Legal
Privacy Policy
How we collect, use, and protect your information.
Effective July 4, 2026 / Last updated July 4, 2026
This Privacy Policy ("Policy") describes how the operators of Radar ("Radar", "we", "us", or "our") collect, use, disclose, retain, and protect information from individuals ("you" or "your") who access or use the Radar platform, including the Radar Discord bot, the website at https://radarsys.xyz (the "Website"), the dashboard and admin console, and the associated API (together, the "Service").
Radar is a Discord security and moderation platform. This Policy is both a notice about our data practices and a description of where we rely on your consent. Some processing, such as screening Discord identifiers in a server that has installed Radar, relies on legitimate interests and does not require your individual consent. Other activities, such as signing in through Discord OAuth, happen only after your affirmative action. Visiting the Website does not by itself grant consent to those activities.
1. Who we are
Radar is the controller of the personal information processed through the Service, except where a server manager independently decides how information is used within their own server, in which case that server manager is an independent controller for that use. Our mission is to protect Discord communities from malicious activity through real-time moderation, screening, and a network-wide blacklist.
2. Scope
This Policy applies to:
- Users who authenticate with the Service through Discord OAuth;
- Server managers who configure the Service for their servers;
- Any individual whose Discord identity is processed because they are present in a server where Radar is installed, including members screened by Safeguard;
- Any individual whose IP address is processed by our rate-limiting and abuse-detection systems.
It does not apply to third-party services linked to or from the Service, including Discord, Roblox, Roblox-linking providers, or Stripe. Review their policies independently.
3. Information we collect
What we collect depends on how you interact with the Service. Some data is collected automatically when you or your members interact with the bot; other data is collected only when you use a specific feature.
3.1 Information from Discord authentication
When you sign in with Discord OAuth 2.0, we receive information under the identify, guilds, and connections scopes:
| Data element | Purpose |
|---|---|
| Discord user ID | Unique identifier and primary key for your records |
| Username and display name | Identity and display in the dashboard |
| Avatar hash | Profile image in the dashboard |
| OAuth access and refresh tokens | Making scoped calls to Discord on your behalf and refreshing access without re-authentication; stored encrypted at rest |
| Token expiry timestamp | Managing the token lifecycle |
| List of servers you belong to or manage | Showing which servers you can configure |
| Linked account connections | Resolving a linked Roblox account for Safeguard, where that module is enabled |
We request only these scopes. We do not request access to your Discord messages, direct messages, email address, or friends list. The OAuth tokens we hold are scoped, time-limited tokens issued to Radar; they are not your Discord login credentials and cannot be used to read your messages or act as you beyond the scopes above.
3.2 Safeguard and Roblox data
Where a server manager enables Safeguard, we process the following to screen members for risk to communities with younger audiences:
| Data element | Purpose |
|---|---|
| Resolved Roblox user ID and username | Linking a Discord member to a Roblox account, resolved through Roblox-linking providers or the member's own linked Discord connection |
| Public Roblox group memberships and related public signals | Comparing against known risk indicators |
| Risk score and supporting evidence | Deciding whether to alert, quarantine, review, or remove a member, according to the server's settings |
| Review records | Letting server managers review and resolve flagged members |
Safeguard uses public data and third-party lookups that can be incomplete or wrong. A risk score is a signal, not a determination of fact.
3.3 Session and authentication state
- Session token. A signed token identifying your session, stored client-side in an HttpOnly, Secure, SameSite cookie, with a maximum lifetime of seven (7) days.
- OAuth state token. A cryptographically random token created during the OAuth flow to prevent cross-site request forgery. It expires within about ten (10) minutes and is discarded once used.
3.4 Server configuration data
| Data element | Purpose |
|---|---|
| Server, channel, and role IDs | Applying your configuration |
| Per-module enabled status and settings | Running each module as you configured it, including thresholds, actions, and exemption lists |
| Audit log entries | Recording which administrator made which change and when |
3.5 Security screening and network blacklist
| Data element | Purpose |
|---|---|
| Discord user ID of a joining or present member | Checking against the network blacklist and your enabled modules |
| Blacklist status and category | Enabling cross-server protection |
| Enforcement action and timestamp | Maintaining a security audit trail |
The network blacklist is controlled solely by Radar's founders and is not editable by server managers, any command, the dashboard, or the database.
3.6 Payment data
If you subscribe to Premium, billing is processed by Stripe. We receive and store a subscription status and related identifiers so we can grant and manage your plan. We never receive or store your card number or other full payment credentials; those are handled entirely by Stripe.
3.7 Moderation and audit data
We store records of moderation and security events (the action taken, the module, the target, an optional reason, and a timestamp) so that server managers can view and export an audit history. Automod inspects message content as it arrives to enforce your filters, but message contents are not stored.
3.8 Security and abuse-detection data
To protect the Service, we process the IP address of requests to the API and Website, the endpoint requested, and the time of any rate-limit violation, together with your Discord user ID where the request is authenticated. We use this only to enforce rate limits, detect abuse, and, where necessary, block access.
3.9 Information we do not collect
- Passwords of any kind. All authentication is delegated to Discord OAuth.
- Card numbers or other full payment credentials, which are handled by Stripe.
- Your Discord messages, direct messages, or message history.
- Precise geolocation, biometric data, or special-category data such as health, religion, or ethnicity.
4. How we collect it
- Authentication. When you complete the Discord OAuth flow, Discord returns an authorization code that we exchange, server to server, for access and refresh tokens.
- API calls. After authentication we make scoped calls to retrieve the profile and server information above.
- Bot processing. While the bot is present in a server, it processes member identifiers against your enabled modules and the network blacklist, and communicates with our API over a secured internal channel.
- Dashboard. When you configure the Service, your settings are submitted to our API and stored.
- Request monitoring. Every request to the API and Website passes through rate-limiting and abuse-detection logic as described in section 3.8.
5. Legal bases
Where applicable law requires a legal basis, we rely on the following:
| Processing | Legal basis |
|---|---|
| Authenticating you through Discord OAuth | Performance of a contract and legitimate interest |
| Running enabled security and moderation modules | Legitimate interest in protecting communities that use the Service |
| Maintaining the network blacklist | Legitimate interest in cross-server protection |
| Safeguard screening | Legitimate interest in protecting communities with younger audiences |
| Storing configuration and audit data | Performance of a contract with the server manager |
| Processing Premium payments | Performance of a contract |
| Rate limiting and abuse detection | Legitimate interest in the security and availability of the Service |
Where we rely on legitimate interest, we have assessed that it does not override your fundamental rights.
6. How we use information
- To provide, configure, and operate the security and moderation modules you enable.
- To screen members against the network blacklist and, where enabled, Safeguard risk signals.
- To maintain the audit history you can view and export.
- To authenticate you, maintain your session, and secure dashboard and admin access.
- To provide and manage Premium subscriptions.
- To detect and respond to abuse and to keep the Service available and secure.
- To comply with legal obligations.
We do not sell or rent your data, we do not use it for advertising, and we do not use it to train machine-learning or artificial-intelligence models.
7. Disclosure to third parties
We do not sell your information. We disclose it only in the limited situations below.
- Discord. We make scoped API calls to Discord on your behalf using tokens you granted. Data exchanged with Discord is governed by Discord's policies.
- Roblox and Roblox-linking providers. Where Safeguard is enabled, we query public Roblox data and third-party linking providers to resolve and screen a member's Roblox account.
- Stripe. Payment processing for Premium is handled by Stripe under its own privacy policy.
- Server managers. Managers of a server where Radar is installed may see security and plugin events (such as an enforcement action and its reason) and nickname changes, where they have enabled logging. Their handling of that information is their responsibility.
- Infrastructure providers. We use vendors to host our databases and run the Service, including a managed MongoDB provider (bot configuration and blacklist), a managed PostgreSQL provider (sessions, audit history, admin roles, Safeguard records, and Premium status), and our hosting platform. These vendors process data only on our behalf under contractual restrictions.
- Law and safety. We may disclose information where required by law or legal process, or where necessary to protect the rights, property, or safety of Radar, its users, or the public.
- Business transfers. In a merger, acquisition, or sale of assets, information may be transferred as part of that transaction.
8. Data retention
| Data type | Retention |
|---|---|
| Discord identity and profile | While your account is active; refreshed at each login |
| OAuth access and refresh tokens | Until expired and no longer refreshable, or until you log out and request deletion |
| OAuth state tokens | Automatically expire after about 10 minutes |
| Session tokens | Expire after 7 days; stored only client-side |
| Server configuration | Until the server manager changes it or removes the bot |
| Audit and moderation history | According to your plan (a shorter window on Free, longer on Premium) |
| Safeguard registry and reviews | Retained to keep screening effective; may be cleared by an administrator |
| Network blacklist records | Retained until successfully appealed or removed by Radar's founders |
| Premium subscription status | Retained while the subscription is active and as required for records and tax purposes |
| Abuse and rate-limit records | Retained for security, dispute resolution, and review of enforcement decisions |
After any applicable period, data is deleted or anonymized, except where longer retention is required by law or to establish, exercise, or defend legal claims.
9. Data security
We use technical and organizational measures to protect information, including:
- Encryption in transit. Traffic between your browser and our servers uses HTTPS, and cookies are set with the Secure flag.
- Encryption at rest for tokens. Stored Discord OAuth tokens are encrypted with a server-side key before being written to the database.
- HttpOnly and SameSite cookies. Session cookies are inaccessible to client-side scripts and use a SameSite policy to mitigate cross-site request forgery.
- CSRF protection. The OAuth flow uses a random, time-limited, single-use state token compared in constant time.
- Restricted CORS. The API accepts credentialed cross-origin requests only from the Radar Website.
- Ownership re-checks. Every configuration read or write is re-verified against your current Discord permissions.
- Rate limiting and abuse detection. Endpoints are rate-limited, and abusive request patterns can be blocked automatically.
- No password storage. We never receive or store passwords.
No measure is perfect. We cannot guarantee absolute security, but if a breach is likely to create a high risk to your rights, we will notify affected users and authorities as required by law.
10. Automated decisions
Two parts of the Service operate automatically. Safeguard assigns a risk score and, where a server manager has chosen to automate enforcement, can act on a member without human review; the server manager controls whether this is automatic or review-only, and is responsible for appeals. Separately, our abuse-detection system can block access automatically when it detects patterns consistent with abuse. If you believe an automated action affected you in error, contact us to request review.
11. Your rights
Depending on your jurisdiction, including under the GDPR and CCPA, you may have the right to access, correct, export, delete, or restrict processing of your personal information, and to withdraw consent or object to certain processing. To exercise these rights, contact us using the details below. We may need to verify your identity, and we will respond within the period required by applicable law, and in any case aim to respond within 30 days.
Exception for network blacklist and enforcement records. If your account is on the network blacklist, or is subject to an abuse-enforcement record, we may retain that record despite an erasure request. Deleting it would let a blacklisted or abusive account evade cross-server protection. You may still request review of your standing.
12. Children's privacy
The Service is not directed to children under 13, or under the minimum age to use Discord in your country, and we do not knowingly collect their information. If you believe we have collected information from someone under that age without appropriate consent, contact us and we will delete it promptly.
13. Cookies
We use only the cookies strictly necessary to operate the Service. We do not use advertising, analytics, or tracking cookies. The main cookie is a session cookie: an HttpOnly, Secure, SameSite cookie that keeps you signed in and expires after 7 days. A short-lived OAuth state value is also used during sign-in to prevent cross-site request forgery. Because these cookies are strictly necessary, separate cookie consent is generally not required; by using the Service you consent to them being set.
14. International transfers
The Service and its infrastructure may be operated from, and your information stored in, countries other than your own, where data-protection law may differ. Where a transfer safeguard is required, we rely on the necessity of the transfer to perform our contract with you, on your consent, or on appropriate contractual protections with our providers.
15. Third-party links
The Service may link to third-party sites and services, including Discord, Roblox, and Stripe. This Policy covers only information collected by the Service. We are not responsible for the privacy practices of third parties, and we encourage you to review their policies.
16. Changes
We may update this Policy from time to time. When we make material changes we will update the "Last updated" date, post the revised Policy on the Website, and, where appropriate, give additional notice. Continued use of the Service after changes take effect constitutes acceptance.
17. Contact
For privacy questions or requests, reach us at:
- Email: privacy@radarsys.xyz
- Support server: discord.gg/radarsys
- Website: https://radarsys.xyz
We aim to respond to all inquiries within 30 days.