Privacy Policy

Feri is built so there is almost nothing to collect. This policy explains, precisely, what is processed and what is not.

Effective date: 1 July 2025. This policy applies to the Feri website, the Feri MCP server, and the hosted Feri Discord bot and relay (together, the "Services").

Summary

This summary is provided for convenience and does not replace the full text below.

  • No user accounts, sign-up, or login.
  • No personal data is collected or stored to identify you.
  • The only identifier is a connection code, which is stored in hashed form.
  • Messages are transient: encrypted in transit, never stored in readable form, and auto-deleted within five (5) minutes.
  • No analytics, no tracking, no third-party advertising SDKs.
  • No cookies beyond those strictly necessary for the website.
  • No sale of data. No advertising. Open source under GPL-3.0.

1. Definitions

In this policy, the following defined terms apply:

  • 1.1 "Connection Code" — a randomly generated, twelve (12) character alphanumeric string (format FERI-XXXX-XXXX-XXXX) used to bind one MCP server session to one Discord channel.
  • 1.2 "MCP Server" — the open source Model Context Protocol server component that runs on your own machine or infrastructure.
  • 1.3 "Relay" — the hosted service that routes messages between the Discord bot and an MCP Server.
  • 1.4 "Bot" — the hosted Feri Discord application that reads and posts messages in channels you connect.
  • 1.5 "Message" — the content relayed between a connected Discord channel and your MCP Server.
  • 1.6 "We", "us", "our" — the maintainers of the Feri project who operate the hosted Services.

2. Scope

2.1 This policy covers the hosted Services operated by us. The MCP Server is open source software that you run yourself; when you self-host, you are the controller of any data it processes on your systems.

2.2 The website at https://getferi.dev is a static site. The only runtime request it makes is a request to https://api.getferi.dev/codes/generate when you choose to generate a Connection Code.

2.3 The Services integrate with Discord, which is operated by a third party under its own terms and privacy policy. See section 9.

3. What we process

3.1 We operate without accounts. We do not ask for, and do not hold, a name, email address, password, or any profile information.

3.2 For an active connection, the relay stores only:

  • A hash of the Connection Code. Codes are not stored in plaintext; lookups are performed against the hash. A leak of our datastore does not yield usable codes.
  • The associated Discord channel identifier, encrypted at rest, so the relay knows where to deliver a reply.
  • Connection status and timestamps (created, verified, last polled, and, for unverified codes, an expiry time) used to manage the lifecycle of a connection.

3.3 Abuse prevention. To enforce rate limits and prevent automated abuse, our edge infrastructure transiently processes network metadata such as the originating IP address of code-generation requests. This metadata is used only for rate limiting and abuse detection and is not stored against, or used to build a profile of, any user. Failed verification attempts may be counted on a short-lived, per-channel basis to apply temporary throttling.

3.4 Aggregate metrics. We may compute aggregate, non-identifying operational figures (for example, the total number of active codes or total requests per day). These figures cannot be tied to an individual and contain no message content.

4. What we don't collect

For the avoidance of doubt, we do not collect or store:

  • Message content in any persistent or readable form (see section 5).
  • Names, email addresses, or any account credentials.
  • The contents of your files, workspace, repository, or code.
  • Stored IP addresses or device identifiers tied to a user record.
  • Behavioural analytics, tracking pixels, or third-party advertising data.
  • Discord user profiles, server membership lists, or server-wide data.

5. Message handling

5.1 In transit. All traffic between the Bot, the relay, and the MCP Server is encrypted using TLS 1.3.

5.2 We cannot read message content. The relay passes message payloads between endpoints and does not store them in a readable form.

5.3 Transient by design. A Message waiting for delivery lives in the queue for a maximum of five (5) minutes. Once delivered to the MCP Server it is marked delivered and removed; if it is not collected within the five-minute window, it expires and is deleted automatically.

5.4 The practical effect is that there is no archive of your conversations on our infrastructure. If a connection is revoked, its message queue is purged.

6.1 We have designed the Services around data minimisation (Article 5(1)(c) GDPR) and privacy by design and by default (Article 25 GDPR).

6.2 To the limited extent that the hashed Connection Code, encrypted channel identifier, and connection timestamps constitute personal data, our legal basis for processing is our legitimate interest (Article 6(1)(f) GDPR) in operating a functioning, abuse-resistant relay that you have chosen to use.

6.3 Because Messages are transient and no identifying records are retained, in most cases there is no personal data left to access, rectify, or erase after a connection ends.

7. Retention

  • Messages — up to five (5) minutes, then deleted automatically.
  • Unverified (pending) codes — deleted automatically ten (10) minutes after generation if not verified.
  • Active connection records — retained while the connection is active; purged when you disconnect or revoke. An inactive connection that is not polled for seven (7) days is soft-expired.
  • Abuse-prevention counters — short-lived and reset on their rate-limiting window.

8. Infrastructure and sub-processors

8.1 The relay API runs on Cloudflare Workers, with supporting Cloudflare services (KV, D1, and Durable Objects) for routing, transient queues, and rate-limiting state. Cloudflare operates a global edge network spanning the EU and US.

8.2 The hosted Bot runs as a persistent process on a standard cloud host. It writes incoming Messages to the transient queue and does not maintain its own store of message content.

8.3 Discord, Inc. provides the messaging platform on which the Bot operates and is an independent processor under its own policies.

8.4 As traffic is processed at globally distributed edge locations, data may transit infrastructure in the EU and US. Transfers are protected by encryption in transit and by the data-minimisation measures described above.

9. Discord

9.1 The Bot operates inside Discord and is subject to the Discord Developer Policy and Developer Terms of Service.

9.2 The Bot accesses message content only in the specific channels you connect it to. It does not read direct messages, does not collect server-wide data, and does not build user profiles. A dedicated Discord Bot Privacy Policy describes the Bot's access in detail.

9.3 Your use of Discord itself is governed by Discord's own Privacy Policy, over which we have no control.

10. Your rights

10.1 Where applicable data protection law (including the GDPR) grants you rights of access, rectification, erasure, restriction, objection, and portability, we will honour them.

10.2 In practice, the most direct way to exercise control is self-service: run /disconnect in your connected Discord channel, or revoke the connection from your IDE. This purges the connection record and its message queue immediately.

10.3 Because we hold no account and no identifying records, we may be unable to identify you from a request alone; this is a consequence of collecting as little as possible, not a refusal of your rights.

10.4 You may also lodge a complaint with your local supervisory authority.

11. Self-hosting

11.1 Feri is open source under GPL-3.0. You can inspect exactly what the software does and you can run the entire stack yourself.

11.2 When you self-host the MCP Server, relay, or bot, this policy does not apply to your deployment; you act as the data controller for it.

12. Changes to this policy

12.1 We may update this policy as the Services evolve. Material changes will be reflected by an updated effective date at the top of this page, and the history is visible in the public source repository.

12.2 Continued use of the Services after a change takes effect constitutes acceptance of the updated policy.

13. Contact

13.1 Questions, requests, or privacy concerns can be raised through the project's public repository, where issue and security-reporting channels are maintained.

This document is provided for transparency and does not constitute legal advice.