blight

blight·© 2026


Privacy Policy

Updated 2026-05-12 · 9 sections

1

Controller (Art. 4(7) GDPR)

blight provides Discord account linking via Clerk, persistent authenticated sessions, optional passkey re-authentication, and a dashboard for configuring Discord server automations. This policy describes what personal data is processed in connection with that service and on what legal basis.

For access, deletion, or other data-subject requests, contact us through the public repository at github.com/Bluejutzu/site until a dedicated contact channel is published. A formal controller entity will be named here as soon as the operator structure is finalised.

2

Data we process

The categories below correspond to fields actually written to our database, cache, or identity provider. We do not collect data we don't use.

  • Discord profile. Your Discord user ID, your global display name, and your avatar. We request the identify, guilds, and email OAuth scopes; email is used only during the OAuth handshake and is not stored by us. Your Discord profile is held in both Clerk (identity provider) and our Convex database.
  • Discord OAuth tokens. The access_token returned by Discord is held by Clerk and fetched on demand by our API to enumerate the guilds you administer. We do not persist raw OAuth tokens in our own database.
  • Clerk session data. Authentication is managed by Clerk. Clerk issues a signed session JWT stored as an HTTP-only cookie. That cookie is marked Secure in production and uses SameSite=None so the dashboard subdomain can read it. Session lifetime, device management, and passkey credentials are handled by Clerk; you can manage them from the Account page.
  • Passkey credentials (only if you register one). Passkey management (credential IDs, public keys, device labels) is handled entirely by Clerk. We never receive your private key.
  • Guild metadata. For guilds you administer: Discord guild ID, name, icon hash, and whether our bot is present. Fetched from the Discord API on your behalf and cached transiently in Upstash Redis (see retention).
  • Automation configurations. The triggers and action sequences you create in the dashboard, stored per Discord guild, not per user. The list of Discord IDs that have edited a guild's configuration is recorded so co-administrators can see who set up what.
  • Operational data. Structured request logs (timestamp, log level, request context). Whether your Discord ID appears in these logs depends on your privacy preference; see the “Operational log consent” section below.
  • Privacy preference. Your choice on whether to include your account ID in operational logs is stored in Clerk private metadata and mirrored to our Convex database.
3

Purposes and legal bases (Art. 6 GDPR)

  • Account linking, sessions, passkeys, and dashboard functionality: Art. 6(1)(b) GDPR — performance of a contract.
  • Rate limiting, abuse prevention, and operational logging: Art. 6(1)(f) GDPR — our legitimate interest in keeping the service available and secure. Where your Discord ID would appear in logs, we first seek your consent (see below); when consent is absent the logs contain only a hashed session reference.
  • Inclusion of account ID in operational logs: Art. 6(1)(a) GDPR — consent, freely given and withdrawable at any time from the Privacy Settings page in the dashboard.
4

Operational log consent

Structured request logs are used for debugging and abuse prevention. By default — and when you have not explicitly opted in — your Discord account ID is not included in these logs. A hashed session reference is recorded instead, which cannot be linked back to your identity without access to the session table.

If you choose to opt in, your Discord ID may appear alongside request metadata in logs sent to Axiom (our log processor). This makes it easier for us to investigate issues affecting your account specifically.

You can change this preference at any time from the Privacy Settings page in the dashboard. The setting takes effect on your next request. Withdrawing consent does not erase logs already written; you may request deletion of such logs by contacting us via the repository link above.

5

Sessions and authentication

Authentication is handled by Clerk. When you sign in with Discord, Clerk performs the OAuth handshake, verifies your identity, and issues a signed session JWT stored as an HTTP-only cookie. The cookie lifetime is controlled by Clerk and is typically 30 days for active sessions.

You can view, revoke, and manage all active sessions and registered passkeys from the Account page in the dashboard, which renders Clerk's native account management UI.

Sessions do not make your activity anonymous. All session data is associated with your Discord ID in Clerk and in our backend. Your Discord ID may appear in operational logs if you have opted in (see above); otherwise only a hashed session identifier is logged.

6

Storage periods

  • Clerk session records and cookies: managed by Clerk and subject to Clerk's own retention policy. You can revoke sessions at any time from the Account page.
  • Discord OAuth tokens: held by Clerk; removed when you disconnect Discord from your Clerk account or delete your account.
  • Passkey credentials: managed by Clerk; you can delete them from the Account page at any time.
  • Guild automation data and related server metadata: generally retained for up to 30 days after the bot is removed from that server or the server otherwise becomes inactive, so the setup can be restored if you add the bot back during that window. If there is no renewed use, the server-specific data may be deleted after that period.
  • Cached guild list (Upstash Redis): 10 minutes per cache entry.
  • Records subject to statutory retention duties: if a specific record must be retained to comply with applicable law, we keep only the required subset for the mandatory period instead of the standard deletion period. Under current German commercial and tax rules, that can mean retention periods of 6, 8, or 10 years, depending on the record type.
  • Operational logs: retained according to the retention policy of Axiom, our log processor.
7

Recipients and international transfers

We rely on the following processors. Where personal data leaves the EEA, transfers are covered by an adequacy decision or by Standard Contractual Clauses.

  • Discord (Discord Inc., USA) — OAuth identity provider and Bot API used to enumerate guilds and execute your automations.
  • Clerk (Clerk Inc., USA) — identity and session management, passkey credential storage, and Discord OAuth token custody.
  • Convex (Convex, Inc., USA) — primary application database for users, guild metadata, automations, and privacy preferences.
  • Upstash (Upstash, Inc.) — Redis cache for guild lists, permission checks, and rate-limit counters.
  • Axiom (Axiom Co., UK) — structured logs and OpenTelemetry traces. Active only when an Axiom token is configured for the deployment. Your Discord ID is only present in Axiom logs if you have opted in via the operational log consent setting.
8

Your rights

Under Arts. 15–22 GDPR you may request access, rectification, erasure, restriction, and portability of your personal data, and you may object to processing based on legitimate interests at any time.

The right to erasure is not absolute. If data is no longer needed for the service, we aim to delete it without undue delay, but we may keep data to the extent it is still necessary to comply with a legal obligation or to establish, exercise, or defend legal claims.

You can exercise many of these rights directly from the dashboard: manage active sessions and passkeys via the Account page, remove automation data from guilds you administer, and update your privacy preferences from the Privacy Settings page. To disconnect Discord or delete your Clerk account entirely, use the Account page.

9

Complaint right

You have the right to lodge a complaint with a data protection supervisory authority, including in your EU member state of habitual residence, place of work, or alleged infringement.

Also see our Terms of Service.

blight · blight.run