Privacy Policy
Last updated: 2026-05-16
This Privacy Policy explains how SpackBot (operated by Spackmod, hereafter “we”, “us”) collects, uses, retains and discloses information when you use our Discord moderation bot, our dashboard at bot.spackmod.com, and our public API at api.bot.spackmod.com (together, the “Service”).
1. Data controller
Spackmod is the data controller. For any privacy-related request, contact [email protected].
2. Personal data we process
We process the minimum data required to deliver moderation, threat intelligence and billing:
- Discord identifiers: user IDs, guild IDs, channel IDs, role IDs. These are public Discord “snowflakes” — never names, email addresses or content of private DMs.
- Moderation events: type of detected threat (e.g. URL, FILE, SPAM, PHISH, HONEYPOT, RAID), timestamp, and a SHA-256 hash of the offending content. We never store message bodies in plaintext.
- Dashboard authentication: Discord OAuth profile (id, username, avatar, list of guilds where you are administrator). Stored in a session JWT that expires after 30 days.
- Audit log: every privileged action you perform from the dashboard (BAN, FEDERATE, module toggles, panic mode, RBAC changes) — recording your Discord ID, the target, the action, the originating IP and User-Agent. Retained for legal/security purposes.
- Billing: Stripe customer ID and subscription ID for guilds with a paid license. Card data is held by Stripe — we never see it.
- Operational logs: HTTP request metadata (path, status, latency). No request body is logged. Retained 14 days for incident response.
3. Legal bases (GDPR Art. 6)
- Performance of a contract — to provide the moderation service to a server.
- Legitimate interest — to detect and prevent abuse, spam, raids, phishing, and to maintain audit logs against fraud.
- Legal obligation — to retain billing records as required by tax law.
- Consent — for any optional analytics, only when explicitly granted via the cookie banner.
4. Federation (cross-server threat sharing)
When a Discord user triggers a high-confidence threat in any server protected by SpackBot (e.g. honeypot, polymorphic raid pattern), their Discord user ID is added to a shared Global Threat Registry. Other protected servers may auto-ban that user upon join. The registry stores only the Discord user ID, the reason code, and the timestamp — no message content. Entries expire after 30 days. You may request removal at any time via the deletion flow described below.
5. Data retention
- Threat logs: 90 days rolling, then aggregated and anonymised.
- Dashboard audit log: 1 year (security/legal forensics), then pseudonymised.
- Global federation: 30 days.
- Billing records: 10 years (Italian tax law, art. 2220 c.c.).
- Operational request logs: 14 days.
6. Recipients and processors
We share personal data only with sub-processors strictly necessary to operate the Service:
- Discord Inc. — gateway/API for bot operation (USA, SCC).
- Stripe Payments Europe Ltd. — payment processing (Ireland, EU).
- OVH SAS — hosting (France, EU).
- Cloudflare Inc. — DDoS protection & TLS termination (USA, SCC).
We never sell personal data to third parties for advertising.
7. International transfers
Where data is transferred outside the EEA (Discord, Cloudflare in the US), we rely on the EU Standard Contractual Clauses and supplementary safeguards.
8. Your rights (GDPR Art. 15–22)
You have the right to:
- Access your data — download a JSON export from your dashboard at any time.
- Rectification — change your Discord profile to update what we see.
- Erasure — request permanent pseudonymisation from your dashboard. Threat-log statistics are preserved in an aggregated form that cannot be linked back to you.
- Restriction / objection — write to [email protected].
- Lodge a complaint with the Italian Garante per la Protezione dei Dati Personali (garanteprivacy.it).
Self-service GDPR tools are available in your dashboard at /account/privacy. Both export and deletion are immediate and audited.
9. Security
Data is encrypted in transit (TLS 1.3). Database backups are encrypted at rest. Access to production systems is restricted to two authenticated administrators and audited. Bot tokens and webhook secrets are stored as environment secrets and rotated at least annually.
10. Cookies
We use only strictly necessary cookies for authentication (the NextAuth session cookie and a CSRF token). No analytics, no advertising, no third-party tracking cookies. Therefore no consent banner is shown.
11. Children
SpackBot is not directed to anyone under 13 (Discord’s minimum age). We do not knowingly collect data from children under 13.
12. Changes
We may update this Policy. Material changes will be announced on the dashboard at least 14 days in advance.
13. Contact
Privacy enquiries: [email protected]
Postal: Spackmod, via the address listed in Terms of Service.