Privacy Policy

Last Updated: February 20, 2026

This Privacy Policy explains how Belfry ("we", "us", or "our") collects, uses, stores, and protects your information when you use our Discord bot and web services. By using Belfry, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Discord User Information

When you authenticate with Belfry through Discord OAuth2, we collect:

  • Discord User ID - Your unique Discord identifier (stored as primary key)
  • Username - Your Discord username
  • Discriminator - Your Discord discriminator (if applicable)
  • Avatar URL - Your Discord profile picture URL
  • Access Token - OAuth2 access token (encrypted, not exposed in API responses)
  • Refresh Token - OAuth2 refresh token (encrypted, not exposed in API responses)
  • Token Expiration - When your access token expires

1.2 Discord Server (Guild) Information

When Belfry is added to your Discord server, we collect:

  • Guild ID - Your server's unique Discord identifier
  • Guild Name - Your server's name
  • Guild Icon - Your server's icon URL
  • Member Count - Total number of members in your server
  • Guild Permissions - Your permissions within the server (to determine access levels)
  • Channel IDs - IDs of channels where events are posted or configured
  • Role IDs - IDs of roles used for RSVP, guest passes, or giveaway requirements

1.3 Event Data

When you create or interact with events, we store:

  • Event Details - Title, description, start/end times, location (channel ID or text)
  • Host User ID - Discord ID of the event creator
  • Discord Event ID - If synced with Discord's native scheduled events
  • Banner URL - Event banner image URL (if provided)
  • Visibility Settings - Public, internal, or private
  • Access Control - Capacity limits, role requirements, guest pass settings
  • Attendee Count - Number of RSVPs
  • Linked Channel ID - Channel where event notifications are sent

1.4 RSVP and Attendee Data

When you RSVP to an event, we store:

  • User ID - Your Discord user ID
  • Event ID - The event you're attending
  • Guild ID - The server where the event is hosted
  • RSVP Status - Going, interested, not going, pending, approved, rejected, waitlisted
  • Origin - How you joined (internal, guest pass, Discord native event)
  • Ticket Code - Unique ticket code for check-in (if applicable)
  • Ticket Usage - Whether your ticket has been used
  • Join Timestamp - When you RSVPed
  • Custom Responses - Answers to custom RSVP questions (if configured)

1.5 Giveaway Data

When you participate in giveaways, we store:

  • Giveaway Details - Title, description, prize, winner count, start/end times
  • Host User ID - Discord ID of the giveaway creator
  • Entry User IDs - Discord IDs of all participants
  • Winner User IDs - Discord IDs of selected winners
  • Requirements - Role requirements, account age, server age minimums
  • Channel and Message IDs - Where the giveaway is posted
  • Entry Timestamps - When users entered

1.6 Audit Logs

For security and moderation purposes, we log:

  • Action Type - Create, update, delete, approve, reject, etc.
  • User ID - Who performed the action
  • Guild ID - Which server the action occurred in
  • Target Type and ID - What was affected (event, giveaway, attendee, etc.)
  • Changes - What was modified (before/after values)
  • Metadata - Additional context about the action
  • Timestamp - When the action occurred

1.7 Analytics and Statistics

We collect aggregated, anonymized statistics:

  • Event Statistics - Total events, attendees, RSVPs, check-ins
  • Guild Statistics - Total events hosted, giveaways run, unique attendees
  • User Statistics - Events attended, events hosted, giveaways won/entered
  • Engagement Metrics - RSVP rates, attendance rates, popular event times

1.8 Technical Data

We automatically collect:

  • API Request Logs - Request method, URL, status code, response time (via Fastify logger)
  • Error Logs - Error messages and stack traces for debugging
  • Gateway Secret - For bot-to-API authentication (not user-facing)

2. How We Use Your Information

2.1 Core Functionality

  • Authenticate users and verify permissions
  • Create, manage, and display events
  • Process RSVPs and manage attendee lists
  • Generate and validate tickets and guest passes
  • Run giveaways and select winners
  • Send notifications via Discord DMs and channels
  • Sync with Discord's native scheduled events
  • Manage waitlists and capacity limits

2.2 Communication

  • Send event reminders and notifications
  • Notify users of RSVP status changes (approved, rejected, waitlisted)
  • Send guest pass invitations
  • Announce giveaway winners
  • Provide event updates and changes

2.3 Analytics and Improvement

  • Generate analytics dashboards for server administrators
  • Track engagement metrics and attendance patterns
  • Improve bot performance and features
  • Identify and fix bugs
  • Understand usage patterns to prioritize new features

2.4 Security and Moderation

  • Maintain audit logs for accountability
  • Detect and prevent abuse
  • Enforce giveaway requirements (account age, server age, roles)
  • Verify user permissions before allowing actions

3. Data Storage and Security

3.1 Database

All data is stored in a MongoDB database with the following security measures:

  • Encryption at Rest - Database is encrypted
  • Access Control - Database access is restricted to authorized services only
  • Sensitive Field Protection - Access tokens and refresh tokens are marked with select: false and never exposed in API responses
  • Secure Connections - All database connections use TLS/SSL

3.2 API Security

  • JWT Authentication - User sessions are managed with JSON Web Tokens
  • Gateway Secret - Bot-to-API communication requires a secret key
  • HTTPS Only - All API requests must use HTTPS
  • CORS Protection - Only authorized origins can access the API
  • Rate Limiting - Protection against abuse and DDoS attacks
  • Helmet.js - Security headers to prevent common vulnerabilities

3.3 Data Retention

  • Active Data - Stored indefinitely while you use Belfry
  • Past Events - Event data is retained for analytics and historical records
  • Audit Logs - Retained for 90 days for security purposes
  • Deleted Servers - When Belfry is removed from a server, guild-specific data may be retained for up to 30 days before permanent deletion

4. Data Sharing and Disclosure

4.1 We DO NOT Sell Your Data

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

4.2 Discord Platform

We interact with Discord's API to provide our services:

  • Sending messages and embeds to Discord channels
  • Creating and managing Discord scheduled events
  • Assigning and removing roles
  • Creating temporary invite links for guest passes
  • Fetching user and guild information via OAuth2

4.3 Public Event Discovery

If you mark an event as "Public" and enable event discovery, the following information is visible to all Belfry users:

  • Event title, description, and banner
  • Start and end times
  • Guild name and icon
  • Attendee count
  • Guest pass availability

4.4 Legal Requirements

We may disclose your information if required by law, court order, or government request, or to protect our rights, property, or safety.

5. Your Rights and Choices

5.1 Access and Portability

You can request a copy of your data by contacting us. We will provide your data in a machine-readable format (JSON).

5.2 Correction

You can update your Discord profile information through Discord. Changes will be reflected in Belfry on your next login.

5.3 Deletion

You can request deletion of your data by:

  • Contacting us at privacy@belfry-app.org
  • Removing Belfry from all servers you manage
  • Revoking OAuth2 authorization in Discord settings

Note: Some data may be retained in anonymized form for analytics or as required by law.

5.4 Opt-Out of Notifications

Server administrators can disable DM notifications in guild settings. You can also block Belfry's DMs through Discord.

6. Children's Privacy

Belfry is intended for users who meet Discord's minimum age requirement (13+ in most regions, 16+ in the EU). We do not knowingly collect information from children under these ages. If you believe we have collected information from a child, please contact us immediately.

7. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

8. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by posting a notice in our Discord support server or updating the "Last Updated" date. Continued use of Belfry after changes constitutes acceptance of the updated policy.

9. Contact Us

If you have questions about this Privacy Policy or want to exercise your rights, contact us:

Summary

We collect Discord user and server information necessary to provide event management services. Your data is stored securely, never sold, and you can request deletion at any time. We only share data with Discord's API to provide bot functionality and with other users when you make events public.

← Back to Home