What we collect, why, and for how long.

The short version

Alt Detector collects two kinds of data: account identity from Discord when you log in, and player identity from the DayZ servers you connect to the bot. We use the first to know who you are; we use the second to do the work the product exists for — detecting alt accounts and applying bans you've configured.

We do not sell, rent, or share your data with third parties for marketing. We do share Stripe with your billing details so you can pay us. That's it.

What we collect about you

Discord identity

• Your Discord ID, username, avatar hash, and email address (whatever Discord gives us during OAuth).
• The list of guilds you have manage permission on, so we can show you which ones the bot is in.
• The last time you logged in to the website.

Subscription & billing

• Your Stripe customer ID and subscription ID, the tier you're on, the renewal date, and whether you've cancelled. We do not store card numbers — Stripe holds those.
• A receipt-style record of each payment: amount, date, currency, Stripe invoice ID. No card details.

Sessions

• One row per active browser session, identifying you to the server while you're logged in. Sessions expire automatically after 30 days of inactivity. You can revoke any session from your profile page.

What we collect about players (not you)

When the bot is installed on a Nitrado server, it observes every player connection and records:

• Gamertag at the time of connection.
• Account ID (Xbox XUID or PSN identifier) — the stable identifier behind the gamertag.
• Device ID — the console/install fingerprint reported by the platform.
• Last-seen timestamp and last-seen server name.

This is the data that powers alt detection. It is not personally identifying in the legal sense — gamertags are the names people choose for public play. We do not collect IP addresses, real names, payment information, location data, voice or chat content, or anything beyond the four identifiers above.

Who can see what

• You can see everything we hold about you on your profile page.
• Other moderators can see player records in alt searches and the player profile. They can not see your account or billing data.
• Site administrators can see all account and subscription data for the purpose of customer support. Every admin action that touches user data is recorded in an audit log.
• The Discord bot reads the same player tables to do its work. The bot does not read your Discord profile beyond what's needed to know who runs which guild.

How long we keep it

• Account data — for as long as your account exists. If you delete your account, we delete the row.
• Sessions — 30 days of inactivity, then automatically purged.
• Payment records — kept for 7 years for accounting and tax compliance, even after account deletion.
• Player records — kept indefinitely. Alt detection is only useful when historical data is available; deleting a player record would defeat the purpose. Players who have not connected in a long time are not deleted, but they also don't actively cost anything to keep.

Your rights

You can:

• See everything we hold on your account by visiting your profile page.
• Export a copy of your account data — contact support and we'll send you a JSON dump within 30 days.
• Delete your account — every web_* row keyed to your Discord ID is removed (sessions, subscription state, payment receipts keep their stripped-down 7-year-retained shadow). Player records the bot collected from servers you ran are not affected, since they don't identify you.
• Cancel your subscription at any time without contacting us, from the Stripe customer portal linked in the billing page.

Cookies

We set one cookie: a session cookie called altdet.sid. It's a random opaque ID that lets the server remember who you are between requests. We don't set tracking, advertising, or analytics cookies.

Third parties

• Discord — identity provider via OAuth. They tell us who you are when you log in.
• Stripe — payment processor. Card numbers go to Stripe, not us. Their privacy policy applies to the data they hold for billing.
• That's the entire list.

Security

Sessions are stored server-side. Cookies are HTTP-only and marked secure in production. Sensitive endpoints require a CSRF token. The webhook endpoint Stripe calls is signed and verified. The database is not exposed to the public internet. Nobody is perfect; if you find a problem, please tell us before you tell anyone else.

Changes

If we change anything material on this page, we'll bump the "last updated" date at the top and call it out in the changelog.

Contact

Questions? Drop into the support Discord or open an issue on the project repository. For data-deletion requests specifically, email the address on your billing receipts so we can verify it's you.