Privacy

Last revised: October 19, 2025

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

This privacy policy describes how we might use your information if you:

  • Visit our website at https://bentobot.xyz
  • Use our Discord application(s) (a.k.a. "Discord Bot(s)" — Bento#3548)
  • Engage with us in other related ways ― including any sales, marketing, or events

In this privacy policy, if we refer to:

  • "Website": any website of ours that references or links to this policy
  • "Bot" or "App": any Discord application of ours that references or links to this policy, including any listed above
  • "Service(s)": our Website, Bot, and other related services, including any sales, marketing, or events
  • "Data": any data, content, and information (including personal information) owned, held, used or created by you (or on your behalf) that may be stored using, or processed by, our Services
  • "Discord": Discord Inc. and its related companies
  • "Discord End User": you, as someone who is using Discord-related services according to the Discord privacy policies and terms of service
  • "Discord End User Data": the data you provide to Discord through the Discord App
  • "Discord App": the client(s) (desktop, mobile, web, …) that Discord offers to their End User(s) to access their services
  • "Discord API": the API (Application Programming Interfaces) Discord provides to developers, that enables us to access your Discord End User Data according to the Discord privacy policies and terms of service
  • "Message XP": a number value that increments for every sent message by a Discord End User

The purpose of this privacy policy is to explain to you in the clearest way possible what information we collect, how we use it, and what rights you have in relation to it.

Please read this privacy policy carefully, as it will help you understand what we do with the information that we collect.

What information is collected

We may collect personal information that you voluntarily provide to us when you express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Through our Bot, we may collect personal information related to you that Discord provides to us through the Discord API (in this case, we refer to Discord End User Data).

The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make and the products and features you use within our Service and within the Discord servers that you share with Bento.

By adding Bento or joining a server with Bento, the information we collect may include:

Automatically collected data

  • User ID
  • Username (and discriminator where applicable)
  • Avatar URL
  • Messages for XP (not the content of messages; only that a message event occurred to increment XP)

We do not access or store the content of your Discord messages. Our XP feature only records that a message event occurred; it does not log what was said.

Website login via Discord (OAuth2) & Cookies

When you sign in on our Website using Discord, we receive limited public Discord profile information from Discord: your Discord user ID, username (and discriminator where applicable), and avatar URL. We store these fields in our database to create and maintain your account and to verify your session.

Cookies used for sign-in (strictly necessary):

  • Session cookie: Keeps you logged in and ties your browser session to your account. Set as HTTP-only and Secure with an appropriate SameSite value. Expires on logout or after 7 days of inactivity.
  • CSRF token: Helps protect your account from cross-site request forgery. Expires at the end of the session or after a short period.

We do not set non-essential cookies (such as analytics or marketing) without your consent. If we add such cookies in the future, we will request consent and update this policy and our Cookie notice.

Legal basis: performance of a contract (providing your account) and/or our legitimate interests in providing and securing the Service.

How your information is used

We use personal information collected via our Services for a variety of business purposes described below. We process your personal information for these purposes in reliance on our legitimate business interests, in order to enter into or perform a contract with you, with your consent, and/or for compliance with our legal obligations. We use the information we collect or receive to:

  • Offer our services to you (including Discord End User Data obtained via the Discord API or information you provide directly).
  • Request feedback and contact you about your use of our Services.
  • Send administrative information to you (e.g., product, service and new feature information and/or changes to our terms, conditions, and policies).
  • Protect our Services (e.g., for fraud monitoring and prevention).
  • Enforce our terms, conditions and policies; comply with legal and regulatory requirements; or perform our contract with you.
  • Respond to legal requests and prevent harm (e.g., in response to a subpoena or other legal process).
  • Authenticate Website users via Discord OAuth and maintain sessions.
  • Operate XP and other features without storing message content.

The personal information we process may be used for the following purposes:

  • Discord ID: to identify you across our Services and in relation to your Discord End User Data.
  • Discord OAuth profile fields (username/discriminator where applicable and avatar URL): to create and maintain your Website account and personalize your experience.

We do not access or store Discord message content for our features at this time. If we introduce a feature that requires processing message content in the future, we will update this policy and clearly describe the scope and retention.

Specific use cases:

  • Discord User Profile: Your username, profile picture, and any data related to your Discord user profile is provided via the Discord API based on your Discord ID, only when needed.
  • Statistics: When statistics are provided by our Services, we only keep aggregated and anonymized data in our database.
  • Website Accounts: When you sign in with Discord on the Website, we create an account record containing your Discord user ID, username (and discriminator where applicable), and avatar URL.

How your information may be shared

In short: We only share information with your consent, to comply with laws, to provide you with services, to protect your rights, or to fulfill business obligations.

In general, we have no business needs that justify, nor direct interests in, sharing your information with other entities.

We may process or share your data that we hold based on the following legal bases:

  • Consent: If you have given specific consent to use your personal information for a specific purpose.
  • Legitimate Interests: When it is reasonably necessary to achieve our legitimate business interests.
  • Performance of a Contract: Where we have entered into a contract with you and need to fulfill its terms.
  • Legal Obligations: Where we are legally required to do so to comply with applicable law, governmental requests, judicial proceedings, court orders, or legal processes (including responses to public authorities for national security or law enforcement requirements).
  • Vital Interests: Where necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person, illegal activities, or as evidence in litigation.

Service providers (subprocessors): We use third-party providers to host and deliver our Services. This currently includes Hetzner (infrastructure/database hosting) and Cloudflare (security/CDN). Where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards (e.g., Standard Contractual Clauses).

How long information is kept

We will only keep your personal information for as long as it is necessary for the purposes set out in this privacy policy, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements).

When we have no ongoing legitimate business need to process your personal information, we will automatically delete your data if you're out of the scope of our services, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

Website session cookies expire on logout or after 7 days of inactivity. Account records created via Discord sign-in (Discord user ID, username/discriminator where applicable, avatar URL) are kept while your account remains active and are deleted within a reasonable period after account deletion or prolonged inactivity.

How we keep your information secure

We have implemented appropriate technical and organizational security measures designed to protect the security of any personal information we process. However, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the services within a secure environment.

Examples of measures we implement include:

  • User Identification and Discord End User Data Processing: Wherever possible, the only identification key related to you that is stored on our system is your Discord ID. Your username, message content, data you provide to Discord, etc. is accessed via the Discord API using your Discord ID, while a minimal amount of data is stored in our Services.
  • Encryption at Rest: Data stored by our Services is encrypted at rest using industry-standard algorithms (e.g., AES-256-GCM).
  • Encryption in Transit: Data processed by our Services, or transferred between different components of our infrastructure, is encrypted in transit (e.g., TLS 1.2+).
  • Authentication, Authorization, Auditing: Security measures ensure only authorized users can access stored data.
  • Infrastructure Security: Data is segregated into different components of our infrastructure with technical and organizational measures to minimize the chance of unauthorized access.
  • Operational practices: Role-based access controls, regular security updates, and monitoring appropriate to the scale of our Services.

(Note: We avoid overclaiming specific technologies beyond what we actually use.)

Your privacy rights

If you are a resident in the European Economic Area and you believe we are unlawfully processing your personal information, you have the right to complain to your local data protection supervisory authority. You can find their contact details here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

If you are a resident in Switzerland, the contact details for the data protection authorities are available here: https://www.edoeb.admin.ch/edoeb/en/home.html.

If you are a resident in the EEA/UK, you also have the right to request access, correction, deletion, restriction, objection to processing, and data portability. To exercise these rights, contact us using the details below.

Children's privacy

Our Service does not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from anyone under the age of 13 without verification of parental consent, we take steps to remove that information from our servers.

If we need to rely on consent as a legal basis for processing your information and your country requires consent from a parent, we may require your parent's consent before we collect and use that information.

Policy updates

We may update this privacy policy from time to time. The updated version will be indicated by an updated "Revised" date and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy policy, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy policy frequently to be informed of how we are protecting your information.

Material changes will include any future introduction of features that process Discord message content.

Data removal

To request your data to be removed, please contact us as described below.

You may also request deletion of your Website account created via Discord sign-in; upon verification, associated profile fields (Discord user ID, username/discriminator where applicable, avatar URL) will be deleted within a reasonable period, subject to backup and legal retention requirements.

Contact us

If you have any questions about this Privacy Policy, you can contact us: