Privacy Policy
Last updated: 2026-06-19.
Who we are
head-mod is an AI-assisted Discord moderation service operated by Ayo Software & Design UG (haftungsbeschränkt), Anemonenweg 1, 47447 Moers-Kapellen, Germany. The data controller for the purposes of the GDPR is the UG, represented by managing director Paul Gößmann (see Imprint). Privacy contact: impressum@ayo-service.de.
Message content handling (Discord MESSAGE_CONTENT intent)
The most common question we get is: do you store and train on Discord message content? Short, plain answers:
- Yes, we store message content outside Discord — but only from channels the bot was invoked in: ticket channels, DM conversations, channels where a user opened a session by mentioning the bot. We do not scrape unrelated channels.
- No, message content is never used to train external AI models. Our AI providers (Google Gemini, OpenAI) operate under their standard API terms, which contractually prohibit training on customer data. We do not run our own model-training pipelines.
- Content is sent to AI providers transiently for each call (intent classification, reasoning, embedding) and is not stored on the provider side beyond what their own policies describe.
- We do use operational data to improve head-mod — see the "Improving the service" section below. This means reviewing stored prompts, responses, classifier decisions, and usage metrics to debug failures, tune prompts and safety gates, and make the product more reliable. This is internal engineering and quality work; it is not the same as training a machine-learning model on your content.
- Where we do persist text — ticket transcripts, channel-session buffers (capped at 200 turns each), DM conversation history (rolling ~2-hour / 200-turn window), profile facts, audit events, AI trace prompts and responses, and knowledge-base entries — retention is documented in the "Retention" section below, and users can request erasure at any time.
What we process
When a server owner invites the head-mod bot, and when users interact with it, we process the following categories of data:
- Discord identifiers — user IDs, guild (server) IDs, channel IDs, role IDs, and message IDs. These are required to address the right channels and apply the right permissions.
- Message content — only messages the bot is invoked on (direct mentions, DMs, ticket channels, channels where an active session is open). The bot does not silently scrape unrelated channels.
- Profile facts — short text notes the AI saves about users when they ask it to remember something (name, pronouns, preferences). PII categories like passwords, government IDs, financial data, and health data are filtered out before storage.
- Moderation history — when the bot takes a moderation action (warn, timeout, kick, ban) or processes a ticket, we record the event with timestamp and actor for audit purposes.
- Usage metrics — AI-call counts, token totals, and cost-per-call (keyed to guild and, for per-user caps, to Discord user ID) so the dashboard can show usage against your plan and so we can enforce abuse limits.
- Diagnostic & trace data — to operate and debug the service we record per-call traces. These can include the full prompt and response of an AI call, classifier verdicts and confidence scores, which knowledge-base entries were retrieved, tool-call arguments and results, latency, and error/reason codes. Traces are keyed to your guild and used for reliability, security, and product-improvement work (see "Improving the service").
- OAuth session — when an administrator signs in to the dashboard via Discord OAuth, we store a signed, httpOnly session cookie (see the Cookies section below).
Lawful basis (Art. 6 GDPR)
- Performance of a contract (Art. 6(1)(b)) — processing required to run the moderation, tickets, knowledge-base, and dashboard features the server owner opted into.
- Legitimate interest (Art. 6(1)(f)) — audit logging, cost metering, basic abuse prevention, and keeping diagnostic/trace data so we can debug, secure, and improve the service (see "Improving the service"). You can object to processing based on legitimate interest at any time (see "Your rights").
- Consent (Art. 6(1)(a)) — for the explicit "remember about user" feature, which only fires when a user asks the bot to remember something.
Improving the service
We use operational data — diagnostic traces, usage metrics, classifier decisions, and, where needed, the actual prompts and responses of AI calls — to keep head-mod working and to make it better over time. Concretely, this means:
- Investigating bugs, errors, and incidents by replaying what the AI actually saw and did on a specific call.
- Measuring quality and tuning prompts, classifiers, and the safety/verifier gates so the bot makes fewer mistakes and unsafe actions.
- Producing aggregated and de-identified statistics (for example, per-model latency, cost, error rates, and feature usage) to monitor reliability and plan capacity.
What we do not do: we do not sell your data, we do not use it for advertising, and we do not feed your content into the training of third-party foundation models. Our use is internal engineering, quality, and security work. Reviews of raw content are limited to staff who need it for these purposes and are logged. Where insights can be derived from aggregated or de-identified data instead of raw content, we prefer that.
Sub-processors
We use the following processors to deliver the service. Each has its own privacy policy; we contract with them on standard GDPR-compliant terms.
| Processor | Purpose | Region |
|---|---|---|
| Discord Inc. | Source platform; OAuth sign-in | USA |
| Cloudflare, Inc. | Hosting, Workers, Durable Objects, Vectorize, D1, R2 | EU edge |
| Google LLC | AI reasoning + intent classification (Gemini) | USA / EU |
| OpenAI, L.L.C. | Content moderation pre-filter; text embeddings | USA |
| Railway Corp. | Hosting for the Discord gateway bot process | USA / EU |
| Stripe Payments Europe Ltd. | Subscription billing (only when a paid plan is purchased) | Ireland |
Transfers to processors outside the EEA rely on the European Commission's Standard Contractual Clauses (SCCs) and, where available, the EU–US Data Privacy Framework. Message content sent to AI providers is processed transiently for the duration of the call and is not used to train provider models, per the providers' enterprise terms.
Retention
- Profile facts and audit-event history are retained while the bot is in the server, and are kept after the bot is removed so that re-inviting it restores your configuration. They are deleted on a verified erasure request from the server owner or the affected user.
- Ticket transcripts are retained as configured per category (default: kept while the ticket exists; deleted when the ticket is deleted).
- DM conversation history is kept as a short rolling buffer (about the last 2 hours or 200 turns) and is cleared after a period of inactivity; it is not a permanent transcript.
- Usage-event records (for billing accuracy and abuse investigation) are retained for up to around 13 months and then anonymised or deleted.
- Diagnostic trace data — including stored AI prompts and responses — is retained on a rolling basis for debugging, security, and product-improvement purposes (we aim to keep full prompt/response blobs for roughly 30 days; aggregated metrics may be kept longer in de-identified form). It is deleted on a verified erasure request.
- Session cookies expire at logout or after the session lifetime (currently 7 days), whichever comes first.
Your rights (Art. 12-22 GDPR)
You have the right to access, correct, delete, restrict, port, or object to the processing of your personal data. To exercise any of these rights, email impressum@ayo-service.de from the address associated with your Discord account, or send a Discord DM to the head-mod bot mentioning the right you wish to exercise. You also have the right to lodge a complaint with your local data-protection authority.
Cookies
head-mod uses only strictly-necessary cookies — a signed, httpOnly session cookie used for dashboard sign-in, and a short-lived OAuth state cookie used to protect the sign-in flow against CSRF. When you open the billing page, our payment processor Stripe also sets and reads its own strictly-necessary cookies for fraud prevention; these are required to take payment securely and are not used by us for analytics or advertising. We set no analytics, advertising, or cross-site tracking cookies, so no cookie banner is shown. We may add an opt-in analytics cookie in the future; if so, this section will be updated and a banner will be added BEFORE such cookies are set.
The dashboard also uses your browser's local storage to remember interface preferences — such as which notices you have dismissed and which chat session a tab was last viewing. This data stays on your device, is strictly functional, and is not used for tracking.
Updates to this policy
We may update this policy as the service evolves. Material changes will be communicated by updating the "Last updated" date at the top, and where appropriate, via a notice in the dashboard.