Privacy Policy

Last updated: 2026-04-19

DreamSync (“DreamSync”, “we”) is operated by Dreamscape. This policy describes what information we collect, how we use it, and the rights you have over it. It applies to the DreamSync dashboard, Discord bot, and REST API.

Information we collect

When you sign in with Discord

  • Your Discord user ID, username, avatar hash, and (if granted) email address.
  • The list of Discord servers you belong to, used only to populate the server picker. This list is cached in Redis for ten minutes and not written to long-term storage.

When you link a Roblox account

  • Your Roblox user ID, username, and display name.
  • The OAuth access and refresh tokens Roblox issues. Refresh tokens are encrypted at rest with AES-256-GCM.

When you use the DreamSync bot in a server

  • The server ID, server name, icon hash, and its owner’s Discord ID.
  • Per-member verification state, current slot selection (if configured), and timestamps of updates we apply on your behalf.
  • Audit log entries recording configuration changes, bans, API key lifecycle events, and update outcomes, retained per your plan’s retention window.

When you use the DreamSync API

  • The SHA-256 hash of every API key you generate; we never store the plaintext. A short display prefix is kept so you can identify keys in the dashboard.
  • Per-key request count and last-used timestamp for rate limiting and abuse detection.

Telemetry and operational data

  • Hashed IP addresses attached to session and audit rows for abuse investigation. Raw IP addresses are not persisted.
  • User-agent strings for session records.
  • Error reports and latency metrics, scrubbed of personal data, collected in Sentry / Prometheus.

How we use information

  • To authenticate you to the dashboard and authorize actions you take.
  • To evaluate the role bindings and verification rules each server has configured.
  • To operate the API, enforce plan-based rate limits, and detect anti-scraping patterns.
  • To bill you for paid plans via Stripe and handle refund or chargeback inquiries.
  • To communicate about outages, security issues, and product changes that affect your account.

Sharing

  • Stripe receives billing information when you subscribe. We send a customer identifier, email (if provided), and metadata linking the subscription to a Discord server. Stripe’s privacy policy governs its handling of that data.
  • Discord receives requests we make on your behalf to apply role and nickname changes. This is inherent to running a Discord bot.
  • Roblox receives requests when we verify group membership, gamepass ownership, or Open Cloud DataStore values.
  • We do not sell or rent personal data. We do not share personal data with advertisers or data brokers.

Your rights

  • Access. You can export everything DreamSync has stored about you at /account/export when signed in.
  • Deletion. You can delete your DreamSync account at /account/delete. This removes user, session, and Roblox link rows. Data written to guild-scoped audit logs as a result of actions you took is retained for as long as that server’s retention window requires, referenced by your Discord ID; we cannot remove it without breaking the server’s audit trail.
  • Correction. Re-run the Discord / Roblox OAuth flows to refresh the data we cache about you.
  • Objection. Contact privacy@serflain.com to object to specific processing. We will respond within thirty days.

Retention

  • Active sessions: up to 30 days absolute, 7 days idle; rotated on login.
  • Revoked sessions: metadata retained 30 days, then deleted.
  • Audit logs: retained per the server’s plan: 30 days on Free, 90 on Pro, 365 on Developer.
  • Revoked API keys: metadata only (prefix, name) beyond 90 days; the key hash is zeroed.
  • Stripe events and migration records: 180 days unless needed for dispute resolution.

Security

All traffic uses TLS. Session tokens and API keys are stored as SHA-256 hashes. Roblox refresh tokens and Open Cloud API keys are encrypted at rest with AES-256-GCM under a data encryption key that is rotated and, in production, wrapped by a cloud KMS. Postgres and Redis are private and never exposed to the public internet.

Children

DreamSync is not directed at children under 13. If you believe a child has provided us with personal information, contact privacy@serflain.com and we will delete it.

Changes

We will announce material changes to this policy via the dashboard and, where appropriate, email. Continued use after the effective date constitutes acceptance.

Contact

Privacy questions: privacy@serflain.com. Security reports: security@serflain.com.