Yes, Discord requires a privacy policy for all bots. The Discord Developer Policy mandates that every application have a publicly accessible privacy policy. Bots in 75 or more servers must be verified, and verification requires a privacy policy URL. Your policy must disclose what user data your bot receives and stores, and how it handles message content, user IDs, and server information.
Discord has grown from a gaming chat platform into one of the largest communication platforms in the world, with over 200 million monthly active users. The ecosystem of Discord bots has grown alongside it. Millions of bots serve communities with moderation, music, games, utilities, and custom functionality.
But most bot developers focus on features and code, not privacy compliance. That is a problem because Discord bots inherently process personal data. Every time your bot receives an event from the Discord Gateway, it is handling user IDs, usernames, server information, and potentially message content. Discord's Developer Policy recognizes this and requires all bots to have a privacy policy.
This guide covers exactly what Discord requires, what data your bot collects (even if you do not realize it), how privileged intents affect your obligations, and the fastest way to create a compliant privacy policy for your Discord bot.
Does Discord Require a Privacy Policy for Bots?
Yes. Discord's Developer Policy and Developer Terms of Service explicitly require all applications (including bots) to maintain a privacy policy. This is not optional guidance. It is a binding requirement that you agree to when you create an application in the Discord Developer Portal.
- Required: for all Discord bots
- 75+ servers: triggers verification
- Enforced: during bot verification
The Developer Policy states that developers must provide a privacy policy that clearly and accurately describes how their application collects, uses, and shares user data. This policy must be publicly accessible and linked in your application's settings in the Developer Portal.
For verified bots, this requirement is strictly enforced. During the verification process, Discord's team reviews your privacy policy URL and checks that it adequately describes your bot's data handling. If your privacy policy is missing, incomplete, or inaccurate, your verification will be rejected.
Even for unverified bots with fewer than 75 servers, the privacy policy requirement still applies. Discord can take action against any bot that violates the Developer Policy, including bots that lack a privacy policy. Enforcement for small bots is less systematic, but the requirement exists and violations can result in your bot being disabled.
Q: What if my bot is just for my own server?
Technically, the Developer Policy applies to all bots. In practice, Discord is unlikely to enforce against a bot used only in one private server. However, if you ever plan to grow your bot or open it to other servers, having a privacy policy from the start is much easier than adding one retroactively.
Q: Where do I add my privacy policy URL in Discord?
Go to the Discord Developer Portal, select your application, navigate to General Information, and you will find a "Privacy Policy URL" field. Enter the full URL to your publicly accessible privacy policy. This URL is displayed to users during the OAuth2 authorization flow when they add your bot to a server.
What Data Discord Bots Collect
Understanding what data your bot collects is the first step to writing an accurate privacy policy. There is an important distinction between data your bot receives from Discord through the API and Gateway, and data your bot actively stores in a database. Your privacy policy needs to address both.
| Data Type | How Bot Receives It | Personal Data? | Requires Intent? |
|---|---|---|---|
| User IDs | Included in every event involving a user | Yes (unique identifier) | No |
| Usernames | User objects in API responses and events | Yes (personally identifiable) | No |
| Avatar URLs | User objects in API responses | Potentially (may contain photos) | No |
| Server/Guild IDs | All guild-related events | No (organizational data) | No |
| Message content | MESSAGE_CREATE events (if intent enabled) | Yes (user-generated content) | Yes (privileged) |
| Member list | GUILD_MEMBERS events and API endpoint | Yes (list of identifiable users) | Yes (privileged) |
| Presence data | PRESENCE_UPDATE events | Yes (activity and status) | Yes (privileged) |
| Slash command inputs | INTERACTION_CREATE events | Depends on input content | No |
The critical point most bot developers miss is that receiving data through the API is itself data processing under GDPR, even if you never store it. When your bot receives a message event containing a user ID, username, and message content, it has processed personal data. Your privacy policy must account for this processing, not just what you save to a database.
Did you know?
Discord user IDs are classified as personal data under GDPR because they are unique identifiers that can be used to identify a specific individual. Even though a user ID looks like a random number (e.g., 123456789012345678), it maps directly to one person and is therefore personally identifiable information. This means every Discord bot that receives events is processing personal data.
Data Received vs. Data Stored
Your privacy policy should clearly distinguish between data your bot receives from Discord (which it processes temporarily) and data your bot actively stores in a database or file system. Users want to know whether their messages are being logged, whether their user IDs are saved in a database, and how long any stored data is retained.
For example, a moderation bot might receive all message events but only store data when a moderation action is taken (warning, mute, ban). The privacy policy should explain that the bot processes all messages to check for rule violations but only permanently stores records of moderation actions along with the relevant user ID and reason.
Discord Developer Policy Requirements
Discord's Developer Policy sets specific requirements for how bots must handle user data and what developers must disclose. These requirements exist in addition to any applicable privacy laws like GDPR and CCPA.
What Discord Specifically Mandates
- Public privacy policy URL: Your application must have a publicly accessible privacy policy linked in the Developer Portal
- Data handling disclosure: You must clearly describe what data your bot collects, how it uses that data, and who it shares data with
- Data minimization: You should only request access to data your bot actually needs. Do not request privileged intents unless your bot requires the data they provide
- Data deletion: You must delete stored user data when a user requests it or when your bot is removed from a server
- Security: You must implement reasonable security measures to protect user data from unauthorized access
- No selling data: You may not sell user data obtained through the Discord API under any circumstances
Did you know?
Discord's Developer Policy requires that when your bot is removed from a server, you must delete any data specific to that server within a reasonable timeframe. This means your bot should listen for the GUILD_DELETE event and have a process for purging server-specific data from your database. Many bots fail to implement this, which is a direct policy violation.
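An added example, not code from Discord or from this guide: one way to implement the purge described above, covering both removal from a server and a user's deletion request. The SQLite schema, table names and IDs are constructed for illustration; the `unavailable` check is there because Discord also sends GUILD_DELETE when a guild goes down in an outage, while the bot is still a member.

```python
import sqlite3

# Hypothetical schema: every table that holds Discord data is keyed by
# guild_id and/or user_id so it can be purged on request.
SCHEMA = """
CREATE TABLE guild_settings (guild_id TEXT PRIMARY KEY, log_channel TEXT);
CREATE TABLE mod_actions (guild_id TEXT, user_id TEXT, action TEXT, reason TEXT);
CREATE TABLE user_prefs (user_id TEXT PRIMARY KEY, timezone TEXT);
"""
# Fixed allow-lists: table names are never taken from input.
GUILD_TABLES = ("guild_settings", "mod_actions")
USER_TABLES = ("mod_actions", "user_prefs")


def open_db():
    """Create an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO guild_settings VALUES (?, ?)",
                   [("111", "900"), ("222", "901")])
    db.executemany("INSERT INTO mod_actions VALUES (?, ?, ?, ?)",
                   [("111", "501", "warn", "spam"),
                    ("111", "502", "ban", "raid"),
                    ("222", "501", "mute", "flood")])
    db.executemany("INSERT INTO user_prefs VALUES (?, ?)",
                   [("501", "UTC"), ("502", "CET")])
    db.commit()
    return db


def _purge(db, tables, column, value):
    """Delete matching rows from each table in one transaction."""
    deleted = 0
    with db:  # commits on success, rolls back on error
        for table in tables:
            cur = db.execute(f"DELETE FROM {table} WHERE {column} = ?", (value,))
            deleted += cur.rowcount
    return deleted


def purge_guild(db, guild_id):
    return _purge(db, GUILD_TABLES, "guild_id", guild_id)


def purge_user(db, user_id):
    return _purge(db, USER_TABLES, "user_id", user_id)


def on_guild_delete(db, payload):
    """Handle the `d` object of a GUILD_DELETE dispatch.

    Discord sets `unavailable` when the guild is down due to an outage;
    the bot is still a member then, so nothing is purged.
    """
    if payload.get("unavailable"):
        return 0
    return purge_guild(db, payload["id"])


def row_count(db, table):
    return db.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]
```
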
These Discord-specific requirements overlap with but do not replace GDPR, CCPA, and other privacy laws. If your bot has users in the EU, GDPR applies in addition to Discord's policies. If your bot has users in California, CCPA may also apply. Your privacy policy needs to satisfy all applicable requirements simultaneously.
For details on general app privacy policy requirements, including what GDPR and CCPA require for software applications, see our dedicated guide.
The Privileged Intents Problem
Discord introduced privileged intents to protect user privacy by requiring explicit approval before bots can access sensitive data categories. If your bot uses any privileged intents, your privacy obligations are significantly greater.
MESSAGE_CONTENT Intent
Gives your bot access to the full text of messages in servers. Without this intent, your bot only sees message content when it is directly mentioned, receives a DM, or processes a slash command. With it, your bot receives every message in every channel it has access to. This is the most privacy-sensitive intent because message content can contain anything: personal conversations, email addresses, phone numbers, or other sensitive information shared casually in chat.
GUILD_MEMBERS Intent
Gives your bot access to the complete member list of every server it is in, including member join/leave events and role changes. Without this intent, your bot only has access to members it has interacted with. With it, your bot receives the full membership roster, which can include thousands of user profiles per server. This data includes user IDs, usernames, nicknames, roles, and join dates.
GUILD_PRESENCES Intent
Gives your bot access to presence updates, which include online/offline status, custom status messages, and what game or application a user is currently using. This is behavioral data that can reveal patterns about when users are active and what they do on their computer. Under GDPR, this type of behavioral tracking requires clear disclosure and typically a legitimate interest assessment.
If your bot uses any privileged intents, your privacy policy must include stronger disclosures. You need to explain exactly why your bot needs access to this sensitive data, what it does with it, whether it stores it, and how users can control or limit the data collection. Discord reviews these justifications during the bot verification process.
Q: My bot uses MESSAGE_CONTENT to detect commands with a prefix. Is that justified?
Discord recommends migrating prefix commands to slash commands, which do not require the MESSAGE_CONTENT intent. If your bot's only use of message content is prefix command detection, Discord may reject your intent request during verification. Slash commands are the preferred approach for new bots.
Q: What if I only use privileged intents in some features?
Your privacy policy should specify which features use privileged data and allow server administrators to understand what data access each feature requires. Some bots offer granular feature toggles so server owners can disable features they are not comfortable with.
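Added example (not Discord's code and not part of the original guide): a small audit that decodes a Gateway intents value and compares it with the events the bot actually handles, which is the data minimization check described above. The bit positions are from Discord's Gateway documentation; the handler list format and the event subset are assumptions made for this example.

```python
# Gateway intent bit positions from Discord's documentation (subset).
INTENT_BITS = {
    "GUILDS": 0, "GUILD_MEMBERS": 1, "GUILD_PRESENCES": 8,
    "GUILD_MESSAGES": 9, "DIRECT_MESSAGES": 12, "MESSAGE_CONTENT": 15,
}
PRIVILEGED = {"GUILD_MEMBERS", "GUILD_PRESENCES", "MESSAGE_CONTENT"}

# Intent that gates delivery of each event (subset; None = no intent needed).
# Simplification: MESSAGE_CREATE is treated as guild messages only.
EVENT_INTENT = {
    "GUILD_DELETE": "GUILDS",
    "GUILD_MEMBER_ADD": "GUILD_MEMBERS",
    "GUILD_MEMBER_REMOVE": "GUILD_MEMBERS",
    "PRESENCE_UPDATE": "GUILD_PRESENCES",
    "MESSAGE_CREATE": "GUILD_MESSAGES",
    "INTERACTION_CREATE": None,
}


def decode_intents(value):
    """Return the names of the known intents set in an intents bitfield."""
    return [name for name, bit in INTENT_BITS.items() if value & (1 << bit)]


def audit_intents(value, handlers):
    """Compare requested intents with what the bot's handlers need.

    handlers: list of (event_name, reads_message_text) tuples, where
    reads_message_text is True only if the handler inspects message text
    outside mentions, DMs and slash commands.
    """
    requested = set(decode_intents(value))
    needed = set()
    for event, reads_text in handlers:
        intent = EVENT_INTENT[event]
        if intent:
            needed.add(intent)
        if reads_text:
            needed.add("MESSAGE_CONTENT")
    return {
        # Privileged intents the policy must explain.
        "disclose": sorted(requested & PRIVILEGED),
        # Privileged intents requested but used by no handler: drop them.
        "unjustified": sorted((requested - needed) & PRIVILEGED),
        # Intents a handler relies on that the bot never requested.
        "missing": sorted(needed - requested),
    }


if __name__ == "__main__":
    # Constructed case: a slash-command bot that still requests two
    # privileged intents it no longer uses.
    value = (1 << 0) | (1 << 1) | (1 << 9) | (1 << 15)
    handlers = [("INTERACTION_CREATE", False), ("MESSAGE_CREATE", False),
                ("GUILD_DELETE", False)]
    print(audit_intents(value, handlers))
```
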
Bot Verification and Privacy Policy
Discord requires bot verification when your bot reaches 75 or more servers. Once you hit this threshold, your bot cannot join additional servers until it passes verification. A valid privacy policy is one of the core requirements for passing this review.
What Discord Reviews During Verification
- Your privacy policy URL is publicly accessible and working
- The policy accurately describes what data your bot collects and stores
- If you request privileged intents, the policy explains why they are needed
- The policy includes information about data deletion and user rights
- The policy includes your contact information for privacy-related inquiries
Verification reviews can take several weeks. If your privacy policy is rejected, you will need to revise it and resubmit, adding more time. Getting your privacy policy right before you approach the 75-server threshold saves significant delay.
Did you know?
Discord's bot verification process has become significantly stricter over time. In the early days of Discord bots, verification was minimal. Today, Discord's Trust and Safety team conducts thorough reviews of privacy policies, data handling practices, and privileged intent justifications. Bots that previously would have passed verification with a basic policy now face rejection. Having a comprehensive, professionally written privacy policy is more important than ever for bot developers.
Beyond verification, having a solid privacy policy builds trust with server administrators who decide whether to add your bot. Many large servers now review a bot's privacy policy before inviting it, especially servers in regulated industries or those with privacy-conscious communities. A professional privacy policy can be a competitive advantage in the crowded bot ecosystem.
Common Mistakes Bot Developers Make
These are the five most common privacy policy mistakes Discord bot developers make, along with why each one can cause problems during verification or with privacy regulators.
Mistake: "My bot does not store data, so I do not need a privacy policy"
Even if your bot has no database, it still processes personal data through the Discord API. Every user ID, username, and message it receives is data processing under GDPR. Discord's Developer Policy requires a privacy policy regardless of whether data is stored. Your policy should explain that data is processed in-memory but not persisted, if that is the case.
Mistake: "I just log to console, that is not data storage"
Console logs that contain user IDs, usernames, or message content are data storage if those logs persist on disk. Many hosting providers retain application logs for days or weeks. If your bot logs user data to stdout and your hosting provider stores those logs, you are storing personal data. Your privacy policy must account for this, or you should configure your logging to exclude personal data.
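Added example, not from the original guide: one way to configure logging so that raw Discord IDs, usernames and message text never reach stdout or a hosting provider's log store. The class and function names, the key and the sample event are constructed for illustration; in a real deployment the key would come from a secret store.

```python
import hashlib
import hmac
import logging
import re

# Discord IDs are snowflakes: 64-bit integers, 17 to 20 decimal digits today.
SNOWFLAKE = re.compile(r"\b\d{17,20}\b")


def pseudonymize_ids(text, key):
    """Replace every snowflake in text with a keyed, truncated HMAC.

    The same ID always maps to the same token, so log lines can still be
    correlated, but the raw ID is not recoverable without the key.
    """
    def _token(match):
        mac = hmac.new(key, match.group().encode(), hashlib.sha256)
        return "id:" + mac.hexdigest()[:12]
    return SNOWFLAKE.sub(_token, text)


class DiscordIdFilter(logging.Filter):
    """Logging filter that pseudonymizes IDs in the final formatted message."""

    def __init__(self, key):
        super().__init__()
        self._key = key

    def filter(self, record):
        # Format first so IDs passed as %-style args are covered too.
        record.msg = pseudonymize_ids(record.getMessage(), self._key)
        record.args = None
        return True


def summarize_message(event):
    """Log-safe summary of a MESSAGE_CREATE payload: no text, no username."""
    return "message author=%s channel=%s length=%d" % (
        event["author"]["id"], event["channel_id"], len(event["content"]))


if __name__ == "__main__":
    log = logging.getLogger("bot")
    handler = logging.StreamHandler()
    handler.addFilter(DiscordIdFilter(b"constructed-demo-key"))
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample event, not real data.
    event = {"author": {"id": "123456789012345678", "username": "sample_user"},
             "channel_id": "876543210987654321", "content": "call me on 555-0100"}
    log.info(summarize_message(event))
    log.info("warned user %s (3 strikes)", event["author"]["id"])
```

Pseudonymized IDs remain personal data under GDPR, so the retention period of these logs still belongs in the policy.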
Mistake: "Discord handles privacy for me"
Discord's privacy policy covers Discord's own relationship with its users. It does not cover what your bot does with the data it receives through the API. You are a separate data controller (or processor, depending on your bot's purpose). Discord provides the platform. You provide the service. Both need their own privacy policies.
Mistake: "Only big bots need a privacy policy"
Discord's Developer Policy applies to all applications, not just popular ones. GDPR applies to any entity processing EU residents' personal data, regardless of scale. A bot in 5 servers that stores user data has the same privacy obligations as one in 5,000 servers. The only practical difference is that enforcement becomes more visible at scale, but the legal requirements are identical.
Mistake: "A GitHub Gist or pastebin is good enough"
While technically accessible, hosting your privacy policy on a GitHub Gist, Pastebin, or similar platform looks unprofessional and can undermine trust. These platforms can also change their URLs, go down, or remove content. For bot verification, Discord expects a stable, professional privacy policy page. Use your bot's website, a GitHub Pages site, or a dedicated landing page instead.
Worried about what happens if you do not have a policy? See our guide on the consequences of missing a privacy policy.
How to Create a Privacy Policy for Your Discord Bot (6 Steps)
Follow these steps to create a privacy policy that satisfies Discord's Developer Policy and complies with GDPR, CCPA, and other applicable privacy laws.
Step 1: Document all data your bot receives from Discord
Go through every event your bot listens to and document what data fields it receives. Check your Gateway intents to understand what data Discord sends your bot. Note whether you use any privileged intents (Message Content, Guild Members, Presence). List every slash command and what user input it accepts.
Step 2: Identify what data your bot stores and where
Review your database schema, configuration files, and any persistent storage. Document every table or collection that contains user data: user IDs, server configurations, command usage logs, moderation records, or custom user settings. Note where your database is hosted (AWS, DigitalOcean, Railway, etc.) and in what region, as this affects GDPR data transfer requirements.
Step 3: List all third-party services your bot uses
Beyond Discord itself, identify every external service your bot sends data to. This includes database hosting (MongoDB Atlas, Supabase, PlanetScale), error tracking (Sentry, Bugsnag), analytics (any usage tracking), external APIs (weather, translation, AI services), and hosting providers (Heroku, Railway, VPS providers). Each service that receives user data is a sub-processor that must be disclosed.
Step 4: Generate your privacy policy
Use a privacy policy generator to create a comprehensive policy. Input the data types, storage methods, third-party services, and your contact details. The generator produces a complete policy with all required GDPR, CCPA, and platform-specific sections.
Step 5: Host your privacy policy at a permanent URL
Publish your policy at a stable, publicly accessible URL. Your bot's website or landing page is ideal. A GitHub Pages site works well for open-source bots. A dedicated page on your personal domain is also acceptable. The URL must remain accessible long-term, so avoid platforms that might change URLs or remove content.
Step 6: Add the URL to your Discord application settings
Go to the Discord Developer Portal, select your application, and paste your privacy policy URL in the Privacy Policy URL field under General Information. Also consider adding a link in your bot's help command, about command, or description so users can easily find your policy. Update your policy whenever you change your bot's data handling, and review it at least annually.
The Easiest Way to Get a Discord Bot Privacy Policy
Most bot developers are programmers, not lawyers. Writing a privacy policy from scratch requires understanding GDPR, CCPA, CalOPPA, and Discord's Developer Policy simultaneously. Copying another bot's privacy policy is a copyright and compliance risk because their data practices are different from yours.
A privacy policy generator lets you describe your bot's specific data handling and produces a complete, legally compliant policy in under 60 seconds. It covers all the sections required by GDPR (data categories, legal basis, user rights, retention periods), CCPA (California-specific disclosures), and Discord's Developer Policy (data handling, deletion, security).
The generated policy is ready to host on your bot's website and link in the Discord Developer Portal. It includes all the disclosures needed for bot verification and can be updated whenever your bot's data practices change. For a GDPR-compliant template reference, see our dedicated guide.
Frequently Asked Questions
Does Discord require a privacy policy for bots?
Yes. Discord's Developer Policy requires all applications to have a publicly accessible privacy policy. This is enforced during bot verification (at 75+ servers) but applies to all bots regardless of size. The policy URL must be entered in your application settings in the Developer Portal.
What data do Discord bots collect?
At minimum, every bot receives user IDs, usernames, server IDs, and channel IDs through the Discord API. Bots with the Message Content intent also receive full message text. Bots with Guild Members intent receive complete member lists. The key distinction is between data received (processed temporarily) and data stored (saved to a database).
Do I need a privacy policy if my bot does not store data?
Yes. Discord requires a privacy policy regardless of storage. Your bot still processes personal data (user IDs, usernames) through the API, even if only in memory. Under GDPR, processing includes any operation performed on personal data, not just storage. Your policy should clarify that data is processed but not permanently stored.
What are privileged intents and how do they affect my privacy policy?
Privileged intents (Message Content, Guild Members, Presence) give bots access to sensitive data that requires explicit Discord approval. If your bot uses privileged intents, your privacy policy must include stronger disclosures about why the data is needed, how it is used, and whether it is stored. Discord reviews these disclosures during verification.
When does a Discord bot need to be verified?
Verification is required when your bot reaches 75 or more servers. Without verification, your bot cannot join additional servers beyond this limit. The verification process requires a working privacy policy URL, accurate data handling descriptions, and valid justifications for any privileged intents.
Where should I host my Discord bot's privacy policy?
Use a stable, professional hosting solution. Your bot's website, a GitHub Pages site, or a dedicated page on your personal domain are all good options. Avoid GitHub Gists, Google Docs, or Pastebin, which look unprofessional and may not satisfy Discord's verification requirements.
How do I create a privacy policy for my Discord bot?
Document your bot's data handling (what it receives, stores, and shares), then use a privacy policy generator to produce a complete, compliant policy. Host it at a permanent URL and add that URL to your Discord application settings.