Privacy Policy

Last updated: February 23, 2026 | Effective: March 14, 2026

1. Introduction

Phosphor Technologies operates Supervisor, an AI-powered content moderation service. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our services. We are committed to transparency and compliance with the UK General Data Protection Regulation (UK GDPR).

Our servers are self-hosted and located in the United Kingdom. We operate as a sole proprietor under UK law.

2. Information We Collect

2.1 Account and Authentication Information

When you create an account through OAuth providers, we collect:

  • Email address (from OAuth provider)
  • Username, display name, and profile information
  • OAuth provider identifiers (Discord ID, Google ID, or GitHub ID)
  • Profile pictures and avatar URLs
  • Account creation and last login timestamps

2.2 API Usage and Credit Tracking

To provide and bill for our services, we collect:

  • API key usage counts and timestamps
  • Credits consumed per API request
  • Bytes of content processed per request
  • AI model type used (Observer, Sentinel, or Arbiter)
  • Credit transaction history and transaction types
  • Subscription tier and renewal dates

2.3 Discord Bot Data Collection

When you use our Discord bot for automated moderation, we collect:

  • Discord Guild (Server) Information: Guild ID, name, owner ID, configured channels, and role lists
  • Message Content: The bot accesses message content to perform moderation analysis. Messages are sent to our backend API for AI processing
  • Message History: Up to 50 previous messages from the same author may be collected for contextual analysis, depending on your configuration
  • User Identifiers: Discord user IDs, usernames, and assigned roles
  • Moderation Configuration: Channel selections, enabled labels, moderation actions, excluded/included roles, and alert channel settings

The Discord bot discloses this data collection during setup. Message content is processed in real-time. Raw message text is not permanently stored for standard moderation requests, but moderator feedback actions may trigger creation of anonymised/synthetic derived dataset entries (see Section 4 for details).

2.4 Technical and Usage Information

We automatically collect technical information:

  • IP addresses (collected for rate limiting on demo endpoints)
  • Browser type and user agent
  • Request timestamps and response times
  • Error logs and debugging information
  • Application performance metrics

2.5 Payment Information

We use Stripe to process payments. We store:

  • Stripe customer IDs and payment intent IDs
  • Payment amounts, currency, and transaction status
  • Transaction dates and descriptions
  • Subscription plan selections

We do not store complete credit card numbers or full payment card details. This information is handled directly by Stripe according to their Privacy Policy.

2.6 Content Processing

Regarding content submitted for moderation:

  • Text content is processed in real-time by our AI models
  • Raw text content is not permanently stored after standard moderation processing
  • Moderation scores are temporarily cached (see Section 4.5)
  • Only aggregated statistics (bytes processed, model used) are retained for billing
  • If moderator feedback is submitted on flagged content, the original message may be processed transiently to generate an anonymised/synthetic derived moderation dataset record
  • Anonymised/synthetic derived dataset records may be retained for service improvement and dataset curation (see Section 4.7)

3. How We Use Your Information

We process your personal data under the following legal bases:

3.1 Contract Performance

To provide our services to you, we use your information to:

  • Authenticate your identity and manage your account
  • Process API requests and return moderation results
  • Track credit usage and enforce usage limits
  • Process payments and manage subscriptions
  • Provide customer support and respond to inquiries

3.2 Legitimate Interests

To operate and improve our services, we:

  • Analyze usage patterns to improve AI model accuracy
  • Monitor system performance and detect technical issues
  • Detect and prevent fraud, abuse, and security threats
  • Debug errors and maintain service reliability

3.3 Legal Obligations

We may process data to:

  • Comply with UK tax and accounting requirements (HMRC)
  • Respond to valid legal requests and court orders
  • Enforce our Terms of Service

3.4 Consent

With your explicit consent, we may:

  • Send you service updates and feature announcements (when email service is implemented)
  • Use feedback you provide to improve our services

4. Data Retention

We retain different types of data for different periods based on legal requirements and operational needs:

4.1 Account Data

Retention: Until account deletion

Your account information (email, Discord ID, OAuth data) is retained for as long as your account remains active. You can request account deletion at any time through your dashboard settings.

4.2 OAuth Tokens

Retention: Until account deletion

Discord OAuth access and refresh tokens are stored in our database to enable Discord integration features. These tokens are deleted when you delete your account.

4.3 Payment and Billing Records

Retention: At least 5 years after the transaction

Under UK tax law (HMRC requirements for sole traders), we must retain payment records, invoices, and transaction history for a minimum of 5 years from the 31 January deadline following the relevant tax year.

4.4 Application Logs

Retention: Indefinite

Application logs (containing error messages, system events, and debugging information) are currently retained indefinitely. We are working on implementing automated log rotation policies.

4.5 Temporary Content Caching

Retention: 24 hours

To improve performance, moderation scores are cached in Redis for 24 hours using SHA-256 hashes of the content (not the actual text). This prevents duplicate processing of identical content. The cache automatically expires after 24 hours.

4.6 Moderated Content

Retention: Not stored

For standard moderation requests, raw text content submitted for moderation is processed in memory and is not written to disk or stored in our database. The content exists only during the API request lifecycle.

4.7 Anonymised/Synthetic Feedback Datasets

Retention: Indefinite (currently)

When moderator feedback is submitted on flagged content, we may generate and store an anonymised/synthetic derived text record with identifying details removed or generalised. These records are used for moderation dataset curation, testing, and service improvement. We aim not to store raw message text in these datasets. These records are currently retained until deleted or reprocessed as part of dataset maintenance.

5. Data Sharing and Disclosure

We do not sell or rent your personal information to third parties.

5.1 Service Providers

We share data with the following third-party service providers:

5.2 Legal Requirements

We may disclose your information if required to:

  • Comply with valid legal processes (court orders, subpoenas, warrants)
  • Respond to requests from law enforcement or government authorities
  • Protect our legal rights and property
  • Investigate and prevent fraud, security incidents, or abuse
  • Protect the safety and rights of our users and the public

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred to the acquiring entity. We will notify you via email and/or dashboard notice before your data is transferred and becomes subject to a different privacy policy.

6. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

6.1 Technical Measures

  • Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS (Transport Layer Security)
  • Encryption at Rest: Database data is stored with encryption
  • API Key Security: API keys are hashed using Argon2 before storage (we cannot retrieve your original API key)
  • JWT Authentication: Session tokens use cryptographic signatures with 24-hour expiration
  • Rate Limiting: Automated abuse prevention through request rate limiting
  • Access Controls: Database and system access restricted to authorized personnel only

6.2 Organizational Measures

  • Self-hosted infrastructure in the UK with physical security controls
  • Regular system monitoring and log review
  • Incident response procedures for security breaches
  • Regular software updates and security patches

6.3 Limitations

While we strive to protect your data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. If you discover a security vulnerability, please report it to privacy@phosphor.gg.

7. Your Rights Under UK GDPR

Under UK GDPR, you have the following rights regarding your personal data:

7.1 Right of Access

You can request a copy of all personal data we hold about you. This includes account information, usage history, and credit transactions.

7.2 Right to Rectification

You can update inaccurate or incomplete personal information through your dashboard settings or by contacting us.

7.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your account and associated personal data. Note that we must retain payment records for 5 years to comply with UK tax law (HMRC requirements).

7.4 Right to Data Portability

You can request to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV).

7.5 Right to Object

You can object to processing of your personal data where we rely on legitimate interests as our legal basis.

7.6 Right to Restrict Processing

You can request that we temporarily restrict processing of your data in certain circumstances (e.g., while we verify data accuracy).

7.7 Rights Related to Automated Decision-Making

Our AI moderation system makes automated decisions about content (flagging, deletion). Under Article 22 of UK GDPR, you have the right to:

  • Be informed when automated decision-making is used
  • Receive an explanation of the decision
  • Contest the decision

Current Limitation: We do not currently offer a formal appeal process for automated moderation decisions. We are working on implementing a human review mechanism. In the meantime, you can contact us to discuss specific moderation decisions.

7.8 How to Exercise Your Rights

To exercise any of these rights, please email us at privacy@phosphor.gg with:

  • Your full name and registered email address
  • A description of your request
  • Proof of identity (to prevent unauthorized access)

We will respond to your request within 30 days (one month) as required by UK GDPR.

8. Cookies and Tracking Technologies

We use cookies and similar technologies for:

8.1 Essential Cookies

Required for the service to function:

  • Authentication and session management (JWT tokens)
  • Security and fraud prevention
  • Load balancing and performance optimization

8.2 Analytics

We use the following services for analytics:

  • Cloudflare Analytics: Website traffic and performance metrics
  • Google Search Console: Search appearance and indexing data
  • Bing Webmaster Tools: Search engine indexing data

8.3 Cookie Control

You can control cookies through your browser settings. However, disabling essential cookies will prevent you from using certain features of our service (e.g., staying logged in).

9. International Data Transfers

Our servers are located in the United Kingdom, and we are a UK-based sole proprietor. Your data is processed and stored within the UK.

Some of our third-party service providers (Stripe, Cloudflare, Google, Microsoft, Discord, GitHub) may transfer data internationally. These providers implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office
  • Adequacy decisions by the UK government
  • Compliance with UK GDPR requirements for international transfers

If you are located outside the UK and use our services, your data will be transferred to and processed in the UK.

10. Children's Privacy

Our services are not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13.

Discord requires users to be at least 13 years old. By using our Discord bot integration, you represent that you meet Discord's age requirements.

If you are a parent or guardian and believe we have collected information from a child under 13, please contact us immediately at privacy@phosphor.gg, and we will delete such information.

11. Third-Party Links and Services

Our website and service may contain links to third-party websites, services, or integrations (such as OAuth providers and Discord). We are not responsible for the privacy practices of these external parties.

We encourage you to review the privacy policies of any third-party services you use:

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements.

12.1 Notification of Material Changes

If we make material changes to how we process your personal data, we will notify you by:

  • Displaying a prominent notice in your dashboard
  • Updating the "Last updated" date at the top of this policy
  • Sending email notifications (once email service is implemented)

12.2 Your Acceptance

Continued use of our services after changes to this policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you should discontinue use of our services and may request account deletion.

12.3 Review Recommendation

We recommend reviewing this Privacy Policy periodically to stay informed about how we protect your information.

13. UK-Specific Information

13.1 Legal Basis for Processing

We process your personal data under UK GDPR based on:

  • Contract: Processing necessary to provide our services
  • Legitimate Interests: Fraud prevention, security, and service improvement
  • Legal Obligation: UK tax and accounting compliance (HMRC)
  • Consent: Optional communications and analytics

13.2 ICO Registration

We are registered with the UK Information Commissioner's Office (ICO) as a data controller under the Data Protection Act 2018.

13.3 Complaints to the ICO

You have the right to lodge a complaint with the UK Information Commissioner's Office if you believe we have not handled your personal data appropriately:

14. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to know whether personal information is sold or disclosed (we do not sell personal information)
  • Right to opt-out of the sale of personal information (not applicable - we do not sell data)
  • Right to deletion of personal information
  • Right to non-discrimination for exercising CCPA rights

To exercise these rights, contact privacy@phosphor.gg.

15. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all privacy inquiries within 30 days.