Privacy Policy

Effective Date: January 11, 2026 (Version 1.1)

AGREEMENT TO PRIVACY POLICY

ModBlox ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website https://modblox.hawkcraftstudios.com (the "Website"), use our Discord bot, and access our related services (collectively, the "Service").

IF YOU DO NOT AGREE WITH THE TERMS OF THIS PRIVACY POLICY, PLEASE DO NOT ACCESS THE WEBSITE OR USE THE SERVICE.

We reserve the right to make changes to this Privacy Policy at any time. You will be deemed to have accepted the changes by your continued use of the Service.

1. INFORMATION WE COLLECT

We may collect information about you in a variety of ways:

1.1 Personal Data

Personally identifiable information, such as your Discord User ID, username, discriminator, email address, and profile avatar, that you voluntarily give to us when you register with the Service, configure moderation settings, or subscribe to premium services.

1.2 Information Collected Through Discord

When you authorize our Discord bot via Discord OAuth, we collect:

  • Discord Account Information: User ID, username, discriminator, email address, profile avatar URL
  • Guild (Server) Information: Server IDs and names where you have admin permissions, server member counts, basic statistics, channel names and IDs, role information
  • User Roles and Permissions: Role assignments, permission levels, administrative access rights

1.3 Derivative Data

Information our servers automatically collect when you access the Service, such as your IP address, browser type, operating system, access times, and pages viewed.

1.4 Service Configuration Data

  • Moderation Settings: Rules and parameters for content moderation
  • Anti-Raid Configuration: Account age filters, join rate limits, whitelisted users
  • Automod Rules: Custom rules, trigger words, action configurations
  • Channel Configurations: Moderation log channels, announcement channels
  • Moderation Case Notes: Notes and context for moderation actions

1.5 Financial Data

Payment information (credit card details) collected when you purchase services. We store only very limited financial information. All financial information is stored by our payment processor, Stripe.

1.6 Bot Activity Data

  • Server Events: Member join/leave events, voice state changes, channel/role modifications
  • Moderation Actions: Warnings, mutes, kicks, bans, case metadata, multi-server moderation synchronization records (when configured)
  • User Account Information: Account creation dates, avatar status, username patterns
  • Webhook Management: Encrypted Discord webhook URLs (AES-256-CBC), webhook usage statistics (message counts, timestamps), role-based access control permissions

IMPORTANT: Message content is only processed in real-time for automod rule evaluation and is NEVER stored in our databases. Webhook URLs are encrypted using AES-256-CBC encryption before storage and are never exposed to client-side applications.

2. HOW WE USE YOUR INFORMATION

We use information collected about you via the Service to:

  • Provide and Maintain the Service: Authentication, bot functionality, moderation rules, anti-raid protection, dashboard analytics
  • Process Transactions: Premium payments, billing, receipts, fraud detection
  • Communicate With You: Service announcements, support responses, policy changes, notifications
  • Improve Our Service: Usage analysis, new features, testing, troubleshooting
  • Marketing Communications: With your consent, special offers, newsletters (opt-out available)
  • Security and Legal Compliance: Fraud prevention, Terms enforcement, legal compliance
  • Analytics and Performance: Statistical data, usage trends, performance reports

3. DISCLOSURE OF YOUR INFORMATION

We may share information we have collected about you in certain situations:

3.1 By Law or to Protect Rights

If we believe the release of information is necessary to respond to legal process, investigate violations, or protect rights, property, and safety.

3.2 Third-Party Service Providers

Discord, Inc.

Purpose: Authentication and bot platform

Privacy Policy: https://discord.com/privacy

Stripe, Inc.

Purpose: Payment processing (PCI DSS Level 1 certified)

Privacy Policy: https://stripe.com/privacy

MongoDB, Inc.

Purpose: Database hosting (encrypted at rest and in transit)

Privacy Policy: https://www.mongodb.com/legal/privacy-policy

Cloudflare, Inc.

Purpose: CDN and DDoS protection

Privacy Policy: https://www.cloudflare.com/privacypolicy/

3.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you of any such change.

4. DATA RETENTION

We retain your personal information for as long as necessary to fulfill the purposes outlined in this Privacy Policy.

Active Accounts:

Data retained while account is active and bot is installed in your servers

Moderation Logs:

Typically retained for 3 years unless deletion is requested. Cross-server sync records retained with moderation logs.

Webhook Data:

Encrypted webhook URLs deleted within 7 days after webhook removal. Usage statistics retained for 90 days after deletion.

Inactive Accounts:

Data deleted after 120 days of inactivity unless you log back in

Transaction Records:

Retained for 7 years as required by tax and accounting laws

Authentication Tokens:

Access tokens expire after 7 days, refresh tokens after 30 days

Rate Limit Records:

Temporary in-memory tracking, automatically cleared after 60 seconds

You may request deletion of your data at any time. We will respond within 30 days and complete deletion within 60 days, except where retention is required by law.

5. SECURITY OF YOUR INFORMATION

We use administrative, technical, and physical security measures to protect your personal information:

  • Encryption: TLS/SSL for data in transit, encryption at rest for sensitive data, AES-256-CBC with IV for webhook URLs and sensitive credentials
  • Authentication Security: OAuth 2.0, httpOnly and Secure cookie flags, automatic token refresh
  • Access Controls: RBAC for internal systems and webhook management, MFA for admin access, audit logging, granular permission controls
  • Network Security: Firewalls, intrusion detection, DDoS protection via Cloudflare, rate limiting (30 requests per 60 seconds per webhook)
  • Database Security: Encrypted connections, activity monitoring, regular backups, sensitive data encrypted before storage
  • Application Security: Input validation, XSS/CSRF protection, security updates, webhook URL verification and guild ownership validation
  • Monitoring: 24/7 security monitoring, incident response procedures, automated rate limit enforcement

While we have taken reasonable steps to secure your personal information, no security measures are perfect. You are responsible for maintaining the secrecy of your authentication credentials.

6. INTERNATIONAL DATA TRANSFERS

Your information may be transferred to and processed in countries outside your country of residence, including the United States.

Legal Safeguards:

  • EU/EEA (GDPR): Standard Contractual Clauses (SCCs), adequacy decisions, supplementary measures
  • United Kingdom (UK GDPR): UK IDTA or UK Addendum to SCCs
  • Switzerland: Swiss-approved contractual clauses
  • Brazil (LGPD): Contractual clauses and technical safeguards per ANPD requirements

By using our Service, you consent to the transfer of your information to countries outside your country of residence.

7. COOKIES AND TRACKING TECHNOLOGIES

For detailed information about how we use cookies, please see our Cookie Policy.

Cookie Types We Use:

  • Strictly Necessary Cookies: access_token, refresh_token, session_id, csrf_token (cannot be disabled)
  • Functional Cookies: user_preferences, theme_preference, dashboard_settings (can be customized)
  • Analytics Cookies: Not currently used
  • Marketing Cookies: Not currently used

You can manage cookie preferences through our cookie consent banner or browser settings.

8. YOUR PRIVACY RIGHTS

Depending on your location, you may have certain rights regarding your personal information.

8.1 European Union / EEA (GDPR)

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restriction: Limit processing of your data
  • Right to Data Portability: Receive data in portable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time
  • Right to Lodge a Complaint: File complaint with local DPA

8.2 California (CCPA/CPRA)

  • Right to Know: Request information about data collection and use
  • Right to Delete: Request deletion of personal information
  • Right to Correct: Request correction of inaccurate data
  • Right to Opt-Out: Opt-out of sale/sharing (we do not sell data)
  • Right to Limit Use of Sensitive Information: Limit use of sensitive data
  • Right to Non-Discrimination: No discrimination for exercising rights

8.3 Canada (PIPEDA)

  • Right to Access: Access personal information we hold
  • Right to Correction: Correct inaccurate information
  • Right to Withdraw Consent: Subject to legal/contractual restrictions
  • Right to File a Complaint: Lodge complaint with Privacy Commissioner of Canada

8.4 Other Jurisdictions

Similar rights available under:

  • Brazil (LGPD), UK (UK GDPR), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA)

How to Exercise Your Rights:

Contact us at support@hawkcraftstudios.com with your Discord User ID, email address, and detailed description of your request. We will respond within 30 days (or as required by applicable law).

9. CHILDREN'S PRIVACY

We do not knowingly solicit information from or market to children under the age of 13 (or 16 in the EEA).

Age Requirements:

  • United States: Minimum age 13 (COPPA compliance)
  • European Union: Minimum age 16 (GDPR compliance)
  • Discord Platform: Minimum age 13, or 16 in certain regions

If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately. We will take steps to remove such information.

10. THIRD-PARTY LINKS AND SERVICES

The Service may contain links to third-party websites and services not operated by us. We have no control over and assume no responsibility for third-party content, privacy policies, or practices.

Third-Party Services:

  • Discord platform and communities
  • Stripe payment processing
  • Social media platforms
  • External tools and integrations

We recommend reviewing the privacy policies of any third-party services you visit. Our Service integrates with Discord, which is governed by Discord's Terms and Privacy Policy.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons.

How We Notify You:

  • Update the "Effective Date" at the top
  • Email notification (for material changes)
  • Prominent notice on our Website
  • Notification in your dashboard upon next login

Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

12. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

ModBlox

Email: support@hawkcraftstudios.com

Discord Support Server: https://discord.gg/gz2tdmmT4y

Website: https://modblox.hawkcraftstudios.com

For Privacy-Related Requests:

Provide your Discord User ID, email, detailed request description, and verification information. We will acknowledge within 5 business days and respond within 30 days.

13. LEGAL BASIS FOR PROCESSING (GDPR)

If you are in the EEA or UK, we process your personal data based on:

  • Consent (Article 6(1)(a)): Discord OAuth authorization, premium subscriptions, marketing communications
  • Contractual Necessity (Article 6(1)(b)): Providing the Service, processing transactions, maintaining your account
  • Legitimate Interests (Article 6(1)(f)): Service improvement, fraud detection, security, usage analysis
  • Legal Obligation (Article 6(1)(c)): Compliance with laws, legal processes, tax/accounting records

You have the right to object to processing based on legitimate interests. Contact us to exercise this right.

14. DATA PROTECTION OFFICER

For inquiries specifically related to GDPR compliance and data protection:

Data Protection Officer (DPO):

Email: support@hawkcraftstudios.com

Subject Line: "GDPR Inquiry - ModBlox"

Our DPO is responsible for overseeing data protection strategy, ensuring GDPR compliance, serving as point of contact for data subjects and supervisory authorities, and conducting Data Protection Impact Assessments.

15. SUPERVISORY AUTHORITY

If you are in the EEA, UK, or Canada, you have the right to lodge a complaint with your local supervisory authority:

European Union:

Contact your local Data Protection Authority

List: https://edpb.europa.eu/about-edpb/board/members_en

United Kingdom:

Information Commissioner's Office (ICO)

Website: https://ico.org.uk | Phone: 0303 123 1113

Canada:

Office of the Privacy Commissioner of Canada

Website: https://www.priv.gc.ca | Toll-free: 1-800-282-1376

We encourage you to contact us first so we can address your concerns directly.

16. CALIFORNIA PRIVACY RIGHTS

16.1 Categories of Personal Information Collected (Past 12 Months)

Category | Examples | Collected
Identifiers | Discord ID, username, email, IP |
Commercial Info | Subscription records, transactions |
Internet Activity | Browsing history, cookies, logs |
Geolocation | General location from IP (country/region) |
Sensitive Info | Account login (OAuth tokens) |

16.2 Sale or Sharing of Personal Information

WE DO NOT SELL YOUR PERSONAL INFORMATION. We have not sold personal information in the past 12 months.

16.3 Retention Periods

Active accounts: While account is active; Transactions: 7 years; Auth tokens: 7-30 days; Moderation logs: 3 years

17. ADDITIONAL STATE-SPECIFIC RIGHTS

Nevada:

Right to opt-out of sale (we do not sell data)

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA):

Rights to access, correct, delete, obtain portable copy, opt-out of targeted ads/profiling

Utah (UCPA):

Rights to access, delete, obtain copy, opt-out of sale and targeted advertising

To exercise these rights, contact us at support@hawkcraftstudios.com with your verification information.

18. AUTOMATED DECISION-MAKING

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you within the meaning of GDPR Article 22.

Automated Systems We Use:

  • Content Moderation: Based on your configured rules (you have full control)
  • Anti-Raid Detection: Based on parameters you set (protective measures)
  • Fraud Detection: For payment processing (necessary for security)

You can configure, disable, adjust, review, and override automated rules at any time. We do not use personal data to create profiles that result in decisions with legal or similarly significant effects.

19. DATA BREACH NOTIFICATION

In the event of a data breach that poses a risk to your rights and freedoms, we will:

19.1 Internal Response

  • Contain the breach and prevent further unauthorized access
  • Assess scope and affected data
  • Investigate the cause
  • Document the breach
  • Remediate vulnerabilities

19.2 Notification to Authorities

  • GDPR (EU/UK): Notify supervisory authority within 72 hours
  • CCPA (California): Comply with California breach notification laws
  • Other Jurisdictions: Comply with applicable requirements

19.3 Notification to Affected Individuals

If the breach results in high risk, we will notify you without undue delay via:

  • Email to your account address
  • Prominent notice on our Website
  • Notification in your dashboard
  • Discord bot announcement

The notification will include: nature of the breach, affected data, contact information, likely consequences, measures taken, and recommendations for your protection.

BY ACCESSING OR USING THE SERVICE, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY.

Last Reviewed: November 18, 2025

Version: 1.0