Privacy Policy

Pursuant to Art. 13, 14 GDPR and § 13 TMG (German Telemedia Act)

1. Controller

2. Data Processing Principles

TrustCord is designed as a privacy-friendly service. We process personal data only to the strictly necessary extent (data minimisation pursuant to Art. 5(1)(c) GDPR).

• No storage of identity documents
• No storage of selfies or biometric characteristics
• No storage of the exact date of birth or precise age
• No storage of names, addresses, or document numbers
• No storage of full verification reports

3. Data We Store

TrustCord exclusively stores:

• Discord User ID (pseudonymised identifier)
• Discord Server ID (Guild ID)
• Verification status ("18+ confirmed: yes/no")
• Provider session reference (session ID from the third-party provider)
• Timestamps of verification and expiry date
• Per-server consent record (consent mapping)

4. Purpose and Legal Basis

Processing occurs for the purpose of 18+ age verification for Discord server access.

• Legal basis: Art. 6(1)(b) GDPR (performance of contract) for registered server administrators; Art. 6(1)(a) GDPR (consent) for end users who voluntarily initiate verification.
• BYOK mode: Server administrators using their own third-party API keys (Bring Your Own Key) are solely responsible for compliance with the privacy policies of their chosen age verification provider.

5. Third-Party Provider – Didit

In BYOK mode, age verification sessions are processed via the third-party provider Didit (didit.me). Didit processes the user's identity document and selfie as part of the verification process. TrustCord receives from Didit exclusively the binary result "age proof provided / not provided" and an anonymised session identifier. Raw data (documents, images) remain with the third-party provider and are not stored by TrustCord.

Please refer to Didit's privacy policy: didit.me/privacy

6. International Transfers

Where third-party providers (e.g. Didit) process data outside the European Economic Area, this is done on the basis of appropriate safeguards pursuant to Art. 46 GDPR (standard contractual clauses). Please refer to the respective provider's privacy policy for details.

7. Retention Period

Verification records are stored by default for 12 months (configurable per server between 1 and 36 months). After expiry or upon deletion by the user, all personal data is irreversibly anonymised.

8. Your Rights (Art. 15–22 GDPR)

You have the right to:

• Access (Art. 15 GDPR): What data we have stored about you.
• Rectification (Art. 16 GDPR): Correction of inaccurate data.
• Erasure (Art. 17 GDPR): Use the Discord command /delete-my-data to delete all your data immediately and irreversibly.
• Restriction of processing (Art. 18 GDPR)
• Objection (Art. 21 GDPR)
• Data portability (Art. 20 GDPR)
• Withdrawal of consent (Art. 7(3) GDPR): At any time via /delete-my-data.

To exercise your rights, please contact: arne.werner87@gmail.com

9. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. For Lower Saxony, Germany:

10. Data Security

All API keys are stored encrypted with AES-256-GCM. Communication between the Discord bot and API uses encrypted connections exclusively. Webhook messages are verified with HMAC-SHA256 where a webhook signature secret is configured.

Last updated: June 2026 · This privacy policy applies to the TrustCord service.