Privacy Policy

Last updated: April 25, 2026

This document is available in English only. The English version is legally binding. For questions, contact support@arkanis.gg.

1. Introduction

Arkanis ("we", "us", "our") operates the Arkanis Discord bot, web dashboard, and associated services (collectively, the "Service"). This Privacy Policy explains what personal data we collect, how and why we use it, who we share it with, and the rights you have under applicable data protection law — principally the United Kingdom General Data Protection Regulation ("UK GDPR") and, where applicable, the EU General Data Protection Regulation ("EU GDPR").

Data controller. For data we collect about you through the Service, the data controller is the operator of Arkanis. You can contact us at trust@arkanis.gg for any privacy matter, including data subject requests, breach notification, and complaints.

Server administrators as joint controllers. When you interact with Arkanis inside a Discord server, the administrators of that server are joint controllers with us in respect of moderation actions taken against you (strikes, bans, warnings, mutes, case transcripts, role assignments). Server administrators decide why and how their community is moderated; we provide the tooling and infrastructure. Requests to delete moderation records held against you in a specific community should be directed to that server's administrators in the first instance.

By using the Service, you agree to the collection and use of information in accordance with this policy. If you do not agree, please remove the bot from your server, unlink your accounts via the dashboard, and discontinue use of the Service.

2. Data We Collect

We collect only the data necessary to provide and operate the Service:

2.1 Discord Account Data (via Discord OAuth2 and the Discord API)

  • Discord User ID, username, global name, display name, and avatar URL
  • The list of Discord servers (guilds) you are a member of (used to scope dashboard access; not stored long-term)
  • Your roles, nickname, and join date inside servers that use the Service
  • Discord OAuth2 access and refresh tokens, encrypted at rest
  • Server (guild) ID, name, icon, member count, channel IDs, and role metadata
  • Message content in case channels, modmail channels, and panels operated by the bot (for transcripts and support history)
  • Message content that triggers an AutoMod rule configured by a server administrator (kept for the rule's configured retention)

2.2 Game Identity Data

Collected only when you choose to link or verify a game account.

  • Steam: Steam ID (SteamID64), Steam display name, Steam profile URL, and Steam avatar (via Steam Web API or Steam OpenID 2.0 sign-in)
  • Xbox / Microsoft: Xbox User ID (XUID), Xbox Live Gamertag, Microsoft account identifier returned by Microsoft Identity Platform, and Xbox Live access / refresh tokens (encrypted at rest)
  • Alderon Games: Alderon Games ID and player name (entered manually by the user)
  • Verification method (manual entry, OAuth, RCON-confirmed) and timestamps
  • Optional metadata returned by the provider (e.g. token expiry) stored against your linked identity

2.3 Enforcement Data

  • Strikes, warnings, bans, and mutes issued against you by server staff
  • Appeal records, decisions, and appeal correspondence
  • Risk scores calculated based on enforcement history, behavioural patterns, and system-defined heuristics
  • Audit logs of staff actions taken against your account

2.4 Support Data

  • Case and modmail conversations (messages, form responses, attachments)
  • Transcript files generated when cases are closed
  • Form input you provide when opening a case (subject, description, structured fields)

Support conversations may contain personal or sensitive information you voluntarily provide. Server administrators and authorised staff in your community may access this information through the Service.

2.5 Billing and Payment Data

If you or your server purchases an Arkanis Pro subscription, payments are processed by Stripe Payments Europe, Ltd. ("Stripe"). We do not see, store, or have access to your full payment card number, CVV, or bank credentials. From Stripe we receive and store:

  • Stripe customer ID, subscription ID, and product / price IDs
  • Subscription status (active, past due, cancelled), period start and end dates, and trial status
  • Last four digits of the card and card brand (for display only)
  • Billing email address
  • Country and, where required for tax, billing region
  • Coupon, promotion, or referral codes applied

Your full payment details are governed by Stripe's own privacy policy at stripe.com/privacy.

2.6 Technical Data

  • IP addresses used to access the web dashboard or bot API (rate limiting, abuse prevention, security investigation)
  • Browser user-agent and locale
  • Session identifiers (authentication cookies described in § 5)
  • Server-side request logs (route, status code, latency, request ID; truncated at 30–90 days unless flagged for security review)

3. Legal Basis for Processing (UK / EU GDPR)

Under the UK GDPR and, where applicable, the EU GDPR, we rely on the following lawful bases:

  • Contract (Art. 6(1)(b)) — to provide the Service you have requested, including authentication, dashboard access, identity linking, case / modmail processing, and Pro billing.
  • Legitimate interests (Art. 6(1)(f)) — for security, abuse prevention, rate limiting, audit logging, fraud detection, calculating moderation risk scores for server staff, and improving the reliability of the Service. We have balanced these interests against your rights and consider them proportionate; you can object at any time (see § 9).
  • Consent (Art. 6(1)(a)) — for optional features such as linking external game accounts (Steam, Xbox/Microsoft, Alderon) and for any future feature that asks you to opt in. You may withdraw consent at any time by unlinking the relevant account.
  • Legal obligation (Art. 6(1)(c)) — to respond to lawful requests from authorities, comply with tax / accounting requirements for paid subscriptions, and meet our obligations under data protection law.

We do not rely on Art. 9 special category data; if a user voluntarily places special category data into a case channel (for example, health information in a support request), it is processed under the explicit-consent or substantial-public-interest bases as relevant, and you should not include such data unless necessary.

4. How We Use Your Data

We use collected data solely to:

  • Operate the Discord bot and web dashboard
  • Authenticate users on the web dashboard via Discord OAuth2
  • Link and verify player identities across platforms (Discord, Steam, Xbox / Microsoft, Alderon Games)
  • Manage enforcement actions configured by server staff (strikes, bans, warnings, mutes, appeals)
  • Provide case and modmail functionality
  • Enforce AutoMod rules configured by server administrators
  • Generate transcripts and audit logs for accountability
  • Compute risk scores as advisory inputs to human moderators
  • Process Pro subscription payments via Stripe and manage entitlements
  • Detect, prevent, and respond to abuse, fraud, security incidents, and breaches of these terms
  • Comply with applicable law and respond to lawful requests

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes. We do not use your data for behavioural profiling outside the Service, targeted advertising, or any purpose unrelated to operating the Service.

5. Cookies

We use a small number of cookies, all of which are strictly necessary for the Service to function. We do not use advertising, tracking, or analytics cookies, and we do not require a cookie banner under PECR / ePrivacy because we do not set non-essential cookies.

  • Authentication session cookie (HTTP-only, secure, SameSite=Lax) — identifies your dashboard session. Expires when the session expires or you log out.
  • CSRF / OAuth state cookie — used briefly during sign-in to prevent cross-site request forgery and OAuth replay. Set only during the sign-in flow; cleared automatically.
  • Preference values stored in localStorage (not technically cookies) — UI state such as "you have seen this NEW badge" and your selected dashboard server. These never leave your browser.

6. Data Sharing and Sub-processors

We share data only in the following circumstances and with the following sub-processors:

  • With server staff — Enforcement data, risk scores, case transcripts, and player identities are visible to authorised administrators and moderators in the Discord server you interact with, as configured by guild permissions. Each server's staff is jointly responsible for handling that data appropriately.
  • Discord Inc. — for authentication (Discord OAuth2), bot operation (Discord API / Gateway), and message delivery. Governed by discord.com/privacy.
  • Valve Corporation (Steam Web API and Steam OpenID) — we send Steam IDs to retrieve public profile information (display name, avatar, profile URL). Governed by Valve's Steam Web API Terms of Use and Steam privacy policy.
  • Microsoft Corporation (Microsoft Identity Platform and Xbox Live Services) — when you choose to verify with Xbox, we redirect you to Microsoft sign-in and exchange the resulting authorisation code for Xbox Live tokens to retrieve your XUID and Gamertag. Governed by the Microsoft Privacy Statement at privacy.microsoft.com and the Xbox Live Terms of Service.
  • Stripe Payments Europe, Ltd. — processes Pro subscription payments. Stripe acts as an independent controller for payment data. Governed by stripe.com/privacy.
  • Hosting / infrastructure providers — the Service operates on dedicated server infrastructure controlled by the operator. Database, application, and bot processes run on the same hosted infrastructure; backup snapshots are stored on the same provider with encryption at rest.
  • Email delivery — transactional emails (password-less sign-in, billing receipts, security notices) may be delivered through a transactional email provider acting as our processor.
  • Legal requirements — we may disclose data if required by law, court order, or governmental request, or where necessary to protect the rights, property, or safety of Arkanis, our users, or the public.

We do not share data with any other third parties. We will update this list when we add or change a sub-processor.

7. International Data Transfers

Some of the third parties listed above (notably Discord, Microsoft, Valve, and Stripe) are established outside the United Kingdom and the European Economic Area. When personal data is transferred to those parties, we rely on the following safeguards under UK GDPR / EU GDPR:

  • UK / EU adequacy decisions where they apply
  • Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), incorporated into our agreements with sub-processors that publish them
  • The processor's own GDPR / UK GDPR compliance commitments (Data Processing Agreements published by Discord, Microsoft, and Stripe)

If you would like a copy of the relevant transfer safeguards in place, contact trust@arkanis.gg.

8. Data Storage, Security, and Retention

8.1 Storage and Security

Data is stored in a MySQL database hosted on infrastructure controlled by the Service operator. Sensitive credentials (Discord OAuth2 tokens, Xbox Live tokens, RCON passwords, SFTP credentials, third-party API keys) are encrypted at rest using Fernet symmetric encryption with versioned key rotation.

We implement the following security measures:

  • TLS in transit for all dashboard and API traffic
  • Encryption at rest for sensitive credentials and OAuth tokens
  • Shared-secret authentication between internal services (web → API → bot)
  • Per-IP and per-user rate limiting on public endpoints
  • Capability-based access control on dashboard actions, scoped per Discord server
  • Audit logging of staff actions and security-relevant events
  • Principle of least privilege for service operators

No system is perfectly secure. While we work to protect your data, we cannot guarantee absolute security. If you discover a vulnerability, please report it to trust@arkanis.gg.

8.2 Retention Periods

  • Active enforcement records (strikes, warnings, mutes): retained per the configured expiry set by the server administrator. After expiry the record is marked inactive but kept in history for accountability.
  • Bans: retained until removed by the server administrator, the appeal is approved, or the operator deletes the record at the data subject's request (unless retention is required for legal or safety reasons).
  • Case messages and transcripts: retained while the originating server uses the Service and for up to 12 months after cancellation, then deleted unless the server administrator has requested earlier deletion.
  • Audit logs: retained for up to 24 months from the event, then aggregated or deleted.
  • AutoMod event records: retained for the period configured per rule (default 90 days) and aggregated into rule metrics afterwards.
  • Linked game identities (Steam, Xbox, Alderon): retained while the link exists. Unlinking or guild departure removes the identity from active tables and from external-facing surfaces. We may retain a hashed reference for 90 days afterwards to prevent immediate re-link abuse.
  • Discord OAuth2 tokens: rotated on each sign-in; expired tokens are deleted within 30 days.
  • Xbox Live OAuth tokens: kept only as long as the link exists; deleted on unlink.
  • IP addresses and request logs: 30–90 days for security and abuse-prevention purposes, then deleted, unless flagged for an active investigation.
  • Billing records: kept for as long as required by tax and accounting law in the jurisdiction of operation (typically 6–7 years).

9. Your Rights

Under the UK GDPR and EU GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your personal data. Note that enforcement records held by a Discord server's administrators may be retained by that server for moderation purposes; you should contact the relevant administrators directly.
  • Restriction of processing — request that we stop processing your data while a dispute is resolved.
  • Data portability — receive your data in a structured, commonly used, machine-readable format.
  • Object — object to processing based on legitimate interests, including risk scoring and abuse-prevention analysis.
  • Withdraw consent — for any feature relying on consent, you can withdraw consent at any time without affecting prior lawful processing. Unlink an account at any time from the dashboard, or remove the bot from your server.
  • Lodge a complaint — you may complain to your data protection supervisory authority. In the UK this is the Information Commissioner's Office (ICO, ico.org.uk). In the EU it is the supervisory authority of your member state.

To exercise any of these rights, contact trust@arkanis.gg. We will respond within 30 days. We may need to verify your identity before fulfilling a request, particularly where it would otherwise allow a third party to access another user's data.

10. Automated Decision-Making and Profiling

Arkanis computes risk scores for users based on their enforcement history within a Discord server, behavioural signals, and configurable heuristics defined by the server's administrators. Risk scores can also feed into automated AutoMod actions configured by server staff (e.g. delete a message, log to a channel, escalate to a human reviewer).

These outputs are advisory and are designed to inform human moderators, not replace them. Server administrators choose whether to act on a flag, and final moderation decisions are made by humans except where the administrator has explicitly enabled an automated action (such as "delete message").

Where an automated action does take place without human review (for example, an AutoMod rule deleting a message), it produces no legal or similarly significant effect on you under UK GDPR Art. 22(1). If you believe an automated action has been taken against you incorrectly, you may appeal to the server's administrators using the in-Service appeal flow, and you may contact us at trust@arkanis.gg for a human review of how the system worked.

11. Data Breach Notification

If we become aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority (in the UK, the ICO) within 72 hours of becoming aware, in accordance with UK GDPR Art. 33. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

12. Children's Privacy

The Service is not intended for individuals under the age of 13, or under the minimum age required by Discord's Terms of Service in your jurisdiction (which is 16 in some EU member states). We do not knowingly collect personal data from children below this age. If we become aware that a child has provided us with personal data, we will delete the data as soon as reasonably practicable.

We comply with the UK Age Appropriate Design Code where applicable. Server administrators in communities that are likely to be accessed by children should configure the Service accordingly and ensure their own privacy notice covers the use of Arkanis.

13. Trademarks and Affiliation

Arkanis is an independent service. Arkanis is not affiliated with, endorsed by, sponsored by, or in any way officially connected to Discord Inc., Valve Corporation, Microsoft Corporation, Alderon Games, or any other game publisher, platform, or storefront referenced in the Service.

Discord, Steam, Xbox, Microsoft, and Path of Titans are trademarks of their respective owners and are used here for descriptive purposes only.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last updated" date. For material changes that meaningfully reduce your privacy rights or expand the data we collect, we will provide reasonable advance notice (typically 30 days) by email to billing contacts and via a notice on the dashboard. Continued use of the Service after the change takes effect constitutes acceptance of the revised policy.

15. Contact and Complaints

For privacy-related inquiries, data subject requests, breach notifications, or complaints, use any channel on our Contact page. Email is the recommended route for formal privacy requests:

trust@arkanis.gg — data subject requests, breach reports, abuse, safety, and legal / DMCA

support@arkanis.gg — general privacy questions and account help

If you are not satisfied with our response, you have the right to lodge a complaint with your data protection supervisory authority (in the UK, the Information Commissioner's Office at ico.org.uk).