PRIVACY POLICY

This page describes what data the Last Wave leaderboard site collects, why it collects it, how it's stored, and how you can have it removed. The site is operated by Molyi. Last Wave the game runs on Roblox; this policy covers the leaderboard website only. Roblox's own privacy policy governs your interaction with the game client and Roblox's own services.

What we collect

Two paths add data to our systems.

From playing the game

Every completed or abandoned run pushed by the game server stores your Roblox user ID, your display name at the time of the run, the run's loadout (weapon, trait, passives, augments, items), per-player aggregate counters (damage dealt, kills, time alive, level reached, etc.), the active difficulty and modifiers, and placement within your party. We also store the two-letter Roblox locale region code your account is set to, so flags can be shown on leaderboard rows. We don't collect chat content, voice data, IP addresses, or any data about devices.

From signing in with Roblox

When you click "Sign in" on the website and complete the Roblox OAuth flow, we receive and store only your Roblox user ID, your display name, and your bidirectional friends list. The friends list powers the "Friends" filter on leaderboards. We also check your role rank in the moderator Roblox group to decide whether you can access the moderation dashboard. We do not receive your email, your date of birth, your payment information, or your private friend or followers details.

A session cookie (httpOnly, Secure, SameSite=Lax) is set on your browser containing an opaque random identifier. The cookie itself contains no personal data; the identifier maps server-side to the data above. Sessions expire automatically after 30 days of inactivity.

How we use it

• Render public leaderboards, run details, and player profiles.
• Power the "Friends" and "Me" leaderboard filters when you're signed in.
• Gate the moderation dashboard to accounts with the appropriate role rank in the moderator group.
• Identify and remove cheating runs and players, with a mod-side audit trail.

We don't run third-party analytics on the website, don't embed ad trackers, and don't sell your data. See the "Third-party services" section below for the limited set of external services we do forward data to.

Third-party services

Two external services receive data from the website:

• Roblox public APIs. When you sign in or browse a profile, the website queries Roblox's public endpoints to fetch avatar thumbnails, your group rank in the moderator group, and your friends list. These queries identify you by your Roblox user ID. They're sent directly to Roblox and are governed by Roblox's own privacy policy.
• Discord webhook (moderation only). When a moderator takes action (hiding a run, banning a player, deleting data, etc.), a single message is posted to a private Discord channel for audit transparency. The message contains the action type, the actor moderator's identifier, the target player's user ID and display name (or the target run ID), and the optional reason. No regular gameplay or leaderboard data is sent to Discord. If the webhook is unconfigured the notification is skipped.

How long we keep it

• Sessions: 30 days from your most recent visit; deleted immediately when you sign out.
• Run records and leaderboard entries: kept indefinitely so historical leaderboards stay intact.
• Cached friends list (server-side): refreshed on each sign-in; deleted with your session.
• Moderation actions (audit log): kept indefinitely for accountability.

Your rights

• Sign out: Use the "Sign out" option in the top-right menu after signing in. This deletes your session immediately.
• Delete your run history: Email the contact below requesting deletion. We'll remove every run record tied to your Roblox user ID. The action is irreversible.
• Disconnect the OAuth app: Revoke the app's authorization on Roblox's side at any time. The next time you visit the site we'll have no friend list or rank cached for you.

Where data lives

All site data is stored on Cloudflare's edge infrastructure (D1 SQLite for run records, Workers KV for sessions). We don't maintain backups outside Cloudflare and don't transfer data to non-Cloudflare regions.

Children

The Last Wave game follows Roblox's own age policies. The website is open to anyone who can sign in via Roblox, which requires a 13+ Roblox account for OAuth authorization per Roblox's terms. We don't knowingly collect data from children under that limit through the website.

Changes

Updates to this policy are posted on this page. The "Last updated" date at the top reflects the most recent change.

Contact

For privacy questions or to request deletion of your data, email molyiez@gmail.com. For general support, the Last Wave Discord is linked in the footer.