Privacy Policy - Dox Box

1. Data we collect

The table below lists every category of personal data we hold, where it comes from, and what it is used for.

Data	Source	Purpose
Discord user ID, display name, email address, avatar image	Authentik SSO (via Discord OAuth)	Identity, profile display, authentication, and Discord integration features (role sync, bridge relay). The avatar image is cached to our own object storage on each login to provide a stable URL independent of Discord’s CDN.
Google account ID, name, email address, avatar image	Authentik SSO (via Google OAuth)	Alternative sign-in method for users who prefer to log in with Google instead of Discord. The avatar image is cached to our own object storage on each login.
Timezone	Set by you in your profile	Displaying game session times and scheduling information in your local time zone
Phone number (stored AES-256-GCM encrypted at rest)	Set by you in your profile	Optional SMS notifications when game sessions are scheduled or updated
Minecraft username	Set by you in your profile	Minecraft server whitelist management and in-game player identification
Steam ID	Set by you in your profile	Gaming platform identification for group members
Dice roll history (roll expression, result, timestamp)	Generated when you roll dice via the Portal or via Quinn slash commands or inline dice detection in Discord	Displaying your roll history and statistics within the Portal
Saved rolls and roll variables (name, expression, optional description)	Created by you in the Portal or via Quinn slash commands in Discord	Persistent roll macros and shorthand variables you can reuse across game sessions
Game session availability responses	Set by you when responding to game session polls in the Portal	Game session scheduling; identifying when group members are available
API key (stored as a hashed value; up to 3 active keys per account)	Auto-generated on your first Portal login; additional keys can be created manually in the Portal; the browser extension provisions a dedicated key via an OAuth flow	Authenticates requests from the Quinn browser extension and other API clients to the Dox Box API on your behalf
Watchlist data (watchlist names, descriptions, items added, optional per-item notes, and episode watch progress)	Created by you in the Portal	Maintaining your personal and shared watchlists of movies, TV series, and games; tracking episode progress for series you are watching
Campaign metadata (campaign name, description, external map/VTT URLs)	Created by you in the Portal or via Discord commands	Managing tabletop RPG campaigns
Journal entries (categories, narrative entries, quests, quest steps, and collaborative text)	Created by you and other campaign members in the Portal	Shared campaign journal for recording session narratives, tracking quests, and collaboratively writing story notes. Journal steps record the author’s identity and use a collaborative text editor (Yjs) whose state is stored as encoded data.
DM notification preferences (per-campaign opt-in)	Set by you via Quinn slash commands or the Portal	Controlling whether you receive Discord direct messages for initiative events (combat started, turn advanced, combat ended) in each campaign
Privacy acceptance timestamp and policy version	Recorded when you accept this policy on first login, and updated each time you accept a revised version of the policy	Compliance record confirming you have reviewed and accepted this policy, and which version you have consented to. If the policy is updated, you will be required to review and accept the new version before continuing to use the Portal or running Quinn slash commands.
IP address	Automatically collected on each authenticated request	Security audit logging; anonymised after 30 days and fully deleted after 90 days

We do not collect any data beyond what is listed above. Most of what we hold only exists because you actively provided or created it. Specifically:

Optional profile fields: phone number, Minecraft username, and Steam ID are never required to use the Portal. They can be left blank or removed at any time from your profile page.
User-created content: saved rolls, roll variables, watchlists (including their names, items, notes, and episode progress), journal entries (including quests and collaborative narrative text), and game session availability responses exist only because you chose to create them. None of this is collected passively. Deleting your account removes it all immediately.

Your display name and avatar are visible to other Portal members in shared contexts such as watchlist member lists, campaign rosters, journal step authorship, and initiative displays. An internal account identifier (a randomly generated ID) is used by the system to link records to your account; it is not displayed anywhere in the Portal interface and is not meaningful outside of the Dox Box system.

Avatar storage: By default (automatic avatar enabled), on each login the Portal fetches your avatar image from Authentik’s OIDC picture claim — which Authentik populates from your Discord or Google profile — downloads the image, and stores it in our own object storage. This provides a stable URL that remains accessible even if the source CDN is unavailable. You can disable automatic avatar refresh from your profile settings, which locks in your chosen avatar so it is never overwritten on login. You may also upload a custom avatar image directly (JPEG, PNG, GIF, or WebP, maximum 4 MB), which is then stored in our object storage and optionally written back to Authentik. Stored avatar images are deleted when you delete your account.

Automatic display name: By default (automatic display name enabled), on each login your display name is synced from Authentik’s OIDC claims, reflecting your current Discord or Google display name. You can disable automatic display name refresh from your profile settings, which locks in your chosen display name so it is never overwritten on login. Once disabled, your display name must be updated manually from your profile page.

Watchlist visibility: each watchlist has a visibility setting chosen by its owner: Public (visible to all Portal members), Members Only (visible only to members of that watchlist), or Private (visible only to the owner). The default is Members Only. You can change a watchlist’s visibility at any time from the watchlist settings.

2. Bots and automated services

Several automated tools interact with Dox Box services on behalf of users or the group. This section explains what each one does and what data it handles.

Quinn (Discord bot)

Quinn is a Discord bot that can be installed in any Discord server. It provides tabletop RPG utilities including dice rolling, initiative tracking, and campaign management. Because Quinn may operate outside our primary Discord server, this section describes how it handles data from all users who interact with it, regardless of which server they are in.

Account creation

The first time you run a Quinn slash command, Quinn will display a private (ephemeral) message asking you to review our Privacy Policy before creating an account. The message includes a summary of what data is collected and a link to this full policy. If you click Accept, a Dox Box account linked to your Discord ID is created and your consent is recorded with a timestamp. If you click Decline, no account is created and the command is not processed. You can accept at any time simply by running any Quinn command again.

What Quinn does

Accepts slash commands to roll dice, manage named roll presets, and manage {variable} placeholders injected into roll expressions. Roll results and presets are stored in the Dox Box API and linked to your Discord ID.
Manages an initiative tracker per campaign: adding, editing, and removing characters, advancing turns, and starting or ending combat. Character names and their owners are stored in the Dox Box API.
Maintains a live initiative HUD: a pinned embed in a Discord channel that shows the current turn order and updates automatically as combat progresses.
Sends you direct messages and channel notifications for initiative lifecycle events (combat started, turn advanced, combat ended) if you have opted in to DM notifications for a campaign.
Creates and manages campaigns, including linking Discord channels to campaigns. Both the Discord server ID and channel ID are stored as part of that association.
Resolves your Discord user ID to your Dox Box account for every command. Your Discord display name is used in command responses but not stored separately from your Discord ID.
In Discord channels that have been explicitly linked to a campaign, reads message content to detect inline dice notation (e.g. 2d6, !roll 1d20+5). Only the dice expression and any optional description you include are extracted and sent to the Dox Box API for processing; the rest of the message is discarded. Quinn does not read messages in any channel that has not been linked to a campaign.
When Quinn detects a dice expression in a linked channel, it deletes your original message and replaces it with a formatted roll-result embed sent via a Discord webhook. This is done so the result appears inline in the conversation. Quinn does not archive, log, or retain the original message content beyond the extracted dice expression.

What Quinn does not do

Quinn receives every message event from Discord (this is how Discord bots work), but immediately discards messages from channels not linked to a campaign. In DMs, if you have no campaign selected, it discards all messages unless they contain a recognised dice expression, to which it replies with a prompt to select a campaign first. In DMs where you do have a campaign selected, it processes any dice expression the same way it would in a linked channel.
Quinn does not share your data with any third party or other Discord server.
Quinn does not use your data for advertising, profiling, or any purpose unrelated to the features described above.

Data stored on your behalf

When you use Quinn, the following data is stored in the Dox Box API: your Discord user ID; dice roll history; saved roll presets and variables; initiative character records; campaign memberships and GM status; DM notification preferences; and records of which Discord channels are linked to which campaigns (including server IDs).

Authentication

Quinn authenticates to the Dox Box API using a shared server-side secret. It does not use your personal API key. Your personal API key (if you have one) is a separate credential used only by the Quinn browser extension described below.

Your rights as a user in another server

Even if you only interact with Quinn through another Discord server and have never visited the Dox Box Portal, you have the right to request access to or deletion of your data. To do so, contact us at privacy@doxbox.org and include your Discord user ID. We will respond within 30 days.

Quinn (Browser Extension)

The Quinn browser extension is a Chrome and Firefox extension designed to assist with live initiative tracking during play sessions that use Shmeppy as a virtual battle map. When installed and active it:

Reads the current browser tab title on Shmeppy pages only, to detect which map or game is active and, if you have enabled auto-campaign switching, to match the URL to one of your campaign map links.
Connects to the Dox Box WebSocket API using your personal API key to send and receive initiative order updates in real time.
Stores the following data locally on your device using the browser’s extension storage API: your API key, a copy of your basic profile (Discord ID, display name, email, avatar URL), your currently selected campaign ID, your campaign list, the latest initiative state, and display preferences (overlay position and auto-campaign-switch setting). This data is stored on your device only and is not synced to any browser account or cloud service.
Does not read, transmit, or record any other content from Shmeppy or any other tab.

No personal data is sent to Shmeppy by Dox Box. The extension communicates only with the Dox Box API. Uninstalling the extension or revoking your API key in the Portal removes all locally stored data and immediately prevents the extension from authenticating.

Dox (Discord bot)

The Dox bot is a Discord bot that runs in our private Discord server. It handles several functions:

Monitors designated Discord channels to relay messages to the Minecraft server chat in real time (the Minecraft bridge, described further below).
Delivers game session notifications and reminders to Discord channels or direct messages when a game session is scheduled or updated in the Portal.
Reads your Discord role membership to determine access levels within the group.

Voice channel creator

The Dox bot can automatically create temporary personal voice channels when you join a designated trigger channel in Discord. These channels are named using your Discord display name and are deleted automatically when all members leave. Your Discord user ID is held in Redis to track channel ownership while the channel exists; this data is removed as soon as the channel is deleted or the bot restarts. No voice audio is recorded or transmitted by Dox Box.

The Dox bot only operates within our own Discord server. It does not access message history beyond what is needed for real-time relay, does not store message content, and does not interact with any other Discord server.

Minecraft bridge

The Minecraft bridge relays messages between our Discord server and Minecraft server in real time. When you send a message in a bridged Discord channel, your Discord display name and message content are forwarded to the Minecraft server chat. Likewise, messages sent in Minecraft chat are forwarded to Discord. Message content is not stored by Dox Box; it appears in both platforms’ chat histories and is subject to each platform’s own data retention policies.

To make relay messages more readable, the Dox bot temporarily caches your Discord display name and avatar URL in an in-memory store (Redis). This cached data expires automatically after 7 days and is deleted immediately if you leave the Discord server. It is not shared with any third party and is not linked to your Portal account.

3. How we use your data

We use the data listed in Section 1 for the following purposes:

Authentication and access control: verifying your identity when you log in and determining what features you can access within the group.
Game session scheduling: collecting and displaying availability responses so the group can agree on game session times.
Notifications: sending you reminders and updates about upcoming game sessions via SMS (if enabled) or Discord; sending transactional email notifications (via Resend) when actions you have initiated are complete, such as a data export becoming ready to download.
Gaming features: maintaining your dice roll history and saved macros; relaying Minecraft bridge messages; managing server whitelists; and providing collaborative campaign journals.
Watchlists: storing and organising your personal and shared lists of movies, TV series, and games, including episode watch progress for series.
Security and stability: recording IP addresses in audit logs so that unauthorised access attempts can be identified. Logs are automatically anonymised and deleted on a rolling basis.

We do not use your data for advertising, profiling, automated decision-making, or any purpose not listed here.

4. Legal basis for processing

We process your personal data under the following legal bases as defined by the UK GDPR and EU GDPR:

Consent: you actively accept this policy when you first log in to the Portal, or via the consent button shown by Quinn in Discord when you first use a slash command. You may withdraw consent at any time by deleting your account, which permanently removes all your personal data from our systems.
Legitimate interests: security audit logging and access control within our private group. We have assessed that this interest is not overridden by your rights or freedoms.
Contract: processing necessary to provide the scheduling, notification, dice rolling, and gaming integration features you signed up to use.

5. Data retention

We do not keep your data any longer than is necessary for the purposes described above.

IP addresses in audit logs are anonymised after 30 days.
Audit log entries are permanently deleted after 90 days.
All other account data (profile, dice history, saved rolls, journal entries, watchlists, game session responses, API keys) is kept until you delete your account. Deletion is immediate and permanent.
Data export files (JSON and PDF) are stored in our object storage for 7 days after the export is ready, then automatically deleted. The download links expire at the same time. You can request a new export at any time.
When you delete your account, a minimal deletion compliance record is retained containing only your internal account ID, Discord ID, the deletion timestamp, and the IP address from which the deletion was requested. This record contains no other personal information (no name, email, or content) and exists solely to demonstrate that we fulfilled your erasure request, as permitted under GDPR Article 17(3)(e). It is not used for any other purpose.
Minecraft bridge message content is not stored at all; it is processed in memory only and discarded after transmission.
Discord display name and avatar URL cached by the Dox bot for Minecraft bridge relay are automatically deleted after 7 days, or immediately when you leave the Discord server.
CubeCoders AMP user accounts (username, email, group memberships) are deleted when you delete your Dox Box account. AMP operational logs (server console output, scheduled task logs, access logs) may retain your display name for up to 30 days after account deletion.

6. Your rights

Under the GDPR you have the following rights regarding your personal data. Most can be exercised directly within the Portal without needing to contact us.

Right	How to exercise it
Access and portability (download a copy of all your data)	Profile → Privacy & Data → Download Your Data. You will receive both a JSON file and a PDF document containing everything we hold about your account. Download links are available for 7 days after the export is ready, after which the files are automatically deleted from our storage.
Erasure (permanently delete your account and all associated data)	Profile → Privacy & Data → Delete Account. Deletion is immediate and irreversible. Your API key is revoked instantly.
Rectification (correct inaccurate or incomplete information)	Your display name and profile picture are synced from the Discord or Google account you used to sign up; update them there and they will be reflected in Dox Box on your next login. Timezone, Minecraft username, Steam ID, phone number, and other profile fields can be edited directly in the Portal at any time. For anything else, contact us at privacy@doxbox.org.
Object to processing	Where we rely on legitimate interests as our legal basis (security audit logging), you have the right to object. Contact us at privacy@doxbox.org to raise an objection; we will assess and respond within 30 days. To stop receiving notifications specifically, visit your profile page and disable SMS and Discord notification delivery in the Notifications section without needing to delete your account.
Withdraw consent	Delete your account (see Erasure above). Withdrawing consent means we can no longer provide the Portal service to you.
Restrict processing (limit how we use certain data)	Contact us at privacy@doxbox.org or via Discord. We will assess and respond within 30 days.

ℹ️ For any right you cannot exercise via self-service, or to raise a concern, contact us at privacy@doxbox.org or through our Discord server. We aim to respond within 30 days. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local supervisory authority.

7. Self-hosted infrastructure

All of the following components are self-hosted on servers we own and operate, located in Germany within the European Union. Your data does not leave this infrastructure and is not subject to any data-sharing with third parties.

Component	Role	Personal data stored
Portal & API	The Dox Box web application and its NestJS backend. All user requests, sessions, and activity pass through here and are persisted to the PostgreSQL database.	All data described in §1.
Authentik	Self-hosted single sign-on identity provider. Manages the OAuth flows for Discord and Google login, and issues session tokens to the Portal and AMP.	Discord and/or Google OAuth tokens and the profile attributes returned by those providers (user ID, name, email, avatar). This is the same data described in §1 as received from your OAuth provider — it is held within our own infrastructure, not sent to a third party.
CubeCoders AMP	Game server management panel for Minecraft and other game servers. Login is provided via our Authentik SSO.	Your Authentik identity (user ID, display name, email, group memberships) is held in AMP to authenticate you and determine your access level. Your AMP user account is deleted when you delete your Dox Box account. AMP operational logs (server console output, scheduled task logs, and access logs) may retain your display name for up to 30 days after account deletion, after which they are purged.
Object storage (Hetzner)	S3-compatible object storage used for data export downloads and avatar image caching.	Data export files (JSON and PDF) are stored for up to 7 days after the export is ready, then automatically deleted. Avatar images are stored and deleted when you delete your account.

8. Third-party services

We use the following external third-party services. No data is shared with any other party beyond those listed here.

Dox Box is an independent private group. We are not affiliated with, endorsed by, or sponsored by any of the services listed below. “Discord”, “Google”, “Shmeppy”, “Twilio”, “Resend”, “TMDB”, “IGDB”, “Steam”, and “Mojang” are independent companies; their names and trademarks remain the property of their respective owners.

Service	Purpose	Data shared
Discord	OAuth authentication provider; group communication; notification delivery via bot messages; Minecraft bridge relay.	Your Discord account ID, username, email, and avatar are received during login. Bridged chat messages (display name and message content) are relayed in real time.
Google	OAuth authentication provider (alternative to Discord login).	Your Google account ID, name, email address, and avatar image are received during login via Authentik. The avatar image is cached to our own object storage. We do not access your Google Drive, Gmail, or any other Google service.
Twilio	SMS delivery for game session notifications.	Your phone number and the notification message text. Used only when you have enabled SMS notifications in your profile. You can remove your phone number at any time to opt out.
TMDB (The Movie Database)	Searching for and importing movie and TV series metadata (titles, descriptions, poster images, release years, episode lists).	Your search query text is sent to the TMDB API when you search for a movie or series to add to a watchlist. TMDB does not receive any personal account information. TMDB privacy policy.
IGDB (Internet Games Database, operated by Twitch/Amazon)	Searching for and importing game metadata (titles, descriptions, cover images, release years, genres).	Your search query text is sent to the IGDB API when you search for a game to add to a watchlist. IGDB does not receive any personal account information. Twitch privacy notice.
Shmeppy	Virtual battle map tool used alongside the Quinn browser extension.	No data is sent from Dox Box to Shmeppy. The Quinn extension reads your current Shmeppy tab’s title client-side and communicates initiative data only with the Dox Box API.
Mojang	Validating your Minecraft username when you add it to your profile.	Your Minecraft username is sent to the Mojang API to confirm the account exists.
Steam	Validating your Steam ID when you add it to your profile and fetching player summaries.	Your Steam ID or vanity URL is sent to the Steam API.
Resend	Transactional email delivery (e.g. notifying you when your data export is ready to download).	Your email address and the notification message content are passed to Resend for delivery. Email is only sent when you have triggered an action that generates a notification (such as requesting a data export). Resend privacy policy.

9. Security

We take reasonable technical and organisational measures to protect your data:

Phone numbers are encrypted at rest using AES-256-GCM before being written to the database. The encryption key is held separately from the database.
API keys are stored only as a one-way hashed value. The plaintext key is shown to you once on creation and never stored.
Login sessions are managed by Authentik via HTTP-only cookies and expire after 30 days. Logging out invalidates the session immediately.
API key revocation: when you revoke your API key in the Portal, the Quinn extension can no longer authenticate with the Dox Box API until a new key is issued.
Access control: all infrastructure is accessible only to authorised group members. The database and internal services are not publicly exposed.
Audit logging: API requests are logged with the requesting user’s ID, the endpoint accessed, and the IP address. Email addresses and phone numbers are never written to logs. Login events (sign-ins from the Portal and from the Quinn browser extension) are also recorded and are visible to you in Profile → Privacy & Data → Sign-In History (last 20 events).

If you believe your account has been compromised, revoke your API key immediately from the Portal and contact us via Discord or at privacy@doxbox.org.

10. Cookies and local storage

We use a small number of strictly necessary cookies and browser storage entries:

doxbox-theme (cookie and localStorage): stores your chosen colour theme preference. No personal data. The cookie expires after 1 year, and localStorage persists until cleared. Can be cleared from your browser at any time.
Session token (cookie): used to maintain your login session. Expires after 30 days or on logout.
Quinn extension data (browser extension storage): your API key, a cached copy of your basic profile, your selected campaign, campaign list, latest initiative state, and display preferences are stored locally on your device only. This storage is not synced to any browser account or cloud service. All data is cleared when you uninstall the extension or revoke your API key.
doxbox-privacy-v1 (localStorage): records that you have already accepted this Privacy Policy so returning users are not shown the consent screen again. Contains no personal data. Persists until you clear your browser storage or uninstall the site data.
Authentik SSO session cookie (set on our identity provider domain during the login flow): maintained by our self-hosted Authentik instance to keep you authenticated across the sign-in flow and to support single sign-on to Dox Box services including the Portal and the game server panel. HTTP-only and strictly necessary. Expires after 30 days or on logout from any connected service.
AMP session cookie (set on gameservers.doxbox.org): set when you access the CubeCoders AMP game server management panel. Strictly necessary for maintaining your authenticated panel session. Cleared on logout or when the session expires.

We do not use any advertising, analytics, or tracking cookies.

11. Children

Dox Box is a private group for adults. Membership requires you to be 18 or older. We do not knowingly collect data from anyone under the age of 18. If you believe a minor has provided us with personal data, please contact us at privacy@doxbox.org and we will delete it promptly.

12. Changes to this policy

If we make material changes to this policy, we will increment the policy version number and require fresh consent before you can continue using the Portal or running Quinn slash commands. When the policy changes, the Portal will display a consent screen on your next login and the API will reject requests until you have accepted the new version. Similarly, Quinn in Discord will show a private consent message the next time you run a slash command. The “last updated” date and version number at the top of this page always reflect the current version. The version you consented to is recorded alongside the timestamp of your acceptance.

13. International transfers

Data held within our own infrastructure (see §7) is stored and processed exclusively on servers in Germany and does not leave the EU. International transfer obligations arise only from the external third-party services listed in §8 that operate outside the UK or EEA.

Some of the third-party services listed in §8 operate outside the United Kingdom and the European Economic Area. The transfer safeguards that apply depend on where you are based:

UK residents: where personal data is transferred to a country not covered by a UK adequacy decision, we rely on UK GDPR Standard Contractual Clauses (SCCs) or another appropriate safeguard. Discord, Google, and Twilio additionally participate in the UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge), a transfer mechanism recognised under UK GDPR.
EU/EEA residents: where personal data is transferred outside the EEA to a country not covered by an EU adequacy decision, we rely on EU GDPR Standard Contractual Clauses. Discord, Google, and Twilio additionally participate in the EU-US Data Privacy Framework (EU-US DPF), which is recognised under EU GDPR as an adequacy mechanism for transfers to certified US organisations.

Note that search queries sent to TMDB and IGDB contain no personal identity information beyond your IP address. For other global services like Steam and Mojang, we rely on the platforms’ own compliance frameworks or standard contractual clauses. Details of the safeguards used by each processor are available in their respective privacy documentation.

14. Data breaches

In the event of a personal data breach we will:

Assess the risk to affected individuals within 24 hours of becoming aware of the breach.
Notify the relevant supervisory authority within 72 hours where the breach is likely to result in a risk to the rights and freedoms of individuals, as required by Article 33 of the UK GDPR / EU GDPR. For UK residents this is the Information Commissioner’s Office (ICO); for EU/EEA residents this is the relevant national data protection authority.
Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 of the UK GDPR / EU GDPR. Notification will be made via the email address associated with your account or via our Discord server.
Maintain an internal record of all breaches, including those that are not reportable, as required by Article 33(5).

If you believe your account has been compromised, revoke your API key immediately from the Portal and contact us at privacy@doxbox.org.

15. Contact

Questions or concerns about this policy can be directed to privacy@doxbox.org or raised directly in our Discord server. We will respond within 30 days.