Privacy Policy
Last updated: July 11, 2026
1. What We Collect
When Guild Ledger is active in your server, it may store the following data associated with your guild:
- Guild ID — identifies your Discord server
- User IDs — identifies who performed or was the target of a logged action (e.g. moderator, ban target, form submitter)
- Event metadata — timestamps, event type, channel ID, and role IDs associated with moderation actions
- Approval form responses — field values submitted by users through guild-configured approval forms
- Ledger entries — financial records created by guild administrators
- Server nickname history — old and new nickname values at the time of a change (only when the server administrator has enabled the nickname-logging flag, which is off by default)
- Poll votes — when you vote in a poll created with the bot, your User ID and the option you chose are stored to enforce one-vote-per-member and to tally results
- Administrator contact email — optional; a server administrator may provide a contact email address through the bot's
/configmenu. It is used only for service emails about that server's Pro subscription (see Sections 2 and 4) and can be viewed, changed, or cleared at any time in the same menu
Message content is notstored unless the server administrator has explicitly enabled message-content logging in the privacy settings of the bot's /config menu. Nickname history and message content are controlled by separate flags with separate legal bases (see Section 6).
2. How We Use It
Collected data is used solely to operate the features you configure: audit logging, approval workflows, polls, and the per-guild ledger. Data is never sold, rented, or shared with third parties for marketing or analytics purposes.
If a server administrator has provided a contact email address, we use it only to send service emails about that server's Pro subscription — a welcome message when Pro is activated and a notice when a subscription is ending. We do not send marketing email.
3. Data Retention
Audit log entries are stored with a configurable TTL (default: 7 days) and are automatically deleted from our database when they expire. Server administrators on the paid plan may extend retention up to 365 days; if a paid subscription lapses, newly written entries revert to the 7-day window. Guild configuration (including approval form definitions and, if provided, the administrator contact email) is retained until you remove the bot from your server or request deletion; the contact email can also be cleared individually at any time via /config.
Records of decided approval requests and moderation actions are retained for a minimum of 90 days regardless of the configured audit-log window, to preserve a usable accountability trail (see Section 6). Pending (undecided) approval requests expire on a shorter schedule.
Approval and moderation decision records may retain the User ID of the staff member who made the decision (reviewer) after the applicant's personal data has been erased. This identifier is retained to preserve audit trail integrity and is processed under the legitimate interests basis described in Section 6. It is not retained indefinitely — it expires on the same schedule as other approval records.
Ledger entries are retained for a server-configurable period (default: 1 year). Where the server administrator has designated the server as one that keeps financial records subject to statutory record-keeping obligations, a minimum retention floor of 7 years applies to ledger entries, and those records cannot be deleted on demand within that period. Servers that have not opted in to this compliance mode are not subject to the floor and may configure shorter retention. Audit-log entries that document ledger transactions (e.g. a record that an entry was created, voided, or disputed) follow the ledger retention period rather than the general audit-log window, so the accountability trail matches the lifetime of the financial records it describes.
Poll vote records are retained for 90 days after the poll closes, then automatically deleted.
4. Third Parties & International Transfers
We use the following service providers (subprocessors) to operate Guild Ledger:
- Amazon Web Services (AWS)— all stored data described in Section 1 is held in AWS DynamoDB (and related AWS queueing/monitoring services) in the us-east-1 region (United States), encrypted at rest. AWS's privacy practices are described at aws.amazon.com/privacy.
- Resend— our email delivery provider. Resend receives only the administrator contact email address and the server name, and only when an administrator has chosen to provide an email address, solely to deliver the subscription service emails described in Section 2. Resend's privacy practices are described at resend.com/legal/privacy-policy.
- top.gg(bot directory) — we send top.gg only an aggregate server count; no personal data is sent. If you vote for Guild Ledger on top.gg, top.gg notifies us of your User ID so the vote can be acknowledged, under top.gg's own privacy policy.
Operator-configured webhooks.A server administrator may configure the bot to deliver event notifications (which can include User IDs and event metadata) to external webhook URLs of their choosing. Those deliveries happen at the server operator's direction, and the operator — as the data controller for their server — is responsible for the endpoints they configure. If your server uses this feature, ask your server administrator where notifications are sent.
International transfers. Our providers process data in the United States. Where UK/EU GDPR applies to your data, transfers to these providers rely on recognized safeguards such as the EU-U.S. Data Privacy Framework and/or Standard Contractual Clauses, as offered by the relevant provider.
Beyond the providers listed above and any webhooks your server administrator configures, no other third party receives your data. We do not sell data or share it with any third party for marketing, advertising, or analytics purposes.
5. Your Rights
Under the UK GDPR and EU GDPR, you have the right to access, rectify (correct), or request erasure of personal data held about you, the right to restrict processing, the right to data portability where it applies, and — where processing is based on legitimate interests — the right to object. Server administrators can action a member's erasure request directly through the Data Management section of the bot's /config menu, which supports both per-user erasure and server-wide deletion; individual users may also contact us directly at the address below to exercise any of these rights.
Removing the bot from your server stops all future data collection. We will respond to access and deletion requests within one month of receipt, as required by Art. 12(3) UK/EU GDPR. Note that some data may be retained where an exemption applies (e.g. financial records subject to statutory retention obligations in servers that have opted in to financial compliance mode, or audit trail records necessary to defend against a legal claim); if we rely on an exemption, we will tell you which one.
You also have the right to lodge a complaint with a data-protection supervisory authority — in the UK, the Information Commissioner's Office (ICO); in the EU, the supervisory authority of your member state. We would appreciate the chance to address your concern first, but you may contact your authority at any time.
6. Legal Bases for Processing
Processing activities and their legal bases under Art. 6 UK/EU GDPR:
- Audit logging (event metadata, User IDs) — Legitimate interests (Art. 6(1)(f)): server operators have a legitimate interest in maintaining records of moderation activity for accountability and dispute resolution. This is the core function of the bot.
- Nickname history — Legitimate interests (Art. 6(1)(f)): where the server administrator has opted in to nickname logging, retaining historical display-name values is necessary for accurate moderation records (e.g. identifying who a moderation action was taken against when the user has since changed their name). Nicknames are publicly visible to all server members and constitute identity-display metadata, not private communication content. This processing is separate from and not subject to the message-content logging flag. A Legitimate Interests Assessment for this processing is available on request.
- Message content — Legitimate interests (Art. 6(1)(f)): only where the server administrator has explicitly enabled content logging. Disabled by default.
- Approval form responses — Legitimate interests (Art. 6(1)(f)): processing form submissions is necessary to operate the approval workflow configured by the server administrator.
- Reviewer ID on decided records — Legitimate interests(Art. 6(1)(f)): retaining the User ID of the staff member who decided an approval request preserves the integrity of the moderation audit trail and allows the server operator to demonstrate accountability for consequential decisions. The moderator's identifier in a professional-capacity action is low-sensitivity and is not retained indefinitely. A Legitimate Interests Assessment is available on request.
- Ledger financial records — Legitimate interests (Art. 6(1)(f)): maintaining the transaction ledger the server administrator has configured. Where the administrator has designated the server as subject to statutory financial record-keeping obligations, extended retention of ledger records is processed under Legal obligation (Art. 6(1)(c)) — that obligation falls on the server operator keeping the records, and Guild Ledger retains the data on their behalf for the statutory period.
- Poll votes (User ID, chosen option) — Legitimate interests(Art. 6(1)(f)): storing who voted and for what is necessary to prevent duplicate voting and to produce an accurate, auditable tally for the server's poll. Vote records are subject to erasure requests under Section 5.
- Administrator contact email (subscription service emails) — Legitimate interests (Art. 6(1)(f)): sending service communications about the Pro subscription for a server whose administrator has voluntarily provided a contact address. The address is provided directly by the administrator, is used for no other purpose, and can be cleared at any time via
/config, which stops these emails.
7. Changes to This Policy
We may update this policy at any time. Continued use of the bot after changes are posted constitutes your acceptance of the revised policy.
See also our Terms of Service.