# Privacy Policy — [PBST - Pokemon TCG BST UK] (Discord Bot)
**Last updated:** May 2026
This Privacy Policy explains what data the [PBST - Pokemon TCG BST UK] Discord bot ("the Bot", "we", "us") collects, why it collects it, how it is stored, and the rights users have over it. This policy applies specifically to the Bot's operation, separately from any general server rules or community privacy policy.
1. Who We Are
The Bot is a moderation, engagement, and utility bot developed and operated by an individual based in the United Kingdom. For the purposes of the UK General Data Protection Regulation (UK GDPR), we are the data controller for personal data processed by the Bot.
**Contact:** [samwelbst@outlook.com]
2. Data We Collect and Why
The Bot only collects data required to provide its moderation, community, and engagement features on servers where it is added. We do not collect data through any channel other than normal Discord bot operation (slash commands, message events, member events, button/interaction clicks).
| Category | Data Collected | Purpose |
|---|---|---|
| **Identity** | Discord user ID, username, and cached display name history | Required to associate actions/records with a user; username caching lets logs remain readable if a user changes their name |
| **Moderation records** | Warnings (reason, moderator, timestamp), bans/kicks/timeouts, mod action log, bot audit log | Enforcing server rules, providing moderation history to staff |
| **Roles** | Roles held, timed role assignments and expiry, persistent role snapshots (restored if a user leaves and rejoins) | Automating role management; preventing users from evading temporary bans/roles by leaving and rejoining |
| **Engagement/reputation** | XP and level, reputation score and history,| Powering the leveling, reputation, and community-engagement features |
| **Giveaways** | Giveaway entries, eligibility checks (roles/tags at time of entry) | Running and verifying fair giveaway draws |
| **Tickets** | Ticket messages, form answers, transcripts, claim/assignment records | Providing a support/ticket system and retaining a record of the interaction in case of disputes |
| **Birthdays** | Birthday date (day/month, no year required) if voluntarily provided | Sending birthday announcements if the user opts in |
| **Message-derived data** | Hashes/snapshots used for repost detection, swear-word/blocked-link detection, and stock-alert monitoring | Content moderation (spam/repost prevention, blocked-link enforcement, community alerts) — see Section 3 for scope |
| **Server statistics** | Aggregated, non-identifying channel/guild activity stats (message counts, join/leave counts per day) | Server health reporting and moderation insight; where user-level daily stats exist, they are used only to support moderation/engagement features above |
| **Reminders/scheduled content** | Reminder text and scheduling data set by a user via commands | Delivering reminders back to the user who created them |
We do **not** collect payment details, private message content outside the server, or any data outside the servers the Bot is added to.
3. Message Content Intent — Scope of Use
The Bot uses Discord's Message Content Intent strictly for the following automated, non-human-reviewed checks as messages are sent:
- Detecting blocked website links (for silent removal)
- Detecting profanity for the swear-jar feature
- Detecting duplicate/reposted content (repost detection)
- Reading custom prefix commands
- Monitoring specific designated channels for stock/restock alert keywords (opt-in feature, specific channels only)
Message content is **not** logged in bulk, is **not** read outside of these specific automated checks, and is **not** used for any purpose beyond the features listed above. Full message content is only retained where necessary (e.g., ticket transcripts, which a user creates voluntarily) and is deleted per the retention schedule in Section 5.
4. Server Members Intent — Scope of Use
The Bot uses Discord's Server Members Intent to:
- Detect when a member joins or leaves (to apply/restore roles, run new-account safety checks, and detect impersonation attempts)
- Detect username/nickname changes (impersonation detection)
- Verify a member's current roles at the time of giveaway entry/draw and role-panel interactions
This intent is not used to build follower/member lists for any purpose outside the features above, and member data is not shared or exported outside the Bot's own database.
5. Data Retention
We keep data only as long as necessary for the purpose it was collected:
**Automatically deleted after 30 days** (via a nightly automated cleanup process):
- Bot audit log entries
- Moderation action logs (warnings older than 30 days are removed from active logs)
- Ticket transcripts and closed ticket records
- Repost-detection records
- Daily/hourly server and channel statistics
- Message-drop/detection records
- Completed giveaway entries (after the giveaway has ended and been drawn)
- Reminder records (once delivered)
- New-joiner automation records
**Retained indefinitely (until removed by request or by leaving the server)** — required for the features to function correctly over time:
- Persistent role records (needed to detect users re-joining to evade a ban/restriction)
- XP, levels, and reputation scores (progression features that are expected to persist)
- Active/scheduled giveaways and their configuration
- Active timed-role assignments (until they expire)
- Birthdays (only if voluntarily provided; deleted immediately on request)
- Server/bot configuration (channels, roles, settings — not personal data)
- Custom commands (not personal data)
Any user may request full deletion of their personal data at any time (see Section 8), which is actioned immediately rather than waiting for the 30-day cycle.
6. Data Storage and Security
- All data is stored in a PostgreSQL database, accessed only by the Bot and its administrator.
- Data in transit between the Bot and Discord, and between the Bot and its database, is encrypted (TLS).
- Data at rest is protected via host-level encryption and access controls; the database is not publicly accessible and requires authenticated access.
- Access to the underlying data is restricted to the Bot's owner/administrator. Server moderators only see data surfaced through normal Bot commands (e.g., warning history), not raw database access.
- No system can be guaranteed 100% secure, but we take reasonable, industry-standard steps to protect the data we hold.
7. Data Sharing
We do not sell personal data. Data may be shared only with:
- **Discord**, as the platform the Bot operates on (subject to [Discord's Privacy Policy](https://discord.com/privacy))
- **Server moderators/administrators**, who can view moderation-relevant data (warnings, tickets, audit logs) as part of their role
- **Legal authorities**, only if legally required to comply with a valid request
8. Your Rights (UK GDPR)
If you have interacted with the Bot on a server where it is active, you have the right to:
- **Access** the personal data we hold about you
- **Request correction** of inaccurate data
- **Request deletion** of your data ("right to be forgotten")
- **Object to or restrict** certain processing
**How to exercise these rights:** Contact us at [samwelbst@outlook.com] with your Discord user ID. Deletion requests are actioned via our internal data-erasure tool, which permanently removes all records tied to your user ID across every table described in Section 2, and are typically completed within a few days (and always within one month, per UK GDPR).
You also have the right to lodge a complaint with the UK's data protection regulator, the Information Commissioner's Office (ICO), at [ico.org.uk](https://ico.org.uk).
9. Children's Privacy
The Bot is not directed at, and does not knowingly collect data from, children under 13 (or the minimum age required by Discord's Terms of Service in your region). If we become aware that we have inadvertently collected data from a child under this age, we will delete it promptly.
10. Automated Decision-Making
Certain Bot features act automatically based on predefined rules set by server administrators (e.g., automatically applying a role on join, automatically removing a message containing a blocked link, or automatically flagging a possible impersonation attempt for moderator review). These automated actions:
- Are based on transparent, configurable rules — not opaque profiling
- Do not make final punitive decisions without human oversight for significant actions (e.g., impersonation flags are routed to human moderators for review, not auto-banned)
- Can always be reviewed or reversed by a server moderator/administrator
11. International Data Transfers
Some third-party services we rely on (Discord, X, Amazon) may process data outside the United Kingdom. These providers are responsible for ensuring appropriate safeguards for international data transfers under applicable data protection law.
12. Changes to This Policy
We may update this policy as the Bot's features change. Material changes will be reflected with an updated "Last updated" date at the top of this document. Continued use of the Bot after changes constitutes acceptance of the revised policy.
13. Contact
For any privacy questions, data requests, or concerns about how the Bot handles your data, contact: **[samwelbst@outlook.com]**
