Privacy & Security
This page covers what CraftyAI collects, how it is stored, and how it is protected.
What we collect
When a player triggers the AI in chat, the plugin sends the following to our servers:
- The player's username
- The chat message (the player's question or command)
- Game state needed to answer the question: biome, health, hunger, coordinates, inventory snapshot, time of day, weather
- Your server's session ID (used for rate limits and tier tracking)
That's it. We don't see player IP addresses, world saves, chest contents, or anything outside the immediate context of the question.
What we don't collect
- Player IP addresses
- World save data, terrain, or chunks
- Other players' positions or inventory (only the asking player)
- Passwords, login tokens, or session cookies
- Anything from outside the AI request
How long we keep data
Chat messages
Processed in real time. The message is sent to the AI provider, the response is sent back to the player, and the original message is not stored after the response is delivered.
Memory (taught knowledge)
Anything you teach with /crafty learn Q | A is stored in our vector database, indexed against your session ID. It stays until you remove it or close the account.
Memory (conversation history)
Recent chat messages are kept briefly so the AI can answer follow-up questions. After the conversation goes idle, the AI compresses the relevant parts into long-term memory and the original messages are dropped.
Long-term memory persists indefinitely until you delete it.
Telemetry
Every 3 minutes, the plugin sends a heartbeat ping to our servers. The heartbeat contains:
- Server version
- Plugin or mod version
- Online player count
That's all. No chat content, no player names, no game state.
You can disable telemetry:
- Plugin: Set
enable_metrics: falseinconfig.yml - Mod: Set
telemetry_enabled: falseincraftyai.json
Disabling telemetry does not disable the AI. The plugin will still work for chat and actions.
BYOK
If you configure your own Gemini API key (BYOK), your prompts go directly to Google instead of through our AI providers. In that mode, Google receives the prompt and our servers don't see the AI traffic. Google's API Privacy Policy applies to that data.
How we protect your data
- All traffic between your server and our backend is encrypted with HTTPS and TLS.
- API keys are stored as bcrypt hashes, not plaintext. We can't recover a key from our database, but we can rotate it on request.
- Server isolation: learned knowledge is keyed by session ID, so no other server can read your facts.
Abuse detection
We monitor for unusual traffic patterns (requests from non-Minecraft clients, requests claiming a session ID that doesn't match their API key, etc.). When we detect abuse, we send an alert to all operators on the affected server.
This is a security check, not surveillance. We only act on requests that fail client validation, we don't read chat content for abuse detection.
Deleting your data
To have all data associated with your session ID deleted, including learned knowledge, long-term memory, and usage analytics, open a ticket in our Discord. We delete the data within 7 days and confirm by reply.
Questions
If anything on this page is unclear or you want more detail on a specific point, ask on Discord.