SYNTHET Privacy & Security Policy

Effective Date: February 10, 2026

Last Updated: February 10, 2026

legal.privacy.intro

legal.privacy.introAlt

1) Who We Are (Controller Details)

  • Legal Entity: SYNTHET Establishment
  • CR: 7053656109
  • Registered Address: Building No. 3702, Ali Ibn Abi Abdullah St., Al Narjis District, Riyadh 13343, Kingdom of Saudi Arabia
  • Privacy Contact: [email protected]
  • Support: [email protected]

For certain processing activities, we act as a data controller (e.g., billing/account administration). For others, we process data on behalf of Guild administrators (e.g., guild configuration storage) as needed to provide the Service.

2) Key Privacy Commitments (No Ambiguity)

  • Data minimization: We collect only what is necessary to operate the Service, secure it, provide support, handle billing, and comply with legal obligations.
  • No selling of data: We do not sell personal data.
  • No ad targeting using Discord data: We do not disclose Discord data to ad networks or data brokers.
  • Strict access control: All access to restricted data is role-based and logged.
  • Security by default: Encryption, least privilege, and audit trails are mandatory across layers.
  • Dispute handling is minimized: We retain only limited billing evidence required to investigate issues and defend disputes/chargebacks, under strict access controls.

3) Definitions

  • Personal Data: Any data that can identify an individual directly or indirectly (PDPL concept).
  • Discord Data: Data obtained via Discord APIs (user IDs, guild IDs, etc.). Discord imposes restrictions on retention and use.
  • Guild/Server: A Discord server where the bot is installed.
  • Billing Evidence (Limited): Minimal transaction identifiers and reconciliation artifacts required to resolve billing issues and defend payment disputes.

4) What We Collect (Strict Allowlist)

We operate a PII Allowlist Registry internally. If data is not in the allowlist, it is not stored.

4.1 Discord Identifiers and Technical Basics (Required)

  • Discord User ID (numeric)
  • Discord Guild (Server) ID (numeric)
  • Discord Role/Channel IDs (where needed for configuration)
  • Bot command interaction metadata (timestamp, guild ID, command name, success/failure code)
  • OAuth authorization tokens (stored as provider tokens; scoped; revocable)

4.2 Configuration Data (Guild Settings)

We store only the configuration required to deliver enabled features, e.g.:

  • module enable/disable flags
  • rule sets, thresholds, templates, schedules
  • RBAC mappings (capabilities per role) for your guild dashboards

4.3 Billing and Subscription Data (If You Purchase)

We store only the minimum billing data required to operate subscriptions and comply with accounting/tax obligations:

  • plan, term, status (active/past_due/canceled)
  • provider customer/subscription IDs (tokens)
  • invoice IDs, invoice numbers
  • VAT rate and amounts, currency, timestamps
  • payment method tokens only (never full card numbers)

If required for invoice delivery or payment routing, we may collect:

  • billing email (only when necessary; otherwise not stored)

4.3.1 Dispute/Chargeback Evidence (Minimal, Strict)

If there is a billing dispute/chargeback or billing investigation, we may retain limited transaction evidence required to:

  • reconcile payments,
  • verify entitlement history, and
  • defend against fraud/disputes.

This limited evidence may include:

  • provider transaction IDs, customer/subscription IDs
  • invoice/receipt identifiers
  • timestamps, amounts, currency, VAT amount/rate
  • dispute/chargeback status and provider reason codes
  • webhook event IDs, idempotency keys, and non-sensitive processing outcomes (success/failure, correlation IDs)

We do not store full card numbers (PAN) or CVV. Payment details are handled by the payment provider(s).

4.4 Support Data (If You Contact Us)

  • your Discord user ID and guild ID
  • ticket content you submit (free text, attachments you choose to provide)
  • diagnostic references (request IDs, timestamps, non-sensitive logs)

4.5 What We Do Not Collect (Hard Prohibitions)

We do not intentionally collect or store:

  • Discord private message content for analytics/ads
  • full payment card data (PAN/CVV)
  • national ID/iqama, passport data
  • full address or phone number unless legally mandated and explicitly declared
  • message content unless required by a feature you explicitly enable and Discord permissions allow (see Section 5)

Discord developer rules also prohibit scraping and retaining data longer than needed.

5) How We Use Data (Purpose Limitation)

We use data strictly for:

  • Providing the Service: executing commands, applying settings, generating configured messages, operating modules
  • Security & abuse prevention: rate limiting, detecting suspicious admin actions, protecting servers
  • Billing & compliance: subscription activation, entitlement enforcement, invoicing/VAT records where applicable
  • Support & troubleshooting: resolving issues and improving reliability
  • Product improvement (non-PII): aggregated metrics (e.g., total commands run per day) without identifying individuals
  • Dispute handling: investigating billing issues and defending charge disputes/chargebacks using minimal billing evidence only

We do not use Discord data for advertising or unrelated purposes.

6) Legal Bases and PDPL Alignment

Where applicable, processing is based on one or more of:

  • performance of a contract (providing the Service you request)
  • legitimate interest (security, fraud prevention, service reliability), balanced with user rights
  • consent (where required, e.g., optional features)
  • legal obligation (tax invoicing, accounting retention, dispute handling where required)

PDPL establishes obligations for controllers, protections for individuals, and conditions for processing and transfer.

7) Data Sharing (Who We Share With)

We share data only with:

  • Payment providers / MoR for checkout, billing, fraud checks (tokens and billing metadata only)
  • Infrastructure vendors (hosting, storage, monitoring) strictly to operate the Service
  • Legal/Compliance if required by law, regulator, or court order
  • Discord implicitly via API calls required to execute bot actions on your guild

7.1 Disputes/Chargebacks

If a dispute/chargeback occurs, we may provide limited transaction evidence to the payment provider, MoR, or card network as required to investigate and respond to the dispute. This disclosure is limited to what is necessary and is not used for marketing.

We do not sell personal data and do not share Discord data with ad networks/data brokers.

8) Cross-Border Data Transfers (KSA)

If personal data is transferred outside the Kingdom of Saudi Arabia, we will apply safeguards consistent with PDPL cross-border transfer principles and, where applicable, SDAIA's contractual transfer frameworks (e.g., Standard Contractual Clauses).

We will disclose hosting regions and transfer posture in the Dashboard or Trust page as part of transparency.

9) Data Retention (Minimize by Default)

We retain personal data only as long as necessary for:

  • service delivery
  • security/abuse prevention
  • billing/accounting compliance
  • dispute handling

9.1 Default retention rules (baseline)

  • Configuration: while the bot remains installed and the feature is enabled
  • Security audit logs: limited retention, then archived; access restricted
  • Webhook payloads: short-lived storage for reconciliation only
  • Invoices/accounting artifacts: retained per legal/accounting requirements; kept minimal

9.2 Dispute/Chargeback evidence retention (Hard, minimized)

When a billing dispute/chargeback or investigation occurs, we may retain limited billing evidence (as defined in Section 4.3.1) for the minimum period required to:

  • resolve the dispute,
  • comply with provider/card network rules, and
  • satisfy legal/accounting obligations.

Controls:

  • stored in restricted-access billing/security vaults
  • access is role-based and logged
  • unnecessary fields are excluded; sensitive fields are redacted where possible
  • evidence is deleted or minimized after the dispute window closes, subject to mandatory legal retention

Discord's own policies emphasize not retaining data longer than necessary for app operation.

10) Your Rights and Controls

Depending on your jurisdiction (including KSA PDPL), you may have rights such as:

  • access and correction
  • request deletion where applicable
  • withdraw consent for optional features
  • object to certain processing (where legally applicable)

Practical controls:

  • disable modules (stops future processing for that module)
  • remove the bot from your guild (stops processing except limited retention required for security/accounting/disputes)
  • contact [email protected] for requests

11) Security Measures (What We Actually Do)

We implement layered security controls, including:

11.1 Encryption

  • TLS in transit for all web/API traffic
  • encryption at rest for restricted fields
  • key rotation support (versioned keys)

11.2 Access Control / RBAC

  • customer dashboards governed by guild RBAC
  • operator portal governed by separate operator RBAC/ORBAC
  • least privilege default; deny-by-default for sensitive actions

11.3 Audit Logging

  • all privileged actions logged (who/what/when/outcome/correlation ID)
  • redaction of restricted fields from logs

11.4 Webhook and Payment Security

  • signed webhooks verified
  • idempotent ingestion to prevent replay abuse
  • anomaly detection for out-of-order billing events

11.5 Secure Development Practices

  • dependency vulnerability monitoring
  • environment separation (dev/stage/prod)
  • secrets stored in managed secret stores; no secrets in repo
  • rate limiting and abuse controls on critical endpoints

12) Operator Access and Internal Controls

Operator tools are the most sensitive. Therefore:

  • mandatory MFA for operator accounts
  • short session TTLs
  • strict separation between customer RBAC and operator RBAC
  • time-boxed overrides with dual audit trail
  • "break-glass" accounts stored and controlled under special policy

Billing evidence and dispute artifacts are restricted to the smallest possible operator group and are always audited.

13) Children / Age-Restricted Use

The Service is intended for use by users who can legally consent under applicable law and Discord's rules. Discord may apply its own safety and age verification processes.

14) Incident Response

If we detect a security incident involving restricted data:

  • contain and remediate
  • rotate keys/tokens as needed
  • notify affected parties where legally required
  • preserve evidence in a restricted incident vault (access-controlled)

15) Changes to This Policy

We may update this Policy. Material changes will be notified via the Dashboard or website with an updated "Last Updated" date.

16) Contact