BetaChangelog.gg

Legal

Privacy Policy

Controller details, data categories, lawful bases, retention, rights, and processors.

Operator
KORDU LTD
Company number
16836154
Last updated
16 May 2026
Contact
privacy@changelog.gg

Controller and contact

KORDU LTD is the controller for Changelog.gg personal data. KORDU LTD. Company number: 16836154. Registered office: First Floor Office, 3 Hornton Place, London, United Kingdom, W8 4LZ.

Use privacy@changelog.gg for privacy rights requests, deletion requests, exports, and questions. You can also use hello@kordu.co if needed.

Data we process

We process account and session data, Discord OAuth identifiers, Discord guild, channel, role, route, command, and entitlement data needed to operate alerts, support correspondence, security and abuse logs, billing metadata, and public-source ingestion data.

Public-source ingestion may include names, handles, public posts, release notes, repository metadata, package metadata, and source URLs that source owners or platforms have made public.

We do not knowingly collect data from children and the service is not directed to children. Do not submit special category data, health data, government identifiers, payment card numbers outside Stripe or Discord payment flows, or other sensitive data unless we explicitly ask for it in a secure flow.

Lawful bases

We use contract where processing is needed to provide your account, dashboard, Discord alerts, paid plan, or support. We use legitimate interests for service security, abuse prevention, source provenance, product reliability, and limited analytics. We use legal obligation where records must be kept for tax, accounting, consumer, security, or rights-handling duties. We use consent where a flow asks for it.

Discord API Data

Discord API Data is used only to provide and improve the Changelog.gg Discord integration, route alerts, enforce limits, support servers, diagnose delivery, and comply with law or Discord platform requirements.

We do not sell Discord API Data. We do not use Discord API Data to train machine learning or AI models. We share Discord API Data only with service providers, where required by law, or where a user or server administrator directs the integration to share it.

We delete or de-identify Discord API Data when it is no longer needed for the integration, legal obligations, security, billing, abuse prevention, or dispute handling.

Service providers

Cloudflare provides edge hosting, security, Turnstile, caching, storage, and optional Web Analytics. Cloudflare Web Analytics is disclosed as cookie-free and client-state-free for our analytics use.

Stripe processes payment, checkout, portal, fraud, invoice, tax, and billing data for Stripe-paid plans. Discord processes OAuth, bot, server, channel, command, and Discord-native billing data under Discord platform terms.

Processor contracts and subprocessors

Where KORDU LTD uses a processor for personal data, we aim to rely on written contracts, data processing terms, or other legally binding arrangements that meet Article 28 of the UK GDPR.

Current subprocessors are listed on the Subprocessors page. Independent public sources such as Steam/Valve, GitHub, npm, Roblox, publishers, RSS feeds, and status pages are not subprocessors merely because we read their public material.

Retention

We keep account, billing, route, and support records while needed to provide the service and handle disputes, tax, accounting, fraud, or legal obligations. Security logs are retained for a limited operational period unless needed for investigation. Public-source records may remain in source trails while they are needed to explain game-update provenance or rights handling.

International transfers

Our providers may process data in the UK, EEA, United States, or other countries where they operate. Where required, we use provider terms, transfer safeguards, data processing agreements, UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), the UK Addendum to EU standard contractual clauses, or another lawful transfer mechanism for restricted transfers.

Security and breach handling

We use technical and organizational measures intended to protect personal data, including Cloudflare edge security, access controls, least-privilege operational access, and logging for security investigations.

If we become aware of a personal data breach that is notifiable under the UK GDPR, we will notify the ICO without undue delay and, where feasible, within 72 hours. If a breach is likely to result in a high risk to affected individuals, we will notify those individuals without undue delay. We keep records of personal data breaches as required by law.

ICO fee and accountability

KORDU LTD is responsible for checking whether it must pay the ICO data protection fee and for keeping privacy records, supplier terms, retention decisions, transfer safeguards, and breach records proportionate to the service.

Your rights

Depending on your location and the lawful basis, you may have rights to access, rectify, erase, restrict, object, port data, withdraw consent, and complain to the UK Information Commissioner or another supervisory authority.

For deletion or export, contact privacy with your account email, Discord user ID if relevant, and the workspace or route you are asking about. We may need to verify control before acting. We aim to respond within the period required by UK data protection law unless an extension or exemption applies.

We do not use solely automated decisions that produce legal or similarly significant effects about users. Abuse, billing, security, and source moderation decisions may use automated signals but can be reviewed through the contact routes where appropriate.