Privacy Policy
Last updated 2026-04-27. This is a working draft pending legal review. Some controller/contact fields are placeholders and will be completed after review.
1. Overview
This Privacy Policy explains what data GoofBot collects, why we collect it, how long we keep it, and the rights you have over it. It applies to the GoofBot Discord bot, the dashboard at goofbot.gyneric.net, and the Twitch integrations associated with the bot.
2. What we collect
We collect only what is needed to operate the features you or your server admin enables.
- Discord identifiers — your user ID, the guild ID, channel IDs, role IDs. We do not collect your real name, email, or phone number from Discord.
- Discord OAuth tokens — encrypted at rest, used to read /users/@me/connections (if you grant the connections scope) and to identify you on the dashboard.
- Twitch identifiers — your Twitch user ID and login when you link Twitch to your Discord account, plus encrypted OAuth tokens for the scopes you grant.
- Message logs (opt-in only) — when a server administrator enables message logging, message content, author ID, channel, timestamp, and (for deleted messages) the ID of the moderator or bot that deleted them are stored. Retained 90 days then pruned. If the administrator additionally enables private-thread monitoring, the bot auto-joins private threads in your server and these logs cover messages posted there too — server members may not be aware a bot is in private threads, so administrators are responsible for disclosing this to their community.
- Twitch chat logs (opt-in only) — chat messages from channels watched by a guild that has chat logging enabled.
- Points, XP, currency, and loyalty balances — earned via configured per-server rules.
- Ticket transcripts — content of channels created via the ticket system, accessible to mod roles in that guild.
- Custom commands, tags, embeds, schedules, and other content authored on the dashboard.
- Per-guild settings configured by administrators (channel IDs, role IDs, toggles, numeric values).
- Birthday data (opt-in) — month, day, and timezone if you set them via /birthday set. GoofBot does not request or store birth years.
- Audit log of state-changing actions on the dashboard.
- Session and CSRF cookies, plus theme and density preference cookies.
3. How we use the data
Data is processed only to operate the features you or your server admin enables — moderation, levelling, points, custom commands, ticket workflows, Twitch alerts, dashboard editing, abuse prevention. We do not sell or rent your data, and we do not use it for advertising or profiling beyond what is needed to deliver the bot's features.
3A. Aggregated and anonymous information
We may create aggregated or anonymized statistics about how GoofBot is used, such as feature adoption, command counts, error rates, or performance trends. These summaries do not identify individual users and may be used to improve the service, plan capacity, publish product updates, or explain feature usage to server administrators.
4. Lawful basis for processing (GDPR / EU/EEA users)
Where the GDPR applies, we rely on (a) performance of contract with the server administrator who configured the bot, (b) legitimate interest in providing and securing the service, and (c) your consent for opt-in features such as message logging and birthday tracking. You can withdraw consent for opt-in features by asking your server administrator to disable them or by removing the bot from your server.
4A. Controller and regional notices
GoofBot is operated from the United States. The final legal operator name, mailing address, privacy contact, and any required EU/UK representative are pending legal review and will be filled in before the policy is finalized. Until then, privacy questions can be sent to [email protected] or raised in the official GoofBot Discord at https://discord.gg/ZWJ7VSYWYX. EU, EEA, UK, and California rights are summarized in this Policy and explained in more detail in the GDPR Privacy Notice.
5. Subprocessors
We rely on the following third-party services to operate. Each handles only the data needed for its role.
- Discord — authentication, messaging, slash commands, guild metadata, monetization (when premium tiers are live).
- Twitch — authentication, Helix API for stream and user data, IRC for chat bridging, EventSub for real-time events.
- Hostinger — VPS hosting (database, application servers, Caddy reverse proxy).
- Cloudflare — DNS for goofbot.gyneric.net and devgoofbot.gyneric.net; proxied traffic only at the edge.
- Off-host backup destination — encrypted nightly snapshots of databases, retained per the schedule below, stored on a Proxmox LXC container we operate.
6. Retention
We keep data only as long as needed for the purpose it was collected.
- Message logs (including private-thread messages when monitoring is enabled, and deletion-executor IDs): 90 days, then pruned automatically.
- Twitch chat logs: 90 days.
- Ticket transcripts: retained until the guild administrator deletes them.
- Per-guild settings: retained until the bot is removed from the guild or the administrator clears them.
- User links (Discord ↔ Twitch): retained until you unlink via /link remove or revoke our application.
- Web sessions: 30 days from last use, then expired.
- Audit log: retained indefinitely unless an administrator requests deletion (audit logs are themselves a legal-compliance record for moderation actions).
- Backups: 7 daily / 4 weekly / 12 monthly, plus manually labelled snapshots retained until the operator deletes them.
- Payment records (when premium is live): retained for the period required by applicable tax and accounting law (typically 7 years in the EU and US).
7. Your rights
Depending on your jurisdiction (GDPR for the EU/EEA/UK, CCPA for California, comparable laws elsewhere), you may have the following rights regarding your personal data.
- Access — request a copy of the personal data we hold about you.
- Rectification — request correction of inaccurate data.
- Erasure / 'right to be forgotten' — request deletion of your data, subject to legitimate exceptions (e.g. moderation audit logs, legal retention requirements).
- Restriction of processing — ask us to limit how we use your data while a request is being investigated.
- Portability — request your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — for opt-in features, you can withdraw at any time.
8. How to exercise your rights
Server administrators can clear most per-guild data via the dashboard's "reset section" buttons or by removing the bot from their server. For requests covering personal data tied to your individual account (Twitch link, points, XP, birthday, tickets, or message logs authored by your Discord ID), contact [email protected] or open a ticket in the official GoofBot Discord at https://discord.gg/ZWJ7VSYWYX. We will respond within 30 days, or sooner where required by law.
9. Children's data
GoofBot is not directed at users under 16. We do not knowingly collect personal data from anyone below that age. The 16+ threshold is set globally to satisfy the strictest jurisdiction in which we operate (GDPR Article 8). If a parent or guardian believes their child has provided data to us, contact us using the address in section 8 and we will delete it.
10. Security
OAuth tokens and other sensitive fields are encrypted at rest. The dashboard uses HTTPS exclusively (HSTS enabled at the proxy). Sessions are bound to per-session CSRF tokens. Backups are stored off-host on infrastructure we operate. Owner-tier dashboard surfaces are gated behind TOTP. No system is fully secure; if you suspect a vulnerability, please report it privately rather than disclosing publicly.
11. Data location
Application servers and primary databases are located in the European Union (Hostinger). Off-host backups are stored on infrastructure we operate that may be located in the European Union or the United States. Discord, Twitch, and Cloudflare process data globally per their own policies.
12. Changes to this Policy
Material changes will be announced on the dashboard and in the bot changelog at least 14 days before they take effect. The version number and last-updated date at the top of this page reflect the current revision. Earlier revisions are available on request.