NoxBot Privacy Policy & Data Compliance

Last Updated: March 1, 2026
Effective Date: March 1, 2026
Data Controller: Vibhas Dutta
Contact: helpdeskprojectx1@gmail.com

1. Introduction

This Privacy Policy explains how NoxBot ("the Bot", "we", "us", "our") collects, uses, stores, shares, and protects information when you interact with our Discord bot. This document is designed to satisfy the requirements of:

Discord Terms of Service (effective September 29, 2025)
Discord Developer Terms of Service (effective July 8, 2024) and Discord Developer Policy
Google Gemini API Additional Terms of Service (effective December 18, 2025)
EU General Data Protection Regulation (GDPR) (Regulation 2016/679)
US Privacy Laws including CCPA/CPRA and COPPA (as amended June 23, 2025)

By using NoxBot in any Discord server, you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller Information

Field	Details
Controller Name	Vibhas Dutta
Contact Email	helpdeskprojectx1@gmail.com
Discord Support	https://discord.gg/8GT69je84T
Website	https://noxbot.tech
Country of Operation	India

For GDPR purposes, the data controller is responsible for determining the purposes and means of processing personal data collected through NoxBot.

3. What Data We Collect

3.1 Data Collected Automatically from Discord

When NoxBot operates in a Discord server, it may access and process the following data provided by the Discord API:

Data Type	Description	Purpose
Discord User ID	Your unique Discord snowflake identifier	User identification, memory association, analytics
Discord Username / Display Name	Your username or server nickname	Conversation context, chat history attribution
Guild (Server) ID	Unique identifier for the Discord server	Server configuration, per-guild data isolation
Channel ID	Unique identifier for the channel	Chat history tracking, feature routing
Message Content	Text content of messages sent in bot-enabled channels	AI chat responses, automod analysis, report processing
Message Attachments	Images attached to messages in bot channels	Image analysis via AI (when applicable)
Server Roles	Role information for permission checks	Command access control, staff role verification
Server Events	Scheduled events data	Event announcement features

Per Discord Developer Policy Section 15: API Data is only accessed, requested, or used as necessary to provide the bot's stated functionality.

3.2 Data Derived by AI Processing

NoxBot uses AI to extract and store contextual information from conversations:

Data Type	Categories	Retention
User Memories	Profile (timezone, language), Preferences (communication style), Interests (hobbies, games), Activity patterns, Relationships (mentioned friends), Achievements, History (birthdays, goals), Expertise (skills)	Permanent until user requests deletion
Server Memories	Knowledge (FAQs, rules, resources), Events (tournaments, game nights), Moderation (warnings, violations), Culture (traditions, community vibe)	Knowledge/Culture: Permanent · Events: 180 days · Moderation: 90 days

Important: Per Discord Developer Policy Section 21, message content obtained through the APIs is not used to train machine learning or AI models. NoxBot sends messages to the Google Gemini API solely for real-time inference (generating responses, analysis, fact extraction) — not for model training.

3.3 Data Generated by Bot Operations

Data Type	Description	Retention
Chat History	Last 50 messages per channel, last 30 per user (cross-server)	24 hours (auto-expires)
Warning Records	Moderation warnings issued to users	Until manually cleared by server staff
Ticket Transcripts	Support ticket content and metadata	30 days after closure (auto-deleted via TTL)
Analytics Data	Aggregated usage counts (messages, commands, violations) per guild	Daily/Monthly/Total aggregates
Automod Logs	Violation records, action taken	Per violation tracking in guild config (max 10 per user)
Report Data	User reports including AI analysis	Stored in guild-specific logs
Payment Records	Premium subscription transactions	Payment orders: 15 minutes · Payment history: as required by law

3.4 Data We Do NOT Collect

❌ We do not collect passwords or authentication tokens
❌ We do not collect email addresses (unless voluntarily provided for support)
❌ We do not collect IP addresses
❌ We do not collect direct messages (DMs) unless the bot is explicitly messaged
❌ We do not collect voice or audio data
❌ We do not collect data from channels where the bot is not present or enabled
❌ We do not collect protected health information, financial information, or other sensitive information (per Discord Developer Policy Section 16)
❌ We do not knowingly collect data from persons under 13 years of age (per Discord Developer Policy Section 16)
❌ We do not sell, license, or commercialize any API Data (per Discord Developer Policy Section 18)

4. How We Use Your Data

4.1 Core Bot Functionality

Use Case	Data Used	Legal Basis (GDPR)
AI Chat Responses	Message content, chat history, user memories	Legitimate Interest / Consent
Automod (Content Moderation)	Message content, violation history, server rules	Legitimate Interest
Report Processing	Reported user's messages, violation history	Legitimate Interest
Ticket System	Ticket content, user ID	Contract Performance
AI Announcements	Source/target channel messages	Legitimate Interest
Event Announcements	Server event data	Legitimate Interest
Memory System	Conversation content → extracted facts	Consent
Web Search	User-provided search queries	Contract Performance
Weather Lookup	User-provided location string	Contract Performance

4.2 Operational Purposes

Analytics: Aggregated, non-personally-identifiable usage statistics per server (message counts, command usage, violation counts). Per Discord Developer Policy Section 15, any API Data used for improvement is aggregated or de-identified so it cannot be associated with or used to identify any individual.
Rate Limiting: Temporary tracking of request frequency per user/server to prevent abuse.
Premium Tier Enforcement: Checking subscription status to unlock/restrict features.

4.3 What We Do NOT Use Data For

❌ Targeted advertising — Prohibited by Discord Developer Policy
❌ Selling data to third parties — Prohibited by Discord Developer Policy Section 18
❌ Sharing data with ad networks or data brokers — Prohibited by Discord Developer Policy Section 17
❌ Contacting users outside Discord — Prohibited by Discord Developer Policy
❌ Profiling users or their relationships — Prohibited by Discord Developer Policy Section 16
❌ Training ML/AI models on message content — Prohibited by Discord Developer Policy Section 21
❌ Commercializing API Data — Prohibited by Discord Developer Policy Section 18

5. Third-Party Services & Data Sharing

NoxBot integrates with the following third-party services. Each service has its own privacy policy and terms.

5.1 Google Gemini API (AI Processing)

Aspect	Details
Service	Google Gemini API (gemini-2.0-flash, gemini-embedding-001)
Data Sent	Message content, conversation history, system prompts
Purpose	Chat responses, automod analysis, memory extraction, report analysis, announcement relevance scoring
Google's Data Use (Paid API)	Google does NOT use your prompts or responses to improve its products. Prompts/responses are processed under the Data Processing Addendum for Products Where Google is a Data Processor. Google logs data for a limited period solely for detecting violations of their Prohibited Use Policy.
Google's Data Use (Unpaid API)	Google MAY use submitted content and generated responses to provide, improve, and develop Google products and ML technologies. Human reviewers may read, annotate, and process API input and output.
EU/EEA/UK Users	Per the Gemini API Terms: for users in the European Economic Area, Switzerland, or the United Kingdom, the Paid Services data terms apply to all services, even those offered free of charge. Google does NOT use your data for model training regardless of tier.
Terms	Gemini API Additional Terms of Service

Critical: NoxBot does NOT train any AI models. We send data to Google Gemini API for real-time inference only. Per Discord Developer Policy Section 21, we do not use message content to train machine learning or AI models.

5.2 Google Custom Search API

Aspect	Details
Service	Google Custom Search JSON API
Data Sent	User-provided search queries only
Purpose	Web search functionality when users ask NoxBot to search the internet
Retention	Search queries are not stored by NoxBot beyond the immediate response
Terms	Google API Terms of Service

5.3 WeatherAPI.com

Aspect	Details
Service	WeatherAPI.com REST API
Data Sent	User-provided location strings (city names, coordinates, zip codes)
Purpose	Current weather, forecasts, and historical weather data
Retention	Location queries are not stored by NoxBot
Terms	WeatherAPI.com Terms

5.4 Data Storage Providers

Provider	Data Stored	Encryption
Google Firebase / Firestore	Guild configs, tickets, warnings, analytics, payment history	Encrypted at rest and in transit
Qdrant Cloud	Long-term memory vectors (user + server memories)	Encrypted at rest and in transit
Redis (Upstash or similar)	Short-term chat history, cooldown states, rate limits	Encrypted in transit

Per Discord Developer ToS Section 5(c): We use commercially reasonable efforts to protect data, including encryption at rest and administrative/technical safeguards.

5.5 Data Sharing Summary

Per Discord Developer ToS Section 5(b), we share API Data only:

With Service Providers (Google, Qdrant, Redis provider) who agree in writing to use data solely for NoxBot's functionality
When required by applicable laws or regulations
When a user expressly directs the sharing of their data

We do NOT:

Share data with advertisers, ad networks, or data brokers (per Policy Section 17)
Sell, license, or commercialize any API Data (per Policy Section 18)
Share individual user data with third parties beyond what is described in this policy

6. Data Storage & Security

6.1 Data Retention Schedule

Data Category	Storage	Retention Period	Auto-Deletion
Chat History (per channel)	Redis	24 hours	✅ TTL-based
Chat History (per user)	Redis	24 hours	✅ TTL-based
Guild Configuration	Firestore	Until bot is removed from server	Manual
Support Tickets	Firestore	30 days after closure	✅ Firebase TTL
Payment Orders	Firestore	15 minutes	✅ Firebase TTL
Payment History	Firestore	Duration required by law	Manual
Warning Records	Firestore	Until cleared by staff	Manual
Analytics (Daily)	Firestore	Rolling daily aggregates	Overwritten
Analytics (Monthly)	Firestore	Rolling monthly aggregates	Overwritten
User Memories (Long-term)	Qdrant	Until user requests deletion	On request
Server Memories — Knowledge	Qdrant	Permanent	On request
Server Memories — Culture	Qdrant	Permanent	On request
Server Memories — Events	Qdrant	180 days	✅ Expiry filter
Server Memories — Moderation	Qdrant	90 days	✅ Expiry filter
Automod Violation Logs	Firestore	Max 10 entries per user	Oldest trimmed

Per Discord Developer ToS Section 5(b): We promptly delete API Data when retaining it is no longer necessary for stated functionality, when a user requests deletion, or when Discord requests deletion.

6.2 Security Measures

Per Discord Developer ToS Section 5(c), we implement the following security measures:

Encryption in Transit: All data transmitted between NoxBot and cloud services uses TLS/SSL encryption
Encryption at Rest: Firestore, Qdrant Cloud, and Redis providers encrypt stored data at rest
Access Control: Firestore Security Rules restrict document access. API keys and credentials are stored as environment variables, never committed to code
Data Isolation: Guild data is strictly isolated — one server cannot access another server's data. User memories are isolated per user ID
Credential Security: All developer credentials (API keys, tokens) are treated as confidential information and kept encrypted (per Discord Developer ToS Section 5(c))
Cache Management: In-memory caches have size limits (max 1,000 guilds) and TTL (30 minutes) to prevent excessive data retention
Incident Reporting: In the event of unauthorized access to API Data, we will promptly notify Discord and affected users as required by applicable laws (per Discord Developer ToS Section 5(a))

7. AI-Specific Disclosures

7.1 How AI Processes Your Messages

When you interact with NoxBot's AI features:

Input: Your message content is sent to the Google Gemini API along with:
- Recent conversation history (up to 50 messages from the channel)
- Relevant long-term memories about you and the server
- Server-specific configuration (rulebook, moderation rules)
- System instructions (bot personality and behavior guidelines)
Processing: Google Gemini processes the input and generates a response. Under paid API terms:
- Your data is NOT used to train Google's AI models
- Your data is NOT reviewed by human annotators for product improvement
- Prompts/responses are logged for a limited period solely for abuse detection
Memory Extraction: After a response, a separate background process may analyze the conversation to extract notable facts (e.g., "User mentioned they live in Tokyo"). These facts are:
- Classified into predefined categories (profile, interests, preferences, etc.)
- Stored as vector embeddings in Qdrant (not as raw conversation text)
- Associated with your Discord User ID and the Guild ID
Output: The AI response is sent back to you in Discord

Clarification per Discord Developer Policy Section 21: We do NOT use message content obtained through the Discord APIs to train machine learning or AI models. Data sent to Google Gemini API is for real-time inference only — generating responses, analyzing content, and extracting facts. Google (under paid terms) also does not use this data for model training.

7.2 Automod AI Processing

When automod is enabled in a channel:

Message content is analyzed by Google Gemini for policy violations
The AI considers the message context, server rules, and the user's violation history
No message content is permanently stored by automod — only the violation record (category, action taken, timestamp) is saved

7.3 Report AI Processing

When a user report is filed:

Recent messages from the reported user are gathered from the Discord channel
These messages, along with the report reason and user's violation history, are sent to Google Gemini for analysis
The AI provides a severity assessment and recommended action
The analysis summary is logged to the server's report channel

7.4 AI Limitations

NoxBot's AI may occasionally produce inaccurate, incomplete, or inappropriate responses
AI-generated moderation recommendations are advisory — server staff retain final decision-making authority
Memory extraction is probabilistic and may occasionally record inaccurate information
Users can request deletion of any memories the AI has stored about them (see Section 8.3)

8. Your Rights

8.1 Rights Under GDPR (EU/EEA/UK Users)

If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights:

Right	Description	How to Exercise
Right of Access	Request a copy of all personal data we hold about you	Contact us (see Section 17)
Right to Rectification	Request correction of inaccurate personal data	Contact us (see Section 17)
Right to Erasure	Request deletion of your personal data ("right to be forgotten")	Contact us (see Section 17)
Right to Restrict Processing	Request limitation of data processing	Contact us (see Section 17)
Right to Data Portability	Receive your data in a machine-readable format	Contact us (see Section 17)
Right to Object	Object to processing based on legitimate interest	Contact us (see Section 17)
Right to Withdraw Consent	Withdraw consent at any time where processing is consent-based	Contact us (see Section 17)
Right to Lodge a Complaint	File a complaint with your local Data Protection Authority	See your country's DPA website

Response Time: We will respond to all data rights requests within 30 days of receipt.

8.2 Rights Under CCPA/CPRA (California Users)

California residents have the following additional rights:

Right to Know: What personal information is collected, used, and shared
Right to Delete: Request deletion of personal information
Right to Opt-Out of Sale: We do NOT sell personal information — this right is automatically respected
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
Right Regarding Automated Decision-Making: Right to opt out of automated decision-making technology used for significant decisions

8.3 How to Exercise Your Rights

You can exercise your data rights by:

Discord Support Server: Contact us in our support server (https://discord.gg/8GT69je84T)
Email: Send a request to helpdeskprojectx1@gmail.com
Server Administrators: Can clear user warnings via /warns clear @user

Per Discord Developer ToS Section 5(b), when a user requests data deletion, we will promptly delete the applicable API Data. We may need to verify your identity (Discord User ID) before processing requests.

9. Discord Compliance

9.1 Discord Terms of Service (effective September 29, 2025)

Requirement	Our Compliance
Users must be at least 13 years old (Section 2)	✅ We do not knowingly collect data from users under 13
Third-party services must follow Discord's Terms (Section 6)	✅ NoxBot complies with all Discord Terms, Community Guidelines, Developer ToS, and Developer Policy
No scraping without written consent (Section 9)	✅ NoxBot only accesses data through official Discord APIs
No commercializing content/data obtained from Discord (Section 9)	✅ We do not sell, license, or commercialize any data

9.2 Discord Developer Terms of Service (effective July 8, 2024)

Requirement	Our Compliance
Provide a privacy policy (Section 5a)	✅ This document serves as our privacy policy
Comply with global privacy laws (Section 5a)	✅ We address GDPR, CCPA/CPRA, and COPPA requirements
Only use API Data for stated functionality (Section 5b, Policy 15)	✅ All data is used solely for bot features described herein
Delete data when no longer necessary or on user request (Section 5b)	✅ We implement auto-deletion (TTL) and honor deletion requests
Encrypt data at rest (Section 5c)	✅ All storage providers encrypt data at rest
No sharing API Data with ad networks or data brokers (Policy 17)	✅ We never share data with advertisers or data brokers
No selling, licensing, or commercializing API Data (Policy 18)	✅ We never sell or commercialize user data
No using message content to train ML/AI models (Policy 21)	✅ We do NOT train any models — Gemini API is used for inference only
No collecting data from users under 13 (Policy 16)	✅ We rely on Discord's own age gate (min age 13)
No collecting sensitive data (Policy 16)	✅ We do not collect health, financial, or other sensitive information
No profiling users or their relationships (Policy 16)	✅ Memories are for personalization, not profiling or marketing
Report security incidents promptly (Section 5a)	✅ We will notify Discord and users of any data breach
Delete all API Data upon termination (Section 9b)	✅ Upon discontinuation, all cached/stored data will be deleted
No targeted advertising (Policy)	✅ NoxBot does not serve advertisements
No contacting users outside Discord with API Data (Policy)	✅ We never contact users outside of Discord

10. Google Gemini API Compliance

Per the Gemini API Additional Terms of Service (effective December 18, 2025):

Requirement	Our Compliance
Age requirement: 18+ for API developers	✅ Bot developer is 18+
API Clients must not be directed to users under 18	⚠️ Discord requires minimum age 13; NoxBot is a general-purpose server bot, not directed at minors specifically
Comply with Prohibited Use Policy	✅ NoxBot does not generate illegal content, CSAM, or harmful content
Do not misrepresent AI as human	✅ NoxBot is clearly identified as a bot in Discord
Do not reverse-engineer or extract model data	✅ We only use the API as intended
Available regions only	✅ Bot operates only in available regions
EU/EEA/UK: Must use Paid Services	✅ EU/EEA/UK users' data is processed under Paid Service terms per Gemini API Terms

11. Children's Privacy (COPPA Compliance)

NoxBot is not directed at children under the age of 13.

Discord's own Terms of Service (Section 2) require users to be at least 13 years old
We do not knowingly collect personal information from children under 13 (per Discord Developer Policy Section 16)
If we become aware that we have collected data from a child under 13, we will take immediate steps to delete that information
Under the updated COPPA Rule (effective June 23, 2025), we do NOT use children's data for AI training, behavioral advertising, or profiling
Server administrators are responsible for ensuring their Discord server complies with age-appropriate content guidelines

Note regarding Gemini API Age Requirement: The Gemini API Terms require that API Clients are not directed towards individuals under 18. NoxBot is a general-purpose Discord bot not specifically directed at any age group. We rely on Discord's own age verification (minimum age 13) and recommend server administrators configure appropriate content settings.

If you believe a child under 13 has provided personal information to NoxBot, please contact us immediately.

12. International Data Transfers

NoxBot's infrastructure may process data in regions outside your country of residence:

Service	Potential Data Location
Google Firestore	Google Cloud regions (US, EU, or as configured)
Qdrant Cloud	Cloud provider regions (configurable)
Redis Provider	Cloud provider regions (configurable)
Google Gemini API	Google's processing infrastructure (may be stored transiently in any country where Google maintains facilities, per Gemini API Terms)
Google Search API	Google's processing infrastructure
WeatherAPI	WeatherAPI.com servers

For EU/EEA/UK Users: Where data is transferred outside the EU/EEA, we rely on:

Google: Standard Contractual Clauses (SCCs), Data Processing Addendum, and Google Controller-Controller Data Protection Terms
Qdrant/Redis Providers: Standard Contractual Clauses or adequacy decisions where applicable
Per Discord Developer ToS Section 11, we ensure all international data transfers comply with applicable laws

13. Data Breach Notification

In the event of a personal data breach:

Discord Notification: We will promptly notify Discord and provide requested information regarding any unauthorized access or use of API Data (per Discord Developer ToS Section 5(a))
EU/EEA/UK Users: We will notify the relevant Data Protection Authority within 72 hours of becoming aware of the breach (GDPR Article 33). If the breach poses high risk to your rights, we will also notify affected users (GDPR Article 34)
California Users: We will notify affected users in accordance with California Civil Code § 1798.82
All Users: We will post a notice in our support server and take immediate steps to mitigate the breach

14. Changes to This Policy

When we update this Privacy Policy:

The "Last Updated" date at the top will be revised
Material changes will be announced in our Discord support server
Continued use of NoxBot after changes constitutes acceptance of the updated policy
For significant changes affecting how we process your data, we will provide at least 30 days' notice

15. Legal Basis for Processing (GDPR)

For users in the EU/EEA/UK, we process personal data under the following legal bases:

Processing Activity	Legal Basis	GDPR Article
AI chat responses	Legitimate Interest	Art. 6(1)(f)
Memory extraction & storage	Consent (implied by using AI features)	Art. 6(1)(a)
Automod content analysis	Legitimate Interest (server safety)	Art. 6(1)(f)
Report processing	Legitimate Interest (community protection)	Art. 6(1)(f)
Ticket system	Contract Performance	Art. 6(1)(b)
Analytics (aggregated)	Legitimate Interest (service improvement)	Art. 6(1)(f)
Payment processing	Contract Performance	Art. 6(1)(b)
Warning system	Legitimate Interest (server safety)	Art. 6(1)(f)

Legitimate Interest Assessment: We have conducted a balancing test for each legitimate interest activity and determined the processing is necessary and does not override user rights, given data minimization, user awareness of bot presence, proportionate retention with auto-deletion, and opt-out availability.

16. Cookies & Tracking

NoxBot is a Discord bot and does not use cookies or web tracking technologies. The NoxBot website (if applicable) has its own separate cookie/privacy policy.

17. Contact Us

For any privacy-related questions, data access requests, or concerns:

Method	Details
Email	helpdeskprojectx1@gmail.com
Discord	https://discord.gg/8GT69je84T
Website	https://noxbot.tech

For EU/EEA/UK users wishing to lodge a complaint, you may also contact your local Data Protection Authority (DPA).

18. Summary — What We Store, What We Use, What AI Processes

What We Store

Category	Specific Data	Where	How Long
Guild Config	Moderation settings, channels, staff roles, wordlists, AI rulebook, ticket config, subscription tier	Firestore	Until bot removal
Chat History	Recent messages (role, content, author, timestamp)	Redis	24 hours
User Memories	AI-extracted facts (interests, preferences, profile)	Qdrant	Permanent / on request
Server Memories	AI-extracted facts about the community	Qdrant	90–180 days or permanent
Tickets	Ticket content, user ID, status, timestamps	Firestore	30 days post-closure
Warnings	Warning reason, source, timestamp, issuer	Firestore	Until cleared
Analytics	Aggregated counts per guild	Firestore	Daily/Monthly rolls
Payments	Transaction records	Firestore	As required by law

What We Use It For

Data	Used For
Discord User ID	Identify users, associate memories, track warnings
Message Content	Generate AI responses, moderate content, extract memories
Chat History	Provide conversational context to AI
User Memories	Personalize AI responses across sessions
Server Memories	Maintain community context for moderation and chat
Guild Config	Apply server-specific bot settings
Analytics	Monitor usage, enforce tier limits, bot performance

What AI (Google Gemini) Processes

Data Sent to AI	Purpose	Retained by Google?
User message text	Generate contextual response	Paid: logged briefly for abuse detection only
Chat history (up to 50 msgs)	Conversation context	Paid: logged briefly for abuse detection only
User/server memories	Personalization context	Paid: logged briefly for abuse detection only
System instructions	Bot personality / behavior	Paid: logged briefly for abuse detection only
Reported user messages	Moderation analysis	Paid: logged briefly for abuse detection only
Channel messages	Automod content analysis	Paid: logged briefly for abuse detection only
Announcement content	Relevance scoring	Paid: logged briefly for abuse detection only
Conversation extracts	Memory fact extraction	Paid: logged briefly for abuse detection only

Under Google's paid API terms: Your data is NOT used to train Google's AI models. It is NOT reviewed by human annotators. It is logged for a limited period solely for detecting violations of Google's Prohibited Use Policy. For EU/EEA/UK users, these paid terms apply regardless of the tier being used.