Privacy Policy

Last updated: March 22, 2026

Overview

This Privacy Policy only applies to the public Dis.gg MCP service.

This service and all related data processing are operated by Dylan Ysmal (Xenthys) from France, domiciled at 58 Rue de Monceau, 75008 Paris, and registered under SIREN n°843111576 since 2024.

It additionally depends on the following providers:

  • Cloudflare (California, US): secure web requests
  • Hetzner (Germany): host the entire service infrastructure (Falkenstein)
  • Scaleway (France): store encrypted backups for disaster recovery (Paris)

Even if the Dis.gg MCP service did not use Cloudflare directly in front of its own infrastructure, calls to the Discord API would still pass through Cloudflare since Discord also uses it on its side.

We store a limited amount of technical data so the service can:

  • authenticate requests safely
  • reduce repeated calls to the Discord API
  • apply access restrictions chosen by integrators
  • detect obvious abuse such as invalid-token storms

No connection to the Discord Gateway is established, and only necessary data is stored for as long as required. Bot tokens are therefore not saved since they must be sent with every request, to which they are entirely scoped.

Because the service is operated from France and hosted inside the European Union, it is intended to align with the General Data Protection Regulation (GDPR).

The Dis.gg MCP service is primarily a technical gateway, not a full application platform, so most long-term retention decisions usually belong to the bot, assistant, or product that integrates with this service behind the scenes.

What We Store

Discord and application metadata

To validate a bot token and answer requests efficiently, the service keeps a temporary copy of basic technical metadata returned by Discord, such as:

  • bot identity
  • application identity
  • server, channel, role, emoji, team, or user references needed to handle recent requests

This information is cached for a limited time and refreshed only when needed.

Security markers

The service also stores short-lived security markers to:

  • remember that a token was authenticated or rejected
  • slow down repeated invalid authentication attempts
  • apply operator-defined restrictions consistently

Bot tokens are never stored. However, we keep a derived cryptographic hash of each token so the service can reliably recognize the same token later without storing its content. This hash cannot be used to recover the original token and cannot be reused as an equivalent credential.

Operator configuration

The operator can configure service-wide defaults and application-specific options, for example:

  • support links
  • access restrictions
  • upload provider settings
  • image-generation provider settings

These settings are stored so the service can keep working between restarts.

If the operator stores provider secrets such as API keys or upload webhook credentials, those secret values are encrypted before being written to the database. The encryption key is kept separately in the service configuration; it is not stored in the database itself, which would defeat its purpose.

Custom application data

When a client uses the util_custom_data tool, the service stores small structured JSON values on behalf of that client.

  • maximum size per value: 128 KiB
  • maximum retention per value: 168 hours
  • each successful read or write refreshes the retention timer

This feature is optional and exists only when a client actively uses it.

If you believe an application has stored personal data through that tool and you wish to access or delete it, the operator of that application should be your first contact point before escalating to the Dis.gg MCP service operator.

Data Retention

By design, most technical data is temporary.

  • Discord metadata cache: 12 hours
  • App cache access data: 30 minutes
  • Invalid token marker: 30 minutes
  • Invalid IP marker: 1 hour

The service also enforces data transfer limits:

  • Download limit: 50 MiB
  • Upload limit: provider-dependent

Configuration data set by applications or the MCP operator should be considered persistent until edited or deleted manually.

The short-lived technical caches used by this service automatically expire. In practice, this means their lifetime is shorter than applicable GDPR deletion-response windows.

What We Do Not Store

The service does not store:

  • Discord bot tokens
  • Discord Gateway presence/state
  • a history of your Discord activity
  • generated images (unless using the local storage provider)
  • any data that isn't needed once the client request has been processed

Since the Dis.gg MCP service is a stateless gateway, the less data it stores, the better it works for everyone and the safer it remains.

Your Rights and Deletion Requests

If you are an end user and want data removed, corrected, or clarified:

  1. contact the provider of the bot or application you were interacting with first, because that application is usually the one deciding what was stored and why;
  2. if you believe the Dis.gg MCP service itself is holding personal data about you, you may get in touch with the operator using the contact details listed on the Terms of Service page;
  3. the operator can delete custom application data where applicable, explain which information is only a short-lived cache, and which information is controlled by the calling application.

Because the Dis.gg MCP service is a gateway, requests about transcripts, prompts, business records, personal data, user profiles, and the like will need to be handled by the provider of the application that integrates with it rather than by the MCP service operator alone.

Security and Assurance

No independent third-party security audit has been completed for this public service at the time of writing.

That said, the project is not maintained casually:

  • the code is reviewed by a human before acceptance
  • the service operator works professionally as a Systems Engineer
  • agentic coding tools are used to help implement and review changes
  • automated regression tests are always run before validating changes
  • end-to-end tests against real MCP flows, using live API credentials, are performed before and after every major update

While this does not replace an expensive, formal external audit, security and non-regression remain treated as first-class concerns rather than afterthoughts.

Scope of This Policy

This page describes the public service at mcp.dis.gg only.

It does not describe:

  • any self-hosted or third-party deployment of the same codebase
  • the privacy practices of bots, assistants, or applications using this service

If you interact with a bot or application that may be integrating with this MCP, we strongly recommend that you also review that application's own privacy policy, terms of service, and security practices before sharing any data.