Privacy Policy

VRChat Legends ("we," "our," "us") is a community-driven fan site that documents VRChat players, groups, worlds, and events. This Privacy Policy explains what information we collect, how we use it, and your rights regarding that information. By using the site - including Discord sign-in for profile editing or creation, VRChat-linked verification where applicable, optional profile likes while signed in, the live chat feature, and the optional Nexus Voice Assistant desktop companion app described below - you agree to the practices described here.

• Presence & Analytics: Your IP address is temporarily stored in memory to count live visitors (online count) and to rate-limit API requests. It is never persisted to disk or shared.
• Profile View Counts: When you visit a legend profile, a view is recorded against that profile's ID. No personally identifiable information is stored with the count.
• Discord Auth Data: If you sign in via Discord OAuth (to create a community profile, edit linked profile information, chat with authenticated features where required, submit a profile report, or like/remove a legend like), we receive your Discord user ID, username, and avatar where the OAuth scopes provide them. That data is used to verify identity, operate those features, and issue a signed session JWT.
• VRChat Verification (community profiles): If you onboard a community profile through our verification flow, you provide a VRChat username or usr_ ID. We look up public VRChat profile metadata (such as username, display name, and biography text) via VRChat APIs to verify that you temporarily placed an issued verification code in your VRChat biography. Upon success, we store a record on your Legend profile tying your Discord account to that VRChat user ID and related display identifiers. Verification requests waiting to be confirmed are stored on our backend keyed by your Discord user ID.
• Legend profile likes: When you sign in with Discord and like or unlike an eligible Legend profile on the website, your Discord user ID is stored alongside that action so each account cannot duplicate-like the same profile and so you may remove your like later. Aggregated counts are shown publicly.
• Profile reports: If you report a community user profile while signed in, we process your Discord user ID, chosen category, optional details you provide, and context about the reported profile when relaying information to moderation staff or systems (such as Discord logging channels).
• Submitted Profile Content: Any text, images, gallery items, links, badges, pronouns, and similar fields you submit through profile onboarding, profile edits, or admin tools are stored in our backend and displayed publicly according to site rules.
• Usage Data: Standard web server logs (page requests, timestamps, browser type) may be retained briefly for debugging and security purposes.
• Nexus Voice Assistant (desktop app): If you install and run our optional Windows desktop app "Nexus Voice Assistant," the app may record non-content diagnostic events on your PC (for example app start/stop, whether a translation send succeeded, which settings screen was opened, and whether account linking succeeded). These diagnostics are designed not to include your spoken audio, transcripts, or translation text. A pseudonymous install identifier is stored on your machine to correlate events. By default, events are appended to a local log file under the app's profile directory; they are not automatically uploaded to VRChat Legends. We may offer optional upload or sync in a future version, in which case this policy will be updated and the app will request or reflect your choice where required. You can disable local diagnostics in the app settings at any time. When you use in-app translation features, text may be sent to independent public translation HTTP services on the internet; those requests are governed by those services' policies, not this site's hosting stack.
• Chat Messages: When you use the live chat feature, your messages (text, images, and audio files) are stored on our server and synced with our Discord server. Messages are linked to your Discord ID and username. Audio files are stored permanently until an admin deletes them. Blurred images are stored with a flag to render them hidden-by-default for sensitive content.
• Chat Audio Files: Audio files uploaded to chat are stored on the API server and served publicly at a predictable URL. Do not upload audio containing personal information or third-party copyrighted material.

• To display and serve the VRChat Legends website and player profiles.
• To authenticate you via Discord OAuth and issue signed session tokens for profile creation, edits, authenticated chat actions, legend likes, and profile reports.
• To operate VRChat-linked verification during community-profile onboarding against public VRChat profile data.
• To persist legend-profile likes keyed to Discord identifiers as described above.
• To relay authenticated profile-report submissions to human moderators.
• To show a live visitor count in the footer (based on anonymous ping tracking).
• To track profile view popularity for the leaderboard feature.
• To operate the live chat feature: storing, displaying, and syncing messages with the connected Discord server.
• To protect the API from abuse via rate limiting.
• To respond to support requests sent to our contact email.
• To improve the optional Nexus Voice Assistant desktop app using aggregated or diagnostic information as described in this policy (including local-only logs unless and until a future version offers optional upload with notice).

• We do not sell or rent any personal data to third parties.
• We do not use advertising networks or ad trackers.
• We do not store Discord tokens. Only a short-lived JWT is issued after OAuth completes.
• We do not persistently log IP addresses beyond in-memory rate limiting and presence tracking.
• We do not run a standalone general-purpose account portal: access to edit or create Discord-linked Legend pages is mediated through Discord OAuth signing and short-lived site tokens.

• Session storage: The splash screen state is stored in sessionStorage so it only shows once per browser session.
• LocalStorage (auth): Your profile edit JWT is stored in localStorage and expires after 7 days.
• No tracking cookies: We do not use advertising or cross-site tracking cookies of any kind.

The site integrates with the following external services, each governed by their own privacy policies:

We do not sell or rent personal information. Data may be shared only in the following limited circumstances:

• With infrastructure providers (Cloudflare Pages for hosting, the API server provider) as necessary to operate the service.
• With Discord when you sign in, moderate in Discord channels, or synchronize chat, only the data required for those integrations (for example OAuth payloads, message content, webhook metadata, or moderator audit logging).
• To comply with a valid legal obligation, court order, or law enforcement request.

When you upload avatar, banner, or gallery images through profile onboarding or the profile edit feature, files are converted to WebP format, stored under your Legend directory on the API server, and served at public URLs referenced from your profile. When admins upload images or audio files to the live chat, those files are stored in the chat-images and chat-audio directories and served publicly. Chat images may optionally be marked as blurred (hidden-by-default), though the raw URL remains accessible. Do not upload any content you do not have the right to publish publicly.

• The API uses HTTPS in production. All JWT tokens are signed and expire after 7 days.
• Rate limiting is applied to all API endpoints to prevent abuse.
• VRChat session credentials (used for the API's world/group data) are stored only in .env and never exposed publicly.
• No system is 100% secure. If you discover a vulnerability, please disclose it responsibly to support@vrchatlegends.com.

• You may request to view, correct, or delete your profile data at any time by contacting support@vrchatlegends.com.
• If you were added to the site without consent, we will remove your profile within 7 business days of a verified request.
• Residents of the EU/EEA have additional rights under GDPR including the right to data portability and to lodge a complaint with a supervisory authority.

Our services are not directed at anyone under the age of 13. We do not knowingly collect personal data from minors. If you believe a minor's data has been collected, please contact us and we will delete it promptly.

We may update this Privacy Policy periodically to reflect changes in our practices, features (such as the live chat or Nexus Voice Assistant), or the law. The "Last updated" date at the top of this page indicates when the most recent revision was made. Continued use of the site after a revision constitutes acceptance of the updated policy.

The Nexus Voice Assistant Windows app is optional companion software. It stores pairing tokens and configuration on your PC, sends OSC to VRChat on your local network when you enable the chatbox feature, and may contact VRChat Legends APIs when you link your Legend profile or verify a device token. Diagnostic events are described under "Data We Collect" above. For the full in-product explanation, open the app settings.

For any privacy-related questions, requests, or concerns, please contact us at support@vrchatlegends.com. We aim to respond within 7 business days.