therealdevshop CREATOR MARKETPLACE
Sign In

Privacy Policy

Last updated: July 2026 (v1.0 of our consent terms — see the Cookie Policy)

The Real Dev Shop ("we," "us," or "our") is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.

1. Data We Collect

When you sign in via Roblox OAuth or Discord OAuth, we receive:

  • Your user ID from the respective platform
  • Your display name and avatar URL
  • Your email address (if provided by the OAuth provider)

We also collect:

  • Purchase and order history
  • Store and product data you create as a seller
  • IP addresses and user agents for security and rate limiting
  • Download access logs for fraud prevention

2. Data We Do NOT Collect

  • Passwords — we use OAuth only
  • Payment card details — handled entirely by PayPal
  • Your Roblox or Discord password

3. How We Use Your Data

  • To provide the service (purchases, downloads, seller payouts)
  • To verify your identity for OAuth sessions
  • To send transactional notifications (order confirmations, payout updates)
  • To detect fraud and enforce our Terms of Service
  • To handle payment disputes and chargebacks — which may include automatically revoking download access to the affected products (see our Refund Policy)
  • To improve the Platform based on aggregate usage patterns

4. File Storage

All product files and images are stored in Cloudflare R2. Files are served via signed, expiring URLs — they cannot be accessed without a valid purchase. We never store product files on our web servers.

5. Cookies and Sessions

We use the following cookies. Full detail — including duration and how to change your preferences — is in our Cookie Policy.

  • PHPSESSID (strictly necessary) — keeps you logged in and protects forms with a CSRF token. HttpOnly, Secure, SameSite=Lax. No consent required.
  • rds_vid (functional) — prevents the same browser from inflating a product's view count within an hour. Persisted for 30 days only if you grant functional consent; otherwise it is limited to your current browser session. HttpOnly, Secure, SameSite=Lax.
  • trds_consent_token (functional) — remembers your cookie preference choice before you've created an account, so we don't ask again on every visit. 12 months, HttpOnly, Secure, SameSite=Lax.

If you grant analytics consent, we also set trds_aid — an anonymous identifier used to give sellers aggregate traffic insights for their store (visitor counts, referrer/ device/country breakdowns). It is never linked to your account or shown to a seller in a way that identifies you, and is deleted immediately if you withdraw analytics consent. We do not currently use any marketing or advertising cookies.

You can review or change your choices at any time on the Cookie Preferences page.

6. Lawful Basis for Processing

Where GDPR, UK GDPR, or POPIA apply, we rely on the following lawful bases:

  • Contract — account creation, order processing, seller payouts.
  • Legitimate interest — session management, download logs and fraud prevention, rate limiting, and the rds_vid anti-abuse view counter when functional consent has not been declined.
  • Consent — the persistent (30-day) version of rds_vid once you explicitly decline functional consent and later opt back in, and any future analytics or marketing processing.
  • Legal obligation — retaining order and tax-relevant records.

7. Third Parties

  • PayPal — payment processing (buyer checkout, refunds, chargebacks). Subject to PayPal's Privacy Statement.
  • Wise / PayPal — seller payout processing.
  • Cloudflare — CDN, DDoS protection, R2 file storage. Subject to Cloudflare's Privacy Policy.
  • Roblox / Discord — OAuth login only. We do not share your data back with these platforms.
  • Supabase — database hosting. Data is stored in their managed PostgreSQL service.
  • Resend — transactional email delivery (order confirmations, payout updates, support replies).

We do not sell your personal data to any third party. Some of these providers may process data outside your country of residence; where required, transfers rely on the provider's standard contractual clauses or an applicable adequacy decision.

8. Data Retention

DataRetention
Account dataDuration of account, plus 30 days after deletion
Order records7 years (legal/accounting obligation)
Download logs2 years (fraud prevention)
Cookie consent records7 years (legal compliance — kept even after account deletion, with the account link removed)
Raw analytics events (consent-gated)30 days rolling, then deleted — only aggregated, non-personal totals are kept after that
Session data30 days of inactivity

You may request deletion of your account and associated personal data by contacting support — legal retention requirements may prevent full deletion of order and consent records.

9. Your Rights

Depending on your location, you may have some or all of the following rights over your personal data:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate data (your display name is editable in account settings).
  • Erasure — request deletion of your account and personal data, subject to the retention schedule above.
  • Restriction — ask us to limit processing of your data in certain circumstances.
  • Portability — receive your data in a machine-readable format.
  • Objection — object to processing based on legitimate interest, including by withdrawing cookie consent at any time on the Cookie Preferences page.
  • CCPA/CPRA (California) — the right to know, delete, and opt out of the sale or sharing of personal information. We do not sell or share personal information; see "Do Not Sell or Share My Personal Information" in the footer.
  • POPIA (South Africa) — equivalent rights of access, correction, and deletion. Our Information Officer can be reached through the Platform's support channel.

To exercise any of these rights, contact us through the Platform. We will respond within the timeframe required by applicable law (GDPR: 30 days; CCPA: 45 days; POPIA: a reasonable time).

10. Security

We implement industry-standard security measures: HTTPS-only, HttpOnly session cookies, CSRF protection on all forms, prepared SQL statements to prevent injection, and rate limiting on all API endpoints. However, no system is 100% secure.

11. Children

The Platform is not directed at children under 13 (or the minimum age required by your jurisdiction). If you believe a child has provided us with personal data without appropriate consent, contact us so we can remove it.

12. Contact

Privacy concerns? Contact us through the Platform or via email listed in your account settings.