Best Disc

Privacy Policy

Last updated: 2026-05-19

This Privacy Policy describes what data Best Disc collects, why we collect it, how it's used, who it's shared with, and the rights you have over it. We try to keep this short and concrete.

1. What we collect

  • Account data via Discord OAuth: your Discord user ID, username, avatar, and email address (from Discord). We do not request a token that grants us message-read access.
  • Listings you create: server/bot metadata, descriptions, tags, banners, screenshots.
  • Engagement: votes, bookmarks, reviews, bids, and generator usage you initiate while signed in.
  • Payments: when you subscribe or win an auction, Stripe collects your card details on our behalf. We store only the Stripe customer/subscription IDs and the card's last four digits and brand.
  • Operational data: IP address, user agent, request identifiers, and timestamps for security and abuse-prevention purposes. These are retained in logs for up to 90 days.

2. Why we use it (lawful basis)

  • Contract (operating your account, your listings, your paid features): Article 6(1)(b) GDPR.
  • Legitimate interest (security logs, fraud prevention, aggregate analytics via Plausible): Article 6(1)(f).
  • Consent (PostHog product analytics, AdSense advertising, newsletter): Article 6(1)(a). You can withdraw at any time via the cookie preferences in our footer.
  • Legal obligation (responding to lawful requests, tax/payment records): Article 6(1)(c).

3. Who we share with

  • Stripe, payment processing.
  • Resend, transactional email.
  • Cloudflare R2, hosting your uploads.
  • Sentry, error monitoring (only allowlisted fields are sent; PII is excluded from error payloads).
  • PostHog, product analytics (consent-gated).
  • Google AdSense, advertising (consent-gated).
  • Plausible Analytics, cookieless aggregate analytics.

We do not sell personal data. We do not share it for cross-context behavioral advertising outside what AdSense does when you have consented.

4. International transfers

Some processors are based in the United States. Where required we rely on the EU–US Data Privacy Framework, Standard Contractual Clauses, or equivalent safeguards.

5. Retention

  • Account data: until you delete your account.
  • Listings: until you remove them or your account is closed.
  • Payment records: as required by law (typically 7 years).
  • Operational logs: up to 90 days.
  • Aggregate analytics: indefinitely (non-identifying).

6. Your rights

If you are in the EEA, UK, California, or a jurisdiction with similar law, you have the right to access, correct, delete, restrict, or port your data, and to object to processing. Exercise these rights from your dashboard (account settings → privacy) or by emailing privacy@bestdisc.org. We respond within 30 days.

7. Children

Best Disc is not directed at children under 13 (or under the age of digital consent in your jurisdiction). If you believe a child has created an account, contact privacy@bestdisc.org and we will delete it.

8. Security

We use TLS for data in transit, salted and hashed credentials where applicable, OAuth tokens encrypted at rest, and OWASP-aligned mitigations across the stack. No system is perfectly secure; report vulnerabilities to security@bestdisc.org.

9. Cookies

See the Cookie Policy for the categories of cookies we set, how to manage them, and how consent flows.

10. Changes

We will notify you of material changes via email or in-app notice at least 14 days before they take effect.

11. Contact

Data controller: privacy@bestdisc.org.

Note: This document is operational policy for the MVP and is pending review by counsel. It does not constitute legal advice.
