Privacy Policy
Information We Collect
OPBrainrots is operated by OPBrainrots LLC, a New Jersey limited liability company, which is the data controller responsible for your personal data under this policy. When you use OPBrainrots.com ("the Site"), we may collect the following information:
- Roblox Username — provided by you so we can deliver purchased items to the correct in-game account.
- Email Address — provided when you contact support, create an account, or subscribe to notifications.
- Discord ID — if you log in via Discord OAuth for account access or admin features.
- Order Information — records of items purchased, order IDs, timestamps, and delivery status.
- Device & Browser Data — IP address and browser user-agent, stored with your order and retained as fraud/chargeback-defense evidence, plus basic analytics collected automatically when you visit the Site.
- Delivery recording — a short screen recording of the in-game trade window (the items being added and the trade completing) is captured as proof of fulfillment. It does not include player avatars, usernames, or chat. A blurred copy may be shown publicly on our site or Discord as delivery proof; the recording is retained for about six months for dispute defense.
How We Use Your Information
We use the information we collect for the following purposes:
- To deliver purchased in-game items to your Roblox account.
- To process and track your orders.
- To respond to support inquiries and resolve disputes.
- To send order confirmations and delivery notifications (if you provided an email).
- To prevent fraud and protect the integrity of our delivery system.
- To improve our Site and services through anonymous usage analytics.
We will never sell your personal information to third parties for marketing or advertising purposes.
Payment Processing
All payments on OPBrainrots are processed by a PCI Level 1 certified payment processor — the highest level of security certification in the payments industry.
- Your card details are entered directly into the processor’s secure payment form.
- We never see, store, or have access to your full card number or CVV.
- The processor handles all payment security, encryption, and compliance.
- We only receive a confirmation of whether the payment succeeded or failed, along with a transaction ID.
The active payment processor is disclosed at checkout. For the processor’s own privacy practices, see their privacy policy linked from the checkout page.
Cookies & Analytics
The Site uses cookies and similar technologies for the following purposes:
- Session Cookies — to keep you logged in and maintain your cart during your visit.
- Preference Cookies — to remember your theme choice (light/dark mode) and selected Roblox account.
- Security Cookies — Cloudflare Turnstile uses cookies for bot protection on our contact form.
We do not use third-party advertising cookies or tracking pixels. We do not run ads on the Site.
Data Sharing
We only share your information with third parties (“processors”) when necessary to operate the Site:
- Our payment processor — payment processing (receives your payment details directly). The active processor is disclosed at checkout.
- Cloudflare — site performance, security, bot protection (Turnstile), and storage of delivery recordings.
- Resend — email delivery for order notifications, support replies, and promotional emails.
- Turso & Upstash — database and cache hosting for your account and order data.
- Anthropic — powers our automated support assistant, which may process the contents of a support ticket you send (and the related order) to draft a reply. Anthropic acts as a processor and does not train on this data.
We do not sell, rent, or share your personal data with advertisers, data brokers, or any other third parties beyond what is listed above.
Children's Privacy
OPBrainrots sells items for a game commonly played by children. We recognize this responsibility and take the following measures:
- We collect only the minimum information needed to fulfill orders (Roblox username).
- We do not require children to create accounts or provide personal details.
- Payment must be completed by an adult (credit/debit card holder).
- If you are a parent and believe your child has submitted personal information without your consent, please contact us and we will promptly delete it.
Data Retention
We retain your data for as long as necessary to provide our services and fulfill legal obligations:
- Order records — retained for dispute resolution and accounting purposes.
- Delivery recordings — retained as proof of fulfillment.
- Support tickets — retained for as long as the inquiry is active, then archived.
- Account data — retained until you request deletion.
If you wish to have your data deleted, please contact us with your request.
Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Correction — request correction of inaccurate data.
- Deletion — request that we delete your personal data.
- Portability — request your data in a portable format.
To exercise any of these rights, email us at [email protected] or use our contact form.
Security
We take reasonable measures to protect your information, including:
- HTTPS encryption on all pages.
- Secure, signed session cookies.
- Payment processing handled entirely by a PCI Level 1 certified processor.
- Cloudflare protection against DDoS and bot attacks.
While we strive to protect your data, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but will notify you promptly in the unlikely event of a data breach.
Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will revise the "Last Updated" date at the top of this page. Continued use of the Site following any updates constitutes your acceptance of the revised policy.
For questions about this Privacy Policy, please contact us at [email protected].
GDPR & EU Resident Rights
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent laws:
- Right of access — obtain confirmation that we process your data and request a copy.
- Right to rectification — have inaccurate personal data corrected.
- Right to erasure ("right to be forgotten") — request deletion of your personal data where there is no overriding legitimate interest for us to keep it.
- Right to data portability — receive your personal data in a structured, machine-readable format.
- Right to restriction of processing — ask us to limit how we process your data in certain circumstances.
- Right to object — object to certain types of processing, including direct marketing.
- Right to withdraw consent — where processing is based on your consent, withdraw that consent at any time.
- Right to lodge a complaint — with your local data-protection supervisory authority.
To exercise any of these rights, contact us at [email protected]. We respond to verifiable requests within 30 days as required by GDPR Article 12.
Our legal basis for processing your data is (a) performance of a contract (order fulfillment), (b) legitimate interests (fraud prevention, platform security, analytics improvement), (c) compliance with legal obligations (tax records, AML), and (d) consent (marketing emails, optional cookies).
Breach Notification
In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify affected users without undue delay and, where required by law (including GDPR Articles 33 and 34), within 72 hours of becoming aware of the breach.
- Provide notice via the email address associated with your account, describing the nature of the breach, the data affected, likely consequences, and steps we are taking to mitigate it.
- Notify the relevant supervisory authorities where required by applicable law.
International Data Transfers
OPBrainrots is operated from the United States. If you access the Site from outside the U.S., your personal data may be transferred to, processed in, and stored in the United States. Our service providers (e.g. payment processors, email delivery, hosting) may also be located in or transfer data to other jurisdictions.
For data transfers from the EEA, UK, or Switzerland to the U.S., we rely on Standard Contractual Clauses approved by the European Commission as the legal mechanism for transfer where required. Where our service providers are located outside the EEA, we ensure adequate protections are in place by contract.
By using the Site, you consent to these transfers.
