1. Who are we?
SlakBot is a free Discord bot developed and operated by Luca as a private individual (Netherlands). This policy covers the SlakBot Discord bot and the website at slakbot.nl.
Under GDPR I am the data controller. SlakBot is not a legal entity β it's a hobby project of a private individual.
Contact for privacy requests (in order of preference):
- π§ Email:
privacy@slakbot.nl(formal channel, response within 30 days) - π¬ Discord:
discord.gg/d9cpruNpyX(faster, no guarantee during holidays)
2. What data do we collect?
2.1 Discord user data
When you use SlakBot in a server or log in to the web panel, we store:
- Discord user ID (numeric ID, no email or password)
- Username (to display in mod log, leveling, tickets, etc.)
- Avatar URL (for display in the web panel)
- Server IDs where you are an admin (for proper access)
2.2 Server-specific data
Per Discord server we store:
- Server ID and name
- Configuration settings (channel IDs, role IDs, embed colors, templates)
- Moderation history (warns, kicks, bans, mutes β including moderator + user)
- Leveling data (XP per user per server)
- Economy data (balance, daily streak)
- Tickets and suggestions
- Custom commands
- Stream goal progress (aggregate) β and, if the optional Twitch link is used, watch time, chat activity and redemptions per linked viewer (see Β§2.7)
2.3 Security data (anti-scam)
For anti-scam protection we store:
- Hashes (SHA-256) of analysed images β to detect the same scam image without re-scanning
- Scam attempts (user, type, timestamp) for mod-log purposes
Important: OCR scanning runs 100% locally on our server via Tesseract.js. Images are never sent to Google, OpenAI or any other external AI service. We only store a hash, not a copy of the image.
2.4 Web panel data
- Login history (user, IP address, browser, timestamp) β for security monitoring
- Session cookies (to keep you logged in)
We use no tracking cookies, no Google Analytics, no ad networks and no third-party trackers.
2.5 Website analytics (cookieless)
To see which pages are visited, we count anonymous page views first-party on our own server β no Google Analytics, no external trackers. We only record the page name and (if you arrive from another website) the referring domain. We use no cookies for this, store no IP addresses, and respect Do Not Track. There is no way to identify you as a person.
When you click one of our /go/ marketing links we store a one-way hash
of IP+browser (no readable IP address) β solely to count clicks and prevent double counting.
2.6 What we do NOT store
- β Content of private messages (DMs)
- β Messages in channels where the bot isn't active
- β Passwords (we use Discord OAuth β we never see your password)
- β Email addresses
- β Phone numbers
- β Payment card or bank details β the bot is free; billing for the paid Custom Bot service happens outside the bot. Note: with donation integrations (StreamElements/Streamlabs) we do process the donor name and amount as supplied by that service
2.7 Twitch link & chatbot data (optional)
Servers can link SlakBot to Twitch (sub roles, stream alerts and β in closed beta β the Twitch chatbot). This link is fully optional: if you don't use it, nothing in this section is collected. If you do link, we process:
- Twitch user ID + username, linked to your Discord ID β for coins, roles and perks across both platforms
- Encrypted Twitch OAuth tokens (of the streamer and of the bot account; AES-encrypted) β to read sub status, send chat messages and receive events
- Subscription status (sub tier) β cached and refreshed ~every 15 minutes, for subβrole sync
- Watch time and chat activity β minutes watched and message counts per Twitch account, including viewers who haven't linked yet (so that history can be claimed later); automatically deleted after 12 months
- Bits, sub, gift and raid events β who, how much and when, for alerts and coin rewards
- Redemptions β a log of loyalty-shop purchases and Channel Points redemptions
- Link tokens β the one-time !koppel links are valid for 15 minutes and expire automatically
What we don't do: Twitch chat messages are not stored permanently
(only a short-lived in-memory buffer of at most 5 minutes for moderation tools) and we never see
your Twitch password. You can unlink at any time (!ontkoppel in Twitch chat or
/ontkoppel-twitch in Discord) β this immediately deletes your link and tokens.
The anti-scam promise above (OCR 100% local) is entirely separate from this data flow.
3. Why do we collect this data?
We use your data solely to run the bot:
| Data | Purpose |
|---|---|
| User ID + name | Display in mod log, leaderboards, tickets |
| Server config | Bot knows which channels, roles, templates to use |
| Warnings + mod log | Mods can review history |
| Leveling XP | Calculate levels, show /rank and /top |
| Economy balance | Power /daily, /balance, /shop |
| Login log | Bot owner sees who logs into the panel (security) |
| Image hashes | Anti-scam: scan same image only once |
4. Who do we share data with?
We never share your personal data with third parties for commercial purposes.
| Sub-processor | Purpose | Data sent |
|---|---|---|
| Discord Inc. (US) Privacy | Bot platform β to execute commands and post messages | User ID, server ID, message content (bot responses) |
| EU host | Server hosting β where bot + database runs | All data stored on this EU server (encrypted disk) |
| YouTube/TikTok | Stream alerts | Channel handle you configure (public) |
| Twitch (Amazon, US) | Live alerts, clips and (optional) chatbot & account link β Helix API + EventSub | Without the link: public channel names only. With the optional Twitch link (Β§2.7): Twitch user IDs, subscription status, bits/sub/gift/raid events and messages the bot posts in your Twitch chat. OAuth tokens are stored encrypted; the link can be cancelled per member |
5. Your GDPR rights
Under GDPR you have the right to:
- Access β request a copy of all data we have about you
- Rectification β request correction of incorrect data
- Erasure β request deletion ("right to be forgotten"). This covers your Discord data and, if applicable, your Twitch link, tokens, coins, watch time, redemptions and supporter history
- Portability β receive your data in a machine-readable format
- Object β object to processing
- File a complaint with the Dutch DPA (Autoriteit Persoonsgegevens)
Send requests to privacy@slakbot.nl. Requests are handled manually β you'll get a response within the statutory 30 days (we aim for 14); deletion or export is not instant/self-service.
6. Retention
- Server config + leveling + economy β as long as the bot is in your server + 30 days after removal
- Warns + mod log β as long as the server exists (for mod history)
- Login history (panel) β 12 months, then automatically deleted
- Anti-scam image hashes β indefinite (anonymised, no user link)
- Anti-scam attempts β 6 months, then automatically deleted
- Bot errors + broadcasts β 30 days / 12 months respectively
- TwitchβDiscord link + tokens β until unlinked (tokens deleted immediately) or 30 days after bot removal
- Twitch watch time + chat activity β 12 months, then automatically deleted
- Redemptions (loyalty shop / Channel Points) β as long as the link/server exists + 30 days
- Supporter history (donations: name + total) β as long as the server exists; deleted on request
- Link tokens (!koppel links) β 15 minutes, single-use
- Coins / economy balance β until an economy reset by the server admin, or until deletion
Server admins can reset the economy (coins and watch time) at any time or on a schedule. Earned coins are not guaranteed and have no monetary value β see the terms.
7. Security
- EU VPS with encrypted disk
- HTTPS everywhere (TLS 1.3)
- Discord OAuth β we never see your password
- All integration tokens β StreamElements/Streamlabs and Twitch OAuth tokens (streamer + bot account) β are stored AES-encrypted; without the encryption key the system refuses to run
- Regular backups (encrypted)
- Security disclosure:
security@slakbot.nl/ security.txt
8. Children
SlakBot is intended for users aged 16 and over. Under the Dutch implementation of the GDPR (art. 8), children under 16 need parental consent for processing of their data β Discord's own ToS requires 13+, but for our EU processing we apply the stricter GDPR threshold. We don't knowingly process data from children below that age. Found a child using our service? Email privacy@slakbot.nl and we'll delete.
SlakBot includes games using a virtual, non-redeemable currency (e.g. /gamble, /blackjack and, in Twitch chat, !roulette/!duel). These are entertainment only: there is no real stake and no cash prize, so they don't qualify as gambling under Dutch law β but we advise server admins to disable these games for young audiences. See the terms.
9. Changes to this policy
If we change this policy materially, we'll announce it in our Discord support server and via this page (with a new version number at the top).
10. Questions
Email privacy@slakbot.nl or Join de support server.