Privacy Policy
This Privacy Policy explains how SIVARO processes personal data when you use the SIVARO Discord bot and the related website.
1. Controller (Art. 4(7) GDPR)
Sebastian Witte
Marktstraße 38
63924 Kleinheubach
Germany
Email: contact@sivaro.studio
2. Scope of this policy
This policy applies to:
- the SIVARO Discord bot (commands, profile setup, matchmaking interactions, moderation features)
- the SIVARO web settings page (account-linked profile/preferences editing via secure short-lived tokens)
- operational/admin tooling required to run and secure the service
3. Data categories we process
3.1 Discord account and identity data
- Discord user ID (required to run account-related features)
- Discord display name (for display and usability)
- Discord account creation timestamp (checked during onboarding to enforce the minimum account-age gate)
- Discord locale data where available (for language/UX)
3.2 Profile and preference data you provide
- Display name, age (18+), optional gender, optional bio
- Platforms you play on, play style, online times, traits
- Game preferences and user-added games (from IGDB-based search selection)
- Search filters and matching preferences (e.g., age range, preferred genders, languages, platforms)
3.3 Matchmaking and interaction data
- Likes, skips, matches, reports, and related timestamps
- Daily usage counters for product limits/abuse prevention
3.4 Premium, referral, and anti-abuse data
- Premium status fields (e.g., premium end date, lifetime flag) in our service database
- Discord entitlement identifiers/state required to validate premium access
- Purchase-related reference metadata from Discord where required for entitlement validation, fraud checks, and support handling
- No full payment instrument data (e.g., card number, bank account details) is stored by SIVARO for Discord-native purchases
- Referral relations and reward events (referrer/referred IDs, timestamps, anti-abuse outcomes)
- Ban/moderation records and moderation history for enforcement and security
3.5 Website security/session data
- Short-lived web login tokens for settings access
- Settings session cookie and server-side session state (required for authenticated settings usage)
- CSRF protection tokens/validation data for state-changing requests
- Technical request logs and rate-limit metadata (IP/time/path), where needed for security and troubleshooting
3.6 Uploaded profile image processing
- Uploaded image files (subject to format/size validation), stored for profile display
- Image processing metadata (e.g., conversion/normalization steps, status flags)
3.7 Service analytics and operational metrics
- Aggregated action counters in time buckets (for operations/capacity monitoring)
- No message content is stored in these aggregate metrics
3.8 Guild (server) operational tracking
- Guild ID, guild name, preferred locale, member count snapshots, join/leave timestamps, and join/leave counters
- User-to-guild association data (user ID + guild ID + first/last-seen timestamps + active-state flag) for server-first matching and server-level feature operation
- This data is used for bot operations, support, abuse/security analysis, and aggregated server-level usage insights
- No message content is required or stored for these server-level insights
3.9 Third-party API requests
- Game search requests are sent to IGDB (Twitch) for game metadata lookups
- Discord is used as the platform provider and, for premium purchases, as entitlement/payment provider
4. Purposes and legal bases (Art. 6 GDPR)
- Service operation and core matchmaking functions: Art. 6(1)(b) GDPR (performance of contract / pre-contractual steps)
- Server-first matching and aggregated server-level insights: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR
- Security, moderation, anti-abuse, and fraud prevention: Art. 6(1)(f) GDPR (legitimate interests)
- Technical operation, diagnostics, reliability, and capacity planning: Art. 6(1)(f) GDPR
- Compliance with legal obligations (where applicable): Art. 6(1)(c) GDPR
- Consent-dependent processing (if explicitly required in specific flows): Art. 6(1)(a) GDPR
5. Storage duration
- Profile/preferences and interaction data: generally until account deletion via /delete_me (or manual deletion request)
- Settings web tokens/sessions: short-lived by design (currently around 10 minutes) and automatically expired/cleaned
- Premium entitlement and payment-reference metadata: retained as long as needed to provide premium access, prevent fraud/abuse, resolve support cases, and satisfy applicable legal retention duties
- Reports/moderation/audit: retained as long as required for moderation, abuse prevention, and legal defense
- Referral and anti-abuse records: may be retained after profile deletion where required to prevent fraud/circumvention and enforce reward limits
- Ban records: may be retained after profile deletion to enforce bans and prevent ban evasion
- Aggregated metrics: retained as non-content operational counters
- Guild operational and user-guild association data: retained for bot operations, server-first matching, analytics, and abuse/security review unless deletion is required by law
6. Recipients / processors
We do not sell personal data. Data is processed only where needed to provide and secure the service.
- Hosting provider: STRATO AG (Germany) – server location: Germany
- Discord: platform provider; may process data under its own responsibility; for Discord-native premium purchases, Discord handles checkout/payment processing and refund workflows under Discord terms
- IGDB (Twitch): game metadata provider for game search
Please also review third-party privacy notices, especially Discord and Twitch/IGDB.
7. International transfers
If third-party providers process data outside the EU/EEA, transfers may occur under applicable safeguards (e.g., adequacy decisions or standard contractual clauses), depending on provider setup.
8. Your rights
You have rights under GDPR, including:
- Access to your personal data (Art. 15 GDPR)
- Rectification (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing based on legitimate interests (Art. 21 GDPR)
- Withdrawal of consent at any time (Art. 7(3) GDPR), if processing is based on consent
You can delete your profile and most associated user data via /delete_me.
This includes user-guild association data used for server-first operation.
Referral, anti-abuse, moderation, and ban-enforcement records may remain where necessary for legitimate security purposes.
For Discord-native purchases, payment-related customer rights requests (e.g., refund/payment disputes) must be addressed to Discord as checkout/payment provider.
To exercise your rights, contact: contact@sivaro.studio.
9. Right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement.
10. Age restriction
SIVARO is intended for users aged 18 or older. If you believe a minor provided data, please contact us and we will review and delete data where required.
11. Changes to this policy
We may update this policy when service functionality or legal requirements change.
The version and “Last updated” date on this page indicate the currently applicable version.
Version 1.5 · Last updated 2026-02-21