Privacy Policy — Aetlis.io Skins

This page explains what data we collect, why we collect it, and what we do with it. We tried to keep it readable.

1. What we collect

1.1 — Discord login data

When you log in via Discord OAuth, we get:

Discord User ID — your unique Discord account identifier
Username — your Discord display name
Discriminator — stored for legacy reasons, largely deprecated by Discord now
Avatar URL — your profile picture link

We don't have access to your password, email, or DMs. Ever.

1.2 — Session data

Type	Why	How long
`session_token`	Keeps you logged in	24h or until you log out
IP address	Security & abuse prevention	30 days
User agent	Browser compatibility	30 days

1.3 — Content you upload

Skin images — the files you submit (PNG, JPEG, WebP)
Metadata — skin name, upload time, public/private status
Favorites — skins you've saved
Moderation records — accept/reject decisions and any notes attached

1.4 — Discord roles

Our bot checks your roles in the Aetlis.io Discord server to figure out what you can do on the platform:

Admin — full access
Moderator — can review and moderate pending skins
Regular user — upload and browse

Role checks happen at login and when you hit protected endpoints. Results are cached for 30 seconds to avoid hammering the Discord API.

2. How we use it

2.1 — Running the service

Authenticating and identifying you
Showing your username and avatar alongside your skins
Processing uploaded skins through the moderation queue
Managing your favorites and gallery
Enforcing permission levels

2.2 — Moderation

Reviewing content for ToS compliance
Keeping audit logs and moderator leaderboard stats
Detecting and blocking abuse or spam
Enforcing bans

2.3 — Improving things

Monitoring performance and error rates
Understanding how features get used

3. Storage & security

Security measures

All connections over HTTPS/TLS
Session tokens with expiration and secure flags
SQLite database with restricted server access
Uploaded files stored in isolated directories
Role-based access control on both frontend and backend

3.1 — File storage

Uploaded skins are stored in separate directories by status:

/storage/pending/ — awaiting moderation
/storage/accepted/ — approved, assigned random IDs

3.2 — Retention

Data	How long we keep it
User profile (Discord data)	Until deletion or 1 year of inactivity
Accepted public skins	Indefinitely (until deleted or violated)
Pending skins	Until accepted or rejected
Rejected skin files	Deleted immediately on rejection
Rejected skin metadata	Kept for resubmission tracking
Moderation audit logs	90 days
Ban records	Permanent or until manually lifted

4. Third parties

4.1 — Discord

We use Discord's OAuth for login. When you authenticate, you're redirected to Discord's servers — we only receive what you authorize. You can read Discord's own privacy policy at discord.com/privacy.

4.2 — No ads, no selling data

We don't sell your data. We don't share it with advertisers. We don't use any third-party tracking or analytics services. No tracking pixels, no behavioral profiling.

4.3 — Legal stuff

We may share data if the law requires it — court orders, fraud investigations, illegal content, that kind of thing. We'll only do it when we have to.

5. Your rights

5.1 — What you can do

View your data — your skins, favorites, and profile are visible in the app
Download your data — request a JSON export via Discord support
Delete your skins — remove any of your uploads at any time
Delete your account — contact us on Discord and we'll wipe everything

5.2 — Opt-out options

Public visibility — set skins to private when uploading
Sessions — log out anytime to invalidate your token
OAuth access — revoke via Discord's Authorized Apps settings

6. Cookies

We only use essential cookies:

Cookie	Purpose
`session_token`	Keeps you logged in
`oauth_state`	Secures the OAuth flow (temporary)

No third-party cookies. No tracking. No advertising cookies of any kind.

7. Children (COPPA)

Discord requires users to be at least 13, so we do too. If we find out someone under 13 has an account, we delete it. Parents or guardians can contact us through Discord to request removal.

8. International users

The service can be accessed globally. By using it, you agree to your data being processed on our servers in accordance with this policy and applicable data protection laws.

9. Changes

If we update this policy, the date at the top changes and we'll announce anything significant in the Discord server. Continued use means you're okay with the new version.

10. Contact

Privacy questions, data requests, GDPR/CCPA stuff — reach us in the Discord server via the support channel.

11. Compliance

We try our best to comply with GDPR, CCPA, COPPA, and Discord's developer terms. If you think we're falling short somewhere, let us know.