Privacy Policy

1. Who We Are

Viirless ("Viirless", "we", "us", or "our") operates a Discord bot hosting platform available at viirless.net. The platform allows users to upload, deploy, and manage Discord bots running inside isolated Docker containers on our infrastructure.

This Privacy Policy explains what personal data we collect when you use the Viirless platform, how we use it, and what controls you have over it.

2. Information We Collect

2.1 Account Information

When you register an account, we collect:

• Username — the display name you choose
• Email address — used for login and account notices
• Password — stored as a bcrypt hash; we never store your plain-text password
• Account creation date and IP address — recorded for security and fraud prevention

2.2 Bot and Deployment Data

When you deploy a bot, we store:

• Bot source files — the ZIP archive or GitHub repository you upload, saved under a per-user directory on our server
• Environment variables — any key/value pairs you configure for your bot (e.g. your Discord bot token). These are stored in our database and injected into the container at runtime.
• Bot name and configuration — name, main entry file, runtime type (Node.js / Python / Go), memory and CPU limits
• Container logs — stdout/stderr output produced by your running bot, accessible to you in the dashboard
• Container status history — start/stop events and resource usage metrics

2.3 Subscription and Billing Data

• Plan subscription records — which plan you are on, when it started, when it expires, and whether auto-renew is enabled; or whether it is a permanent Lifetime Plan
• Stripe Customer ID — when you subscribe to a monthly recurring plan, we create a Stripe Customer object and store the resulting customer ID against your account so future subscription charges can be linked to your card on file. This ID is never shown to other users.
• Stripe Subscription ID — the identifier of your active recurring subscription in Stripe, used to process renewals, handle cancellations, and reconcile webhook events from Stripe.
• Token balance and purchase history — credits used to purchase upgrades, bot slots, and other platform features. Tokens are no longer used to pay for monthly plans.
• Extra bot slot records — when you purchase additional bot slots (with tokens or via Stripe), we record the package purchased, number of slots granted, tokens spent or amount paid, and timestamp. This record is retained for reconciliation purposes.
• Monthly plan payment records — for real-money recurring plan payments processed by Stripe, we store the Stripe invoice ID, subscription ID, amount charged, and timestamp for reconciliation and audit purposes. These records are retained for a minimum of 7 years.
• Lifetime Plan purchase records — for real-money Lifetime Plan purchases made via Stripe, we store the Stripe session ID, plan purchased, amount paid, and timestamp. Retained for a minimum of 7 years.
• Stripe transaction identifiers — we store Stripe session, invoice, and subscription IDs to reconcile all purchases. Full card details are handled exclusively by Stripe and are never stored on Viirless servers.

2.4 Support Tickets

If you submit a support ticket, we store the ticket content and any follow-up messages you send so that our team can respond and track the issue.

2.5 Collaboration Data

When a bot owner invites another Viirless user as a collaborator, we store:

• Collaboration record — the bot ID, the owner's user ID, and the collaborator's user ID, along with the permission flags that were granted (edit files, view environment variables, start, stop, restart)
• Invitation timestamp — when the collaborator was added

Collaborators who are granted the "View Env" permission will be able to see the bot owner's environment variables (including any Discord bot token or API keys stored in that bot). This access is entirely at the discretion of the bot owner. Viirless is not responsible for what a bot owner chooses to share with their collaborators.

When a collaborator is removed, the collaboration record is deleted. The collaborator loses all access to the bot immediately. Any environment variable values they may have viewed prior to removal are no longer accessible through the platform.

2.6 AI Coding Assistant Data

If you choose to use the optional AI Coding Assistant feature, we collect and process the following additional data:

• Google Gemini API key — if you save a key in Profile → AI Coding Assistant, it is encrypted using AES-256-GCM before storage. The encryption key is held server-side in an environment variable and never stored alongside the encrypted value. Your plain-text API key is never logged, written to disk in plain text, or accessible to Viirless staff. You can reveal it (via password verification), replace it, or delete it at any time.
• AI chat sessions — the messages you send to the AI and the AI's replies are stored in our database, associated with your account and the relevant bot. This history exists so you can resume sessions across page refreshes. Sessions are visible only to you (and the bot owner, if you are a collaborator).
• Tool call results — when the AI reads, writes, or deletes files or environment variables on your behalf, the fact that these actions occurred is reflected in your session history. The content of modified files is not separately stored by Viirless beyond what exists in your bot's file directory.

Your chat messages are transmitted to Google's Generative AI API (generativelanguage.googleapis.com) using your own API key. This transmission is subject to Google's Generative AI Additional Terms of Service and Google's Privacy Policy. Viirless does not control how Google processes data submitted to its APIs.

We do not use your AI chat history for training, advertising, or any purpose other than displaying it back to you within the session interface.

2.7 Ban & Unban Review Data

If your account is banned and you submit an unban review request, we collect and store the following data in connection with that review:

• Ban record — the reason for the ban, the date it was issued, and the administrator user ID that applied it
• Review submission — the message you submit in support of your review request, the date and time of submission, and the current review status (pending, approved, or denied)
• Payment record — the Stripe Checkout Session ID associated with the review fee payment, the amount charged, and the payment timestamp. Full card details are handled exclusively by Stripe and are never stored on Viirless servers.
• Administrator decision — the outcome (approved or denied), any note left by the reviewing administrator, and the date the decision was made

This data is used solely to administer the ban appeal process and to maintain a record of enforcement decisions for audit and dispute resolution purposes. It is not used for advertising or shared with third parties except as required by law.

Our legal basis for processing unban review data is legitimate interests (Art. 6(1)(f) GDPR): maintaining secure, abuse-resistant enforcement processes and a reliable audit trail of disciplinary decisions.

2.8 Technical and Usage Data

We may automatically collect:

• IP addresses — at login and registration for security purposes
• Browser/device information — standard HTTP headers (user agent, referrer) for debugging
• API request logs — timestamps and endpoints accessed, retained briefly for operational monitoring

We do not use analytics trackers, advertising pixels, or fingerprinting scripts.

3. How We Use Your Information

We use the data we collect for the following purposes:

• Providing the service — creating and managing your account, deploying and running your bots, applying the correct resource limits based on your plan
• Billing and subscriptions — processing token purchases, applying plan upgrades/downgrades, enforcing bot limits when a subscription expires, handling auto-renew
• Security — detecting and preventing abuse, brute-force login attempts, and unauthorized access
• Support — responding to tickets and resolving technical issues with your bots
• Service communications — sending transactional emails such as account confirmation or billing notices (we do not send marketing email without your explicit consent)
• Platform improvements — using aggregate, anonymized usage data to improve reliability and performance

We do not use your data for advertising, profiling, or sale to third parties.

3.1 Legal Bases for Processing (GDPR Article 6)

Viirless is based in Denmark and processes personal data in accordance with the EU General Data Protection Regulation (GDPR) and the Danish Data Protection Act (Databeskyttelsesloven). For each category of data we process, our legal basis is:

4. How We Store and Protect Your Data

• Passwords are hashed with bcrypt before storage. The plain-text password is never written to disk or logs.
• API authentication uses short-lived JWT tokens (7-day expiry). Tokens are transmitted over HTTPS only.
• Database access is restricted to backend services on a private network. Direct external access is disabled.
• Bot files are stored in a per-user directory on the server filesystem with access restricted to the application process and the user's own container.
• Environment variables are stored encrypted-at-rest in the database and passed securely into containers at startup.
• Transport encryption — all traffic between your browser and our servers is encrypted via TLS/HTTPS.

No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security. We recommend you use a strong, unique password and never store sensitive secrets beyond what your bot needs to function.

5. Docker Container Isolation

Each bot runs in its own Docker container with enforced CPU and memory limits. Containers are configured with the following security constraints:

• No host network access — bots communicate via the internet like any other process, but cannot access the host machine's internal network
• Read-only filesystem for the bot code directory, with a separate writable data volume if needed
• No privilege escalation — containers run as non-root users and cannot gain elevated permissions on the host
• Strict resource caps — memory and CPU quotas prevent one bot from impacting others on the same host
• Container-to-container isolation — bots cannot see or communicate with other users' containers

Bot code you upload is executed only within these containers. It cannot read or write files outside its assigned directory, and it cannot access other users' data or environment variables.

6. Payments and Billing

All payments are processed by Stripe (stripe.com/privacy). This includes monthly recurring plan subscriptions (billed to your card each billing period), token package purchases, extra bot slot purchases, Lifetime Plan purchases, and unban review fees (a non-refundable administrative fee paid by banned users to request account reinstatement review). When you complete a purchase, you are redirected to a Stripe-hosted checkout page. Viirless never handles, sees, or stores your full card number, CVV, or bank details.

We store the following billing data on our side:

• Stripe Customer ID (created when you first subscribe to a recurring plan)
• Stripe Subscription ID for active recurring plans
• Stripe session, invoice, and payment IDs for reconciliation
• Plan, token package, or bot slot purchased, amount, and timestamp
• Your token balance and transaction history within the platform
• Plan activation and renewal records (plan tier, activation date, expiry date, permanent status flag)

For monthly recurring plans, Stripe automatically charges your card each billing period. You can cancel at any time from your Subscription page in the dashboard — cancelling stops future charges and your access continues until the end of the current paid period.

When a paid subscription expires or is cancelled and the current period ends, any bots exceeding the free plan's bot limit will be automatically suspended (stopped and locked). Your bot files and configuration are retained; you can reactivate them by subscribing to a new plan.

7. Cookies and Local Storage

Viirless does not use tracking cookies or third-party advertising cookies.

The dashboard stores your JWT authentication token in the browser's localStorage so you remain logged in between sessions. This token is scoped to viirless.net and is never shared with third parties. Clearing your browser's local storage will log you out.

We do not use Google Analytics, Facebook Pixel, or similar tracking services.

8. Data Sharing and Third Parties

We do not sell, rent, or trade your personal data. We share data only in the following limited cases:

8.0 User-to-User Sharing via Collaboration

When a bot owner grants another user collaborator access, that user may see the bot's name, files, container status, and — if the owner enables it — environment variables. This is a voluntary, owner-initiated sharing of data between platform users.

Viirless does not make this sharing decision; it is made by the bot owner. We provide the mechanism and enforce the permission boundaries, but we are not responsible for the data shared between a bot owner and their chosen collaborators.

We store the minimum data necessary to implement and display collaboration relationships: the collaborator's username, email (shown to the owner in the collaborator list), and the permission flags. Collaborators' profile data (username, email) is visible to the bot owner who invited them.

8.1 Service Providers

• Stripe — payment processing. Subject to Stripe's own privacy policy.
• Infrastructure providers — the Linux server(s) on which Viirless runs. Data is processed only on servers we control or have contracted for this purpose.

8.2 Legal Requirements

We may disclose your data if required to do so by law, court order, or a valid request from a government authority, or to protect the rights, property, or safety of Viirless, our users, or the public.

8.3 Business Transfers

If Viirless is acquired or merged with another company, your data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our site before such a transfer takes place.

9. Data Retention

• Account data — retained for as long as your account is active. Deleting your account removes your profile, bots, and associated files from our systems within 30 days.
• Bot files and environment variables — deleted when the bot is deleted or when the account is deleted.
• Container logs — rolling retention; older logs are purged automatically.
• Billing records — retained for a minimum of 7 years to comply with financial record-keeping regulations, even after account deletion.
• Collaboration records — deleted immediately when a collaborator is removed or when either party's account is deleted.
• AI Coding Assistant API key — deleted immediately when you remove it via Profile settings, or when your account is deleted.
• AI chat sessions and message history — retained for the life of the account; you may delete individual sessions at any time from the AI panel. All session data is deleted when your account is deleted.
• Support tickets — retained for the life of the account to assist with dispute resolution.
• Ban and unban review records — retained indefinitely as part of the account's enforcement history, even after account deletion, for audit, dispute resolution, and abuse-prevention purposes. This includes the ban reason, user review message, administrator decision and note, and the associated Stripe payment record (retained for 7 years for financial record-keeping compliance).
• Server/API logs — retained for up to 90 days for security monitoring, then deleted.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access (Art. 15 GDPR) — request a copy of the personal data we hold about you
• Correction (Art. 16 GDPR) — update your username or email address at any time from your Profile settings in the dashboard
• Deletion (Art. 17 GDPR) — delete your account and associated data via the dashboard (Settings → Delete Account), or by contacting us. Note: billing records are retained as required by law (see Section 9).
• Data portability (Art. 20 GDPR) — request an export of your bot files and account data in a machine-readable format
• Restriction of processing (Art. 18 GDPR) — request that we restrict processing of your data in certain circumstances
• Objection (Art. 21 GDPR) — object to processing based on legitimate interests, including profiling
• Withdraw consent — where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, use the self-service tools in your dashboard or contact us at privacy@viirless.net. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice).

10.1 Right to Complain to a Supervisory Authority

If you believe we have processed your personal data in violation of the GDPR, you have the right to lodge a complaint with the Danish data protection supervisory authority:

If you are located in another EU/EEA member state, you may also lodge a complaint with the supervisory authority in your country of residence.

10.2 California Residents (CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell your personal information. To exercise your CCPA rights, contact us at privacy@viirless.net.

11. Children's Privacy

The Viirless platform is not directed at children under the age of 13 (or 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has created an account on our platform, please contact us and we will delete the account promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or via an in-app notice.

Continued use of the platform after changes become effective constitutes acceptance of the revised policy. We encourage you to review this page periodically.

13. Contact Us & Data Controller

The data controller for personal data processed by the Viirless platform is Viirless, based in Denmark.

If you have questions about this Privacy Policy, want to exercise your data rights, or need to report a privacy concern, you can reach us through:

• Support tickets — open a ticket from your dashboard (fastest response)
• Email — privacy@viirless.net

We aim to respond to all privacy-related requests within 5 business days, and in any event within the 30-day period required under GDPR.