Privacy Policy
Last updated 10 April 2026
Introduction
Viscra (“we”, “our”, “us”) operates the Viscra SSO service at sso.viscra.uk. We are built and operated in the United Kingdom and follow the Data Protection Act 2018 and UK GDPR when handling any personal information that flows through this service.
This policy explains what we collect, why we keep it, and how you can control or erase it. If anything is unclear, reach out via our support server and we will walk you through it.
Information we collect
We only retain data required to operate the authentication and identity service:
- Account data - your chosen username and a bcrypt hash of your password. Your plaintext password is never stored.
- Passkeys - WebAuthn credential IDs and public keys registered to your account. No biometric data is transmitted or stored.
- Discord identity - your Discord user ID, username, and avatar when you link your Discord account. OAuth access and refresh tokens are stored encrypted using AES-256-GCM.
- Roblox identity - your Roblox user ID, username, display name, and profile thumbnail when you link your Roblox account. OAuth tokens are stored encrypted.
- Authorised applications - a record of which third-party apps you have granted access to, and which scopes were approved.
- Access tokens - short-lived bearer tokens issued to third-party apps on your behalf, expiring after one hour.
How we use your information
- Authentication - verifying your identity when you sign in via passkey, password, or Discord.
- Account linking - connecting your Discord and Roblox accounts so third-party apps can request that data under OAuth.
- OAuth authorisation - issuing scoped tokens to apps you explicitly approve, containing only the data you consented to share.
- Security - detecting replay attacks, validating credential counters, and preventing unauthorised access.
Storage and security
All data is stored in encrypted databases with strict network access controls. Discord and Roblox OAuth tokens are encrypted at rest using AES-256-GCM with a key that is never committed to source code.
Access tokens issued to third-party apps expire after one hour. Refresh tokens expire after 30 days. You can revoke any app's access instantly from your dashboard.
Sharing
We do not sell data. The only sharing that occurs is:
- Third-party apps you authorise - apps receive only the scopes you explicitly approve (identity, Discord details, or Roblox details). We do not share your raw OAuth tokens with apps.
- Cloud infrastructure - database and hosting providers under contractual data processing agreements.
- Legal requirements - where required by UK law or a lawful governmental request.
Your controls
- Disconnect accounts - unlink your Discord or Roblox account from your dashboard at any time.
- Revoke app access - remove any authorised application's access from your dashboard instantly.
- Remove passkeys - delete any registered passkey from your dashboard.
- Account deletion - contact us via our support server to request full erasure of your account and all associated data.
Changes
We will update this policy as the service evolves. Material changes will be announced in our support server, and the date at the top of this page will be updated.
Contact
Questions or data requests? Reach us via discord.gg/6HsxeHuwug.