Privacy Policy
Last updated: June 8, 2026
Effective date: June 8, 2026
1. Introduction and Identity of the Controller
DiscoList ("DiscoList", "we", "us", or "our") operates the website located at https://discolist.xyz and the associated Discord bot and tools (collectively, the "Service").
DiscoList is the data controller responsible for your personal data as defined under the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable data protection laws. For any privacy-related matters, you may contact us via our contact form.
This Privacy Policy explains what personal data we collect, why we collect it, how we use and store it, who we share it with, and what rights you have over it. Please read this policy carefully before using our Service.
2. Data We Collect and How We Collect It
2.1 Data You Provide When Signing In
DiscoList uses Discord OAuth2 for authentication. When you sign in with Discord, Discord provides us with the following data from your Discord account, subject to the OAuth2 scopes you authorise:
- Your Discord User ID (a unique numeric identifier)
- Your Discord username and discriminator (if applicable)
- Your Discord display name / global name
- Your Discord avatar hash (used to display your profile picture)
- Your Discord banner hash (if set)
- Your email address (if you grant the email scope)
- A list of Discord servers (guilds) you are a member of with admin or manage permissions (used only to verify server ownership during connect and DiscoLaunch flows — not stored)
We store your Discord User ID, username, display name, avatar URL, and email address in our database to create and maintain your DiscoList account. Your Discord access token is stored in a short-lived, httpOnly, secure cookie for the duration of your session and is used only to verify server permissions on your behalf.
2.2 Data Generated Through Your Use of the Service
- Server listings: If you connect or list a Discord server, we store the server name, guild ID, icon, invite code, member count, description, category, and any other details you provide.
- Server backups: When you use the /backup save command, we store a snapshot of your Discord server's roles, channels, and categories. This data is associated with your guild ID and stored securely in our database.
- Votes and reviews: We store the votes and reviews you submit, linked to your DiscoList user ID and the relevant server.
- Favourites: If you favourite a server, we store that association.
- Notifications: We store notification records relevant to your account activity.
- DiscoLaunch deployments: When you deploy a template via DiscoLaunch, we store a record of the deployment including the server name, guild icon, template used, and result status.
2.3 Technical and Usage Data
We collect standard server-side logs which may include IP addresses, browser user-agent strings, and request timestamps for the purpose of security, abuse prevention, and debugging. IP addresses are not stored in plain text in our primary database and are used only for rate-limiting and security purposes.
We do not use any third-party analytics services (such as Google Analytics). We do not use advertising networks or tracking pixels.
2.4 Discord Bot Data
Our Discord bot is present in servers you connect to DiscoList. The bot may process the following data when commands are executed:
- The Discord username and ID of the user who issued a slash command
- The guild ID and guild name of the server where the command was used
- Server structure data (roles, channels, categories) when creating or restoring a backup
- Message content in channels where the Message Content privileged intent is enabled (for backup purposes only, where explicitly configured)
The bot does not log or store message content by default unless the backup feature is explicitly used. Data processed by the bot is governed by this Privacy Policy and by Discord's own Privacy Policy and Developer Terms of Service.
3. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases under Article 6 of the GDPR:
- Contractual necessity (Art. 6(1)(b)): Processing your Discord account data, server listings, backups, and usage records is necessary to provide you with the Service you have requested.
- Legitimate interests (Art. 6(1)(f)): We process technical and usage data to maintain security, prevent abuse, debug the Service, and improve its functionality. Our legitimate interests do not override your rights.
- Consent (Art. 6(1)(a)): Where we request your consent for optional data processing (such as storing message content for backup purposes), we will ask for explicit consent before processing. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): We may process and retain data to comply with applicable legal obligations, including law enforcement requests made through proper legal channels.
4. Cookies and Local Storage
We use the following cookies on DiscoList:
- discolist_session (Strictly Necessary): Stores your session identifier to keep you signed in. Required for the Service to function.
- discolist_user (Strictly Necessary): Stores your username and avatar for client-side display in the navigation bar. Not used for tracking.
- discord_access_token (Strictly Necessary): Stores your Discord OAuth2 access token for server permission verification. Expires when your Discord session expires.
- discord_oauth_state (Security): CSRF protection token used during the OAuth2 login flow. Deleted immediately after authentication completes.
We do not use advertising cookies, third-party tracking cookies, or analytics cookies. No cookie consent banner is required for strictly necessary cookies under the ePrivacy Directive and GDPR.
5. How We Use Your Data
We use your personal data for the following purposes:
- To authenticate you and maintain your account session
- To display your profile, avatar, and username across the Service
- To process and display your server listings on the discovery page
- To store and manage server backups on your behalf
- To power the voting, review, favourites, and notification systems
- To verify you have the required permissions on Discord before allowing server-related actions
- To provide server owners with aggregate analytics about their listings
- To detect, investigate, and prevent abuse, fraud, and violations of our Terms of Service
- To comply with legal obligations and respond to lawful requests from authorities
- To communicate with you about your account or our Service (only when necessary)
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
6. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data to any third parties for marketing purposes. We share data only as follows:
- Supabase (database and authentication infrastructure): Our database is hosted on Supabase, which processes data on our behalf as a data processor. Supabase is GDPR-compliant and operates under a Data Processing Agreement. Data may be stored in EU or US regions depending on project configuration.
- Cloudflare (CDN, DDoS protection, and tunnel): All web traffic passes through Cloudflare's network. Cloudflare may process IP addresses and request metadata for security and performance purposes. Cloudflare is GDPR-compliant and operates as a data processor under a DPA.
- Discord Inc.: Our Service uses the Discord API and OAuth2. When you sign in or use our bot, data is exchanged with Discord under their own Privacy Policy and Developer Terms. We are bound by Discord's Developer Policy regarding the use and storage of data obtained through their API.
- Law enforcement: We may disclose personal data to law enforcement or government authorities if required to do so by law, court order, or legal process, or if we believe disclosure is necessary to protect the rights, property, or safety of DiscoList, our users, or others.
Any third party that processes data on our behalf is bound by appropriate data protection agreements and is required to process data only on our documented instructions.
7. International Data Transfers
Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where Supabase and Cloudflare infrastructure may be located. Where such transfers occur, we ensure adequate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Reliance on the EU-U.S. Data Privacy Framework where applicable
You may request information about the specific safeguards applied to your data transfers by contacting us.
8. Data Retention
We retain your personal data for the following periods:
- Account data (username, avatar, email): Retained until you delete your account or request deletion.
- Server listings: Retained until you remove the server from DiscoList or delete your account.
- Server backups: Retained until you delete them manually or delete your account.
- Votes and reviews: Retained until you delete them or delete your account. Aggregate statistics may be retained after deletion.
- Server logs and security data: Retained for up to 90 days for security and abuse prevention purposes.
- DiscoLaunch deployment records: Retained for up to 12 months, then automatically purged.
After the applicable retention period, data is securely deleted or anonymised. In some cases, we may retain anonymised or aggregated data (which cannot identify you) for statistical or analytical purposes indefinitely.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction, including:
- TLS/HTTPS encryption for all data in transit
- Encrypted storage of sensitive credentials and tokens
- httpOnly and Secure flags on all session cookies
- CSRF protection during authentication flows
- Server-side permission checks before all data-modifying operations
- Supabase Row Level Security (RLS) policies to restrict database access
- Rate limiting to prevent brute-force and abuse
No method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your data using commercially acceptable means, we cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay as required under GDPR Articles 33 and 34.
10. Discord API Data and Developer Policy Compliance
DiscoList uses the Discord API and is bound by Discord's Developer Policy and Developer Terms of Service. In compliance with those policies:
- We only request Discord OAuth2 scopes that are strictly necessary to provide the Service (identify, email, guilds).
- We do not use Discord data to train machine learning models.
- We do not sell or monetise Discord user data.
- We do not share Discord user data with third parties except as described in this policy.
- We store only the minimum necessary Discord user data required to provide and improve the Service.
- Discord user data obtained via the API is used solely to provide features directly to the user who authorised access.
- We use the Message Content privileged intent only where the user's server has explicitly enabled message backups, and only to provide the backup functionality to that server owner.
- You may revoke DiscoList's access to your Discord account at any time via Discord's Authorized Apps settings. Revoking access will invalidate your DiscoList session.
11. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. Because DiscoList requires a Discord account for authentication, and Discord requires users to be at least 13 years old, users under 13 are not permitted to use the Service.
If you are a parent or guardian and believe your child under 13 has provided us with personal data, please contact us immediately and we will take steps to delete such data.
12. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the GDPR and applicable data protection law:
- Right of access (Art. 15): You have the right to obtain confirmation of whether we process your personal data, and to receive a copy of that data along with information about how it is processed.
- Right to rectification (Art. 16): You have the right to request correction of inaccurate or incomplete personal data we hold about you.
- Right to erasure / "right to be forgotten" (Art. 17): You have the right to request deletion of your personal data where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent (where consent is the legal basis).
- Right to restriction of processing (Art. 18): You have the right to request that we restrict processing of your data in certain circumstances.
- Right to data portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.
- Right to object (Art. 21): You have the right to object to processing of your personal data where we rely on legitimate interests as the legal basis.
- Rights related to automated decision-making (Art. 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects on you. We do not engage in such processing.
- Right to withdraw consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing prior to withdrawal.
To exercise any of these rights, please contact us via our contact form. We will respond to your request within 30 days. We may need to verify your identity before processing your request. You will not be charged a fee for exercising your rights unless your request is manifestly unfounded or excessive.
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO). In Ireland, this is the Data Protection Commission (DPC).
13. California Privacy Rights (CCPA)
If you are a California resident, you may have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, disclose, or sell; the right to request deletion of your personal information; and the right not to be discriminated against for exercising your privacy rights.
We do not sell personal information as defined under the CCPA. To exercise your CCPA rights, please contact us via our contact form.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this page.
We encourage you to review this policy periodically. Your continued use of the Service after any changes constitutes your acceptance of the updated policy. If we make changes that materially affect your rights or the way we process your data, we will make reasonable efforts to notify you directly.
15. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us using our contact form. We aim to respond to all privacy-related enquiries within 30 days.
DiscoList is not affiliated with, endorsed by, or sponsored by Discord Inc. Discord is a trademark of Discord Inc.