Privacy Policy
Last Updated: June 2026
1. Information We Collect
1.1 Discord Account Information
Logging in with Discord always gives us:
- Discord User ID — your unique Discord identifier
- Discord Username — your display name (publicly visible)
- Discord Avatar — your profile picture (publicly visible)
If you also choose to join our community Discord server at login, we store your Discord OAuth tokens (access + refresh) in encrypted form. See Section 2.
We never receive your Discord email, password, messages, or DMs.
1.2 Automatically Collected Information
- IP Address (hashed) — hashed with HMAC-SHA256 before storage. Retained for abuse prevention and ban enforcement: up to 18 months from your last activity, or as long as an active ban references the hash.
- Session Data — temporary login tokens (expire after 7 days).
- Page Views — when you open an exploit while logged in, we record one view per exploit tied to your account so each viewer is counted once. See Section 9 for retention and what happens on account deletion.
1.3 User-Generated Content
What you submit — exploits (name, description, media, versions), comments, and votes — is publicly visible and shown alongside your Discord username, unless you enable "hide discord profile" in settings.
2. Discord OAuth
DupeDB uses Discord OAuth for login. At login we ask whether you want to join our community Discord server — your choice determines what we request from Discord:
- If you join: we request identify and guilds.join, add you to the server, and store your encrypted OAuth tokens so we can re-add you to a successor server if we ever migrate. You can leave the server any time.
- If you opt out: we request only identify. No server-add, no OAuth tokens stored.
In both cases identify shares only your Discord user ID, username, and avatar. We never see your password, messages, DMs, friends, or other servers. Revoke access any time via Discord → Authorized Apps.
3. How We Use Your Information & Legal Basis
For users in the EEA, UK, or Switzerland, the GDPR Article 6 legal basis is noted per purpose:
- Provide the Service — display exploits, process submissions, show comments. (Art. 6(1)(b) — contract.)
- Identify You — show your Discord username and avatar on your contributions. (Art. 6(1)(b) — contract.)
- Prevent Abuse — detect and block malicious users, hash IPs, enforce bans. (Art. 6(1)(f) — legitimate interests.)
- Moderation — review and manage user content. (Art. 6(1)(f) — legitimate interests; Art. 6(1)(b) for the submitter.)
- Community Discord Server (optional) — add you to our server if you grant guilds.join. (Art. 6(1)(a) — consent; withdraw any time by leaving the server or revoking DupeDB in Authorized Apps.)
- Legal Compliance — respond to lawful requests and protect our rights. (Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests.)
4. Data Storage & Security
- No passwords stored — Discord handles authentication.
- Session tokens — cryptographically random.
- IP hashing — HMAC-SHA256, one-way; we never store raw IPs.
- OAuth token encryption — Discord tokens are encrypted at rest with AES-256-GCM.
- Security headers + CSRF protection — standard web hardening; OAuth state tokens prevent CSRF.
No method of internet transmission is 100% secure. We take reasonable precautions but cannot guarantee absolute security.
5. Cookies & Local Storage
DupeDB uses minimal client-side storage:
- Authentication Token — Stored in your browser to maintain your login session
- User Preferences — May store filter/sort preferences locally
We do not use third-party tracking cookies or advertising cookies.
6. Third-Party Services
We rely on the following third-party services. Each may receive your IP address when your browser connects to them. We do not directly share any other personal information with these providers:
- Discord — For authentication and the optional community server (subject to Discord's Privacy Policy).
- YouTube — When users embed YouTube videos in submissions, we use the privacy-enhanced youtube-nocookie.com domain for video playback. Video thumbnails load from img.youtube.com, which may receive your IP address. Subject to Google's Privacy Policy.
- jsDelivr (cdn.jsdelivr.net) — Public CDN used to load the optional Discord widget on our contact page (only after you choose to load it).
- WidgetBot — Renders the embedded Discord widget on our contact page (only if you click to load it). Subject to WidgetBot's Privacy Policy.
We do not sell, trade, or share your personal information with third parties for marketing or advertising purposes. We do not use third-party analytics or advertising trackers.
7. Data Sharing
We share information only in these cases:
- Public content — your submissions, comments, and Discord username/avatar are publicly visible.
- Legal requirements — when required by law or valid legal process.
- Protection — to protect our rights, safety, or property.
8. Your Rights
All users have the right to:
- Access — View your account information and your submissions in the account menu.
- Revoke Access — Disconnect DupeDB from your Discord account via Discord's "Authorized Apps" settings.
- Account Deletion — Delete your account under "My Profile" in the account menu. See Section 12 for how account deletion interacts with verified content.
If you are in the EEA, UK, or Switzerland, you also have these rights under GDPR / UK GDPR:
- Right of access (Art. 15) — Obtain a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — Correct inaccurate or incomplete personal data. Your Discord username and avatar are synced from Discord — update them in Discord and they will refresh on DupeDB.
- Right to erasure (Art. 17) — Request deletion of your data. You can delete individual comments from "My Comments"; account-level deletion is described in Section 12. Exception: verified sightings can't be self-deleted (they're public affected-server records) — contact us to request removal.
- Right to restriction (Art. 18) — Request that we limit processing of your personal data in specific circumstances.
- Right to data portability (Art. 20) — Receive your data in a machine-readable format.
- Right to object (Art. 21) — Object to processing based on legitimate interests, including our abuse-prevention processing of hashed IP addresses.
- Right to withdraw consent (Art. 7) — Withdraw consent for any consent-based processing at any time. Withdrawal does not affect the lawfulness of prior processing.
- Right to lodge a complaint — File a complaint with your local data protection supervisory authority. A list is available at edpb.europa.eu/about-edpb/about-edpb/members_en.
To exercise any right, open a ticket in our Discord #create-ticket channel (fastest) or email contact@dupedb.net. We respond within 30 days and may verify your identity via your Discord-linked account before acting.
9. Data Retention
- Account Data — Retained while your account is active. Deleted (or pseudonymized — see Section 12) when you delete your account.
- Session Data — Expires after 7 days.
- Discord OAuth Tokens — Only stored if you joined the community Discord server at login. When stored: encrypted at rest, cleared if Discord invalidates them (e.g., you revoked DupeDB in Authorized Apps), deleted with your account.
- IP Address Hashes — Retained for up to 18 months from your last activity, or as long as an active ban references the hash, whichever is longer. We never store raw IP addresses.
- Public Content (verified) — Retained indefinitely as part of the public archive. Authorship may be pseudonymized after account deletion — see Section 12.
- View Records — For logged-in viewers, we keep one (account, exploit, timestamp) row per exploit you've opened so the counter is deduplicated. When you delete your account, the account reference on these rows is anonymized (the user link is removed) but the (exploit, timestamp) entries are retained as part of the aggregate per-exploit totals.
10. Children's Privacy
DupeDB is not intended for children. We do not knowingly collect personal information from anyone below the minimum age in their jurisdiction (13 in the US and UK; 13–16 in EEA member states under GDPR Article 8). If you believe a child has provided personal information to us, contact us as described in Section 8 and we will delete the account.
11. International Data Transfers
DupeDB is operated from the United States and hosted on servers in the Netherlands (European Union). For EEA / UK users, your data stays within the EU when stored and processed. For users outside the EU, your data is transferred to and processed in the Netherlands under EU data-protection law.
Where required by GDPR / UK GDPR, we rely on appropriate safeguards for transfers between the EU and US (e.g., Standard Contractual Clauses, the UK IDTA). For details, contact us as described in Section 8.
12. Account Deletion & the Public Archive
You can delete your DupeDB account at any time under "My Profile" in the account menu, or by contacting us as described in Section 8. When you delete your account:
- Hard-deleted: your comments, replies, unverified sightings, votes, session data, stored OAuth tokens (if any), and any pending exploit submissions.
- Pseudonymized: your verified exploits and verified sightings stay in the public archive. The displayed author is replaced with "[deleted]" and the user-ID link is removed. The content itself stays under the CC BY 4.0 license you granted at submission.
- Retained briefly: if you had an active ban, the hashed IP linked to it is kept per Section 9 to prevent evasion.
You can also delete individual comments any time from "My Comments" (verified sightings are the exception — see Section 8). If a specific verified submission or sighting warrants full removal rather than pseudonymization (e.g., it contains personal information), contact us.
13. California Privacy Notice
For California residents: DupeDB is a non-commercial, free service and does not meet the CCPA / CPRA revenue or volume thresholds. We voluntarily commit to:
- No sale or sharing of personal information (as defined under California law). No cross-context behavioral advertising.
- Categories collected: identifiers (Discord user ID, username, avatar), internet activity (hashed IP, per-account exploit view records), and user-generated content (submissions, comments, votes). Sources, purposes, and retention are in Sections 1, 3, and 9.
- Access, deletion, and correction requests — contact us as described in Section 8.
- No discrimination for exercising these rights.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date.
We encourage you to review this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.
DupeDB is operated by Vibe Archives LLC.