Privacy Policy (GDPR)
Last updated: 2026-05-08 · Version 1.1 · Compliant with Regulation (EU) 2016/679 (GDPR) and the French Data Protection Act
1. Data Controller
The data controller is the publisher of DiSkribe (see Legal Notice). Servers are hosted in France within the European Union.
2. Data We Collect
- Discord identity: Discord ID, username, avatar URL, email — provided via Discord OAuth.
- Patreon link (optional): Patreon ID, pledge amount, OAuth tokens — only if you link.
- Usage data: chat sessions, messages, token usage, feedback, reports, file attachments you upload.
- Technical data: IP address (logged short-term), user-agent, request timing.
3. Lawful Basis
- Contract performance (Art. 6.1.b GDPR): account, chat history, quota tracking.
- Legitimate interest (Art. 6.1.f): security, abuse prevention, basic analytics.
- Consent (Art. 6.1.a): Patreon linking, optional cookies.
4. Retention
- Account data: until you delete your account.
- Chat history: until you delete the session or the account.
- Logs: 30 days, then anonymised or deleted.
- Consent records: 5 years (legal evidence).
5. Your Rights (Articles 15–22 GDPR)
- Access & portability: download all your data as JSON from your Account page.
- Rectification: edit your profile from your Account page.
- Erasure ("right to be forgotten"): delete your account from your Account page; cascading deletion is performed within 30 days.
- Restriction & objection: contact us via the email below.
- Complaint: lodge a complaint with the CNIL (French DPA).
6. Sharing & Sub-processors
We share data with the following processors strictly to deliver the Service:
- AI model providers (configuration-dependent — SCCs in place where applicable): your prompt and conversation history are sent to the configured AI inference provider(s) for response generation. By default this is the Google Gemini API; additional providers may be enabled by the administrator. These providers do not use API data to train their models.
- Discord (USA — SCCs): authentication.
- Patreon (USA — SCCs): pledge verification (only if linked).
7. Security
Data is stored in a SQLite database on the EU-hosted server. Transport is TLS-only. OAuth tokens are stored server-side and not exposed to the browser. API keys for AI providers are encrypted at rest.
8. Cookies
We use only strictly necessary cookies for authentication and CSRF protection. See the Cookie Policy.
9. Minors
The Service is not directed at children under 16. If you believe a child has created an account, contact us for immediate deletion.
10. Contact
DPO / Privacy contact: [email protected]