Privacy Policy

Last updated: May 2026

Wobby ("the bot", "the service") is a Discord security bot that screens members joining Discord servers. This policy explains what personal data is collected during verification, who it is shared with, how long it is kept, and your rights.

1. Who Controls Your Data

The administrator of the Discord server you joined configured and operates Wobby for their community. They are the data controller for verification records collected in their server. Wobby operates as a data processor on their behalf.

2. Legal Basis for Processing

We process personal data on the basis of legitimate interests (Art. 6(1)(f) GDPR) — specifically, the legitimate interest of Discord server communities in protecting themselves from ban evasion, bot accounts, and coordinated abuse. For EU/EEA residents, you have the right to object to processing on this basis (see Section 8).

3. What Data Is Collected

When you complete the verification flow, the following is collected and stored:

• Discord user ID and username
• IP address — used to detect VPNs, proxies, Tor exit nodes, and datacenter connections
• Browser fingerprint — screen resolution, GPU renderer and vendor (WebGL), a canvas rendering hash, CPU core count, device memory, colour depth, timezone, language, browser plugins, and user agent string. These signals are used to detect virtual machines and emulated environments.
• Submitted username — the online handle you enter during verification; used for social account scanning if enabled by the server administrator
• Risk score, verdict, and supporting analysis — the outputs of the automated assessment, including any AI-generated analysis
• Geolocation — city, region, and country derived from your IP address
• Social account scan results — publicly visible profiles associated with the submitted username (see Section 5)

4. IP Lookup — Third-Party Services

Your IP address is sent to one or more of the following services to determine whether it belongs to a VPN, proxy, Tor network, or hosting provider. These services receive only your IP address:

• iplocate.io (primary)
• ip-api.com (fallback)
• ipapi.co (fallback)
• proxycheck.io (fallback)

5. Social Account Scanning (OSINT)

If enabled by the server administrator, the username you provide is searched across public social platforms to find linked accounts. This is done by making HTTP requests directly to those platforms — no data is submitted to them beyond the username in the URL. Platforms checked include (but are not limited to): X/Twitter, Instagram, GitHub, Reddit, Twitch, YouTube, Steam, Lichess, Chess.com, HackerNews, Keybase, npm, SoundCloud, and others.

Profile bios retrieved from GitHub, Reddit, HackerNews, and Lichess may be sent to AI language model providers (see Section 6) for threat analysis.

Scan results — the list of discovered public profiles — are stored in the database and visible to the server's administrators.

6. AI Analysis — Third-Party Providers

After OSINT scanning, your Discord username, submitted username, and the text of any public bios found may be sent to AI language model providers for automated threat analysis (e.g. detecting ban-evasion patterns or flagged content). The providers used are:

• Google LLC — Gemini API (United States)
• Groq, Inc. — Groq API (United States)

Data is sent solely for the purpose of generating a moderation risk assessment. It is not used to train these providers' models under their standard API terms.

7. Cross-Server Alt Detection

If your IP address was previously associated with another Discord account verified by Wobby — even on a different server — an automated alert may be sent to the staff of the server you are joining. This alert identifies potential alternate accounts based on shared connection data. The specific server where the original verification occurred is not disclosed to staff.

8. Data Retention

Verification records, including IP addresses, browser fingerprints, and scan results, are currently retained for as long as the server administrator uses Wobby. There is no automated deletion schedule at this time. If you would like your records deleted, contact the server administrator or submit a request to us at the address in Section 10.

9. Data Security

All data is stored in a PostgreSQL database with access restricted by server. Administrators of Server A cannot view verification records from Server B. Admin access to each server's dashboard requires authentication (Discord OAuth or a per-server password).

10. Your Rights

Depending on your jurisdiction — including the EU/EEA under GDPR and the UK under UK GDPR — you may have the right to:

• Access a copy of the personal data held about you (Art. 15)
• Erasure of your personal data (Art. 17)
• Correction of inaccurate data (Art. 16)
• Objection to processing based on legitimate interests (Art. 21)
• Restriction of processing in certain circumstances (Art. 18)

To exercise any of these rights, contact us at the address below. We will respond within 30 days.

11. Contact

For privacy requests or questions: privacy@wobby.app