Privacy Policy

Last updated: 2026-05-09

What we collect

We keep the minimum data needed to run the site.

  • Account identity: When you sign in via Discord, Microsoft, or Google, we receive your provider user ID, display name, email (if the provider releases it), and avatar URL. We do not receive your provider password.
  • Content you create: Guilds, events, schedule polls, RSVPs, invites, reports, and roster data. These persist until you delete them or close your account.
  • Session + traffic: A session cookie (HttpOnly, SameSite=Lax) and your IP address as seen by Cloudflare. Used for authentication, rate limiting, and abuse mitigation.
    • Diagnostic logs: Operational logs (HTTP method + path + status, error traces, IP addresses for rate-limiting) are written to the application's log directory and rotated daily. Retention is 14 days by default and configured in code, not by external system policy. Logs are not used for analytics or marketing and are not shared with third parties.
What we don't collect
  • No third-party analytics or ad trackers.
  • No social-network pixels.
  • No selling, renting, or sharing your data with marketers.
Why we collect it
  • Authenticate you and remember you across sessions.
  • Show you only the guilds, events, and polls you have access to.
  • Detect and stop abuse — rate limits, block lists, moderation reports.
  • Diagnose bugs from anonymous error reports.
Who we share it with
  • Auth providers (Discord, Microsoft, Google) — only the OAuth handshake. They learn that you signed into raid.rsvp; they do not see what you do here.
  • Cloudflare — terminates TLS and tunnels traffic to our origin. Sees your IP and request URL.
  • No one else. We do not sell or rent personal data.
Your rights

If you're in the EU, UK, or California, you have legal rights to access, export, and delete your data. Everyone gets these rights here regardless of jurisdiction:

  • Export: Account → "Export my data" returns a JSON dump of everything tied to your account.
  • Delete: Account → "Delete my account" hard-deletes your row, your linked OAuth records, and all content you authored.
  • Correct: Edit your display name and timezone in Account settings. Email is set by your auth provider — change it there.
Cookies

One cookie: the session ID. HttpOnly, SameSite=Lax, marked Secure in production. Lifetime: 14 days, rolling. No tracking cookies.

Data retention
  • Account data: until you delete the account.
  • Sessions: 14 days of inactivity, then expire.
  • Logs: rotated daily, 14-day retention enforced in application code.
  • Reports + moderation records: kept indefinitely (audit trail).
Contact

Privacy questions or data requests: [email protected]

Terms of Service · Home