Privacy Policy
ROBA Platform
Last Updated: October 3, 2025
Effective Date: October 3, 2025
Table of Contents
Introduction and Controller Identity
Information We Collect
How We Use Your Information
How We Share Your Information
Data Retention
Data Security and Breach Notification
Your Rights and Choices
Regional Privacy Rights
International Data Transfers
Children's Privacy
Third-Party Links and Services
Blockchain and Tokenization
Updates to This Privacy Policy
Contact Us
Specific Data Practices
Cookies and Similar Technologies (Detailed)
1. Introduction and Controller Identity
Welcome to ROBA. This Privacy Policy explains how RobaLabs ("RobaLabs," "we," "us," or "our"), collects, uses, discloses, and protects your personal information when you use our robotics development platform and related services ("Service").
We are committed to protecting your privacy and being transparent about our data practices. Please read this policy carefully.
Data Protection Officer: dpo@roba.com
2. Information We Collect
2.1 Information You Provide
Account Information
Name and username
Email address
Password (encrypted)
Profile information (bio, profile picture, affiliations)
Payment information (processed by third-party payment processors)
User Content
Robotics models, algorithms, and code
Simulation worlds and 3D assets
Datasets and evaluation packs
Documentation, technical reports, and descriptions
Videos and demonstration materials
Comments, forum posts, and community contributions
Challenge Submissions
Source code and implementation details
Benchmark results and evaluation metrics
Technical documentation and approach explanations
Demonstration videos
Communications
Messages sent through our platform
Support requests and feedback
Survey responses
2.2 Information Collected Automatically
Usage Data
Pages visited and features used
Time spent on platform
Simulation sessions and compute usage
Marketplace browsing and transaction history
Challenge participation and performance
Template and asset downloads
Device and Technical Information
IP address
Browser type and version
Operating system
Device identifiers
Referring/exit pages
Date and time stamps
Cookies and Tracking Technologies
We use the following types of cookies:
Essential cookies: Required for authentication and core functionality
Preference cookies: Remember your settings and choices
Analytics cookies: Help us understand usage patterns (non-essential)
Performance cookies: Optimize platform performance (non-essential)
Google Analytics
We use simple Google Analytics to understand usage. In the EEA/UK, analytics only runs after you consent in Cookie Settings.
In the EEA/UK, we only set non-essential cookies (analytics, marketing) after your consent. You can manage your choices anytime via Cookie Settings.
Consent Records: We log your cookie consent choices and preferences, including the date, time, and categories you accepted or declined. You may review and update your choices at any time through our Cookie Settings panel.
2.3 Information from Third Parties
Authentication Providers: When you sign in with third-party services (Google, GitHub, etc.)
Payment Processors: Transaction confirmation and payment status
Educational Institutions: Verification of student/educator status (with consent)
Enterprise Partners: For enterprise accounts and integrations
3. How We Use Your Information
We use collected information for the following purposes, as detailed in Section 8 (Legal Bases):
3.1 Service Provision
Create and manage your account
Provide access to simulation, templates, and Creator Hub
Process marketplace transactions and royalty payments
Administer challenges and distribute rewards
Calculate reputation scores and leaderboard rankings
Facilitate talent pool and matchmaking services
3.2 Communication
Send service-related notifications
Respond to support requests
Notify you about challenges, updates, and opportunities
Send marketing communications (with consent)
Deliver educational content and course materials
3.3 Improvement and Development
Analyze usage patterns to improve the Service
Develop new features and capabilities
Conduct research and analytics
Test and optimize platform performance
Debug technical issues
3.4 Security and Fraud Prevention
Detect and prevent fraudulent submissions
Protect against spam and abuse
Enforce our Terms of Service
Verify identity for substantial rewards (KYC)
Maintain platform integrity
3.5 Legal and Compliance
Comply with legal obligations
Respond to lawful requests from authorities
Enforce our rights and protect our interests
Resolve disputes
4. How We Share Your Information
4.1 Public Information
Certain information is publicly visible by default:
Your username and profile information (unless set to private)
User Content you choose to make public
Challenge submissions and rankings on leaderboards
Marketplace listings
Community forum posts and comments
Reputation scores and badges
You control the visibility of much of this information through your privacy settings.
4.2 With Other Users
When you participate in challenges or share content
When enterprises search the talent pool (controlled access)
When you collaborate on projects
4.3 With Service Providers
We use third-party vendors to host the Service, process payments, send emails, and provide analytics. They may only use your information to perform services on our behalf. We do not publish a sub-processor list at this time.
4.4 With Enterprise Partners
For enterprise pilots and collaboration opportunities
When you apply for jobs through our talent pool
For co-branded challenges and sponsored competitions
4.5 For Legal Reasons
We may disclose information when required by law or when we believe disclosure is necessary to:
Comply with legal process or government requests
Enforce our Terms of Service
Protect the rights, property, or safety of RobaLabs, users, or the public
Prevent fraud or security threats
4.6 Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will provide notice before your information is transferred and becomes subject to a different privacy policy.
4.7 With Your Consent
We may share information for purposes not described in this policy with your explicit consent.
4.8 Selling and Sharing of Personal Information
We do not sell your personal information for monetary consideration. We do not "share" personal information for cross-context behavioral advertising as defined by the CCPA/CPRA.
5. Data Retention
We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy. See Section 8 (Annex) for retention periods by data category.
Account Information: Retained while your account is active and for 90 days after closure for operational purposes, then 7 years for legal compliance
User Content: Retained according to your settings; deleted content may persist in backups for up to 90 days
Transaction Records: Retained for accounting and legal compliance (typically 7 years)
Analytics Data: Aggregated and anonymized analytics may be retained indefinitely
You may request deletion of your information subject to legal and operational requirements.
6. Data Security and Breach Notification
6.1 Security Measures
We implement technical and organizational measures to protect your information:
Encryption in transit (TLS/SSL)
Encryption at rest for sensitive data
Access controls and authentication
Regular security audits and penetration testing
Employee training on data protection
Incident response procedures
Identity verification for high-value transactions (KYC)
KYC Data: For large payouts, substantial rewards, or enterprise verification, we may collect government-issued ID images or numbers via a trusted verification provider. We store only what is necessary, encrypt KYC data at rest, apply strict access controls, and delete non-required artifacts after verification is complete per our retention schedule (typically 7 years for compliance, then purged).
6.2 Breach Notification
In the event of a data breach that affects your personal information, we will provide timely notification as required by applicable law, including information about the nature of the breach and steps you can take to protect yourself.
6.3 Security Reports and Responsible Disclosure
To report security vulnerabilities, please contact: security@roba.com
Safe Harbor: We authorize good-faith security research within the following scope:
Testing your own accounts or with explicit permission from account owners
Not accessing, modifying, or exfiltrating other users' data
Not performing denial-of-service attacks or degrading service performance
Reporting findings privately to security@roba.com before public disclosure
We will not pursue legal action against researchers who comply with this policy and act in good faith.
However, no system is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.
7. Your Rights and Choices
7.1 Access and Correction
You may access and update your account information through your profile settings.
7.2 Data Portability
You may request a copy of your data in a structured, machine-readable format (JSON or CSV).
7.3 Deletion
You may request deletion of your account and associated data. Some information may be retained for legal compliance as described in Section 5.
7.4 Marketing Communications
You may opt out of marketing emails by clicking "unsubscribe" in any marketing email or adjusting your communication preferences in your account settings.
7.5 Cookies
You may control cookies through your browser settings or our Cookie Settings panel. Note that disabling essential cookies may affect platform functionality.
In the EEA/UK, we only set non-essential cookies (analytics, marketing) after your consent. You can manage your choices anytime via Cookie Settings.
7.6 Privacy Settings
You may adjust visibility and sharing settings for your profile, content, and marketplace listings in your account preferences.
7.7 Do Not Track
We currently do not respond to Do Not Track browser signals.
7.8 Objection to Processing
You may object to certain processing activities, particularly those based on legitimate interests. Contact privacy@roba.com to exercise this right.
8. Regional Privacy Rights
8.1 European Users (GDPR)
If you are in the European Economic Area or United Kingdom, you have the following rights:
Right to access your personal data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restrict processing
Right to data portability
Right to object to processing
Right to withdraw consent at any time (where processing is based on consent)
Right not to be subject to automated decision-making (see Section 8.5 below)
Right to lodge a complaint with your local supervisory authority
Response Times: We respond to GDPR/UK GDPR requests within 1 month (extendable by 2 months where necessary for complex requests). We will inform you of any extension and the reasons for the delay.
Legal Bases for Processing
We process your data based on:
Contract (Art. 6(1)(b) GDPR): Performance of our contract with you
Legitimate interests (Art. 6(1)(f) GDPR): Service improvement, fraud prevention, security (see summary of legitimate interests assessments below)
Consent (Art. 6(1)(a) GDPR): Marketing communications, non-essential cookies
Legal obligations (Art. 6(1)(c) GDPR): Compliance with law, tax reporting
Legitimate Interests Summary:
Analytics and service improvement: We have a legitimate interest in understanding how users interact with our platform to improve functionality and user experience. This is balanced against minimal privacy impact through aggregation and pseudonymization.
Fraud prevention and security: We have a legitimate interest in protecting our platform, users, and business from fraud, abuse, and security threats. This is essential for platform integrity.
Reputation scoring: We have a legitimate interest in maintaining quality standards and recognizing contributor achievements. This is balanced by transparent criteria and the ability to contest decisions.
8.2 California Users (CCPA/CPRA)
California residents have the following rights:
Right to know what personal information is collected, used, shared, or sold
Right to delete personal information (subject to exceptions)
Right to correct inaccurate personal information
Right to opt out of the sale or sharing of personal information (we do not sell or share)
Right to limit use of sensitive personal information (where applicable)
Right to non-discrimination for exercising privacy rights
How to Exercise Your Rights:
Email: privacy@roba.com
Verification Process: We will verify your identity using your email address and account information. For deletion requests, we may require additional verification to prevent fraud.
Appeals Process: If we deny your request, you may appeal by replying to our response email or contacting privacy-appeals@roba.com within 30 days. We will respond to appeals within 45 days.
Response Times: We respond to CCPA/CPRA requests within 45 days (extendable once by an additional 45 days where reasonably necessary for complex requests). We will inform you of any extension and the reasons for the delay.
Authorized Agents: You may designate an authorized agent to make requests on your behalf by providing written authorization or power of attorney.
See Annex: CPRA Personal Information Categories (Section 8.6 below) for detailed disclosures.
Notice at Collection: California residents receive this Privacy Policy at or before the point of collection. A link to this notice appears anywhere we collect personal information.
8.3 Other U.S. State Privacy Laws
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws have similar rights. Contact privacy@roba.com to exercise your rights.
8.4 Other Jurisdictions
We comply with applicable privacy laws in all jurisdictions where we operate.
8.5 Automated Decision-Making and Profiling
We do not make decisions with legal or similarly significant effects on you solely by automated means. We compute Reputation Scores from objective signals including:
Challenge performance and rankings
Community contributions and asset quality
Asset adoption and usage metrics
User feedback and peer reviews
Impact: Reputation Scores may influence:
Eligibility for higher-tier challenges
Marketplace asset discoverability
Enterprise pilot opportunities
Governance participation rights
These are community and platform-level impacts, not legal or similarly significant effects under GDPR.
Your Rights: Where profiling influences eligibility or discoverability, you may contest a decision or request human review by contacting reputation-review@roba.com. We will respond within 30 days with an explanation and, where appropriate, a manual review of your score.
Transparency: The specific algorithms and weightings used in Reputation Scores are documented in our Help Center.
8.6 Annex: Data Processing Summary Tables
Table 1: GDPR Data Processing Summary
Category | Purposes | Legal Basis | Retention |
Account data (name, email, password) | Account creation, authentication, support | Contract (Art. 6(1)(b)) | Life of account + 90 days, then 7 years for legal compliance |
User Content (models, code, datasets) | Service provision, marketplace, challenges | Contract (Art. 6(1)(b)) | Per user settings; up to 90 days in backups after deletion |
Usage data (pages visited, features used) | Service improvement, analytics, security | Legitimate interests (Art. 6(1)(f)) | 24 months, then aggregated/anonymized |
Telemetry (simulation sessions, performance) | Benchmarking, service improvement, research | Legitimate interests (Art. 6(1)(f)); Consent where required | 12 months or until aggregated/anonymized |
Transaction records | Payment processing, accounting, compliance | Contract (Art. 6(1)(b)); Legal obligation (Art. 6(1)(c)) | 7 years |
Marketing preferences | Updates, announcements, promotional communications | Consent (Art. 6(1)(a)) | Until consent withdrawn |
Challenge submissions | Evaluation, rewards, marketplace listings | Contract (Art. 6(1)(b)) | Life of marketplace listing |
Reputation data | Quality standards, contributor recognition | Legitimate interests (Art. 6(1)(f)) | Life of account + 90 days |
KYC data (ID verification) | Identity verification for payouts, compliance | Legal obligation (Art. 6(1)(c)); Contract (Art. 6(1)(b)) | 7 years after verification, then deleted |
Table 2: CPRA Personal Information Categories
Category | Examples | Collected? | Sources | Business Purposes | Disclosed to | Retention |
Identifiers | Name, email, username, IP address | Yes | Directly from you; automatically | Account management, communication, security | Service providers, payment processors | Per Table 1 |
Internet/network activity | Browsing history, pages visited, simulation sessions | Yes | Automatically | Service improvement, analytics, fraud prevention | Service providers (analytics) | 24 months |
Geolocation (general) | IP-based location (city/country) | Yes | Automatically | Content delivery, compliance, fraud prevention | Service providers | 24 months |
Professional/employment info | Optional profile fields (employer, role) | Yes | Directly from you | Talent pool, matchmaking | Enterprise partners (with permission) | Life of account |
User Content | Code, models, datasets, documentation | Yes | Directly from you | Service provision, marketplace, challenges | Other users (per visibility settings) | Per user settings |
Inferences | Reputation scores, skill assessments | Yes | Derived from activity | Quality standards, challenge eligibility | Other users (public scores) | Life of account + 90 days |
Sensitive PI (account credentials) | Password (encrypted) | Yes | Directly from you | Authentication | Not disclosed (encrypted at rest) | Life of account |
Sensitive PI (government IDs for KYC) | ID images, ID numbers (where required) | Yes (for high-value payouts) | From you via verification provider | Identity verification, compliance | Verification provider only | 7 years, then deleted |
Commercial information | Purchase history, marketplace transactions | Yes | From transactions | Payment processing, seller payouts | Payment processors | 7 years |
Sale or Sharing: We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising.
How to Opt-Out: Although we do not sell or share, you can control data use through your Privacy Settings or by contacting privacy@roba.com.
9. International Data Transfers
RobaLabs operates globally. Your information may be transferred to and processed in countries other than your country of residence, including the United States, where data protection laws may differ.
We implement appropriate safeguards for international transfers, including:
Standard Contractual Clauses approved by the European Commission (for EEA transfers)
UK Addendum to Standard Contractual Clauses (for UK transfers)
Adequacy decisions where available
10. Children's Privacy
Our Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn we have collected information from a child under 13, we will delete it promptly.
GDPR Compliance: For users in the EEA/UK, the age of digital consent varies by country (13-16). If you are under your country's age of digital consent, you may only use the Service with verifiable parental consent. We implement age-appropriate safeguards as required by local law.
Parental Rights: Parents or guardians may contact privacy@roba.com to review, modify, or delete their child's information.
11. Third-Party Links and Services
Our Service may contain links to third-party websites and services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
12. Blockchain and Tokenization
From launch, rewards and certain platform utilities are delivered via RoboToken (ticker: $ROBA). We do not offer “credits,” and there is no phased credits→token model.
12.1 Token Use and Airdrops
Rewards: Challenge completions and other qualifying activities may receive Roba Token airdrops.
Utility: Roba Token may be used for licensing and royalty payments, challenge rewards, federated learning incentives, and other utilities we introduce over time.
Transparency: We will provide in‑product disclosures where additional token features are added.
12.2 On‑chain Transparency and Wallets
Public ledgers: Certain transactions may be recorded on a public blockchain. Blockchain transactions are public and generally permanent.
Wallets: Wallet addresses may be linked to your account. We do not take custody of your wallets or private keys unless expressly stated for a specific product governed by separate terms. You are responsible for safeguarding your wallet credentials.
Finality: Gas fees are non‑refundable. On‑chain transactions are generally irreversible; we cannot unwind them. In the event of forks, protocol changes, or airdrops, we may support, map, or ignore such events at our discretion.
12.3 Compliance and Eligibility
AML/KYC: We may require identity verification (KYC) for substantial rewards or as required by law. Where applicable, we may collect and transmit originator/beneficiary information for token transfers to comply with AML/CFT “Travel Rule” requirements and may decline or block transactions lacking required information.
Jurisdictions: Airdrops and token features may be limited in some jurisdictions.
Taxes: Token rewards or airdrops may be taxable. You are responsible for reporting and paying any taxes. Where required, we may issue tax forms and/or withhold amounts.
Regulatory notes:
US: We may exclude, geoblock, or require additional steps for U.S. persons to comply with applicable securities and commodities laws.
EEA (MiCA): Any token‑related services to EEA users will comply with MiCA/CASP obligations or be limited until authorized. Risk factors and complaints handling will be provided in a MiCA white paper where applicable.
UK (FCA promotions): Token communications to UK users will comply with FCA financial promotions rules, including required risk warnings, cooling‑off, and approval where applicable.
12.4 Verifiable Licensing (Optional)
If you opt in to verifiable licensing:
License terms and attestations may be cryptographically signed.
Provenance metadata may be publicly trackable on‑chain or in distributed systems.
Royalty distributions may be automated through smart contracts.
You control which assets use verifiable licensing.
13. Updates to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or other factors.
For material changes, we will notify you by:
Posting the updated policy with a new "Last Updated" date
Sending email notification at least 30 days in advance
Displaying a prominent notice on the Service
Your continued use of the Service after the effective date constitutes acceptance of the updated policy. If you do not agree, you may close your account before the changes take effect.
14. Contact Us
For questions, concerns, requests, or to exercise your privacy rights:
Email: privacy@roba.com
Data Protection Officer: dpo@roba.com
Upon request, we can provide this Privacy Policy in accessible formats (large print, screen-reader-optimized, etc.)—contact privacy@roba.com.
15. Specific Data Practices
15.1 Telemetry and Robot Data
When you use our simulation or connect real robots:
We collect telemetry data including robot states, sensor readings, performance metrics, and operational parameters
Configuration controls: You can adjust telemetry collection levels (off / basic / detailed) in your Settings
This data is used for benchmarking, evaluation, service improvement, and research
Enterprise-only visibility: Certain sensitive provenance metadata is only shared with enterprise customers for compliance purposes
Telemetry data is aggregated and anonymized for research after 12 months, at which point it becomes irreversibly anonymized and no longer constitutes personal data
15.2 Model Cards and Provenance
To support transparency and governance:
We track provenance metadata for models and assets (training data sources, performance metrics, intended use, version history)
Model cards include standardized documentation for enterprise compliance
Visibility: Public for marketplace listings; enterprise-only for proprietary or sensitive assets
This metadata may be shared with enterprise customers for procurement, quality management, and regulatory compliance
15.3 Reputation and Scoring
Your Reputation Score is calculated from:
Challenge performance (rankings, completion rates)
Community contributions (frequency, quality)
Asset quality and marketplace adoption
User feedback and peer reviews
Transparency: The criteria and relative weightings are documented in our Help Center.
Impact: Reputation data may be visible to other users, enterprise partners, and may influence challenge eligibility and marketplace discoverability.
Your Rights: You may contest your score or request human review (see Section 8.5).
15.4 Talent Pool and Matchmaking
If you opt into the Talent Pool:
Your profile, skills, achievements, and portfolio may be searchable by verified employers and enterprise partners
You control what information is visible through granular privacy settings
We may facilitate introductions with hiring partners based on matching criteria
We do not share your contact information without your explicit consent
You can opt out at any time via your Privacy Settings
16. Cookies and Similar Technologies (Detailed)
16.1 Types of Cookies
Cookie Type | Purpose | Duration | Consent Required (EEA/UK)? |
Essential | Authentication, security, core functionality | Session / 1 year | No |
Preference | Remember settings (language, theme) | 1 year | No |
Analytics | Usage patterns, performance monitoring | 2 years | Yes |
Marketing | Promotional communications, campaign attribution | 1 year | Yes |
16.2 Managing Cookies
Cookie Settings Panel: Accessible from all pages
Browser Settings: Most browsers allow you to block or delete cookies
Opt-Out Tools: Google Analytics Opt-Out Browser Add-On, Network Advertising Initiative opt-out
16.3 Consent Mechanism (EEA/UK)
Upon your first visit from the EEA/UK, you will see a cookie banner with options to:
Accept all cookies
Reject non-essential cookies
Customize preferences by category
We will only set non-essential cookies after you provide consent. We log your consent choices (timestamp, categories accepted) and provide a granular Cookie Settings panel accessible from all pages where you may review, modify, or withdraw consent at any time.
Thank you for trusting RobaLabs with your information. We are committed to protecting your privacy while building the future of open robotics development.
