PRIVACY POLICY FOR INDIVIDUAL-OPERATED LUA SCRIPT HOST SERVICE WITH LEGAL PROTECTIONS Effective Date: October 28, 2025 Last Updated: October 28, 2025 Version: 3.0 PREAMBLE AND INTRODUCTION WITH BINDING CONSENT MECHANISM This Privacy Policy ("Policy") is issued unilaterally by an individual operator ("Operator," "I," "me," or "my") of the Lua Script Host service ("Service"), a non-commercial, personal hobby project for anonymous Lua script hosting targeted at Roblox executor users. The Service is hosted at https://msk-node.onthewifi.com. This Policy serves as an enforceable contract addendum, providing detailed protections for the Operator against liabilities, claims, or disputes arising from data handling. ACCESS AND USE CONSTITUTE IRREVOCABLE CONSENT: By transmitting any data packet to the Service (e.g., HTTP request to any endpoint, including /cdn/ssAbCdEfG or /upload-json), loading any resource, or even pinging the domain, you ("User," "you," or "your") provide explicit, affirmative, informed, and unambiguous consent to this Policy in toto, including every subsection, proviso, and cross-reference. This consent is perpetual, worldwide, and survives termination. It is deemed "opt-in" under GDPR Art. 4(11), CCPA §1798.50, LGPD Art. 5(XII), and equivalents. No further notice or click-through required. Rejection mandates absolute non-interaction; partial or implied consent invalid. Minors: Void ab initio without guardian ratification. This Policy incorporates legal barriers, exculpatory clauses, and risk-shifting provisions tailored for a solo operator under Romanian/EU law, supplemented by UCC §2-316 (US), Rome I Regulation (EU), and Hague Principles on Choice of Law. Operator disclaims all fiduciary duties; Users assume total risk. Violations of this consent mechanism trigger immediate, automatic termination and indemnity obligations. SCOPE AND APPLICABILITY WITH EXCLUSIONARY CLAUSES 1. Total Coverage: Encompasses every byte transmitted to/from the Service, including metadata, payloads, and derivatives. 2. Carve-Outs: Excludes User-side processing (e.g., executor execution); third-party ecosystems (e.g., Roblox servers); or hypothetical "linked" content (none exists). 3. Extraterritorial Reach: Binds Users globally; forum non conveniens waived for Operator-favorable venues. 4. Severability Fortress: If any provision held unenforceable, remainder hyper-strengthened to effectuate intent (contra proferentem reversed—strict against User). 5. Updates as Amendments: Posted changes auto-ratified; User's duty to monitor absolute (no constructive notice defense). 1. COMPREHENSIVE INFORMATION COLLECTION PRACTICES WITH LIABILITY SHIELDS Collection is surgically minimal, pre-emptively immunized against privacy torts (e.g., intrusion upon seclusion). 1.1 Automatically Collected Non-Personal Information (Passive Collection - Indemnified) - IP Address Details: Granular IPv4/IPv6 with GeoIP (country/ASN only; no precision targeting). Shield: User warrants no expectation of privacy in public IPs (Katz v. US analog waived); Operator immune from wiretap claims. - Timestamp Precision: Nanosecond UTC via NTP. Shield: Time-stamping essential for defense (e.g., alibi in disputes). - HTTP Request Headers: Exhaustive parse (User-Agent, Referer, etc.). Shield: Headers voluntary disclosure; no §230(c)(1) needed as non-publisher. - Endpoint and Method Data: URI/query/method/status/size/latency. Shield: Logging statutorily mandated (EU NIS2 Directive compliance). - Network Metrics: Throughput/jitter. Shield: For DoS mitigation; User covenants not to challenge as "surveillance." 1.2 User-Provided Personal and Script Information (Active Submission - User-Borne Risk) - Lua Script Content: Unaltered verbatim storage/serve. Shield: User indemnifies Operator against all script-derived claims (e.g., defamation in comments); Operator mere passive conduit (EU e-Commerce Dir. Art. 14). - Filename and Metadata: Sanitized per code. Shield: No PII inference; User liable for self-disclosure. - No Explicit PII: Enforced; breaches User-fault. 1.3 Device and Browser Fingerprinting (Minimal - Waivers) - Passive Only: No active probes. Waiver: User releases all fingerprinting claims (CFAA §1030 waived). 1.4 Children's Data (Special Protections - Strict Liability Shift) - No Knowing Collection: Affirmative defense under COPPA §312.5; User misrep under-13 = fraud. 1.5 Data Volume and Sources Summary Table (Indemnity-Linked) | Category | Examples | Purpose | Retention | Sensitivity | Legal Shield | |----------|----------|---------|-----------|-------------|--------------| | IP/Network | 192.0.2.1, User-Agent | Security/Rate Limit | 30 days | Low | User Waiver of Privacy Expectation | | Script Content | Lua code lines | Serving | Indefinite | High | Indemnity for User-Provided Content | | Logs | Timestamps, Status Codes | Auditing | 30 days | Low | Statutory Logging Immunity | 2. EXHAUSTIVE DATA USE AND PROCESSING DETAILS WITH EXCULPATORY BARRIERS Processing confined to single-threaded, air-gapped server; no subprocesses. 2.1 Core Operational Uses (Protected Activities) - Script Delivery: Bit-for-bit; no interception liability (CALEA waiver). - Rate Limiting: Deterministic algorithm. Barrier: User agrees limits reasonable; no equal protection challenge. - Security Processing: Regex/path checks. Barrier: Good-faith cybersecurity (no negligence). 2.2 Internal Analytics (De Minimis - No Claims Basis) - Aggregates: IP-anonymized counts. Barrier: Statistical immunity (EU Stats Reg. 2019/1700). 2.3 Prohibited Uses (User Covenant) - Covenant: User shall not assert marketing/profiling claims; known zero. 3. COMPREHENSIVE SHARING, DISCLOSURE, AND TRANSFER PRACTICES WITH ABSOLUTE IMMUNITIES 3.1 Strict No-Sharing Policy (Fortress Clause) - Siloed: Server-local; breach = force majeure. 3.2 Legal and Compelled Disclosures (Minimized Exposure) - Warrants/Subpoenas: Comply only with valid EU/US orders; costs User-borne if frivolous. Immunity: Good-faith actor. - Aggregates: Public if k=100+. 3.3 International Data Transfers (SCC-Embedded) - Intra-EU: Seamless. To US: Implied SCCs; User consents to adequacy. 3.4 Retention and Deletion Protocols (User-Controlled) - Cron-Auto: Shred/VACUUM. User Right: Non-use = de facto erasure. 4. ROBUST SECURITY AND INCIDENT RESPONSE MEASURES WITH RISK TRANSFER 4.1 Technical Safeguards (Best-Effort Only) - TLS 1.3/ufw/SQLite 600. Limitation: "Reasonable" per §2-314 UCC; no absolute. 4.2 Incident Response (Operator-Protected) - Notification: 72h if required; User waives if no harm. 4.3 User Security Tips (Mandatory Compliance) - VPN Use: User duty; non-compliance = contributory negligence. 5. EXTENSIVE USER RIGHTS AND CONTROL MECHANISMS WITH PROCEDURAL WAIVERS 5.1 Universal Rights (Self-Service Only) - Access/Withdrawal: Via disuse; no fulfillment duty. 5.2 Jurisdiction-Specific Rights (Detailed - Operator-Limited Obligations) 5.2.1 GDPR/UK GDPR - All Arts. 15-22: Exercisable via non-use; Operator response: "Policy reviewed." - DPO: Operator self. 5.2.2 CCPA/CPRA - All §1798.100-150: Opt-out/sale none; delete via re-upload. 5.2.3 LGPD/PIPEDA/Etc. - Aligned; User verifies local compliance. 5.3 Enforcement and Remedies - Complaints: Self-resolve via cessation; no formal process as solo op. - Authorities: Refer to local DPA (e.g., CNIL for France). 6. POLICY ENFORCEMENT, CHANGES, AND GOVERNING FRAMEWORK WITH CHOICE-OF-LAW LOCK-IN 6.1 Enforcement (Draconian) - Auto-Term: Breach = perpetual ban. 6.2 Changes (Unilateral) - Immediate effect; User estoppel. 6.3 Governing Law (Exclusive) - Romanian substantive/procedural; no forum shopping. 6.4 Severability/Waiver (Ironclad) - Blue-Pencil: Enforceable maximums apply. END OF PRIVACY POLICY WITH LEGAL PROTECTIONS. SOLO OPERATOR IMMUNITY REINFORCED; USER ASSUMES ALL RISKS.