Privacy Policy

1. Who We Are

HexSplash is operated by Richard Thornton (trading as HexSplash), based in Melbourne, Victoria, Australia. We provide an AI-powered colour generation service for Discord communities, along with a web dashboard and public API.

If you have any questions or concerns about privacy, contact us at richard@hexsplash.com.

2. Information We Collect

Personal Information from Discord

When you connect your Discord account to HexSplash (via OAuth authentication), we collect:

• Discord user ID (your unique Discord identifier)
• Username (your Discord username and discriminator)
• Avatar (your Discord profile picture)
• Email address (from your Discord account, used for dashboard login)
• Discord servers (list of servers where you have management permissions)

When the bot is added to a Discord server, we collect:

• Server ID (unique identifier for the Discord server)
• Server name and icon (to display in the dashboard)
• Server owner ID (to identify who added the bot)
• Member count (for statistical purposes)
• Channel information (names and IDs of channels where the bot is configured to listen)

Usage Information

To provide and improve the service, we automatically collect:

• Bot commands: The command type (!col, !grad, !pal), your input prompt, generated output, and timestamp
• API requests: Endpoints accessed, IP addresses, response times, and HTTP status codes
• Credit transactions: Purchases, usage, balance changes, payment IDs (not card numbers)
• Dashboard activity: Login times, pages accessed, and actions taken
• Error logs: Technical errors and system diagnostics for debugging

Technical Information

When you use HexSplash, we collect:

• IP addresses: For security, rate limiting, and fraud prevention
• Browser information: User agent, device type, and browser type
• Session data: Authentication tokens and session duration

Payment Information

When you purchase credits:

• Payment processing is handled by Stripe or PayPal — we don't store credit card numbers or banking details on our servers
• Transaction records (payment IDs, amounts, dates) are stored for accounting and tax compliance
• Billing information may be collected by our payment processors (subject to their privacy policies)

3. How We Use Your Information

Provide the Service

• Authenticate you through Discord OAuth
• Process bot commands using Claude AI (your prompts are sent to Anthropic for colour generation)
• Track and manage credit balances for your Discord servers
• Display server settings and configuration in the dashboard
• Process credit purchases and handle transactions
• Send bot messages and responses in Discord channels

Improve the Service

• Analyze usage patterns to understand how the service is used (in aggregated, anonymized form)
• Debug errors and fix technical issues
• Monitor system performance and uptime
• Optimize AI prompt processing for better colour generation

Legal & Administrative

• Maintain transaction records for Australian tax compliance (7-year retention required)
• Respond to valid legal requests from authorities
• Enforce our Terms of Service
• Detect and prevent fraud or abuse

We will never:

• Sell your personal information to third parties
• Send you marketing emails without your explicit consent
• Use your data for third-party advertising

4. Information Sharing & Third Parties

We share your information only with trusted service providers necessary to operate HexSplash:

Discord

• What we share: Nothing — Discord provides your information to us via OAuth
• Purpose: User authentication, bot platform, server integration
• Their privacy policy: discord.com/privacy

Anthropic (Claude AI)

• What we share: Your colour prompts/descriptions from bot commands
• Purpose: AI-powered colour generation
• Note: Prompts are processed to generate colours; Anthropic's privacy policy applies to their use of data
• Their privacy policy: anthropic.com/privacy

Stripe & PayPal

• What we share: Purchase amounts and transaction details
• Purpose: Payment processing for credit purchases
• Note: These processors collect payment information directly from you (not through us)
• Their privacy policies:
  • Stripe: stripe.com/privacy
  • PayPal: paypal.com/privacy

Cloudflare

• What they handle: DNS resolution and SSL certificates
• Purpose: Secure connections and domain management
• Their privacy policy: cloudflare.com/privacypolicy

We don't sell, rent, or share your personal information with any other third parties for their marketing purposes.

5. Data Storage & Security

How We Protect Your Data

• Encryption: All connections use HTTPS/TLS encryption
• Secure storage: Passwords and tokens are hashed (not stored in plain text)
• Access controls: Database access is restricted to necessary systems only
• Regular updates: We keep our systems patched and up-to-date
• Containerization: Services run in isolated Docker containers

Where Data Is Stored

• Primary storage: Australian data centers where possible
• International transfers: Some third-party services (Discord, Anthropic) may store or process data internationally, with appropriate safeguards in their terms

6. Data Retention

We keep your information only as long as necessary:

Active Use

• User accounts: While you use HexSplash + 30 days after bot removal
• Server configurations: While bot is installed + 30 days after removal
• Credit balances: Kept indefinitely (preserved if you re-add the bot)
• Transaction records: 7 years (required by Australian tax law)

Automatic Deletion (Time-to-Live)

• Command logs: Automatically deleted after 90 days
• API usage logs: Automatically deleted after 30 days
• Error logs: Automatically deleted after 1 year
• Session tokens: Deleted on expiry or logout

After You Leave

When you remove the bot from your Discord server:

• Most personal data is deleted after 30 days (grace period in case you return)
• Credit balance is preserved indefinitely
• Transaction records are kept for 7 years (tax compliance requirement)
• Aggregated, anonymized usage statistics may be retained

7. Your Privacy Rights

Under Australian Privacy Principles, you have the right to:

Access Your Data

You can request a copy of the personal information we hold about you:

• Email richard@hexsplash.com with your request
• We'll respond within 30 days
• The dashboard shows your credit history and server settings in real-time

Correct Your Information

If your information is incorrect or out-of-date:

• Discord information: Update it in Discord — changes sync automatically to HexSplash
• Server settings: Update directly in the dashboard
• Other corrections: Email richard@hexsplash.com

Delete Your Data

You can request deletion of your personal information:

• Remove the bot: Simply remove HexSplash from your Discord server (30-day grace period)
• Delete account: Email richard@hexsplash.com to request full account deletion
• Note: Some data must be retained for legal compliance (transaction records)

Lodge a Complaint

If you're concerned about how we handle your privacy:

1. Contact us first: richard@hexsplash.com — we'll work to resolve your concern
2. Escalate if needed: If you're not satisfied with our response, you can lodge a complaint with the Office of the Australian Information Commissioner (OAIC):
   • Website: oaic.gov.au
   • Phone: 1300 363 992
   • Email: enquiries@oaic.gov.au

8. Cookies & Tracking

Session Cookies Only

HexSplash uses cookies only for essential functions:

• Authentication cookies: To keep you logged in to the dashboard
• Session management: To maintain your session state

No Tracking or Advertising

• We don't use advertising or analytics cookies currently
• No third-party tracking scripts
• No behavioral advertising or remarketing

If we add analytics in the future (like Google Analytics), we'll update this policy and notify you via a website banner.

9. Children's Privacy

HexSplash requires users to be at least 13 years old (matching Discord's minimum age).

• We don't knowingly collect information from children under 13
• If we discover a user is under 13, we'll delete their account
• Parents or guardians can request deletion of their child's information by emailing richard@hexsplash.com

10. International Users

While HexSplash is based in Australia and complies with Australian privacy law, users from other countries can use the service:

• Australian users: Full protection under Australian Privacy Principles
• EU/UK users: We're not required to comply with GDPR, but we respect similar privacy principles
• Other regions: Australian privacy standards are generally robust and comparable to international standards

If you're outside Australia and have concerns about how your data is handled, please contact us at richard@hexsplash.com.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

When we update this policy:

• The "Last Updated" date at the top will change
• We'll display a notice banner on hexsplash.com for 30 days
• Material changes will be clearly explained

Continuing to use HexSplash after the updated policy is posted means you accept the changes. If you don't agree, please stop using the service and contact us to delete your account.

12. Data Breach Notification

In the unlikely event of a data breach that affects your personal information:

• We'll assess the breach and take immediate steps to contain it
• We'll notify affected users as soon as practicable
• We'll report to the OAIC if required by Australian law
• We'll provide information on steps you can take to protect yourself

13. Third-Party Links

Our website and dashboard may contain links to third-party services (Discord, payment processors, etc.). This Privacy Policy doesn't cover those services — they have their own privacy policies. We encourage you to review them.

14. Contact Us

Questions about privacy? Want to access, correct, or delete your data?

• Email: richard@hexsplash.com
• Business Name: Richard Thornton trading as HexSplash
• Location: Melbourne, Victoria, Australia

We aim to respond to all privacy inquiries within 30 days.