Privacy Policy
1. Introduction
We (“we”, “us”, “our”) respect your privacy and are committed to protecting the personal data you share when signing in via Discord OAuth through Authentik, and when accessing BookStack using Authentik as our OpenID Connect (OIDC) provider. This Privacy Policy explains:
- What personal data we collect
- How we use, store, and share that data
- Your rights and choices regarding your information
By using our services, you consent to the collection and use of your data as outlined below.
2. Data Controller and Contact
Data Controller:
Stefanocoding
Privacy Inquiries:
[email protected]
3. Data We Collect
3.1. Discord OAuth via Authentik
When you sign in with Discord, Discord and Authentik will share the following attributes, depending on requested scopes and your consent:
- User ID (unique Discord identifier)
- Username & Discriminator (e.g. “JaneDoe#1234”)
- Global Avatar Hash
- Email Address (if you grant the
emailscope) - Locale & Verified Status
In addition, to support server-based access controls and personalization, we request:
- Guilds (
guilds): a list of servers the user is a member of, including each guild’s ID, name, and icon - Guild Member Data (
guilds.members.read): detailed membership information for each guild—such as the user’s roles array, joined timestamp, and permissions—allowing us to map Discord roles to Authentik groups or enforce role-based policies
Authentik may also log:
- Authentication timestamps
- IP address and device/browser metadata
3.2. BookStack via Authentik OIDC
When you access BookStack through Authentik:
- OIDC subject (
sub) – your Authentik user identifier - Name, email, and any additional claims (e.g. groups, roles) that we map for BookStack authorization
- Session information (timestamps, IPs, device)
4. Purposes of Processing
We process your data to:
- Authenticate and authorize you to access our applications securely.
- Personalize your experience (e.g. display your username, avatar).
- Maintain security by logging sign-in events, detecting anomalies, and preventing abuse.
- Communicate with you regarding account status, security alerts, or policy updates.
5. Legal Basis
Our lawful bases for processing personal data are:
- Performance of a contract: to provide you with access to our services.
- Legal compliance: to meet obligations under data-protection laws.
- Legitimate interests: to secure our systems, prevent fraud, and maintain service quality.
6. Data Sharing and Disclosure
6.1. Third-Party Services
- Discord: Facilitates user identity provision when you choose “Sign in with Discord.” We do not share data back to Discord beyond standard OAuth flows.
- Authentik: Acts as our identity provider. It processes your data under our instructions.
- BookStack: Receives only the OIDC claims necessary to grant you access and appropriate permissions.
6.2. Compliance and Protection
We may disclose personal data if required by law (e.g. court order), to protect our rights, or in response to lawful requests by public authorities.
7. Data Retention
- Authentication Logs (timestamps, IPs): retained for up to 12 months for security auditing.
- User Account Details (Discord IDs, email, profile info): retained as long as your account exists.
- BookStack OIDC Claims: retained while you remain an active user.
After account deletion or inactivity for [X months], we will anonymize or delete your data, except where retention is required by law.
8. Security Measures
We implement appropriate technical and organizational safeguards, including:
- TLS encryption for data in transit
- Encrypted storage for sensitive logs
- Access controls and audit trails in Authentik and BookStack
- Regular security assessments
9. Your Rights
Subject to applicable local law, you may have the right to:
- Access – obtain a copy of your personal data.
- Rectify – correct inaccurate or incomplete data.
- Erase (“right to be forgotten”) – request deletion of your data.
- Restrict processing – under certain circumstances.
- Data portability – receive your data in a structured format.
- Object to processing based on legitimate interests.
To exercise any of these rights, contact us at [email protected]. We may request identity verification before fulfilling requests.
10. Children’s Privacy
Our services are intended for users aged 13 or older. We do not knowingly collect data from children under 13. If you believe we have inadvertently collected such data, please contact us to have it deleted.
11. International Transfers
Your data may be processed in the EEA, Switzerland, or other countries where our providers operate. We rely on appropriate safeguards (e.g. EU Standard Contractual Clauses) to ensure adequate protection.
12. Changes to This Policy
We may update this policy to reflect changes in our practices or legal requirements. We will post the revised date at the top and notify you of significant changes via email or in-service notice.