Miyū Privacy Policy

§1. General information and data controller

§1.1. This Privacy Policy describes how personal data is processed in connection with Miyū services: the Miyū Discord bot, https://miyubot.xyz/, the configuration dashboard, Premium, Global Chat, and the Miyū Support Server.
§1.2. The data controller under the GDPR is the Miyū project Operator (the team responsible for developing and operating Miyū).
§1.3. Privacy and data rights contact: https://miyubot.xyz/, a ticket or private message on the Miyū support server. Contact persons: bleckus, milkylena.
§1.4. The Operator does not require data beyond what is necessary to use Discord, the website, or bot features. Voluntary data (e.g. in reports) is provided at the user's own responsibility.
§1.5. Starting to use Miyū services (including sign-in, adding the bot, dashboard, payments, Premium subscriptions, or donations) means automatic acceptance of this Policy and the Terms — without a separate checkbox, unless law requires another form of consent.
§1.6. Continued use after policy updates means acceptance of the new version where no separate consent is required by law.

§2. Scope of services covered

§2.1. This policy covers data processed on the Miyū support Discord server operated by the Operator.
§2.2. It covers data processed by the Miyū bot on user guilds, including settings, moderation logs, statistics, Premium, Global Chat, and related modules.
§2.3. It covers data collected via miyubot.xyz (Discord OAuth login, sessions, payments, catalog, forms).
§2.4. Discord, Stripe, and other providers process data under their own terms — the Operator uses them as technical tools.

§3. Legal bases for processing

§3.1. Contract or pre-contract steps (Art. 6(1)(b) GDPR) — e.g. bot features, Premium, website account.
§3.2. Legitimate interests (Art. 6(1)(f) GDPR) — security, moderation, abuse prevention, service improvement, claims, technical analytics.
§3.3. Legal obligation (Art. 6(1)(c) GDPR) — e.g. tax/accounting, responses to authorities.
§3.4. Consent (Art. 6(1)(a) GDPR) — where explicitly required. Consent may be withdrawn without affecting lawfulness of processing before withdrawal.
§3.5. The Operator may refuse or limit requests that conflict with service security or third-party rights, within the limits of law.

§4. What data is processed

§4.1. Discord identifiers: user ID, guild ID, channel IDs, roles, permissions (as required by the feature).
§4.2. Discord profile data from the API: display name, username, avatar, banner (if available), locale.
§4.3. Service content: messages on channels handled by the bot (commands, Global Chat, logs, tickets, bug reports), attachments sent to the bot or site.
§4.4. Configuration data: module settings, embeds, automation, anti-raid, economy, Premium links, trial history.
§4.5. Technical data: IP address (web logs), browser headers, session/cookie IDs, timestamps, application error logs.
§4.6. Payment and billing data — see §6.
§4.7. The Operator does not intentionally collect special category data under Art. 9 GDPR. If provided by the user, processing is limited to what is necessary to handle the report.

§5. Purposes of processing

§5.1. Providing and maintaining the Miyū bot and web dashboard.
§5.2. Premium, payments, server assignment, and digital benefits.
§5.3. Moderation, security, anti-raid, abuse detection, platform-wide bans.
§5.4. Support tickets, user contact, and incident resolution.
§5.5. Technical analytics, debugging, and product development.
§5.6. Claims, legal defence, and cooperation with authorities where required.

§6. Payments, subscriptions and billing data

§6.1. Starting a payment (Stripe Checkout, Customer Portal, donation, server/account Premium) means consent to process data necessary for the transaction, including Stripe identifiers, payment status, amounts, currency, dates, customer/subscription IDs, and linkage to the Discord account.
§6.2. Full card details are processed only by Stripe as an independent payment provider/controller — the Operator does not store them.
§6.3. Payment data is processed to perform the Premium contract, billing, subscription handling, legally required refunds, fraud and chargeback prevention, debt recovery, and defence of the Operator's claims.
§6.4. The Operator may retain transaction history and account/guild linkage for tax/accounting periods and longer if needed to defend against claims or payment abuse.
§6.5. Erasure requests do not cover data whose retention is required by law or the Operator's legitimate interests (e.g. proof of payment, preventing repeat abuse).
§6.6. In case of chargeback, fraud, or Terms violations, the Operator may share necessary data with Stripe and authorities.
§6.7. Contractual payment and Premium rules are in Terms §8: https://miyubot.xyz/en/terms

§7. Retention periods

§7.1. Data is kept only as long as needed for the purposes in §5 and §6, unless a longer period is required by law.
§7.2. Technical logs may be deleted automatically after a set period (e.g. 30–90 days) unless needed for abuse investigation.
§7.3. Guild configuration may remain until the bot is removed or deletion is requested; minimal audit logs may be retained.
§7.4. After Premium ends, billing data is retained as described in §6.4.

§8. Recipients and processors

§8.1. Discord Inc. — communication platform.
§8.2. Stripe — online payments (subscriptions, donations); see §6.
§8.3. Hosting/infrastructure provider (database, files, backups) — in the EU or with appropriate transfer safeguards.
§8.4. Personal data is not sold. Sharing occurs only for the purposes in §5, §6, or when required by law.
§8.5. Transfers outside the EEA only with GDPR safeguards (e.g. standard contractual clauses).

§9. Who has access to data

§9.1. Authorised Operator team members (administration, guardians, support) — only as needed for their role.
§9.2. Discord — under Discord's policy and user permissions on the platform.
§9.3. Stripe — for payment processing (§6).
§9.4. Third parties do not have access unless the user publishes data themselves or law requires disclosure.

§10. Your rights (GDPR)

§10.1. Rights of access, rectification, erasure, restriction, portability, and objection — within Arts. 15–21 GDPR.
§10.2. Right to lodge a complaint with your supervisory authority (in Poland: UODO).
§10.3. Submit requests via §1.3 (bleckus, milkylena). The Operator responds within 30 days (extendable for complex cases).
§10.4. The Operator may refuse erasure or limit requests when data is needed for claims, abuse investigation, Premium contract performance, payment records (§6), or legal obligations.
§10.5. Deleting your Discord account or leaving a server does not automatically erase all Operator database records — a separate request may be required where permitted by law.

§11. Cookies and similar technologies

§11.1. miyubot.xyz may use essential cookies for login (Discord OAuth session), security (CSRF), and language preference.
§11.2. Analytics/marketing cookies — only if implemented; the site will be updated accordingly.
§11.3. You may restrict cookies in your browser; this may prevent use of the dashboard.

§12. Data security

§12.1. The Operator applies organisational and technical measures appropriate to the scale of the service (access control, HTTPS, backups).
§12.2. The bot and site do not store Discord passwords or full card details.
§12.3. No system is 100% secure — use of the service is at the user's risk within the limits allowed by law.
§12.4. In case of a personal data breach, the Operator will take remedial action and notify authorities/users when required.

§13. Minors

§13.1. Miyū is intended for users who meet Discord's minimum age in their country.
§13.2. The Operator does not knowingly process data of children below the required age; such data may be deleted if discovered.

§14. Policy changes

§14.1. This policy may be updated; the last update date is shown on the site.
§14.2. Material changes may be announced on the support server or homepage.
§14.3. Continued use (including payments) after publication means automatic acceptance where law does not require another form of consent.

§15. Contact

§15.1. Privacy and GDPR requests: https://miyubot.xyz/ or the Miyū support server — bleckus, milkylena.
§15.2. Terms and Premium: https://miyubot.xyz/en/terms
§15.3. The Operator aims to respond within a reasonable time; abuse/security reports take priority.