Privacy Policy

Last updated: May 2025

1. What Data We Collect

When you log in with Discord, we collect and store:

• Your Discord user ID, username, and display name
• Your Discord avatar hash (for display purposes)
• Your Discord role(s) within the XPD server
• Your VRChat display name (if you choose to link it)
• Your preferred language and timezone settings
• RSVP responses for events
• Application submissions (if you apply to join)

2. How We Use Your Data

• To verify your XPD Discord membership and assign your rank
• To generate the VRChat whitelist JSON so you can access restricted worlds
• To display your profile within the officer dashboard
• To associate arrest records with arresting officers
• To send RSVP and event notifications via Discord (if configured)

3. Data Sharing

We do not sell your personal data. Your VRChat display name is included in a publicly accessible JSON file used by VRChat worlds for whitelist verification. Your Discord username and arrest record contributions are visible to other logged-in officers.

Mugshot records (arrest records you upload) are public and visible to anyone who visits the site.

4. Data Retention

We retain your data for as long as you are a member of XPD or until you request deletion. See our Data Deletion page to submit a removal request.

5. Cookies & Sessions

We use a single session cookie to keep you logged in. No third-party tracking cookies are set unless Google Analytics is enabled (see Settings). Session cookies expire after 7 days of inactivity.

6. Your Rights (GDPR)

If you are located in the European Economic Area or United Kingdom, you have the right to:

• Access the personal data we hold about you
• Request correction of inaccurate data
• Request deletion of your data
• Object to or restrict processing of your data
• Data portability

To exercise these rights, use the Data Deletion / GDPR Request page or contact XPD leadership via Discord.

7. Security

We use session-based authentication and prepared SQL statements to protect your data. Discord OAuth2 is used for login - we never see or store your Discord password.

8. Third-Party Services

• Discord - Authentication via OAuth2. Subject to Discord's Privacy Policy.
• VRChat - Your display name is included in a whitelist JSON fetched by VRChat worlds.
• Google Analytics - Optional. Enabled only if configured by the site administrator.

9. Contact

Privacy questions? Contact XPD leadership via Discord or submit a request on the GDPR page.