Privacy Policy

Last updated: June 2026

Summary

This Privacy Policy explains how XOE ("XOE", "we", "us") collects, uses, shares, and protects information when you use the XOE ecosystem, including the website (xoe.gg), the dashboard (dashboard.xoe.gg), and the XOE Discord bot (collectively, the "Services"). XOE is the data controller for personal data processed through the Services.

Questions or privacy requests: admin@xoe.gg. You can change your cookie choices anytime via or our Cookie Policy.

1. Information we collect

Account & identity

  • Discord identifiers (user ID, server/guild ID), username, global name, avatar, and basic profile metadata returned by Discord OAuth

  • Email address, where you provide it or where Discord shares it for sign-in

  • Authentication and session data needed to sign in and keep the Services secure

Wallet & on-chain

  • Wallet addresses you connect for payments or token gating, with the signature/message used to verify ownership

  • Public on-chain data (e.g., token and NFT balances/holdings) used to verify token-gate eligibility and to operate the Services — this may be stored to power features and analytics

  • Crypto payments are settled on-chain and non-custodial: we never hold your funds or private keys

Payments & transactions

  • Payment status, amounts, fees, currency, timestamps, and checkout identifiers

  • Transaction hashes and chain for crypto payments (public on-chain data)

  • Card payments are processed by Stripe; we never receive or store full card numbers

Content & usage

  • Commands and interactions with the XOE bot, and the outcomes (e.g., success/failure, timing)

  • Server configuration you set (roles, channels, products, donations, token gates) and server metadata (e.g., member counts, settings) reported by the bot

  • Link-safety scanning (LinkGuard): the bot reads message content transiently to check posted links against threat databases (Google Safe Browsing, PhishTank, URLhaus). Message content is not stored and is never used to train AI/ML models — only a confirmed-malicious link and its threat type may be logged as a security event

  • Human verification status (whether a member passed the human-verification check)

  • Logs and diagnostics used to prevent abuse, troubleshoot, and improve reliability

Device, website & analytics

  • IP address, user agent, device/browser class, and approximate (city/country-level) location inferred from IP

  • Usage and product analytics: pages viewed, referrer/UTM campaign parameters, session and event activity, and performance metrics

  • Cookies and similar technologies — see Section 5 and our Cookie Policy

2. How we use information

  • Provide and operate the Services (payments, access grants, role automation, token gating, dashboards, and security scans)

  • Secure the Services, prevent fraud/abuse, and enforce limits

  • Customer support, troubleshooting, and service communications

  • Measure, analyze, and improve the Services, and develop new features

  • Produce aggregated and de-identified insights and benchmarks (see Section 6)

  • Comply with legal obligations and enforce our Terms

3. Legal bases (where applicable)

Depending on your location, we process personal data under one or more of these bases: contract (to provide the Services), legitimate interests (security, fraud prevention, analytics and improvement), consent (e.g., non-essential cookies and marketing, which you can withdraw at any time), and legal obligation.

4. How we share information — service providers

We share information with vendors ("subprocessors") that help us run the Services, under contracts that require them to protect it and use it only on our behalf. Current key subprocessors:

  • Stripe — card payment processing

  • Discord — authentication and bot platform

  • Vercel — website & dashboard hosting and product analytics

  • Neon — managed database hosting

  • Railway — bot hosting

  • Alchemy / Coinbase (x402) — blockchain infrastructure and crypto payment facilitation

  • Google Analytics — website usage analytics (only with your consent)

We may also disclose information if required by law, to protect rights or safety, or in connection with a merger, acquisition, or asset sale. We do not sell your personal information (see Section 10).

5. Cookies & analytics

We use strictly-necessary cookies to run the site and keep it secure, and — only with your consent — analytics and marketing cookies. Non-essential cookies and analytics (including Google Analytics) are off by default and load only after you opt in via our consent banner, using Google Consent Mode. You can review categories and change or withdraw consent at any time via , and you can read the full details in our Cookie Policy.

6. Aggregated & de-identified data

We may aggregate, de-identify, or anonymize data to understand ecosystem trends — for example, community growth patterns, payment and token-gating behaviors, and industry benchmarks. Aggregated and de-identified data does not identify individual users or servers, and we may use it to improve the Services, publish reports, or share benchmarks with partners.

If we ever introduce a product that shares data beyond aggregated/de-identified form, we will update this Policy and, where required, obtain your consent first.

7. Data retention

We keep personal data only as long as needed for the purposes above. As a guide: payment and transaction records are retained as long as required for accounting, tax, and legal purposes; security and audit logs are kept for a limited period for abuse prevention; cookie consent records are kept to evidence your choices; and analytics data is retained in line with our analytics tools' settings. We delete or de-identify data when it is no longer needed.

8. Security

We use reasonable technical and organizational measures designed to protect information, including encryption in transit, access controls, and non-custodial payment design. No system is perfectly secure, and we cannot guarantee absolute security.

9. Your rights (GDPR/UK)

Depending on your location, you may have the right to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent where processing is based on consent. You may also lodge a complaint with your local data protection authority.

To exercise these rights, contact admin@xoe.gg. We respond within the timeframes required by applicable law.

10. California privacy (CCPA/CPRA)

If you are a California resident, you have rights to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. XOE does not sell your personal information and does not share it for cross-context behavioral advertising. To make a request, contact admin@xoe.gg. We will not discriminate against you for exercising your rights.

11. International transfers

We may process and store information in countries other than where you live, including the United States. Where required, we use appropriate safeguards (such as standard contractual clauses) for cross-border transfers.

12. Children

The Services are not directed to children under 13 (or the minimum age in your country), and you must meet Discord's minimum age to use them. If you believe a child has provided personal information, contact us so we can delete it.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be reflected by the "Last updated" date above and, where required, we will seek renewed consent. Continued use of the Services after changes become effective means you accept the updated policy.