Privacy Policy

Your Privacy Matters

We're committed to protecting your personal information and being transparent about how we collect, use, and share data in compliance with UK GDPR and Data Protection Act 2018.

Last Updated: 19 August 2025 | Effective Date: 19 August 2025
Version: 3.0 (UK GDPR Compliant) | Next Review: 19 February 2026

1. Introduction & Legal Basis

This Privacy Policy explains how FRIENDIFY LTD ("we", "our", "us") collects, uses, stores, shares and protects your personal data when you use our Discord AI bot platform and related services ("Service").

We are committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR).

Legal Requirement

Under UK data protection law, we must inform you about our processing activities and your rights. Please read this policy carefully as it affects your legal rights.

Consent: By using our Service, you consent to the processing described in this policy where consent is the legal basis.

2. Data Controller Information

Data Controller: FRIENDIFY LTD

Company Registration: England and Wales, Company Number 16656938

Registered Office: 20 Wenlock Road, London, England, N1 7GU

ICO Registration: To be registered (pending business operations commencement)

Phone: +44 7851 497791

Data Protection Officer: privacy@friendify.net

GDPR Representative: Not required (UK-based controller)

General Contact: support@friendify.net

Legal Notices: legal@friendify.net

Regulatory Compliance

As a UK company, we comply with ICO guidance and UK data protection regulations. For complaints, contact the Information Commissioner's Office at ico.org.uk or call 0303 123 1113.

3. Personal Data We Collect

3.1 Identity & Authentication Data

  • Discord Account Information: User ID, username, discriminator, avatar URL
  • Email Address: For account management and legal communications
  • OAuth Tokens: Encrypted Discord authentication tokens (limited scope)
  • Account Preferences: Language, timezone, notification settings

3.2 Technical & Usage Data

  • Device Information: IP address, browser type, operating system, device identifiers
  • Usage Analytics: Page views, feature usage, session duration, interaction patterns
  • Performance Data: API response times, error logs, system performance metrics
  • Security Logs: Login attempts, security events, access logs

3.3 Bot Configuration & Content Data

  • Discord Server Data: Guild IDs, channel IDs, role configurations, bot permissions
  • AI Personalities: Custom personality configurations, prompts, example conversations
  • Chat History: Message content processed by AI (for context and learning)
  • Voice Data: Temporary audio recordings for speech-to-text processing
  • Custom Commands: User-created bot commands and automated responses

3.4 AI Processing & Learning Data

  • Embeddings & Vectors: Mathematical representations of text for AI context
  • Sentiment Analysis: Mood and emotional tone data from conversations
  • Context Metadata: Time, location, conversation state for AI enhancement
  • Learning Patterns: User interaction patterns for personalization

3.5 Payment & Commercial Data

  • Billing Information: Payment method details (processed by Stripe - not stored by us)
  • Transaction Records: Payment history, subscription details, invoice data
  • Credit Usage: Service usage patterns and credit consumption
  • Promotional Data: Coupon usage, referral information, marketing preferences

Children's Data Protection

Age Restriction: Our service is not intended for children under 16. We do not knowingly collect data from minors.

Parental Consent: Users aged 16-18 require verifiable parental consent.

Data Deletion: If we discover we've collected a child's data inappropriately, we will delete it immediately.

4. Legal Basis for Processing (UK GDPR Article 6 & 9)

4.1 Lawful Bases for Personal Data Processing

Data Category Legal Basis UK GDPR Article Retention Period
Account & Authentication Contract Performance Article 6(1)(b) Account lifetime + 30 days
Payment & Billing Contract + Legal Obligation Article 6(1)(b)(c) 10 years (tax law)
Service Usage & Analytics Legitimate Interest Article 6(1)(f) 3 years
Marketing Communications Consent Article 6(1)(a) Until withdrawn
Security & Fraud Prevention Legitimate Interest + Legal Obligation Article 6(1)(c)(f) 7 years

4.2 Legitimate Interest Assessment

Where we rely on legitimate interests, we have conducted balancing tests considering:

  • Purpose: Improving service quality and preventing fraud
  • Necessity: Processing is necessary for the specified purpose
  • Impact Assessment: Minimal impact on your privacy rights
  • Safeguards: Technical and organizational measures in place

Special Category Data

Voice Biometrics: Voice recordings may contain biometric identifiers (Article 9). We process this under Article 9(2)(a) - explicit consent for AI transcription.

Racial/Ethnic Data: AI may infer demographic information. Processing under Article 9(2)(f) - substantial public interest in AI safety research.

5. How We Use Your Personal Data

5.1 Primary Service Delivery

  • Account Management: User authentication, profile management, service access control
  • AI Bot Operations: Generate responses, maintain conversation context, personality adaptation
  • Voice Processing: Speech-to-text transcription, voice command recognition, audio synthesis
  • Memory & Learning: Conversation history, user preference learning, context improvement
  • Discord Integration: Bot deployment, server management, permission handling

5.2 Service Enhancement & Analytics

  • Usage Analytics: Feature usage patterns, performance optimization, user experience improvement
  • Error Monitoring: System diagnostics, bug identification, service reliability enhancement
  • Product Development: Feature development, AI model training, service innovation
  • User Research: Aggregated usage insights, market research, service optimization

5.3 Business Operations

  • Payment Processing: Subscription management, billing, refund processing, fraud prevention
  • Customer Support: Technical assistance, account recovery, service guidance
  • Communications: Service updates, security notifications, legal notices
  • Security & Compliance: Fraud detection, abuse prevention, regulatory compliance

5.4 AI Training & Improvement (Opt-In)

AI Model Enhancement

Aggregated Training: With explicit consent, we may use anonymized conversation data to improve AI models

Personalization: Individual bot behavior adaptation based on user interaction patterns

Safety Enhancement: Content filtering improvement using anonymized harmful content examples

Opt-Out Available: You can disable AI training usage in your account settings at any time

6. Data Sharing & Third-Party Processors

We do not sell, rent, or trade your personal data. We share data only as necessary for service delivery and legal compliance:

6.1 Essential Service Providers

Provider Service Data Shared Safeguards
OpenAI LLC (USA) AI Processing Chat content, embeddings TLS encryption, data agreements
Stripe Inc. (USA) Payment Processing Billing info, transaction data PCI DSS compliance, encryption
Discord Inc. (USA) Platform Integration OAuth tokens, bot interactions Encrypted API calls, limited scope
Cloud Infrastructure Hosting & CDN Application data, logs SOC2 compliance, encryption

6.2 Legal & Regulatory Disclosures

  • Court Orders: When required by valid legal process or court order
  • Law Enforcement: To investigate illegal activities or protect public safety
  • Regulatory Bodies: ICO, Financial Conduct Authority, or other UK regulators as required
  • Emergency Situations: To prevent harm to individuals or property

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the new entity. We will:

  • Provide 30 days advance notice
  • Ensure equivalent data protection standards
  • Offer account deletion option before transfer
  • Comply with UK GDPR requirements for data transfers

7. International Data Transfers

As a UK-based company, we primarily process data within the UK. However, some third-party services require international transfers:

7.1 Transfer Safeguards

  • Adequacy Decisions: We rely on UK adequacy decisions where available
  • Standard Contractual Clauses: UK ICO-approved SCCs for non-adequate countries
  • Certification Schemes: Providers with recognized privacy certifications
  • Technical Safeguards: End-to-end encryption for all international data flows

7.2 Specific Transfer Details

International Processing Locations

USA (OpenAI): Protected by Standard Contractual Clauses and additional technical safeguards

USA (Stripe): Covered by adequacy decision for payment processing and SCCs

EU/EEA: Covered by UK-EU adequacy decision and GDPR compliance

Your Rights: You can object to international transfers and request UK-only processing (may limit service features)

8. Cookies & Online Tracking (PECR Compliance)

We use cookies and similar technologies in compliance with the Privacy and Electronic Communications Regulations (PECR):

8.1 Strictly Necessary Cookies (No Consent Required)

  • Authentication Cookies: User login sessions, security tokens (expires: session/7 days)
  • Security Cookies: CSRF protection, fraud prevention (expires: session)
  • Functional Cookies: Language preferences, accessibility settings (expires: 1 year)
  • Load Balancing: Server routing, performance optimization (expires: session)

8.2 Consent-Required Cookies

Analytics & Performance (Opt-In)

Google Analytics: Anonymized usage statistics, page views, user journeys

Error Tracking: Application error monitoring and performance analysis

A/B Testing: Feature testing and user experience optimization

Retention: 2 years maximum, with periodic data deletion

Marketing & Advertising (Opt-In)

Social Media Pixels: Facebook, Twitter, LinkedIn conversion tracking

Remarketing: Targeted advertising on third-party platforms

Attribution: Marketing campaign effectiveness measurement

Control: Granular consent management in cookie banner

8.3 Cookie Management

  • Consent Banner: Granular control over cookie categories on first visit
  • Cookie Settings: Manage preferences in account settings or footer link
  • Browser Controls: Browser settings to block/delete cookies
  • Opt-Out Tools: Industry tools like Your Online Choices (youronlinechoices.com/uk)

9. Data Retention Policy

We retain personal data only as long as necessary for the purposes outlined in this policy or as required by law:

9.1 Retention Schedule

Data Category Retention Period Legal Basis Deletion Process
Account Information Account lifetime + 30 days Contract performance Automated deletion
Chat History & AI Data 90 days (user configurable: 1-365 days) Service delivery Rolling deletion
Voice Recordings 24 hours maximum Real-time processing Immediate after processing
Payment Records 10 years UK tax obligations Secure archival deletion
Marketing Data Until consent withdrawn + 30 days Consent Immediate on withdrawal
Security Logs 7 years Legitimate interest Secure deletion
Analytics Data 3 years (anonymized after 18 months) Legitimate interest Automated anonymization

9.2 Early Deletion Triggers

  • Account Deletion: All personal data deleted within 30 days
  • Consent Withdrawal: Immediate cessation of processing for consent-based data
  • Objection Requests: Data deletion within 30 days unless legal obligation prevents
  • Minors' Data: Immediate deletion upon discovery

Legal Retention Requirements

Tax Records: UK law requires 10-year retention of business transaction records

Legal Disputes: Data related to ongoing legal proceedings retained until resolution

Fraud Prevention: Security-related data may be retained longer for fraud prevention

Regulatory Requests: Data subject to regulatory investigation retained as required

10. Security Measures & Data Protection

We implement comprehensive technical and organizational measures to protect your personal data:

10.1 Technical Security Measures

  • Encryption: AES-256 encryption at rest, TLS 1.3+ in transit
  • Access Controls: Multi-factor authentication, role-based access, principle of least privilege
  • Infrastructure: Secure cloud hosting, regular security updates, network segmentation
  • Monitoring: 24/7 security monitoring, intrusion detection, log analysis
  • Backup Security: Encrypted backups, secure key management, tested recovery procedures

10.2 Organizational Security Measures

  • Staff Training: Regular data protection and security awareness training
  • Policies & Procedures: Comprehensive data protection policies and incident response plans
  • Vendor Management: Due diligence on third-party processors, contractual safeguards
  • Regular Audits: Internal audits, penetration testing, compliance assessments

10.3 Data Breach Response

Breach Notification Process

Detection & Assessment: 24-hour maximum detection, immediate risk assessment

ICO Notification: Within 72 hours of becoming aware (UK GDPR Article 33)

Individual Notification: Without undue delay if high risk to rights (UK GDPR Article 34)

Remediation: Immediate containment, investigation, and remediation measures

Communication: Clear, timely communication about nature of breach and protective measures

Security Limitations

No Absolute Security: No system is 100% secure. We implement industry best practices but cannot guarantee absolute security.

User Responsibility: You must maintain the security of your account credentials and report suspicious activity.

Third-Party Risk: Security depends partly on third-party services beyond our direct control.

11. Your Data Protection Rights (UK GDPR)

Under UK GDPR and Data Protection Act 2018, you have the following rights regarding your personal data:

11.1 Core Individual Rights

  • Right of Access (Article 15): Request copies of your personal data and processing information
  • Right to Rectification (Article 16): Correct inaccurate or incomplete personal data
  • Right to Erasure (Article 17): Request deletion of your personal data ("right to be forgotten")
  • Right to Restrict Processing (Article 18): Limit how we process your data in certain circumstances
  • Right to Data Portability (Article 20): Receive your data in machine-readable format
  • Right to Object (Article 21): Object to processing based on legitimate interests or direct marketing

11.2 Additional Rights

  • Consent Withdrawal: Withdraw consent at any time where processing is based on consent
  • Automated Decision-Making: Right not to be subject to solely automated decision-making
  • Lodge Complaints: Right to complain to the Information Commissioner's Office

11.3 Exercising Your Rights

How to Make a Request

Email: privacy@friendify.net with "Data Subject Request" in subject line

Required Information: Full name, account email, specific request type, identity verification

Response Time: 30 days maximum (may be extended to 60 days for complex requests)

No Fee: Generally free unless requests are manifestly unfounded or excessive

Identity Verification: We may request additional information to verify your identity

11.4 Right Limitations & Exceptions

When Rights May Be Limited

Legal Obligations: We cannot delete data we're legally required to retain (e.g., tax records)

Public Interest: Processing necessary for public interest or scientific research purposes

Legal Claims: Data needed for the establishment, exercise, or defense of legal claims

Freedom of Expression: Balancing privacy rights with freedom of expression and information

Contractual Necessity: Data essential for contract performance cannot be deleted while contract is active

12. Children's Privacy Protection

12.1 Age Restrictions & Verification

  • Minimum Age: 16 years (UK GDPR standard for information society services)
  • Parental Consent: Users aged 16-18 require verifiable parental consent
  • Age Verification: Self-declaration required during account creation
  • Enhanced Protection: Additional safeguards for users under 18

12.2 Child Data Protection Measures

  • No Targeted Advertising: Users under 18 excluded from behavioral advertising
  • Limited Profiling: Restricted data processing for users under 18
  • Enhanced Security: Additional security measures for minor accounts
  • Easy Deletion: Simplified account deletion process for minors

Parental Rights & Responsibilities

Access Rights: Parents can access and control their child's data (under 18)

Consent Management: Parents can withdraw consent and request data deletion

Monitoring Responsibility: Parents should monitor their child's online activity

Reporting: Report any concerns about child safety to support@friendify.net

13. Privacy Policy Updates & Changes

13.1 Amendment Process

  • Notice Period: 30 days advance notice for material changes affecting your rights
  • Notification Methods: Email notification, website banner, in-app notification
  • Version History: Previous versions archived and accessible
  • Continued Use: Continued service use after effective date constitutes acceptance

13.2 Material Change Definition

Material changes include:

  • New types of personal data collection
  • New third-party data sharing arrangements
  • Significant retention period changes
  • Changes to legal basis for processing
  • New international data transfers

Your Options for Policy Changes

Accept Changes: Continue using the service under new terms

Object to Changes: Contact us to discuss your concerns

Account Deletion: Delete your account before changes take effect

Data Export: Export your data before policy changes

14. Contact Information & Support

Data Protection Contacts

Data Protection Officer: privacy@friendify.net

General Privacy Inquiries: support@friendify.net

Data Subject Requests: privacy@friendify.net (Subject: "Data Subject Request")

Security Issues: security@friendify.net

Legal Notices: legal@friendify.net

Emergency Contact: +44 7851 497791 (business hours)

Company Details

Legal Entity: FRIENDIFY LTD

Company Registration: England and Wales, Number 16656938

Registered Office: 20 Wenlock Road, London, England, N1 7GU

ICO Registration: [To be completed upon business commencement]

Companies House: View Public Record

Response Time Commitments

General Inquiries: 3 business days

Data Subject Requests: 30 days (may extend to 60 days for complex requests)

Security Incidents: 24 hours acknowledgment

Breach Notifications: 72 hours to ICO, immediate to affected individuals if high risk

Regulatory Complaints

Information Commissioner's Office (ICO):

Website: ico.org.uk

Phone: 0303 123 1113

Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Note: We encourage you to contact us first to resolve any privacy concerns before filing a regulatory complaint.

Privacy Policy Acknowledgment

This Privacy Policy is effective as of the date stated above. By using our Service, you acknowledge that you have read and understood this Privacy Policy and consent to the processing of your personal data as described herein.

Document Version: 3.0 (UK GDPR Compliant)

Last Updated: 19 August 2025

Effective Date: 19 August 2025

Next Review: 19 February 2026

Compliance Framework: UK GDPR, Data Protection Act 2018, PECR

ICO Guidance: Based on latest ICO guidance and best practices