1. Summary
GUY2 collects only the information needed to verify Discord access, protect launcher sessions, enforce device limits, operate the service, and investigate abuse. The verification backend is the authority for access; editable local fields are not trusted as proof of a role.
We do not ask for or store your Discord password, Roblox password, game password, or payment-card number.
2. Information collected by the verification service
- Discord account data: Discord user ID, server membership status, role IDs, and the highest eligible role shown in the launcher.
- Device security data: a device public key, a one-way device identifier hash, and a server-keyed machine-group hash used to group Windows accounts on the same underlying device.
- Session data: a one-way refresh-token hash, issue/expiry/last-use timestamps, revocation state, and role-check timestamps.
- Application data: launcher version and limited request/security metadata required for signed requests and replay protection.
- Audit data: event type, success/failure, a short reason, timestamp, Discord user ID or device row where relevant, and launcher version.
The current backend does not persist an IP address or IP hash in launcher sessions or audit records. Network addresses may be held briefly in server memory for rate limiting and are discarded when the process restarts or the short rate-limit window expires.
3. Information stored on your computer
The launcher stores an account-state file under your GUY2 launcher data directory. Its sensitive contents include the backend-issued refresh token and the device private key, protected with Windows Data Protection API for the current Windows user.
Local display values such as the last known role are not treated as authoritative. The launcher asks the backend to validate the session and current Discord access.
4. How information is used
- verify that a real Discord account belongs to the GUY2 server and has an eligible role;
- issue, rotate, validate, and revoke launcher sessions;
- show the current role in the launcher and update it when Discord roles change;
- enforce the configured device allowance and discourage account sharing;
- detect replayed, malformed, forged, or abusive requests;
- diagnose errors, maintain compatibility, and secure the service.
5. Discord OAuth
When you verify, your browser is sent to Discord's authorization page. Discord returns a short-lived authorization code to the GUY2 backend. The backend exchanges it with Discord, obtains your Discord user ID, and checks server membership and roles using server-side credentials.
The service does not store your Discord password. Discord OAuth access credentials are used only as needed to complete identity verification and are not stored as the persistent launcher credential. The launcher receives a separate GUY2 refresh token issued by the backend.
6. Data sharing and service providers
Information is not sold to advertisers. Limited information is processed by providers needed to run the service:
- Discord: identity, guild membership, roles, OAuth, and community services;
- Supabase: database storage for verification states, devices, sessions, and audit records;
- Railway: hosting and networking for the verification backend;
- Netlify: hosting and DNS for the main website;
- GitHub or other download providers: distribution of official releases where applicable.
Information may also be disclosed when required by law or reasonably necessary to protect users, the service, or legal rights.
7. Retention
- OAuth verification attempts expire after the configured short verification window, currently ten minutes. Expired database rows may remain until maintenance cleanup.
- Launcher refresh sessions currently use a rolling expiry of up to 180 days. Successful use can rotate and extend the session.
- Revoked and audit records may be retained for security, support, fraud prevention, and troubleshooting, then removed during maintenance.
- Device records may remain so device limits and revocations continue to work until they are reset or deleted.
8. Security measures
Security measures include server-side Discord role checks, signed device requests, short-lived nonces, replay prevention, refresh-token rotation, one-way token storage, device public-key verification, rate limiting, database constraints, and local DPAPI protection.
No system can be guaranteed perfectly secure. Keep Windows and Discord accounts protected and report suspected unauthorized access promptly.
9. Your choices and requests
You may stop using the launcher, delete the local account-state file, leave the Discord server, or ask support to revoke sessions, reset device registrations, or review/delete applicable server-side records.
Some data may be retained where reasonably required for security, legal compliance, dispute handling, or abuse prevention. Identity may need to be verified before fulfilling a request.
10. Website, cookies, and external content
The main website may load resources from third parties such as Google Fonts and the Discord server widget. Those providers can receive standard web request information under their own privacy policies.
The GUY2 verification API does not use advertising cookies. Browser or hosting-provider logs may still be produced as part of normal HTTPS delivery and security operations.
11. Changes to this policy
This policy may be updated when data practices, providers, security controls, or legal requirements change. The effective date will be updated, and significant changes may be announced on the website or Discord.
12. Contact
Use the official GUY2 Discord server for privacy questions, session revocation, device resets, or data requests.