Legal

Privacy Policy

We built BumpHQ to help Discord server owners grow — not to harvest your data. This policy explains exactly what we collect, why, and what rights you have over it.

Plain-English summary: We store your email, hashed password, Discord bot token (encrypted at rest), and bump history. We share only what's necessary with Stripe (payments), iProyal (proxies), and Disboard (the service we automate). We never sell your data. You can export or delete everything. GDPR applies.

Effective date: 2026-05-05 · Last updated: 2026-05-05

1. Who we are

BumpHQ ("we", "us", "our") is a Discord server growth automation service. For purposes of GDPR and similar privacy laws, BumpHQ is the data controller for information collected through bumphq.co and related services.

Contact: privacy@bumphq.co

2. What data we collect

2.1 Account data

Email address — used for authentication, transactional emails (receipts, password reset), and service notices.
Display name — shown in your dashboard only; not shared publicly.
Password — stored as a bcrypt hash. We never store or see your plaintext password.
Google OAuth token — if you sign in via Google, we receive your Google account ID and email. We do not receive or store your Google password.

2.2 Discord bot token

Important: When you connect your Discord bot, we store the bot token you provide. This token allows our system to control the bot on your behalf. It is encrypted at rest using AES-256 and is never logged in plaintext. We use it exclusively to perform the bumping and server management actions you configure.

The token is scoped to the bot account you create — it does not grant us access to your personal Discord account.
You can revoke the token at any time from the Discord Developer Portal, which immediately invalidates our stored copy.
We do not share your bot token with any third party.

2.3 Server and bump data

Discord server IDs and names — for the servers you connect to BumpHQ.
Bump logs — timestamps and outcomes of automated bumps (success/fail/rate-limited).
Portal channel IDs — the channels our bot creates on your servers.
Ghost-ping configuration — intervals and channel preferences you set.

2.4 Payment data

We use Stripe for payment processing. We do not store credit card numbers or full payment card data on our servers. Stripe provides us with:

A Stripe customer ID linked to your BumpHQ account
Subscription status, plan type, and billing period
Invoice IDs and amounts for your billing history

Stripe's privacy practices are governed by stripe.com/privacy.

2.5 Technical and usage data

IP addresses — logged for security (login events, suspicious activity detection). Retained for 90 days.
Browser/client metadata — user-agent, timestamp. Not used for tracking or advertising.
API request logs — request paths, response codes, latency. Retained for 14 days.

3. How we use your data

Purpose	Legal basis (GDPR)	Data used
Provide the BumpHQ service (automated bumping, portal management)	Contract performance	Bot token, server IDs, bump config
Account authentication	Contract performance	Email, password hash
Payment processing and billing	Contract performance	Email, Stripe customer ID
Transactional emails (receipts, password reset)	Contract performance	Email
Security: fraud detection, abuse prevention	Legitimate interest	IP addresses, login events
Service improvement (aggregate, anonymized analytics)	Legitimate interest	Anonymized bump/usage counts
Legal compliance	Legal obligation	Any data required by law

We do not use your data for advertising, sell it to third parties, or profile you for any purpose beyond operating BumpHQ.

4. Data sharing

We share your data only with the following sub-processors, and only to the extent necessary:

Recipient	Purpose	Data shared	Location
Stripe	Payment processing, subscription management	Email, billing amounts, plan type	USA / EU
iProyal	Residential proxy network used for Disboard interactions	Outbound request IP (proxy-routed) — no personal data sent to iProyal directly	EU
Disboard.org	The bumping platform we automate. Bumps are submitted on your server's behalf.	Your Discord server ID and Disboard session cookies managed by your bot	Unknown
Hetzner Cloud	Hosting provider for our servers and database	All data stored on-platform is hosted on Hetzner infrastructure in Germany (EU)	Germany (EU)

We do not share data with any other third parties unless required to do so by law (e.g., valid court order or law enforcement request), in which case we will notify you if legally permitted.

5. Data retention

Account data — retained for the duration of your account. Soft-deleted on account closure; hard-deleted after 30 days.
Bump logs — retained for 90 days, then purged.
Payment records — Stripe invoice IDs retained for 7 years (tax/legal requirement).
IP address logs — retained for 90 days.
API request logs — retained for 14 days.
Backups — database backups retained for 14 days, then overwritten.

6. Security

All data in transit is encrypted via TLS 1.2+.
Bot tokens are encrypted at rest using AES-256.
Passwords are hashed with bcrypt (cost factor ≥ 12).
Our servers run on Hetzner Cloud (Germany) with private networking between application and database tiers.
Database backups are stored with date-stamped filenames and overwritten after 14 days.
Access to production systems is restricted to authorized operators only.

Despite these measures, no system is 100% secure. In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by GDPR.

7. Your rights (GDPR and similar laws)

If you are located in the EU, UK, or California (CCPA), you have the following rights:

Access — request a copy of your personal data. Use the "Export my data" feature in your dashboard settings, or email us.
Rectification — correct inaccurate data. Update your display name and email directly in dashboard settings.
Erasure ("right to be forgotten") — request deletion of your account and associated data. Use "Delete account" in dashboard settings. Hard delete occurs after a 30-day grace period.
Portability — receive your data in a structured, machine-readable format (JSON). Available via "Export my data".
Restriction — request we stop processing your data while a dispute is resolved.
Objection — object to processing based on legitimate interest.
Withdraw consent — where processing is based on consent, you may withdraw at any time.

To exercise any right, email privacy@bumphq.co. We will respond within 30 days. If you believe we have violated your rights, you have the right to lodge a complaint with your local data protection authority (e.g., the CNIL in France, ICO in the UK, or BfDI in Germany).

8. Cookies

BumpHQ uses minimal cookies:

Authentication session cookie — a signed JWT stored in localStorage (not a cookie), used to keep you logged in. No tracking cookies.
We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts.

9. Children

BumpHQ is not intended for users under 13 years of age (or under 16 in EU/UK). We do not knowingly collect personal data from children. If you believe a child has registered, contact us at privacy@bumphq.co and we will delete the account promptly.

10. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last updated" date at the top and, for material changes, send a notice to your registered email address. Continued use of BumpHQ after the effective date constitutes acceptance of the updated policy.

Questions or requests?

Email us at privacy@bumphq.co. We aim to respond within 5 business days and are legally required to respond to GDPR requests within 30 days.

BumpHQ · bumphq.co · Effective 2026-05-05