Safety & Security

Last updated: July 15, 2026

BloxPilot is designed to add server and social tools to Roblox without asking for your Roblox password or authentication cookies. This page explains the boundaries users should expect and how to report a problem safely.

Never share Roblox credentials with BloxPilot

BloxPilot does not ask for, collect, or store Roblox passwords, browser cookies, or .ROBLOSECURITY values. Do not send those secrets in a support email, screenshot, diagnostic file, or security report.

Optional account-based Pro access uses Roblox's authorization page and the minimum identity scope. BloxPilot receives the permanent numeric Roblox user ID after authorization; OAuth access and refresh tokens are discarded or revoked after that identity check and are not stored in the subscription database.

Payments stay on Stripe

Checkout, payment-method changes, invoices, and cancellation are handled on Stripe-hosted pages. BloxPilot does not receive or store full card numbers, card security codes, or bank-login credentials. Open billing pages from BloxPilot settings, and check the address before entering payment information.

Local data and browser permissions

The extension stores settings, history, watchlists, cached feature data, and diagnostics in the browser profile. Permissions are used to run requested BloxPilot features on supported Roblox pages, call the Roblox endpoints those features need, show optional notifications, and connect to the BloxPilot subscription service. BloxPilot does not use these permissions to sell browsing history or build an advertising profile.

Use BloxPilot settings to turn optional features off, clear supported local histories and caches, or limit notifications. Uninstalling the extension stops it from running, although the browser may retain extension data according to the browser's own removal behavior.

Analytics boundaries

BloxPilot's analytics are limited to product milestones and bounded website engagement described in the Privacy Policy. The website holds only a recent-activity timestamp in memory to avoid counting idle visible tabs; it does not record cursor coordinates, clicked-element details, key values, scroll position, page text, query strings, Roblox usernames, friend graphs, passwords, authentication cookies, or complete browsing URLs.

Raw analytics events are retained for 180 days and then deleted. Analytics requests pass through Cloudflare's delivery and security layer, which processes ordinary request metadata such as IP address and request headers. For website page views only, the Worker may retain Cloudflare's country and first-level state, province, or region for aggregate audience reporting; other website and all extension events are not location-enriched. Regions are hidden for groups under three distinct website visitors. This location is approximate and can be affected by VPNs or network routing. BloxPilot does not retain the request IP address, city, coordinates, or full request headers, and the site does not request GPS or browser-geolocation access.

Extension telemetry is not enriched with country or region and sends no client location. It is off by default on supported Chromium builds and begins only after the user opts in from BloxPilot's Storage & Privacy settings. Firefox product telemetry remains disabled so this release adds no Firefox analytics data-collection permission. Turning extension telemetry off clears queued events without changing features, billing, or subscription access. The analytics-only ID is separate from the subscription and billing credential.

Server information is decision support

Server region, distance, latency, score, player count, age, and availability signals can be incomplete or change. BloxPilot helps compare available choices; it cannot guarantee a particular server, network route, ping, or game performance. Do not treat an estimate as a safety or availability guarantee.

Protect younger players

If you manage a younger player's browser, review BloxPilot's permissions, notification settings, local-data controls, and optional Pro access together. Keep browser-store and Stripe account access under the control of the responsible account holder, and never share Roblox credentials with an extension or support contact.

Report a security concern

Email customerreplytemplates@gmail.com with the subject BloxPilot security report. Include the browser, BloxPilot version, affected page or feature, approximate time, steps to reproduce, and the impact you observed. Remove unrelated personal information and never include passwords, full card details, private keys, access tokens, or Roblox authentication cookies.

For a suspected vulnerability, give BloxPilot reasonable time to investigate before publishing details that could put users at risk. For an immediate Roblox-account concern, use Roblox's official account-security and support channels.

Independent product

BloxPilot is independent and is not affiliated with, endorsed by, sponsored by, or officially partnered with Roblox, RoPro, RoGold, Microsoft, Google, Stripe, or another third party. Product and company names belong to their respective owners.