Privacy Policy
The Real Dev Shop ("we," "us," or "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.
1. Data We Collect
When you sign in via Roblox OAuth or Discord OAuth, we receive:
- Your user ID from the respective platform
- Your display name and avatar URL
- Your email address (if provided by the OAuth provider)
We also collect:
- Purchase and order history
- Store and product data you create as a seller
- IP addresses and user agents for security and rate limiting
- Download access logs for fraud prevention
2. Data We Do NOT Collect
- Passwords — we use OAuth only
- Payment card details — handled entirely by PayPal
- Your Roblox or Discord password
3. How We Use Your Data
- To provide the service (purchases, downloads, seller payouts)
- To verify your identity for OAuth sessions
- To send transactional notifications (order confirmations, payout updates)
- To detect fraud and enforce our Terms of Service
- To handle payment disputes and chargebacks — which may include automatically revoking download access to the affected products (see our Refund Policy)
- To improve the Platform based on aggregate usage patterns
4. File Storage
All product files and images are stored in Cloudflare R2. Files are served via signed, expiring URLs — they cannot be accessed without a valid purchase. We never store product files on our web servers.
5. Cookies and Sessions
We use the following cookies. Full detail — including duration and how to change your preferences — is in our Cookie Policy.
PHPSESSID(strictly necessary) — keeps you logged in and protects forms with a CSRF token. HttpOnly, Secure, SameSite=Lax. No consent required.rds_vid(functional) — prevents the same browser from inflating a product's view count within an hour. Persisted for 30 days only if you grant functional consent; otherwise it is limited to your current browser session. HttpOnly, Secure, SameSite=Lax.trds_consent_token(functional) — remembers your cookie preference choice before you've created an account, so we don't ask again on every visit. 12 months, HttpOnly, Secure, SameSite=Lax.
If you grant analytics consent, we also set trds_aid — an anonymous
identifier used to give sellers aggregate traffic insights for their store (visitor counts, referrer/
device/country breakdowns). It is never linked to your account or shown to a seller in a way that
identifies you, and is deleted immediately if you withdraw analytics consent. We do not currently use
any marketing or advertising cookies.
You can review or change your choices at any time on the Cookie Preferences page.
6. Lawful Basis for Processing
Where GDPR, UK GDPR, or POPIA apply, we rely on the following lawful bases:
- Contract — account creation, order processing, seller payouts.
- Legitimate interest — session management, download logs and fraud prevention,
rate limiting, and the
rds_vidanti-abuse view counter when functional consent has not been declined. - Consent — the persistent (30-day) version of
rds_vidonce you explicitly decline functional consent and later opt back in, and any future analytics or marketing processing. - Legal obligation — retaining order and tax-relevant records.
7. Third Parties
- PayPal — payment processing (buyer checkout, refunds, chargebacks). Subject to PayPal's Privacy Statement.
- Wise / PayPal — seller payout processing.
- Cloudflare — CDN, DDoS protection, R2 file storage. Subject to Cloudflare's Privacy Policy.
- Roblox / Discord — OAuth login only. We do not share your data back with these platforms.
- Supabase — database hosting. Data is stored in their managed PostgreSQL service.
- Resend — transactional email delivery (order confirmations, payout updates, support replies).
We do not sell your personal data to any third party. Some of these providers may process data outside your country of residence; where required, transfers rely on the provider's standard contractual clauses or an applicable adequacy decision.
8. Data Retention
| Data | Retention |
|---|---|
| Account data | Duration of account, plus 30 days after deletion |
| Order records | 7 years (legal/accounting obligation) |
| Download logs | 2 years (fraud prevention) |
| Cookie consent records | 7 years (legal compliance — kept even after account deletion, with the account link removed) |
| Raw analytics events (consent-gated) | 30 days rolling, then deleted — only aggregated, non-personal totals are kept after that |
| Session data | 30 days of inactivity |
You may request deletion of your account and associated personal data by contacting support — legal retention requirements may prevent full deletion of order and consent records.
9. Your Rights
Depending on your location, you may have some or all of the following rights over your personal data:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data (your display name is editable in account settings).
- Erasure — request deletion of your account and personal data, subject to the retention schedule above.
- Restriction — ask us to limit processing of your data in certain circumstances.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest, including by withdrawing cookie consent at any time on the Cookie Preferences page.
- CCPA/CPRA (California) — the right to know, delete, and opt out of the sale or sharing of personal information. We do not sell or share personal information; see "Do Not Sell or Share My Personal Information" in the footer.
- POPIA (South Africa) — equivalent rights of access, correction, and deletion. Our Information Officer can be reached through the Platform's support channel.
To exercise any of these rights, contact us through the Platform. We will respond within the timeframe required by applicable law (GDPR: 30 days; CCPA: 45 days; POPIA: a reasonable time).
10. Security
We implement industry-standard security measures: HTTPS-only, HttpOnly session cookies, CSRF protection on all forms, prepared SQL statements to prevent injection, and rate limiting on all API endpoints. However, no system is 100% secure.
11. Children
The Platform is not directed at children under 13 (or the minimum age required by your jurisdiction). If you believe a child has provided us with personal data without appropriate consent, contact us so we can remove it.
12. Contact
Privacy concerns? Contact us through the Platform or via email listed in your account settings.