Privacy Policy

This Privacy Policy describes how Cordia ("we," "us," or "our") collects, uses, stores, and protects information when you use our platform, management portal, and related services (the "Service"). By using the Service, you agree to the practices described in this Policy.

1. Who We Are

Cordia is responsible for the personal information collected through this website and the management portal. For privacy inquiries, contact us at support@cordiaai.com. Cordia's subscribers (community owners and administrators) are responsible for the personal data of their community members that is processed through the Service. In those cases, Cordia processes such data only on the subscriber's behalf and at their direction, and not for any independent purpose.

2. Information We Collect

We collect the following categories of information to provide the Service:

• Account Information: When you authenticate via Discord OAuth, we receive your Discord user ID, username, and avatar. We do not receive your Discord password or email unless you explicitly provide it.
• Community and Configuration Data: Server settings, feature configurations, culture profiles, tolerance levels, and rules you configure within Cordia.
• Moderation Records: Warning histories, violation records, case notes, and moderation action logs for community members.
• Identity Links: Cross-platform identity mappings you create (e.g., Discord ID linked to a Steam ID or other game account identifier).
• Infrastructure Credentials: RCON passwords, API keys for third-party platforms (Google Workspace, social media, etc.), and other connection credentials you provide. All credentials are encrypted at rest using AES-256-CBC encryption.
• AI Interaction Data: Messages sent through the AI channels and conversation history retained per community, used solely to provide contextual AI responses within your community.
• Usage and Technical Data: Server logs, error reports, API call records, and usage metrics used to operate and improve the Service.
• Payment Information: We use Stripe to process payments. We do not store your full payment card details. Stripe's privacy policy governs the handling of your payment information.

3. Google Workspace Data

If you choose to connect a Google Workspace account to Cordia, we access the following Google data on your behalf:

• Gmail: read, send, reply, forward, archive, trash, and label email messages and threads.
• Google Calendar: read and create calendar events.
• Google Drive: read and create documents.
• Google Sheets: read, write, and append spreadsheet data.

Google Workspace data is accessed solely to perform actions you or Cordia directs on your behalf. Your Google data is never used to train AI models, shared with other Cordia subscribers, or used for any purpose other than carrying out the specific task requested within your own account. OAuth tokens are stored encrypted and are automatically refreshed. You may revoke Cordia's access to your Google account at any time through your Google account settings. Revoking access will disable Google Workspace features within Cordia. Use of Google Workspace integrations is also governed by Google's Terms of Service and Privacy Policy.

4. How We Use Your Information

We use the information we collect to:

• Provide, operate, and improve the Service.
• Authenticate your identity and manage your account.
• Execute AI-driven moderation, automation, and management actions at your direction.
• Store and apply the culture profile and rules you configure for your community.
• Send transactional communications such as subscription confirmations, billing receipts, and service notices.
• Detect and prevent abuse, fraud, or violations of our Terms of Service.
• Comply with applicable legal obligations.

We do not use your data for advertising, sell your data to third parties, or share your community's data with other Cordia subscribers.

4a. AI Processing of File and Account Content

When you direct Cordia to read or act on content from connected integrations (such as files, emails, documents, or repositories), that content is transmitted through Cordia's infrastructure to the AI provider configured for your instance:

• BYOAK (your own API key): Content is transmitted to your own AI provider account. Your provider's privacy policy and terms govern how they handle that content. Cordia does not control and assumes no liability for your provider's data practices.
• Non-BYOAK (Cordia's default infrastructure): Content is transmitted to Cordia's designated AI provider (currently Groq) solely to fulfill your request. Content is not stored, used for training, or retained beyond the active request.

In all cases, Cordia does not retain file or account content beyond the duration of the active session. You are responsible for ensuring that any content you direct Cordia to process complies with applicable confidentiality, privilege, or regulatory obligations.

5. Organizational Isolation

Each subscriber's data is strictly isolated. Your community's moderation history, AI conversation data, culture profile, and configuration are never accessible to other subscribers. Cordia's AI processes your community's data within the scope of your own instance only. No message content, member identifiers, or community-specific data is shared between organizations.

6. Per-Community Learning

Cordia supports a learning mechanism ("Learning Loop") through which administrators can correct or refine Cordia's understanding of their community. These corrections (for example, "our community is gaming-focused" or "the cooldown for this rule should be 2 hours") are stored and applied only within your own community's configuration. Corrections are not shared with other communities, used to train global AI models, or applied outside your own instance. No private message content or personally identifiable member information is included in these corrections.

7. Third-Party Service Providers

We share data with the following trusted third-party providers solely as necessary to operate the Service:

• Stripe — Payment processing. Stripe's privacy policy applies to payment data.
• Cloudflare — Website hosting, CDN, edge security, and web analytics. Cloudflare's analytics are cookieless and do not track individual users.
• Hetzner — Cloud infrastructure and VPS hosting for subscriber instances.
• Groq — AI inference provider used as a fallback when no subscriber-provided API key is configured.
• OpenAI, Together.ai — Optional AI inference providers accessed via your own API key (BYOAK only). We do not share data with these providers unless you have configured your own key.
• Discord — Authentication and community management integration. Discord's privacy policy governs data processed through their platform.

We do not sell, rent, or trade your data to any third party for marketing or advertising purposes.

8. Data Retention

• Active subscriptions: Data is retained for the duration of your subscription plus 30 days following cancellation or termination.
• After cancellation: Your organizational data is deleted within 30 days of subscription end, unless you request earlier deletion.
• Moderation records: Retained for the duration of your subscription. You may request deletion of individual records at any time.
• Backups: Encrypted backups may be retained for up to 90 days for disaster recovery purposes.
• Legal holds: We may retain certain data longer than the above periods if required by law or to resolve active disputes.

9. Your Rights

You have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your personal data. Submit a request via our support Discord or at support@cordiaai.com and we will process it within 30 days.
• Portability: Request your data in a structured, machine-readable format.
• California Residents (CCPA): You have the right to know what personal information we collect, to request deletion, and to opt out of the sale of your data. We do not sell personal information.

To exercise any of these rights, contact us at support@cordiaai.com. We will respond within 30 days.

10. Security

We implement industry-standard security measures to protect your data, including:

• AES-256-CBC encryption for all credentials and sensitive configuration data stored at rest.
• HTTPS/TLS encryption for all data in transit.
• Access controls limiting data access to authorized personnel only.
• Stripe's certified payment security for all billing transactions.

No method of transmission or storage is 100% secure. While we take every reasonable precaution, we cannot guarantee absolute security. In the event of a data breach that affects your personal data, we will notify affected subscribers within 45 days of discovery, as required under Ohio law, and will cooperate with any applicable regulatory requirements.

11. Children's Privacy

The Service is not directed to children under the age of 13. In compliance with the Children's Online Privacy Protection Act (COPPA), we do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it promptly. If you believe we have inadvertently collected data from a child, please contact us at support@cordiaai.com.

12. Website Analytics

Our public website (cordiaai.com) uses Cloudflare Web Analytics, a cookieless, privacy-first analytics solution. It does not use cookies, does not track individual users across sessions, and does not collect personally identifiable information. No data is sold to or shared with advertising networks.

13. Cookies and Session Technologies

The management portal uses session cookies solely to maintain your authenticated login state after you sign in via Discord OAuth. These cookies are strictly necessary for the portal to function and are not used for advertising, tracking, or analytics. Our public website (cordiaai.com) does not use tracking or advertising cookies. We do not currently respond to browser "Do Not Track" (DNT) signals, as we do not engage in the cross-site tracking that such signals are designed to prevent.

14. Governing Law

This Privacy Policy is governed by the laws of the State of Ohio. The Service is intended for use by residents of the United States only. If you are located outside the United States, do not use the Service.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last Updated" date and, where feasible, notify active subscribers. Your continued use of the Service after changes take effect constitutes your acceptance of the revised Policy.

16. Contact

For privacy inquiries, data requests, or concerns, contact us at support@cordiaai.com or open a ticket in our official support Discord.