Privacy Policy
Introduction
Who we are
WHITE SPACE is a Discord bot, verification system, voice platform, kit storefront, and suite of desktop tools maintained by an individual developer (@cl5rr). This policy covers data collected by all services operating under wspacebot.com.
Scope
This policy applies to: the WHITE SPACE Discord bot, the web dashboard, the White Space Guardian browser extension, the voice/video platform, the BEATS API, the YtDown desktop application, and the kit license verification system. By using any of these, you consent to the data practices described here.
Principle
The minimum data necessary to provide each feature is collected. Data is not sold to third parties. Data is not used for advertising.
WHITE SPACE Bot
Discord Interactions
When you interact with the bot via Discord, the following metadata is processed:
- Snowflakes: User IDs, Server IDs, Channel IDs, and Role IDs required for command execution.
- Message metadata: Timestamps processed to calculate cooldowns. Message content is not stored except within ticket channels (see section 7).
- Audit log access: The Anti-Nuke system reads Discord audit logs in real time to identify executors of destructive actions. This data is used only for in-memory threat detection and is not stored beyond what is logged to your configured log channel.
Auto-Moderation (Image Filter)
If a server enables the Image Filter, image attachments posted in that server are checked against lists of known scam/prohibited images (for example, recurring fake-giveaway screenshots):
- Image processing: When you post an image, the bot downloads it into memory and computes a compact perceptual hash (a short "dHash" fingerprint, e.g. a 16-character code). The image itself is never stored; it is discarded from memory as soon as the hash is computed.
- Matching: The hash is compared against a global default list (maintained by WHITE SPACE staff) and the server's own list. If your image closely matches a blocked entry, the message is deleted and the server's configured action (delete only, timeout, kick, or ban) is applied.
- What is stored: Only the perceptual hashes of images that a server administrator (or WHITE SPACE staff, for the default list) has deliberately added to a block list are stored. These hashes are one-way fingerprints and cannot be used to reconstruct the original image. Hashes added to a server's list may record the ID of the administrator who added them.
- Logging: When a blocked image is removed, an entry may be posted to the server's configured moderation log channel, as with other auto-moderation actions.
Global Chat
Before your first Global Chat message, a button-based challenge is presented. Your pass/fail result is processed in memory only and is not stored. Passing grants a 20-minute session token stored in memory, cleared on bot restart, and never persisted to the database.
Verification System
When you use the /verify portal, the following is processed to calculate a Trust Score (a reputation score used to decide whether to grant you access to a server):
- Discord account signals: Your account age (derived from your User ID), Nitro/premium status, and public account badges/flags (such as Staff, Partner, HypeSquad, Early Supporter, and Active Developer). These contribute to your score.
- Third-party connections: Public metadata from accounts you explicitly authorize via Discord OAuth. This may include Steam, GitHub, Spotify, Twitch, YouTube, Reddit, Twitter/X, Battle.net, PlayStation, Xbox, Roblox, Epic Games, Facebook, Instagram, TikTok, Crunchyroll, and verified domains. Only public data such as the platform type, account name, and verification status is read. Credentials and private content are never accessed.
- Mutual servers: Your list of Discord servers is read once during verification to count how many servers you share with the bot (capped, and excluding servers you own or administrate). The count contributes to your score; the full server list is not stored.
- Browser fingerprint: A SHA-256 hash of device characteristics (User Agent, language headers, IP address, and client hints) stored as
ws_device_idin your cookies. Used to detect when one device is linked to multiple accounts (alt detection). - IP address: Your IP is processed during verification. A SHA-256 hash of it may be stored to detect shared-IP situations (potential alternate accounts). Your raw IP is also sent to our VPN/proxy detection subprocessor (proxycheck.io) to determine whether you are connecting through a VPN, proxy, or Tor. Verification through a detected VPN/proxy is blocked.
- Verification result: Your Trust Score, tier, the score breakdown, the connected accounts found, your pass/fail status, and (unless you have opted out) your hashed IP and device fingerprint are stored persistently. The result and breakdown are also posted to the server's configured verification log channel, where server staff can see it and may manually approve you.
Verification Privacy Controls
You can opt out of IP logging and/or device-fingerprint tracking for verification from your account privacy settings (wspacebot.com,
/api/me/privacy). Opting out disables the corresponding alt-detection check for your account; the rest of the Trust Score is still calculated. Manual approval by a server administrator grants a temporary 5-minute verification window held in memory only.Voice and Video
- IP addresses: Processed to establish WebRTC connections via STUN/TURN servers. Not stored permanently.
- Streams: Audio and video are transmitted peer-to-peer or via relay and are not recorded or stored by the Service.
- Local preferences: Mic and camera settings are stored in your browser's localStorage on your device only.
Browser Extension
The White Space Guardian extension processes page content locally. It transmits only specific identifiers (User IDs or URLs) to the API to check against safety lists. No browsing history or passwords are transmitted.
WS Accounts
When you create a WS Account at wspacebot.com/login, the following is stored persistently:
- Credentials: Username (permanent) and a password stored as a scrypt-derived hash with a random salt. Passwords are never stored in plain text and are not readable by the Developer.
- Identity: Display name (up to 32 characters) and bio (up to 280 characters).
- User content: Social links, project entries, tile configurations, journal entries (public or private), and mood logs.
- Appearance settings: Avatar colors, eye style, wallpaper, custom background URL, custom cursor URL, and animations.
- Linked Discord ID: Optionally stored if you connect your Discord account. Not shared with third parties.
- Session data: A session cookie persisting for 7 days (30 days if "stay logged in" is selected). Cleared on logout.
- Security metadata: Last login timestamp, IP address, and a failed login counter used to enforce temporary lockouts.
YtDown
What we collect
YtDown is a local desktop application. It does not require an account and does not transmit personal data to our servers during normal operation.
- Clipboard content: YtDown monitors your clipboard locally for YouTube URLs. This processing happens entirely on your device. Clipboard content is never transmitted.
- Downloaded files: Files are saved to the folder you configure on your machine. The Service does not receive copies of downloaded files.
- User preferences: Format, quality, and folder settings are stored locally in a configuration file on your device.
Update checks
YtDown may periodically check wspacebot.com for a new version number. This request contains no personal identifiers beyond a standard HTTP request (which includes your IP address as part of normal network operation). No usage telemetry is collected.
Third-party tools
YtDown bundles yt-dlp and ffmpeg. These tools interact directly with YouTube and other platforms from your device. Their privacy behavior is governed by their own projects and is outside the Developer's control.
Kit License Verification
Roblox OAuth
When you verify your kit license at wspacebot.com/purchase, you authorize Roblox's OAuth 2.0 system to share your Roblox account information with the Service. The following is received and processed:
- Roblox user ID: A numeric identifier used to query the Roblox Open Cloud API for gamepass ownership.
- Roblox username: Displayed to you during the verification session for confirmation.
Storage
Your Roblox user ID and username are stored in your server-side session only. They are not written to the persistent database. Session data is cleared when you unlink your account or your session expires.
Gamepass check
Your Roblox user ID is used to query Roblox's Open Cloud inventory API via the Developer's API key to confirm ownership of the relevant gamepass. This query is made from the server and the result (owned or not owned) is used only to grant or deny access to the download link.
Avatar thumbnail
Your Roblox avatar headshot is fetched from Roblox's public thumbnail API and displayed during the verification session. It is not stored.
No permanent Roblox data
No Roblox account data is stored permanently. The Service does not retain your Roblox identity after your session ends.
BEATS
When you save a beat map via the BEATS editor:
- A unique map name, title, encoded beat data, your Discord User ID as creator, and timestamps are stored persistently.
- Saved beat maps are publicly accessible via the REST API at their named endpoint.
- Local drafts: Unsaved work is stored in your browser's localStorage under the key
beats_draft. This never leaves your device.
Ticket System
When you open or participate in a ticket, the following is stored persistently:
- Ticket metadata: Ticket ID, Guild ID, Channel ID, creation timestamp, and status.
- Creator information: User ID, display name, and subject line.
- Message content: Full text of each message, including author User ID, display name, avatar URL, role color, bot status, and timestamp.
- Attachments: URLs and metadata for files or embeds sent in the ticket.
- Participants: A list of User IDs of all participants.
- Closure information: User ID, display name, and timestamp of the closing action.
Transcripts are accessible at wspacebot.com/tickets to the ticket creator and server staff. Staff may delete transcripts at any time, permanently removing all associated message data.
Storage and Retention
Volatile memory
Highly sensitive data is processed in-memory and never written to the database: voice signaling packets, Anti-Nuke tracking windows, quarantine states, Global Chat verification tokens, and flood tracking states. All of this resets on bot restart.
Persistent database
Data stored in MongoDB is limited to what is necessary for long-term functionality: economy and leveling data, server configurations (including any image-filter hashes a server has added), verification records, WS Ban entries, Anti-Nuke audit logs, WS Account data, mood logs, ticket records, and BEATS beat maps.
Retention periods
Server configuration data is retained while the bot remains in your server. Verification logs are retained to prevent immediate re-verification abuse. WS Account data is retained until you delete your account. Ticket data persists until deleted by staff or the ticket creator.
Your right to deletion
You may delete your WS Account and all associated data at any time via the settings panel on your profile page. You may also opt out of IP logging and device fingerprinting for verification from your privacy settings at any time. For deletion of other data (verification records, hashed IP and fingerprint identity records, economy data), contact the Developer directly.
Third-Party Subprocessors
- Discord Inc.: The primary platform for the bot and OAuth.
- Roblox Corporation: OAuth provider and inventory API for kit license verification.
- MongoDB Atlas: Cloud database provider.
- Groq Inc.: AI inference provider for the AI chat module.
- proxycheck.io: VPN, proxy, and Tor detection during verification. Your IP address is sent to this provider to assess connection risk. No other personal data is shared.
- Google (STUN): Used for establishing peer-to-peer voice connections. IP resolution only.
- Kamatera: VPS hosting provider for the web server.
Security
The Service employs industry-standard security measures including encryption in transit (TLS/SSL), strict access control, input sanitization, hashing of device fingerprints, and scrypt-based password hashing with per-account random salts. Passwords are never stored in recoverable form.
Contact
For privacy-related inquiries, data deletion requests, or questions about this policy:
- Discord: @cl5rr
- Support server: WHITE SPACE Community
WHITE SPACE