Your privacy matters. This Privacy Policy explains how Fido collects, uses, protects, and handles your personal information in compliance with GDPR and other data protection regulations.
1. Information We Collect
1.1 Verification Data
When you complete the verification process, we collect:
| Data Type | Purpose | Storage |
|---|---|---|
| Discord User ID | Identify your account | Permanent (until revoked) |
| Username & Display Name | Display purposes | Permanent (until revoked) |
| IP Address Hash | Duplicate detection | Permanent (hashed with SHA-256) |
| OAuth Tokens | API access (if needed) | Until token expiry or revocation |
| Server Membership | Verification eligibility | Permanent (until revoked) |
| Verification Timestamp | Audit trail | Permanent (until revoked) |
1.2 IP Address Protection
Important Security Measure: We DO NOT store your IP address in plain text. Instead, we create a cryptographic hash (SHA-256) which cannot be reversed to obtain your original IP address. This hash is only used to detect potential duplicate accounts.
1.3 OAuth Permissions
During verification, you grant us the following Discord OAuth2 scopes:
- identify: Read your Discord username and user ID
- guilds: View which servers you're in
- guilds.join: (Optional) Add you to backup servers if needed
2. How We Use Your Information
2.1 Primary Uses
- Verification: Confirm you're a legitimate user and grant server access
- Security: Detect and prevent abuse, spam, or unauthorized access
- Server Management: Manage roles and permissions
- Compliance: Meet legal obligations and respond to valid requests
2.2 Duplicate Detection
We use IP address hashes to identify when multiple accounts verify from the same location. This helps us:
- Detect potential ban evasion
- Identify coordinated spam attacks
- Maintain community integrity
When duplicates are detected, server administrators are notified but your actual IP address is never disclosed.
3. Revoking Access & Data Deletion
3.1 Using Bot Commands (Recommended)
The recommended way to revoke your verification is through the /verification revoke command. This:
- Revokes your OAuth tokens from both Discord and our end
- Permanently deletes all your verification data from our database
- Removes your verified role
- Sends you a data export before deletion
3.2 Manual Deauthorization (NOT Recommended)
Critical: If you deauthorize Fido through Discord Settings → Authorized Apps, this only removes the connection on Discord's side. It does NOT delete your verification data from our database (user ID, username, IP hash, and tokens remain stored). Always use /verification revoke instead to ensure complete data deletion.
3.3 Rejoining the Server
- If you are still verified: Rejoining the server will automatically restore your verified role; no re-verification needed.
- If you deauthorized the bot: You will be required to go through the full verification process again. The bot cannot grant your role without valid authorization.
4. Alt Account Detection & IP Privacy
4.1 How It Works
During verification, we create a one-way cryptographic hash (SHA-256) of your IP address and compare it to existing records. If multiple accounts verify from the same IP hash, server staff are notified.
4.2 Your IP Is Never Visible
We literally cannot see your IP address. The SHA-256 hash is a one-way function: it cannot be reversed. Not by us, not by staff, not by anyone. The hash is used only for comparing against other hashes. We take your privacy extremely seriously.
4.3 What Staff See
When a potential alt is detected, staff are shown:
- The hashed value (not your IP)
- Which other verified accounts share the same hash
- Whether any matched accounts belong to banned users (potential ban evasion)
Staff will always review context before taking any action. Shared networks (households, schools, VPNs) may trigger alerts; this alone does not result in punishment.
4.4 Ban Evasion Detection
If your IP hash matches a previously banned user, staff will receive a prominent alert. This is to protect the community from users who have been removed for serious rule violations and attempt to return on new accounts.
5. Data Storage and Security
5.1 Where We Store Data
Your verification data is stored in a dedicated MongoDB database separate from other bot data. This isolation provides an additional security layer.
5.2 Security Measures
- Encryption: Database connections use TLS encryption
- Access Control: Strict access controls limit who can view verification data
- Hashing: IP addresses are hashed with SHA-256 before storage
- Isolation: Verification database is separate from main bot database
- Token Security: OAuth tokens are stored securely and revoked when no longer needed
5.3 Data Retention
We retain your verification data until you:
- Revoke your verification using /verification revoke
- Leave the server permanently (data may be retained for security purposes)
- Request deletion through server administrators
6. Your Rights (GDPR Compliance)
6.1 Right to Access
You can request a copy of your data at any time using the /verification requestdata command. This provides a JSON export containing all stored information (except sensitive tokens).
6.2 Right to Deletion
You can delete all your verification data using the /verification revoke command. This will:
- Export your data (sent via DM if possible)
- Revoke all OAuth tokens
- Remove your verified role
- Permanently delete your data from our database
6.3 Right to Rectification
If your data is inaccurate, you can revoke and re-verify to update it.
6.4 Right to Object
You can object to data processing by not completing verification or by revoking your verification.
6.5 Data Portability
Your data export is provided in JSON format, making it easily portable to other systems.
7. Data Sharing
7.1 Third-Party Services
We share minimal data with:
- Discord: Through their official API for verification purposes
- HCaptcha: For bot protection (they have their own privacy policy)
7.2 We DO NOT
- Sell your data to third parties
- Share your data for marketing purposes
- Provide your data to data brokers
- Use your data for advertising
7.3 Legal Disclosure
We may disclose information if required by law, such as:
- Valid court orders or subpoenas
- Law enforcement requests with proper legal authority
- Protection of our rights or safety of others
8. Cookies and Tracking
Our verification system does not use cookies. However:
- Discord's OAuth process may use cookies (see Discord's Privacy Policy)
- HCaptcha uses cookies for fraud detection (see HCaptcha's Privacy Policy)
9. Children's Privacy
Fido is intended for users 13 years and older (Discord's minimum age). We do not knowingly collect information from children under 13. If we discover such collection, we will delete the information immediately.
10. International Data Transfers
Your data may be processed in different countries. We ensure appropriate safeguards are in place for international transfers in compliance with GDPR and other regulations.
11. Changes to Privacy Policy
We may update this Privacy Policy from time to time. Changes will be effective immediately upon posting. We will notify users of significant changes through Discord announcements.
12. Contact and Questions
For privacy-related questions or concerns:
- Contact server administrators through Discord
- Use /verification requestdata for data inquiries
- Use /verification revoke for deletion requests
13. Your Choices
You have full control over your data:
- Don't verify if you don't want to share data
- Request your data anytime (24-hour cooldown)
- Delete your data anytime with /verification revoke
- Review this policy before verifying
14. Data Breach Notification
In the unlikely event of a data breach affecting your personal information, we will:
- Notify affected users within 72 hours
- Report to relevant authorities as required by law
- Take immediate action to secure systems
- Provide guidance on protective measures
Summary: We collect minimal data necessary for verification, protect it with strong security measures, never sell it, and give you complete control over it. Your privacy is our priority.