Zippy Wall

Privacy Policy

Last updated: May 21, 2026

This Privacy Policy explains what data Zippy Wall collects, how we use it, and the choices you have. We’ve tried to write this plainly. If anything is unclear, email [email protected].

1. What we collect

OAuth / account data. When you sign in with Twitch or Discord, we receive your platform user ID, username, optional email, and OAuth access and refresh tokens. Tokens are stored encrypted at rest in our database and used solely to operate the bot on your behalf (joining your chat via EventSub or Gateway, deleting messages, timing out users, etc.).

Chat-flag events. When the bot deletes, censors, times out, kicks, or bans a message, we store a record of that event: the channel/guild ID, the offending sender’s ID and display name, the URL or matched phrase, the verdict, the threat sources that flagged it, and the action taken. We do not store the content of unflagged messages.

Aggregate message counts. To power the engagement section of your dashboard, we count the number of messages each user sends per day in your channel/server. We store only the count and the sender’s display name — not the messages themselves.

Payment data. Subscription payments are handled by Stripe. We store your Stripe customer ID and subscription state. We never see your card details — Stripe does.

2. How we use it

  • To run the bot in your channel/server and apply the moderation rules you configure.
  • To populate your dashboard with stats and the live threat log.
  • To process payments and manage your subscription.
  • To send you operational emails (billing receipts, security notices, planned-downtime warnings).
  • To investigate abuse, debug crashes, and improve detection quality (e.g. tuning heuristics).

We do not sell your data, ever.

3. Who we share it with

  • Threat-intel feeds (URLhaus, OpenPhish, Google Safe Browsing): URLs from your chat are queried against these feeds for classification. We do not send user identities — only the URL.
  • Stripe: payment processing and subscription management.
  • Supabase: our database provider (AWS, us-west-2).
  • Discord and Twitch: by design — we call their APIs to read chat and moderate it.
  • Google Ads: receives anonymized conversion data when an ad click leads to a trial sign-up (see “Cookies and tracking” below). No chat content, identities, or moderation events are shared.
  • Law enforcement: only when legally required and after evaluating the request.

We do not resell your data to advertisers or data brokers.

4. Cookies and tracking

Session cookies. We set one HTTP-only session cookie per platform (zw_session for Twitch, zw_discord_session for Discord) so you stay signed in. These are essential for the product to work.

Google Ads conversion tracking. We use Google Ads to advertise Zippy Wall. Google’s gtag.js script may set cookies on your browser to measure the effectiveness of those ads (for example, whether a click on an ad led to a trial sign-up). Google receives anonymized data about your visit; we do not share your identity, chat content, or moderation events with Google. You can opt out via adssettings.google.com or by using a browser-level ad-tracking blocker. No other advertising or analytics scripts run on the site.

5. Where data lives

All application data is stored in a Supabase Postgres database hosted on AWS in the us-west-2 region (Oregon, USA). Backups are managed by Supabase per their security practices.

6. How long we keep it

  • Account data: as long as your account is active.
  • Chat-flag events & message counts: kept while your account is active; deleted within 30 days of account closure.
  • Payment records: retained per Canadian tax requirements (currently 6 years).

7. Your rights

You can request access, export, correction, or deletion of your personal data by emailing [email protected]. We’ll respond within 30 days. If you’re in the EU or UK, you have rights under GDPR; if you’re in Canada, under PIPEDA; in California, under CCPA. The rights of access, deletion, and portability are the same in all three.

8. Children

Zippy Wall is not intended for users under 13 years of age. Both Twitch and Discord require users to be at least 13. We do not knowingly collect data from anyone under that age.

9. Security

We use HTTPS everywhere, HMAC-signed session cookies, encrypted-at-rest token storage, and least-privilege database access. No system is perfectly secure; if you discover a vulnerability, please report it to [email protected].

10. Changes

We’ll post any updates here and bump the “Last updated” date. Material changes will be communicated at least 30 days in advance via a dashboard banner or email.

11. Contact

Operator: Joel Cripps, British Columbia, Canada.
Email: [email protected]