Privacy Policy

MMO Maid ("we", "us", "our") operates a multi-tenant Discord bot management platform. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data.

1. Information We Collect

1.1 Discord OAuth2 Data

When you log in, we request the following Discord OAuth2 scopes:

• identify — your Discord user ID, username, display name, and avatar
• guilds — a list of Discord servers you belong to (ID, name, icon, your permissions)

We do not request access to your Discord messages, direct messages, friend list, email address, or any message content.

1.2 Server & Plugin Data

When you select a server and use the dashboard, we store:

• Server membership and role assignments (who can manage which servers)
• Plugin configuration and enabled/disabled state per server
• Server analytics: aggregated member activity, message counts, voice session durations, and command usage

1.3 Payment Information

Payments are processed by Stripe. We send your Discord user ID and billing period to Stripe as metadata. We never receive, store, or have access to your full credit card number, CVV, or bank details. Stripe is PCI-DSS Level 1 compliant.

1.4 IP Addresses

Your IP address is processed for rate limiting (preventing abuse) and audit logging (recording admin actions). We do not use IP addresses for advertising, tracking, or profiling.

1.5 Information We Do Not Collect

• Discord message content or DMs
• Email addresses (not included in our OAuth scopes)
• Passwords or password hashes
• Device fingerprints or advertising identifiers
• Location data beyond IP-derived country (for rate limiting only)

2. How We Use Your Information

• Authentication — verify your identity and display your servers
• Access control — enforce who can manage plugins, view analytics, and configure bots
• Service operation — run bot commands, deliver plugin functionality, process events
• Analytics — provide server owners with aggregated activity dashboards
• Billing — process subscription payments for premium features via Stripe
• Security — rate limiting, CSRF protection, audit logging of admin actions

3. Cookies & Local Storage

3.1 Cookies

Name	Purpose	Type	Duration
session	Authenticated session (OAuth token, active server, CSRF token)	Essential	Browser session

The session cookie is cryptographically signed, HttpOnly, SameSite=Lax, and Secure in production. We do not use tracking, advertising, or third-party cookies.

3.2 Local Storage

Key	Purpose	Duration
mmo_sidebar_hidden	Sidebar collapse preference	Until cleared
mmo_cookie_ok	Cookie consent choice (timestamp or "declined")	12 months

4. Third-Party Services

Service	Purpose	Data Shared
Discord	OAuth login, bot API	User ID, server list via OAuth
Stripe	Payment processing	Discord user ID, billing period as metadata
Plausible	Anonymized analytics (optional)	None — cookieless, no IP tracking
jsDelivr CDN	Chart libraries	Your IP (standard CDN request)

Fonts are self-hosted — no requests are made to Google or any external font provider.

5. Data Storage & Security

• Encryption in transit: HTTPS with HSTS (HTTP Strict Transport Security)
• Encryption at rest: Sensitive values (bot tokens) encrypted using AES-256
• Session security: CSRF with timing-safe HMAC; session fixation prevention on login
• Infrastructure: Docker containers, non-root user, Content Security Policy
• Rate limiting: Per-IP to prevent brute-force and abuse

6. Data Retention & Deletion

• Account data: retained while active; updated from Discord on each login
• Server analytics: retained for the server's registration lifetime (aggregated, no message content)
• Audit logs: retained indefinitely for security and compliance
• Payment records: retained as required by financial regulations
• Session data: cleared on logout; OAuth tokens expire automatically

To request deletion, email privacy@mmomaid.com with your Discord user ID. We will process requests within 30 days.

7. Server Analytics & Audit Logging

The bot collects aggregated analytics for server owners: member activity, message volume (counts only), voice session durations, and command usage. This data is partitioned per-server and visible only to authorized roles.

All admin actions are logged with actor ID, action, and timestamp for security and accountability.

8. Marketplace Plugins & Data Isolation

Third-party plugins run in sandboxed Docker containers with no network access, read-only filesystems, and strict resource limits. Plugin data storage is isolated per-plugin and per-server. We review plugins before publication but are not responsible for third-party plugin behavior beyond sandboxing.

9. Children's Privacy

The Service is not intended for users under 13 (or the minimum age required by Discord). We do not knowingly collect data from children. Contact us if you believe a child has provided data.

10. Your Rights

GDPR (EU/EEA/UK)

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion ("right to be forgotten")
• Portability — receive data in machine-readable format
• Restriction — limit processing
• Objection — object to processing based on legitimate interests
• Withdraw consent — via "Cookie Settings" or by contacting us

Legal basis: legitimate interest (operating the Service) and contract performance (features you use).

CCPA (California)

We do not sell personal information. You may request disclosure or deletion by contacting us.

11. Data Breach Notification

We will notify affected users within 72 hours of becoming aware of a breach, report to relevant authorities as required, and describe the nature, data affected, and mitigation steps.

12. Changes to This Policy

Material changes will be communicated via a notice on the Service. Continued use after changes constitutes acceptance.

13. Contact

• Privacy: privacy@mmomaid.com
• Support: support@mmomaid.com

EU/EEA users may lodge complaints with their local data protection authority.

← Back to home