Privacy Policy
Last updated: March 31, 2025
Kordis ("we", "our", "us") operates the website kordis.app and the dashboard at dash.kordis.app (the "Service"). This Privacy Policy explains what information we collect, how we use it, with whom we share it, and how you can exercise your rights.
By using the Service, you agree to the practices described in this Policy. If you do not agree, please stop using the Service.
1. Who We Are
Kordis is a Discord server management platform that lets communities use an AI assistant, a moderation bot, economy systems, ticketing, music playback, and more — all from a single web dashboard. For questions about this Policy, contact us at support@kordis.app.
2. Information We Collect
2.1 Account & Identity Data
When you sign in with Discord we receive and store:
- Discord user ID, username, and display name
- Email address (if provided by Discord; a placeholder is used otherwise)
- Profile avatar URL
- Discord OAuth tokens (access token and refresh token) — required to act on your behalf within Discord's API
- Guild (server) list — the list of Discord servers you are a member of, fetched via the
guildsOAuth scope, used to let you connect servers to Kordis
We request the following Discord OAuth scopes: identify, email, and guilds.
2.2 Connected Server Data
When you connect a Discord server to Kordis, we store:
- Guild ID, guild name, and guild icon
- Bot configuration settings you apply (moderation rules, economy settings, ticket categories, custom commands, etc.)
2.3 AI Chat Data
When you use the Kordis AI assistant, your messages and the assistant's replies are stored in our database so you can review your conversation history. Your connected server names and IDs may be included in the context sent to the AI model to provide relevant responses.
2.4 Billing & Subscription Data
Subscription and payment processing is handled entirely by Polar.sh. We do not store raw card numbers or full payment details. We do store: your Polar customer ID, your active subscription ID, your current plan tier, and the subscription's billing interval and expiry date.
2.5 Referral Data
Each user may be assigned a unique referral code. If you join Kordis through a referral link, we record which user referred you and grant you a one-month Pro trial. The referrer can see your display name, username, avatar, current plan, and the date you joined.
2.6 Technical & Usage Data
We automatically collect:
- IP addresses and browser/device information in server logs (retained for security and debugging)
- AI message usage counters (stored in Redis, tied to your user ID, reset daily)
- OAuth state tokens (stored in Redis with a 10-minute TTL, used to prevent CSRF)
- Aggregate analytics on the marketing site (kordis.app) via Vercel Web Analytics — cookieless, privacy-friendly page-view data
3. How We Use Your Information
| Purpose | Legal basis |
|---|---|
| Authenticate you and maintain your session | Contract performance |
| Power the AI assistant and chat history | Contract performance |
| Connect and manage your Discord servers | Contract performance |
| Process subscription payments via Polar | Contract performance |
| Enforce plan limits (AI quota, server count, features) | Contract performance |
| Operate the referral program | Legitimate interest |
| Detect abuse, fraud, and security threats | Legitimate interest |
| Send transactional emails (e.g., account alerts) | Contract performance |
| Improve the Service through aggregate analytics | Legitimate interest |
| Comply with legal obligations | Legal obligation |
We do not sell your personal data. We do not use your data for advertising profiling.
4. Third-Party Services We Use
We share data with the following sub-processors only to the extent necessary for the Service:
| Service | Purpose | Data shared |
|---|---|---|
| Discord (discord.com) | OAuth authentication, bot operations | Your Discord ID, tokens; guild data |
| Google Gemini (Google LLC) | AI assistant inference | Your chat messages and server context |
| Perplexity AI | Web-search tool inside the AI assistant (Pro/Ultra plans) | Search query derived from your message |
| Polar.sh | Subscription billing and payment processing | Email, billing details you provide to Polar |
| Vercel | Hosting & edge delivery; cookieless analytics on kordis.app | Anonymised page-view metrics |
Each third party is bound by its own privacy policy and data processing agreements. We do not control their practices beyond what is governed by those agreements.
5. Data Storage and Security
Your data is stored in a PostgreSQL database and Redis cache, hosted on servers within the European Union / United States (depending on deployment region). We use encryption in transit (TLS) for all connections. Discord OAuth tokens are stored in the database and are only used to communicate with Discord's API on your behalf.
Access to production data is restricted to authorised team members. Despite our safeguards, no method of electronic transmission or storage is 100% secure. If you believe your account has been compromised, contact us immediately at support@kordis.app.
6. Data Retention
- Account data — retained while your account is active. Soft-deleted on account deletion (hard-purged within 90 days upon written request).
- Chat messages — retained until you delete the chat or your account.
- AI usage counters (Redis) — reset daily; not persisted beyond 48 hours.
- OAuth state tokens (Redis) — expire automatically after 10 minutes.
- Server logs — typically retained for 30 days for security purposes.
- Billing records — retained for a minimum of 7 years to comply with accounting and tax laws.
7. Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your account and personal data.
- Portability — receive your data in a machine-readable format.
- Restriction — ask us to restrict certain processing activities.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent.
To exercise any of these rights, email support@kordis.app. We will respond within 30 days. We may ask you to verify your identity before processing your request.
8. Cookies and Local Storage
We use:
- refresh_token — an HTTP-only, secure cookie containing your refresh token. Lifespan: 14 days. Strictly necessary for authentication; no opt-out.
- localStorage (browser) — used to temporarily store a pending referral code and pending AI prompt between page redirects. No personal data is persisted long-term.
- Vercel Analytics — cookieless; uses hashed IP for anonymised page-view counts on kordis.app only.
We do not use any advertising or tracking cookies.
9. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal data from children under 13. Discord itself requires users to be at least 13 years old. If you believe a child under 13 has provided us with personal data, please contact us and we will delete it promptly.
10. International Transfers
If you are located outside the country where our servers are hosted, your data may be transferred internationally. Where required, such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes your acceptance of the updated Policy.
12. Contact Us
For privacy-related inquiries, contact:
Kordis Support
Email: support@kordis.app
Website: kordis.app
© 2026 Kordis. All rights reserved.