Privacy Policy

Last updated: February 20, 2026

1. Who We Are

One-Tap ("we", "us", "our") operates the One-Tap Discord verification bot and the associated web dashboard at this domain. This policy explains how we collect, use, and protect information when you interact with our service.

2. What We Collect

We collect only the minimum data required to operate the service. What we collect depends on how you interact with One-Tap:

If you verify through the bot (all users)

• Discord user ID, username, and avatar hash: Provided by Discord when you verify. Stored alongside your verification result.
• Verification result: Status (verified/rejected), risk score, risk level, and reason codes associated with your Discord user ID.
• IP address: Collected during verification and immediately pseudonymized using a one-way cryptographic hash (SHA-256) before storage. The raw IP address is never stored. The hashed value is used for rate limiting and alt-account detection.
• Device security analysis: When you complete verification, we perform a one-time security analysis of your browser environment to determine whether the account may be associated with abuse patterns or alt accounts. This analysis processes technical characteristics of your browser and device into pseudonymized security scores using one-way cryptographic hashing. No raw signal data is permanently stored - only the resulting hashed values are retained alongside your verification result.
• Device verification token: We store a randomly generated device token in your browser (via localStorage, a cookie, and IndexedDB) for up to 2 years. This token has no personal meaning on its own. Its hashed equivalent is retained in our database solely to detect when multiple Discord accounts verify from the same device.

If you log in to the dashboard (server administrators)

In addition to the above, we collect:

• Server information: Discord server (guild) IDs, names, and icons for servers you manage. This data is fetched from Discord on demand and cached temporarily in memory. It is not permanently stored in our database.
• Essential browser storage: We use browser localStorage to store your authentication token, selected server, and cookie consent preference. No third-party cookies or tracking cookies are used.

If you subscribe to Premium

• Payment and billing data: Handled entirely by Lemon Squeezy (our Merchant of Record). We do not collect or store your payment details, billing address, or email. Lemon Squeezy's privacy policy governs this data.

3. What We Do NOT Collect

• We do not collect or store names, email addresses, physical locations, or raw IP addresses.
• We do not collect or store payment or billing information (this is handled by Lemon Squeezy).
• We do not use analytics, advertising, or tracking cookies.
• We do not sell, rent, or share your data with any third party.

4. Pseudonymization

IP addresses, device verification tokens, and device security signals are pseudonymized using one-way cryptographic hashing (SHA-256) before being stored. This means the original values cannot be recovered from the stored data. However, under GDPR, pseudonymized data is still considered personal data and is treated as such. All your data protection rights apply to this data.

5. How We Use Your Data

• Verification: To determine whether a user joining a Discord server is legitimate or a known alt/spam account.
• Dashboard: To display verification logs, analytics, and server settings to authorized server administrators. Server administrators can see accounts linked to the same identity (related accounts) to help identify alts.
• Service operation: To authenticate you via Discord OAuth2 and maintain your session.
• Payment processing: To process Premium subscription payments through our payment provider.

6. Legal Basis (GDPR)

If you are in the European Economic Area (EEA), our legal bases for processing are:

• Legitimate interest: Processing verification data to protect Discord servers from abuse (alt accounts, spam, raids).
• Consent: For storing data in your browser via localStorage. You can withdraw consent at any time by clearing your browser data or declining cookies.
• Contract: For Premium subscribers, processing is necessary to provide the service you are paying for.

7. Data Retention

Verification records are retained for as long as they are needed to provide alt-detection across servers. If you would like your data deleted, contact us and we will remove all records associated with your Discord user ID within 30 days.

8. Your Rights

Depending on your location, you may have the following rights:

• Access: Request a copy of the data we hold about you.
• Deletion: Request that we delete your data.
• Rectification: Request correction of inaccurate data.
• Portability: Request your data in a machine-readable format.
• Objection: Object to processing based on legitimate interest.
• Restriction: Request that we limit how we use your data.

California residents (CCPA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information.

To exercise any of these rights, contact us at [email protected].

9. Data Security

We use industry-standard security measures to protect your data, including encrypted connections (HTTPS), secure authentication via Discord OAuth2, and pseudonymization of sensitive identifiers using SHA-256 cryptographic hashing. Raw IP addresses and device security signals are never stored, only their hashed equivalents.

10. Data Location

All data is stored on servers located in Finland, within the European Economic Area (EEA). Your data does not leave the EEA.

11. Third-Party Services

We integrate with the following third-party services:

• Discord: For OAuth2 authentication and bot functionality. Discord's privacy policy applies to data processed by Discord.
• Lemon Squeezy: For processing Premium subscription payments. When you subscribe to Premium, your payment information is handled directly by Lemon Squeezy. We do not store your payment details. See Lemon Squeezy's Privacy Policy.
• ProxyCheck.io: During verification, your IP address is sent to ProxyCheck.io to detect VPN and proxy usage. This is the only context in which a raw IP address is transmitted to a third party; it is not stored by us. See ProxyCheck.io's Privacy Policy.

12. Children's Privacy

Our service is not directed at children under 13 (or under 16 in the EEA). We do not knowingly collect data from children. If you believe a child has provided data to us, please contact us for removal.

13. Changes

We may update this policy from time to time. Material changes will be communicated through the service. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact

For privacy-related requests, contact us at [email protected] or join our Discord support server.