Privacy Notice
1. Controller (Civora) and contact
This Notice is drafted pursuant to Article 13 of Regulation (EU) 2016/679 (GDPR) and Act CXII of 2011 on the right to informational self-determination and freedom of information (Infotv.) to inform data subjects about how Civora processes their personal data.
- Controller (Civora side): Tibor Levente Székely, Hungarian sole trader (Civora)
- Registered seat: Domaháza utca 46., 1154 Budapest, Hungary
- Sole-trader registration number: 59845982
- Tax number: 90586961-1-42 (HU90586961)
- Privacy contact: hello@civora.hu
- EU representative (GDPR Art. 27): not applicable — Civora is established in the EU (Hungarian sole trader)
- Data Protection Officer (DPO): not applicable — Civora does not meet the GDPR Art. 37(1)(a)–(c) thresholds (no large-scale special-category processing, not a public authority, no large-scale systematic monitoring as a core activity). The Service Provider personally fulfils the DPO role.
- Supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (NAIH) — H-1055 Budapest, Falk Miksa u. 9–11.; ugyfelszolgalat@naih.hu; https://naih.hu
2. Scope of the Notice; terminology
2.1. This Notice covers visitors of https://civora.hu, registered Customers using the Civora Dashboard, the Civora Discord bot, customer support (email and Dashboard), the related application surfaces — and, where expressly stated, End Users on Customer Discord servers.
2.2. Controller / processor roles:
- Civora as controller (GDPR Art. 4(7)): for personal data linked to the Customer account (registration, billing, support, marketing) and to the use of the Civora website / Dashboard.
- Civora as processor (GDPR Arts. 4(8) and 28): for personal data contained in messages posted on the Customer's Discord server (End-User message content, Discord user_id, message metadata). In this role, the Customer is the controller, and Civora acts on the Customer's documented instructions under the Data Processing Agreement (DPA).
- Dodo Payments Inc. as independent controller: for personal data collected directly from the Customer at its hosted checkout for payment + invoicing + tax-collection purposes (name, email, billing address, payment method, tax location). Dodo operates under its own privacy notice (https://dodopayments.com/privacy).
3. Categories of data processed
| Category | Specific data | Source |
|---|---|---|
| Account + identifier | name, email, password hash (bcrypt), Discord OAuth user_id, encrypted access/refresh token, display name, avatar URL, locale, created_at | Customer-supplied + Discord OAuth flow |
| Profile + settings | theme preference, language, chosen tier, trial state | Customer's Dashboard settings |
| Discord server configuration | guild_id, guild_name, install time, moderation template, severity thresholds | Discord API + Customer Dashboard |
| Message data (for moderation) | message text, author user_id, channel ID, timestamp | Discord API in real time — on the Customer's instruction (Civora is processor here) |
| Moderation events (audit log) | AI severity score, AI explanation, action taken (delete / mute / flag), Customer override | generated by Civora on the Customer's behalf |
| Usage + quota | monthly / daily message count, exceeded flags | Civora-generated |
| Billing data on Civora side | received from Dodo: Dodo customer_id, subscription_id, product_id, amount paid, currency, success, date, invoice URL | Dodo Payments webhooks |
| Technical logs | IP (per-connection only, not persistently stored), user-agent, error logs, request-id | automatic from HTTP traffic |
| Support correspondence | complaints, requests, replies, attachments | Customer / Civora |
3.2. Special-category data (GDPR Art. 9). Civora does not systematically process special-category data (racial/ethnic origin, political opinions, religious beliefs, health data — Infotv. § 3(3)). Messages on a Customer's Discord server may however contain such data; Civora processes them only as long as needed for the moderation decision, and stores them under the general audit-log retention period (7/30/90 days per tier).
4. Purposes + legal bases
Per GDPR Art. 5(1)(b) (purpose limitation) and Art. 6 (lawfulness), Civora processes personal data for the following purposes on the following bases.
| Purpose | Data subject | Legal basis (GDPR Art. 6) |
|---|---|---|
| User account creation, maintenance, customer support | Customer | 6(1)(b) — performance of contract |
| Service provision (AI moderation of messages on the server) | End User | the Customer as controller decides the basis (typically legitimate interest under 6(1)(f) for community safety); Civora acts as processor under Art. 28 |
| Invoicing, accounting | Customer | 6(1)(c) — legal obligation (Számv. tv. § 169; Áfa tv. §§ 187–196) |
| Marketing communication | Customer | 6(1)(a) — consent (withdrawable any time in one click) |
| Product analytics, Dashboard improvement | Customer | 6(1)(f) — legitimate interest in product development; right to object available |
| Security, fraud + abuse prevention | Customer, End User | 6(1)(f) — legitimate interest in Service integrity |
| Compliance with regulatory / court orders (e.g., NAIH, NAV) | anyone | 6(1)(c) — legal obligation |
Legitimate-interest balancing test: where the basis is 6(1)(f), Civora has conducted the balancing test (as expected by Infotv. § 5(5)); the outcome confirmed that data-subject rights do not override Civora's / the Customer's legitimate interest. Documentation available on request via hello@civora.hu.
5. Recipients + sub-processors
Civora uses the following sub-processors (under general written authorisation per GDPR Art. 28(2)–(4); the Customer may object to a new sub-processor in the Dashboard / DPA).
| Sub-processor / recipient | Role | Location | Transfer basis |
|---|---|---|---|
| OVH SAS (Gravelines DC) | Hosting, compute, network infrastructure | France (EU) | EU-internal — GDPR Art. 5 |
| Dodo Payments Inc. | Payment processing (Merchant of Record) + tax collection | USA (Delaware) | EU-US Data Privacy Framework or SCC module Civora-Dodo — GDPR Art. 46 |
| Supabase, Inc. (self-hosted EU instance) | Database + auth | EU (Civora-self-hosted instance under Supabase contract) | EU-internal |
| Google LLC (Gemini API) | AI translation (feature-request texts) | USA | EU-US DPF / SCC — GDPR Art. 46 |
| SMTP provider (Gmail / Google Workspace) | Transactional email (registration confirmation, invoice notification, payment-failure) | USA / EU mixed | EU-US DPF / SCC — GDPR Art. 46 |
| Discord Inc. | Storage of the Discord server itself + bot operations | USA | EU-US DPF / SCC — GDPR Art. 46; Discord's own privacy notice applies |
5.2. The up-to-date sub-processor list is in Annex I of the DPA. Customers may request a copy of the SCC between Civora and Dodo, as well as the contact data for Google data processing terms, via hello@civora.hu.
5.3. Disclosure to authorities. Civora discloses personal data to Hungarian or EU authorities (NAIH, NAV, courts, prosecutor's office, investigation authorities) only where required by law or by an enforceable judicial / administrative order — GDPR Art. 6(1)(c).
6. International transfers (GDPR Art. 46)
Civora processes data primarily within the EU (OVH Gravelines + self-hosted Supabase EU instance). Transfers to third countries (currently the United States) take place to:
- Dodo Payments Inc. (USA) — MoR, payment processing (Customer billing data).
- Google LLC / Google Cloud (USA) — Gemini API (feature-request translation), Gmail SMTP (transactional emails).
- Discord Inc. (USA) — the Discord server itself is hosted where Discord operates the platform.
Each non-EU transfer relies on one of the following GDPR Art. 46 mechanisms:
- Commission Implementing Decision (EU) 2023/1795 under the EU-US Data Privacy Framework, where the recipient is certified;
- where the recipient is not DPF-certified, the Standard Contractual Clauses (SCC) adopted by Commission Implementing Decision (EU) 2021/914 — the applicable Module 2 (controller-to-processor) or Module 3 (processor-to-processor) — supplemented by additional technical and organisational measures (TLS in transit, encryption at rest, access control, audit rights).
Copies of the relevant safeguards (SCC + DPF certifications) are made available on request via hello@civora.hu.
7. Retention
| Data category | Retention |
|---|---|
| Active account data | duration of the contract |
| Terminated account data | up to 30 days after termination, then anonymisation or deletion |
| Billing / accounting data (Számv. tv. § 169) | 8 years — mandatory statutory requirement |
| Moderation audit logs (processed on Customer's behalf) | Free: 7 days; Pro: 30 days; Business: 90 days — then auto-deletion |
| Webhook idempotency log | 90 days |
| Support correspondence (tickets) | 1 year after contract termination, longer if needed for dispute / claim |
| Marketing-consent log | 5 years from consent withdrawal (claim-defence interest) |
7.2. Periodic review (Infotv. § 5(5)). Civora reviews non-mandatory processing every three years to confirm continued necessity and proportionality.
8. Data-subject rights
Under Chapter III of the GDPR (Arts. 12–22) and Chapter III of the Infotv., data subjects have the following rights:
- Right to information (GDPR Art. 13–14) — fulfilled by this Notice.
- Access (GDPR Art. 15) — obtain a copy of personal data we process about you.
- Rectification (GDPR Art. 16) — correct inaccurate data.
- Erasure / "right to be forgotten" (GDPR Art. 17) — in specified cases (e.g., consent withdrawn, no longer needed).
- Restriction of processing (GDPR Art. 18) — e.g., during rectification review.
- Data portability (GDPR Art. 20) — receive your provided data in structured, machine-readable form (JSON/CSV).
- Objection (GDPR Art. 21) — in particular against legitimate-interest-based processing, and absolutely against direct marketing.
- Right regarding automated decision-making (GDPR Art. 22) — the data subject has the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning them or similarly significantly affects them. In moderation, the data subject (End User) has the right to obtain human intervention, express their view, and contest the decision, in practice via the channel offered by the Customer (moderator message / appeal form).
- Withdraw consent (GDPR Art. 7(3)) — where the basis is consent, you may withdraw it at any time, without affecting the lawfulness of processing prior to the withdrawal.
- Lodge a complaint with the supervisory authority (GDPR Art. 77 / Infotv. § 52(1)) — anyone may turn to NAIH.
- Judicial remedies (GDPR Art. 79 / Infotv. § 23) — actions may be brought against Civora and/or against the Customer (as controller). Per Infotv. § 23(3) the action may be brought before the court of the data subject's place of residence.
8.2. How to exercise these rights. Send an email to hello@civora.hu. Civora responds within one month at most (GDPR Art. 12(3); extendable by 2 months in complex cases). Exercise is free of charge by default; a reasonable fee may be charged or the request refused only if manifestly unfounded or excessive (GDPR Art. 12(5)).
8.3. Identity verification. Where reasonably needed to prevent abuse of these rights, Civora may ask for reasonable proof of identity (GDPR Art. 12(6)) — e.g. reply from the registered email account.
9. Automated decision-making and profiling
9.1. What we automate. Civora performs automated moderation decisions (message deletion, temporary mute, flagging) on Discord messages, based on AI analysis and the Customer-configured severity thresholds. This may qualify as a GDPR Art. 22(1) decision if it has legal effects on the End User or similarly significantly affects them (e.g., timeout, ban).
9.2. Legal basis under GDPR Art. 22(2): the decision is necessary for the performance of the Civora-Customer contract (Art. 22(2)(a)); and the Customer, via its server community rules, expressly consents to such automation.
9.3. Safeguards under Art. 22(3): the data subject has the right to obtain human intervention, express their view, and contest the decision. Civora provides override functionality in the Dashboard and, where the Customer enables it, DM notifications to End Users about moderation actions indicating the appeal route.
9.4. Information about the logic (GDPR Art. 13(2)(f)). The analysis is based on the statistical inference of Civora's own large language model (LLM). The model does not build a long-term profile of the End User; each decision is made on the specific message and — optionally — a short channel context. Model characteristics: tone identification, directed-attack detection, multi-language (30+ languages), and classification by the configured severity thresholds.
10. Security (GDPR Art. 32; Infotv. § 25/F)
Civora implements technical and organisational measures appropriate to the risk (GDPR Art. 32), taking into account the nature, scope, context, and purposes of processing and the varying likelihood and severity of risks to natural persons' rights and freedoms.
- Transport encryption (TLS 1.3): for all HTTPS traffic and all sub-processor connections.
- Encryption at rest: Discord OAuth tokens are stored with application-level AES-GCM encryption; the database storage layer is encrypted.
- Access control: Row-Level Security (RLS) policies in Supabase; service-role key restricted to server-side code; admin tier behind a separate role.
- Audit log: electronic log of operations on personal data, per Infotv. § 25/F(1)–(2) — purpose, reason, time, operator, and recipient recorded.
- Periodic retention review (Infotv. § 5(5)): at least every three years, documented.
- Incident response: documented incident-response procedure; Civora notifies NAIH of personal-data breaches without undue delay and, where feasible, within 72 hours of awareness, per GDPR Art. 33(1). Data subjects are informed without undue delay where the breach is likely to result in a high risk to their rights (GDPR Art. 34).
- Backup + DR: daily automated backup; annual recoverability test.
11. Children
Civora's Service is not directed at children under 16 (the digital-consent age applicable in Hungary under GDPR Art. 8(1) — Hungary has not lowered it). Discord's own minimum age is 13; Civora follows Discord platform rules. If we learn that we are processing data of a person under 13, we delete it.
12. Changes to this Notice
Civora updates this Notice as needed. Material changes are notified to Customers at least 30 days in advance, via registered email and an in-Dashboard banner. Earlier versions are archived and provided on request via hello@civora.hu.
13. Contact + supervisory authority
13.1. Privacy contact: hello@civora.hu.
13.2. Supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (NAIH) — H-1055 Budapest, Falk Miksa u. 9–11.; ugyfelszolgalat@naih.hu; https://naih.hu. Investigation initiation: under Infotv. § 52(1), anyone may file a complaint free of charge.
13.3. Judicial remedies: under Infotv. § 23(1) and (3), the action may be brought against Civora or the Customer (as controller) before the court of the data subject's place of residence at their option. GDPR remedies: Arts. 78–79.
14. Effective date
This Privacy Notice v2.0 takes effect on 2026-05-15.