◈ Legal

Privacy Policy

Effective April 18, 2026 · Initial version

This is the complete and honest list of what data RosettaScript collects, why we collect it, who we share it with, and how you can get rid of it. We're a small team building a focused tool — we don't want any more of your data than we need to run the service, and we've tried to write this in plain English rather than legalese.

01 Who we are

RosettaScript is operated by Cloudbridge, LLC, a limited liability company registered in the State of Texas, USA, doing business as GridBridge Labs. We're the data controller for any information you provide to RosettaScript at rosettascript.com, at dev-api.rosettascript.com, or through our in-world vendor terminals in Second Life.

For anything privacy-related — questions, corrections, deletion requests, or complaints — reach us at info@gridbridgelabs.com. We're based in Austin, Texas; our mailing address is available on request.

02 Data we collect

We collect only what we need to run the service. Here's the full list.

Account data

Email address, from your Google account via Firebase Authentication when you sign in. Used to identify your account and, rarely, to contact you about it.
Display name, if Google provides one.

Avatar data (if you use the in-world vendor)

Second Life avatar key — a UUID stable to your SL identity — so we can credit L$ purchases to the right account.
Avatar display name, as shown on purchase receipts and your history page.

Conversion data

The LSL source you submit for conversion.
The SLua output we produce (Tier 1 mechanical and/or Tier 2 AI-refined).
Line-by-line explanations returned by the AI for Tier 2 conversions.
Timestamps, line counts, and token counts for each conversion — so we can show you your history and track our own API cost.

Payment data

Stripe customer, session, and payment-intent IDs — pointers we use to correlate a payment with your account.
Tier and amount for every purchase.
L$ transaction IDs and amounts for in-world purchases.
We never receive or store your credit card number — Stripe processes that on their side and shows us only the identifiers we need.

Technical data

IP address, logged on every API request for security, abuse prevention, and debugging. Server logs are rotated after 90 days.
Device fingerprint hash — a SHA-256 hash of browser locale, screen dimensions, timezone, and CPU core count. Computed in your browser; only the 64-character hash is sent to us. Used to detect repeated signup-bonus claims from the same device.
Firebase authentication session tokens, which keep you signed in. Managed by Firebase.

What we don't collect

Location data beyond the coarse approximation your ISP exposes via IP.
Tracking pixels, advertising identifiers, or cross-site cookies.
Biometric or health data.
Credit card numbers.
Analytics about which pages you visit or how you use the site, beyond what Firebase Auth itself logs to keep sessions working.

03 How we use it

To run the conversion service. We have to see your LSL to convert it, and we store your conversions so you can re-download them later.
To process payments. We pass purchase-related identifiers to Stripe so they can charge your card. For L$ purchases, we verify the amount server-side and credit your account.
To prevent abuse. Signup-bonus grants, rate limits, and duplicate-payment detection rely on IP and fingerprint data.
To support you. When you email us at info@gridbridgelabs.com, we may look up your account to help.

We do not use your data to train AI models, sell advertising, build marketing profiles, or share it with third parties beyond the processors listed below.

04 Third-party processors

When you use RosettaScript, these companies may process your data on our behalf. Each is bound by their own privacy policies; we direct data to them only as needed to run the service.

Processor	What we send	Why
Google Firebase Google LLC, USA	Email, auth tokens, session metadata	Authentication — signing you in via your Google account
Stripe Stripe, Inc., USA	Email, payment amount, product selected	Credit card payment processing for USD Pro-tier purchases
Anthropic Anthropic, PBC, USA	Your LSL source and our Tier 1 SLua output (Tier 2 conversions only)	AI-powered refinement via the Claude API
Postmark ActiveCampaign, LLC, USA	Email address (future — not currently wired)	Transactional email (receipts, account notifications)

About Anthropic and Claude. When you run a Tier 2 conversion, your LSL source and our Tier 1 output are sent to Anthropic's Claude API so the model can produce a more idiomatic SLua refinement. Anthropic's current API policy does not use API-submitted data for model training. If that policy changes, we'll update this notice and let you know.

05 Data retention

Conversion history: kept indefinitely. It's part of the product — you can return to rosettascript.com/history at any time and re-download past outputs. If you want it deleted, see §6.
Account data (email, avatar key): kept as long as your account is active. On deletion, removed within 30 days.
Payment records: kept for at least 7 years where required by tax and accounting law. Stripe also retains its own copy on its own schedule.
Server logs (requests, IPs): rotated after 90 days.
Signup-bonus metadata (fingerprint hash, IP at signup): kept for 2 years to support abuse detection across multiple accounts.

06 Your rights

Regardless of where you live, you can:

Access — email us and we'll send you everything we have on your account in a readable format.
Delete — email us and we'll remove your account, conversion history, payment pointers (where legally permitted), and related metadata.
Export — your conversion history is already downloadable directly from the site via Copy, Download .lua, and Download report buttons.
Correct — email us if anything is wrong.
Object or restrict — we mostly only process data to operate the service, but if you have a specific concern, email us and we'll work it out.

We respond to rights requests within 30 days. No charge. Reach us at info@gridbridgelabs.com.

07 Cookies & tracking

The only cookies RosettaScript sets are Firebase Authentication session cookies, which keep you signed in. They're first-party, expire when you sign out or after Firebase's session timeout, and aren't used for tracking.

We do not set tracking cookies, third-party cookies, ad cookies, Google Analytics, Facebook Pixel, or any advertising SDKs. Because we don't track you, we don't specifically honor or reject "Do Not Track" signals — there's nothing to turn on or off.

08 California / GDPR

California residents (CCPA / CPRA): we do not sell your personal information. We don't rent, trade, or otherwise monetize it beyond sending it to the service processors listed in §4. You have the rights described in §6, enforceable under California law. You may designate an authorized agent to make requests on your behalf.

EU / UK residents (GDPR / UK GDPR): you have the same rights in §6 plus the right to lodge a complaint with your local data protection authority. Our legal basis for processing is the performance of a contract (running the conversion service you signed up for) and legitimate interest (preventing abuse). Processing happens in the USA; by using the service you consent to that transfer.

09 Contact

Privacy questions, complaints, or data-rights requests:

Email: info@gridbridgelabs.com
Company: Cloudbridge, LLC dba GridBridge Labs
Address: Austin, Texas, USA (mailing address available on request)

We're a small team. Expect a human reply within a few business days.

10 Changes to this policy

We'll post updated versions here and bump the "Effective" date at the top. For material changes — new processors, different retention, new data categories, anything that meaningfully changes what we do with your data — we'll also notify you by email or via an in-app banner before the change takes effect.