Privacy Policy

Last updated: April 7, 2026

Plain-language summary: Xattix uses Discord data only to protect servers from impersonation and scam behavior.

1. What We Do

Xattix is a Discord bot that protects servers from impersonation attacks. We detect users who copy staff names, profile pictures, and bios to scam your members.

Export or delete data

  • Use /privacy export for a JSON copy of your stored data.
  • Use /privacy delete to queue deletion where legally permitted.
  • Email support@xattix.com if Discord access is unavailable.

Security practices

  • Security events and audit records are retained only where needed for protection and compliance.
  • Payment data is handled by Stripe, not stored by Xattix.
  • Vulnerability reports can be sent to the contact in security.txt.

2. Data We Collect

We only collect data necessary to provide our security service:

| Data | Purpose | Database Table |
|---|---|---|
| Discord User IDs | Identify users for blacklist lookups | scammer_blacklist, whitelist |
| Usernames & display names | Impersonation name matching | scammer_blacklist |
| Avatar perceptual hashes | Detect stolen profile pictures (images not stored) | avatar_cache |
| Bio text | Detect copied bios | bio_cache |
| Consent records | Track DM opt-in status | consent_records |
| OAuth2 Tokens (Optional) | Manage Global Consent via Linked Roles | oauth_tokens |
| Guild settings | Server configuration | guild_settings |
| Alert history | Admin review of impersonation alerts | alert_history |
| Subscription data | Billing management (Stripe customer ID, plan status) | subscriptions |
| Roleless warnings | Track members warned before roleless cleanup | roleless_warnings |
| Join audit log | Portal join verification history | join_audit_log |
| Portal lockouts | Rate-limit failed portal verification attempts | portal_lockouts |
| Access codes | One-time codes for Identity-Bound Join Portal | access_codes |

3. What We Don't Collect

4. Third-Party Services

The table below lists external third-party vendors whose services we integrate with. Self-hosted infrastructure (such as our analytics tool) is not a third party and is documented in the Website Analytics subsection below.

| Service | Purpose | Privacy Policy |
|---|---|---|
| Discord API | Bot functionality | discord.com/privacy |
| Stripe | Payment processing | stripe.com/privacy |

We never sell, trade, or share your data with advertisers or data brokers.

Website Analytics

This website uses Umami Analytics, a privacy-first, open-source analytics tool that we self-host on our own infrastructure. Umami does not use cookies and does not track users across sites. We use it only for aggregate website statistics such as page views, referrer, and country. For country-level statistics, the visitor IP address may be processed transiently to derive coarse geolocation, but we do not store the IP address as part of our analytics data. We do not use Umami analytics to identify individual visitors, and all analytics data stays on our servers and is never shared with third parties. You can review Umami’s data practices at umami.is/privacy. Standard browser privacy extensions (e.g. uBlock Origin) will block this script if you prefer no analytics at all.

5. Direct Messages (DMs)

Xattix uses a strict opt-in consent model:

6. Data Retention

| Data Type | Retention |
|---|---|
| Guild settings & consent | Deleted when bot is removed from server |
| Resolved alerts | Auto-deleted after 90 days |
| Avatar & bio caches | Refreshed periodically |
| Global blacklist | Retained for cross-server security (legitimate interest) |
| Payment records | As required by Stripe and applicable law |
| Roleless warnings & join audit log | Deleted when bot is removed from server |
| Portal lockouts & access codes | Deleted when bot is removed from server |

7. When Bot is Removed

We immediately delete all server-specific data: settings, roles, whitelist, alerts, consent records, and local blacklist. The global blacklist is retained to protect other communities.

8. Your Rights

Data deletion: Use the /privacy delete slash command to instantly queue your data for deletion across all tables, or email support@xattix.com.

Data export: Use the /privacy export command to instantly generate a JSON copy of all data tied to your Discord ID, or email us.

Consent revocation: Use the bot's consent button, remove the authorized app in your Discord User Settings, or email us.

9. Children's Privacy

We do not knowingly collect data from users under 13. Discord requires all users to be at least 13.

10. Changes

Updates will be posted here with an updated date.

11. Contact

support@xattix.com