Bounded storage
Babblebox stores what the feature needs, not a broad historical warehouse of server activity.
This Privacy Policy explains what Babblebox can access, what it stores, how that information is used, and the limits designed to keep storage and exposure bounded. Babblebox is built for Discord servers and aims to stay compact instead of turning into an everything archive.
Effective date: May 28, 2026. By using Babblebox in a Discord server or through Babblebox's Discord-based features, you agree to the practices described on this page.
Babblebox stores what the feature needs, not a broad historical warehouse of server activity.
Some surfaces are public by design, while Watch, reminders, Later, Capture, anonymous confessions and votes, and setup flows are private-first.
Shield, moderation, Anti-Nuke, and admin helpers prefer configuration, configured logs, compact incidents, and short-lived state over heavy moderation archives.
Babblebox only works inside the Discord context it is invited into and only with the permissions granted to it. Depending on the feature used, Babblebox may process or store the following categories of information.
Babblebox is not designed to store payment card numbers or similar payment-instrument data. Premium payments and billing are handled by the relevant external provider.
Babblebox uses information only to operate its Discord features and to keep those features reliable, low-noise, and reasonably safe.
Babblebox is not built as an ad network, data brokerage product, or engagement farm. Stored data exists to operate the bot, not to build a separate marketing profile about users.
Babblebox deliberately treats visibility differently depending on the feature. Some commands are designed for public, shareable output. Others are intentionally private-first because they can contain personal context, reminders, server reading position, or moderation setup details.
/confessions root is permission-unfiltered at Discord's slash visibility layer because Discord cannot see Babblebox's configured staff role; manual Confessions moderation still requires Manage Messages plus that configured role at runtime, and setup and policy changes stay admin-only.CF- confession posts and CV- anonymous vote posts; Babblebox stores the selected target channel ID so reviewed posts publish to the intended public channel without keeping raw published confession text long-term.Anonymous OP Reply without exposing identity./confess reply-to-user; expired, dismissed, or used opportunities scrub private source payloads while retaining compact status metadata during the retention window.Anonymous OP Reply, stay text-only, and do not expose the confession or vote owner or the responding member in public or staff-facing moderation surfaces.Babblebox may rely on infrastructure providers necessary to run the bot, such as Discord for platform delivery and Supabase or Postgres-backed storage for durable feature state.
If premium linking is enabled, Babblebox may exchange data with Patreon to link a Discord user to a Patreon member identity, verify active tiers, refresh entitlement state, process webhook updates, and support manual recovery when provider delivery is stale or interrupted. That can include Patreon member IDs, tier IDs, campaign IDs, encrypted OAuth tokens, compact sanitized webhook event metadata, and guild-claim state. Babblebox deletes the local encrypted Patreon tokens when a user unlinks and is not designed to receive or store payment card data from Patreon.
If the private admin dashboard is enabled, Babblebox uses Discord OAuth with only the identify
and guilds scopes to sign in an administrator, fetch the user's current Discord guild list, and
show only servers where the user has owner, Administrator, or Manage Server access and where Babblebox is
present. Babblebox stores an opaque server-side dashboard session, the signed-in Discord user ID and basic
display fields, and a short-lived guild permission snapshot needed for the server picker. Discord OAuth access
tokens are used only during the callback and are not stored after the user and guild data are fetched. Dashboard
session cookies are HttpOnly, Secure, and SameSite=Lax; tokens are not designed to be placed in localStorage,
URLs, logs, or public JSON. Ordinary members cannot use dashboard settings unless their current Discord
permissions already grant server-admin access for that server.
When dashboard setting writes are enabled, Babblebox still rechecks the live Discord member, guild, bot
permissions, CSRF token, owner-control policy, and storage readiness before any safe server-configuration
change. Dashboard writes cover durable server configuration only; runtime moderation actions, private review
queues, provider internals, raw evidence, and personal or member-only commands stay Discord-only. Dashboard
previews and audit history expose only sanitized feature ids, changed field names, readiness, and delivery
status, not raw message bodies, provider payloads, Discord OAuth tokens, session tokens, CSRF values, or
confession content. Operators can set BABBLEBOX_DASHBOARD_WRITES_DISABLED=true to force the
dashboard into read-only mode without a code rollback.
If the Top.gg vote bonus lane is enabled, Babblebox may receive Top.gg webhook events and optionally query
Top.gg for a user's current vote window when that user explicitly refreshes /vote. That can
include the Top.gg vote event ID, created or expires timestamps, weekend vote weight, webhook trace
metadata, and the user's vote reminder preference. Babblebox does not need to durably store a Top.gg
username or avatar_url for the vote bonus lane.
Babblebox does not perform always-on AI scanning by default. If optional AI-assisted Shield review is enabled
where available, it only runs after local Shield logic has already flagged live-message content. Owner policy controls whether Shield AI
runs at all and can keep gpt-5.4-nano, gpt-5.4-mini, and gpt-5.4
configured by default, while effective higher-tier use still depends on Guild Pro entitlement and provider/runtime readiness.
In that flow, only minimal,
sanitized, and truncated flagged text needed for that review is intended to be sent to the configured AI provider,
even when the local signal came from embed text, attachment labels, forwarded message snapshots, or sanitized OCR-extracted
image text instead of the raw message body alone. AI does not scan images and must not receive image bytes, base64,
screenshots, raw image URLs, raw QR payloads, filenames, or visual content. Shield's private feature-surface checks for AFK, reminders, watch keywords, bump reminder copy, server-message copy, and Confessions stay AI-free in this release.
Shield image OCR and QR decoding are local-only. Babblebox does not use external OCR APIs, QR APIs, paid OCR services, or OCR API keys. If the local Tesseract or zbar runtime is unavailable, Babblebox keeps running and falls back to hash, metadata, and override signals.
When Shield flags an image scam, the original flagged upload may be attached to the configured Shield log channel for moderator review. Babblebox does not persist those raw images in its database or action records, and AI review still receives only sanitized OCR text plus compact metadata.
Shield dangerous-file scanning is opt-in and compact. Babblebox may evaluate attachment filenames, declared size/content type, message context, and local known-bad SHA256s. When hash reputation is explicitly enabled, file hashes may be checked with configured reputation providers, but raw attachment files are not uploaded to reputation providers. Babblebox does not execute, decompress, inspect macros, or persist suspicious files, and malware-file alerts do not attach the suspicious file to Shield logs.
Babblebox is not designed to sell user data. Information is shared only when needed to operate the service, comply with law, protect the service, or deliver optional integrations that a specific feature requires.
Babblebox aims to keep durable data small, specific, and tied to live product needs instead of retaining broad historical records.
/giverole add-target, and /removerole remove-target role IDs; role-tool action records are delivered to the configured admin log channel rather than kept as a separate Babblebox case archive.Deletion timing can depend on when a reminder expires, a schedule ends, a configuration is removed, or a short-lived moderation workflow finishes.
Babblebox takes a data-minimization approach because the safest archive is often the one that was never created. Even so, no internet-connected service can promise absolute security.
Babblebox does not claim to be zero-knowledge or operator-proof. Infrastructure operators with code, runtime, and key control are still part of the trust model even after these privacy hardening measures.
Users and server administrators can often control Babblebox directly through the feature itself, such as clearing Later markers, removing reminders, disabling Shield live moderation, or changing Watch settings. Server owners also control whether Babblebox is invited, where it can see content, and which channels are used for logs or moderation workflows.
If you need help with a privacy-related request, a correction, or a removal question related to Babblebox-managed state, use the support contact points listed below and include enough context to identify the relevant server, user, or feature state.
Babblebox may update this policy when the product, storage model, or privacy practices materially change. When this page is updated, the effective date at the top will also be updated.