Privacy Policy

📅 Effective: January 1, 2025 🔄 Last updated: May 2025

Summary: We collect only what we need to run the service. We don't sell your data. You can delete your account at any time. Discord OAuth data stays on your device or your Redis instance — not our servers.

Table of Contents

Information We Collect
How We Use Your Information
Data Storage & Security
Discord Integration
Cookies & Local Storage
Data Sharing
Your Rights
Data Retention
Children's Privacy
Changes to This Policy
Contact Us

1. Information We Collect

Account Information

When you register with email and password, we collect your email address, display name, and a hashed version of your password (using scrypt — we never store your plaintext password).

Discord Data

When you sign in with Discord OAuth, we receive from Discord's API: your Discord user ID, username, and email address (if your Discord account has one verified). We do not receive your password or payment information from Discord.

Usage Data

We may collect anonymous usage data such as which dashboard sections are used and command invocation counts. This data does not identify individual users.

Bot Configuration

Configuration you save (bot branding, embed presets, per-server nicknames) is stored in your connected Upstash Redis instance under your control, or in your browser's local storage.

2. How We Use Your Information

To authenticate you and maintain your session across devices
To determine your access tier (Founder, Owner, Staff, Member)
To sync your dashboard workspace and bot configuration to your Redis instance
To send critical service notifications (if notification preferences are enabled)
To improve the platform's reliability and performance

3. Data Storage & Security

User accounts and sessions are stored in your Upstash Redis instance — you control and own this data. We do not have access to your Redis database. If you use the in-memory fallback (not recommended for production), data is stored only for the lifetime of the serverless function instance.

All API routes enforce HTTPS. Passwords are hashed with scrypt. Session tokens are 32-byte cryptographically random values with 30-day TTLs.

4. Discord Integration

VYREX uses Discord's OAuth 2.0 API with the PKCE flow. When you sign in with Discord:

Your Discord access token is stored in your browser's local storage and expires per Discord's TTL
We call GET /users/@me to retrieve your user ID and email
We call GET /users/@me/guilds to show your server list — this data is not persisted server-side
We do not post messages, join servers, or access DMs on your behalf

Your Discord access token is never sent to third parties beyond Discord's own API.

5. Cookies & Local Storage

We use browser localStorage (not cookies) for:

Your session token (vyrex_auth_session_v1)
Dashboard preferences (theme, compact mode, workspace state)
Bot branding configuration (vyrex_bot_branding_v1)
Embed builder presets (vyrex_embed_presets_v1)

No tracking cookies or third-party analytics cookies are set.

We do not sell, rent, or share your personal data with third parties except:

Discord Inc. — for OAuth authentication (you initiate this)
Upstash — your Redis provider stores account/session data on your behalf
Vercel Inc. — hosts the application (serverless functions, static files)
Stripe Inc. — if you enable billing (payment data is handled entirely by Stripe)

All of the above are processors under your control, not controllers of your data.

7. Your Rights

You have the right to:

Access your data — available in Dashboard → Settings → Profile
Correct your data — update your display name and profile in Settings
Delete your account — Settings → Danger Zone → Delete my account (removes all data from Redis immediately)
Export your workspace — Settings → API & Webhooks → Export
Opt out of non-essential notifications — Settings → Notifications

8. Data Retention

Account data is retained until you delete your account. Sessions expire after 30 days of inactivity. Activity logs are kept for up to 90 days by default (configurable). If you delete your account, all associated data is removed from Redis within 24 hours.

9. Children's Privacy

VYREX is not directed to children under 13 (or 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe a child has provided us data, please contact us immediately.

10. Changes to This Policy

We may update this policy periodically. Material changes will be announced via the dashboard notification system. Continued use of the service after changes constitutes acceptance of the updated policy.

11. Contact Us

Questions about this policy? Open a support ticket or reach us on our Discord server.