Neblio

Privacy Policy

Effective: March 14, 2026

Last Updated: March 14, 2026

Neblio Inc. ("Neblio Inc.," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, store, and secure information when you visit any Neblio Inc. website, mobile application, or other online product or service that links to this Privacy Policy (collectively, the "Service"), including "Neblio: Roblox Trading", and describes your rights and choices.

If you do not agree with the practices described in this Privacy Policy, please do not use the Service. Capitalized terms not defined here have the meanings given in our Terms of Service.

1. What This Policy Covers

  • This Privacy Policy applies to personal information we process in our role as a controller, business, or similar role under applicable privacy laws.
  • This Privacy Policy does not apply to websites or services we do not own or control, including third-party games, platforms, single sign-on providers, analytics providers, or other third-party services. Those services have their own privacy practices.

2. Information We Collect

A. Information You Provide Directly

  • Account Information — username, display name, password stored in hashed form, language, and any optional profile details such as an avatar.
  • User Content — images, listings, text, chat messages, trade offers, feedback, or other materials you submit through the Service.
  • Support, Appeals, and Legal Correspondence — information you provide when you contact us for help, submit an appeal, exercise privacy rights, or otherwise communicate with us.

B. Information We Collect Automatically

  • Device and Log Data — IP address, user-agent string, device type, operating system, referring URLs, error logs, timestamps, clickstream data, and the pages or screens you visit.
  • Security and Anti-Fraud Signals — failed login attempts, token identifiers, session-related data, and behavioral patterns flagged by our automated abuse-detection tools.
  • Moderation and Safety Review Data — user reports, moderator notes, review outcomes, and information reasonably necessary to investigate reported content or conduct, including reported images, reported chats, related account activity, and associated metadata.
  • Cookies and Similar Technologies — identifiers and similar technologies set by us or our service providers, including analytics providers such as Google Analytics. See Section 6.

C. Information from Third Parties

  • Single Sign-On Providers — basic profile information such as name, email address, and account identifier from Google, Apple, Discord, or other supported providers when you choose to sign in that way.
  • Connected Game Accounts — public game inventory, avatar, and account identifier if you link an external game account.

We do not intentionally collect or store date of birth. During sign-up, we may ask users to confirm that they meet the minimum age requirements for the Service. We also do not intentionally collect precise geolocation. If we learn that someone registered below the minimum permitted age, we will take steps to remove the account and associated personal data as required by law.

3. Purposes of Processing

We use personal information to:

  • a) create, maintain, and secure your account;
  • b) provide, personalize, maintain, and improve the Service;
  • c) enable social features such as chats, listings, and trade-related interactions;
  • d) detect fraud, prevent abuse, investigate misconduct, investigate child-safety incidents, and enforce our Terms;
  • e) communicate with you about support issues, account matters, policy changes, safety issues, and other service-related matters through the channels we make available;
  • f) generate analytics and usage statistics;
  • g) comply with legal obligations and respond to lawful requests, including obligations relating to child safety, exploitation, and mandatory or voluntary reporting; and
  • h) protect the rights, safety, and security of Neblio Inc., our users, children, and the public.

4. Legal Bases for Processing (EEA/UK Users)

Under the GDPR and UK GDPR, we rely on the following legal bases where required:

  • Performance of a Contract — to provide the Service under our Terms of Service.
  • Legitimate Interests — to secure the Service, prevent abuse, analyze usage, improve the Service, and develop new features, where those interests are not overridden by your rights.
  • Consent — for cookies and similar technologies that are not strictly necessary, where consent is required by law.
  • Legal Obligation — to comply with applicable laws, regulations, legal process, or lawful requests.
  • Vital Interests or Public Interest — in limited circumstances, such as protecting someone’s safety or rights.

5. Disclosure of Information

We do not sell personal information. We also do not share personal information for cross-context behavioral advertising.

We disclose personal information only as described below:

1. Service Providers and Processors

We may disclose information to vendors and service providers that perform services on our behalf, such as cloud hosting, database backups, analytics, customer-support tools, and security services, subject to appropriate contractual safeguards where required.

2. Other Users

Certain information is visible to other users by design, such as your public profile, display name, avatar, listings, and chat messages. Email addresses and IP addresses are not shared publicly.

3. Business Transfers

We may disclose or transfer information in connection with a merger, acquisition, financing, bankruptcy, reorganization, sale of assets, or similar transaction, subject to applicable confidentiality and data-protection obligations.

4. Legal, Safety, and Security

We may disclose information where required by law or where reasonably necessary to protect the rights, property, or safety of Neblio Inc., our users, children, or the public, including to law enforcement, regulators, courts, the National Center for Missing & Exploited Children’s CyberTipline, child-protection organizations, or other authorized parties. This may include disclosure of reported content, chats, account identifiers, IP information, and other relevant records in connection with investigations of suspected child sexual abuse or exploitation, grooming, threats, fraud, or other harmful or unlawful conduct.

6. Cookies & Tracking

Cookies are small data files stored on your device. We use cookies and similar technologies such as:

  • Strictly Necessary Cookies — used for sign-in, session management, security, and core Service functionality.
  • Functional Cookies — used to remember settings and preferences.
  • Analytics Cookies — used by analytics providers such as Google Analytics to understand how the Service is used and to improve performance.

Where required by law, we will present a consent tool that allows you to accept or reject non-essential cookies, including analytics cookies. You can also manage cookies through your browser settings, though some parts of the Service may not function properly if certain cookies are disabled.

7. International Data Transfers

Our servers may be located in the United States, and backups or service providers may process data in other countries. When we transfer personal information from the EEA, UK, or Switzerland to a country that does not provide an adequate level of protection under applicable law, we rely on appropriate safeguards where required, such as:

  • the European Commission’s Standard Contractual Clauses;
  • the UK International Data Transfer Addendum or other approved UK transfer mechanism; and
  • supplementary safeguards such as encryption, access controls, and data minimization.

8. Data Retention

We retain personal information for as long as reasonably necessary for the purposes described in this Privacy Policy, including to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements.

In general:

  • Account Data — retained while your account remains active.
  • Deleted Accounts — personal data is erased or irreversibly anonymized within 30 days after account deletion, except where retention is reasonably necessary for security, fraud prevention, legal compliance, dispute resolution, or similar legitimate purposes.
  • Security Logs — limited security logs, including IP address, user-agent, and timestamps, may be retained for up to 12 months to detect repeat abuse, investigate incidents, and protect the Service.
  • Safety Investigation Records — where content, chats, account activity, or reports are associated with suspected abuse, exploitation, grooming, CSAM, fraud, or other serious policy violations, we may retain relevant information for longer than standard deletion periods as reasonably necessary for investigation, legal compliance, safety enforcement, reporting, dispute resolution, and prevention of repeat abuse.
  • Aggregated or Anonymized Data — may be retained indefinitely where it is no longer personal information.

9. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect personal information, including:

  • encryption in transit using TLS;
  • encryption of backups at rest;
  • role-based access controls;
  • multi-factor authentication for administrative access where appropriate;
  • logging and monitoring for security events; and
  • restricted review environments and access controls for sensitive moderation materials where appropriate.

No internet or electronic storage system is completely secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

10. Your Rights & Choices

A. Rights You May Have

Depending on your jurisdiction, you may have the right to:

  • access the personal information we hold about you;
  • correct inaccurate or incomplete personal information;
  • delete your personal information;
  • restrict or object to certain processing;
  • receive a portable copy of certain personal information; and
  • withdraw consent where processing is based on consent.

B. How to Exercise Your Rights

You may exercise applicable rights through in-app settings or by contacting us at [email protected]. We may take reasonable steps to verify your identity before acting on a request. We will respond within the timeframe required by applicable law.

C. Account Controls

You may update certain account information through your account settings and may delete your account using the controls we make available.

11. Children’s Privacy and Child Safety

The Service is not directed to children under 13 or to users who have not reached the minimum age required by applicable law to use the Service without any legally required consent.

During sign-up, we may ask users to confirm that they meet the applicable minimum age requirements. We do not store date of birth for this purpose.

We maintain child safety and CSAE standards in our Terms of Service that prohibit child sexual abuse and exploitation, including CSAM, grooming, sextortion, and other exploitative conduct. When content or conduct is reported or otherwise flagged for potential child-safety review, authorized moderators and reviewers may review reported images, reported chats, related account activity, and other information reasonably necessary to investigate the report, protect users, enforce our Terms, and comply with applicable law.

To help protect sensitive material and users, such review may be conducted using restricted systems and access controls, including encryption and logging.

If we learn that a user created an account below the minimum permitted age, we will take steps to suspend or remove the account and delete associated personal data as required by law. If, after review, we reasonably believe content or conduct may involve child sexual abuse or exploitation, we may remove content, restrict accounts or features, preserve relevant information, and report the matter to the CyberTipline, law enforcement, or other appropriate authorities where required by law or where we reasonably determine reporting is appropriate.

Parents or guardians who believe that a child has provided personal information to us or used the Service in violation of our age requirements may contact us at [email protected].

12. Third-Party Services & Links

The Service may contain links to or integrations with third-party websites, games, platforms, or services. We do not control their privacy practices and are not responsible for them. Please review the privacy policies of those third parties before using their services.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will post the updated Privacy Policy on the Service and update the "Last Updated" date above. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acknowledgment of the revised Policy, to the extent permitted by law.

14. Contact Us

If you have questions, concerns, requests relating to this Privacy Policy or our privacy practices, or wish to report child-safety concerns, you may contact us at [email protected].

15. Additional Information for California Residents

This section supplements the information above and is provided pursuant to the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA").

A. Categories of Personal Information Collected

We may collect the following categories of personal information:

  • identifiers;
  • commercial information related to listings or trade activity;
  • internet or other electronic network activity information;
  • user-generated content; and
  • inferences drawn from the information above for security, moderation, and service improvement purposes.

B. Sources, Purposes, and Disclosures

We collect personal information from the sources described in Section 2, use it for the purposes described in Sections 3 and 4, and disclose it as described in Section 5.

C. Sensitive Personal Information

We do not knowingly collect sensitive personal information as defined by the CPRA for the purpose of inferring characteristics about consumers.

D. CPRA Rights

California residents may have the right to request:

  • access to specific pieces of personal information and information about our processing practices;
  • deletion of personal information, subject to exceptions;
  • correction of inaccurate personal information;
  • portability of certain personal information; and
  • opt-out of the sale or sharing of personal information, although we do not sell or share personal information for cross-context behavioral advertising.

Requests may be submitted by contacting us at [email protected]. Authorized agents may act on a consumer’s behalf where permitted by law. We will not discriminate against you for exercising your privacy rights.

16. Residents of the EEA/UK — Complaints

If you are located in the EEA or the UK and believe we have not adequately addressed your privacy concern, you may have the right to lodge a complaint with your local supervisory authority. UK residents may contact the Information Commissioner’s Office.

17. Do-Not-Track and Similar Signals

Neblio Inc. does not currently respond to browser "Do Not Track" signals. Where required by applicable law, we will process qualifying browser-based opt-out preference signals in accordance with applicable law.

18. Language

If we provide a translated version of this Privacy Policy and there is any conflict between the translated version and the English version, the English version will control unless applicable law requires otherwise.