Sauna
Privacy Policy
Status Tickets Commands Moderation Leveling Analytics

Privacy Policy

What we collect through the Sauna bot and dashboard, why, and how long we keep it.

Effective date: July 16, 2026

1. Who We Are

Sauna ("Sauna", "we", "us", or "our") provides a Discord bot and an accompanying web dashboard (together, the "Service") that server administrators can add to their Discord servers for ticketing, moderation, leveling, custom commands, and related community-management features. This Privacy Policy explains what information we collect through the Service, how we use it, and the choices available to you.

This Policy applies to the Sauna bot, the dashboard at saunabot.rest, and the status API at status.saunabot.rest. It does not apply to Discord itself, which has its own privacy policy governing your Discord account generally.

2. Information We Collect

2.1 Information you provide by signing in. When you sign in to the dashboard with "Login with Discord," Discord shares with us:

  • Your Discord user ID and username
  • A list of the Discord servers you are an owner or administrator of, limited to servers our bot has been added to (server ID, name, and icon)
  • A short-lived access token, used only to check your permissions and refresh the server list above; we never expose this token to your browser and do not use it to read your messages, direct messages, or friends list

We request only the identify and guilds OAuth scopes. We do not request your email address, and Discord does not share it with us through this login flow.

2.2 Server configuration data. When a server administrator configures the bot, we store the settings they choose, scoped to that server only: ticket categories and role assignments, automod rules, auto-role settings, custom command text, canned responses, and the channel/role IDs the bot needs to operate.

2.3 Moderation records. When a moderator issues a warning, mute, kick, or ban through the bot, we store a case record: the action type, the target member's Discord user ID, the issuing moderator's Discord user ID, the reason text provided, and a timestamp. Case records are capped at 500 per server; older entries are deleted automatically as new ones are added.

2.4 Leveling data. If a server administrator enables leveling, we track each member's accumulated experience points and the timestamp of their last counted message, keyed to their Discord user ID, for that server only. We do not store the content of the messages used to calculate experience.

2.5 Audit log. Where enabled features generate them, we keep a short audit trail per server: message edit/delete events (with the message content truncated to 300 characters) and member join, leave, and role-change events, each tied to the relevant Discord user ID. Entries are capped at 500 per server; older entries are deleted automatically as new ones are added.

2.6 Ticket transcripts. When a support ticket is closed, we generate a transcript of the conversation and deliver it as a file directly to a Discord channel the server administrator has designated. We do not keep a copy of ticket message content on our own servers after the transcript has been generated and delivered.

2.7 Aggregate analytics. We record day-level, server-wide counts (message volume, member count, and command-usage totals) to power the dashboard's analytics charts. These figures are aggregated and are not tied to individual members. Analytics data is retained for 90 days and then deleted automatically.

2.8 Cookies. The dashboard uses a small number of strictly necessary cookies:

  • oauth_state and oauth_redirect — short-lived (5 minutes), used only to complete the Discord sign-in flow securely
  • pirtis.sid — your dashboard session cookie, valid for up to 7 days, marked httpOnly and secure

We do not use advertising, tracking, or third-party analytics cookies.

2.9 Server and technical logs. Like most web services, our hosting and network infrastructure incidentally logs technical information (such as IP address and request timestamps) for security, abuse prevention, and debugging. These logs are not used for profiling or advertising.

3. How We Use Information

We use the information above to operate and provide the bot's features; authenticate you and show you only the servers you administer; let server administrators configure and review their own server's settings; enforce moderation actions and maintain an accountability trail for them; detect and prevent abuse of the Service; and diagnose and fix technical problems.

4. Server Administrators as Controllers

For settings and records that a server administrator configures or generates through the bot on their own server (Sections 2.2–2.6), that administrator determines what data is collected and how it is used on their server, and is responsible for providing their community with any notices, or obtaining any consents, that applicable law requires. We process this data on their behalf, as described in this Policy. For the dashboard sign-in data described in Section 2.1, we act as the data controller.

5. How We Share Information

We do not sell personal data, and we do not share it for advertising purposes. We share information only:

  • With Discord, Inc., as necessary for the bot and OAuth login to function — this is inherent to operating a Discord bot
  • With our hosting and infrastructure providers, solely to run the Service
  • If required by law, legal process, or to protect the rights, safety, or property of Sauna, our users, or others
  • With a successor entity in the event of a merger, acquisition, or sale of assets, subject to this Policy continuing to apply to previously collected data

6. Data Retention

  • Moderation cases and audit log entries: capped at 500 most-recent entries per server; oldest entries deleted automatically
  • Analytics: 90 days, then deleted automatically
  • Dashboard sessions: up to 7 days, held in memory only, and cleared on logout or bot restart
  • Server configuration and leveling data: retained until a server administrator changes or clears it, or until the bot is removed from the server, after which associated server data is deleted within a reasonable period

7. Data Security

We apply reasonable technical and organizational measures to protect the data we hold, including encrypted transport (HTTPS/TLS) for all dashboard and API traffic, httpOnly/secure session cookies, and restricting access to production systems to those who operate the Service. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

8. International Data Transfers

Our infrastructure may process and store data in countries other than your own. Where personal data originating in the European Economic Area is transferred elsewhere, we take steps intended to ensure it receives an equivalent level of protection.

9. Your Rights

Depending on where you live, you may have rights to access, correct, delete, or export the personal data we hold about you, or to object to or restrict certain processing. If you're an individual member of a server using Sauna and want to exercise these rights over server-specific data (like a moderation case or your leveling stats), we recommend first contacting that server's administrators, since they control that data; you're also welcome to contact us directly and we will assist or route your request appropriately. Dashboard sign-in data (Section 2.1) can be cleared at any time by logging out; you may also contact us to request deletion. If you are in the EEA/UK, you also have the right to lodge a complaint with your local data protection authority.

10. Children's Privacy

The Service is built on top of Discord, which requires users to be at least 13 years old (or the minimum age required in your country). We do not knowingly collect personal data from children below that age. If you believe a child has provided us data in violation of this policy, please contact us and we will remove it.

11. Changes to This Policy

We may update this Privacy Policy as the Service evolves, including to cover new features. If we make material changes, we will update the effective date above and, where appropriate, provide additional notice. Continued use of the Service after a change takes effect means you accept the revised Policy.

12. Contact Us

Questions about this Policy or requests regarding your data can be sent to privacy@saunabot.rest.

Sauna · privacy policy
Privacy Policy Terms of Service