Privacy Policy
Last updated: March 9, 2026
1. Data Controller
The data controller responsible for your personal data is:
Supatimer
Operated by Luwall AB (org. nr 559359-5993)
Contact us via our Discord server.
We have not appointed a Data Protection Officer (DPO) as we do not carry out large-scale processing of special categories of data or systematic monitoring of individuals. You may contact us directly for any data protection matters via our Discord server.
2. Data We Collect
When you use Supatimer, we collect and process the following personal data, obtained from Discord via their official API:
- Discord profile data: Your Discord user ID, username (global display name), server nickname, and avatar URL
- Server membership: Which Discord servers (guilds) you share with the bot, and your roles in those servers
- Availability selections: The days and time slots you select as available through the bot or web dashboard, including who set or changed the selection
- Absence records: Any absence periods you or a team manager sets
- Team configuration: Your assigned scrim roles, primary role, player status, and preferred server
- Authentication tokens: Discord OAuth access and refresh tokens, stored securely to maintain your web dashboard session
- Poll votes: Your votes on scheduling polls created within your team
During Discord OAuth sign-in, your email address is transmitted by Discord as part of the authentication handshake. This email is not stored or retained by Supatimer and is processed only transiently during the sign-in process.
We do not collect message content, direct messages, voice data, IP addresses, or any information from channels where the bot is not actively used.
3. Data Obtained Indirectly (GDPR Article 14)
When a server administrator installs the Supatimer bot in a Discord server, we receive basic membership data about all members of that server from the Discord API. This means we may process your data even if you have not directly interacted with Supatimer.
Categories of data obtained indirectly:
- Discord user ID
- Username (global display name) and server nickname
- Avatar URL
- Server roles
- Guild membership (which servers you share with the bot)
Source: This data is obtained from Discord's official API when the bot joins a server or when guild member lists are refreshed.
Purpose and legal basis: This data is processed under legitimate interest (Art. 6(1)(f)) to enable the scheduling service to function - for example, to display team rosters and allow managers to set availability on behalf of team members. We only process the minimum data necessary and do not use it for any secondary purposes.
If you are a member of a Discord server that uses Supatimer but have not interacted with the bot yourself, all rights described in Section 12 of this policy apply to you. You may contact us to request access to, correction of, or deletion of your data.
4. Legal Basis for Processing (GDPR Article 6)
We process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)) - Processing your Discord profile data and availability selections is necessary to provide the scheduling service you request when you interact with the bot or sign in to the dashboard.
- Legitimate interest (Art. 6(1)(f)) - We process server membership and role data to ensure the service operates correctly (e.g. verifying you have access to a team). Our legitimate interest is providing a functional multi-team scheduling service. We have assessed that this does not override your rights, as we only process the minimum data needed and do not use it for any secondary purposes.
We do not rely on consent as a legal basis for processing. We do not use your data for marketing, advertising, or profiling.
5. How We Use Your Data
Your data is used to provide and improve the scheduling service:
- Display availability calendars to your team
- Generate lineup suggestions based on availability
- Send automated calendar embeds and reminders in Discord
- Authenticate you on the web dashboard
- Understand how the service is used through anonymized usage analytics (page views, session recordings, and interaction data) to improve the user experience
We do not use your data for advertising, analytics profiling, or any purpose unrelated to the scheduling service. We do not use automated decision-making or profiling that produces legal effects concerning you. Lineup suggestions are advisory and always subject to manager review.
6. Data Sharing and Recipients
Your availability data is visible to other members of your team within Supatimer. This is the core functionality of the service.
We do not sell, rent, or share your personal data with third parties for their own purposes. We do not disclose data to ad networks or data brokers.
The following service providers (data processors) process your data on our behalf to operate the service:
- Discord (Discord Inc., USA) - Bot interactions and OAuth authentication
- Supabase (Supabase Inc., USA) - Database hosting (PostgreSQL)
- Vercel (Vercel Inc., USA) - Web application hosting
- Cloudflare (Cloudflare Inc., USA) - Discord interaction proxy (Cloudflare Workers)
- PostHog (PostHog Inc., USA / EU) - Product analytics, session recordings, and heatmaps. Data is stored in the EU (Frankfurt). PostHog operates in cookieless mode on our site, meaning no cookies or persistent identifiers are set on your device. See our Cookie Policy for details.
These providers act as data processors under applicable data protection agreements. We do not share data with any other third parties except when required by law.
7. International Data Transfers
Your personal data is transferred to the United States, where our service providers (Discord, Supabase, Vercel, and Cloudflare) operate. These transfers are protected by the following safeguards:
- EU-U.S. Data Privacy Framework (DPF): Discord, Vercel, and Cloudflare are certified under the EU-U.S. Data Privacy Framework. The European Commission has adopted an adequacy decision for transfers to DPF-certified companies (July 2023).
- Standard Contractual Clauses (SCCs): Where DPF certification does not apply (including Supabase), transfers are governed by Standard Contractual Clauses approved by the European Commission, which provide appropriate contractual safeguards.
You may request further details about the specific safeguards applied to any transfer by contacting us.
8. Data Storage and Security
Your data is stored in a PostgreSQL database hosted by Supabase with row-level security (RLS) policies that restrict access at the database level. All communication between services is encrypted via HTTPS/TLS. Data at rest is encrypted by our infrastructure providers.
We implement technical and organisational measures appropriate to the risk, including access controls, encrypted connections, and regular security reviews. However, no internet service can guarantee absolute security.
9. Data Retention
We retain your data only as long as necessary for the purposes described in this policy:
- Active use: Data is retained while your team actively uses the service.
- After bot removal: If the bot is removed from a Discord server, associated guild data is retained for up to 24 months to allow for re-installation. After this period, data may be deleted. Guild owners may request immediate deletion by contacting us.
- Authentication tokens: Discord OAuth tokens expire automatically after 6 days if not refreshed.
- Upon deletion request: When you request erasure of your personal data, we will process your request within 30 days. Your Discord profile data (user ID, username, avatar) and absence records are permanently deleted. Availability selections and poll votes are anonymized (your Discord ID is removed) to preserve team continuity.
10. Cookies
The web dashboard uses only strictly necessary cookies for authentication (Supabase session tokens). These cookies are required for the service to function and are exempt from consent requirements under the ePrivacy Directive (Article 5(3)) as they are essential to provide the service you have requested.
We use PostHog for product analytics (page views, session recordings, and interaction heatmaps) to understand how the service is used and to improve the user experience. PostHog operates in cookieless mode - it does not set any cookies or persistent identifiers on your device. Analytics data is stored in the EU (Frankfurt). No cross-session tracking is performed.
We do not use tracking cookies, advertising cookies, or any third-party cookies. For full details, see our Cookie Policy.
11. Children's Privacy
Supatimer is not directed at children under 13 years of age (or the applicable minimum age of digital consent in your jurisdiction, such as 13 in Sweden per the Swedish Data Protection Act). We do not knowingly collect data from children. In accordance with Discord's Terms of Service, users must meet the minimum age requirement to use Discord and our service.
If you believe a child has provided us with personal data, please contact us so we can delete it promptly.
12. Your Rights Under GDPR
Under the General Data Protection Regulation (GDPR) and the Swedish Data Protection Act (Dataskyddslagen 2018:218), you have the following rights:
- Right of access (Art. 15) - Request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) - Request correction of inaccurate or incomplete data.
- Right to erasure (Art. 17) - Request deletion of your personal data. See Section 9 for details on what is deleted and what is anonymized.
- Right to restriction (Art. 18) - Request restriction of processing in certain circumstances.
- Right to data portability (Art. 20) - Receive your data in a structured, commonly used, machine-readable format.
- Right to object (Art. 21) - Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right related to automated decision-making (Art. 22) - You have the right not to be subject to decisions based solely on automated processing that produce legal effects concerning you. Supatimer does not make such decisions.
Since we do not rely on consent as a legal basis for processing, the right to withdraw consent under Art. 7(3) does not apply. However, you retain all other rights listed above.
To exercise any of these rights, contact us through our Discord server. We will respond within 30 days as required by GDPR.
13. Right to Lodge a Complaint
If you believe we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with the supervisory authority. For Sweden, this is:
Integritetsskyddsmyndigheten (IMY)
Swedish Authority for Privacy Protection
Box 8114, 104 20 Stockholm, Sweden
Phone: +46 (0)8 657 61 00
Email: imy@imy.se
Website: www.imy.se
If you reside in another EU/EEA country, you may also file a complaint with your local supervisory authority.
14. Providing Data
Providing your Discord profile data is required for the service to function. If you choose not to provide this data (by not interacting with the bot or not signing in), you will be unable to use Supatimer. There are no other consequences beyond inability to access the service.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For significant changes, we will make reasonable efforts to notify users (for example, through a Discord announcement). Continued use of the Service after changes constitutes acceptance of the updated policy.
16. Contact
If you have questions about this Privacy Policy, want to exercise your data rights, or have concerns about how we handle your data, please reach out through our Discord server.