Controller and contact
KORDU LTD is the controller for Changelog.gg user personal data. KORDU LTD. Company number: 16836154. Registered office: First Floor Office, 3 Hornton Place, London, United Kingdom, W8 4LZ. Registered in England and Wales. ICO Registration: 00014202653.
Use privacy@kordu.gg for privacy rights requests, deletion requests, exports, correction requests, objections, and questions. You can use hello@kordu.gg if needed.
Personal data we collect
The data we collect depends on which features you use. It may include account and session identifiers, email address, Steam account links where used, Discord user, guild, channel, role, command, route, and entitlement data where the Discord integration is used, saved games, alert preferences, dashboard settings, API keys where API access exists, support messages, rights requests, billing metadata where paid plans exist, IP address, browser and device metadata, security logs, Analytics Engine events, Cloudflare Web Analytics where configured, and Sentry error or performance telemetry.
Public-source ingestion may include game names, publisher names, public posts, release notes, source URLs, public usernames or handles where the source publishes them, repository/package metadata, source timestamps, and evidence needed to explain a game update.
We do not ask for payment card numbers outside Stripe or Discord payment flows. Do not submit special category data, health data, government identifiers, secrets, tokens, or other sensitive data unless we explicitly ask for it in a secure flow.
Sources of personal data
We collect personal data directly from you when you create an account, configure alerts, contact support, submit a legal/privacy/security request, or use account, billing, Discord, API, dashboard, or webhook features.
We also receive data from connected services and processors where you use them, including Discord, Steam authentication, Stripe, Cloudflare, and Sentry. Public source pages may contain public names, handles, URLs, timestamps, or publisher/developer information that appears in source evidence.
You are not required by law to provide account, Discord, billing, support, or API data to Changelog.gg, but some features cannot work without the data needed to provide them.
Purposes and lawful bases
The table below describes the main reasons we process personal data and the lawful bases we rely on. More than one lawful basis may apply to the same record depending on the context.
| Purpose | Personal data involved | Lawful basis |
|---|---|---|
| Provide accounts, sessions, dashboard settings, alerts, API access, support, and Discord routing. | Email, account/session identifiers, saved games, alert preferences, API keys, Discord routing data, support messages. | Contract where needed to provide the requested service; legitimate interests for related support and reliability. |
| Secure the service, prevent abuse, enforce limits, investigate incidents, and protect users and source owners. | IP address, request metadata, browser/device data, rate-limit records, security logs, Sentry diagnostics. | Legitimate interests in operating a secure and reliable service; legal obligation where a record must be kept or disclosed. |
| Build source provenance, attribution, evidence trails, search, feeds, and public update intelligence. | Public source URLs, timestamps, public names or handles where published by the source, content hashes, parser/source metadata. | Legitimate interests in documenting public game-update information with attribution and source context. |
| Process payments, invoices, renewals, cancellations, tax, fraud checks, and billing support where paid plans exist. | Stripe or Discord billing/customer metadata, plan, invoice, tax, fraud, and support records. | Contract, legal obligation for accounting/tax records, and legitimate interests for fraud prevention and support. |
| Measure reliability and product performance. | Aggregate Analytics Engine events, Cloudflare Web Analytics where configured, and Sentry error/performance telemetry. | Legitimate interests for diagnostics and basic analytics; consent where a cookie or similar technology requires it. |
| Handle privacy, copyright, takedown, abuse, legal, and security requests. | Request content, contact details, evidence, verification details, and correspondence. | Legal obligation and legitimate interests in handling rights, compliance, disputes, and service safety. |
Discord API Data
Discord API Data is used only to provide and improve the Changelog.gg Discord integration, route alerts, enforce limits, support servers, diagnose delivery, and comply with law or Discord platform requirements.
We do not sell Discord API Data. We do not use Discord API Data to train machine learning or AI models. We share Discord API Data only with service providers, where required by law, or where a user or server administrator directs the integration to share it.
We delete or de-identify Discord API Data when it is no longer needed for the integration, legal obligations, security, billing, abuse prevention, or dispute handling.
Who we share data with
We share personal data only where needed to operate Changelog.gg, provide a feature you use, comply with law, protect the service, process payments, handle requests, or use a processor under appropriate terms.
Cloudflare provides hosting, Workers, D1, R2, KV, Queues, cache, security, Turnstile, Analytics Engine, and Web Analytics where configured. Sentry provides error monitoring and performance diagnostics. Stripe processes checkout, billing, portal, fraud, invoice, tax, and payment metadata where paid plans are enabled. Discord processes OAuth, bot, server, channel, command, entitlement, and Discord-native billing data under Discord platform terms.
Independent public sources such as Steam/Valve, Riot, Epic, GitHub, npm, Roblox, RSS publishers, status pages, developers, and publishers are not subprocessors merely because we read public material from them.
Where KORDU LTD uses a processor for personal data, it requires written contracts, data processing terms, or other legally binding arrangements intended to meet Article 28 of the UK GDPR.
Retention
We keep account, billing, dashboard, route, support, and rights-handling records while needed to provide the service, handle disputes, meet tax/accounting obligations, investigate security or abuse, and comply with law. Some accounting records may need to be kept for six years or longer where law requires it.
Implemented operational cleanup currently prunes selected diagnostic and operational tables after 7, 30, 90, or 180 days depending on the record type. Examples include short Discord delivery success and rate-limit windows, 30-day diagnostic and queue windows, 90-day parser or failed platform-change windows, and 180-day admin action, usage, review, and achievement snapshot windows.
Public-source evidence, source URLs, content hashes, and attribution records may remain while needed to explain public update provenance, rights handling, trust, abuse prevention, or historical update context. Where a retention period is not fixed in code, KORDU LTD reviews the record against service need, legal duties, disputes, security, rights handling, and data minimisation.
International transfers
Our providers may process data in the UK, EEA, United States, or other countries where they operate. Where required, we use provider terms, transfer safeguards, data processing agreements, UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), the UK Addendum to EU standard contractual clauses, or another lawful transfer mechanism for restricted transfers.
Security and breaches
We use technical and organisational measures intended to protect personal data, including Cloudflare edge security, access controls, least-privilege operational access, hashed or minimised abuse identifiers where appropriate, and logging for security investigations.
If we become aware of a personal data breach that is notifiable under the UK GDPR, we will notify the ICO without undue delay and, where feasible, within 72 hours. If a breach is likely to result in a high risk to affected individuals, we will notify those individuals without undue delay. We keep records of personal data breaches as required by law.
Children
Changelog.gg is not aimed at children, but gaming content may be likely to be accessed by under-18s. KORDU LTD assesses child access risk when account, Discord, billing, analytics, alert, or community features change.
If a child, parent, or guardian believes child personal data has been submitted to Changelog.gg, contact privacy@kordu.gg so we can review the account, request, or integration.
Your rights and complaints
Depending on your location and the lawful basis, you may have rights to access, rectify, erase, restrict, object, port data, withdraw consent, and complain to the UK Information Commissioner or another supervisory authority.
For deletion or export, contact privacy with your account email, Discord user ID if relevant, Steam account link if relevant, and the workspace or route you are asking about. We may need to verify control before acting. We aim to respond within the period required by UK data protection law unless an extension or exemption applies.
You can complain to the ICO if you are unhappy with how we handle your personal data. We would prefer you contact us first so we can investigate.
Automated decisions
We do not use solely automated decisions that produce legal or similarly significant effects about users. Abuse, billing, security, source classification, and alert routing may use automated signals, but important account or rights issues can be reviewed through the contact routes where appropriate.