Privacy Policy
Last updated: June 2026
Privacy at a Glance
General Information
The following notices provide a simple overview of what happens to your personal data when you use MSK Forms at forms.msk-scripts.de. Personal data is any data that can be used to personally identify you.
MSK Forms is a hosted platform that lets Discord servers (guilds) build forms and review the resulting submissions. Two roles are important throughout this policy: we operate the platform, and the guild operators decide which forms to publish and what data to collect from their applicants (see "Roles and Responsibilities" below).
What rights do you have?
You have the right at any time to obtain information free of charge about the origin, recipients, and purpose of your stored personal data, as well as the right to have this data corrected or deleted. You can contact us at any time regarding this and other questions.
Hosting
We host MSK Forms with the following provider:
netcup GmbH, Daimlerstraße 25, D-76185 Karlsruhe, Germany
When you use the service, netcup, acting as a processor, automatically records information transmitted by your browser in server log files: browser type and version, operating system used, referrer URL, hostname of the accessing computer, time of the server request, and the IP address. This data is not merged with other data sources.
Legal basis: the legitimate interest in the technically error-free provision and security of our service (Art. 6(1)(f) GDPR). We have concluded a data processing agreement (DPA) with the provider. The server, the database, and all uploaded files are located within the European Union.
General Information and Mandatory Information
Data Protection
We take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy.
Notice Regarding the Responsible Party
The party responsible for the operation of the platform is:
Moritz Kohm
c/o Impressumservice Dein-Impressum
Stettiner Str. 41
35410 Hungen
Germany
Email: info@msk-scripts.de
Roles and Responsibilities
- For platform and account data (your Discord login, billing, technical operation), MSK Scripts is the controller.
- For the content of forms and submissions, the guild operator who created the form is responsible (controller) and decides which data is collected. We process that data on their behalf in order to provide the platform. Guild operators must inform their own applicants about this processing.
Data Protection Officer
There is no statutory obligation for us to appoint a data protection officer. For questions regarding data protection, please contact us directly using the contact details above.
Storage Period
Unless a more specific storage period is mentioned, your personal data remains with us until the purpose of the data processing no longer applies, or until you (or, for submissions, the relevant guild operator) delete it.
Revocation of Your Consent
Many data processing operations are only possible with your explicit consent. You can revoke a consent you have already given at any time. The legality of the data processing carried out until the revocation remains unaffected.
Right to Object (Art. 21 GDPR)
IF DATA PROCESSING IS BASED ON ART. 6(1)(E) OR (F) GDPR, YOU HAVE THE RIGHT AT ANY TIME TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA CONCERNED, UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE, OR DEFENCE OF LEGAL CLAIMS (ART. 21(1) GDPR).
Right to Lodge a Complaint
In the event of violations of the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place of the alleged violation.
Further Rights
You have the right to data portability, to information, correction, and deletion, and to restriction of processing, within the framework of the applicable statutory provisions. You can contact us at any time for this purpose.
SSL / TLS Encryption
For security reasons, this service uses SSL/TLS encryption. You can recognise an encrypted connection by the "https://" prefix and the lock icon in your browser's address bar.
Data We Process
Login and Account (Discord OAuth)
To use the dashboard you log in with Discord (OAuth scopes: identify, email, guilds). After authorisation, Discord transmits your Discord user ID, username, avatar, email address, and the list of servers you are a member of. We store your Discord user ID, username, avatar, email address, and language preference to operate your account, determine which servers you can manage, send you status notifications, and display your name to your team.
Your session is maintained with an encrypted, httpOnly cookie. Legal basis: Art. 6(1)(b) GDPR (provision of the service).
Form Submissions
When a form is submitted, we store the answers the applicant provided, together with metadata (submission timestamp, status, status history, internal notes and public messages from reviewers, and — for quizzes — a score). The answers may contain personal data that the guild operator chose to ask for; the operator is responsible for that choice (see "Roles and Responsibilities").
Each submission is reachable via a private link containing a random identifier (UUID). Anyone who has the link can view that submission's status page and use the self-service actions on it. The link is the access capability — handle it appropriately.
For logged-in applicants, we additionally store the Discord identity needed to send status direct messages and (on acceptance) to grant a role. Anonymous submissions (public forms, no login) carry no Discord identity. Legal basis: Art. 6(1)(b) GDPR (provision of the service) and the guild operator's respective legal basis for the application itself.
File Uploads
If a form contains a file, image, or signature field, the uploaded file is stored on our server (S3-compatible storage within the EU) under a random key. Files are served back only through the application as downloads. Legal basis: Art. 6(1)(b) GDPR.
Discord Bot
The MSK Forms bot is a multi-tenant bot that a guild can invite. To provide its functions it stores Discord identifiers for the guild, its members and forms, posts form and review messages to channels you configure, and sends status direct messages to applicants who logged in with Discord. Legal basis: Art. 6(1)(f) GDPR (providing the requested bot functionality) and Art. 6(1)(b) GDPR.
Subscription Payments (Stripe)
Paid plans (Pro, Enterprise) are processed via Stripe (Stripe Payments Europe, Ltd.). You enter your name, billing address, email, and payment details directly with Stripe. We do not receive or store your card details; we only store the Stripe customer and subscription IDs and your plan to provide the service. Stripe Privacy Policy: stripe.com/privacy. Legal basis: Art. 6(1)(b) GDPR.
Captcha (Cloudflare Turnstile)
Public forms may be protected by Cloudflare Turnstile, a privacy-friendly captcha. When active, your browser loads a script from Cloudflare and Turnstile assesses whether the request is automated. We only receive a pass/fail token; the assessment is performed by Cloudflare. Cloudflare Privacy Policy: cloudflare.com/privacypolicy. Legal basis: Art. 6(1)(f) GDPR (protection against spam and abuse).
Abuse Prevention (Rate Limiting)
To protect public endpoints (such as form submission and file upload) from automated abuse, the server temporarily processes your IP address in a short-lived in-memory/Redis counter to count requests within a time window. This counter is not used for profiling or tracking and is discarded after the window elapses. Legal basis: Art. 6(1)(f) GDPR (security and availability).
Live Status Updates
The status page can update live via a WebSocket connection so applicants see status changes without refreshing. This connection transmits only the technical information required to deliver updates for the specific submission. Legal basis: Art. 6(1)(f) GDPR.
Custom Domains (Pro and above)
If a guild configures a custom domain, the domain name is stored in our database and an Apache virtual host plus a free Let's Encrypt SSL certificate are set up. Your domain name may appear in public Certificate Transparency logs as part of standard Web PKI. A guild may optionally store its own Discord OAuth and Cloudflare Turnstile credentials for its domain; secret values are stored encrypted and are never displayed again. Legal basis: Art. 6(1)(b) and (f) GDPR.
What We Do NOT Do
- We do not use tracking cookies, analytics services, or advertising technologies.
- We do not receive or store your payment card details.
- We do not read your Discord messages beyond what the service requires to function (e.g. the slash commands you run and the channels you configure).
Legal Bases for Processing
| Processing activity | Legal basis |
|---|---|
| Discord login, account, sessions | Art. 6(1)(b) GDPR — provision of the service |
| Form submissions, files, status workflow | Art. 6(1)(b) GDPR — provision of the service |
| Discord bot functionality | Art. 6(1)(b) and (f) GDPR |
| Subscription processing (Stripe) | Art. 6(1)(b) GDPR — provision of the service |
| Captcha (Turnstile) | Art. 6(1)(f) GDPR — spam/abuse prevention |
| Rate limiting | Art. 6(1)(f) GDPR — security and availability |
| Web server logs | Art. 6(1)(f) GDPR — security and operation |
Cookies and Local Storage
We only use technically necessary cookies — there is no tracking and no cookie consent banner is required.
| Name | Purpose | Duration |
|---|---|---|
| Session cookie | Keeps you logged in (encrypted, httpOnly) | Session / until logout |
| OAuth state cookie | CSRF protection during the Discord login flow | A few minutes |
| NEXT_LOCALE | Stores your chosen display language | 1 year |
| A/B test cookie (per form) | Keeps an A/B variant assignment stable for an applicant | Limited |
| Turnstile cookie | Set by Cloudflare when the captcha is active | Per Cloudflare |
The browser's local storage may hold non-personal UI preferences (e.g. light/dark theme). Legal basis: Art. 6(1)(b) GDPR (technically necessary) and Art. 6(1)(f) GDPR (consistent language/UI preference).
Web Server Logs
Our server automatically records access logs containing: IP address, date and time, URL accessed, HTTP status code, and browser/client type. These are used for security and operational purposes and are automatically deleted after a maximum of 14 days. Legal basis: Art. 6(1)(f) GDPR.
Storage Period
| Data | Storage period |
|---|---|
| Server access logs | 14 days |
| Account data (Discord ID, username, avatar, email, language) | Until account/data deletion |
| Form submissions, answers, status history | Until deleted by the applicant or the guild operator, or the form is deleted |
| Uploaded files (file/image/signature) | Together with the submission |
| Stripe references (customer/subscription IDs, plan) | Until the subscription ends and account data is deleted |
| Session / OAuth state cookies | Session / a few minutes |
| Language cookie (NEXT_LOCALE) | 1 year (or until cleared) |
| Rate-limiting counters | Short rolling window |
| Custom domain + (encrypted) per-guild credentials | Until removed |
When the bot is removed from a server and the subscription has ended, we may delete the associated data.
Data Transfer to Third Countries
- Discord (Discord Netherlands B.V. / Discord Inc., USA): processing Discord identities necessarily involves Discord. Where data is transferred to the USA, this is based on Standard Contractual Clauses. See discord.com/privacy.
- Stripe (Ireland): subscription payments are processed within the EU; transfers to its US parent are based on Standard Contractual Clauses. See stripe.com/privacy.
- Cloudflare (USA): when the Turnstile captcha is active. Transfers are based on Standard Contractual Clauses. See cloudflare.com/privacypolicy.
Our server, database, and all uploaded files are stored within the European Union.
Your Rights Under the GDPR
As a data subject, you have the following rights:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure (Art. 17 GDPR)
- Right to restriction (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
- Right to lodge a complaint with the competent supervisory authority
Applicant self-service: if you submitted a form, you can exercise the core rights yourself directly on your status page, using only your submission link and without logging in — you can withdraw, export (as JSON), or delete your submission. Deleting also removes any files you uploaded.
To exercise your rights regarding account or platform data, contact: info@msk-scripts.de. For data contained in a specific application, the guild operator that runs the form is the primary point of contact; we will support you in reaching them. We process requests within 30 days.
Changes to This Privacy Policy
We reserve the right to update this privacy policy to reflect changes to our service or applicable law. The current version is always available at this URL. The date above indicates the last update.