Privacy Policy
Privacy Policy for AttendiBot, operated by SartoLabs LLC.
Effective date: July 2, 2026. This Privacy Policy applies to AttendiBot when operated by SartoLabs LLC on our hosted infrastructure.
See also our Terms of Service, Privacy Policy, and Cookie Policy.
1. Introduction
SartoLabs LLC ("we," "us," or "our") operates AttendiBot, a Discord voice channel attendance tracking service with optional cryptographic signing, leaderboards, and a web-based admin dashboard (collectively, the "Service").
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our website, sign in to the admin dashboard, interact with the Discord bot on servers where it is installed, or use our public session verification tools.
By using the Service, you acknowledge that you have read this Privacy Policy. If you do not agree, please do not use the Service.
2. Data controller
For AttendiBot instances hosted and operated by SartoLabs LLC, we act as the data controller (or "business" under applicable US state privacy laws) for personal information processed through our infrastructure.
SartoLabs LLC30 N St Ste. N, Sheridan, WY 82801, United States
[email protected]
+1 (307) 289-4991
3. Definitions
- Personal Data — information that identifies or can reasonably be linked to an individual, such as a Discord user ID combined with activity records.
- Processing — any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.
- Server Administrator — a Discord user with Manage Server or Administrator permission who configures AttendiBot for a Discord server.
- End User — any Discord user whose voice channel presence is tracked on a server where the bot is installed.
- Service — the AttendiBot Discord bot, web dashboard, verification tools, and related infrastructure operated by SartoLabs LLC.
4. Information we collect
We collect the following categories of information:
4.1 Discord account and authorization data
When a Server Administrator signs in to the web dashboard via Discord OAuth, we receive and process:
- Discord user ID, username, and avatar image URL
- Discord guild (server) IDs, names, icons, and permission flags for servers you manage
- A Discord access token used to verify permissions (stored in your session)
We request OAuth scopes identify and guilds only. We do not request your Discord email address through OAuth.
4.2 Voice session metadata
When AttendiBot is active on a Discord server, we collect metadata about voice channel presence. This includes:
- Discord user IDs, guild IDs, and voice channel IDs
- Join, leave, and channel-move timestamps
- Session duration and accumulated attendance seconds
- Mute and deafen state flags (used for fairness rules only)
- Ed25519 cryptographic signatures and payload hashes for completed sessions
We do not record, store, transmit, or process voice audio, voice packets, recordings, or speech transcripts. AttendiBot tracks presence metadata only.
4.3 Cryptographic and configuration data
- Ed25519 signing keypairs generated per server, with private keys encrypted at rest using AES-256-GCM
- Server configuration: tracked channels, tracking mode, reset schedules, fairness settings, log destinations, subscription tier, verified role rules
- Admin-configured outbound webhook URLs and secrets (Pro/Enterprise tiers)
4.4 Cookies and similar technologies
We use cookies and local storage for authentication, dashboard preferences, and (with your consent) analytics. See our Cookie Policy for details.
4.5 Server logs
Our servers automatically record technical logs that may include Discord user IDs, guild IDs, IP addresses, browser user agents, request timestamps, and error messages. These logs are used for security, debugging, and service reliability.
4.6 Analytics (with consent)
If you consent to analytics cookies, we use Plausible Analytics to collect anonymous pageview statistics and custom events (such as invite clicks and verifier usage). Plausible does not use cross-site tracking cookies.
5. Information we do not collect
- Voice audio, recordings, or speech content
- Discord message content or direct messages
- Payment card numbers or financial account details (we do not process payments today)
- Precise geolocation data
- Health, biometric, or government ID data
6. How we use information
We use Personal Data solely to:
- Provide voice attendance tracking, leaderboards, and period archives
- Generate and verify Ed25519-signed session records
- Operate the admin dashboard and authenticate Server Administrators
- Deliver tier-gated features such as exports, webhooks, and verified roles
- Post attendance logs to Discord channels configured by Server Administrators
- Maintain service security, prevent abuse, and troubleshoot errors
- Respond to support requests and legal obligations
- Analyze aggregated website usage (only where you have consented to analytics cookies)
We do not sell Personal Data. We do not use voice session metadata for advertising, profiling for third-party marketing, or cross-context behavioral advertising.
7. Legal bases for processing (EEA, UK, and Switzerland)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we process Personal Data on the following legal bases:
- Performance of a contract — processing necessary to provide the Service you or your Server Administrator requested
- Legitimate interests — security monitoring, fraud prevention, service improvement, and enforcement of our Terms of Service, balanced against your privacy rights
- Consent — non-essential cookies and analytics, which you may withdraw at any time via our cookie settings
- Legal obligation — where required to comply with applicable law, regulation, or valid legal process
8. How we share information
We may share Personal Data with the following categories of recipients:
- Discord Inc.— platform integration, OAuth authentication, and bot API operations. Discord's privacy policy applies to data processed on Discord's platform.
- Infrastructure providers — cloud hosting and database services that store and process data on our behalf under contractual confidentiality and security obligations.
- Plausible Analytics — optional, consent-gated website analytics.
- Google Fonts— typography may be delivered via Google's font service when you load our website (subject to Google's terms and privacy policy).
- Server Administrator-configured destinations — when a Server Administrator configures Discord log channels or outbound webhooks, attendance metadata (including Discord user IDs and session details) is sent to those destinations. The Server Administrator is responsible for the privacy practices of those third parties.
- Legal and safety disclosures — when required by law, court order, or to protect the rights, property, or safety of SartoLabs LLC, our users, or the public.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to continued protection of Personal Data.
We do not sell or share Personal Data for cross-context behavioral advertising.
9. International data transfers
SartoLabs LLC is located in the United States. If you access the Service from outside the US, your Personal Data may be transferred to, stored in, and processed in the United States or other countries where our service providers operate.
Where required by applicable law, we implement appropriate safeguards for international transfers, such as Standard Contractual Clauses approved by the European Commission or equivalent mechanisms.
10. Data retention
- Active voice sessions — retained in real time until the session ends, then moved to completed session records.
- Completed sessions and period archives — retained until deleted by a Server Administrator or upon termination of the Service for that server, unless a longer period is required by law.
- Dashboard session cookies — retained per Auth.js session configuration.
- Server logs — retained for a reasonable operational period, typically not exceeding 90 days unless needed for security investigations.
- Analytics data— retained per Plausible Analytics' policies when enabled.
Subscription tiers may limit the number of archived leaderboard periods available in the dashboard, but underlying session records are not automatically purged unless explicitly deleted.
11. Security
We implement administrative, technical, and organizational measures designed to protect Personal Data, including:
- TLS encryption for data in transit
- AES-256-GCM encryption for signing private keys at rest
- Access controls limiting dashboard access to authorized Discord administrators
- Short-lived internal authentication tokens for API requests
- No storage of voice audio or message content
No method of transmission or storage is completely secure. We cannot guarantee absolute security.
12. Your privacy rights
Depending on your location, you may have the following rights regarding your Personal Data. We will respond to verified requests within 45 days (or as required by applicable law).
12.1 EEA, UK, and Switzerland (GDPR / UK GDPR)
- Access a copy of your Personal Data
- Rectify inaccurate Personal Data
- Erasure ("right to be forgotten") in certain circumstances
- Restrict or object to processing in certain circumstances
- Data portability where processing is based on consent or contract
- Withdraw consent at any time (without affecting prior lawful processing)
- Lodge a complaint with your local supervisory authority (e.g., your EU member state DPA or the UK ICO)
12.2 California (CCPA / CPRA)
California residents have the right to:
- Know what Personal Information we collect, use, and disclose
- Request deletion of Personal Information, subject to exceptions
- Request correction of inaccurate Personal Information
- Opt out of the sale or sharing of Personal Information — we do not sell or share Personal Information for cross-context behavioral advertising
- Not receive discriminatory treatment for exercising privacy rights
To exercise California privacy rights, email [email protected] with the subject line "California Privacy Request."
12.3 Other US state privacy laws
Residents of Virginia, Colorado, Connecticut, Utah, and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and opt out of certain processing. Contact us at [email protected] to exercise applicable rights.
12.4 How to submit a request
Email [email protected] or call the phone number listed in Section 2. We may need to verify your identity before fulfilling a request. End Users whose attendance is tracked on a Discord server may also contact the Server Administrator, who may have independent obligations regarding member data.
13. Do Not Sell or Share My Personal Information
SartoLabs LLC does not sell Personal Data and does not share Personal Data for cross-context behavioral advertising as defined under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
Because we do not engage in such sale or sharing, no opt-out mechanism is required. If our practices change, we will update this policy and provide any legally required opt-out method.
14. Children's privacy
The Service is not directed to children under 13 years of age. Discord's Terms of Service require users to be at least 13. We do not knowingly collect Personal Data from children under 13. If you believe we have collected such data, contact us at [email protected] and we will promptly delete it.
15. Server Administrator responsibilities
Discord Server Administrators who install and configure AttendiBotmay act as independent data controllers (or businesses) with respect to their server members' attendance data, particularly when they:
- Configure which voice channels are tracked
- Post attendance logs to Discord channels visible to members
- Configure outbound webhooks to third-party systems
- Export attendance data for their own purposes
Server Administrators are responsible for providing any required notices to their server members and for ensuring their use of AttendiBot complies with applicable privacy laws.SartoLabs LLC processes data on behalf of and at the direction of Server Administrators for the core tracking functionality.
16. Self-hosted deployments
AttendiBot may be self-hosted by third parties. When an operator other than SartoLabs LLC hosts the Service, that operator is the data controller for Personal Data processed on their infrastructure. This Privacy Policy applies to instances operated by SartoLabs LLC on attendibot.com and our production infrastructure.
17. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where practicable, provide notice through our website or support channels. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
18. Contact us
For privacy questions, data subject requests, or complaints, contact:
SartoLabs LLC30 N St Ste. N, Sheridan, WY 82801, United States
[email protected]
+1 (307) 289-4991
See also our Terms of Service, Privacy Policy, and Cookie Policy.
Change log
Effective July 2, 2026
- Initial Privacy Policy covering Discord voice attendance data.
- GDPR and CCPA rights, retention, and data subject request instructions.
- Subprocessor disclosures for hosting, analytics, and authentication providers.