Last updated: August 29th 2022
Welcome to Aunto
Whilst designing and building Aunto, we've made multiple deliberate decisions that increase the privacy of our users. From hashing important data before storing it, to implementing access controls, we truly do care about your privacy.
I, the developer of Aunto, created Aunto for three main reasons:
- There simply wasn't anything as good as it is now. I've been told multiple times by multiple users that Aunto has a better user experience than other available options. It just works.
- Other options were often unreliable. From going down multiple times a month, to websites that don't work across devices, to challenges that aren't accessible to users. They were helpful, but annoying.
- The final, and probably most important reason: Other integrations that operated in similar ways to Aunto weren't the most transparent. Be that on the data they collect, who they share it with, or how they store it. When starting to develop Aunto, I knew Aunto would have to store data, so made deliberate decisions to make it privacy-focused from the start, like by hashing data when possible.
Thank you for hearing me out. Now, here's the full in-depth description of what Aunto stores, why it does, and who it shares it with...
What we collect and why
Whilst you use Aunto's site or Discord integration, data and information is collected. We collect the following information under legitimate interest:
- Your IP address and user agent information. Fundamentally, the way the internet is built requires us to know this information at some point. We do, however, store some information such as your IP address (we only store a hashed version of your IP address to our databases, but your IP address is stored in plain text in our server's memory, our upstream provider's logs and some of our logfiles) and browser user agent to detect bots and abusive users.
- Unique device identifiers. We store unique identifiers that relate to your device and browser to uniquely identify your device. The data we use to build these identifiers are provided to us by your device and browser (sometimes automatically, but some of the data points we use have to be requested or queried). We use this data to detect bots and abusive users, and to prevent users from bypassing moderative actions imposed by the communities we protect.
- Your email address. We may store your email address to identify and contact you, but in the large majority of cases, we don't need it and don't request access to it. Email addresses are currently only used by us to bill and contact Aunto Premium users.
- Your Discord account information. When you login or authenticate with our website, you'll be asked to give us access to your Discord account. With this access, we process information such as your Discord username, account ID, avatar, connections and the servers you're in. We need to have access to information such as your username and account ID to identify your account, and need to access your connections and server list to properly risk assess your account. When you verify at the verify.aunto.xyz website, we request and store most of the data above.
- Network-related information. In some cases, we store information on your Internet Service Provider (ISP) such as their Autonomous System Number (ASN) and their name. We also send your IP address to Proxycheck.io (who you can find more information about below) to check for VPNs, proxies and networks with bad reputations. We hash the ASN before storing it in our database, but it may be still available in our servers' memory or cache for some time.
- Configuration options. When you use Aunto, you may be given the option to update Aunto's configuration or settings. We store these details in plain text in our databases and use them to operate Aunto.
- Other information you provide. When you provide us with information, you should expect us to use and store it to operate Aunto. For example, if you provide us with information whilst we're providing you with customer support, we must store and process that information to provide advice and resolutions to you. If you'd be uncomfortable about us processing a certain piece of information, please do not provide it to us.
When you verify you're not a robot on verify.aunto.xyz, we process your information under our legitimate interests to keep the communities we protect safe, your legitimate interest to join that community (otherwise you wouldn't be verifying), and the community in question's administrator's legitimate interest to keep their community free of spam and abuse.
A note regarding account connections and servers: Aunto may request access to the servers you're in and a list of what external accounts you've connected to your Discord account. We store the list of servers you're a part of in our servers' memory and caches, and store some information regarding your connected accounts in our servers' memory and caches as well as in our databases. When we store your connected account's information in our databases, we hash the account ID instead of storing it in plain text to protect your privacy.
Where we say we "hash" data, we mean that we use a hashing algorithm such as SHA-256 that performs one-way cryptographic operations on data. Hashing algorithms make it possible for us to check if data is the same as other data without actually storing that data in plain text.
You should keep in mind that we are still a company, and if we receive a notice or request from law enforcement or a government agency, we may have to disclose information to them. If we get served with an action such as a warrant that effects your data or activity, we may legally have no option other than to comply.
We do not sell the data we collect on the Aunto platform.
What we share with communities
We share some information with the owners, administrators, moderators and staff teams of the communities that use Aunto. Here's a list, but it is updated regularly:
- Public information about your Discord account. We allow access to information such as your user ID, username and avatar, but the communities we share it with would already have access to such information as it is public.
- Limited information on alternative accounts. Alternative accounts (also sometimes called "alts") are often used to bypass bans and moderative actions and harass communities. To combat this, we allow the staff members of the communities that use Aunto to access a list of alternative accounts that are in use in their community, including those that are banned. This list does not include accounts that do not interact with the community in question (for example, if you own an alternative account and use it only in Community A, we won't tell Community B about its existence).
- Basic information on your actions. We sometimes share very limited information on your actions whilst using Aunto with the communities you're in. We do not share any sensitive information (such as your IP address, any fingerprints we collect or your email address), but do share information such as roughly how long it took you to verify, what steps you completed, whether or not you used a VPN or proxy, and our calculated likelihood that you're a bot.
A note on ads and cookies
To pay our hosting bills and to allow us to continue to operate the Aunto platform, we may show ads. We shall not directly provide any of your personal information to the organizations we've partnered with to show ads, but they may collect data inline with their respective privacy policies.
Cookies are small bits of information, data or text that your browser stores on your device. Cookies are awesome, and let us do things like keeping you logged in to Aunto's website. Your browser auto-magically provides sites access to the cookies they set. You can explicitly tell your browser to reject cookies in your browser's settings if you want, but this will make most sites (including Aunto's verification pages) unusable.
Our providers and sub-processors
- Cloudflare who improves our site's performance and security. As they sit in front of our servers, they can view all traffic going to and from them.
- Contabo who is our main hosting provider. They have physical access to our servers so could theoretically access the data we hold.
- Proxycheck.io who provide us with IP geolocation, proxy detection and validation services.
- Fingerprint who provide us with browser and device fingerprinting technology. Some fingerprints are processed by their servers.
- Stripe who provide payment processing services.
- hCaptcha who provide us with CAPTCHA services.
Your data rights
Under data protection law, some of our users may have certain rights. To make things fair, we provide the following rights to ALL our personal users:
- Your right to access. You have the right to ask us for copies of the personal information we store on you. We can provide you with a data snapshot in the form of a ZIP file on request. This request can either be made over Discord or via email.
- Your right to rectification. You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure. You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restrict our processing. You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object. You have the the right to object to the processing of your personal information in certain circumstances.
As we use legitimate interests as our lawful basis of processing, we can and may object to certain requests, such as when our's or a third party's legitimate interests are more compelling than yours.
An example of this could be when we handle data regarding moderative actions the communities we serve make and the information that allows us to enforce such actions. It may be in the communities' legitimate interests to ensure that we can enforce the actions they take as if we were to accept a deletion or objection request in that case, it could negatively effect possibly hundreds or even thousands of other users.
If we refuse to honor your request, we'll provide our reasoning as to why and will provide you with contact details of the Information Commissioner's Office who you may complain to if you wish.
If we mess up
If you're worried about how we're using your data or want to complain, please send an email to us at [email protected]. Please also provide your Discord user ID so we can find it in our systems.
You can also complain to the UK Information Commissioner's Office (the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals) if you're unhappy with how we've used your data:
Information Commissioner’s Office
Helpline number: +44 (0) 303 123 1113
The ICO's website: www.ico.org.uk