Last updated: June 2026 · Hala Habibi Bot
Effective date: 22 June 2026. This Privacy Policy explains how the Hala Habibi Discord bot, its companion website at halahabibibot.com, and the web dashboard (together, the "Service") collect, use, store, share, and protect information. It also describes the rights you have over your data. By adding, accessing, or using the Service you acknowledge that you have read and understood this Policy. If you do not agree, please do not use the Service and remove the bot from your server.
In this Policy, "we", "us" and "the operator" refer to the individual operator of Hala Habibi. "You" refers to a server owner/administrator who adds the bot, or an end user who interacts with it.
(a) Discord identifiers. Server (guild) IDs, user IDs, role IDs, channel IDs, and message IDs. These are public, numeric Discord identifiers used to attribute features to the right server/user.
(b) Activity & usage data. Message counts and timestamps (not content), voice-channel activity duration, experience points (XP) and levels, command usage events, and similar engagement metrics used for leveling, leaderboards, statistics, and the dashboard.
(c) Feature data you create. Economy balances and transactions (virtual currency only), card-collection records, moderation case logs (reason text entered by moderators, action type, target user ID), reaction-role and announcement configurations, Question-of-the-Day submissions and schedules, and other settings you configure.
(d) Content processed transiently. To deliver certain features the bot must read message events in real time (for example, to count messages or detect commands). Except for the limited fields listed above, this content is processed in memory and not written to long-term storage.
(e) Web dashboard & authentication data. When you sign in via Discord OAuth2, we receive your Discord user ID, username, avatar, and the list of servers in which you have administrative permissions, solely to authenticate you and show servers you may manage. We store a signed, HttpOnly session cookie to keep you logged in. Standard server logs (such as IP address, user-agent, and request times) may be processed transiently for security, abuse-prevention, and diagnostics.
(f) Premium & payment metadata. If a server subscribes to Premium, we store the subscribing server ID, Premium status, start/renewal/expiry timestamps, and the PayPal subscription identifier. We do not receive or store your full payment card number, CVV, or bank details — those are handled exclusively by PayPal.
We use the data above only to: operate and provide the Service and its features; maintain leveling, economy, moderation, logging, and dashboard functionality; authenticate dashboard sessions; provide, bill, and manage Premium subscriptions; prevent abuse, fraud, and security incidents; diagnose and fix problems; respond to your support requests; and comply with legal obligations.
The website uses a single, strictly necessary authentication cookie for the dashboard. It is cryptographically signed (HMAC), marked HttpOnly and Secure, and uses SameSite protection. It exists only to keep you signed in and is not used for advertising or cross-site tracking. We do not use third-party advertising or analytics cookies.
We do not sell, rent, or trade your personal data. We share data only with service providers strictly necessary to run the Service:
We may also disclose data if required by law, regulation, legal process, or governmental request, or to protect the rights, safety, and security of users, the public, or the operator.
The Service may be operated from, and data processed in, jurisdictions outside your country, including via our hosting and infrastructure providers. Where required, such transfers rely on appropriate safeguards (for example, the providers' standard contractual clauses).
Depending on your location (including the EEA/UK under GDPR and California under the CCPA/CPRA), you may have the right to: access the data we hold about you; correct inaccurate data; request deletion ("right to be forgotten"); restrict or object to processing; request data portability; and withdraw consent. California residents have the right to know, to delete, and to opt out of the sale of personal information — we do not sell personal information.
How to exercise: remove the bot from a server to stop further collection for that server, or contact us via our support server or the /feedback command to request access or deletion. We aim to respond within 30 days. You also have the right to lodge a complaint with your local data-protection authority.
We retain server and feature data for as long as the bot remains in your server and for a reasonable period afterward to allow recovery and to meet legal/operational needs, after which it is deleted or anonymized. Premium/billing records may be retained longer where required for accounting, tax, or fraud-prevention purposes. You may request earlier deletion as described in Section 9.
We apply reasonable technical and organizational measures, including: storing secrets only in protected environment variables (never in code), TLS/HTTPS for the website, signed HttpOnly/Secure session cookies, network-level DDoS protection and rate limiting, and least-privilege access. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.
The Service is not directed to children under the age required to use Discord (13, or older where local law requires, such as 16 in parts of the EEA). We do not knowingly collect data from children below the applicable age. If you believe a child has provided data, contact us and we will delete it.
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you.
In the event of a personal-data breach likely to result in a risk to your rights, we will take reasonable steps to mitigate it and, where required by law, notify affected users and/or the relevant authority within the legally mandated timeframe.
We may update this Policy from time to time. Material changes will be reflected by updating the "Effective date" above and, where appropriate, through an in-Service or community notice. Continued use after changes take effect constitutes acceptance.
For privacy questions or to exercise your rights, join our support server or use the /feedback command in any server where the bot is present. For formal data-protection requests we can provide a direct contact channel on request.