Legal
Data-Subject Requests
Under GDPR (EU), UK GDPR, and CCPA (California) you have the right to access, correct, port, and delete the personal data we hold about you. We honour these rights for everyone — not just users in regions where the law requires it.
Most requests are self-serve
Before emailing, check the dashboard. If you're an active Sloth Lee user, the fastest path is built in:
- Right to access (Article 15). Open Dashboard → Settings → Privacy → Export my data. You'll get a JSON archive of every record tied to your account: profile, preferences, dashboard activity, ticket history, audit-log entries you authored. Generated within 5 minutes for typical accounts.
- Right to correction (Article 16). Most fields you can edit in-place from Settings → Account. Discord identity fields (username, avatar) sync from Discord — change them there and they propagate within minutes.
- Right to deletion (Article 17). Dashboard → Settings → Privacy → Delete account. One click + email confirmation. Account deletion propagates within 24 hours; full backup purge within 30 days.
- Right to portability (Article 20).The data export above is JSON — machine-readable, easy to feed into another tool. We don't do CSV-only or PDF-only exports designed to make portability painful.
What about deleting my Discord identity entirely?
Audit-log entries you authored are anonymised rather than deleted — your Discord ID is replaced with a placeholder, but the action and timestamp remain. This preserves the historical record for the other users in the server (who have their own right to know what happened to them).
If you want full physical deletion of audit-log rows you authored, email us with the reason — we'll evaluate case-by-case under GDPR's Article 17(3) exemptions (freedom-of-expression, legitimate-interest balancing, etc.) and respond within the 30-day statutory window.
If you can't use the dashboard
Maybe you don't have an account anymore but appear in someone else's server's audit log. Maybe your account is locked. Maybe you're asking on behalf of someone else. In those cases:
Email privacy@slothlee.xyz with:
- What you're asking for. Access, correction, deletion, restriction of processing, objection to processing, or portability.
- Who you are.Discord user ID (the numeric one, not username) so we can identify the records. Asking on someone else's behalf? Include written authorisation plus their Discord ID.
- Verification.So we know it's actually you, we'll send a confirmation message via Discord DM to that user ID before processing. If we can't reach you on Discord, we may ask for OAuth re-authentication.
How long it takes
- Self-serve requests (export, deletion via dashboard): within minutes for most accounts; up to 24 hours for very large servers.
- Email requests: acknowledged within 5 business days. Fulfilled within 30 days, as required by GDPR Article 12(3). For complex requests we may extend by a further 60 days under Article 12(3) — we'll tell you if we need to and explain why.
- Deletions: visible in the dashboard immediately; purged from primary database within 24 hours; purged from backups within 30 days as those backups age out.
What we never charge for
All data-subject requests are free, every time. GDPR allows a reasonable fee for “manifestly unfounded or excessive” repeat requests; we've never invoked that and don't intend to.
Right to complain
If you're unhappy with how we've handled your request, you have the right to lodge a complaint with your national data-protection authority. In the EU/UK that's the relevant supervisory authority (e.g., the ICO in the UK, the CNIL in France). In California, the Attorney General's office.
We'd ask you to email us first so we can try to fix it, but we'll never tell you that's a precondition. It isn't.
Data we share with third parties
Listed in full in our privacy policy. Short version: Stripe (billing), Discord (auth + bot operation), OpenAI (when you opt in to AI moderation features), Postmark (transactional email — coming soon), Sentry (error monitoring, request bodies stripped before they reach Sentry). All of these are listed as “processors” in our records; none of them have free rein over your data.