Privacy Policy for ExivaBOT

Last updated: January 8, 2026

This Privacy Policy explains how ExivaBOT ("we", "us", "our") collects, uses, and protects your data. We comply with the EU General Data Protection Regulation (GDPR).

1. Data Controller

ExivaBOT (sole proprietorship)

2. Data We Collect

We collect the following data exclusively through Discord OAuth:

2.1. User Account Data

  • Discord User ID
  • Discord username and avatar
  • Discord account email
  • List of Discord guilds you belong to (to determine where the bot can be installed)
  • For guilds where ExivaBOT is installed:
    • Guild channels
    • Guild members list

2.2. Payment Data

  • Tibia character name of the sender
  • Timestamp of the payment
  • Amount of Tibia Coins (TC)

Payment logs are kept for 5 years from the end of the fiscal year in which the transaction occurred, as required by Polish tax law.

2.3. Usage Analytics

We use our own first-party analytics system hosted on our servers. This includes:

  • page views and navigation within the web app,
  • button clicks and form submissions,
  • feature usage patterns.

Our analytics are privacy-focused: we do not use third-party tracking services, do not set tracking cookies, and do not share analytics data with external parties. Analytics data is linked to your authenticated session only.

3. How We Use Your Data

Your data is used to:

  • authenticate you through Discord OAuth,
  • display your Discord servers, channels, and members (only for guilds with the bot installed),
  • provide ExivaBOT features,
  • verify and match your Tibia Coin payments,
  • provide premium access,
  • store payment logs for tax and legal reasons,
  • analyze usage to improve the Service.

4. Legal Basis for Processing

We process your data under:

  • Art. 6(1)(b) GDPR – to provide the Service (authentication, features),
  • Art. 6(1)(c) GDPR – to meet legal and tax obligations (payment logs),
  • Art. 6(1)(f) GDPR – our legitimate interest in understanding how users interact with the Service to improve it (first-party analytics).

5. Data Sharing

We share data only with:

5.1. Discord

Required for authentication and displaying guild data.

5.2. Hosting Provider

  • DigitalOcean (Germany datacenter) – acts as a data processor under a Data Processing Agreement (DPA).

5.3. No Other Sharing

We do not:

  • sell data,
  • share data with advertisers,
  • allow third parties access except those listed above.

6. International Transfers

Data may be transferred outside the EU/EEA by Discord. Discord uses Standard Contractual Clauses (SCCs) or equivalent safeguards to ensure GDPR compliance. Our own servers and analytics are hosted within the EU (Germany).

7. Data Retention

  • User account data: kept until you delete your account.
  • Payment logs: kept for 5 years from the end of the fiscal year in which the transaction occurred, as required by Polish tax law.
  • Analytics data: kept until you delete your account.

8. Security

We use:

  • HTTPS encryption,
  • industry-standard security measures,
  • access control and authentication,
  • regular security audits.

While we implement strong security measures, no system is completely secure. We cannot guarantee absolute security.

9. Children

The Service is intended for users aged 13+ (aligned with Discord's policy).

We do not knowingly collect data from children under 13. If you believe we have collected such data, contact us immediately.

10. Data Subject Rights

You have the following rights under GDPR:

  • Right of access – request a copy of your data
  • Right to rectification – correct inaccurate data
  • Right to erasure – delete your data (except payment logs during retention period)
  • Right to restrict processing – limit how we use your data
  • Right to object – object to analytics or other processing
  • Right to data portability – receive your data in machine-readable format
  • Right to withdraw consent – withdraw consent at any time (where processing is based on consent)
  • Right to lodge a complaint – file a complaint with a Supervisory Authority (in Poland: UODO - uodo.gov.pl)

11. Right to Object (Analytics)

You may object to analytics processing at any time by contacting us at the email below. We will then stop collecting analytics data for your account.

This does not affect:

  • authentication,
  • core features,
  • payment processing,
  • legal obligations.

12. Requests for Data and Deletion

You can request:

  • deletion of your account data,
  • a copy of all collected data (data portability).

What happens when you request deletion:

  • We will delete or anonymize all personal data (Discord ID, username, email, usage data),
  • Except: payment logs, which will be retained for 5 years as required by Polish tax law,
  • Payment logs will be anonymized after the retention period expires.

Send requests to:
office@nerdslabs.co

We will respond within 30 days as required by GDPR.

13. Changes to This Policy

Updates will be posted with a new "Last updated" date.

For material changes, we will notify you via Discord or email at least 7 days in advance.

Continued use of the Service after changes constitutes acceptance of the updated Privacy Policy.

14. Contact

For privacy matters contact:
office@nerdslabs.co

15. Cookies and Tracking Technologies

15.1. What Cookies We Use

Essential Cookies only:

  • Session/authentication cookies: to keep you logged in via Discord OAuth

We do not use any third-party tracking cookies or analytics cookies. Our first-party analytics system does not rely on cookies – it uses your authenticated session to associate usage data with your account.

15.2. No Cookie Consent Banner Required

Because we only use strictly necessary cookies for authentication (which are exempt under GDPR and ePrivacy Directive), we do not display a cookie consent banner.

15.3. Third-Party Cookies

We do not use any third-party analytics or tracking services. No third-party cookies are set by ExivaBOT.

16. Automated Messages and Notifications

ExivaBOT may send you automated messages via Discord, including:

  • payment confirmations,
  • premium access expiration reminders,
  • boss hunt notifications,
  • system announcements.

These messages are part of the core Service and do not require separate consent beyond using the Service.

You can disable non-essential notifications in your ExivaBOT settings.

17. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms:

  • We will notify the Polish supervisory authority (UODO) within 72 hours of becoming aware of the breach,
  • We will notify affected users without undue delay via Discord DM and/or email,
  • The notification will include:
    • nature of the breach,
    • likely consequences,
    • measures taken to mitigate risks,
    • contact point for further information.

If you suspect unauthorized access to your data, contact us immediately at:
office@nerdslabs.co