Privacy Policy

Last Updated: 2025-10-14

This Privacy Policy is GDPR-compliant and applies to all users of index-cord services.

1. Introduction

At index-cord, we take your privacy seriously. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Discord message management and indexing platform.

This Privacy Policy applies to all users of the index-cord service and should be read in conjunction with our Terms of Service.

We are committed to complying with the General Data Protection Regulation (GDPR) and Spanish data protection laws. If you are located in the European Union or European Economic Area, you have specific rights regarding your personal data, which are detailed in this policy.

By using index-cord, you acknowledge that you have read and understood this Privacy Policy and consent to the collection and processing of your data as described herein.

2. Data Controller Information

For the purposes of GDPR and other data protection laws, the data controller is:

Legal Entity: Fogges S.L

Legal Form: Sociedad Limitada (SL)

CIF: ESB70788245

Registered Address: Calle Diseminado N 266, 39626, Cantabria, Spain

Email: contact@fogges.com

As the data controller, we determine the purposes and means of processing your personal data. We are responsible for ensuring that your data is processed lawfully, fairly, and transparently.

For data protection inquiries, you may contact our Data Protection Officer at the email address above with the subject line "Data Protection Inquiry" or "GDPR Request".

3. What Data We Collect

We collect and process the following categories of personal data:

3.1 Account Information

When you create an account via Discord OAuth, we collect:

  • Discord user ID (unique identifier)
  • Discord username and discriminator
  • Discord email address (if provided by Discord)
  • Discord profile avatar URL
  • Account creation and last login timestamps

3.2 Discord Guild (Server) Data

When you connect a Discord server to index-cord, we collect:

  • Guild ID, name, and icon
  • Guild member count
  • Channel IDs, names, and structure
  • Role information (names and IDs)
  • Guild settings and permissions

3.3 Discord Message Data

We collect and index Discord messages from connected servers:

  • Message content: The text content of messages posted in your Discord server
  • Message metadata: Message ID, timestamp, author information, channel location
  • Thread information: Thread names, participants, and message relationships
  • Reactions: Emoji reactions and reaction counts

Important: We only collect messages from Discord servers (guilds), not direct messages (DMs). We only process text messages; we do not collect or store voice chat data, video calls, or file attachments.

3.4 Subscription and Billing Data

When you subscribe to a paid plan, we collect:

  • Subscription plan type and billing cycle
  • Payment transaction IDs and timestamps
  • Billing address and tax information (via Stripe)
  • Invoice history

Note: We do not store your complete credit card information. Payment data is securely processed and stored by Stripe, our payment processor.

3.5 Usage and Analytics Data

We automatically collect certain technical information when you use our Service:

  • IP address and geolocation (country/region level)
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used
  • Search queries performed within the Service
  • Timestamps of actions and events
  • Referral source (how you arrived at our website)

3.6 Communications Data

If you contact us for support or other inquiries, we collect:

  • Email address and name
  • Contents of your messages and communications
  • Any additional information you choose to provide

5. How We Use Your Data

We use your personal data for the following purposes:

5.1 Service Provision

  • Creating and managing your account
  • Authenticating your identity via Discord OAuth
  • Indexing and storing Discord messages from your connected servers
  • Providing full-text search functionality across your messages
  • Displaying analytics and insights about your Discord community
  • Managing threads and organizing message content

5.2 Billing and Payments

  • Processing subscription payments via Stripe
  • Managing plan upgrades and downgrades
  • Generating invoices and receipts
  • Handling refunds and cancellations
  • Complying with tax and accounting requirements

5.3 Service Improvement and Analytics

  • Understanding how users interact with our service
  • Identifying bugs and technical issues
  • Improving user experience and interface design
  • Developing new features based on usage patterns
  • Conducting internal analytics and performance monitoring

5.4 Security and Fraud Prevention

  • Detecting and preventing fraudulent activity
  • Protecting against security threats and vulnerabilities
  • Investigating suspicious behavior or Terms of Service violations
  • Maintaining system integrity and availability

5.5 Communications

  • Sending transactional emails (account verification, password resets, billing notifications)
  • Providing customer support and responding to inquiries
  • Notifying you of service changes or updates
  • Sending important security alerts

5.6 Legal Compliance

  • Complying with legal obligations and regulations
  • Responding to lawful requests from authorities
  • Enforcing our Terms of Service
  • Protecting our legal rights and interests

6. Cookies and Tracking Technologies

✓ No Cookies Policy

index-cord does not use cookies for tracking or advertising purposes. We are committed to a privacy-first approach and do not place any tracking cookies on your device.

6.1 Essential Session Management

We use secure, HTTP-only session tokens for authentication purposes only. These are necessary for the service to function and to keep you logged in. They are not used for tracking or analytics.

6.2 Third-Party Analytics (No Cookies)

We use privacy-focused analytics tools that do not rely on cookies:

  • Plausible Analytics: Privacy-first web analytics that does not use cookies or collect personal data. Plausible is GDPR, CCPA, and PECR compliant.
  • PostHog: Product analytics for understanding feature usage. PostHog can operate without cookies and respects Do Not Track settings.

6.3 Your Browser Settings

Even though we don't use cookies, you can configure your browser to block cookies from all websites if you prefer. This will not affect your ability to use index-cord.

7. Third-Party Services and Data Sharing

We share your data with the following third-party service providers to operate our service. All providers are carefully selected and required to protect your data in accordance with GDPR.

7.1 Discord, Inc.

Purpose:

Authentication (OAuth), accessing guild data, and retrieving messages through Discord's API.

Data Shared:

Discord user ID, Discord server/guild information that you authorize us to access.

Privacy Policy:

https://discord.com/privacy

7.2 Stripe, Inc.

Purpose:

Payment processing for subscriptions and billing.

Data Shared:

Email address, billing information, transaction details. Credit card data is collected directly by Stripe and never stored on our servers.

Privacy Policy:

https://stripe.com/privacy

7.3 Resend

Purpose:

Transactional email delivery (account notifications, password resets, billing emails).

Data Shared:

Email address, name, email content necessary for transactional communications.

Privacy Policy:

https://resend.com/legal/privacy-policy

7.4 Plausible Analytics

Purpose:

Privacy-focused web analytics to understand website traffic and usage patterns.

Data Shared:

Aggregated, anonymized usage data. No personal identifiers or cookies. All data is processed in the EU.

Privacy Policy:

https://plausible.io/privacy

7.5 PostHog

Purpose:

Product analytics to understand feature usage and improve user experience.

Data Shared:

User interactions, feature usage events, technical data (browser, device type). Personal data is minimized.

Privacy Policy:

https://posthog.com/privacy

7.6 Internal Analytics (Metabase)

We use Metabase for internal business intelligence and data analysis. Metabase is self-hosted within our EU infrastructure and does not share data with external parties. It is used solely for internal operations and reporting.

7.7 No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for marketing purposes. We only share data with service providers necessary to operate our service, and only to the extent required.

8. Data Storage and Location

8.1 Data Center Location

All user data, including Discord messages, account information, and analytics, is stored on servers located within the European Union. We use EU-based cloud infrastructure providers to ensure compliance with GDPR data residency requirements.

8.2 Database Security

Your data is stored in secure PostgreSQL databases with the following protections:

  • Encryption at rest using industry-standard encryption algorithms
  • Encryption in transit via TLS/SSL connections
  • Access controls and authentication requirements
  • Regular automated backups stored securely in EU locations
  • Network isolation and firewall protection

8.3 Infrastructure Provider

Our hosting infrastructure is located in EU data centers, ensuring that your data never leaves the European Economic Area during normal operations. We regularly review and audit our infrastructure providers for security and compliance.

9. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy or as required by law. Specific retention periods are:

Account Data

Retained while your account is active. After account deletion, retained for 30 days to allow for recovery, then permanently deleted.

Discord Message Data

Retained while your Discord server is connected to index-cord. After server disconnection or account deletion, retained for 90 days, then permanently deleted. You can request immediate deletion by contacting us.

Billing and Invoice Records

Retained for 10 years as required by Spanish tax law (Ley General Tributaria). This includes invoices, payment records, and tax-related documents.

Analytics Data

Plausible Analytics data is retained for 26 months. PostHog data is retained according to their retention policies. Internal Metabase analytics are retained for operational purposes.

Support Communications

Email correspondence and support tickets are retained for 3 years for customer service and legal purposes, then deleted.

Backup Data

Backups are retained for disaster recovery purposes for up to 90 days. Backup data is subject to the same security measures as production data.

If you wish to request early deletion of your data (except where legal retention requirements apply), please contact us at contact@fogges.com.

10. Your Rights Under GDPR

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

10.1 Right of Access (Article 15)

You have the right to request a copy of all personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format.

10.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate or incomplete personal data. You can update most account information directly through your account settings.

10.3 Right to Erasure / "Right to be Forgotten" (Article 17)

You have the right to request deletion of your personal data under certain circumstances:

  • The data is no longer necessary for the purpose it was collected
  • You withdraw consent (where consent was the legal basis)
  • You object to processing and there are no overriding legitimate grounds
  • The data has been unlawfully processed
  • Erasure is required to comply with a legal obligation

Note: We may retain certain data where we have a legal obligation (e.g., 10-year retention of billing records for tax purposes).

10.4 Right to Restriction of Processing (Article 18)

You have the right to request that we restrict processing of your personal data in certain situations, such as when you contest the accuracy of the data or object to processing.

10.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller. We provide data export functionality for your Discord messages and account data.

10.6 Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds that override your rights.

10.7 Right to Withdraw Consent (Article 7(3))

Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

10.8 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your residence, workplace, or where an alleged infringement occurred.

In Spain, the supervisory authority is the Spanish Data Protection Agency (Agencia Española de Protección de Datos - AEPD):

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 901 100 099

10.9 How to Exercise Your Rights

To exercise any of these rights, please contact us at contact@fogges.com with the subject line "GDPR Request" and specify which right you wish to exercise.

We will respond to your request within 30 days of receiving it. In complex cases, we may extend this period by an additional 60 days and will inform you of the extension.

We may ask you to verify your identity before processing your request to ensure the security of your personal data.

We do not charge a fee for exercising your GDPR rights unless your request is manifestly unfounded or excessive.

11. Data Security

We implement industry-standard technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.

11.1 Technical Security Measures

  • Encryption: All data is encrypted in transit (TLS/SSL) and at rest (AES-256 or equivalent)
  • Authentication: Secure authentication via Discord OAuth 2.0
  • Access Controls: Role-based access control (RBAC) limits who can access data
  • Firewalls: Network-level firewalls protect our infrastructure
  • Monitoring: 24/7 security monitoring and intrusion detection systems
  • Vulnerability Scanning: Regular security audits and vulnerability assessments
  • Secure Development: Security best practices in our development lifecycle

11.2 Organizational Security Measures

  • Staff Training: Regular security and privacy training for all employees
  • Access Limitation: Only authorized personnel have access to personal data
  • Confidentiality Agreements: All staff sign confidentiality agreements
  • Vendor Management: Due diligence and contracts with all third-party processors
  • Incident Response: Documented procedures for handling security incidents

11.3 Your Security Responsibilities

While we implement strong security measures, you also play a role in protecting your data:

  • Keep your Discord account credentials secure
  • Use strong, unique passwords
  • Enable two-factor authentication (2FA) on your Discord account
  • Do not share your account access with others
  • Report suspicious activity immediately to contact@fogges.com

11.4 Limitations

While we strive to protect your personal data, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we continuously work to improve our security measures.

12. Children's Privacy

12.1 Age Requirement

index-cord is intended for users who are at least 13 years old, in accordance with Discord's Terms of Service. We do not knowingly collect personal data from children under 13 years of age.

12.2 Parental Consent

If you are between 13 and 18 years old (or the age of majority in your jurisdiction), you must have your parent or legal guardian's permission to use index-cord and agree to this Privacy Policy.

12.3 Discovery of Child Data

If we discover that we have collected personal data from a child under 13 without parental consent, we will take steps to delete that information as quickly as possible.

If you believe we have collected data from a child under 13, please contact us immediately at contact@fogges.com with the subject line "Child Privacy Concern".

13. Data Breach Notification

13.1 Our Commitment

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we are committed to:

  • Notifying the supervisory authority (Spanish AEPD) within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notifying affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Documenting the breach, including facts, effects, and remedial action taken

13.2 Notification Contents

If we notify you of a data breach, we will provide:

  • Nature of the breach and categories of data affected
  • Likely consequences of the breach
  • Measures we have taken or propose to take to address the breach
  • Contact information for our Data Protection Officer
  • Recommendations for steps you can take to protect yourself

13.3 Method of Notification

We will notify affected users via email to the address associated with their account, and may also post a notice on our website or within the Service.

14. International Data Transfers

14.1 Primary Storage in EU

All primary data storage and processing takes place within the European Union. Our infrastructure is hosted in EU data centers, ensuring compliance with GDPR data residency requirements.

14.2 Third-Party Services

Some third-party services we use may process data outside the EU:

  • Discord: Discord, Inc. is a U.S.-based company. When you use Discord OAuth authentication, Discord processes your data in accordance with their privacy policy. We have no control over Discord's data practices.
  • Stripe: Stripe processes payment data globally but maintains GDPR compliance through Standard Contractual Clauses (SCCs) and other appropriate safeguards.

14.3 Safeguards for International Transfers

When data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Contractual obligations requiring GDPR-equivalent protection
  • Data Processing Agreements with all third-party processors
  • Regular audits of third-party compliance

14.4 Your Rights Regarding Transfers

You have the right to request information about the safeguards we have in place for international data transfers. Contact us at contact@fogges.com for more information.

15. Changes to This Privacy Policy

15.1 Right to Modify

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

15.2 Notification of Changes

When we make material changes to this Privacy Policy, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify you via email at least 30 days before the changes take effect
  • Display a prominent notice in the Service
  • For significant changes affecting your rights, we may request your renewed consent

15.3 Your Acceptance

Your continued use of index-cord after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the changes, you must stop using the Service and may request deletion of your account and data.

15.4 Version History

Previous versions of this Privacy Policy are available upon request by contacting contact@fogges.com.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

index-cord - Data Controller

Legal Entity: Fogges S.L

CIF: ESB70788245

Registered Address: Calle Diseminado N 266, 39626, Cantabria, Spain

Email: contact@fogges.com

Data Protection Officer

For GDPR-related inquiries, data subject requests, or privacy concerns, contact our Data Protection Officer:

Email: contact@fogges.com (Subject: Data Protection / GDPR Request)

Response Time

We aim to respond to all inquiries within 5 business days. For GDPR data subject requests, we will respond within 30 days as required by law.

Supervisory Authority

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Spanish Data Protection Agency:

Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 901 100 099
Email: ciudadano@aepd.es

Your Privacy Matters

At index-cord, we are committed to protecting your privacy and being transparent about our data practices. We believe in:

  • Privacy by Design: Building privacy into our products from the ground up
  • Data Minimization: Collecting only the data necessary to provide our service
  • Transparency: Being clear about what data we collect and how we use it
  • User Control: Giving you control over your personal data
  • Security First: Implementing strong security measures to protect your data
  • No Cookies Policy: Operating without tracking cookies

This Privacy Policy is compliant with GDPR, Spanish LOPD-GDD, and EU ePrivacy Directive.
index-cord is operated by Fogges S.L | CIF: ESB70788245 | Registered in Spain
