Data Processing Agreement
Last updated: December 2025
Introduction
This Data Processing Agreement ("DPA") explains how Arettox ID processes personal data in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other relevant legislation. This document is intended for transparency and to help you understand our data handling practices.
Data Controller and Processor
Arettox ID acts as a Data Processor on behalf of Discord server administrators (Data Controllers) when processing verification data. For our website visitors and direct users, we act as the Data Controller. Discord server administrators who use our bot are responsible for informing their community members about the use of verification services and obtaining any necessary consents.
Legal Basis for Processing
We process personal data based on the following legal grounds: (1) Contract Performance: Processing necessary to provide the verification service you requested; (2) Legitimate Interest: Preventing fraud, ensuring security, and improving our services; (3) Consent: For optional analytics and marketing communications; (4) Legal Obligation: When required to comply with applicable laws.
Categories of Data Processed
We process the following categories of personal data: (1) Identifiers: Discord User IDs, Discord usernames, Discord Server IDs; (2) Technical Data: Verification timestamps, verification status (boolean); (3) Derived Data: Nullifier hashes from World ID (cryptographic proof of uniqueness, not biometric data). We explicitly do NOT process: biometric data, real names, email addresses, physical addresses, phone numbers, IP addresses, or location data.
Processing Activities
We perform the following processing activities: (1) Collection: Receiving Discord IDs when users initiate verification; (2) Verification: Communicating with World ID to confirm unique human status; (3) Storage: Maintaining verification records in encrypted databases; (4) Role Assignment: Communicating with the Discord API to assign verified roles; (5) Logging: Maintaining security and audit logs; (6) Deletion: Removing data upon request or when no longer necessary.
Data Flow Diagram
Data flows in our system as follows: User initiates /verify command → Discord sends user ID to our bot → Bot generates unique verification link → User scans QR code with World App → World ID returns ZKP confirmation (nullifier hash) → Bot verifies uniqueness → Bot assigns role via Discord API → Verification record stored. At no point do we receive, transmit, or store biometric data. The nullifier hash is a cryptographic derivative that cannot be reversed to reveal identity.
Data Retention Periods
We retain data for the following periods: Active verification records: Retained while the user remains verified in at least one server; Inactive records: Deleted 90 days after the user is unverified from all servers; Security logs: Retained for 12 months; Audit logs: Retained for 24 months (or as required by law); Deletion requests: Processed within 30 days.
International Data Transfers
Our servers are located in [EU/US - specify actual location]. When data is transferred internationally, we ensure adequate protection through: Standard Contractual Clauses (SCCs) approved by the European Commission; Adequacy decisions where applicable; Encryption in transit and at rest. We do not transfer data to countries without adequate data protection unless proper safeguards are in place.
Technical and Organizational Measures
We implement the following security measures: Technical: TLS 1.3 encryption for all data in transit; AES-256 encryption for data at rest; Regular security audits and penetration testing; Automated vulnerability scanning; Secure backup procedures. Organizational: Access controls with principle of least privilege; Employee training on data protection; Incident response procedures; Regular policy reviews.
Data Subject Rights
You have the following rights under applicable data protection laws: Right to Access: Request a copy of your personal data; Right to Rectification: Correct inaccurate data; Right to Erasure: Request deletion of your data; Right to Restriction: Limit how we process your data; Right to Portability: Receive your data in a structured format; Right to Object: Object to processing based on legitimate interests; Right to Withdraw Consent: Withdraw consent for optional processing.
Right to Lodge Complaints
If you believe we have not handled your data appropriately, you have the right to lodge a complaint with your local data protection authority. We encourage you to contact us first so we can address your concerns. EU residents can find their local authority at the European Data Protection Board website. UK residents can contact the Information Commissioner's Office (ICO).
Data Protection Contact
For data protection inquiries, exercising your rights, or concerns about our data practices, please contact: Data Protection Officer (if applicable): [email protected]; General Privacy Inquiries: [email protected]; Discord Support Server: [link in footer]. We aim to respond to all data protection requests within 30 days.