you generate a developer API key, we store a one-way hash of the key (not the key itself), together with creation metadata (date, plan tier, label you assign), usage counters, and last-used timestamps. The actual key value is displayed to you exactly once at creation and is never stored in recoverable form on our servers.

Content you submit. Reports, supporting evidence files, reviews, appeal submissions, completed-deal records, and — for map sellers — island listing and DMCA certification data. This content may contain information about other people that you choose to include as part of a report or evidence package.

Third-party lookups. To operate the shared blacklist, watchlist, and trust-score system, we process platform identifiers (such as Roblox user IDs, Discord user IDs, or Epic Account IDs) that you or other users submit or query. A watchlist entry may exist for a platform identifier that has no corresponding VerifyUGC account.

Security and usage data. To secure the Service and prevent abuse, we process technical data including IP address, HTTP request metadata (method, path, user-agent, referrer), authentication timestamps, and rate-limit counters. This data is transient in nature and is used solely for security and operational integrity — not for advertising, profiling, or behavioral analytics.

Payment data. If you subscribe to a paid plan, payment processing is handled entirely by Stripe, Inc. Card numbers, CVV codes, and full card data are entered directly with Stripe through their hosted payment elements and never reach or transit our servers. We store only: a Stripe Customer ID, a Stripe Subscription ID, your current plan tier and billing cycle, and subscription status. We do not store your full card number, expiry, or security code.

Browser extension. Our browser extension contacts only verifyugc.dev servers. It sends the public creator identifier you are viewing (for example, a Roblox username or user ID visible on the page, or a handle you type into the extension) in order to return blacklist status, verification status, or trust-score information. These lookup requests are received and logged by our servers as standard API calls — including the identifier queried, a timestamp, and your IP address — subject to our standard security-log retention (see Section 5). The extension does not track your browsing history, does not communicate with any third-party analytics services, does not set cookies, and does not store personal data locally on your device beyond what your browser requires to run the extension.

What we do not collect. We do not operate third-party advertising trackers or behavioral analytics (no Google Analytics, Meta Pixel, or equivalent). We do not collect precise geolocation data, biometric data, or facial recognition data. We do not collect or store payment card numbers, bank account details, or government-issued identification numbers.

2. How We Use Your Information

We use the information described in Section 1 to:

Create, authenticate, and maintain your account;
Operate and deliver the blacklist, watchlist, trust-score, verification, and creator-directory features;
Propagate blacklist and safety data to participating communities through the API and Discord bot;
Receive, process, and resolve reports, reviews, and appeals;
Provide and secure developer API access;
Process subscription payments through Stripe;
Send transactional email — including account verification, password reset, billing receipts, security alerts, and appeal-decision notifications — via Resend;
Detect, investigate, and prevent fraud, abuse, ban evasion, and security incidents;
Maintain the integrity of the shared trust network and prevent re-listing of removed identifiers under new accounts; and
Comply with applicable legal obligations and respond to lawful requests from authorities.

Automated decision-making and trust scores. VerifyUGC computes trust scores algorithmically based on signals including account age and history, linked platform verification level, number and nature of completed deals, community reviews, and presence or absence of blacklist/watchlist entries. These scores influence how your profile is displayed to other users and may affect your discoverability within the Service. This constitutes automated decision-making that may produce legal or similarly significant effects for you as a creator.

Under Article 22 of the GDPR, EEA and UK users have the right not to be subject to a decision based solely on automated processing that produces significant effects, and the right to obtain human review of such decisions. If you believe your trust score is incorrect or unfairly computed, you may request human review by submitting an appeal through the appeals portal or by emailing appeals@verifyugc.dev or privacy@verifyugc.dev. We will conduct a human review as part of the appeals process described in our Terms of Service.

Legal bases for processing (EEA and UK users). We process personal data on the following legal bases under the GDPR / UK GDPR:

Contract (Article 6(1)(b)): Processing necessary to perform our agreement with you — including operating your account, the blacklist, trust scores, and developer API access.
Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests in operating a community trust and safety network, preventing abuse and fraud, and securing the Service, where those interests are not overridden by your rights and freedoms. We conduct balancing tests for each legitimate-interest processing activity and can provide copies on request.
Legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable laws, including tax and financial record-keeping requirements and responses to lawful governmental requests.
Consent (Article 6(1)(a)): Where required, we process data on the basis of your consent — for example, certain optional account-linking features. You may withdraw consent at any time; withdrawal does not affect the lawfulness of prior processing. To withdraw consent, submit a removal request for the relevant account from your dashboard or contact privacy@verifyugc.dev.

3. How Information Is Shared

Public by design. Certain information is intentionally public so that the trust network can function: your public creator profile, display name, verification status, trust score, linked platform identifiers you have set to public, and any accounts you have voluntarily made visible appear on the site and through the API. Blacklist and watchlist status for a queried identifier is queryable by any user of our public API, browser extension, or Discord bot. Before linking any platform account or submitting any information, please consider what you wish to make public.

Service providers (data processors). We engage the following third-party service providers, who process data on our behalf under contractual data-processing arrangements:

Vendor	Role	Data shared
Cloudflare, Inc.	Hosting, CDN, edge network, D1 relational database, KV store, R2 object storage	All personal data in transit and at rest; Cloudflare processes all requests that reach the Service. Cloudflare acts as a sub-processor for stored data and as an independent data controller for its own network security functions (e.g., DDoS mitigation logs).
Stripe, Inc.	Payment processing and subscription management	Billing information entered at checkout, subscription status, and payment method metadata. Stripe is an independent data controller for payment data under its own privacy policy.
Resend, Inc.	Transactional email delivery	Your email address and the content of transactional messages (account verification, password reset, billing receipts, security alerts, appeal decisions). We do not send marketing email through Resend.

Each provider is subject to contractual obligations, including — where applicable — Standard Contractual Clauses or other transfer mechanisms for international data transfers (see Section 8).

Third-party login providers. When you use OAuth sign-in or link a platform account, a minimum set of your data is exchanged with the relevant provider to complete the authentication and verification flow, as described in Section 1. Each provider operates under its own privacy policy and acts as an independent data controller for data it holds.

Legal and safety disclosures. We may disclose personal data to courts, law enforcement agencies, regulatory bodies, or other governmental authorities where required by applicable law, valid legal process, or where we reasonably believe disclosure is necessary to enforce our Terms of Service, prevent fraud or abuse, or protect the rights, safety, or property of our users, the public, or VerifyUGC.

Business transfers. If VerifyUGC or Modulix Solutions LLC is involved in a merger, acquisition, asset sale, financing, corporate reorganization, or insolvency proceeding, personal data held by us may be transferred to a successor entity as part of that transaction. We will provide notice of any such transfer through the Service or by email to affected users, and any successor will be bound to honor this policy or will provide users with a new privacy notice before any material changes take effect.

We do not sell your personal data. We do not sell, rent, or share your personal information for cross-context behavioral advertising. This statement applies to "selling" and "sharing" as defined under the CCPA/CPRA and other applicable state privacy laws.

California "Shine the Light" disclosure. California Civil Code Section 1798.83 permits California residents to request information about disclosures of personal information to third parties for their direct marketing purposes. VerifyUGC does not disclose personal information to third parties for their direct marketing purposes. California residents may direct inquiries to privacy@verifyugc.dev.

4. Cookies and Analytics

We use a single strictly-necessary session cookie to keep you signed in while you use the Service:

Name: vugc_session
Purpose: Maintains your authenticated session
Attributes: HttpOnly, Secure, SameSite=Lax
Duration: 30 days from issuance, or until you sign out

Cloudflare, our hosting and CDN provider, may set its own security and performance cookies (such as __cf_buid and __cflb) as part of its DDoS mitigation and bot-management functions. These cookies are set by Cloudflare's network layer and are not under our direct control. Cloudflare's use of these cookies is governed by Cloudflare's Privacy Policy.

Privacy-preserving analytics. To understand aggregate traffic patterns — such as page views, popular pages, and referring sources — we use Cloudflare Web Analytics. Cloudflare Web Analytics is privacy-first by design: it sets no cookies, writes nothing to your browser's local storage, does not fingerprint your device, and does not track or identify individual visitors or follow you across other websites. It records only aggregated, non-identifying measurements. We do not use Google Analytics, Meta Pixel, advertising trackers, behavioral-analytics SDKs, or any cross-site tracking technology.

Because the only cookie we set is the strictly-necessary vugc_session sign-in cookie above, and our analytics provider is entirely cookieless, we do not display a cookie-consent banner. If we add any non-essential cookies in the future, we will update this policy and, where required by law, obtain your prior consent first.

5. Data Retention

We retain personal data for as long as necessary to fulfil the purposes described in this policy, to comply with our legal obligations, and to operate the trust and safety network effectively. The table below sets out our standard retention periods by data category.

Category	Retention period
Account and profile data	For the life of the account, plus 3 years following account closure (to support legal defense, fraud prevention, ban-evasion detection, and trust network integrity). After 3 years, profile data is permanently deleted or pseudonymized.
Linked platform accounts (OAuth data)	Until an approved removal request unlinks the account, or you delete your VerifyUGC account, at which point the linked-account data is deleted, subject to safety-related exceptions below.
Security and access logs (IP, request metadata)	90 days from collection, then automatically purged.
Session records	30 days from issuance, or until you sign out, whichever is earlier.
Payment and billing records	As required by applicable financial regulations and tax law, typically 7 years from the date of the transaction.
Active blacklist entries and supporting evidence	For the life of the blacklist entry, plus up to 3 years following removal of the entry, to support ban-evasion prevention, re-listing decisions, and defense of legal claims.
Watchlist entries	Until the entry is removed by the submitter, overturned on appeal, or administratively removed by VerifyUGC.
Appeal records (submissions, evidence, decisions)	3 years from the date of final resolution of the appeal.
Transactional email logs (Resend)	90 days from sending, then purged from Resend's systems per their retention policy; our internal records of email events (delivered/bounced/opened) are retained for 90 days.
API key hashes and metadata	Until the key is revoked or the account is deleted, at which point the hash is deleted. Usage counters and rate-limit records are purged after 90 days of key inactivity.

Account deletion. When you delete your account through your dashboard or by request to privacy@verifyugc.dev, we will remove your public profile, display name, avatar, linked platform accounts, and associated personal content within 45 days, subject to the safety-related and legally-required exceptions in this table. Certain aggregated or pseudonymized data derived from your account may be retained in our system statistics after deletion in a form that cannot reasonably be linked back to you.

Safety-related retention. Platform identifiers linked to active or recently-removed blacklist entries may be retained beyond account deletion to prevent ban evasion and to maintain the integrity of the trust network. Where we retain such data after deletion, we retain the minimum necessary and pseudonymize all personal profile fields not required for trust and safety purposes.

6. Security

We implement technical and organizational measures designed to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

Passwords are hashed using PBKDF2 with a per-user salt before storage; we never store recoverable passwords;
Sensitive tokens and credentials (such as OAuth refresh tokens) are encrypted at rest using AES-256-GCM;
All database queries use parameterized statements to prevent SQL injection;
All data in transit is protected by TLS with strict HSTS headers; the Service is served exclusively over HTTPS;
HTTP security headers including Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy are enforced on all responses;
Access to production systems is restricted to authorized personnel and logged;
API keys are hashed immediately on creation; the plaintext value is never stored.

Data breach notification. In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected users as required by Article 34 of the GDPR, to the extent such notification is required by applicable law. For users not covered by mandatory individual breach-notification laws, VerifyUGC will provide notification where it determines, in its reasonable judgment, that notification is warranted, within a timeframe deemed appropriate under the circumstances. For security concerns or to report a vulnerability, please see our security.txt.

7. Your Rights and Choices

All users. Regardless of where you are located, you can access, download, and delete much of your personal data directly from your account dashboard. You may update your profile information, submit a removal request for any connected platform account, revoke API keys, and delete your account at any time. For requests that cannot be fulfilled through the dashboard, contact privacy@verifyugc.dev. We will respond to verifiable requests within 45 days (or as required by applicable law).

EEA and UK users — GDPR/UK GDPR rights. If you are located in the European Economic Area or the United Kingdom, you have the following rights with respect to your personal data:

Right of access (Art. 15): You may request a copy of the personal data we hold about you.
Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.
Right to erasure / right to be forgotten (Art. 17): You may request deletion of your personal data, subject to our legal retention obligations and safety-related retention described in Section 5.
Right to restriction of processing (Art. 18): You may request that we restrict processing of your personal data in certain circumstances.
Right to data portability (Art. 20): You may request a machine-readable copy of personal data you provided to us where processing is based on consent or contract.
Right to object (Art. 21): You may object to processing based on legitimate interests. We will cease that processing unless we demonstrate compelling legitimate grounds that override your interests.
Rights related to automated decision-making (Art. 22): You have the right to request human review of automated trust-score decisions, as described in Section 2.
Right to lodge a complaint: You have the right to lodge a complaint with your national data protection supervisory authority. For UK users, this is the Information Commissioner's Office (ICO) at ico.org.uk. For EU users, it is your national DPA (a list is available at edpb.europa.eu).

To exercise any of these rights, contact privacy@verifyugc.dev. We may need to verify your identity before processing certain requests.

California users — CCPA/CPRA rights. If you are a California resident, you have the following rights under the California Consumer Privacy Act (as amended by the CPRA):

Right to know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the purposes for collection, and the categories of third parties to whom we disclose it.
Right to access: You may request a copy of the specific personal information we have collected about you in the preceding 12 months.
Right to delete: You may request deletion of personal information we have collected about you, subject to legal exceptions.
Right to correct: You may request correction of inaccurate personal information.
Right to opt out of sale or sharing: We do not sell or share personal information as defined under the CCPA/CPRA. No opt-out mechanism is currently required, but we will honor any opt-out request you send.
Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond those permitted under the CCPA/CPRA without your consent.
Right to non-discrimination: We will not discriminate against you for exercising any CCPA/CPRA right.

The table below describes the categories of personal information we collect, as defined under the CCPA:

CCPA category	Examples from our Service	Collected?
Identifiers	Email address, username, platform user IDs (Roblox, Discord, Epic, etc.), API key hash, IP address	Yes
Internet or other electronic network activity information	Security logs, API usage counters, request metadata, browser extension lookup logs	Yes
Commercial information	Subscription plan tier, billing status, Stripe customer ID, transaction history	Yes
Inferences drawn from personal information	Trust scores computed from account signals and community submissions	Yes
Sensitive personal information (as defined by CPRA)	None — we do not collect government IDs, precise geolocation, biometric data, financial account numbers, health/medical data, racial/ethnic origin, or communications content	No

We do not sell any of these categories and have not done so in the preceding 12 months. To submit a California rights request, contact privacy@verifyugc.dev. We will respond within 45 days (with a possible 45-day extension for complex requests).

8. International Data Transfers

VerifyUGC operates on Cloudflare's global network. As a result, your data may be processed in the United States and in other countries where Cloudflare operates data centers. Our other processors — Stripe and Resend — are also US-based entities that may process data in the United States and other jurisdictions.

For users located in the European Economic Area, the United Kingdom, or Switzerland, transfers of personal data to processors in the United States or other countries without an EU adequacy decision are made pursuant to the European Commission's Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914 for controller-to-processor transfers) or equivalent transfer mechanisms recognized under applicable law (including the UK International Data Transfer Addendum). Cloudflare, Stripe, and Resend each participate in applicable data-transfer frameworks and/or have agreed to SCCs for EEA/UK data transfers under their respective data processing agreements.

If you would like a copy of the applicable transfer safeguards or information about how to access them, please contact privacy@verifyugc.dev.

9. Children and Minimum Age

The Service is not directed to children under 13 years of age, and we do not knowingly collect personal data from children under 13. If we learn that we have collected personal data from a child under 13 without verifiable parental consent, we will delete that data promptly. Users between 13 and 17 may use the Service with the consent of a parent or legal guardian, as described in our Terms of Service.

Parental access and deletion requests. If you are a parent or legal guardian and believe your minor child has created a VerifyUGC account or provided us with personal data without appropriate consent, you may submit a verified request to privacy@verifyugc.dev to access, correct, or delete that data. To protect against unauthorized requests, we will ask you to verify your identity and your relationship to the minor before processing the request. We will respond within 45 days of receiving a complete, verified request.

Safety-related processing of minor identifiers. Because VerifyUGC processes platform identifiers submitted by community members for trust and safety purposes, some of those identifiers may relate to minor users on gaming platforms such as Roblox. We process such identifiers solely for trust and safety purposes — to protect the community from scammers and bad actors — and not for any commercial purpose. Any person (including a parent on behalf of a minor) who believes an identifier has been incorrectly listed may submit a removal request through our standard appeals process at appeals@verifyugc.dev. Where the subject of a listing is a verified minor and the basis for listing is not substantiated, we will give heightened weight to the removal request.

10. Third-Party Platforms

VerifyUGC is an independent service and is not affiliated with, endorsed by, or sponsored by Roblox Corporation, Epic Games, Inc., Discord, Inc., Microsoft Corporation (Minecraft), Google LLC, GitHub, Inc., Twitch Interactive, Inc., X Corp., or any other platform. When you interact with those platforms — for example, by linking an account or by visiting a third-party site linked from ours — those platforms' own privacy policies govern the data they hold about you. We encourage you to review each provider's privacy policy before linking your account.

11. Changes to This Policy

We may update this Privacy Policy at any time in our sole discretion to reflect changes in our data practices, applicable law, or our services. When we do, we will revise the "Last updated" date at the top of this page. We may, but are not required to, provide advance notice of changes. Where we choose to provide notice, we may do so by email to your registered address, by a notice on the Service, or by any other means we deem appropriate. Your continued use of the Service following the posting of any revised Privacy Policy constitutes your binding acceptance of the changes, regardless of whether you received notice. If you do not agree to the revised policy, your sole remedy is to stop using the Service and delete your account.

12. Contact and Data Requests

For questions about this Privacy Policy, to exercise your data rights, or to submit a data deletion or access request:
privacy@verifyugc.dev

For security vulnerability disclosures:
security.txt

For blacklist and watchlist appeals (including removal requests by or on behalf of minors):
appeals@verifyugc.dev

Cookie & analytics disclosure (the short version). VerifyUGC uses Cloudflare Web Analytics — privacy-preserving, cookieless, and with no cross-site tracking. We run no advertising trackers and no behavioral-analytics pixels. The only cookie we set is the strictly-necessary sign-in cookie described in Section 4. Trust scores, verification status, and activity data are collected and stored only as described in this policy.