Privacy Policy

1. Introduction

Welcome to Discovrd ("we," "us," or "our"). We're committed to protecting your privacy and being transparent about how we collect and use data. This Privacy Policy explains what information we collect, how we use it, and your rights under privacy laws including the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

Discovrd is a curated Discord server and bot discovery platform that helps users find high-quality Discord communities and tools. We're based in Ontario, Canada, and operated by Deckhand Software.

2. Information We Collect

2.1 Information You Provide Directly

When you use Discovrd, you may provide:

• Account Information via Discord OAuth: Discord username, Discord ID, email address, avatar URL
• User-Generated Content: Server reviews, bot reviews, ratings, comments, reports
• Contact Form Submissions: Name, email, subject, message when you contact us
• Bookmarks and Preferences: Saved servers/bots, browsing preferences
• Payment Information: Stripe processes payments for premium listings (we don't store payment card details)

2.2 Information We Collect from Discord

When you authenticate with Discord or when we fetch server/bot data, we collect:

• Discord Server Information: Server name, description, icon, banner, member count, online count, invite codes
• Discord Bot Information: Bot name, invite URL, avatar (if available)
• Public Discord Profile: Your public Discord username, discriminator, and avatar when you log in

We comply with Discord's Developer Terms of Service and only access data necessary to provide our service.

2.3 Automatically Collected Data

When you use Discovrd, we automatically collect:

• Page views and navigation: Pages visited, time spent, servers/bots explored
• Click tracking: Interactions with listings, join buttons, and UI elements
• Advanced interaction tracking:
  • Impressions: When server/bot listings become at least 50% visible in your viewport
  • Position tracking: Where items appear in search results, category pages, and lists
  • Time on page: How long you spend viewing listing detail pages
  • Context tracking: Which page and list you're viewing when interacting with content
• Technical information: Browser type, device type, screen resolution, referring URL
• Session data: Session tokens, authentication state

Why we collect this data: Impression, time-on-page, and interaction data helps us understand which content resonates with users, improve our recommendation algorithms, and optimize the platform's ranking systems. This data is analyzed in aggregate to identify trends and improve user experience.

2.4 Cookies and Similar Technologies

We use cookies and local storage for:

• Essential cookies: Session management, authentication, cookie consent preferences
• Preference cookies: Dark mode, language preferences, bookmarked content
• Analytics cookies: Google Analytics or similar tools
• Advertising cookies: Google AdSense/Ad Manager

See our Cookie Notice for detailed information.

3. How We Use Your Information

We use collected data for:

• Service delivery: Displaying curated server/bot listings, personalized recommendations
• User accounts: Authentication, profile management, saved content
• User-generated content: Displaying reviews, ratings, and user feedback
• Quality assurance: Reviewing flagged content, moderating submissions, maintaining quality standards
• Communication: Responding to contact form submissions, support requests, automated notifications
• Premium features: Processing premium listing purchases via Stripe
• Platform improvement: Understanding usage patterns, identifying popular content, improving ranking algorithms
• Security monitoring: Logging security events, preventing fraud, detecting suspicious activity
• Performance optimization: Caching user and session data (encrypted) for faster page loads
• Legal compliance: Meeting legal obligations, preventing abuse, enforcing terms

3.1 Email Communications

We send the following types of automated emails via Resend (our email service provider):

Email service provider: Resend (https://resend.com/legal/privacy-policy)

From addresses: noreply@discovrd.org, notifications@discovrd.org

Email metadata retention: Email logs (sent/delivered/bounced status) retained for 1 year for troubleshooting. Email content stored in your account activity history.

Opting out: You cannot opt out of essential emails. To stop all communications, you must delete your account. Submission-related and review-related emails are inherent to using the platform and cannot be individually disabled.

4. Third-Party Services

We use the following third-party services that may collect data:

5. How We Share Your Information

We may share your information in the following circumstances:

• Public content: Reviews, ratings, and comments you post are publicly visible
• Service providers: Discord, Stripe, Cloudflare, Upstash as described above
• Legal requirements: When required by law, court order, or government request
• Business transfers: In the event of a merger, acquisition, or sale of assets
• Consent: With your explicit consent for specific purposes

We do not sell your personal information to third parties.

6. Data Retention

We retain data for different periods based on the type of information and legal requirements. Our system uses "soft deletion" for most content, meaning deleted items are hidden from public view but retained for moderation and appeals.

6.1 Account Data

• Active accounts: Retained while your account is active
• Account deletion request: When you request account deletion:
  • 30-day grace period: Your account is soft-deleted (hidden but recoverable)
  • After 30 days: Email and password hash are anonymized (irreversible)
  • Your user ID and public content (reviews, ratings) remain for data integrity
  • Complete hard deletion: Available upon request for EU/CA users (see Section 7.4)

6.2 User-Generated Content

• Active content (servers, bots, reviews): Retained indefinitely while active
• Deleted by user: Soft-deleted (hidden from public view, but retained for moderation/appeals for 90 days)
• Deleted by moderation: Soft-deleted with deletion reason and admin ID tracked. Retained for 90 days for appeals, then available for complete removal upon request
• Complete removal: EU/CA users can request complete hard deletion under GDPR/CCPA (see Section 7.4)

6.3 Other Data Types

• Session data: Retained for 30 days for security purposes
• Security logs (login attempts, account lockouts): Retained for 1 year for fraud prevention and incident response
• Email metadata: Sent/delivered/bounced status retained for 1 year for troubleshooting
• Contact form submissions: Retained for 2 years after resolution, then deleted
• Payment data: Stripe retains per their policies; we store transaction IDs for 7 years (legal requirement for accounting)
• Analytics data (page views, clicks, impressions): Retained for 365 days, then deleted
• Cached data (Redis): Short-term caching only (minutes to hours), encrypted with AES-256-GCM

6.4 Why Soft Delete?

We use soft deletion (hiding content instead of immediately erasing it) for important reasons:

• Appeal period: Users can appeal moderation decisions within 90 days
• Data integrity: Maintaining referential integrity (e.g., reviews stay linked to servers even if soft-deleted)
• Abuse prevention: Prevents bad actors from deleting evidence of ToS violations
• Audit trail: Tracking who deleted what and why for accountability

Important: Soft-deleted content is not publicly visible and doesn't appear in search results. Only you (and admins for moderation) can see soft-deleted content with the deletion reason. EU/CA users have the right to request complete hard deletion at any time (see Section 7.4).

7. Your Privacy Rights

7.1 GDPR Rights (EU Users)

You have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Limit how we process your data
• Portability: Receive your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Opt out of optional data processing at any time

7.2 CCPA Rights (California Users)

You have the right to:

• Know: What personal information we collect and how it's used
• Delete: Request deletion of your personal information
• Opt-out: Opt out of the "sale" of personal information (we do not sell data)
• Non-discrimination: Equal service regardless of privacy choices

7.3 Canadian Users (PIPEDA)

You have the right to:

• Access: Know what personal information we hold about you
• Correction: Challenge the accuracy of your data
• Withdrawal: Withdraw consent (may affect service availability)

7.4 How to Exercise Your Rights

To exercise any of these rights, contact us via our contact form. We'll respond within 30 days and may need to verify your identity to process your request.

Response timeline: We respond to all requests within 30 days. Complex requests may take up to 60 days with notification.

Identity verification: We may request additional information to verify your identity before processing requests that involve access to or deletion of your data.

No fees: Exercising your privacy rights is free. We may charge a reasonable fee for manifestly unfounded or excessive requests.

8. Data Security

8.1 Security Measures

We take reasonable measures to protect your data:

• HTTPS encryption for all data transmission
• Secure database storage with access controls
• Regular security audits and updates
• Password hashing using bcrypt
• Session token encryption
• Minimal data collection (privacy by design)

However, no internet transmission is 100% secure. We cannot guarantee absolute security.

8.2 Security Event Logging

To protect your account and detect fraud, we log the following security events:

• Login attempts: Successful and failed login attempts (timestamp, IP address, user agent)
• Account lockouts: When accounts are temporarily locked due to multiple failed login attempts (5 attempts in 15 minutes triggers a 1-hour lockout)
• CSRF token failures: Invalid or missing CSRF tokens that could indicate attack attempts
• Rate limit violations: Excessive requests that trigger our rate limiting protections
• Suspicious activity: Unusual patterns that may indicate unauthorized access attempts

Data logged for security events:

• Timestamp of the event
• IP address (anonymized after 90 days)
• User agent (browser/device information)
• Event type and outcome
• User ID (if applicable)
• Session ID (if applicable)

Retention period: Security logs are retained for 1 year for fraud prevention, incident response, and compliance with security best practices. After 1 year, logs are automatically deleted.

Access and use: Security logs are only accessed for legitimate security investigations, incident response, or compliance audits. Logs are not used for marketing or analytics purposes.

Legal basis (GDPR): Security logging is based on our legitimate interest in protecting user accounts and preventing fraud (GDPR Article 6(1)(f)).

9. International Data Transfers

Discovrd is hosted on servers that may be located in various countries. When you use our service, your data may be transferred to and processed in countries outside your own, including the United States (Discord, Stripe, Cloudflare servers). We ensure such transfers comply with applicable data protection laws and use appropriate safeguards (e.g., Standard Contractual Clauses).

10. Children's Privacy

Discovrd is designed for users aged 13 and older (in compliance with Discord's age requirements and COPPA). We do not knowingly collect data from children under 13. If you believe we've collected data from a child under 13, please contact us via our contact form and we'll delete it promptly.

11. User-Generated Content Privacy

When you post reviews, ratings, or comments:

• Your Discord username and avatar are publicly visible with your content
• Content is publicly accessible and may be indexed by search engines
• You can edit or delete your content at any time through your profile
• We may retain deleted content for moderation/legal purposes for up to 90 days
• We moderate content according to our Community Guidelines

12. Discord API Compliance

When you use Discord OAuth to log in, we request the following scopes:

• identify: Access your Discord username, ID, and avatar
• email: Access your Discord account email address

We comply with Discord's Developer Terms of Service and API policies. We do not request access to your Discord servers, messages, or other private information beyond what's necessary for authentication.

Server and bot information displayed on Discovrd is fetched from Discord's public APIs using invite codes. We cache this data to improve performance but refresh it periodically to maintain accuracy.

13. Do Not Track Signals

Some browsers transmit "Do Not Track" (DNT) signals. Currently, we do not respond to DNT signals, but you can manage cookie preferences through our consent banner when analytics/advertising are implemented.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We'll post the updated policy with a new "Last updated" date. Significant changes will be communicated via a notice on our homepage or via email if you have an account.

15. Contact Us

For questions about this Privacy Policy or to exercise your privacy rights:

16. Supervisory Authority

If you're in the EU/EEA and believe we've violated GDPR, you have the right to lodge a complaint with your local data protection authority. Canadian users can contact the Office of the Privacy Commissioner of Canada.