BuxyBuxy

Privacy Policy

Last Updated: May 19, 2026

1. Introduction

Buxy ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you access our website and application (the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Data Controller

The data controller responsible for your personal data is Andrea, contactable at support@buxyapp.com.

3. Data We Collect

We collect information that identifies, relates to, describes, or could reasonably be linked to you ("Personal Data").

  • Account Data: Roblox username, Roblox user ID, display name, and avatar URL. If you link an OAuth provider (Google, Discord), we store the associated email address.
  • Technical Data: IP address, browser type, device information, operating system, and access times.
  • Usage Data: Offer completions, survey responses, reward history, transaction records, and quest progress.
  • Device Fingerprint: We use FingerprintJS to generate a unique device identifier for fraud prevention. This does not collect personal information but creates a hash based on browser and device characteristics.
  • Cookies & Local Storage: We use cookies and similar technologies to manage authentication, track activity, store preferences, and analyze usage. See our Cookie Policy for details.

4. How We Use Your Data

We process your data for the following legitimate business purposes:

  • Service Delivery: To provide, operate, and maintain the Service, including processing transactions, rewards, and Robux redemptions via Roblox gamepasses.
  • Authentication: To verify your identity using Supabase Auth with secure httpOnly cookies.
  • Fraud Prevention: To detect and prevent fraudulent activities, including the use of VPNs, multi-accounting, bots, and device manipulation, using FingerprintJS and server-side analysis.
  • Error Tracking: To monitor and fix technical issues using Sentry (under legitimate interest — essential for service reliability).
  • Analytics: To analyze usage patterns and improve user experience using Google Analytics and PostHog (with your consent). PostHog may record anonymized session replays to help us identify usability issues — all text inputs are masked by default.
  • Push Notifications: To send you optional web push notifications (daily bonuses, reward reminders) via Webpushr. You can subscribe or unsubscribe at any time through your browser settings.
  • Communication: To send you security alerts and administrative messages related to your account.

5. Sharing Your Data (Third Parties)

Offerwall Partners: We share your User ID and IP address with third-party offerwall partners — currently Kiwiwall, Timewall, TheoremReach, and CPX Research — to attribute rewards to your account when you complete offers and surveys. Without this data sharing, reward tracking is impossible. By using these features, you explicitly consent to this data transfer.

We may also share data with:

  • Infrastructure Providers: Supabase (authentication, database, realtime), Cloudflare (CDN, hosting, DDoS protection, Turnstile CAPTCHA).
  • Analytics Providers: Google Analytics and PostHog (only with your consent via our cookie banner). PostHog session replays mask all text inputs and elements marked as private.
  • Push Notifications: Webpushr (processes a push subscription token to deliver browser notifications). No personal data beyond the browser-generated token is shared.
  • Error Tracking: Sentry (processes error data including IP address and browser info for debugging).
  • Fraud Prevention: FingerprintJS (device fingerprinting, under legitimate interest — essential for protecting the reward system).
  • Legal Authorities: If required by law or to protect our rights (e.g., responding to a subpoena).

6. Data Retention

We retain your data for the following periods:

  • Account Data: Until you request deletion or after 12 consecutive months of inactivity, at which point your account and associated data will be permanently deleted.
  • Transaction History: 24 months after account deletion, retained for fraud dispute resolution.
  • Security Logs (IP, device): 6 months, for fraud detection purposes.
  • Analytics Data: 26 months (Google Analytics default retention period).
  • Support Communications: 12 months after resolution.

7. International Data Transfers

Your information, including Personal Data, is processed at our operating offices and in any other places where the parties involved in the processing are located. This means your data may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where data protection laws may differ from those in your jurisdiction.

8. Your Rights (GDPR & CCPA)

Depending on your location, you may have the following rights regarding your personal data:

  • Right to Access: You can request copies of your personal data.
  • Right to Rectification: You can request that we correct any information you believe is inaccurate.
  • Right to Erasure ("Right to be Forgotten"): You can request that we erase your personal data, subject to certain exceptions (e.g., legal retention requirements).
  • Right to Restrict Processing: You can request that we restrict the processing of your personal data.
  • Right to Data Portability: You can request that we transfer the data we have collected to another organization, or directly to you.
  • Right to Withdraw Consent: You can withdraw your consent for analytics cookies at any time via our cookie banner.

To exercise any of these rights, please contact us at support@buxyapp.com. We will respond within 30 days.

9. Data Security

We use administrative, technical, and physical security measures to help protect your personal information. Authentication tokens are stored in httpOnly, Secure cookies and are never exposed to client-side JavaScript. All data in transit is encrypted via HTTPS. However, no electronic transmission over the Internet can be guaranteed to be 100% secure.

10. Children's Privacy

Our Service is not intended for anyone under the age of 16. We do not knowingly collect personally identifiable information from anyone under 16. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us at support@buxyapp.com and we will take steps to remove that information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this page periodically for any changes.

12. Contact Us

If you have questions or comments about this policy, or wish to exercise your data rights, please contact us at support@buxyapp.com.