Privacy Policy
Last updated: May 24, 2026
This Privacy Policy describes precisely — without marketing language — what data Valiente collects, why each field is stored, how long it is retained, and the exact rights you hold over it. We believe technical transparency is the only honest form of a privacy policy.
1. Data We Collect & Why
The following table maps each data category to its technical purpose. All data is stored in MongoDB Atlas (cloud database, replica set, encrypted at rest and TLS-encrypted in transit).
| Category | Data Stored | Why (Legal Basis) |
|---|---|---|
| Identity | Discord User ID, Discord Guild (Server) ID | Required to associate all other data to the correct user/server. No username, email or password is stored — Discord handles authentication. |
| Leveling & XP | XP points, Level, date of last activity update | Powers the /rank card, leaderboard, and role rewards. Contractual necessity: the feature cannot exist without this data. |
| Economy | Coin balance, inventory items, bank balance, work/crime cooldown timestamps | Funds the virtual in-server economy (shop, gambling, transfers). Cooldown timestamps are reset after the cooldown expires. |
| Achievements | Message counts (total/daily/weekly/monthly), voice session minutes, reaction counts, invite counts, command counts, vote count, consecutive voting streak, first seen date | Powers the Achievement System (90 achievements across 9 categories). Activity counters are aggregated and never shared outside Valiente. |
| Birthdays | Day and month of birth (year is optional and never required) | Allows the bot to post a birthday message on the configured date. The year is never stored unless explicitly provided. |
| Infractions | Warn reason, moderator ID, timestamp, active/expired status | Moderation history required to enforce /warn, /ban, /mute and related commands. Server admins can purge records at any time via /clearwarns. |
| Tickets | Ticket channel ID, opener User ID, status (open/closed/archived), optional HTML transcript | Necessary to manage the lifecycle of support tickets. Transcripts are only generated and stored if the server admin has explicitly enabled the transcript feature. |
| Server Configuration | Channel IDs (logs, welcome, tickets, birthdays, suggestions…), Role IDs, module toggles, custom prefix, chosen language | Pure configuration data required to operate each module. No personal data is involved — only Discord resource identifiers controlled by server admins. |
| Web Sessions | Encrypted session token containing only your Discord User ID, stored in MongoDB with a 14-day TTL | Keeps you logged into the web dashboard after Discord OAuth2 authentication. Sessions are invalidated on logout and expire automatically. |
| Vote Reminders | User ID, timestamp of next reminder (VIP users only) | Sends a DM reminder 12 hours after voting on Top.gg. Opt-in only — only applies to users registered in the VIP list. |
| Free Games Cache | GamerPower game IDs already announced | Prevents announcing the same free game twice. Contains no personal data — only game identifiers from a public API. |
2. Third-Party Services
Valiente interacts with the following external services. Your personal data is never sold.
- Discord API: Used to send messages, manage roles, fetch guild information, and handle OAuth2 authentication for the dashboard. Governed by Discord's Privacy Policy.
- MongoDB Atlas (cloud.mongodb.com): Database storage. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+). Hosted in a restricted-access Atlas cluster.
- Spotify / YouTube / SoundCloud / Deezer: Public content is streamed for music commands. No personal account data is exchanged with these platforms.
- GamerPower API (gamerpower.com): Public API polled to retrieve free game listings. No personal data is sent.
- Top.gg / Discord Bot List / DiscordThings: Receive vote webhooks containing only your Discord User ID to process rewards and reminders.
- Hugging Face: Used for AI features. Only the text content of the query is sent (no user metadata).
- Cloudflare: The web server is tunneled through Cloudflare for DDoS protection and TLS termination. Cloudflare may log IP addresses per their own privacy policy.
3. Security Measures
Valiente's infrastructure implements the following technical safeguards:
- Transport Security: All HTTP traffic is served over HTTPS via Cloudflare (TLS 1.2+). Cookies are flagged Secure, HttpOnly and SameSite=Lax.
- Content Security Policy: Helmet.js enforces a strict CSP preventing unauthorized script execution and cross-origin resource loading.
- API Rate Limiting: The public API is limited to 300 requests per 15-minute window per IP to prevent enumeration attacks.
- Access Control: Dashboard API routes are protected by checkAuth (requires Discord login) and checkGuildAccess (verifies MANAGE_GUILD or ADMINISTRATOR permissions server-side).
- Session Isolation: Sessions store only a Discord User ID. The full profile object is cached in server memory with a 5-minute TTL and never persisted in its entirety.
- Environmental Secrets: All tokens, secrets and API keys are stored exclusively as environment variables — never committed to source code.
4. Data Retention
- Active data (XP, economy, achievements, config): retained as long as Valiente remains on your server or you have an active account.
- Web sessions: expire automatically after 14 days of inactivity.
- Free Games cache: entries older than 30 days are purged automatically.
- Upon deletion request: all personal data is permanently erased within 30 days (see §5).
5. Your Rights (GDPR)
In accordance with GDPR (EU) 2016/679 and Discord's Developer Policy, you have the right to:
- Access: Request a complete export of your data stored by Valiente.
- Rectification: Correct inaccurate data (e.g., a wrong birthday date).
- Erasure ("Right to be Forgotten"): Request full deletion of your data. Server administrators may use /economy reset, /clearwarns, and similar admin commands. For a global deletion, contact us directly.
- Portability: Receive your data in a structured, machine-readable format (JSON).
- Objection: Object to specific processing (e.g., achievement tracking) — individual modules can be disabled by server admins.
All requests are processed within 30 calendar days.
6. Contact
- Email: [email protected]
- Discord: discord.gg/V6fR2RKgU4