All traffic between the Roblox Studio plugin and our servers uses TLS 1.2+. Your prompts and diffs are never sent unencrypted.
Passwords are hashed with bcrypt before storage. We never log or store passwords in plaintext. Password reset links are time-limited and single-use.
Session data — including prompts, file contents, and diffs — is not used to train AI models. We do not opt you in to any training data programs without your consent.
We collect only what we need to operate the Service. No behavioral fingerprinting, no cross-site tracking, no selling data to advertisers.
Your sessions are isolated per account. No other user can see your prompts, diffs, or history. Sessions are authenticated with signed tokens, not shared IDs.
Found a vulnerability? We welcome responsible disclosure. See the disclosure section below.
Here's the exact data path for an agent run so you know what goes where.
You type your prompt in the plugin panel. It is transmitted over TLS 1.2+ to our API server as authenticated JSON. Your session token is validated on every request.
Our server forwards the conversation context and tool schema to the selected AI provider (Anthropic, OpenAI, or other). This transmission uses the provider's TLS endpoint. Our DPA with each provider prohibits use of session data for model training.
When Wren issues a read_file or list_files tool call, the plugin reads your local Roblox Studio workspace and sends the result to our server. We access only what Wren explicitly requests — we have no persistent access to your Studio workspace outside of an active session job.
Write and modify tool calls are staged on our server as proposed changes. They are displayed as diffs in the plugin. Your approval is required before any change is applied to your Studio workspace.
The completed job — prompt, tool chain, diffs, approval decisions — is stored on our server for the duration of your plan's history retention (7–90 days by plan tier). You can delete any job from the History panel at any time.
ScriptWEAVER's backend is hosted on servers in the continental United States. Data is not transferred outside the US without disclosure. We use a reputable cloud infrastructure provider with physical security, redundancy, and managed patching.
Production database access is restricted to a minimal set of internal services. Human access to production data requires multi-factor authentication and is logged. We follow least-privilege principles: engineers have access only to what their role requires.
We maintain an inventory of third-party dependencies and monitor for known vulnerabilities. Critical dependencies are patched within 72 hours of a disclosed CVE. We avoid dependencies with histories of malicious supply-chain behavior.
In the event of a data breach or security incident, we will notify affected users by email within 72 hours of becoming aware of the incident, as required by applicable law. We will clearly describe what happened, what data was affected, and what we are doing about it.
Wren routes requests to third-party AI model providers. Here's what we require of them.
Our API agreements with every AI model provider we use prohibit the provider from using your session data to train its foundation models without your consent.
We maintain active DPAs with all AI providers that process user data, documenting permitted uses and security obligations.
We select provider endpoints that process data in the United States and document this in our privacy notices.
We appreciate researchers who responsibly disclose security issues. If you've found a vulnerability in ScriptWEAVER's web app, API, plugin, or infrastructure, please email us before public disclosure so we have time to patch it.
Please do not test against user accounts other than your own. Automated scanning tools may trigger rate limiting or temporary account suspension.
If something isn't answered here, we're happy to explain our practices further.