Security

How we handle your Roblox data.

RoProfit was built around a simple principle: your Roblox login stays on your computer. Our servers never see your password and never see your .ROBLOSECURITY cookie. RoProfit Desktop talks to Roblox locally using the signed-in session inside the app.

No password handling, ever

We sign you in with the official Roblox OAuth flow. You enter your password on roblox.com, not on roprofit.app. We receive only a short-lived access token plus your Roblox user id.

Your .ROBLOSECURITY cookie never leaves your computer

Some Roblox creator analytics data isn't available via Open Cloud and requires a logged-in session. RoProfit Desktop reads it locally in its isolated app browser and sends RoProfit only normalized dashboard rows and aggregated totals.

Read-only by design

RoProfit Desktop does not write to your account. It never purchases, posts, messages, or modifies anything on Roblox. It only reads.

Bearer tokens, hashed at rest

When you connect RoProfit Desktop we issue an opaque bearer token. Only a SHA-256 hash of that token is stored in our database. If our DB ever leaked, an attacker would have hashes, not usable tokens.

Minimal data, retained briefly

We store the bare minimum to power your dashboard: per-day per-game earnings totals, payout split metadata, a profile row, your OAuth tokens, and the hashed desktop token. Data is purged 90 days after you disconnect. You can request earlier deletion from the Settings page.

Reporting a vulnerability

Found a security issue? Email security@roprofit.app with reproduction steps. We'll get back to you within two business days and won't take legal action against good-faith research.

See also: Privacy policy · Docs