Privacy Policy
_Last updated: [PUBLISH_DATE]_
This Privacy Policy describes what data the Magnificent Bastages website ("the Service") collects, why we collect it, and what we do with it.
What we collect
From Discord OAuth (when you log in):
- Discord user ID
- Discord username and display name
- Discord avatar URL
- Email address associated with your Discord account
- The list of Discord servers you share with us (used only to verify community membership)
We do not receive your Discord password. We do not have ongoing access to your Discord account after the initial authorization.
From your profile editor:
- Display name (you can override Discord's)
- Bio
- Pronouns
- Timezone
These fields are optional and only used to personalize your experience and (for creators) your public card.
Automatically collected:
- IP address (used for rate-limiting and security)
- Session identifiers (cookies)
- Audit log entries when you perform privileged actions (logging in, profile edits, role changes, etc.) — these contain your Discord ID, action name, timestamp, and IP
From the contact form (if you submit one):
- Your name and email (as you provide them)
- The text of your message
- Your IP address
How we use it
- To authenticate you and maintain your session
- To display your public profile (display name, bio, pronouns) to other logged-in users; for creators, to display on the public Creators page
- To rate-limit abusive behavior
- To respond to your contact submissions
- To investigate security incidents (audit log)
What we don't do
- We do not sell your data
- We do not share your data with advertisers
- We do not use third-party analytics or trackers
- We do not embed third-party social media widgets that report back to those platforms
Who can see your data
- You: everything we have on you, via your profile page
- Other logged-in users: your display name, avatar, bio, pronouns, and (for creators) your creator card
- Site moderators: in addition to the above, masked IP addresses in the audit log
- Site administrators: full access to all user data, audit logs, and contact messages — but email addresses in the contact inbox are hidden by default and revealed only on explicit click (with audit log entry)
Contact form email visibility
When you submit a contact form, your email is stored in our database but hidden by default in the recipient's inbox view. The recipient must explicitly click "Reveal email" to see it, and each reveal is recorded in our internal audit log. This protects against casual exposure (e.g., screen-sharing).
How long we keep your data
- Active accounts: data retained as long as the account is active
- Deleted accounts: anonymized after the 7-day grace period (see Account Deletion below)
- Audit logs: retained for 12 months for security purposes
- Contact messages: retained until manually deleted by an administrator
Account deletion
You can delete your account at any time from your profile page. Deletion works in two stages:
1. Grace period (7 days): your account is marked for deletion but data is not yet anonymized. You can cancel by logging in again during this window.
2. Anonymization: after 7 days, your username is replaced with a placeholder, your email and avatar are removed, your bio/pronouns/timezone are cleared, and your account is marked as banned (so it can never be reused). Audit log entries remain but reference the anonymized account.
What is NOT deleted on anonymization:
- Audit log entries (retained for the audit retention period; references to your old Discord ID remain so security investigations can complete)
- Contact messages you submitted (retained because they are addressed to MB, but your name/email may be redacted on request)
- Aggregate statistics (counters of "how many users in role X" etc.)
Data deletion requests for special cases
If you want data deleted that the standard account deletion does NOT remove (for example, requesting redaction of a specific contact message), use the contact form with reason "Support" and explain what you want redacted. We process these requests within 30 days.
Children
The Service is not directed at children under 13. We do not knowingly collect data from children under 13. If you believe we have collected such data, please contact us so we can delete it.
International users
Data is stored on servers in the United States. If you are accessing from another jurisdiction, you consent to the transfer and processing of your data in the US.
Changes
When we make material changes to this Privacy Policy, you will be required to accept the new policy before continuing to use the Service.
Contact
Privacy questions? Use the contact form with reason "Support."
This document is a draft. It has not been reviewed by legal counsel. Before relying on it for any binding purpose, consult an attorney familiar with privacy law in your jurisdiction.