Privacy Policy
(hereinafter: "Privacy Policy")
1. Introduction
1.1. Purpose and characteristics of Privacy Policy
This Privacy Policy explains how personal data is processed in connection with the NotiCord application ("Application") and related services ("Services"), including support and feedback services.
Because NotiCord is an integration between Customer-selected platforms (Discord and Notion), personal data is processed in different legal roles: sometimes Service Provider acts as Controller, and sometimes as Processor.
1.2. Who is the controller? When do we act as controller vs processor?
Controller for account and business operations. The controller of personal data processed for Service Provider's own account administration and business operations (for example billing, invoicing, subscription management, support communications, fraud/security logs, and marketing where lawful) is Firnity (full business name: Łukasz Wiatrak Firnity) (the "Service Provider" as defined in the Terms of Use), with its registered office at ul. Zamknięta 10, lok. 1.5, 30-554 Kraków, Poland, NIP: 5130127144, REGON: 520124248. Contact details: phone +48 693 066 020, email contact@firnity.com.
Processor for Customer Data in integration flows. For personal data flowing between Notion and Discord via the Application (including page content and properties, Discord messages and command inputs, user identifiers, delivery logs, and identity links), the User (Customer) is the Controller and Service Provider is the Processor acting on the User's documented instructions under the Data Processing Agreement.
For these integration flows, Service Provider and User are not joint controllers.
Data protection contact / DPO. We have not appointed a Data Protection Officer (DPO). For all data protection matters, please contact us at contact@firnity.com.
1.3. Who does Privacy Policy apply to?
Privacy Policy applies to Users (including Consumers and Business Users) and to individuals whose personal data is processed in connection with Services (for example Personnel, User's Clients, and persons contacting support).
By authorizing the Application through Discord OAuth, continuing the onboarding flow, or purchasing a Subscription, User acknowledges having read this Privacy Policy.
If personal data is processed in a Discord server or Notion workspace that uses NotiCord (and you are not the account holder), this Privacy Policy is provided for transparency; your organization/server admin is the Controller for those integration flows (see Sections 2.2 and 7.2).
1.4. Definitions
Capitalized terms not defined in this Privacy Policy have the meanings given in the Terms of Use and/or the DPA (as applicable). If documents conflict, the DPA prevails for Customer Data processing as Processor, and the Terms of Use prevail for commercial terms.
2. How and why personal data is processed
2.1. Processing where Service Provider acts as Controller
Service Provider processes personal data as Controller to:
2.1.1. Provide accounts and access: authentication, session security, account settings.
2.1.2. Provide subscription administration: plan enforcement, usage measurement required for service operations and billing.
2.1.3. Handle billing, invoicing, tax and accounting obligations.
2.1.4. Provide support and incident handling.
2.1.5. Provide security and fraud-abuse prevention.
2.1.6. Operate service telemetry (Account Data / service security): reliability and security monitoring, fraud-abuse prevention, and operational logging necessary to run the Application (for example account login events, subscription/quota enforcement events, and security alerts).
Where telemetry or logging relates to Customer Data processed on behalf of a User (Customer) (for example delivery logs, integration health checks, and troubleshooting data tied to Discord/Notion integration flows), Service Provider processes such data as Processor under Section 2.2 and DPA, not for independent controller-side purposes.
2.1.7. Operate product analytics and service improvement: analyze aggregated product usage and performance trends to improve features, reliability, and user experience, including basic cookieless analytics where no optional persistent browser storage is used.
2.1.8. Send marketing communications where lawful and where required consent has been collected.
2.1.9. Marketing consent and opt-out: Service Provider does not send electronic direct marketing or commercial communications without prior consent where required (including under the Polish Prawo komunikacji elektronicznej (PKE)). Consent may be withdrawn at any time (see Section 7.1).
2.2. Processing where Service Provider acts as Processor
When User connects Discord and Notion to the Application, Service Provider processes Customer Data on User's behalf to:
2.2.1. Deliver core integration functionality: notifications, configured checks, and user-configured create/update operations.
2.2.2. Operate and secure the integration: delivery logs, connectivity checks, abuse prevention, and service integrity controls. This may include limited error and diagnostic data needed to detect and resolve integration failures, processed on User's documented instructions under DPA.
2.2.3. Run Diagnostics and Automated Remediation (as defined in the Terms of Use) only to restore configuration/connectivity within permissions granted by User.
For Customer Data in this section, User (Customer) determines legal basis and data-subject information obligations as Controller.
2.3. Cookies and similar technologies
The Application and website may use cookies, localStorage, sessionStorage, or similar technologies.
Under Polish electronic communications law (Prawo komunikacji elektronicznej) and the EU "cookie rule" approach, storing information on your device or accessing information stored on your device generally requires prior information and consent, unless strictly necessary to transmit a communication or provide a service explicitly requested by you.
Service Provider therefore uses strictly necessary technologies by default for login/session security and core service operation.
Where non-essential technologies involve storage/access on your device, Service Provider enables them only after consent via the consent banner/settings, where required.
Where analytics operates without non-essential storage/access on your device, Service Provider relies on an appropriate GDPR legal basis (for example Art. 6(1)(f), legitimate interests), as described in the Cookie Notice.
See Cookie Notice for details.
3. Which personal data is processed
Service Provider processes only the data necessary for defined purposes.
3.1. Controller-side data categories
3.1.1. Account and authentication data: email, user identifiers, login metadata, session/security data, and authentication/session token metadata required for sign-in continuity via Auth0. Auth0 authentication/session tokens may be stored in browser storage on User devices as part of the authentication flow. Service Provider does not store Auth0 access/refresh tokens in the Application database.
3.1.2. Subscription and payment administration data: Stripe customer identifiers, subscription status, billing contact details, billing address, tax/VAT identifiers, invoice/payment status metadata. Service Provider does not store full card numbers.
3.1.3. Usage and quota records: counts and metadata necessary to administer subscriptions, enforce plan limits, and support billing integrity.
3.1.4. Controller-side support/account correspondence data: support requests and correspondence about account administration (for example billing, subscription management, legal/compliance matters, and service operations). This data is processed by Service Provider as Controller.
3.1.5. Marketing contact data: contact details and preference data where User has provided required consent.
3.1.6. Accounting and invoicing data: legal/business details, tax identifiers, invoice numbers, amounts, payment status, and transaction references.
3.1.7. Controller-side security and service activity logs: audit/security events and reliability telemetry related to account security, access control, billing/subscription administration, abuse prevention, and service stability.
3.1.8. Technical identifiers and device/network data: IP address, browser/device metadata, session and diagnostic identifiers, and other technical request metadata processed for account security, abuse prevention, service reliability, and troubleshooting.
3.2. Processor-side data categories (Customer Data)
Depending on User configuration, Service Provider may process on User instructions:
3.2.1. Notion data: user display names/IDs, page and database content, properties, comments, metadata.
3.2.2. Discord data: user IDs/usernames, command inputs/messages, attachments, server/channel identifiers, and configuration data.
3.2.3. Integration metadata: delivery logs, timestamps, identifiers, identity links, and integration diagnostics required to operate, troubleshoot, and secure the integration under User instructions.
3.2.4. Integration credentials: authorization credentials required for connected integrations (for example Notion workspace access credentials) to execute User-configured integration actions. These credentials are stored encrypted at rest.
3.2.5. Discord bot-install authorization flow data: OAuth authorization codes used during bot-install callback processing are handled transiently to complete installation and are not stored by Service Provider as persistent Discord user OAuth access/refresh tokens.
3.2.6. Support submissions containing Customer Data: if a support request submitted through email, support portal, or in-app support form includes Customer Data from User-configured Discord/Notion integration flows, that part of the request (including metadata and attachments) is processed by Service Provider as Processor on User instructions under DPA.
4. To whom personal data is disclosed
4.1. Controller-side recipients
Service Provider may use processors/subcontractors for its own operations, including:
- payments and billing providers;
- support tooling providers;
- accounting/invoicing providers;
- transactional email providers; and
- infrastructure and operational providers (cloud hosting/infrastructure, authentication, error monitoring, and operational telemetry used to operate and secure the Application, including account security, reliability monitoring, and incident handling).
Current controller-side vendors are listed on the Controller-Side Vendors page.
Where a support communication contains Customer Data processed on a User's behalf, the support-channel provider handling that communication may process such data as a Sub-Processor under DPA scope.
Where operational telemetry or diagnostics tied to Discord/Notion integration flows includes Customer Data, telemetry providers handling that data (including PostHog and Sentry) may process such data as Sub-Processors under DPA scope.
4.2. Sub-processors for Customer Data
When Service Provider acts as Processor, Sub-processors used for Customer Data are listed on the Sub-Processors page.
4.3. Third-party platforms selected by User
Customer Data may be transferred to Third-Party Platforms strictly on User instructions through configured integrations. These platforms (including Discord and Notion) are selected and controlled by User and are not Service Provider's Sub-processors for such user-directed transfers.
4.4. International data transfers
Service Provider's primary hosting is in the EU. Some controller-side service providers (including payments, support tooling, and email delivery providers) may process personal data outside the EEA/UK/Switzerland (including in the United States).
Where required, Service Provider relies on GDPR Chapter V transfer mechanisms such as adequacy decisions (where applicable) and/or Standard Contractual Clauses (SCCs) with supplementary measures as appropriate.
For Customer Data processed as Processor, international transfers (if any) are handled under DPA and applicable Sub-Processor arrangements.
You may request information about the transfer safeguard used for a specific provider by contacting contact@firnity.com. Where SCCs are used, you may request a copy of the relevant transfer safeguard terms. Service Provider may redact confidential commercial terms that are not part of the transfer safeguard, where legally permissible.
For transfers to Third-Party Platforms selected by User, User is responsible for controller-side transfer compliance.
4.5. Legal obligations
Service Provider may disclose personal data where required by law or binding requests from competent authorities.
5. Retention period
Retention depends on data category, processing role, legal obligations, and claim-defense needs.
5.1. Controller-side retention
5.1.1. Account and service administration data: retained for account lifetime and for a limited period after termination/deletion in active systems to complete billing closeout, secure services, investigate abuse, and handle disputes, unless longer retention is required by law or needed to establish, exercise, or defend legal claims.
5.1.2. Tax/accounting records: retained for periods required by law (generally 5 years from the end of the calendar year in which the tax obligation arose, unless longer retention is required).
5.1.3. Marketing data: retained until consent is withdrawn or marketing purpose otherwise ends.
5.1.4. Service activity logs and operational telemetry: retained according to log purpose and risk context, including account/service administration, product activity history (including last activity indicators in the Application), quota and billing integrity, incident investigation, abuse prevention, security operations, and legal-claim defense.
Retention periods vary by log category and risk context. As a general rule, Service Provider retains:
- security/authentication logs for a limited period needed for security monitoring and investigation;
- billing/quota integrity logs for the billing cycle, reconciliation, and dispute-handling period; and
- error/diagnostics logs for the period needed to debug, maintain reliability, and investigate incidents.
Retention may be extended where required by law, legal hold, incident response, or establishment, exercise, or defense of legal claims. Retention schedules are periodically reviewed by log category.
5.1.5. Self-service deletion: account deletion requests (including through in-app self-service) remove or anonymize data in active systems, subject to legal/claims/security retention limits. If a paid Subscription is active, self-service account deletion triggers cancellation in Stripe effective at the end of the current billing period. If Stripe cancellation cannot be initiated, account deletion does not complete and User is asked to retry or contact support. Installed Discord/Notion integrations may require separate manual removal by User.
5.1.6. Controller-side support tickets and correspondence: retained for as long as needed to resolve requests and manage disputes. Closed-ticket records are typically retained for up to 24 months after closure, unless a longer period is required by law, legal hold, security incident response, or claim-defense needs. Any Customer Data included in support requests follows processor-side retention in Section 5.2.
5.2. Processor-side retention (Customer Data)
Customer Data is retained and deleted/returned under DPA terms and User instructions, unless law requires longer retention.
5.3. Backups
Deleted data may persist in encrypted backups until backup rotation completes. Backups are retained for a limited period and overwritten in the ordinary course. Backup retention may be extended where required for service continuity, security incidents, or legal hold.
6. Legal basis and security measures
6.1. Legal bases where Service Provider acts as Controller
Controller-side processing is based on the following legal bases, depending on purpose:
| Purpose (Section 2.1) | Typical legal basis |
|---|---|
| Account creation/access, authentication, and account settings (2.1.1) | Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR (service security, fraud-abuse prevention) |
| Subscription administration and billing integrity (2.1.2) | Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR |
| Billing, invoicing, tax, and accounting (2.1.3) | Art. 6(1)(c) GDPR |
| Support and incident handling (2.1.4) | Art. 6(1)(b) GDPR and/or Art. 6(1)(f) GDPR |
| Security, fraud-abuse prevention, and operational telemetry (2.1.5-2.1.6) | Art. 6(1)(f) GDPR |
| Product analytics and service improvement (2.1.7) | Art. 6(1)(f) GDPR and/or Art. 6(1)(a) GDPR where consent is required for persistent analytics storage/access on the device |
| Marketing communications and marketing preferences (2.1.8-2.1.9) | Art. 6(1)(a) GDPR and consent where required by Polish Prawo komunikacji elektronicznej (PKE) |
Where Service Provider relies on Art. 6(1)(f) GDPR, legitimate interests include account and service security, fraud-abuse prevention, reliability and quality of Services, and establishment, exercise, or defense of legal claims.
6.2. Customer Data where Service Provider acts as Processor
For Customer Data processed through integration flows, User is Controller and determines legal basis. Service Provider processes such data only on documented instructions under DPA.
6.3. Security measures
Service Provider implements appropriate technical and organizational safeguards proportionate to risk, including:
6.3.1. Encryption in transit and encryption at rest in primary storage systems where supported.
6.3.2. Access controls and least-privilege access management.
6.3.3. Security logging, monitoring, and periodic review of security practices.
6.3.4. Secure infrastructure and trusted service providers.
6.3.5. Payment-card credentials processed by Stripe and not stored by Service Provider.
7. How to exercise your rights
7.1. If Service Provider is Controller
If your data is processed for account/billing/support/marketing operations, you may exercise GDPR rights (access, rectification, erasure, restriction, portability, objection) by contacting contact@firnity.com.
You may object to processing based on legitimate interests (including basic product analytics) by contacting contact@firnity.com. If you have an account, you may also use account settings where available.
Service Provider responds to data-subject requests without undue delay and in any event within one month of receipt. This period may be extended by up to two further months where necessary due to complexity or number of requests; if extended, Service Provider will inform you within the initial one-month period and explain the reasons.
For security, Service Provider may verify identity before completing requests. Self-service account deletion may also be used where available.
If processing is based on consent (for example marketing communications or non-essential cookies/technologies), you may withdraw consent at any time by using unsubscribe links (where available), changing account settings (where available), or contacting contact@firnity.com. Withdrawal does not affect the lawfulness of processing before withdrawal.
7.2. If Service Provider is Processor
If your data is processed because you are a member of a Discord server or Notion workspace using NotiCord, your organization/server admin is the Controller. Please contact that Controller first.
If Service Provider receives such a request directly, Service Provider will forward it to the relevant User where Service Provider can identify the relevant Controller, and will assist User under DPA.
7.3. Complaint to supervisory authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement.
In Poland, the supervisory authority is the President of the Personal Data Protection Office (Prezes UODO): https://uodo.gov.pl/.
8. Final provisions
8.1. Is providing data necessary to enter into an Agreement?
Data is collected to the extent necessary to conclude and perform Agreement and satisfy legal obligations. Failure to provide required data may prevent account creation, subscription provisioning, or legal invoicing.
8.2. Where does Service Provider get your personal data from?
Personal data may be obtained:
- directly from User during account creation, configuration, support requests, and subscription activities;
- from Auth0 (using Discord as identity provider) for authentication/session claims and account sign-in continuity;
- from Discord/Notion when User authorizes integrations and uses configured flows;
- from Stripe for subscription and billing administration;
- from Atlassian Jira Service Management when support requests are submitted through the support portal or in-app support form;
- from email correspondence and attachments sent to contact@firnity.com through Google Workspace;
- from accounting systems/providers for invoicing and tax bookkeeping;
- from User organizations when they grant access to Personnel or User's Clients.
8.3. Children and minors
NotiCord is not directed to children as account holders. Account owners must be adults (see Terms of Use).
However, the Services may process personal data relating to minors as part of Customer Data when a User (Customer) connects a Discord server or Notion workspace that contains information relating to minors (for example messages, content, or records).
For such Customer Data, the User (Customer) is the Controller and is responsible for determining the lawful basis, providing required notices to data subjects, and implementing any additional safeguards required by applicable law for processing children's personal data. We act as Processor under the DPA and do not use Customer Data (including data relating to minors) for our own marketing or profiling.
8.4. Changes to Privacy Policy
Service Provider may update this Privacy Policy to reflect legal, technical, or business changes. Updated versions are published with a revised "Last updated" date.
Non-material changes (for example typo fixes, formatting, clarifications, and non-substantive edits) may take effect immediately upon publication.
For material changes (changes affecting processing purposes, categories of data, categories of recipients/transfers, or data-subject rights), Service Provider notifies account holders by email and/or in-application notice with an effective date.
Changes required for legal compliance, security, fraud-abuse prevention, or incident response may take effect immediately (or as required by law), with notice provided as soon as reasonably practicable.
8.5. Automated decision-making
Service Provider does not use automated decision-making (including profiling) producing legal effects or similarly significant effects within the meaning of Art. 22 GDPR.
Last updated: February 17, 2026