Privacy Policy
Last updated: 2025-12-11
This Privacy Policy explains how Susurra (the “Service”, the “Bot”, or “we/us/our”) collects, uses, and protects information when you use our Discord bot and web dashboard, purchase credits or subscriptions, and interact with related features. This policy is designed to support compliance with the Discord Developer Terms of Service and Developer Policy, as well as privacy regulations in relevant jurisdictions. If you do not agree with this policy, please do not use the Service.
For questions or data requests, contact: [email protected]
References to “guild” mean a Discord server. If we materially change this policy, we will update the “Last updated” date and may announce changes via our website or support channels. This policy is part of our Terms of Service and uses the same defined terms.
By using the Service, you represent that you are 13 or older (or the minimum age of digital consent in your jurisdiction, if higher) and have permission to use Discord.
1. Summary of what we collect
- Discord identifiers: user IDs, guild IDs, channel IDs, message IDs, role IDs, emoji IDs, and similar numeric or string identifiers.
- Message content: only from channels explicitly enabled by guild administrators for AI responses and only as needed to generate the response.
- Limited message history: we may temporarily cache up to a configured number of recent messages (default 100) in enabled channels to provide context for AI responses.
- Message metadata: timestamps and author usernames may be included within the cached AI context strictly to improve relevance and continuity.
- Reactions and emojis: when role management is enabled, we process reactions (emoji adds/removes) on configured embeds to grant or remove roles.
- Verification events: if anti-spam verification is enabled, we process verification attempts, including results of a custom CAPTCHA challenge and related timestamps.
- Administrative logs: if a guild log channel is configured, we may send informational embeds (e.g., join/leave, message edit/delete notices) to that channel.
- Billing data: via Stripe, including Stripe customer/subscription IDs, checkout session IDs, and purchase amounts; we may store the linked Discord guild ID and the premium owner’s Discord user ID as metadata.
- Website and support data: basic analytics or server logs (IP address, user agent, timestamps) for security and troubleshooting; Discord OAuth2 identity when you log into the dashboard.
- Configuration data: your guild’s configuration (enabled status, enabled channels, response frequency, max history size, bot nickname, and log channel ID).
2. How we use the information
- Provide AI responses in enabled channels. We use limited, recent message content for prompt context and to generate responses.
- Operate emoji-based role management features in configured channels by monitoring reactions on specific embeds and applying or removing roles accordingly.
- Operate anti-spam verification features, including displaying an embed with instructions and validating a custom CAPTCHA to grant a “verified” role or similar access.
- Provide server administrators a configuration dashboard and optional log messages to assist moderation visibility.
- Prevent abuse, fraud, and spam; ensure the reliability and security of the Service (e.g., rate limiting, auditing anomalous API errors).
- Process payments and manage subscriptions and credits through Stripe, including credit grants upon successful charges.
- Comply with law, enforce our Terms of Service, and respond to lawful requests.
3. Data minimization and retention
- We only process message content from channels explicitly enabled by guild administrators for AI responses or for configured features (e.g., role management/verification embeds).
- AI context cache: message content and minimal metadata are stored in an in-memory cache for up to 24 hours (sliding expiration) and limited to a maximum history size per channel (default 100). This cache is not stored in a long-term database.
- We do not permanently store message content in our database.
- We may store durable configuration data (guild settings, enabled channels, log channel IDs), numeric identifiers (guild/user/channel IDs), and billing metadata (Stripe customer/subscription IDs; premium owner’s Discord user ID).
- Administrative logs are posted to your chosen log channel and are retained by Discord per Discord’s policies; we do not export these logs elsewhere.
- Verification results (pass/fail) and related timestamps may be retained as minimal records to prevent abuse; we aim to retain such records only as long as necessary for operational and security purposes.
- We do not knowingly process or retain direct message (DM) content; the bot’s focus is on configured guild channels.
4. Legal bases
Where applicable (e.g., GDPR), our legal bases include: (a) legitimate interests in operating and securing the Service, preventing abuse, and providing requested functionality; (b) performance of a contract (our Terms) when providing premium features and credits; and (c) compliance with legal obligations. In jurisdictions requiring consent for certain processing, guild administrators opt in by enabling features and channels; users can interact using commands or by abstaining from enabled channels as appropriate.
5. Sharing and third parties
- Discord: We process data via Discord’s APIs as necessary to operate the bot and display content/messages in your guilds.
- Stripe: We use Stripe to process payments; Stripe may process personal data such as billing details per its own privacy policy. We store Stripe IDs and relevant metadata necessary to reconcile purchases and subscriptions.
- LLM/AI provider: We use a local model by default (Ollama). If you configure a third-party LLM provider, message content from enabled channels may be sent to that provider solely to generate responses. Review your configured provider’s privacy terms.
- Hosting and infrastructure providers: We may use cloud or server infrastructure to run the Service and store configuration data.
- Legal and safety: We may disclose information to comply with applicable laws, lawful requests, or to protect rights, property, or safety of users, guilds, and the public.
6. Security
We implement reasonable technical and organizational measures, such as minimizing stored content, limiting retention windows, access controls, and logging anomalies. No system is perfectly secure; users and admins should follow Discord security best practices (e.g., permissions hygiene, avoiding overbroad roles).
7. Your choices and controls
- Guild administrators can enable/disable the bot and select inference channels in the dashboard. They can also set response frequency and a log channel.
- Guild administrators can remove the bot at any time, stopping any further processing in that guild.
- Users may avoid interacting in enabled channels if they do not wish their message content to be processed for AI responses.
- Role management and verification are opt-in features that must be configured by admins; if disabled, no reaction or verification data is processed for that guild.
8. International data transfers
Depending on hosting configuration, data may be processed in the country where our servers run. If you connect to third-party LLMs or services, their servers may be in other regions. Where required, we rely on appropriate transfer mechanisms offered by those providers.
9. Children’s privacy
The Service is not intended for children under 13 or the minimum age of digital consent in your jurisdiction, if higher. Do not use the Service if you are under the applicable age limit.
10. Data subject rights
Subject to your jurisdiction, you may have rights to access, correct, delete, or restrict processing of your personal data. Because we primarily process data under the direction of guild administrators within Discord, please contact your guild admins first. You may also contact us at [email protected] with your Discord user ID and guild ID(s). We may ask for additional verification.
11. Contact
If you are a California resident, you may have additional rights under the CCPA/CPRA. If you are in the EEA/UK, you may have additional rights under the GDPR/UK GDPR. We will honor valid, verifiable requests as required by applicable law.