ChuTao

Privacy Policy for Chu Tao

Effective Date: March 19, 2026


1. Introduction

Welcome to Chu Tao's Privacy Policy. This document outlines how we collect, use, and protect your information when you interact with our services, including the Chu Tao Discord bot ("Bot"), the Chu Tao web application at chutao.meoverse.com ("Web App"), and the Chu Tao API ("API") (collectively, the "Service").


2. Information We Collect

When you use the Service, we may collect the following types of information:

  • Discord Account Information:

    • User ID
    • Username and display name
    • Avatar
  • HoYoverse Account Information (if linked):

    • HoYoverse Account ID
    • Email address (encrypted at rest)
    • Authentication credentials (encrypted at rest; see Section 6)
  • Game Account Information (if linked):

    • Game UID, nickname, server/region, and adventure rank
    • Game-related data such as character information, game progress, Spiral Abyss records, wish/gacha history, daily check-in status, and other in-game statistics
  • Technical Information:

    • IP address (collected during API requests for security and logging purposes)
    • Device identifiers generated by the Web App for HoYoverse authentication
    • Browser cookies required for session management (see Section 5)
  • Interaction Data:

    • Bot command usage and interaction logs (aggregated for performance monitoring; no personally identifiable information is included in metrics)
  • Message Content (limited):

    • Message text is processed in real time solely for the translation feature (flag emoji reactions and auto-translate in configured guilds). Message content is not stored or logged by the Service.

3. How We Use Your Information

We access and process certain information to provide features and improve user experience. This includes retrieving publicly available or user-authorized HoYoverse game data, provided that users explicitly grant permission. The data we collect is used solely for the following purposes:

  • Authenticating your identity via Discord OAuth and managing your session across the Web App and Bot.
  • Linking and managing your HoYoverse game accounts at your request.
  • Providing features such as game profile viewing, character information, Spiral Abyss insights, wish history tracking, daily check-in automation, redeem code redemption, and other related functionalities.
  • Translating message content in real time when you use the translation feature. Translated text is not stored.
  • Monitoring service health, performance, and reliability through aggregated, non-identifiable metrics.
  • Ensuring security, preventing abuse, and enforcing rate limits.

4. Third-Party Services

The Service integrates with or transmits data to the following third-party services. Each is governed by its own privacy policy and terms:

  • HoYoverse / HoYoLAB: Game data retrieval, daily check-in, redeem code redemption, and account authentication. Your encrypted credentials are sent to HoYoverse APIs to perform actions you have authorized.
  • Discord: OAuth authentication and bot interactions.
  • Google Translate (via @iamtraction/google-translate): Real-time translation of message content when the translation feature is triggered. Message text is sent to Google's translation service and is subject to Google's privacy policy.
  • Geetest: CAPTCHA verification during HoYoverse login to prevent automated abuse.
  • Sentry: Error tracking and diagnostics. Request metadata (including IP address) may be transmitted to Sentry when errors occur. Sentry's data retention policy applies.
  • Google Cloud Platform (GCP) Logging: API request logs (including IP addresses) are transmitted to GCP for operational monitoring and debugging.
  • Enka.Network: Public game profile data retrieval by game UID.
  • gi.yatta.moe: Static game data (characters, weapons, artifacts, events) retrieval. No user-identifiable information is sent.

We are not affiliated with, endorsed by, or associated with HoYoverse, Discord, Google, Geetest, Sentry, Enka.Network, or any other third-party service.


5. Cookies and Local Storage

The Web App uses the following cookies and browser storage:

Cookies (HttpOnly, Secure in production, SameSite=Lax):

Cookie | Purpose | Duration
chutao.accessToken | JWT authentication token | 15 minutes
chutao.refreshToken | Session renewal token | 7 days
chutao.hoyo.credentials | Encrypted HoYoverse session credentials | 365 days
chutao.discord.access_token | Discord OAuth access token | Set by Discord
chutao.discord.refresh_token | Discord OAuth refresh token | Set by Discord
chutao.discord.expires_at | Discord token expiration tracker | Set by Discord
theme | UI theme preference (light/dark) | Persistent

Local Storage (temporary):

Key | Purpose | Duration
deviceId | Device identifier for HoYoverse authentication | Persistent until cleared
LOGIN_DATA | Temporary login state during CAPTCHA verification | Cleared after login completes
VERIFY_EMAIL_DATA | Temporary state during email verification | Cleared after verification completes

The Service does not use any analytics cookies, tracking pixels, or advertising trackers.


6. Data Storage and Security

We implement the following technical and organizational measures to protect your data:

  • Encryption at rest: HoYoverse credentials and email addresses are encrypted using RSA-2048 with AES-256-GCM before storage in the database. Encryption keys are stored separately from the database.
  • Encryption in transit: All communications use HTTPS/TLS. Security headers including HSTS (with preload), X-Frame-Options, X-Content-Type-Options, and a strict Referrer-Policy are enforced.
  • Cookie security: All authentication cookies are HttpOnly (not accessible to JavaScript), use the Secure flag in production (HTTPS only), and are scoped with SameSite=Lax to mitigate CSRF attacks.
  • Access control: Bot-to-API communication is authenticated using encrypted trusted credentials. Web-to-API communication is authenticated using short-lived JWT tokens.
  • Rate limiting: Redis-backed per-user rate limiting is enforced to prevent abuse.
  • HoYoverse passwords: Passwords provided during HoYoverse login are encrypted client-side before transmission and are never stored by the Service. Only session credentials (cookies) returned by HoYoverse are stored (encrypted).

However, no method of electronic storage or transmission is 100% secure. By using the Service, you acknowledge and accept these inherent risks.


7. Data Sharing

We do not sell, rent, or trade your personal data. We may share your information only in the following circumstances:

  • With Third-Party Services: As described in Section 4, data is transmitted to third-party services solely to provide the features you have requested.
  • With Your Consent: We may share information with additional third parties if you have given explicit consent.
  • Legal Obligations: We may disclose your information if required to comply with applicable laws, regulations, or law enforcement requests.

8. Data Retention

We retain your data only for as long as necessary to fulfill the purposes outlined in this policy:

Data Type | Retention Period
User account and linked game accounts | Until you delete your account
HoYoverse credentials (encrypted) | Until you unlink your account or credentials are refreshed
Wish/gacha history | Until you delete your account
API request logs | Subject to GCP Logging retention policy
Error reports | Subject to Sentry retention policy (typically 90 days)
Redis cache | Varies (15 minutes to 12 hours depending on data type)

9. Your Rights

You have the following rights regarding your data:

  • Access: You may request information about the data we hold about you.
  • Correction: You may request correction of any inaccurate or incomplete data.
  • Deletion: You may delete your account and all associated data at any time using the in-bot account management buttons to unlink game accounts or delete your data. Once deleted, your data is permanently removed from our database and cannot be recovered.
  • Withdraw Consent: You may stop using the Service at any time. Unlinking your HoYoverse account will stop all automated actions (check-ins, redeem codes) and remove your stored credentials.

Note that deletion from our systems does not affect data already transmitted to third-party services (e.g., logs in GCP, error reports in Sentry, or data held by HoYoverse).

For any additional requests, you can join our official Discord server at ChocoTao and contact an administrator.


10. User Responsibility

By using the Service, you acknowledge the following:

  • You are responsible for the security of your own Discord and HoYoverse accounts.
  • Providing your HoYoverse credentials to the Service is voluntary. You understand that these credentials are used to perform actions on your behalf (such as daily check-ins and redeem code redemption) and are stored in encrypted form.
  • HoYoverse retains the right to modify its services, enforce its terms, and apply restrictions or penalties at its sole discretion. We are not responsible for any actions taken by HoYoverse, including but not limited to account restrictions, suspensions, or bans.
  • You are responsible for ensuring that your use of the Service complies with all applicable laws and the terms of service of Discord and HoYoverse.

11. Children's Privacy

The Service is not directed at individuals under the age of 13 (or the minimum age required by applicable law). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can take appropriate action.


12. Changes to This Privacy Policy

We may update this privacy policy from time to time. Significant changes will be communicated through official announcements on our Discord server. The updated policy will be effective as of the date of posting. Your continued use of the Service after changes are posted constitutes your acceptance of the revised policy.


13. Contact Us

If you have any questions or concerns about this privacy policy, please contact us on our official Discord server at ChocoTao.