Back to home

Privacy notice

Effective date: 2026-05-15Version: 1.0

1.Identity of the controller and contact

This notice provides the information required under Articles 13 and 14 of Regulation (EU) 2016/679 (the "GDPR"), within the framework of Hungarian Act CXII of 2011 on Informational Self-Determination and Freedom of Information ("Infotv.").

Controller
Tibor Levente Székely, Hungarian sole trader (egyéni vállalkozó)
Registered seat (business address)
Domaháza utca 46., 1154 Budapest, Hungary
Sole-trader registration number
59845982
Tax number
90586961-1-42 (EU VAT: HU90586961)
VAT status
small-business VAT-exempt taxable person (alanyi adómentes, Áfa tv. Chapter XIII)
Privacy contact
hello@civora.hu
Data Protection Officer
Under Article 37 GDPR, the controller — as a sole trader whose processing is neither carried out by a public body nor consists of regular and systematic large-scale monitoring of data subjects nor of large-scale processing of special categories — is not required to appoint a DPO. Privacy queries are handled by the privacy contact (hello@civora.hu).

2.Two roles of Civora — important distinction

Civora processes personal data in two distinct capacities:

(A) As an independent controller — for data of its own Customers (account holders):

  • account name, email, password hash, billing data, usage analytics.

(B) As a processor — for message data transmitted through the Customer's Discord server, within the meaning of GDPR Art. 4(8) and Art. 28. In that relationship the Customer (Discord server owner) is the controller, and Civora processes (Discord usernames, message content, user IDs) on the Customer's instructions. This processing is governed by a separate Data Processing Agreement (DPA) with the Customer. Data subjects (end users) should exercise their rights primarily against the Customer.

3.Categories of personal data processed

Customer (account-holder) data — Civora as controller

  • Identification and contact data: email, name (optional), Discord OAuth ID.
  • Billing data: business name, tax ID, billing address (processed via Stripe; Civora sees only invoice IDs and amounts).
  • Account usage: login timestamps, IP address, device/browser metadata, dashboard activity.
  • Marketing opt-ins: email notifications, newsletter (consent-based).

End-user data — Civora as processor

  • Discord username (display name + handle), Discord user ID, role memberships.
  • Content and metadata (timestamp, channel) of messages posted on enrolled channels.
  • Moderation audit log (what action Civora took and why).

5.Categories of recipients and sub-processors

  • Hosting provider: OVH SAS, 2 rue Kellermann, 59100 Roubaix, France (EU) — Gravelines data centre.
  • AI inference sub-processor: third-party AI provider established in the EU or covered by an EU adequacy decision.
  • Payment processor: Stripe Payments Europe Ltd. (Ireland), and parent Stripe, Inc. (United States).
  • Email / transactional messaging: EU-based service provider.
  • Product analytics: privacy-respecting analytics with EU hosting.
  • Authorities: strictly under legal obligation (e.g. NAIH request, court order).

An up-to-date sub-processor list is maintained in Annex I of the DPA.

6.International transfers

Civora processes data primarily within the EU. The only regular non-EU transfer is to Stripe, Inc. (USA) for payment processing. Lawful transfer mechanisms (GDPR Art. 46):

  • Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 on the EU–US Data Privacy Framework, where the recipient is certified; or
  • the Commission's Standard Contractual Clauses approved by Implementing Decision (EU) 2021/914, supplemented by technical and organisational safeguards (encryption).

A copy of the relevant safeguards is available on request at hello@civora.hu.

7.Retention

CategoryPeriod
Active account dataFor the duration of the contract
Closed-account dataUp to 30 days after termination, then anonymised or deleted
Invoicing / accounting data8 years, under Számv. tv. § 169(2)
Moderation audit logs (processor capacity)Default 30 days; configurable up to 90 days on Business tier
Security logs (system level)Up to 12 months
Marketing consentUntil withdrawal or after 24 months of inactivity
CookiesSee Cookie Notice

8.Data subject rights (GDPR Arts. 15–22)

You may at any time exercise:

  • Access (Art. 15) – confirmation of processing and copy of data.
  • Rectification (Art. 16) – correction of inaccurate data.
  • Erasure ("right to be forgotten", Art. 17) – in specified cases.
  • Restriction (Art. 18).
  • Portability (Art. 20) – in machine-readable format.
  • Objection (Art. 21) – in particular to processing based on legitimate interests (Art. 6(1)(f)).
  • Withdrawal of consent (Art. 7(3)) – for consent-based processing.

How to exercise: email hello@civora.hu. We respond on the merits within 1 month of receipt (extendable by 2 months for complex matters with notice). Identity verification may be required to prevent abuse.

Important: as regards end-user (server member) data, rights should be exercised primarily against the Customer (controller). Civora forwards incoming requests to the Customer and assists pursuant to Art. 28(3)(e).

9.Right to lodge a complaint (GDPR Art. 77)

Supervisory authority: Hungarian National Authority for Data Protection and Freedom of Information (NAIH) — established under Infotv. § 38.

Address
H-1055 Budapest, Falk Miksa utca 9-11.
Postal
1363 Budapest, Pf. 9.
Tel
+36 (1) 391-1400
Email
ugyfelszolgalat@naih.hu
Web
https://naih.hu

You also have a right to an effective judicial remedy (GDPR Art. 79).

10.Cookies and tracking technologies

The Civora website and dashboard may use the following cookie categories:

  • Strictly necessary cookies: session, login — legal basis Art. 6(1)(f); ePrivacy Directive Art. 5(3) exemption.
  • Preference cookies: language, theme — opt-in.
  • Analytics cookies: product analytics — explicit consent only.

A detailed cookie policy and consent management tool are available on the website. Consent is withdrawable at any time.

11.Automated decision-making and AI (GDPR Art. 22)

Civora processes Discord messages by automated means and — depending on Customer configuration — may execute automatic actions (deleting a message, applying a timeout).

Logic: moderation decisions are produced by a machine-learning model that, based on content and context, computes weighted scores across multiple categories (toxicity, threat, spam, NSFW). The Customer configures thresholds and actions.

Your rights (End user)

  • To request human review, express your point of view and contest the decision (GDPR Art. 22(3)) in respect of significant decisions.
  • The Customer (as controller) must enable a human review path. The Civora dashboard exposes a review / appeal workflow for this purpose.

12.Security measures (GDPR Art. 32)

Civora applies risk-appropriate technical and organisational measures, including:

  • TLS 1.2+ encryption for all network traffic (in transit);
  • AES-256 encryption at rest;
  • strict role-based access control with multi-factor authentication for internal systems;
  • audit logging and anomaly detection;
  • regular security testing (vulnerability scans, penetration tests);
  • confidentiality obligations on all personnel involved in processing.

13.Children's data

Civora is not directed at persons under the age of 16 (GDPR Art. 8). Discord's own terms currently impose a minimum age of 13. The Customer is responsible for any age-restricted community moderation on its servers.

14.Changes to this notice

The controller may amend this notice. Material changes are notified to registered Customers by email or via the dashboard at least 30 days before effective date.

15.Effective date and version

This notice takes effect on 2026-05-15. Version 1.0.