Privacy Policy
Pursuant to Art. 13, 14 GDPR and § 13 TMG (German Telemedia Act)
1. Controller
Arne Werner
Hauptstr. 234B
26639 Wiesmoor
Germany
Email: arne.werner87@gmail.com
2. Data Processing Principles
TrustCord is designed as a privacy-friendly service. We process personal data only to the strictly necessary extent (data minimisation pursuant to Art. 5(1)(c) GDPR).
- No storage of identity documents
- No storage of selfies or biometric characteristics
- No storage of the exact date of birth or precise age
- No storage of names, addresses, or document numbers
- No storage of full verification reports
3. Data We Store
TrustCord exclusively stores:
- Discord User ID (pseudonymised identifier)
- Discord Server ID (Guild ID)
- Verification status ("18+ confirmed: yes/no")
- Provider session reference (session ID from the third-party provider)
- Timestamps of verification and expiry date
- Per-server consent record (consent mapping)
4. Purpose and Legal Basis
Processing occurs for the purpose of 18+ age verification for Discord server access.
- Legal basis: Art. 6(1)(b) GDPR (performance of contract) for registered server administrators; Art. 6(1)(a) GDPR (consent) for end users who voluntarily initiate verification.
- BYOK mode: Server administrators using their own third-party API keys (Bring Your Own Key) are solely responsible for compliance with the privacy policies of their chosen age verification provider.
5. Third-Party Provider – Didit
In BYOK mode, age verification sessions are processed via the third-party provider Didit (didit.me). Didit processes the user's identity document and selfie as part of the verification process. TrustCord receives from Didit exclusively the binary result "age proof provided / not provided" and an anonymised session identifier. Raw data (documents, images) remain with the third-party provider and are not stored by TrustCord.
Please refer to Didit's privacy policy: didit.me/privacy
6. International Transfers
Where third-party providers (e.g. Didit) process data outside the European Economic Area, this is done on the basis of appropriate safeguards pursuant to Art. 46 GDPR (standard contractual clauses). Please refer to the respective provider's privacy policy for details.
7. Retention Period
Verification records are stored by default for 12 months (configurable per server between 1 and 36 months). After expiry or upon deletion by the user, all personal data is irreversibly anonymised.
8. Your Rights (Art. 15–22 GDPR)
You have the right to:
- Access (Art. 15 GDPR): What data we have stored about you.
- Rectification (Art. 16 GDPR): Correction of inaccurate data.
- Erasure (Art. 17 GDPR): Use the Discord command /delete-my-data to delete all your data immediately and irreversibly.
- Restriction of processing (Art. 18 GDPR)
- Objection (Art. 21 GDPR)
- Data portability (Art. 20 GDPR)
- Withdrawal of consent (Art. 7(3) GDPR): At any time via /delete-my-data.
To exercise your rights, please contact: arne.werner87@gmail.com
9. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. For Lower Saxony, Germany:
Landesbeauftragte für den Datenschutz Niedersachsen (LfD) — State Commissioner for Data Protection Lower Saxony
Prinzenstraße 5
30159 Hannover
www.lfd.niedersachsen.de
10. Data Security
All API keys are stored encrypted with AES-256-GCM. Communication between the Discord bot and API uses encrypted connections exclusively. Webhook messages are verified with HMAC-SHA256 where a webhook signature secret is configured.
Last updated: June 2026 · This privacy policy applies to the TrustCord service.