Privacy Policy

Last Updated: January 2025

This Privacy Policy explains how Clocky ("we", "us", "our") collects, uses, and protects your information when you use our Discord bot.

Overview

Our commitment

We are committed to protecting your privacy and being transparent about data practices. This policy explains:

  • What data we collect
  • Why we collect it
  • How we use it
  • How long we keep it
  • Your rights and choices

Key principles

Transparency: We tell you exactly what data we collect and why.

Minimal collection: We only collect data necessary to provide our service.

User control: You control your data and can delete it anytime.

Security: We use industry-standard security measures to protect your data.

GDPR compliance: We fully comply with GDPR and similar privacy regulations.

Who this applies to

This policy applies to anyone who:

  • Uses Clocky commands in Discord
  • Has data stored by Clocky
  • Administers a Discord server with Clocky installed

Data Collection

What data we collect

User identification:

  • Discord User ID (numerical identifier assigned by Discord)
  • Discord username (for display purposes only)
  • Server membership (which Discord servers you use Clocky in)

Work session data:

  • Check-in timestamps (when you run /checkin)
  • Check-out timestamps (when you run /checkout)
  • Session duration (calculated from timestamps)
  • Server ID (which Discord server the session occurred in)

Break data:

  • Break start timestamps
  • Break end timestamps
  • Break duration (calculated from timestamps)

Settings & preferences:

  • Leaderboard visibility preference (public or private)
  • Timezone preference (if configured)

Subscription data (if applicable):

  • Subscription tier (Free, Premium, Pro, Lifetime)
  • Billing cycle (monthly, annual)
  • Payment status (active, canceled, past due)
  • Payment processor ID (Stripe customer ID - no card details)

What we DO NOT collect

We do not collect:

  • ❌ Discord passwords
  • ❌ Payment card details (handled by Stripe)
  • ❌ Message content from Discord
  • ❌ Voice chat data
  • ❌ Private messages (DMs)
  • ❌ IP addresses
  • ❌ Device information
  • ❌ Location data
  • ❌ Cookies or tracking pixels
  • ❌ Data from other Discord bots

How we collect data

Direct input: When you run commands like /checkin, /checkout, /stats

Automatic: Session duration and break time are calculated automatically from timestamps

Discord API: User ID and username are provided by Discord's API

Optional: Settings like leaderboard visibility require explicit user action

Data Usage

Why we collect data

Primary purpose: Time tracking

We collect work session data to:

  • Track when you check in and out
  • Calculate total worked time
  • Display your statistics (/stats)
  • Show your work history (/history)
  • Generate leaderboards (if you opt-in)

Service improvement:

  • Detect and fix bugs
  • Improve performance
  • Understand feature usage
  • Plan new features

Legal obligations:

  • Comply with GDPR and privacy laws
  • Respond to legal requests (with notice to you)
  • Process refunds and billing disputes

Who can see your data

You (always):

  • View your own stats: /stats
  • View your own history: /history
  • Export your data: /data-export

Server admins (with Manage Server permission):

  • View your statistics: /stats user:@you
  • Close stuck sessions: /admin-close-session user:@you
  • Export server data (Premium only)

Other users:

  • If you opt-in to leaderboards: Your rank and hours on /leaderboard
  • If you opt-out: Nothing - you're completely private

Us (Clocky operators):

  • Aggregate, anonymized statistics (e.g., "total users", "average session length")
  • No individual user data viewing except for support tickets with your consent

Third parties:

  • ❌ We NEVER sell your data
  • ❌ We NEVER share individual data with third parties
  • ✅ Stripe processes payments (they don't see your work data)
  • ✅ Supabase hosts our database (encrypted, access restricted)

Data Storage

Where data is stored

Database: Supabase (PostgreSQL)

  • Location: United States (AWS us-east-1)
  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Backup: Daily encrypted backups, 30-day retention

Payment processing: Stripe

  • Handles all payment information
  • PCI DSS Level 1 certified
  • We never see or store card details

How long we keep data

Active users (checked in within retention period):

TierData RetentionAuto-deletion
Free1 yearData older than 1 year is automatically archived
Premium5 yearsData older than 5 years is automatically archived
Pro10 yearsData older than 10 years is automatically archived
LifetimeUnlimitedNo auto-deletion unless configured

Archived data:

  • Not visible to users
  • Not included in stats or exports
  • Can be restored if you resubscribe to appropriate tier
  • Permanently deleted after 90 days in archive

Deleted data:

  • When you run /data-delete, data follows your server's deletion policy:
    • Immediate: Deleted instantly
    • Grace period: Deleted after grace period (configurable)
    • Requires approval: Deleted after admin approval

Subscription data:

  • Kept for 7 years for tax/accounting compliance
  • Only includes billing dates and amounts (no work data)

Data security

Technical measures:

  • Encryption at rest (AES-256)
  • Encryption in transit (TLS 1.3)
  • Row-level security (RLS) in database
  • Regular security audits
  • Automated vulnerability scanning

Access controls:

  • Multi-factor authentication required for database access
  • Principle of least privilege
  • Audit logging of all data access
  • Annual security training for team members

Incident response:

  • 24-hour notification if breach affects your data
  • Published security incident page
  • Coordination with Discord security team if needed

Your Rights

GDPR rights

If you're in the EU/EEA, you have these rights:

Right to access (Article 15):

  • Request a copy of your data: /data-export
  • See what data we have about you
  • Receive data in machine-readable format (JSON/CSV)

Right to erasure (Article 17):

  • Delete your data: /data-delete current-server or /data-delete all-servers
  • "Right to be forgotten"
  • Fulfilled within 30 days (usually instant)

Right to rectification (Article 16):

  • Correct inaccurate data (contact support)
  • Complete incomplete data

Right to data portability (Article 20):

  • Export your data in JSON/CSV format
  • Transfer to another service

Right to object (Article 21):

  • Object to processing (effectively same as deletion)
  • Opt out of leaderboards: /public visibility:off

Right to restrict processing (Article 18):

  • Request temporary halt of data processing (contact support)

How to exercise your rights

Export your data:

/data-export

Receive JSON file within 24 hours via DM.

Delete your data:

# Delete from current server only
/data-delete current-server

# Delete from all servers
/data-delete all-servers

Opt out of leaderboards:

/public visibility:off

Other requests: Contact support via /support or email privacy@clocky.bot

Response time

  • Automated requests (export, deletion): Instant to 24 hours
  • Manual requests (corrections, restrictions): Within 7 days
  • GDPR deadline: Maximum 30 days

Children's Privacy

Clocky is not intended for users under 13 years old (or 16 in the EU).

Discord's requirements:

  • Discord requires users to be 13+ (or 16+ in EU)
  • We rely on Discord's age verification
  • We do not knowingly collect data from children

If you believe a child is using Clocky: Contact us immediately at privacy@clocky.bot and we'll delete their data.

International Data Transfers

Data location: United States (AWS us-east-1)

EU/EEA users:

  • We use Standard Contractual Clauses (SCCs) for EU data transfers
  • Supabase provides EU data residency options (coming soon)
  • You have the same rights regardless of location

Changes to Privacy Policy

How we notify you:

  • Discord announcement when major changes occur
  • Updated "Last Updated" date at top of policy
  • Email notification (if you're subscribed)
  • 30-day notice before changes take effect

Your choices:

  • Continue using Clocky (acceptance of new policy)
  • Export your data and delete your account
  • Contact us with concerns

Version history: All previous versions available at /privacy/history (coming soon)

Third-Party Services

We use these trusted third-party services:

Supabase (Database hosting):

  • Purpose: Store work session data
  • Data: User ID, timestamps, session data
  • Location: United States
  • Privacy: supabase.com/privacy

Stripe (Payment processing):

  • Purpose: Handle Premium, Pro, and Lifetime subscriptions
  • Data: Payment information (not work data)
  • Location: United States
  • Privacy: stripe.com/privacy

Discord (Platform):

  • Purpose: Bot platform, user authentication
  • Data: User ID, username, server membership
  • Location: United States
  • Privacy: discord.com/privacy

AWS (Infrastructure):

  • Purpose: Hosting, backups
  • Data: Encrypted database backups
  • Location: United States
  • Privacy: aws.amazon.com/privacy

Data Breach Notification

In the unlikely event of a data breach:

Our commitment:

  • Notify affected users within 24 hours
  • Notify EU supervisory authorities within 72 hours (if EU users affected)
  • Publish incident report on status page
  • Provide clear guidance on steps to take

What we'll tell you:

  • What data was affected
  • How the breach occurred
  • What we're doing to fix it
  • What you should do
  • How to contact us

Contact Information

Privacy inquiries:

  • Email: privacy@clocky.bot
  • Discord: /support (for non-sensitive inquiries)
  • Response time: Within 7 days (usually 24-48 hours)

Data Protection Officer (DPO):

EU Representative:

General support:

Under GDPR, our legal basis for processing your data:

Contract performance (Article 6(1)(b)):

  • Providing time tracking service as requested
  • Essential for service functionality

Legitimate interest (Article 6(1)(f)):

  • Service improvement and bug fixes
  • Fraud prevention
  • Security monitoring

Consent (Article 6(1)(a)):

  • Leaderboard participation (explicit opt-in)
  • Marketing communications (if subscribed)

Legal obligation (Article 6(1)(c)):

  • Tax and accounting records (7-year retention)
  • Responding to lawful requests

Your Responsibilities

Keep your account secure:

  • Don't share your Discord account
  • Report unauthorized use to Discord
  • Review your stats regularly for accuracy

Respect others' privacy:

  • Don't share others' work data without permission
  • Admins: Use data access responsibly
  • Follow your organization's privacy policies

Accurate information:

  • Ensure check-ins/checkouts reflect actual work
  • Don't manipulate data
  • Report bugs or discrepancies

Frequently Asked Questions

Can server admins see my exact check-in times?

Admins can see your total hours and statistics, but not individual session timestamps unless they export data (Premium feature).

What happens to my data if Clocky shuts down?

We'll provide 90 days notice and tools to export all your data.

Can I delete data from just one server?

Yes! Use /data-delete current-server to delete only from the current server.

Do you use my data to train AI?

No. We never use user data for AI training or machine learning.

Can police request my data?

We only respond to valid legal requests. We'll notify you unless legally prohibited.

GDPR Compliance

Data Export Guide

Data Deletion Guide

Terms of Service

Was this page helpful?