Privacy Policy

1 Who We Are

Cyphyrix is an open source software project based in the United Kingdom. We operate a suite of free services including a Fluxer bot, a bot web panel, a status page, a self-hosted Git instance, and a main website. Throughout this Privacy Policy, "Cyphyrix", "we", "us", and "our" refer to the Cyphyrix project and its operators.

Cyphyrix is the data controller for personal data processed in connection with our Services. This means we determine the purposes and means of processing your personal data.

As a UK-based project we comply with the UK General Data Protection Regulation (UK GDPR) as implemented by the Data Protection Act 2018. Where our Services are used by individuals in the European Economic Area (EEA), we also comply with the EU GDPR to the extent it applies.

Privacy contact: privacy@cyphyrix.xyz. We have not formally designated a Data Protection Officer (DPO), but your privacy enquiries will be handled promptly by the Cyphyrix team.

2 What This Policy Covers

This Privacy Policy explains how Cyphyrix collects, uses, stores, and shares personal data across all of our Services:

• cyphyrix.xyz — main website
• status.cyphyrix.xyz — status and uptime page
• Cyphyrix Bot — Fluxer bot (operates on the Fluxer platform)
• bot.cyphyrix.xyz — bot web panel (Fluxer OAuth2 login)
• git.cyphyrix.xyz — self-hosted Forgejo Git instance

It does not cover the data practices of third-party services we depend on (such as Fluxer, BunnyCDN, OVH, or Interserver). Where those services handle your data, their own privacy policies apply.

3 Data We Collect

The data we collect depends entirely on which Service you use. Below we describe each Service and the data associated with it.

3.1 Main Website (cyphyrix.xyz)

The main website is informational and does not require any account or login. We do not set any first-party tracking or analytics cookies. However:

• Server access logs — your IP address, browser user agent, the URL requested, HTTP status code, and timestamp are logged by BunnyCDN as part of normal web server operation. We use these for security monitoring and troubleshooting. Logs are retained for a limited period (typically 30–90 days) and are then deleted.
• Theme preference — if you toggle between light and dark mode, your preference is saved in your browser's localStorage. This data never leaves your device and is not sent to our servers.

3.2 Status Page (status.cyphyrix.xyz)

The status page is read-only and requires no account. Data collected is the same as for the main website: standard server access logs processed by BunnyCDN (IP address, user agent, URL, timestamp). No personal data specific to this Service is stored on our servers.

3.3 Cyphyrix Bot (Fluxer Bot)

The Cyphyrix Bot operates on the Fluxer platform. When you or a guild (server) administrator uses the Bot, we collect and store the following data in a MySQL database on our servers:

• Fluxer user ID — a unique numeric identifier assigned by Fluxer to your account.
• Fluxer username — your display username on Fluxer.
• Guild (server) IDs — the numeric IDs of Fluxer servers that have added the Bot, used to scope bot functionality to the correct server.
• Song request history — tracks for music playback commands you issue in servers where the Bot is active (track title, requester user ID, timestamp).
• Moderation actions — records of moderation commands executed via the Bot (warnings, kicks, bans, unbans), including the target user's ID and username, the moderator's user ID and username, the guild ID, the reason (if provided), and the timestamp. These records persist to provide guild administrators with an auditable moderation history.
• Warning counts — a per-guild cumulative warning counter stored for each user who has received a warning in that server. We store the user ID, username, total warning count, and the timestamp of the most recent warning. This counter is updated each time a warning is issued and is used to enforce escalation thresholds configured by guild administrators.
• AutoMod violation logs — when the AutoMod system detects a rule violation (e.g., a banned word or phrase), we log: your Fluxer user ID, your username, the content of the offending message, the matched words or phrases (stored as a JSON list), the violation category (e.g., "swear", "nsfw", "offensive", or a custom guild category), and the timestamp. These logs are retained for guild administrators to review moderation activity.
• AutoMod configuration — guild-level AutoMod settings (enabled/disabled state, log channel ID, custom word lists, and category definitions) are stored and associated with the guild ID. This configuration data contains no personal information beyond the guild ID and, where a category was created by a moderator, that moderator's user ID.
• Autoroles and reaction roles — server-scoped configuration records (guild ID, role ID, message ID, channel ID, emoji) set by guild administrators. These records contain no personal data beyond the administrator's guild membership.

3.4 Bot Web Panel (bot.cyphyrix.xyz)

The Bot Web Panel allows you to manage the Cyphyrix Bot through a browser interface. Login is provided via Fluxer OAuth2. We store the following in our database:

• Fluxer user ID — a unique numeric identifier used to identify your account on the panel.
• Fluxer username — your display username on Fluxer, shown in the panel interface.
• Discriminator — your Fluxer account discriminator (the numeric tag appended to your username), stored as received from the Fluxer API.
• Email address — the email address associated with your Fluxer account, received via OAuth2 and stored in our database. This is used solely for account identification and is not used for marketing.
• Avatar hash and avatar URL — the avatar identifier provided by the Fluxer API and the resolved URL of your profile picture, stored for display in the panel interface.
• Guild (server) list — the list of Fluxer guilds you are a member of, received from the Fluxer API via OAuth2, to determine which servers you can manage via the panel. This list is cached in your user record and refreshed on login.
• OAuth2 access and refresh tokens — stored securely to maintain your authenticated session and to re-authenticate with the Fluxer API on your behalf.
• Session data — a session token stored in a secure, HTTP-only cookie to maintain your login session. Sessions expire after a period of inactivity.
• Account timestamps — the date and time your panel account was first created (created_at), the date and time your profile was last updated (updated_at), and the date and time of your most recent login (last_login).
• Scheduled account deletion record — if you request deletion of your panel account, the deletion is not immediate. We store a record of the scheduled deletion date (7 days from your request) in an account_deletions table. This record is used to execute or cancel the deletion and is purged once the deletion is carried out or cancelled. See Section 8 (Your Rights) for details on account deletion.
• Access logs — IP address and timestamp of login events, retained for security monitoring.

We do not store your Fluxer password. Authentication is handled entirely via Fluxer's OAuth2 service.

3.5 Git Instance (git.cyphyrix.xyz — Forgejo)

Our self-hosted Forgejo instance requires you to create an account to contribute code, file issues, or submit pull requests. Browsing repositories and viewing code is possible without an account. We store the following in the Forgejo database:

• Account details — username, email address, and a securely hashed password (we do not store plain-text passwords).
• Profile information — any optional information you choose to add to your public profile (e.g., bio, website, location, avatar).
• SSH public keys — if you add them to your account for repository access via SSH. (Private keys are never sent to or stored by us.)
• Repository data — code, commits, branches, tags, releases, and other repository metadata for repositories you create or contribute to.
• Issues and pull requests — any issues, pull request discussions, code reviews, and comments you post.
• Activity logs — Forgejo maintains logs of account activity (e.g., pushes, logins) for security and auditing purposes. IP addresses associated with login events may be retained for a limited period.

Forgejo is open source software. Its own data handling is documented in the Forgejo documentation. We operate the instance, so we are the data controller for all data stored on it.

4 How We Use Your Data

We use the data we collect for the following purposes:

• To provide and operate our Services — for example, storing song queues so the Bot can process music requests, or storing your OAuth2 token so the Webpanel can authenticate API calls on your behalf.
• Moderation history — the Bot records moderation actions (warnings, bans, etc.) to provide guild administrators with an auditable history for their server.
• Account management — to create, manage, and secure accounts on the Git instance and Webpanel.
• Security and abuse prevention — to detect and prevent unauthorised access, abuse, spam, and other harmful use of our Services.
• Service improvement — to understand usage patterns at an aggregate level and prioritise development work. We do not build individual user profiles for this purpose.
• Legal compliance — to comply with applicable UK and other laws, respond to lawful requests from authorities, and enforce our Terms of Service.

We do not use your data for advertising, and we do not train AI or machine learning models on your content.

5 Legal Bases for Processing (UK GDPR)

If you are in the UK or EEA, we are required to have a lawful basis for processing your personal data. Our lawful bases are:

5.1 Contract Necessity

We process data that is necessary to provide the Service you have requested — for example, storing your Fluxer user ID so the Bot knows which user issued a command, or storing your Git account credentials so you can authenticate and push code.

5.2 Legitimate Interests

We process some data based on our legitimate interests in:

• Securing our Services and preventing fraud and abuse (e.g., login logs, rate limiting).
• Maintaining and improving service reliability and performance.
• Understanding how features are used at an aggregate level.

When we rely on legitimate interests, we balance them against your rights and implement privacy-preserving measures. You have the right to object to processing based on legitimate interests — see Section 9.

5.3 Legal Obligation

We may process data to comply with applicable legal obligations, including responding to lawful requests from law enforcement or regulatory authorities, complying with data retention requirements, and our obligations under the UK Online Safety Act and similar legislation.

5.4 Consent

In limited cases we may rely on your consent, for example where required for specific cookie use. Where we rely on consent, you can withdraw it at any time by contacting us at privacy@cyphyrix.xyz. Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal.

6 Who We Share Data With

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances.

6.1 Fluxer Platform AB

The Cyphyrix Bot and Bot Web Panel interact with the Fluxer API. Data you share with Fluxer (such as your username, user ID, and guild membership) is received by us via the API and is governed by Fluxer's Privacy Policy. We act as a data controller when we store that data; Fluxer acts as an independent controller for the data it collects on its own platform.

6.2 BunnyCDN (Bunny.net)

We use Bunny.net for DNS management and CDN services. Traffic to our websites is routed through BunnyCDN's network, which means BunnyCDN may process your IP address and request metadata as part of delivering content. BunnyCDN's data handling is governed by their Privacy Policy. We have reviewed BunnyCDN's privacy practices and are satisfied they provide appropriate safeguards.

6.3 OVH

Some of our servers are hosted by OVH, with data centres in the European Union. OVH provides infrastructure only and does not have access to your data other than as necessary to provide hosting services. OVH is a processor acting on our instructions.

6.4 Interserver.net

Some of our servers are hosted by Interserver.net, with data centres in the United States. As with OVH, Interserver provides infrastructure only and acts as a processor under our instructions.

6.5 Legal Disclosures

We may disclose your personal data to law enforcement agencies, courts, regulators, or other public authorities where we are required to do so by applicable law, or where we believe it is necessary to:

• Comply with a legal obligation or valid legal process (such as a court order or warrant).
• Protect the safety, rights, or property of our users, third parties, or Cyphyrix.
• Detect, prevent, or address fraud, security vulnerabilities, or abuse of our Services.

Where legally permitted, we will endeavour to notify you before disclosing your data in response to a legal request.

7 International Data Transfers

Cyphyrix is based in the United Kingdom. Our servers are currently located in:

• European Union — OVH data centres (EU, adequate protection under UK GDPR/EU GDPR).
• United States — Interserver.net data centres. The US does not have a blanket adequacy decision under UK GDPR for all transfers. We rely on appropriate safeguards, such as standard contractual clauses (SCCs) or equivalent mechanisms approved by the UK ICO, where required.

Traffic routed through BunnyCDN may pass through edge nodes in various countries. BunnyCDN implements appropriate contractual and technical safeguards for international transfers as described in their privacy documentation.

If you would like more information about the specific safeguards we use for international data transfers, please contact us at privacy@cyphyrix.xyz.

8 Data Retention

We retain your personal data only for as long as necessary for the purposes described in this policy, to comply with our legal obligations, and to resolve disputes.

8.1 Cyphyrix Bot Data

Bot data (user IDs, usernames, guild IDs, song history, moderation logs) is retained for as long as the Bot remains in a guild and for a reasonable period thereafter.

Guild administrators can delete all data associated with their server directly through the Bot Web Panel. Please be aware that deleting server data via the Webpanel will also remove the Bot from your server. This action is irreversible — the Bot must be re-added separately if you wish to use it again.

Individual users may request deletion of their personal data (user ID, username, and associated records, including song history and references in moderation logs) by contacting us at privacy@cyphyrix.xyz.

Moderation logs are retained indefinitely by default to preserve an auditable history for guild moderation purposes. You may request deletion of your personal data within those logs, subject to any legitimate interests or legal obligations that require us to retain certain records.

8.2 Bot Web Panel Data

OAuth2 tokens and cached profile data are retained for as long as you have an active panel account. Session tokens expire after a period of inactivity.

You can delete your Webpanel account and all associated data at any time directly through the Bot Web Panel account settings at bot.cyphyrix.xyz. This will remove your stored OAuth2 tokens, cached profile data, and session records. If you are unable to access the panel, you can also contact us at privacy@cyphyrix.xyz to request deletion.

8.3 Git Instance Accounts

Account data (username, email address, profile information, and SSH keys) is retained for as long as your account exists on the Git instance. You can delete your account at any time via the account settings page in Forgejo at git.cyphyrix.xyz.

Please be aware that deleting your account does not remove your contribution history from repositories. Commit history, co-authorship records, issues, pull requests, comments, and code reviews you have submitted will remain part of the repository's permanent record, typically attributed to your former username. This is inherent to the nature of distributed version control systems — removing commits would rewrite history and break the integrity of repositories for all other contributors.

If you have specific concerns about data remaining after account deletion, please contact us at privacy@cyphyrix.xyz and we will consider your request on a case-by-case basis.

8.4 Server Access Logs

Server access logs (IP addresses, user agents, timestamps) for the main website and status page are retained for up to 90 days, after which they are deleted or anonymised. Login event logs on the Webpanel and Git instance may be retained for up to 90 days for security purposes.

8.5 Legal Holds

Where we are required by law to retain data for longer periods (for example, in connection with a legal hold, investigation, or regulatory obligation), we will retain the relevant data for the period required.

9 Your Rights

Under UK GDPR (and EU GDPR where applicable), you have the following rights with respect to your personal data:

9.1 Right of Access

You can request a copy of the personal data we hold about you across any of our Services. We will respond within 30 days (or up to three months in complex cases, with notice).

9.2 Right to Rectification

You can ask us to correct inaccurate or incomplete personal data. On the Git instance, you can update most account details yourself via account settings.

9.3 Right to Erasure ("Right to be Forgotten")

You can request that we delete your personal data in certain circumstances, for example where it is no longer necessary for the purpose for which it was collected, or where you withdraw consent. Note that some data may need to be retained for legal compliance or legitimate business purposes, in which case we will explain why.

9.4 Right to Restriction of Processing

You can ask us to restrict processing of your personal data in certain circumstances, for example while we verify accuracy or consider an objection.

9.5 Right to Data Portability

Where processing is based on consent or contract, and carried out by automated means, you can request a copy of your personal data in a structured, commonly used, machine-readable format.

9.6 Right to Object

You can object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or unless processing is necessary for the establishment, exercise, or defence of legal claims.

9.7 Rights Related to Automated Decision-Making

We do not make automated decisions about you that produce significant legal or similarly significant effects without human oversight. If this changes, we will update this policy and ensure you have the right to request human review.

9.8 How to Exercise Your Rights

To exercise any of the above rights, please contact us at privacy@cyphyrix.xyz. Please include enough information for us to identify you (for example, your username or the email address associated with your account) and a clear description of your request. We may need to verify your identity before acting on the request. We will respond within the timeframes required by applicable law (typically 30 days).

9.9 Right to Lodge a Complaint

If you are based in the UK and believe your rights under UK GDPR have been violated, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

If you are in the EEA, you may also lodge a complaint with your national data protection authority. We encourage you to contact us at privacy@cyphyrix.xyz first so we can try to resolve your concern directly.

10 Children's Privacy

Our Services are not directed at children under the age of 13. In certain jurisdictions (for example, some EEA countries under GDPR), the minimum age for processing personal data without parental consent may be higher (up to 16). You are responsible for ensuring your use complies with the age requirements in your jurisdiction.

We do not knowingly collect personal data from children below the applicable minimum age. If we become aware that we have inadvertently collected such data, we will promptly delete it and the associated account. If you are a parent or guardian and believe your child has created an account on one of our Services without appropriate consent, please contact us at privacy@cyphyrix.xyz.

11 Cookies & Local Storage

11.1 Main Website and Status Page

We do not set any first-party analytics or advertising cookies on these pages. We do not use third-party tracking technologies. Your light/dark theme preference is stored in your browser's localStorage — this is purely local to your device and is never sent to our servers.

11.2 Bot Web Panel

The Webpanel sets a single secure, HTTP-only session cookie to maintain your authenticated login session. This cookie:

• Does not track you across other websites.
• Contains only a session identifier — no personal data is stored in the cookie itself.
• Expires after a period of inactivity or when you log out.

11.3 Git Instance (Forgejo)

The Forgejo instance sets cookies necessary for session management (login state) and CSRF protection. These are strictly functional cookies required for the service to work. No advertising or tracking cookies are set by Forgejo.

11.4 Managing Cookies

You can control and delete cookies through your browser settings. Blocking session cookies will prevent you from logging in to the Webpanel and Git instance.

12 Data Security

We implement a range of technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure:

• Encryption in transit — all traffic between your browser and our Services is encrypted via TLS (HTTPS). We enforce HSTS where applicable.
• Encryption at rest — sensitive data (including OAuth2 tokens on the Webpanel) is encrypted at rest on our servers.
• Password hashing — passwords on the Git instance are stored using a strong, modern hashing algorithm. We do not store plain-text passwords.
• Access controls — access to our databases and servers is limited to authorised Cyphyrix team members on a need-to-know basis.
• MySQL security — the MySQL database used by the Bot and Webpanel is not exposed to the public internet. Access is restricted by firewall rules and user permissions.
• Regular updates — we apply security patches to our server operating systems and application dependencies promptly.

No online service is completely immune to security risks. If you discover a potential security vulnerability, please report it responsibly to hello@cyphyrix.xyz before public disclosure.

12.1 Data Breaches

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the UK ICO within 72 hours of becoming aware, as required by UK GDPR.
• Notify affected individuals without undue delay where the breach is likely to result in a high risk to them.
• Take prompt steps to contain, investigate, and remediate the breach.

13 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our Services, data practices, or legal obligations. When we make material changes, we will:

• Update the "Last updated" date at the top of this page.
• Where practicable, provide at least 30 days' advance notice via a notice on our website.

Your continued use of our Services after the updated policy takes effect constitutes your acceptance of the changes. Prior versions of this policy may be viewed in the Website source repository.

14 Contact Us

For all privacy and data protection enquiries, including requests to exercise your rights under UK GDPR, please use the contact details below. Where possible, please contact us from the same email address or account associated with the data you are enquiring about — this helps us verify your identity.