Privacy Policy

Last Updated: November 14, 2025

Overview

This Privacy Policy describes how ProteX ("the Service", "we", "us") collects, uses, and stores your information when you use our website and services.

Information We Collect

Authentication Data

When you sign in with Discord OAuth, we collect:

  • Discord User ID: Unique identifier assigned by Discord
  • Username: Your Discord username
  • Email Address: Your Discord account email (if provided)
  • Profile Image: Your Discord avatar URL
  • OAuth Tokens: Access and refresh tokens for authentication (stored securely)
  • Guild Membership: List of Discord servers you have "Manage Server" permission in (used for server configuration access)
  • Guild Roles: Your role permissions in Discord servers (used to verify configuration access)

Public Profile Data

Your profile information is publicly visible to all visitors at /users and /users/{userId}:

  • Username: Your display name
  • Profile Image: Your avatar/profile picture
  • Role: Your assigned role (e.g., Administrator, Manager, Partner, User)
  • Badges: Achievement badges earned based on your role and contributions
  • Discord ID: Your Discord account identifier (if connected)
  • Account Creation Date: When you first created your account
  • Social Media Links: Optional links you choose to add (GitHub, Twitter, Bluesky, Email)
  • Activity Statistics: Aggregated data about your reports over the last 30 days
  • Block History: If you have been blocked, details about active and past blocks

Session Data

  • Session Tokens: Unique identifiers for your login sessions
  • Session Expiration: Timestamp for session validity
  • User Agent and IP Address: For security and rate limiting purposes

Block Data

For users added to the block system, we store:

  • Discord User ID: Unique identifier
  • Username: Discord username at time of blocking
  • Reason: Explanation for blocking (if provided)
  • Status: Whether the entry is active or inactive
  • Expiration Date: When temporary blocks expire (if applicable)
  • Timestamps: Creation and update dates for accountability

Report Data

When you submit a report through our website, we collect and store:

  • Reporter Information: Your Discord User ID and username
  • Reported User Information: Target user's Discord User ID and username
  • Report Content: Reason and detailed description
  • Evidence: Links or additional information (optional)
  • Report Status: Current state (pending, denied, or reviewed)
  • Timestamps: Creation and last update dates

Guild (Server) Configuration

For Discord servers configured in our system, we store:

  • Guild ID: Unique Discord server identifier
  • Guild Name: Server name (for display purposes)
  • Guild Icon: Server icon URL
  • Channel IDs: Broadcast and error log channel configurations
  • Action Settings: Configured moderation actions (NONE, KICK, or BAN)
  • Timestamps: Creation and last update dates

User Guild Data

For servers you have "Manage Server" permission in, we store:

  • Guild ID: Unique Discord server identifier
  • Guild Name: Server name at time of data collection
  • Guild Icon: Server icon URL
  • Configuration Status: Whether ProteX is configured for this server
  • Timestamps: When guild data was first collected and last updated

API Key Data

When you create and manage API keys through our dashboard, we collect:

  • API Key: The generated secure key (stored hashed for security)
  • Key Name: Custom name you provide for identification
  • Timestamps: Creation, update, and last used dates
  • Usage Statistics: Request count and rate limit reset timestamps
  • Permissions: Assigned permissions for the API key
  • Suspension Status: Whether the key is suspended or requires force reset
  • Associated User: Linked to your Discord User ID for management

API Activity Logs

When you use API keys, we log:

  • Activity Type: The type of API request made
  • API Key: The key used (stored hashed)
  • Timestamp: When the request was made
  • Metadata: Additional context about the request
  • IP Address and User Agent: For security monitoring

We retain the 100 most recent activity logs per user for security and debugging purposes.

Badge Data

When badges are assigned to your account, we store:

  • Badge Information: Badge name, description, icon, color
  • Assignment Date: When the badge was assigned
  • Display Order: Your custom ordering of badges on your profile
  • Auto-Assignment Rules: Whether badge was auto-assigned based on role

Social Media Links

When you add social media links to your profile, we store:

  • GitHub: Your GitHub username or profile URL
  • Twitter: Your Twitter/X handle
  • Bluesky: Your Bluesky handle
  • Email: Your preferred contact email (if different from Discord email)

These links are displayed publicly on your profile page.

Data Request Records

When you request your personal data export, we store:

  • Request ID: Unique identifier for the request
  • Status: Current state (PENDING, APPROVED, REJECTED, COMPLETED)
  • Request Date: When you submitted the request
  • Approval/Rejection Data: Admin who processed it, their name, timestamp, and reason (if rejected)
  • Completion Date: When the data was successfully exported
  • Expiration Date: When the download link expires (48 hours after approval)

Data Export Tokens

When a data request is approved, we create:

  • Secure Token: Randomly generated 64-character token for download link
  • Expiration Date: 48 hours after token creation
  • Usage Status: Whether the token has been used (one-time use only)
  • Associated Request: Link to the original data request

Email Audit Logs

When administrators send emails through our system, we log:

  • Sender Information: Admin/Manager user ID and name
  • Recipient Type: Whether email was sent to ALL users or SPECIFIC users
  • Recipient IDs: User IDs of specific recipients (if applicable)
  • Recipient Count: Number of emails successfully sent
  • Subject: Email subject line
  • Message: Full email content
  • Timestamp: When the email was sent

How We Use Your Information

Authentication and Account Management

  • Authenticate your identity via Discord OAuth
  • Maintain your login sessions
  • Display your profile information in the dashboard and on your public profile page
  • Associate your actions (reports) with your account
  • Publicly display your profile in the community directory at /users

Public User Profiles

  • Display your profile information publicly to all visitors
  • Show your username, role, badges, Discord ID, and social media links
  • Display your activity statistics and block history on your profile page
  • Enable community members to search for and view user profiles
  • Allow other users to learn more about community members

Block System

  • Track blocked users and their status
  • Maintain historical records for accountability
  • Generate anonymized statistics for transparency
  • Support temporary and permanent restrictions

Report System

  • Process user reports submitted through our website
  • Track report status and resolution (pending, denied, reviewed)
  • Display your submitted reports in your dashboard
  • Enable administrators to review and act on reports
  • Maintain accountability and transparency

Server Management

  • Verify your "Manage Server" permission in Discord servers
  • Allow you to configure ProteX settings for servers you manage
  • Fetch and display available text channels for configuration
  • Store your server-specific moderation preferences
  • Enable or disable ProteX features per server
  • Track which servers you have access to for configuration purposes

API Key System

  • Authenticate API requests to the blocked endpoint
  • Track API key usage for rate limiting (100 requests per minute per key)
  • Update last used timestamps for each API call
  • Monitor for abuse or unauthorized access
  • Provide key management (create, regenerate, delete) in your dashboard
  • Log API activity for security auditing

Badge System

  • Display earned badges on your public profile
  • Auto-assign badges based on your role (e.g., Administrator, Partner)
  • Allow manual badge assignment by administrators
  • Enable badge ordering customization on your profile
  • Track badge assignment history

Email Communication System

  • Allow administrators and managers to send system announcements
  • Send custom emails to all users or specific users
  • Deliver data export download links via email
  • Maintain audit logs of all emails sent for transparency and accountability

Data Request and Export System (GDPR Compliance)

  • Process your requests to access your personal data
  • Generate comprehensive data exports in JSON format
  • Provide secure, time-limited download links via email
  • Track request status and approval workflow
  • Ensure one-time use and expiration of download tokens
  • Export includes: profile, accounts, sessions, API keys, API activity, guilds, socials, badges, and data request history

Documentation System

  • Provide public documentation at /docs fetched from GitHub repository (NexusProjectsEU/documentation)
  • Stream real-time documentation updates via Server-Sent Events (SSE)
  • Enable community members to learn about ProteX features
  • No personal data is collected or stored for documentation viewing

Partner System

  • Display active partner organizations at /partners and via API
  • Show partner information (name, description, logo, links)
  • Feature selected partners for visibility
  • Rate limit public API access (30 requests per minute per IP)
  • No personal data is collected or stored for partner display

Analytics and Statistics

  • Generate aggregated, anonymized public statistics
  • Track platform usage trends over time
  • Rate limit API requests to prevent abuse
  • Monitor system health and performance

Data Retention

  • User Accounts: Retained while you have an active account; deleted upon account deletion request
  • Session Data: Automatically expired based on session lifetime; cleaned up periodically
  • Active Block Entries: Retained while active or until manually removed
  • Inactive Block Entries: Retained for historical records and statistics
  • Reports: Retained indefinitely for accountability and audit purposes
  • Guild Configuration: Retained while the server is configured in our system
  • User Guild Data: Retained while you have access to the guild; updated on each login
  • API Keys: Retained until deleted by you; masked in data exports for security
  • API Activity Logs: The 100 most recent activities per user are retained for security purposes
  • Badges: Retained while assigned to your account; assignment history retained indefinitely
  • Social Media Links: Retained while you have them configured; deleted when removed
  • Data Requests: Retained indefinitely for compliance and audit purposes
  • Data Export Tokens: Retained for 48 hours after approval; marked as used after download
  • Email Audit Logs: Retained indefinitely for transparency and accountability

Data Sharing

We do NOT sell or share your personal data with third parties for marketing purposes. Your information is used solely for:

  • Service functionality and moderation
  • Authentication via Discord OAuth
  • Internal statistics and analytics
  • Communication with Discord's API for authentication
  • Communication with GitHub's API for documentation fetching
  • Email delivery for data exports and system announcements

Public Statistics

We display aggregated, anonymized statistics publicly on our website via our /api/profile/stats endpoint, including:

  • Total number of blocked users
  • Total number of active block entries
  • Total number of reports submitted
  • Number of protected guilds (Discord servers)
  • Block and report trends over the last 30 days

Important: These statistics do NOT contain any personally identifiable information such as usernames, user IDs, or specific details about individuals. All data is aggregated by day and anonymized.

Public Partner Information

We display partner organization information publicly at /partners and via /api/profile/partners, including:

  • Partner name, description, logo
  • Website, Discord, and GitHub links
  • Featured status
  • No personal user data is included in partner information

Who Can Access Your Data

  • You: Can view your own profile, submitted reports, block status, API keys, badges, social links, and manage server configurations in your dashboard. Can request your complete data export once per week.
  • Public (All Visitors): Can view and search user profiles at /users and /users/{userId}, including:
      • Your username, profile image, role, and badges
      • Your Discord ID (if connected to your account)
      • Your social media links (if you have added them)
      • Your account creation date
      • Your activity statistics (reports over last 30 days)
      • Your block history (if applicable)
  • Server Managers: Can view and configure ProteX settings for Discord servers where they have "Manage Server" permission
  • System Administrators: Have full access to all stored data for system maintenance and moderation
  • System Managers: Can send emails to users and view email audit logs
  • Discord: Receives authentication requests and OAuth token exchanges as part of the login process
  • ProteX Bot: Accesses guild configuration data to enforce moderation actions on configured servers
  • API Users: Authenticated API calls only return block status for specific Discord IDs; no personal data is shared beyond what's requested

IMPORTANT: By creating an account, you consent to your profile information being publicly accessible. This includes visitors who are not logged in to the Service.

Your Rights

Access Your Data

You can access your personal data at any time by:

  • Viewing your dashboard at /dashboard when logged in
  • Viewing your public profile at /users/{yourUserId} (the same view that others see)
  • Seeing all your submitted reports and their status
  • Checking if you appear in any block entries
  • Managing your API keys at /dashboard/apikey
  • Managing your social media links in your account settings
  • Viewing your badge collection and ordering them
  • Requesting a complete data export (GDPR compliance)

Data Export (GDPR Compliance)

You can request a complete export of your personal data:

  • Submit a request once per week via your dashboard
  • Admin reviews and approves/rejects your request
  • Upon approval, receive a secure download link via email (expires in 48 hours)
  • Download link is single-use only for security
  • Export format: Comprehensive JSON file including all your data

Your data export includes:

  • Profile information and authentication data
  • Social media links and badges
  • API keys (masked for security) and recent API activity
  • Guild/server associations
  • Data request history
  • Export metadata and timestamps

Data Deletion

You may request:

  • Deletion of your account and associated authentication data
  • Removal of your personal information (subject to legitimate operational needs such as accountability and audit requirements)
  • Removal from the public user directory
  • Deletion of your API keys
  • Removal of your social media links

Note: Deleting your account will remove your profile from the public directory, but some data (such as historical reports, block entries, and email audit logs) may be retained for accountability purposes as described in the Data Retention section.

To exercise deletion rights, contact us through Discord.

Report System Rights

  • You can submit up to 5 open reports at a time
  • You can view the status of all your reports (pending, denied, reviewed)
  • You cannot report yourself or bot accounts
  • False or abusive reports may result in penalties

Data Security

We implement industry-standard security measures to protect your data:

  • Encrypted Authentication: OAuth tokens and session data are securely stored
  • Database Security: Data is stored in a secure PostgreSQL database with restricted access
  • HTTPS: All web traffic is encrypted via HTTPS
  • Access Control: Database and system access is restricted to authorized administrators
  • Rate Limiting: API endpoints are rate-limited to prevent abuse (100 requests per minute per API key)
  • Session Management: Automatic session expiration and secure session tokens
  • API Key Security: Keys are hashed and stored securely; usage is logged for anomaly detection
  • Token Security: Data export tokens are cryptographically secure (64 characters), single-use, and time-limited (48 hours)
  • Webhook Verification: GitHub webhooks are verified using HMAC-SHA256 signatures

Changes to This Policy

We may update this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy. Material changes will be communicated with 30 days' notice.

Third-Party Services

Our service uses:

  • Discord OAuth: For authentication, subject to Discord's Privacy Policy and Terms of Service
  • better-auth: For session management and OAuth integration
  • PostgreSQL Database: For secure data storage (via Prisma ORM)
  • Discord API: For fetching server information, channels, and managing permissions
  • GitHub API: For fetching public documentation content from NexusProjectsEU/documentation repository
  • Discord Webhooks: For posting GitHub commit notifications (no personal data sent)

When you sign in with Discord, you authorize us to access your Discord profile information, guild membership, and role permissions as described in this policy.

When you visit our documentation pages, we fetch content from GitHub's public repository using their API. No personal data is collected or shared with GitHub beyond standard API request metadata.

Application Form Data

When you submit applications through our application forms system, we collect:

  • Applicant Information: Your user ID and username
  • Form Data: The specific form you're applying to (title, description)
  • Field Responses: Your answers to all form fields (text, selections, dates, etc.)
  • Submission Status: Current state (PENDING, UNDER_REVIEW, ACCEPTED, REJECTED, WITHDRAWN)
  • Review Information: Reviewer ID and name (if reviewed), review timestamp, review decision
  • Timestamps: When you submitted the application and when it was last updated

How We Use Your Information

Application System

  • Process job/role applications submitted through our application forms
  • Track application status and review progress
  • Enable administrators and managers to review and respond to applications
  • Display your submitted applications in your dashboard
  • Enforce role-based restrictions (excluded roles cannot submit applications)
  • Maintain accountability and audit trail for all applications
  • Generate statistics on form usage and submission rates

Who Can Access Your Data

  • You: Can view all your submitted applications and their current status in your dashboard
  • Form Managers: Staff members with roles specified in "Allowed Roles" can view and review all submissions for that form
  • System Administrators: Have full access to all application forms, submissions, and configuration

Data Retention

  • Application Forms: Retained while active; form configuration retained even after deactivation for historical purposes
  • Application Submissions: Retained indefinitely for accountability, audit purposes, and historical records
  • Application Responses: Retained indefinitely; linked to submissions and cannot be deleted separately
  • Form Fields: Retained while in use; fields with existing responses cannot be deleted to maintain data integrity

Application System Rights

  • You can submit applications to forms where your role is not excluded
  • You can view the status of all your applications (pending, under review, accepted, rejected, withdrawn)
  • You cannot submit applications if your role has been excluded from that specific form
  • You can only have one pending application per form at a time
  • You must wait 3 days between submissions to the same form
  • Applications cannot be edited once submitted

Contact

For questions, concerns, or data requests regarding this Privacy Policy, please contact us through our Discord Server.