Privacy policy

What you should know about Discord login and your data.

What matters most

We use Supabase Auth for "Sign in with Discord." That service may collect and store your email as part of the authentication flow (alongside your Discord profile). CAM Hub does not use your email for site features, marketing, or public profile — and we do not display it in the app.

The Discord permission screen lists what the OAuth connection is allowed to access. Part of that comes from Supabase's Discord integration (not a separate toggle we can turn off on hosted Supabase). You are still consenting on Discord's side before login completes.

What we use in CAM Hub

For logged-in features (builds, votes, dungeon finder, etc.), we rely on your Discord identity: display name, avatar, and related profile fields our backend receives from the login provider. That is what we show in the UI and tie to your game data.

Email retention — scheduled deletion

CAM Hub runs an automated scheduled job (daily) that removes email addresses from our authentication database ( Supabase Auth) for Discord-based accounts where we do not need to keep them for login — so we do not hold email longer than necessary. The job skips administrator accounts and users who use email/password sign-in.

Whether the auth provider allows the email field to be cleared can vary by Supabase version; the job still runs so we minimize retention whenever the platform permits it.

Why Discord may still list "email"

Our frontend requests Discord's identify scope (profile). Hosted Supabase Auth also includes Discord's email scope in the server-side OAuth configuration, so the authorization screen can mention email even though CAM Hub doesn't use it in the product. This is documented in Supabase's open-source auth code (discord provider). The "Allow users without an email" option in Supabase does not remove email from that screen; it only affects whether sign-up can finish when no email is returned.

There is no supported workaround on hosted Supabase to use Discord OAuth without that scope being requested by the auth service, short of replacing or self-hosting auth. For many projects this is primarily a UX and transparency issue: we disclose it here and avoid using email in the app.

Security & your data

Supabase keeps authentication data (including emails when provided) in protected auth storage; it is not exposed through public database APIs by default. App data in our Postgres database uses Row Level Security (RLS) so users can only access what they are allowed to. Server-only secrets (e.g. service role keys) must stay off the client and out of public repos — that is how we operate CAM Hub.

If a serious data incident ever affects users, we would follow applicable laws (including notification timeframes where required), rotate credentials, assess impact, and publish a clear notice on this site.

Other processing

Normal browsing may generate logs or analytics like any website. We do not sell your personal data. Questions: use the contacts in the site footer.