Privacy Policy

Last updated: April 26, 2026

This Privacy Policy describes what information the Benzy Security Discord bot, web dashboard at dashboard.benzy.lol, and iOS app (together, the "Service") collect, why we collect it, how we use and store it, and the rights you have over it. By adding the bot to your Discord server, signing in to the dashboard, or using the iOS app, you agree to this Policy.


Who we are

Benzy Security is operated by an individual developer ("we", "us"). The Service is built and maintained by a small team and is not part of any larger organization. There is no parent company, subsidiary, or affiliate.


What data we collect

From your Discord server (the bot)

When the bot is added to your server, it processes the following Discord-provided data so that its moderation and logging features can work:

  • Discord user IDs and usernames of members involved in moderation actions, raid/nuke detection, case management, and reminders
  • Server, channel, and role IDs and names for the guilds the bot has been added to (main server and any sub-servers linked through the "add subserver" flow)
  • Message content, but only when a message matches one of our automated detection rules: raid detection, posting an invite link to a server the bot is not already in, or posting a link whose domain is on your community's blacklist. We do not log or store the contents of normal, non-matching messages.
  • Moderation logs (warnings, kicks, bans, timeouts, quarantines, and the staff member who issued each action and any reason text they typed)
  • Case management data — case titles, summaries, notes, evidence URLs and uploads you choose to attach, participant assignments, and channel transcripts of up to 1,000 messages when you explicitly run the "add transcript" command on a channel
  • Server snapshots (a structural copy of your guild's channels, roles, and permission overwrites, taken every 12 hours) used to revert your server in the event of a nuke incident
  • Quarantine state, sticky message configurations, pending reminders, and suspicious-account flags
  • For SCRP-branded deployments only: verification logs (when a user has completed the verification flow in a server)

From the web dashboard

When you sign in to dashboard.benzy.lol with Discord, the dashboard requests only the "identify" and "guilds" OAuth scopes from Discord. We read your Discord user ID and username, your avatar (for display only), and your list of servers (so we can determine which servers you have moderation access to). We do not request your email address, and Discord does not share it with us.

Your dashboard session is stored in an HttpOnly, Secure, SameSite=Lax cookie. The Discord access token and refresh token are stored only in the encrypted JWT inside that cookie, never exposed to JavaScript in the browser, and never sent to third parties. Sessions expire after 7 days.

We log privileged dashboard actions (settings changes, log rescinds) including the actor's Discord ID, the action, the IP address from the request, and a JSON diff of the change, so a server owner can audit what was changed and when.


From the iOS app

The iOS app authenticates with Discord using the same OAuth flow as the dashboard, with the same "identify" and "guilds" scopes only. The Discord access token and refresh token are stored in the iOS Keychain (device-only, locked when the device is locked) and are never transmitted to any third party.

If you opt in to Face ID, Touch ID, or Optic ID, all biometric matching is performed on-device by iOS. We never receive, see, or store your biometric data — iOS only tells the app whether the unlock attempt succeeded.

The iOS app does not include any third-party analytics SDK, advertising SDK, or crash reporter that transmits data to a third party.


How we use this data

  • To run the moderation, raid/nuke detection, case management, and reminder features you have explicitly enabled in your community settings
  • To populate the dashboard and iOS app for staff members who have moderation access to your community
  • To allow server owners to audit who made which privileged changes through the dashboard
  • To diagnose and fix issues with the Service when they arise

We do not use your data for advertising, profiling, or any commercial purpose other than operating the Service. We do not sell your data. We do not share your data with any third party other than Discord itself, which is necessary for the bot to function.


Where data is stored

The Discord bot itself runs on a private VPS owned by the developer. The website (benzy.lol), dashboard (dashboard.benzy.lol), and the MySQL database that backs all of the above are hosted by Breezehost using their Plesk-managed hosting platform. Both providers are based in the United States.

If you are accessing the Service from outside the United States, you acknowledge that your data is transferred to and processed in the United States.


Third parties

The only third party we share data with is Discord itself, which is unavoidable: the bot, dashboard, and app all need to talk to Discord to function. We do not use any analytics service, advertising network, error tracker, A/B-testing platform, or other SDK that forwards your data anywhere.


How long we keep data

Community data (logs, cases, snapshots, evidence, sticky messages, reminders, etc.) is retained indefinitely while the bot remains a member of any server in your community. When the bot is removed from the last server in a community, all of that community's data is removed from our database via cascade deletion. There is no manual cleanup step.

Dashboard sessions expire after 7 days. iOS app sessions are tied to the validity of your Discord access/refresh tokens; if you opt in to biometric lock, the app additionally requires a fresh biometric unlock at least every 30 days.

Audit log entries (records of dashboard settings changes and log rescinds) are retained for the life of the community for accountability.


Your rights

Wherever you live, you have the right to ask us:

  • What data we hold that relates to you (access)
  • To correct any inaccurate data we hold about you
  • To delete data that relates to you (note that for server-scoped data, the simplest path is for the server owner to remove the bot, which triggers full deletion)
  • For an export of your data in a machine-readable format
  • To restrict or object to certain processing

To exercise any of these rights, contact us through the support Discord linked at the bottom of this page. We will respond within 30 days.

The following regimes apply additional rights or terminology, all of which we honor on request:

  • European Economic Area: General Data Protection Regulation (GDPR)
  • United Kingdom: UK GDPR
  • California: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to opt out of sale (we do not sell data) and the right to non-discrimination
  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Brazil: Lei Geral de Proteção de Dados (LGPD)
  • Australia: Privacy Act 1988
  • South Africa: Protection of Personal Information Act (POPIA)
  • Japan: Act on the Protection of Personal Information (APPI)

Children's privacy

The Service is intended for users 13 years of age or older, in line with Discord's own Terms of Service. We do not knowingly collect data from children under 13. If you believe we have, contact us via the support Discord and we will delete it.


Security measures

  • All web traffic to the website, dashboard, and mobile API is served over HTTPS/TLS
  • Authentication uses Discord OAuth; we never see your Discord password
  • Dashboard access tokens are stored only in server-side encrypted JWTs and are never exposed to client-side JavaScript
  • iOS access and refresh tokens are stored in the iOS Keychain with `kSecAttrAccessibleWhenUnlockedThisDeviceOnly`
  • Optional Face ID / Touch ID / Optic ID lock on the iOS app, with a 15-minute inactivity threshold and a 30-day hard re-authentication window
  • The dashboard validates that the user has the correct Discord permissions on the community's main server before serving any community data
  • All database queries use parameterized statements; the database connection rejects multi-statement queries
  • Strict Content-Security-Policy, HSTS, and other security headers on every dashboard response
  • Per-IP rate limiting on the dashboard API, with lower limits on auth-adjacent endpoints

Links to other websites

The dashboard and case evidence may render links you or your staff have entered. We restrict tappable evidence links to http(s) only, but we do not control the contents of those external sites. Review the privacy policy of any site you visit through such a link.


Changes to this Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page and post the new version here. Material changes will be announced in the support Discord.


Contact us

For questions, requests, or concerns about this Privacy Policy, contact us through: