Privacy Policy
This policy explains what personal data VantaSupport collects, why we collect it, who we share it with, how long we keep it, and the rights you have over it. It applies to the VantaSupport bot, the dashboard at vantasupport.com, and our APIs.
1. Who we are
VantaSupport is operated by VantaSupport Pte. Ltd. (“VantaSupport”, “we”, “us”). We provide a Discord bot and web dashboard that help server operators run tickets, moderation, and AI-assisted replies.
For data submitted by server operators about their members, we act as a processor on behalf of the operator (the “Customer”), who is the controller. For data we collect directly from you when you sign in to the dashboard or contact us, we act as the controller.
Contact for privacy matters: privacy@vantasupport.com.
2. What we collect
We only collect what we need to deliver the service. Specifically:
2.1 Account data
- Your Discord user ID, username, display name, avatar hash, and email address as provided by Discord during OAuth.
- An OAuth access token used to list servers you administer. We never receive your Discord password.
- A session token (JWT) stored in an httpOnly cookie on your browser.
2.2 Server configuration
- Server ID, channel IDs, role IDs, and your bot configuration choices.
- Tone presets, refusal rules, prompt overrides, allowed and blocked phrases you upload.
- Knowledge base documents, URLs, and FAQs you provide to train server-specific AI replies.
2.3 Message content (only when invoked)
- When a server member opens a ticket, runs an AI command, or triggers an AI moderation check, the relevant message content (and limited surrounding context where you have opted in to context-aware replies) is sent to our servers for processing.
- We do not passively log channels the bot is not invited to or messages unrelated to a bot interaction.
- Ticket transcripts are stored against the ticket record and are visible to server staff you authorize.
2.4 Billing data
- Plan, billing email, country, and subscription status.
- Card details and tax information are collected and stored by our payment processor, not by us. We receive only the last four digits and a tokenized identifier.
2.5 Operational logs
- IP address, user agent, request path, status code, latency, and timestamp for dashboard and API requests.
- Audit records of admin actions taken inside a server (who changed what, when).
- Error reports including stack traces and a redacted snapshot of the failing request.
3. Why we process it
We rely on one of the following legal bases for each processing activity:
| Activity | Legal basis |
|---|---|
| Run the bot and dashboard for you | Contract (Art. 6(1)(b) GDPR) |
| Process AI replies and moderation | Contract |
| Send invoices and process payments | Contract and legal obligation |
| Keep security logs and detect abuse | Legitimate interest (Art. 6(1)(f)) |
| Respond to support requests | Contract or legitimate interest |
| Send product update emails to admins | Legitimate interest, opt-out at any time |
| Send marketing email to non-customers | Consent (Art. 6(1)(a)), opt-out at any time |
We do not sell personal data, we do not share it for cross-context behavioral advertising, and we do not use customer message content to train general-purpose AI models.
4. How AI features handle your data
When AI features are invoked, the relevant prompt (the member message, optional context passages from your knowledge base, and your server's system prompt) is sent to one of our AI sub-processors over TLS. The provider returns a reply which we deliver back to Discord.
- We have signed data processing terms with each AI provider listed in section 7 that prohibit using customer prompts and responses to train their foundation models.
- AI providers may retain prompts for up to thirty days for abuse monitoring before deletion. We cannot shorten this retention.
- You can disable AI features per server, per channel, or per role from the dashboard at any time. Where the server enables it, members can stop the AI from continuing to reply to them.
- AI replies are generated by probabilistic models and may be inaccurate. Do not use the bot as a substitute for legal, medical, financial, or safety advice.
5. Automated decision-making
Where you enable AI moderation, the bot will use a machine-learning classifier to assign a risk score to a message and may take an automated action (delete, timeout, alert moderators) based on the thresholds the Customer configures. Under Article 22 GDPR you have the right not to be subject to a decision based solely on automated processing that produces a legal or similarly significant effect on you.
- A human moderator can review and reverse an automated action (for example, lift a timeout or unban) using the bot's moderation commands, and every action is recorded in the server's case log.
- Server members can ask a human moderator to review any automated decision by contacting the server's staff, or by emailing privacy@vantasupport.com if the server is unresponsive.
- The classifier is not used for credit, employment, insurance, or other Article 22 high-impact decisions.
6. Illegal content and CSAM
VantaSupport has a zero-tolerance policy for child sexual abuse material (CSAM) and other illegal content. We use automated and manual review to detect CSAM in content uploaded through tickets and AI prompts. Where we identify or are notified of suspected CSAM we will:
- Remove the content immediately.
- Preserve the content and associated metadata as required by law.
- Report to the U.S. National Center for Missing & Exploited Children (NCMEC) under 18 U.S.C. § 2258A and to other competent authorities as required by applicable law.
- Suspend the responsible account and the affected server.
You can report suspected CSAM or other illegal content to trust@vantasupport.com or directly to NCMEC at report.cybertip.org.
7. Who we share data with
We share personal data only with the sub-processors listed below, only to the extent needed to deliver the service, and only under written processing terms that bind them to the same level of protection.
| Sub-processor | Purpose | Location |
|---|---|---|
| Discord, Inc. | Source platform where the bot operates | United States |
| VibeGAMES B.V. | Application, PostgreSQL database, and Redis hosting | Netherlands (EU) |
| Cloudflare, Inc. | Encrypted off-site database backups (R2 object storage) | Global |
| OpenAI, L.L.C. | AI embeddings, and replies when selected | United States |
| Anthropic, PBC | AI replies | United States |
| Stripe, Inc. | Payment processing and tax | United States |
| Resend, Inc. | Transactional and notification email | United States |
| Sentry (Functional Software, Inc.) | Error monitoring | United States |
The current list lives at vantasupport.com/legal/dpa. We will notify Customers at least thirty days before adding or replacing a sub-processor that handles customer data.
8. How long we keep data
| Data | Retention |
|---|---|
| Account and server data (active) | For the life of the account |
| Data after a deletion request | Removed within thirty days of the request |
| Ticket transcripts and AI knowledge | Kept until you delete them or request account deletion |
| AI decision history | Kept until you request deletion |
| Audit and security logs | Up to twelve months, then rotated |
| Operational logs | Rotated regularly, typically within thirty days |
| Billing records | Seven years, to meet tax-law requirements |
| Encrypted off-site backups | Rolling fourteen-day window |
9. What happens when the bot is removed
When a server admin removes the VantaSupport bot from a Discord server, the bot stops processing that server. Your configuration, knowledge base, and history are retained so you can reinstall later without losing your setup. To have that data deleted, a server admin can send a deletion request (see section 10); we action it within thirty days.
10. Your rights
Subject to your local law, you may have the right to access, correct, delete, restrict, or port your personal data, and to object to certain processing. EEA, UK, and Swiss residents have GDPR rights. California residents have CCPA and CPRA rights including the right to know and the right to delete.
To exercise any of these rights, email privacy@vantasupport.com (for server data, from or via a server admin). We verify the request and respond within thirty days.
If you believe we are processing your data unlawfully, you may complain to your local supervisory authority. For EEA residents, that is the data protection authority in your country of residence.
11. California residents
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:
- Right to know the categories and specific pieces of personal information we collect, the sources we collect from, the purposes for collection, and the categories of third parties we share with.
- Right to delete personal information we hold about you.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell personal information and we do not share it for cross-context behavioral advertising. There is nothing to opt out of, but if this ever changes we will provide a “Do Not Sell or Share My Personal Information” link and honor Global Privacy Control signals.
- Right to limit use of sensitive personal information. We do not use sensitive personal information for any purpose other than providing the service.
- Right to non-discrimination for exercising any of these rights.
To exercise these rights, use the dashboard self-service tools or email privacy@vantasupport.com. We may need to verify your identity before responding. You may authorize an agent to make a request on your behalf with written authorization.
12. Government and law-enforcement requests
- We require a valid legal process (subpoena, court order, warrant, or equivalent foreign instrument) before disclosing personal data to a government authority, unless an emergency disclosure is required to prevent imminent risk of death or serious physical harm.
- We will challenge requests that we believe are overbroad, unlawful, or inconsistent with international human rights standards.
- Unless prohibited by law, we will notify the affected Customer before disclosing their data so they can seek a protective order.
- We publish an annual transparency report summarizing the number, type, and outcome of government requests received.
13. International transfers
Personal data may be transferred outside the EEA, UK, or Switzerland to sub-processors listed above. For each such transfer we rely on the European Commission Standard Contractual Clauses (2021/914) plus, where required, the UK Addendum, and we apply supplementary measures including encryption in transit, encryption of stored credentials and backups, and access logging.
14. Security
- TLS 1.2 or higher for all traffic between you, our servers, and sub-processors.
- OAuth tokens and other secrets encrypted with AES-256-GCM, never stored in plain text. Off-site backups are encrypted.
- Two-factor authentication and least-privilege access controls for our team.
- Continuous dependency and vulnerability scanning. An independent penetration test before we take on enterprise contracts.
- Logged and reviewed access to production systems.
No service is perfectly secure. If we discover a breach affecting your personal data we will notify the relevant Customer without undue delay after becoming aware, and we will notify affected end users where required by law.
15. Children and parental rights
VantaSupport is not directed at children under thirteen, or under sixteen in the EEA. We do not knowingly collect personal data from a person we know to be under those ages. Discord requires its users to meet its own minimum age requirements; we rely on that.
If you are a parent or legal guardian and you believe your child has used the service, email privacy@vantasupport.com from the parent's contact address with the child's Discord user ID. We will delete the child's data within thirty days and block re-collection from that identifier. We do not require a court order to honor a verified parental request.
16. Changes to this policy
We will post the effective date at the top of this page whenever we update it. For material changes we will notify account admins by email at least thirty days before the change takes effect.
17. Contact
privacy@vantasupport.com
Postal: 1 Raffles Place, #20-01, Singapore 048616
EU representative (Art. 27 GDPR): on request to privacy@vantasupport.com