Last updated: June 2026
This Privacy Policy explains how XOE ("XOE", "we", "us") collects, uses, shares, and protects information when you use the XOE ecosystem, including the website (xoe.gg), the dashboard (dashboard.xoe.gg), and the XOE Discord bot (collectively, the "Services"). XOE is the data controller for personal data processed through the Services.
Questions or privacy requests: admin@xoe.gg. You can change your cookie choices anytime via or our Cookie Policy.
Discord identifiers (user ID, server/guild ID), username, global name, avatar, and basic profile metadata returned by Discord OAuth
Email address, where you provide it or where Discord shares it for sign-in
Authentication and session data needed to sign in and keep the Services secure
Wallet addresses you connect for payments or token gating, with the signature/message used to verify ownership
Public on-chain data (e.g., token and NFT balances/holdings) used to verify token-gate eligibility and to operate the Services — this may be stored to power features and analytics
Crypto payments are settled on-chain and non-custodial: we never hold your funds or private keys
Payment status, amounts, fees, currency, timestamps, and checkout identifiers
Transaction hashes and chain for crypto payments (public on-chain data)
Card payments are processed by Stripe; we never receive or store full card numbers
Commands and interactions with the XOE bot, and the outcomes (e.g., success/failure, timing)
Server configuration you set (roles, channels, products, donations, token gates) and server metadata (e.g., member counts, settings) reported by the bot
Link-safety scanning (LinkGuard): the bot reads message content transiently to check posted links against threat databases (Google Safe Browsing, PhishTank, URLhaus). Message content is not stored and is never used to train AI/ML models — only a confirmed-malicious link and its threat type may be logged as a security event
Human verification status (whether a member passed the human-verification check)
Logs and diagnostics used to prevent abuse, troubleshoot, and improve reliability
IP address, user agent, device/browser class, and approximate (city/country-level) location inferred from IP
Usage and product analytics: pages viewed, referrer/UTM campaign parameters, session and event activity, and performance metrics
Cookies and similar technologies — see Section 5 and our Cookie Policy
Provide and operate the Services (payments, access grants, role automation, token gating, dashboards, and security scans)
Secure the Services, prevent fraud/abuse, and enforce limits
Customer support, troubleshooting, and service communications
Measure, analyze, and improve the Services, and develop new features
Produce aggregated and de-identified insights and benchmarks (see Section 6)
Comply with legal obligations and enforce our Terms
Depending on your location, we process personal data under one or more of these bases: contract (to provide the Services), legitimate interests (security, fraud prevention, analytics and improvement), consent (e.g., non-essential cookies and marketing, which you can withdraw at any time), and legal obligation.
We share information with vendors ("subprocessors") that help us run the Services, under contracts that require them to protect it and use it only on our behalf. Current key subprocessors:
Stripe — card payment processing
Discord — authentication and bot platform
Vercel — website & dashboard hosting and product analytics
Neon — managed database hosting
Railway — bot hosting
Alchemy / Coinbase (x402) — blockchain infrastructure and crypto payment facilitation
Google Analytics — website usage analytics (only with your consent)
We may also disclose information if required by law, to protect rights or safety, or in connection with a merger, acquisition, or asset sale. We do not sell your personal information (see Section 10).
We use strictly-necessary cookies to run the site and keep it secure, and — only with your consent — analytics and marketing cookies. Non-essential cookies and analytics (including Google Analytics) are off by default and load only after you opt in via our consent banner, using Google Consent Mode. You can review categories and change or withdraw consent at any time via , and you can read the full details in our Cookie Policy.
We may aggregate, de-identify, or anonymize data to understand ecosystem trends — for example, community growth patterns, payment and token-gating behaviors, and industry benchmarks. Aggregated and de-identified data does not identify individual users or servers, and we may use it to improve the Services, publish reports, or share benchmarks with partners.
If we ever introduce a product that shares data beyond aggregated/de-identified form, we will update this Policy and, where required, obtain your consent first.
We keep personal data only as long as needed for the purposes above. As a guide: payment and transaction records are retained as long as required for accounting, tax, and legal purposes; security and audit logs are kept for a limited period for abuse prevention; cookie consent records are kept to evidence your choices; and analytics data is retained in line with our analytics tools' settings. We delete or de-identify data when it is no longer needed.
We use reasonable technical and organizational measures designed to protect information, including encryption in transit, access controls, and non-custodial payment design. No system is perfectly secure, and we cannot guarantee absolute security.
Depending on your location, you may have the right to access, correct, delete, or port your personal data, to object to or restrict certain processing, and to withdraw consent where processing is based on consent. You may also lodge a complaint with your local data protection authority.
To exercise these rights, contact admin@xoe.gg. We respond within the timeframes required by applicable law.
If you are a California resident, you have rights to know, delete, correct, and opt out of the "sale" or "sharing" of personal information. XOE does not sell your personal information and does not share it for cross-context behavioral advertising. To make a request, contact admin@xoe.gg. We will not discriminate against you for exercising your rights.
We may process and store information in countries other than where you live, including the United States. Where required, we use appropriate safeguards (such as standard contractual clauses) for cross-border transfers.
The Services are not directed to children under 13 (or the minimum age in your country), and you must meet Discord's minimum age to use them. If you believe a child has provided personal information, contact us so we can delete it.
We may update this Privacy Policy from time to time. Material changes will be reflected by the "Last updated" date above and, where required, we will seek renewed consent. Continued use of the Services after changes become effective means you accept the updated policy.