Privacy Policy
Effective May 4, 2026 (updated May 15, 2026 — added the Classement (Ranking) feature: a new event type where the admin defines a list of subjects and criteria, and members rate each subject on each criterion. Consequences: a new SurveyRating table (0-10 score per subject/criterion/voter triple) added to the data inventory; cascade-deleted on /account delete; aggregates visible to everyone, individual ratings reserved for T&S — same model as Contest votes. Updated May 10, 2026 — clarification that only PodiumBot's Trust & Safety team can consult individual vote details (who voted what); server admins only see aggregates on their dashboard. Use case: investigating a report (brigading, removal appeal), legal basis Art. 6(1)(f). Updated May 10, 2026 — top 3 podium images of closed contests are now kept indefinitely as a public archive; on /account delete, they are anonymised rather than deleted. Updated May 5, 2026 — added the self-service /account export and /account delete commands; corrected the AWS Rekognition region listed in the processors table: eu-west-1 Ireland instead of eu-west-3 Paris; added the Discord API-data breach notification procedure; clarifications on GlobalUserBan and SubmissionRemovalLog retention; added §8.8 California residents CCPA/CPRA notice)
Welcome. This policy explains, in plain terms, what data PodiumBot collects about you, why, how long we keep it, and how you can control it. We tried to make it readable — not a legal wall of text. If anything is unclear, write to us: contact@podiumbot.app.
PodiumBot is a Discord bot that lets communities run two types of events: Contests (best burger, best cat, best meme — image submissions, voting, automatic podium), and Classements / Rankings (the admin defines a list of subjects and criteria, members rate each subject on each criterion, the bot publishes a live ranking that updates on every vote). It's an online service, and online services process personal data. Here's how we handle it.
1. Data Controller
The data controller, within the meaning of the General Data Protection Regulation (GDPR, EU Regulation 2016/679), is the company that publishes and operates PodiumBot:
- Legal form: Société par Actions Simplifiée (SAS), incorporated under French law
- SIREN: 102 311 636
- Share capital: €500.00
- Registered office: 254 rue Vendôme, 69003 Lyon, France
- Website: https://podiumbot.app
- Contact: contact@podiumbot.app
When you use the bot on your Discord server, or sign in to podiumbot.app via Discord OAuth, this company decides why and how your data is processed — and is therefore responsible to you and to the French data protection authority (CNIL).
2. Data Protection Officer (DPO)
We have not designated a DPO. At our scale (PodiumBot is pre-launch, the team is small, we don't process special-category data within the meaning of GDPR Article 9, and we don't conduct large-scale systematic monitoring), appointing a DPO is not mandatory under GDPR Article 37.
That said, you always have a dedicated contact for any privacy question:
contact@podiumbot.app
Tag your subject line with [Privacy] so we route it as priority.
3. What data we collect
We try to collect only what's strictly needed to run the service. Here's the exhaustive list, broken down by source.
3.1 Data from Discord OAuth (signing in to podiumbot.app)
When you log in to our website via Discord, Discord sends us:
- Your Discord user ID (snowflake — the public ID Discord assigns you)
- Your Discord username and your global_name
- Your avatar hash (so we can show your avatar in the dashboard)
- The list of Discord servers you belong to — only to figure out which ones you can administrate. This list is transient: we read it, use it for display, and never store it in our database.
- An OAuth access token issued by Discord — it lives only inside your encrypted session cookie, never in our database.
3.2 Data from bot interactions on Discord
When you use PodiumBot on a Discord server, we record:
- The Discord server ID (snowflake) where the bot is invited
- The server name (only to display it in the dashboard)
- For each contest: its name, description, allowed-roles configuration, start/end schedules, channel ID where the contest is published
- For each submission: the image (uploaded via Discord, then re-uploaded to Cloudflare R2 so it stays available after the Discord URL expires), title, optional description, author's Discord user ID. Before storage, every image is automatically scanned by AWS Rekognition to detect prohibited content (explicit nudity, violence, hate symbols, drugs). If the server admin has marked the channel as NSFW (Discord's native flag), the scan is disabled for submissions in that channel. No analysis data is retained — only the binary verdict (accepted / rejected) is used to allow or block the upload. In addition, images served from Cloudflare R2 are scanned by Cloudflare's CSAM Scanning Tool (PhotoDNA / NCMEC hashes), which automatically detects and blocks child sexual abuse material.
- For each contest vote: the rating (0 to 10), the voter's Discord user ID, the submission ID. Server admins do not see individual vote details — their moderation dashboard only shows aggregates (average, vote count, ranking). Only PodiumBot's Trust & Safety team can review who voted what, and only as part of a moderation incident investigation (suspected brigading, appeal of a removal).
- For each per-contest ban: the reason, who blocked, when
- For each Classement created: its name, description, the list of subjects (short label, defined by the admin), the list of criteria (short label, defined by the admin), the channel ID where the live embed is published.
- For each Classement rating: the value (0 to 5), the voter's Discord user ID, the subject ID, the criterion ID. Same access rules as Contest votes: aggregates visible to everyone (per subject × criterion average shown in the live Discord embed), individual ratings reserved for T&S.
3.3 Data from Discord App Subscriptions
If your server subscribes to PodiumBot Pro (€3.99/month), Discord sends us:
- The subscription status for the server (active / cancelled / expired)
- The plan tier (Free / Pro)
- Renewal / expiry dates
We never see your payment method, card number, billing address, or any banking data. Discord is the merchant of record for all PodiumBot subscriptions — Discord collects the payment, Discord handles the payment data, and Discord's privacy policy applies to that flow. We just receive the signal "this server has paid, give them Pro features".
3.4 Data we generate ourselves
- An encrypted, signed session cookie (AES-256, sealed with iron-webcrypto), 7-day lifetime
- A language preference cookie (fr or en)
- Server logs (request paths, HTTP status codes, hashed IP) kept for 30 days for debugging and security
That's it. No tracking, no advertising profiling, no fingerprinting, no third-party analytics.
4. Purposes and legal basis
For each processing activity, here's what we do it for and which GDPR legal basis (Article 6) we rely on.
| Purpose | Data used | Legal basis (GDPR Art. 6) |
|---|---|---|
| Sign you in to podiumbot.app and show you the servers you administrate | Discord OAuth, session cookie | Performance of contract (Art. 6(1)(b)) |
| Let you create and manage contests on your server | Server ID, contest configuration | Performance of contract (Art. 6(1)(b)) |
| Let members submit entries and vote | Image, title, Discord ID, vote | Performance of contract (Art. 6(1)(b)) |
| Publish the podium when the contest ends | Submissions + votes | Performance of contract (Art. 6(1)(b)) |
| Enforce contest rules (per-contest bans) | Reason, moderator, timestamp | Legitimate interest (Art. 6(1)(f)) — moderation |
| T&S internal investigation of a report (suspected brigading, appeal of a removal) | Per-submission vote list: voter's Discord user ID + rating | Legitimate interest (Art. 6(1)(f)) — service security and contest integrity |
| Automatically scan submitted images to block prohibited content | Image (transitory, not retained by the moderation service), binary verdict | Legitimate interest (Art. 6(1)(f)) — security, legal compliance |
| Enable / disable Pro features based on subscription | Discord subscription status | Performance of contract (Art. 6(1)(b)) |
| Secure the service, detect abuse, debug | Server logs, hashed IP | Legitimate interest (Art. 6(1)(f)) — security |
| Remember your preferred language | Locale cookie | Legitimate interest (Art. 6(1)(f)) — functional |
We do not market. No newsletter, no advertising, no data resale. So there is no consent-based marketing processing — there's nothing to consent to, because we won't be soliciting you.
5. Who we share your data with (sub-processors)
PodiumBot relies on technical providers — these are sub-processors within the meaning of GDPR Article 28. None of them uses your data for their own purposes; they process it solely to deliver the service to PodiumBot, under a Data Processing Agreement (DPA).
| Sub-processor | Role | Country | Transfer mechanism |
|---|---|---|---|
| Discord Inc. | Authentication, bot gateway, DMs, App Subscriptions, image hosting transit | USA | Standard Contractual Clauses (SCCs) — incorporated by reference in Discord's DPA |
| Cloudflare, Inc. | Workers (web app hosting), R2 (image storage), DNS, registrar | USA / global edge | DPA + Standard Contractual Clauses |
| Neon, Inc. | Managed PostgreSQL (our database, EU-Central / Frankfurt region) | USA (parent), EU hosting | DPA + Standard Contractual Clauses |
| Hetzner Online GmbH | VPS hosting the bot's gateway client | Germany | EU only — no transfer outside EU |
| GitHub, Inc. | Source code hosting | USA | No user data flows there |
| Amazon Web Services, Inc. (AWS Rekognition) | Automated submission moderation (transitory analysis, no retention) | EU (eu-west-1 Ireland region) | DPA + Standard Contractual Clauses |
We don't sell, rent, or assign personal data to third parties for commercial purposes. Period.
6. International transfers (outside the EU)
Some of our sub-processors are headquartered in the United States (Discord, Cloudflare, Neon). Whenever data may be transferred outside the EU, we rely on the Standard Contractual Clauses (SCCs) approved by the European Commission (Decision 2021/914), incorporated into each provider's DPA.
To minimize transfers in practice:
- The Cloudflare R2 buckets where submission images are stored are configured in the EU jurisdiction: the actual image bytes do not leave the European Union.
- The Neon database lives in the EU-Central region (Frankfurt, Germany): contest content, votes, and configuration stay in the EU.
- The Hetzner VPS running the bot is in Germany: no transfer outside the EU for the bot layer.
- Discord, however, is a US platform — that's not something we can change. But by using Discord, you've already accepted Discord's privacy policy, which covers those transfers under their own SCCs.
If you'd like more details on the safeguards in place for transfers, write to us.
7. How long we keep your data
| Category | Retention period |
|---|---|
| Active user account (you log in or use the bot) | As long as your account / bot session is active |
| Server configuration (contests, settings, roles) | As long as the bot is in the server |
| Submissions (non-podium) and votes for a contest | Until the contest is deleted, or until you delete your account (/account delete) |
| Top 3 podium images of a closed contest | Kept indefinitely as a public archive of the contest. If you delete your account while one of your submissions was in a podium, the image stays but is anonymised (no link to your Discord ID anymore) |
| Inactive accounts (no interaction with the bot for 2 years) | Automatically purged |
| Session cookies | 7 days rolling |
| Locale cookie | 1 year |
| Server logs (logs, hashed IP) | 30 days |
| Backups (rolling) | 30 days |
When you remove the bot from a server, all data tied to that server (contests, submissions, votes, bans, stored images) is automatically deleted within seconds of the bot leaving. This wipe is triggered by the Discord GUILD_DELETE event on the bot side. If you'd like to delete only your personal data within a server with other users' data (rather than wiping the whole server), just write to us.
8. Your rights
GDPR gives you seven rights over your data. Here's what each one means in practice and how to exercise it.
8.1 Right of access (Art. 15)
You can pull a full copy of every piece of data we hold about you yourself, with no email and no waiting period.
Command: /account export, on any server where PodiumBot is present. The bot replies to you directly in Discord with an ephemeral JSON file (only you can see it — no one else on the server gets a peek). The export is keyed on your Discord ID and includes:
- Your user profile as we store it
- Every submission you've ever made (title, description, the R2 image URL, metadata, parent contest)
- Every contest vote you've cast (rating, target submission, contest, timestamp)
- Every Classement rating you've given (value 0-5, subject, criterion, classement, timestamp)
- Every contest and Classement you've created, with full configuration (name, description, schedules, channel, settings; for Classements: the list of subjects and criteria)
- Every report you've filed on other submissions
- Every per-contest ban that targets you (reason, moderator, timestamp)
This is the same JSON that doubles as your portability format (see §8.5).
If for some reason you can't access a server with the bot, email us at contact@podiumbot.app from the address linked to your Discord account (or otherwise prove your Discord identity). We respond within 30 days.
8.2 Right to rectification (Art. 16)
Your Discord profile (username, avatar) is the source of truth: we don't keep a frozen copy on our side, we fetch this info from Discord on the fly. So if you change your username or avatar on Discord, it updates on PodiumBot automatically.
If a piece of data you entered through the bot is inaccurate (submission title, description), you can edit it yourself via the bot's commands, or write to us.
8.3 Right to erasure / "right to be forgotten" (Art. 17)
You can wipe all of your data yourself, with no email and no waiting.
Command: /account delete, on any server where PodiumBot is present. The bot shows you a summary of exactly what's about to disappear and asks for an interactive confirmation (a button to click). Until you click, nothing is touched. Once confirmed, the deletion is immediate and final — no grace period, no trash bin, no undo.
What gets deleted on confirmation:
- Every non-podium submission you've made, in every contest, on every server
- The R2 images attached to those submissions (the files are erased from object storage, not just dereferenced)
- Every contest vote you've cast
- Every Classement rating you've given (cascade onDelete: Cascade on userId). The Classement's subjects and criteria stay intact; the ranking is just recomputed without your contribution on the next refresh.
- Every report you've filed on other submissions
- Your User row in our database — so no trace of your Discord ID remains on our side
Special case — winning entries (top 3 of a closed contest): the image and metadata (title, description) are kept as a public archive of the contest, but the link to your Discord ID is severed — the Submission.userId row is set to null and the image is no longer attributed to you (an "anonymous" label is shown instead of the mention). This retention is justified by the archival legitimate interest under Art. 17(3)(d) (historical value of the leaderboard for the server's community) and by PodiumBot's public commitment to participants: a podium win stays visible for life. If you want these images actually deleted (not just anonymised), email us at contact@podiumbot.app — we'll handle the request case by case.
Special case — contests and Classements you created: they stay in place. A contest or Classement belongs to the server (its community), not to the person who originally created it. The createdById link that tied you to them is anonymised (set to null). They carry on as events with no identified author.
Special case — bans against you: if a moderator banned you from a specific contest (ContestBan) or if our Trust & Safety team issued a cross-server ban after a serious incident (GlobalUserBan), those rows are not deleted. This is an explicit carve-out under GDPR Art. 17(3)(c): we have a legitimate interest in keeping a banned user from coming back clean simply by deleting their account and re-joining. We keep only the targeted Discord ID, the reason, and (for the global ban) which moderator issued it — nothing else.
Special case — moderation audit log: when a participation is removed (by yourself, by a guild moderator, or by our T&S team), we keep an entry in the SubmissionRemovalLog table with: when it happened, the source of the removal (self / guild admin / superadmin / T&S), the reason if one was given, and the Discord IDs of the author and the remover. This row survives /account delete for the same Art. 17(3)(c) reason — we need to be able to answer "who removed this and why" later, especially when a former user disputes a moderation action. The submission's actual content (image, title, description) is gone — only the audit metadata remains.
If you can't reach the command for some reason (e.g. the bot is no longer on any server where you are), email us at contact@podiumbot.app. We'll perform the deletion manually within 30 days, except where a legal obligation requires us to retain something specific.
Note: if you participated in a public contest that's already finished, the podium message may remain visible on the Discord server even after we've deleted your data on our side — we don't control display on Discord's end. But the underlying data is gone from our systems.
8.4 Right to restriction of processing (Art. 18)
You can ask us to freeze processing (not delete, but stop using) — for example while we verify a rectification request. Just write to us.
8.5 Right to data portability (Art. 20)
The JSON produced by /account export (see §8.1) is structured, machine-readable, and directly reusable to move your data to another service. It's our default portability format — covering both your right of access and your right to portability through a single command.
8.6 Right to object (Art. 21)
You can object to processing based on legitimate interest (moderation, security). In practice, since we have no "marketing" legitimate interest and the only relevant processing is moderation and security, objecting often amounts to leaving the service — but you can always reach out and we'll look into your case.
8.7 Right to lodge a complaint with the supervisory authority
If you're not satisfied with our response, you can complain to the French data protection authority:
CNIL — 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France www.cnil.fr
But please try us first — we act in good faith and take every request seriously.
8.8 California residents (CCPA / CPRA notice)
If you're a resident of California, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights over your personal information. Most of these rights are already covered by the GDPR sections above (access, deletion, correction, portability) — we apply them uniformly regardless of where you live. In addition:
- We do not "sell" your personal information as that term is defined in California Civil Code §1798.140(t), and we do not "share" your personal information for cross-context behavioural advertising as defined in §1798.140(ah). We have not done so in the preceding 12 months and have no plans to start.
- We have not received any opt-out signal (Global Privacy Control) because there's nothing to opt out of in the first place — but we honour GPC headers if you set them.
- No discrimination: we won't degrade your experience or charge you more for exercising any of these rights.
- Sensitive personal information: we don't process the categories defined as "sensitive" under CPRA (precise geolocation, racial/ethnic origin, religious beliefs, health, sexual orientation, etc.) — except your Discord user ID, which is technically a unique identifier.
To exercise any of these rights, use the same channels listed in §8.1 / §8.3 (/account export, /account delete, or email contact@podiumbot.app).
9. Security
We take security seriously, because a data leak is bad for everyone. Concrete measures:
- HTTPS everywhere, TLS 1.3 enforced via Cloudflare
- All secrets in environment variables, never committed to source code
- Encrypted session cookies (iron-webcrypto, AES-256 sealed)
- No passwords stored — authentication is fully delegated to Discord OAuth
- TLS-encrypted database connections, IP-restricted at the Neon level
- SSH access to the VPS via key only, password authentication disabled, fail2ban + UFW in place
- Automatic security updates (unattended-upgrades on Linux)
- Regular encrypted backups, 30-day retention
No system is 100% bulletproof, but we do our best, and in the event of a data breach we follow both the legal and the contractual procedure:
- Notification to the CNIL within 72 hours (GDPR Art. 33)
- Notification of affected individuals if the risk to their rights and freedoms is high (GDPR Art. 34)
- Notification to Discord Inc. of any unauthorised access to data obtained through the Discord API, as required by Section 5 of the Discord Developer Terms of Service ("API Data")
- Postmortem published on podiumbot.app once the incident is contained
10. Cookies
PodiumBot uses only functional cookies. No tracking cookies, no analytics cookies, no advertising cookies. That's why you didn't see an "Accept / Reject" banner — there's nothing to accept beyond what's strictly necessary.
| Name | Type | Purpose | Lifetime | Legal basis |
|---|---|---|---|---|
| pb_session | Functional — strictly necessary | Keep your session open on podiumbot.app after Discord OAuth login; AES-256 encrypted | 7 days | Performance of contract (Art. 6(1)(b)) — consent-exempt |
| pb_locale | Functional | Remember your language preference (fr or en) | 1 year | Legitimate interest (Art. 6(1)(f)) — consent-exempt |
You can delete these cookies anytime via your browser, but without pb_session you'll be logged out, and without pb_locale the language will fall back to the one detected from your browser.
11. Children
PodiumBot is built on top of Discord. Discord's Terms of Service require a minimum age of 13 years (and 16 years in some EU countries — e.g. France, for GDPR consent of minors without parental consent). We rely on the age check Discord performs at signup: if you can use Discord, you can use PodiumBot.
We don't knowingly collect data from people below the minimum age. If you're a parent or guardian and you believe a child too young is using our service, write to us at contact@podiumbot.app — we'll take appropriate action (data deletion).
12. Changes to this policy
The service evolves, the law evolves, so this policy may evolve too. When we make material changes (a new sub-processor that changes an international transfer, a new purpose, a longer retention period…), we'll let you know:
- By email, if we have an address to reach you
- In-app on podiumbot.app and/or via a Discord bot announcement
- With a 30-day notice before material changes take effect
For minor changes (rewording, URL update, typo fix), we simply update the "Effective…" date at the top of this page.
The history of previous versions is available on request at contact@podiumbot.app.
13. Contact and remedies
For any question, rights request, or just curiosity:
Email: contact@podiumbot.app
Tag your subject with [Privacy] so we handle it fast.
Postal address: 254 rue Vendôme, 69003 Lyon, France
To file a complaint with the French supervisory authority:
CNIL — 3 Place de Fontenoy, TSA 80715, 75334 PARIS CEDEX 07, France https://www.cnil.fr
Thanks for using PodiumBot. We work hard to keep this service simple, clean, and respectful of your privacy.