Privacy Policy — Server Assistant

Effective date: May 9, 2026 Last updated: May 9, 2026

This privacy policy describes how the Server Assistant Discord bot (“the Bot”) collects, uses, and stores information when installed in a Discord server (“the Service”).

Who is responsible

The Bot is operated by the individual or organisation hosting it (the “Operator”). For the canonical hosted instance, contact information is available in the Bot’s support server, linked from its profile and listing on the Discord App Directory.

What the Bot stores

The Bot stores the minimum data necessary to provide its features. All data is stored locally on the Operator’s hosting infrastructure and is not transmitted to third parties except as described below.

Per-guild configuration

When a server owner runs /setup, the Bot stores:

• Discord server (guild) ID
• Selected staff-chat channel ID
• Selected log channel ID
• Discord role IDs mapped to the Bot’s permission tiers
• Server settings (embed colour, bot nickname, default timezone, anti-raid thresholds, etc.)
• AI provider selection (shared / BYO key / disabled)

Per-user moderation history

When staff members issue warnings, notes, or moderation actions, the Bot stores:

• The Discord user ID of the affected member
• A timestamp
• The Discord user ID of the staff member who issued the action
• The reason text
• The action type (warn, note, ban, etc.)

Warnings are persistent until manually removed by staff. Notes are persistent until manually removed.

Audit log

The Bot maintains a rolling audit log of the most recent 500 staff actions across all guilds. Each entry contains:

• Timestamp
• Acting staff member’s user ID and tag
• Action type and parameters (truncated to 500 characters)
• Result status (executed, denied, pending approval, etc.)
• Guild ID

Scheduled tasks

When staff schedule a reminder or recurring task, the Bot stores:

• Task ID, creator’s user ID, target channel ID, and guild ID
• Scheduled timestamp
• Command text (truncated to a reasonable length)
• Created-at timestamp

These are deleted automatically when the task fires or is cancelled.

Encrypted secrets

The Bot stores the following credentials encrypted at rest using Fernet symmetric encryption:

• Discord bot token
• AI provider API keys (xAI Grok, OpenAI, etc.)
• Per-guild AI keys (when server owner provides their own)
• YouTube API key (if YouTube notifier feature is in use)

The encryption key is stored separately on the Operator’s host and not transmitted.

Local telemetry (anonymous)

The Bot maintains anonymous, local-only counters:

• Number of automod blocks per guild
• Number of warnings issued
• Number of new members seen
• Number of AI features invoked

These counts are never transmitted off the host. They are used solely by the Operator to inform feature decisions. No PII is included.

What the Bot does NOT store

The Bot does not store:

• Message content beyond the request that triggered an action (truncated to 500 characters in the audit log)
• User direct messages or private conversations
• Voice channel recordings, transcripts, or metadata
• User avatars, banners, or media beyond what is generated by /imagine
• Email addresses, phone numbers, or any out-of-band contact information

Third-party data sharing

The Bot may transmit certain data to third-party AI providers when AI features are used. This is only when explicitly invoked by staff (e.g., /report, AI-assisted reports via right-click menu, /imagine):

• xAI Grok (https://x.ai) — message content from the staff member’s request, plus surrounding-message context (~20 messages) when generating moderation reports.
• OpenAI (https://openai.com) — same scope as xAI when OpenAI is selected as the chat provider.
• OpenAI / Stability AI / Pollinations.ai — text prompts only, when /imagine is used. No user metadata is transmitted.

Each AI provider has its own privacy policy governing how they handle transmitted data. The Bot does not store the responses received from these providers beyond posting them to the requesting channel.

No data is sold or shared with advertising networks, analytics services, or third parties beyond the AI providers strictly required to fulfil a request.

Data retention

• Configuration and settings: retained until the Bot is removed from a server, at which point it is wiped on the next event handler call.
• Encrypted secrets: wiped immediately when the Bot is removed from a server (on_guild_remove).
• Warnings and notes: retained indefinitely until manually removed by staff. A future /wipe-server-data command will streamline this.
• Audit log: rolling window of 500 entries; older entries are automatically purged.
• Scheduled tasks: deleted when fired or cancelled.

Right to erasure

Server owners can request deletion of all data associated with their guild by:

1. Removing the Bot from their server (this wipes the encrypted secrets vault entries automatically).
2. Contacting the Operator via the support server to request manual deletion of warnings, notes, and audit log entries scoped to that guild.

Individual users wishing to have their personal moderation history erased should contact the server owner first; if the server owner is unresponsive, contact the Operator directly.

Data security

• All sensitive credentials are stored encrypted at rest using AES-128 (via Fernet).
• The encryption master key is restricted to file owner read/write only on POSIX systems.
• The Bot does not expose any public network endpoints beyond Discord’s gateway connection.
• The Operator is responsible for securing the host machine and following Discord’s bot token security guidelines.

Children’s privacy

The Bot does not knowingly collect data from children under 13. Discord requires all users to be at least 13 years of age (or higher in some jurisdictions). If you become aware that a child has provided personal information to the Bot, contact the Operator and the data will be deleted.

Changes to this policy

This privacy policy may be updated to reflect changes in the Bot’s features. The “Effective date” at the top of this document indicates the most recent revision. Server owners are notified of material changes via the Bot’s release announcements.

Contact

For questions, concerns, or data requests, contact the Operator via the support server linked from the Bot’s profile.