Privacy Policy

1. Introduction

This Privacy Policy describes how Starspace Group ("Starspace", "we", "us", or "our"), the operator of SpaceBot ("the Service"), collects, uses, stores, and protects information when you use our Discord bot platform and associated web dashboard. By using the Service, you acknowledge that you have read and understood this Privacy Policy.

SpaceBot operates as a Discord application subject to Discord's Developer Terms of Service and Discord's Developer Policy. We encourage you to also review Discord's Privacy Policy to understand how Discord collects and processes your data.

2. Data Controller

Starspace Group is the data controller responsible for the personal data processed through the Service. For privacy inquiries, you may contact us via the methods described in the Contact section below.

3. Information We Collect

3.1 Information from Discord OAuth2

When you log in via Discord OAuth2, we request the following scopes and receive:

• identify — Your Discord user ID, username, display name, avatar, and discriminator
• guilds — A list of Discord servers (guilds) you are a member of, including your permissions in each

We do not request or receive your email address, password, or private messages through Discord OAuth2.

3.2 Discord Server Data

When SpaceBot is installed and active in a Discord server, we may process:

• Server (guild) metadata: server ID, name, icon, member count, channel count, role count, emoji count, boost count, and boost level
• Event metadata: event types (e.g., member join/leave, role updates, channel changes), actor IDs, actor usernames, target IDs, target names, channel IDs, and channel names
• Command usage and interaction data (slash commands, context menu interactions)
• Member role assignments for permission checking

We do not read or store message content. SpaceBot does not use the Discord MESSAGE_CONTENT privileged intent. Event logs capture metadata about events (such as the fact that a message was sent), but not the content of messages.

3.3 Server Statistics

We periodically record aggregated server statistics (member counts, channel counts, role counts, boost levels) to provide historical analytics in the admin dashboard. These statistics are associated with server IDs, not individual users.

3.4 Automations & Custom Commands

Server administrators may create automations and custom commands through the dashboard. These configurations (trigger conditions, action definitions, response templates) are stored in association with the server ID.

3.5 AI Interactions

If your server uses SpaceBot's AI chat features, conversation messages sent to the bot are processed via Cloudflare Workers AI. These messages are processed in real time and are not persistently stored by us beyond the duration of the conversation session.

3.6 Cookies

We use strictly necessary first-party cookies to maintain your authenticated session:

• discord_user_id — Your Discord user ID
• discord_username — Your Discord username
• discord_global_name — Your Discord display name
• discord_avatar — Your Discord avatar hash
• discord_discriminator — Your Discord discriminator
• discord_access_token — Your OAuth2 access token (used to communicate with Discord's API on your behalf)

These cookies expire after 7 days and are essential for the Service to function. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

3.7 API Keys

Server administrators may generate API keys for programmatic access. These keys are stored securely and are associated with the server and the user who created them.

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b) GDPR) — Processing necessary to provide the Service you have requested, including authentication and dashboard functionality
• Legitimate interests (Art. 6(1)(f) GDPR) — Processing necessary for our legitimate interests in operating, maintaining, and improving the Service, provided these interests are not overridden by your rights
• Consent (Art. 6(1)(a) GDPR) — Where you have given consent, such as when authorizing SpaceBot via Discord OAuth2. You may withdraw consent at any time by revoking SpaceBot's access through your Discord account settings

5. How We Use Your Information

We use the information we collect to:

• Authenticate you and authorize access to your admin dashboard
• Execute automations, custom commands, and webhooks you configure
• Display server statistics, event logs, and analytics
• Enforce permission controls within the Service
• Process AI chat interactions when you use that feature
• Maintain, protect, and improve the Service
• Comply with legal obligations

6. Data Sharing & Third-Party Services

We do not sell, rent, trade, or otherwise share your personal information with third parties for their marketing purposes.

We share data only with the following categories of service providers, strictly as necessary to operate the Service:

• Discord — We communicate with Discord's API to authenticate users, retrieve server data, and perform bot actions. Your data shared with Discord is governed by Discord's Privacy Policy.
• Cloudflare — The Service is hosted on Cloudflare's infrastructure (Cloudflare Workers/Pages and D1 databases). Data processed through Cloudflare is subject to Cloudflare's Privacy Policy.
• Cloudflare Workers AI — If you use AI chat features, conversation data is processed through Cloudflare's AI inference services.

We may also disclose information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of us, our users, or the public.

7. International Data Transfers

The Service is hosted on Cloudflare's global network. Your data may be processed in countries other than your country of residence, including the United States and other jurisdictions where Cloudflare operates edge nodes. Where data is transferred outside the EEA, UK, or Switzerland, we rely on Cloudflare's data processing agreements and appropriate safeguards, including Standard Contractual Clauses (SCCs) where applicable, to ensure adequate protection of your data.

8. Data Retention

• Authentication data — Session cookies expire after 7 days. OAuth2 tokens are not stored server-side beyond the cookie.
• Event logs — Retained for as long as the server remains active on the Service. Server administrators may request deletion.
• Server statistics — Historical statistics are retained for as long as the server remains active. Aggregated statistics may be retained indefinitely.
• Automations & commands — Retained until deleted by the server administrator or until the bot is removed from the server.
• API keys — Retained until revoked by the server administrator or until the bot is removed.

When SpaceBot is removed from a server, server administrators may request complete deletion of all associated data. We will process such requests within 30 days.

9. Data Storage & Security

Data is stored in Cloudflare D1 databases with encryption at rest and in transit. We implement reasonable technical and organizational security measures including:

• Encrypted connections (HTTPS/TLS) for all data in transit
• Access controls and authentication for the admin dashboard
• Role-based permission checks for server data access
• Secure cookie attributes (HttpOnly, SameSite) for session management

Despite these measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

10. Your Rights

10.1 General Rights (All Users)

Regardless of your location, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Remove SpaceBot from your server to stop further data collection
• Revoke SpaceBot's OAuth2 access through your Discord Authorized Apps settings

10.2 European Economic Area, UK & Switzerland (GDPR/UK GDPR)

If you are located in the EEA, UK, or Switzerland, you additionally have the right to:

• Data portability — Receive your personal data in a structured, commonly used, machine-readable format
• Restriction of processing — Request that we restrict processing of your personal data under certain circumstances
• Object to processing — Object to processing based on legitimate interests
• Withdraw consent — Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing
• Lodge a complaint — File a complaint with your local data protection supervisory authority

10.3 California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

• Know — Request disclosure of the categories and specific pieces of personal information we have collected about you
• Delete — Request deletion of your personal information
• Opt-out of sale — We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.
• Non-discrimination — We will not discriminate against you for exercising your privacy rights

10.4 Brazil (LGPD)

If you are located in Brazil, you have the right to:

• Confirm the existence of processing of your data
• Access, correct, or anonymize your data
• Request data portability
• Request deletion of data processed with your consent
• Obtain information about public and private entities with which your data has been shared
• Revoke consent at any time

10.5 Other Jurisdictions

If you are located in another jurisdiction that grants specific privacy rights (including but not limited to Canada under PIPEDA, Australia under the Privacy Act, Japan under APPI, South Korea under PIPA, or other applicable laws), we will respect those rights to the extent required by applicable law. Please contact us to exercise your rights.

10.6 Exercising Your Rights

To exercise any of the above rights, please contact us using the methods in the Contact section below. We will respond to verified requests within 30 days (or the applicable timeframe required by your local law). We may ask you to verify your identity before processing your request.

11. Automated Decision-Making

The Service uses automated processing to execute automations and commands configured by server administrators (e.g., auto-moderation rules, event-triggered actions). These automated processes operate based on rules explicitly set by server administrators and do not involve profiling or automated decision-making that produces legal effects or similarly significant effects on individuals.

12. Children's Privacy

The Service is not directed at, and we do not knowingly collect personal information from, children under the age of 13 (or the minimum age required in your jurisdiction). This aligns with Discord's own age requirements. In the European Economic Area, the minimum age is 16 (or lower if your member state has set a lower age, but no lower than 13). In South Korea, the minimum age is 14.

If we become aware that we have collected personal data from a child below the applicable minimum age without verified parental consent, we will take steps to delete that information promptly. If you believe we have collected data from a child, please contact us immediately.

13. Do Not Track

We do not track users across third-party websites. The Service does not respond to "Do Not Track" (DNT) browser signals because we do not engage in the type of cross-site tracking that such signals are designed to prevent.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes by updating the "Last updated" date at the top of this page. For significant changes, we will make reasonable efforts to provide additional notice (such as via our GitHub repository or Discord support server). Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

15. Contact

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us via:

• GitHub: github.com/starspacegroup/spacebot/issues
• Email: spacebot@starspace.group

For users in the EEA, UK, or Switzerland, you also have the right to lodge a complaint with your local data protection supervisory authority.