Kanin's BotBase
HomeStatusDocs

Legal

Privacy Policy

Last updated: May 31, 2026

1. Introduction

This Privacy Policy explains what personal data BotBase (“we”, “us”, or “our”) collects, why we collect it, how we use it, and your rights regarding that data. We are committed to protecting your privacy and processing your data transparently and lawfully.

This policy applies to the BotBase dashboard and the associated Discord bot. If you are a Discord server member who interacts with the bot but has never logged into the dashboard, limited data may still be collected as described below.

2. Data We Collect

We collect the following categories of personal data, depending on how you interact with the Service:

2.1 Discord Account Data (via OAuth 2.0)

When you log in to the dashboard, Discord shares the following data under the OAuth 2.0 scopes identify guilds email:

  • Discord User ID - your unique identifier on Discord
  • Username and display name - your current Discord username and global display name
  • Avatar and banner - CDN hash used to display your profile picture
  • Email address - your Discord account email (we collect but do not send marketing to this address)
  • Email verified status - whether Discord has verified your email
  • Guild (server) list - the servers you are in, used to show which servers you can manage

We do not receive your Discord password. Authentication is handled entirely by Discord.

2.2 Guild (Server) Data

When the bot is added to a Discord server, we store metadata about that server:

  • Server ID, name, and icon
  • Server owner ID and member count
  • Bot join and leave timestamps
  • Configuration settings set by server administrators (moderation rules, level rewards, channel configurations, etc.)

2.3 Member Interaction Data

As users interact with the bot in a server, we may collect:

  • Per-server nickname, server avatar, and server banner (cached from Discord)
  • XP and level data (messages sent, voice time, XP totals) if the levels module is enabled in that server
  • Birthday (month, day, and optionally year) if you set it via the bot or dashboard
  • Form responses (applications, appeals, introductions) if you submit a form in a server using the forms module
  • Staff audit log entries when a staff member performs an action that involves you as the target (e.g. a moderation action)

2.4 Bot Activity Metrics

To power features such as analytics leaderboards and stat channels, the bot records a time-series log of activity events in a local DuckDB database. For each event we store:

  • A timestamp
  • A metric type (e.g. message, voice_join, command_use)
  • Guild ID and channel ID where the event occurred
  • Your Discord user ID
  • A numeric value and optional tags

This data is stored locally on our server and is never shared with third parties. It is included in your data export (see Section 6 - Right to Data Portability) and deleted when you request account erasure.

2.5 Dashboard Preferences

If you use the dashboard, we store your preferences including your chosen theme (light/dark/auto), timezone, and locale.

2.6 Usage Analytics (PostHog)

In production, we use PostHog to collect anonymised usage analytics, including page views, feature interactions, browser type, operating system, device type, and approximate location derived from your IP address. PostHog analytics are only loaded after you accept analytics cookies via the cookie consent banner. If you decline, PostHog is not initialised and no tracking data is sent.

2.7 Error Tracking (Sentry)

We use Sentry for error and performance monitoring on both the bot and the dashboard. When an error occurs, Sentry may capture your Discord user ID, username, guild ID, the command or endpoint being used, and a stack trace. Sentry is configured with send_default_pii=True, which means personally identifying context may be included in error reports. Sensitive values such as tokens, secrets, and cookies are automatically scrubbed before transmission. Sentry is active regardless of cookie preference because it is used for service reliability, not behavioural tracking.

2.8 Session Cookies

We use a server-side session cookie to keep you logged in. This cookie is HttpOnly (not accessible to JavaScript), SameSite=Lax, and expires after two weeks. See our Cookie Policy for details.

3. How We Use Your Data

PurposeData UsedLegal Basis (GDPR)
Authentication and session managementDiscord ID, username, email, guild listContract (Art. 6(1)(b))
Providing bot features (levels, birthdays, moderation, forms)Member interaction data, birthday, XP dataContract (Art. 6(1)(b))
Bot activity analytics (leaderboards, stat channels)Event timestamp, metric type, guild/channel/user IDsLegitimate Interest (Art. 6(1)(f))
Guild configuration and administrationGuild metadata, staff audit logsContract (Art. 6(1)(b))
Error monitoring and service reliabilityUser ID, username, guild ID, stack tracesLegitimate Interest (Art. 6(1)(f))
Usage analytics and product improvementPage views, interactions, device/browser info, IPConsent (Art. 6(1)(a))
Dashboard personalisationTheme, timezone, locale preferencesContract (Art. 6(1)(b))

4. Third-Party Services

We share data with the following third parties as necessary to operate the Service. We do not sell your data to any third party.

  • Discord - OAuth 2.0 authentication. When you log in, Discord shares your profile data with us under Discord's Privacy Policy.
  • PostHog - Usage analytics (analytics consent required). PostHog's Privacy Policy.
  • Sentry - Error and performance monitoring. Sentry's Privacy Policy.

5. Data Retention

We retain data for as long as it is needed to provide the Service or as required by law:

  • Session data - automatically expires after two weeks of inactivity
  • User account data - retained indefinitely until you request deletion (see Section 6 below)
  • Guild data - retained until deleted by a server administrator or by us on request
  • Bot activity metrics - retained indefinitely until account deletion or manual purge by the server operator
  • Sentry events - retained per Sentry's standard retention policy (90 days by default on the free plan)
  • PostHog analytics - retained per PostHog's standard retention policy

6. Your Rights

If you are located in the European Union or otherwise have rights under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15) - Request a copy of the data we hold about you
  • Right to rectification (Art. 16) - Request correction of inaccurate personal data
  • Right to erasure (Art. 17) - Request deletion of your personal data. You can do this immediately via the “Delete My Account” button in Settings.
  • Right to restriction of processing (Art. 18) - Request that we restrict how we process your data in certain circumstances
  • Right to data portability (Art. 20) - Request your data in a structured, commonly used format
  • Right to object (Art. 21) - Object to processing based on legitimate interests
  • Right to withdraw consent (Art. 7(3)) - Withdraw your consent to analytics at any time via the cookie banner or the “Cookie Settings” link in the footer

To exercise any of these rights, contact the service operator. We will respond within 30 days.

If you believe your rights have not been respected, you have the right to lodge a complaint with your local data protection authority. In the EU, you can find your supervisory authority at edpb.europa.eu.

7. Children's Privacy

The Service is not directed to anyone under 16 years of age. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us so we can delete it promptly.

8. Data Security

We implement reasonable technical and organisational security measures to protect your personal data against unauthorised access, loss, or disclosure. These include server-side HttpOnly session cookies, TLS encryption in transit, and automated secrets scrubbing before any data is sent to Sentry.

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly via our Vulnerability Disclosure Policy.

9. International Transfers

This Service is operated from the United States. If you access it from the European Economic Area or other regions with data protection laws, your data may be transferred to and processed in the United States, which may have different data protection standards than your country. By using the Service, you consent to this transfer. We take steps to ensure adequate protections are in place, and your GDPR rights remain intact regardless of where data is processed.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. We encourage you to review this page periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For any privacy-related questions, requests, or concerns, contact us at:

the service operator