Privacy Policy

Last updated: 4 June 2026

We at the Tawqeet bot development team take the privacy of your data seriously. This policy explains the types of data we collect through the Discord bot and the (web) dashboard, the basis for processing it, and how we use, store, protect, and share it, its retention periods, and your rights regarding it — in line with Saudi Arabia's Personal Data Protection Law and its Implementing Regulations.

By using the Tawqeet bot or signing in to the dashboard via Discord OAuth2, you agree to the processing of your data in accordance with this policy and the legal basis set out in it.

Data Controller and Contact Details

The data controller is the “Tawqeet team”, the party that determines the purposes and means of processing your personal data. For any privacy-related inquiry or to exercise your rights, you may contact us at the official email [email protected], and we commit to responding to your requests within no more than 30 days.

1. Data We Collect

To provide attendance tracking and analytics services, the system collects and stores the following categories of data:

1.1 Discord Data

  • Discord IDs:
    • User ID: to link attendance and points records to the correct person.
    • Guild ID: to keep each server's data separate.
    • Channel/Role IDs: to store server settings (logs, reports, and admin role channels).
  • Usernames: Username and Display Name, to show them in reports and the dashboard.
  • Member roles: server member roles are synced periodically to support filtering by role in analytics.

1.2 Attendance and Session Data

  • Check-in and check-out timestamps.
  • Duration of each session and any manual adjustments to it.
  • Session status: automatic or manual, forced check-out, AFK status.
  • Session notes (if added by an admin).
  • Points earned from each session.

1.3 Points System Data

  • Each member's points balance.
  • Transaction log: amount, type (attendance/manual), reason, date, and the ID of the executing admin.

1.4 Engagement System Data

  • Voice Activity: a member's presence status in voice channels (muted, listening, alone or with others) for the purpose of calculating engagement points fairly.
  • Text message analysis: the content of messages in your Discord channels is read instantaneously and temporarily only to prevent abuse (spam), to count points based on word count, and to run command shortcuts, and message content is never saved or stored in our databases.
  • Level and points records: a member's lifetime XP, level, and the last three weeks' points record are stored to display weekly leaderboards.

1.5 Command Logs

  • The executed command name, the options sent, the executing username, the execution status (success/failure), and error messages.
  • Used for auditing, preventing misuse, and improving the service.

1.6 AI Assistant Data

  • The questions you send to the AI assistant and its responses are stored temporarily as conversations for 7 days and then deleted automatically.
  • Your questions are sent, along with limited attendance-data context, to the AI model provider (OpenRouter / Google Gemini) for processing, and sharing is limited to what is necessary to fulfil your request.
  • Daily usage counters (to enforce usage limits).

1.7 Authentication Data (Dashboard)

  • When signing in to the dashboard, we use Discord OAuth2 with the identify and guilds scopes only. The access token is stored in an encrypted session cookie on your device and is not stored in our databases.

1.8 Website Analytics

  • The website may use web analytics tools (Google Analytics and Cloudflare Insights) to collect aggregate, pseudonymized statistics about page visits in order to improve the service, and these tools only run after your consent via the cookie banner (see the Cookies section).

2. Legal Basis for Processing

We process your data based on one or more legal bases depending on the purpose:

  • Necessity to provide the service: processing Discord IDs, attendance records, and settings is necessary to operate the attendance-tracking service requested by the server.
  • Legitimate interest: command logs, security, abuse prevention, and auditing, in a manner that does not prejudice the data subject's rights.
  • Explicit consent: use of the AI assistant and optional analytics tools is based on your consent, which you may withdraw at any time.
  • Legal obligation: where a legal basis requires processing or disclosure.

Tawqeet is the controller of the data it processes. Server owners and administrators are responsible for their use of the service within their communities, for informing their members, and for obtaining the necessary consents where the regulations require it.

3. How We Use Your Data

We use the collected data for the following purposes only:

  • Recording and calculating members' attendance and absence durations.
  • Generating daily, weekly, monthly, and individual reports.
  • Displaying leaderboards and analytics (charts, peak times, forecasts).
  • Calculating and rewarding points based on attendance hours.
  • Tracking members' voice and text engagement to calculate their levels and roles automatically.
  • Providing smart analytics through the AI assistant using attendance data.
  • Sending long-session and AFK status alerts.
  • Monitoring data integrity and detecting stuck or anomalous sessions.
  • Improving the performance of the bot and website and fixing bugs.

4. Sharing Data with Third Parties

  • We do not sell or rent your data to any third party under any circumstances.
  • Service providers: we share limited data with the following service providers to operate the system:
    • Discord API: for authentication and managing servers and members.
    • OpenRouter / Google Gemini: to process AI assistant questions — limited attendance context is sent with the question solely to fulfil the request.
    • MongoDB: to store data in a secured database.
    • Hosting provider (in Europe): to run the website, the bot, and the database.
    • Google Analytics / Cloudflare: for aggregate website analytics (after your consent).
  • Your attendance data is available only to the administrators of the server in which the attendance was recorded.
  • We may have to disclose data if required by an applicable law or by an order from a competent authority.

5. Transferring and Processing Data Outside the Kingdom

The website, bot, and database servers are hosted with a provider in Europe, and the service relies on global providers (Discord for authentication, Google / Gemini via OpenRouter for the AI assistant, and Cloudflare for website analytics) whose servers may be located outside the Kingdom. Accordingly, your data may be transferred and processed outside the Kingdom of Saudi Arabia. This transfer takes place to the minimum extent necessary to provide the service you requested, with providers that maintain an appropriate level of protection, and in accordance with the controls prescribed by law for transferring personal data outside the Kingdom.

6. Data Retention and Deletion

The default is that data is destroyed once the purpose of collecting it ends. The retention periods for each category are as follows:

IDs, names, and roles

Retained as long as the bot is added to the server and linked to your records. Role data is deleted when you leave the server, and the rest is deleted via /reset or when the purpose ends.

Attendance records

Retained according to the per-server customizable retention policy (default: 12 months), then automatically destroyed or anonymized.

Points and engagement levels

Points balance and engagement levels (XP) are retained while the bot is active in the server, and are deleted via /points reset or upon bot removal after the recovery period ends.

Command logs

Automatically deleted 12 months after they are executed.

AI assistant conversations

Automatically deleted after 7 days via a TTL mechanism in the database.

Authentication data

The Discord access token is stored in an encrypted session cookie on your device only, is not stored in our databases, and expires when the session ends or you sign out.

Analytics data

Collected in an aggregate/pseudonymized form and subject to the retention periods of their providers (Google / Cloudflare).

Manual deletion

Server administrators can use the /reset command to delete attendance records for a member or all members, and /points reset to reset points.

Member leaving

When a member leaves the server, their active session is closed automatically, their role data is deleted, and the collection of any new data about them stops. We may retain some historical records in accordance with the retention policy and for a legitimate operational or compliance purpose, then destroy or anonymize them once the purpose ends.

Bot removal

When the bot is removed from the server, automated services stop. The server owner may request an export of their data within 14 days of removal (via the dashboard while available or via the official email), after which the data is destroyed or anonymized unless there is a legal basis for retention.

7. Data Security

We take appropriate organizational, administrative, and technical measures to protect your data, and we limit processing to the minimum necessary for the purpose:

  • Data is stored in a secured MongoDB database with connection encryption.
  • Every dashboard request passes through a multi-level permission check (Discord Permissions → bot admin roles).
  • A rate-limiting system on the AI assistant and sensitive bot commands.
  • A strict Content Security Policy (CSP) on the website and secured communications.
  • A blacklist system to block abusive users or servers, and mechanisms to detect abuse and prevent unlawful use.

Nevertheless, no system is 100% secure. We continuously review and improve our security standards.

8. Data Breach Notification

In the event of an incident leading to the leakage, destruction, or unlawful access to your personal data, we commit to notifying the competent authority (the Saudi Data and Artificial Intelligence Authority — SDAIA) within the period prescribed by law, and to notifying you if the incident is likely to cause you serious harm.

9. Cookies

The website uses essential cookies to operate sign-in and the session; these cannot be disabled as they are necessary for the service to work. We also use optional analytics tools (Google Analytics and Cloudflare) to understand and improve website usage; these tools only run after your consent via the cookie banner, and you can change your choice at any time. Analytics data is aggregate and is not used to identify you personally.

10. Your Rights

As a data subject, you have the following rights under the Personal Data Protection Law:

  • Right to be informed: to know the legal basis for collecting your data and its purpose.
  • Access and obtaining a copy: to view your data and obtain a copy of it via /mystats and /points balance or by exporting Excel from the dashboard.
  • Correction and update: to request the correction, completion, or update of your data.
  • Destruction: to request the deletion of data that is no longer needed via /reset, a server admin, or the official email.
  • Withdrawing consent: to withdraw your consent to optional processing (such as the AI assistant and analytics) at any time.
  • Opting out: to stop using the service at any time; when you leave the server, the collection of new data stops immediately.

To exercise any of these rights, contact us at the official email [email protected], and we will respond within no more than 30 days. You also have the right to file a complaint with the competent authority (SDAIA).

11. Eligibility and Age

The service complies with the minimum age set in Discord's Terms of Service and is not directed at anyone below that age. The server owner is responsible for the appropriateness of using the service within their community in accordance with Discord's rules and applicable laws.

12. Changes to the Privacy Policy

We may update this policy from time to time. Non-material changes take effect from the date of their publication, while material changes are announced through the official bot channels, the support server, or the website at least 7 days before they take effect, unless required for urgent security or legal reasons. If a change results in a material alteration of the purposes or scope of processing, the necessary legal step — including obtaining your consent where applicable — is taken before it takes effect.

Governing Text and Contact

In the event of any discrepancy between the Arabic version and other translations of this policy, the Arabic version is the authoritative reference. For inquiries or to exercise rights: official email [email protected] or the support server.