Privacy Policy
Last updated: May 23, 2026
1. Introduction
SummaryBot (“we,” “us,” or “our”) operates the SummaryBot Discord bot, the web dashboard at summarybot.app, and related services (collectively, the “Service”). This Privacy Policy explains how we collect, use, store, and protect your information when you use our Service.
By using the Service, you consent to the data practices described in this policy. If you do not agree with this Privacy Policy, please do not use the Service. We encourage you to read this policy in its entirety and to also review our Terms of Service.
2. Information We Collect
We collect the following categories of information to provide and improve the Service:
2.1 Discord Data
- User IDs: Discord user identifiers for users who interact with the bot or sign in to the dashboard.
- Server (Guild) IDs: Identifiers for Discord servers where the bot is installed.
- Channel Names and IDs: Names and identifiers of channels configured for summarization.
- Message Content: The text content of messages in channels where summarization is enabled. Message content is read for the purpose of generating summaries and is sent to our AI provider for processing.
- User Display Names and Avatars: Used to display user information in the dashboard.
2.2 Integration Data
- OAuth Access Tokens: When you connect third-party services (Trello, Notion), we store OAuth tokens to maintain those connections.
- Webhook URLs: URLs you configure for receiving summary notifications.
- Board and Task Data: Information about Trello boards, Notion databases, and task data retrieved from those services in the course of syncing tasks.
2.3 Bot Feature Data
- Alert Keywords: If you set up smart alerts, we store your keyword patterns and associated Discord user ID to deliver notifications when matching messages appear.
- Board and Task Data: Task titles, descriptions, assignees, and board configurations created through SummaryBot's built-in kanban boards.
- Email Addresses: If you subscribe to daily email digests, we store your email address to deliver scheduled summary emails.
2.4 Dashboard and Account Data
- Authentication Data: Session tokens and authentication cookies used to maintain your dashboard login (via NextAuth).
- Billing Data: Payment-related information processed through Stripe. We do not store your full credit card number on our servers. Stripe handles payment processing in accordance with PCI-DSS standards.
2.5 Automatically Collected Data
- Usage Data: Basic analytics such as feature usage, command invocations, and error logs to help us improve the Service.
3. How We Use Your Data
We use the information we collect for the following purposes:
- AI-Powered Summarization: Message content from configured channels is sent to Google Gemini to generate summaries. Only message text and associated metadata (such as author display names and timestamps) necessary for generating useful summaries are transmitted.
- Task Synchronization: Extracted tasks and action items are synced to Trello and/or Notion when you have authorized those integrations.
- Webhook Delivery: Summary content is sent to webhook URLs you have configured.
- Email Digests: If you subscribe to daily email digests, summary content is compiled and sent to your email address via SendGrid.
- Smart Alerts: If you configure keyword alerts, the bot monitors messages in your server to deliver relevant notifications via Discord DM.
- Dashboard Display: Summary history, server configurations, and integration status are displayed in the web dashboard.
- Service Improvement: Aggregated, anonymized usage data helps us identify and fix issues, improve performance, and develop new features.
- Billing: Processing subscription payments and managing your account through Stripe.
4. Data Storage and Security
We take the security of your data seriously and implement appropriate technical and organizational measures to protect it:
- Database: Data is stored in PostgreSQL hosted on Supabase, a managed database platform with access controls, authentication, and encryption at rest enabled.
- Token Encryption: Third-party OAuth tokens (Trello, Notion) are encrypted at rest using AES-256-GCM encryption before being stored in our database.
- Transport Security: All data in transit between your browser, the Discord bot, and our servers is encrypted using TLS/HTTPS.
- Access Controls: Access to production systems and data is restricted to authorized personnel and follows the principle of least privilege.
While we implement robust security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
5. Data Retention
Data retention is configurable on a per-server basis by server administrators:
- Default Retention: By default, summary content and associated data are retained indefinitely to provide continuous access to your summary history in the dashboard.
- Configurable Retention: Server administrators can configure a retention period between 7 and 365 days. When a retention period is set, data older than the specified period is automatically purged.
- Raw Message Content: Raw Discord message content is processed in real time for summarization and is not permanently stored by the Service. Only the generated summary content is retained.
- Account Data: Server configuration data and integration credentials are retained for as long as the bot remains installed in the server. Upon removal, this data may be retained for up to 30 days before deletion.
6. Third-Party Services
The Service relies on and integrates with the following third-party services. Each has its own privacy policy governing how they handle your data:
Google Gemini
Message content from configured channels is sent to Google Gemini's API for AI-powered summarization. Google processes this data in accordance with their API Terms of Service.
Trello (Atlassian)
When you connect a Trello integration, task data is synced between SummaryBot and Trello. Trello processes this data under Atlassian's Privacy Policy.
Notion
When you connect a Notion integration, task data is synced between SummaryBot and Notion. Notion processes this data under Notion's Privacy Policy.
Stripe
Payment processing is handled by Stripe. When you subscribe to a paid plan, your billing information is collected and processed by Stripe in accordance with Stripe's Privacy Policy.
SendGrid (Twilio)
If you subscribe to daily email digests, your email address and digest content are transmitted to SendGrid for email delivery. SendGrid processes this data under Twilio's Privacy Policy.
Supabase
Our application data (summaries, configurations, user records) is stored in PostgreSQL databases hosted on Supabase. Supabase processes this data under Supabase's Privacy Policy.
Sentry
We use Sentry for error monitoring and crash reporting. When errors occur, diagnostic data (stack traces, request metadata) may be sent to Sentry. No message content or personal data is intentionally included. Sentry processes this data under Sentry's Privacy Policy.
7. Data Sharing
We do not sell, trade, or rent your personal information to third parties. We share your data only in the following circumstances:
- AI Summarization Provider: Message content is sent to Google Gemini solely for the purpose of generating summaries.
- Authorized Integrations: Task data is shared with Trello and/or Notion only when you have explicitly authorized those integrations.
- Email Delivery: If you subscribe to email digests, your email address and digest content are shared with SendGrid for delivery.
- Payment Processing: Billing information is shared with Stripe for processing subscription payments.
- Error Monitoring: Diagnostic error data (stack traces, request metadata) is shared with Sentry for crash reporting and service reliability.
- Legal Requirements: We may disclose your information if required to do so by law, regulation, legal process, or governmental request.
- Protection of Rights: We may disclose information when necessary to protect our rights, your safety, or the safety of others; to investigate fraud; or to respond to a government request.
8. Your Rights and Controls
Server administrators have the following controls over their data:
- Channel Opt-Out: Administrators can exclude specific channels from summarization at any time through the dashboard or bot commands.
- Retention Settings: Administrators can configure data retention periods (7–365 days) to automatically purge older data.
- Data Purge: All server data can be immediately and permanently deleted by using the /privacy purge command. This action is irreversible.
- Disconnect Integrations: Third-party integrations (Trello, Notion) can be disconnected at any time through the dashboard, which revokes stored tokens.
- Email Unsubscribe: You can unsubscribe from daily email digests at any time using the /digest unsubscribe command, which removes your email address from our records.
- Bot Removal: Removing the bot from a Discord server stops all data collection for that server. Configuration data is retained for up to 30 days before automatic deletion.
9. GDPR and Data Protection Rights
If you are located in the European Economic Area (EEA), the United Kingdom, or another jurisdiction with applicable data protection laws, you have certain rights regarding your personal data:
- Right of Access: You have the right to request a copy of the personal data we hold about you.
- Right to Rectification: You have the right to request correction of inaccurate personal data.
- Right to Erasure: You have the right to request deletion of your personal data. Server administrators can exercise this right using the /privacy purge command or by contacting us at [email protected].
- Right to Restrict Processing: You have the right to request restriction of processing of your personal data under certain conditions.
- Right to Data Portability: You have the right to receive your personal data in a structured, machine-readable format.
- Right to Object: You have the right to object to processing of your personal data for certain purposes.
To exercise any of these rights, please contact us at [email protected]. We will respond to your request within 30 days.
10. Cookies and Session Data
The SummaryBot web dashboard uses cookies for the following purposes:
- Session Cookies: We use session cookies (via NextAuth) to authenticate your dashboard sessions. These cookies are essential for the dashboard to function and cannot be disabled while using the dashboard.
- CSRF Protection Cookies: We use cookies to protect against cross-site request forgery attacks.
We do not use advertising cookies or third-party tracking cookies. The dashboard does not include third-party analytics scripts that set cookies.
11. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at [email protected] so that we can take appropriate action, including deleting the information.
In accordance with Discord's own Terms of Service, users must meet the minimum age requirement to use Discord, which in turn is a prerequisite for using SummaryBot.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will update the “Last updated” date at the top of this page and, where practicable, provide additional notice through the Service.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of the Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: [email protected]
Website: summarybot.app