Privacy Policy
Last updated: 17 May 2026
1. Who we are
Queue Scout (“Queue Scout”, “we”, “us”) provides real-time theme park
attraction queue and wait-time information through our website, REST API, Discord Activity, and
Discord webhook integrations, available at queuescout.com, queuescout.nl,
queuescout.app, and queuescout.io (the “Service”).
If you have questions about this policy or your data, contact us at privacy@queuescout.com.
2. Scope
This policy applies to all interactions with the Service, including:
- the public websites under the queuescout.com, .nl, .app, and .io domains;
- the Queue Scout Discord Activity loaded inside the Discord client;
- the public Queue Scout REST API;
- the Queue Scout Discord webhook sender that posts queue updates to Discord channels.
3. Personal data we process
3.1 When you use the website, Discord Activity, or REST API
| Data | Purpose | Legal basis (GDPR) |
|---|---|---|
| IP address |
Used solely to derive a pseudonymous rate-limit identifier. We compute
sub = base64url(HMAC-SHA256(server-secret, ip)[..16]) and store only this
truncated HMAC inside short-lived JWT tokens. Your raw IP is not persisted by the issuer
beyond what is necessary to verify the anti-bot challenge and produce the token.
|
Legitimate interest (Art. 6(1)(f)): protecting the Service from abuse and providing fair access. |
| Cloudflare Turnstile challenge response | Used to verify you are not a bot before issuing an access token. Verified once and discarded. | Legitimate interest (Art. 6(1)(f)): preventing automated abuse. |
| JWT access token |
Issued in-memory to your browser/client and used to authenticate API requests. Contains the
pseudonymous sub, an issuer, audience, expiry and rank claim. Not stored in
cookies; not persisted across browser sessions.
|
Contract (Art. 6(1)(b)): necessary to provide the Service you requested. |
| HTTP request metadata (user agent, requested URL, response status, timing) | Used for security monitoring, troubleshooting, and aggregate performance analysis. | Legitimate interest (Art. 6(1)(f)). |
| Browser local storage |
The Discord Activity caches the translation bundle under the key
qs-i18n-en in your browser. This is non-sensitive UI text and never leaves
your device. It is not used for tracking and contains no identifiers.
|
Legitimate interest (Art. 6(1)(f)): reducing bandwidth and load time. |
3.2 When you use the Discord webhook integration
If you (or a Discord server administrator) configure Queue Scout to post queue updates into a Discord channel, we store the following in our database:
- the park and attraction identifiers you subscribed to;
- a randomly generated subscription identifier (UUID);
- the Discord webhook URL you provided (which is a Discord-issued secret URL that allows posting in a single channel);
- the Discord message ID and channel ID of the message we post (so we can edit it on subsequent updates);
- creation and last-update timestamps.
We do not request, store, or have access to Discord user accounts, server member lists, message content other than what we ourselves post, OAuth tokens, or any information beyond what is needed to deliver the queue update to the channel.
3.3 What we do not collect
- We do not use advertising cookies, advertising identifiers, or marketing trackers.
- We do not sell, rent, or trade personal data.
- We do not build behavioural profiles or target advertising.
- The Queue Scout Discord Activity (v1) does not perform Discord OAuth and does not learn your Discord user ID, username, or server membership.
4. Cookies and similar technologies
Queue Scout does not set tracking cookies. The Discord Activity uses one
localStorage entry (qs-i18n-en) to cache UI translations. The Cloudflare
Turnstile widget may set its own short-lived cookies on the
challenges.cloudflare.com domain in order to operate; see Cloudflare’s privacy
statement for details.
5. Third-party processors and services
We rely on the following third parties to run the Service. Each acts as a processor or independent controller as indicated.
| Provider | Purpose | Data shared |
|---|---|---|
| Cloudflare, Inc. | Turnstile bot-protection challenge and edge networking. | Your IP address, browser characteristics needed to issue a Turnstile challenge response, and the resulting verification token. |
| Functional Software, Inc. (Sentry) | Error tracking, performance monitoring, and distributed tracing for our backend services. | Truncated IP, request path, HTTP status, error stack traces, and trace identifiers. Personal data is minimised; we do not deliberately attach user identifiers to events. |
| Discord, Inc. | Hosting of the Queue Scout Discord Activity inside the Discord client; delivery of webhook messages to Discord channels you configure. | Network traffic to and from Discord’s servers, including queue update messages we post. Discord’s own Privacy Policy governs data they collect from you as a Discord user. |
| Hosting and infrastructure providers | Running our Kubernetes cluster, databases (ScyllaDB), message broker (RabbitMQ), and ingress. | Encrypted operational traffic. Providers do not have application-level access to user data. |
6. Where your data is processed
Queue Scout is operated from servers in the European Union. Some of the third-party services listed above (Cloudflare, Sentry, Discord) operate globally and may process data outside the EU/EEA. Where applicable, transfers rely on the European Commission’s Standard Contractual Clauses or equivalent safeguards offered by the provider.
7. Retention
- IP addresses and request logs: retained for up to 30 days for security and abuse-prevention purposes, then deleted or aggregated.
- Turnstile challenge responses: verified once and discarded immediately.
- JWT access tokens: short-lived (default 1 hour) and held only in your client’s memory.
- Sentry events: retained according to Sentry’s default project retention (typically 30–90 days), then automatically deleted.
- Discord webhook subscriptions: retained for as long as the subscription is active; deleted within 30 days after the subscription is removed or the webhook becomes permanently invalid.
- Browser local storage: persists until you clear your browser data; we cannot delete it remotely.
8. Your rights under the GDPR
If you are in the EU/EEA, UK, or another jurisdiction with comparable laws, you have the right to:
- access the personal data we hold about you;
- request correction of inaccurate data;
- request erasure of your data (“right to be forgotten”);
- request restriction of processing or object to processing based on legitimate interest;
- request data portability;
- lodge a complaint with your local supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
Because most of our data is pseudonymised (we do not know who you are without additional information), exercising some of these rights may require you to identify the specific request, IP range, time window, or Discord webhook subscription concerned. Send requests to privacy@queuescout.com.
9. Security
We use TLS for all public endpoints, store secrets using sealed-secrets in our Kubernetes
cluster, and minimise the personal data we collect by design. The IP-to-sub
derivation uses a server-side HMAC secret so the rate-limit identifier in your token cannot be
reversed to your IP by anyone who sees the token. No method of transmission or storage is 100%
secure, and we cannot guarantee absolute security.
10. Children
The Service is not directed to children under the age of 13 (or under 16 in the EU/EEA where applicable). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this policy from time to time. The “Last updated” date at the top of the
page reflects the most recent revision. Material changes will be announced on
queuescout.com at least 14 days before they take effect.
12. Contact
Questions, complaints, or requests under data-protection law: privacy@queuescout.com.