Privacy Policy
How Tumobird collects, uses, and protects your data. Last updated 2026-04-23.
Overview
Tumobird ("we", "us", "our") provides production-grade Discord bot hosting. This Privacy Policy explains what personal information we collect, how we use it, and the rights you have over it. We collect as little as we reasonably can, we don't sell your data, and we believe plain English belongs in a privacy policy.
What we collect
We collect the following categories of information when you use Tumobird:
- Account information — your name, email, and password hash when you sign up. If you sign in with GitHub OAuth, we receive your GitHub username, email, and avatar URL.
- Billing information — billing address and the last four digits of your card. Full card numbers are processed and stored by Stripe, our payment processor. We never see or store them.
- Deployment metadata — the name, region, and runtime of your Discord bot deployments. The source code itself lives in your Git repository; we pull it only during builds.
- Logs and metrics — standard output, standard error, and resource usage (CPU, RAM, network) from your running bot. Retained for 7–90 days depending on plan.
- Usage analytics — pages viewed on tumobird.com and actions taken in the dashboard, collected via first-party analytics. We do not use Google Analytics, Facebook Pixel, or third-party behavioral tracking.
- Support correspondence — emails, chat transcripts, and any attachments you send us.
What we don't collect
We don't collect data from inside your Discord bot deployments. Your bot talks to Discord directly; we provide the runtime and networking. Messages your bot receives, user IDs your bot processes, database contents — none of that flows through our systems or is visible to us, barring log lines you explicitly write via stdout. If your bot logs user messages, those logs land in the deployment's log stream, where our retention policy applies.
We do not sell, rent, or trade any personal information to third parties. We do not allow advertisers to place tracking pixels or ad tags on Tumobird properties.
How we use the information
Personal information is used for the following purposes:
- Providing the service — running your Discord bot, sending deploy notifications, billing your account.
- Customer support — answering your questions and debugging deployments.
- Product development — improving the platform based on aggregate usage patterns.
- Security — detecting abuse, fraud, and unauthorized access.
- Legal compliance — responding to lawful requests from law enforcement and complying with tax, accounting, and corporate reporting obligations.
Data retention
Account data is retained while your account is active and for 90 days after deletion, after which it is permanently erased except where retention is required by law (for example, tax records). Deployment logs are retained per plan: 7 days on Hobby, 30 days on Standard, 90 days on Dedicated. Backup snapshots follow the same retention on Standard and Dedicated plans.
Data security
All data in transit is encrypted with TLS 1.3. Data at rest is encrypted with AES-256 on encrypted block storage. Environment variables are encrypted with a separate key managed via an HSM-backed key management service. Access to production systems is limited to a small number of engineers, gated by hardware security keys, and logged.
We run annual third-party penetration tests and publish the executive summary at security.tumobird.com. Security issues can be reported at [email protected]; we follow a 90-day coordinated disclosure policy and publish CVEs through MITRE when applicable.
Your rights
You have the following rights over your personal data, regardless of where you live:
- Access — request a copy of everything we have about you.
- Rectification — correct information that is wrong.
- Erasure — delete your account and have your personal information permanently removed (subject to legal retention obligations).
- Portability — receive your data in a machine-readable format.
- Objection — opt out of any processing done on the basis of our legitimate interest.
To exercise any of these rights, email [email protected]. We respond within 30 days. If you are an EU resident, you can also complain to your local Data Protection Authority. If you are a California resident, you have additional rights under the CCPA, including the right to know the specific categories of information collected and the right to opt out of any future sale of personal data (we currently do not sell any).
Cookies and similar technologies
We use a single first-party cookie (tumobird_session) to keep you logged in.
We use localStorage to remember your theme preference (light vs. dark mode).
We do not use third-party cookies, session replay tools, or advertising tags. A cookie banner is not required in jurisdictions where cookies are strictly necessary for the service; if the applicable law changes, we'll add one.
Third-party subprocessors
Tumobird relies on the following subprocessors to operate the service:
- Stripe — payment processing (US)
- AWS — infrastructure hosting (EU, US, APAC regions as selected per deployment)
- Cloudflare — edge networking and TLS termination
- Postmark — transactional email delivery
A current subprocessor list with jurisdictions and data transfer mechanisms is maintained at /subprocessors.
Children's data
Tumobird is not directed at children under 13. We do not knowingly collect personal information from anyone under 13. If you believe a child has created an account, email [email protected] and we will delete the account and any associated data.
Changes to this policy
When we change this policy, we'll update the "last updated" date and email all account holders at least 14 days before the changes take effect. Historic versions are available at /privacy-history.
Contact
Privacy questions: [email protected]. Security vulnerabilities: [email protected]. Our Data Protection Officer can be reached at the same privacy address.