Privacy Policy
Last updated: June 11, 2026
1. Who We Are
This Privacy Policy applies to Vyndexo, a digital agency operated by independent self-contractors collectively trading as Vyndexo, based in Brussels, Belgium. We build and deliver custom websites, AI tools, Discord bots, event services, business video, AI creative content, Vyndexo Studio (a SaaS prompt-generation platform), and Vyndexo ScamGuard (an automated Discord moderation service).
Data controller contact:
Vyndexo
Brussels, Belgium
Email: contact@vyndexo.com
Website: https://vyndexo.com
We do not have a designated Data Protection Officer (DPO) as we do not meet the thresholds under Article 37 GDPR that mandate the appointment of a DPO. However, you can address all data-related requests to the contact above and we will respond within the statutory deadline.
2. Scope and Legal Framework
This policy is issued in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR"), the Belgian Act of 30 July 2018 on the protection of natural persons with regard to the processing of personal data, and the Belgian Act of 13 June 2005 on electronic communications (as amended). It applies to all personal data we process in connection with our website, our services, Vyndexo Studio, and Vyndexo ScamGuard.
3. Personal Data We Collect
We collect personal data in the following situations:
3.1 Contact & Project Enquiries
- Name and email address (mandatory to respond)
- Company name, project description, and budget range (provided voluntarily)
- Message content submitted via our contact form
3.2 Vyndexo Studio (SaaS Platform)
- Account credentials: email address, hashed password
- Billing information: processed exclusively by Stripe (we do not store card numbers or full payment details)
- Subscription tier and transaction history
- Prompts created, saved, or exported through the platform
- Usage metadata: feature interactions, session timestamps, tier upgrade/downgrade events
3.3 Website Analytics & Technical Data
- IP address (anonymised where technically feasible)
- Browser type, operating system, referring URL
- Pages visited, time on page, click events
- Cookies (see our Cookie Policy for full details)
3.4 Discord Community & Bots
- Discord user ID, username, and server membership data (accessible via Discord API)
- Bot command inputs and interaction logs for troubleshooting and service delivery
3.5 Vyndexo ScamGuard (Discord Moderation Bot)
ScamGuard is an automated Discord moderation service that detects scam attempts, phishing links, impersonation, and prohibited content in real time. When installed in a Discord server by an administrator, ScamGuard reads messages in channels it has been granted permission to access and evaluates them in memory against scam indicators. Message content is processed transiently and is not stored.
ScamGuard persists only the minimum data required to operate the service:
- Per-guild configuration: guild (server) ID, log channel ID, exempt role IDs, mod role IDs, and feature toggles set by the server administrator
- Banned-domain and banned-image-hash lists: entries added by your moderators (perceptual hashes of images, no raw images stored)
- Offender ledger: for users that triggered a moderation action — user ID, guild ID, action taken (warned / kicked / banned), and a short reason string
- Action audit log: guild ID, user ID, user tag at time of action, action type, short reason, and number of messages deleted by the action — used to power the moderator dashboard history feed
- Global ban list: Discord user IDs flagged across servers as known scammers/raiders, with the reason and originating guild
- Subscription status: guild ID, plan, billing status, expiry
- Dashboard sessions: Discord user ID + OAuth tokens of administrators who log into the moderator dashboard
ScamGuard does not store the text or attachments of scanned messages, does not read messages in channels it lacks permission to access, does not process voice traffic, and does not use server messages to train AI models.
For borderline cases, ScamGuard may send a minimised text snippet (typically the URL and surrounding phrase) to Google's Gemini API for classification. These snippets are subject to Google's Gemini API terms, under which API inputs are not used to train Google's general models, and are not persisted by Vyndexo after the classification call returns.
3.6 Data We Do Not Collect
We do not knowingly collect special categories of personal data (Article 9 GDPR), including health data, racial or ethnic origin, political opinions, religious beliefs, biometric data, or data concerning sexual orientation. We do not knowingly collect data from children under the age of 16. If we become aware that data from a minor has been submitted without appropriate consent, we will delete it promptly.
4. Purposes and Legal Bases
The GDPR requires us to identify a lawful basis for each processing activity. The table below documents our purposes and the applicable legal bases under Article 6 GDPR.
| Processing activity | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Responding to contact form submissions | Pre-contractual communication; answering enquiries | Art. 6(1)(b) — necessary to take steps at the request of the data subject prior to entering a contract |
| Vyndexo Studio account creation and management | Providing the SaaS service; managing subscriptions | Art. 6(1)(b) — performance of a contract |
| Processing Stripe payments | Billing for paid Studio tiers; invoicing | Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — compliance with legal obligation (VAT records, accounting) |
| Sending transactional emails (account confirmation, subscription receipts) | Service delivery and account communication | Art. 6(1)(b) — performance of a contract |
| Website analytics | Understanding site performance; improving user experience | Art. 6(1)(f) — legitimate interests (subject to opt-out; does not override your rights) |
| Discord bot operation and logs | Providing bot functionality; debugging and abuse prevention | Art. 6(1)(b) — performance of a contract; Art. 6(1)(f) — legitimate interests (security) |
| Vyndexo ScamGuard message scanning and moderation | Detecting scams, phishing, impersonation and prohibited content in Discord servers that have installed the bot; protecting community members from fraud and abuse | Art. 6(1)(f) — legitimate interests of the server operator and members in a safe community (balancing test on file); Art. 6(1)(b) where ScamGuard is provided under a paid contract to the server operator |
| AI inference via Google Gemini API (Studio prompts and ScamGuard scam scoring) | Generating prompts in Vyndexo Studio; classifying borderline messages as scam vs. legitimate in ScamGuard | Art. 6(1)(b) — performance of a contract (Studio); Art. 6(1)(f) — legitimate interests in fraud prevention (ScamGuard) |
| Compliance with legal obligations | Accounting records, tax obligations under Belgian law, responding to lawful authority requests | Art. 6(1)(c) — compliance with a legal obligation |
| Marketing communications (where you have opted in) | Sending project updates, product announcements, or newsletters | Art. 6(1)(a) — consent (freely given, specific, informed, unambiguous; withdrawable at any time) |
Where we rely on legitimate interests (Article 6(1)(f)), we have conducted a balancing test and determined that our interests are not overridden by your interests, fundamental rights, or freedoms. You can request a copy of our legitimate interest assessment by contacting us.
5. Data Retention
We retain personal data only as long as necessary for the purpose for which it was collected, or as required by law.
| Data category | Retention period | Rationale |
|---|---|---|
| Contact form enquiries (no contract concluded) | 12 months | Reasonable follow-up window; deleted thereafter |
| Client project data and correspondence | Duration of contract + 5 years | Belgian civil law prescription period (Article 2262bis Belgian Civil Code) |
| Vyndexo Studio account data (active accounts) | For the life of the account | Required for service delivery |
| Vyndexo Studio account data (closed accounts) | 90 days post-closure, then deleted | Grace period for reactivation; billing records retained per tax law |
| Payment and billing records (Stripe) | 7 years | Belgian accounting law (Royal Decree of 29 April 2019); VAT obligations |
| Website analytics logs | Up to 13 months (rolling) | Industry standard for year-on-year comparison; anonymised thereafter |
| Discord bot interaction logs | 30 days | Debugging and security; purged automatically |
| ScamGuard — message content | Not stored | Evaluated in memory only; discarded immediately after scoring |
| ScamGuard — action audit log (offender ledger, bot_actions, banned hashes/domains) | For the life of the guild installation | Required for moderator review, repeat-offender detection, and the dashboard history feed. Server administrators can delete entries at any time from the dashboard. |
| ScamGuard — global ban list (cross-server known scammers) | Indefinite until the user is delisted by a moderator | Required for cross-server scam prevention; subject to deletion requests |
| ScamGuard — guild configuration data | For the life of the installation + 30 days post-uninstall | Required to operate the service; brief grace period for reinstallation |
| ScamGuard — dashboard sessions | Until session expiry (set by the OAuth token TTL) | Required for moderator dashboard authentication |
6. Cookies
We use cookies and similar technologies on our website. Please refer to our Cookie Policy for a complete breakdown of which cookies we use, why, and how to manage them.
7. Third Parties and Data Processors
We engage the following third-party processors and service providers. All processors are bound by data processing agreements (DPAs) and, where applicable, Standard Contractual Clauses (SCCs) for international transfers.
| Third party | Role | Data shared | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing for Vyndexo Studio subscriptions | Name, email, billing address, payment card data (held by Stripe only) | USA (EU SCCs in place; Stripe is PCI-DSS Level 1 certified) |
| Discord, Inc. | Platform for Discord bot deployment and community management; ScamGuard operates as a Discord application | Discord user IDs, server data, bot interaction data, ScamGuard moderation activity | USA (EU SCCs in place; subject to Discord's own Privacy Policy) |
| Google LLC (Gemini API) | AI inference for Vyndexo Studio prompt generation and Vyndexo ScamGuard scam scoring | Minimised text snippets sent for inference (user prompts in Studio; flagged URLs and short surrounding context in ScamGuard). Not used to train Google's general models per the Gemini API terms. | USA / EU (EU SCCs in place; processed under Google Cloud's Data Processing Addendum) |
| Hosting / Infrastructure provider | Web hosting and database storage | All data stored on our platform | EU (we operate on EU-based infrastructure wherever possible) |
| Email delivery provider | Transactional email (account confirmations, receipts) | Recipient email address, email content | EU or USA (SCCs in place) |
We do not sell, rent, or trade personal data with third parties for their own marketing purposes. We do not use advertising networks or retargeting services. We do not share personal data with third parties beyond what is necessary to deliver our services.
8. International Data Transfers
Some of our third-party service providers (particularly Stripe, Discord, and Google) are based in the United States. Transfers of personal data to the USA are governed by Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), which provide appropriate safeguards for your data rights. You may request a copy of the applicable transfer mechanisms by contacting us.
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. We will respond to all valid requests within 30 calendar days of receipt (extendable by a further 60 days for complex requests, with notice given to you).
- Right of access (Art. 15): You may request a copy of the personal data we hold about you and information about how it is processed.
- Right to rectification (Art. 16): You may ask us to correct inaccurate or incomplete personal data without undue delay.
- Right to erasure / "right to be forgotten" (Art. 17): You may request deletion of your personal data where there is no compelling reason for its continued processing. This right is subject to exemptions (e.g., data required for legal compliance or the establishment, exercise, or defence of legal claims).
- Right to restriction of processing (Art. 18): You may ask us to restrict processing of your data in certain circumstances (e.g., while a rectification request is assessed).
- Right to data portability (Art. 20): Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to object (Art. 21): You may object at any time to processing based on legitimate interests (Art. 6(1)(f)). We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
- Right not to be subject to solely automated decision-making (Art. 22): We do not make decisions that produce legal or similarly significant effects based solely on automated processing.
To exercise any of these rights, contact us at contact@vyndexo.com. We may ask you to verify your identity before processing the request. There is no charge for exercising your rights unless requests are manifestly unfounded or excessive (in which case we may charge a reasonable fee or refuse, with explanation).
10. Right to Lodge a Complaint
If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the competent supervisory authority. In Belgium, this is:
Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Rue de la Presse 35, 1000 Brussels
Website: www.dataprotectionauthority.be
Email: contact@apd-gba.be
We would nonetheless appreciate the opportunity to address your concerns directly before you escalate to the supervisory authority.
11. Security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:
- HTTPS/TLS encryption for all data in transit
- Encryption at rest for sensitive stored data
- Password hashing using industry-standard algorithms (bcrypt or equivalent)
- Access controls limited to personnel who require data for their specific function
- Regular security reviews of infrastructure and dependencies
- Use of PCI-DSS compliant Stripe for all payment processing (we never handle raw card data)
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the GBA/APD within 72 hours of becoming aware of the breach, and we will notify affected individuals without undue delay where the breach is likely to result in high risk.
12. Children's Data
Our services are directed at individuals aged 16 and over. We do not knowingly process personal data of children under 16 without verifiable parental consent, as required by Article 8 GDPR and the Belgian implementing legislation. If you believe we hold data relating to a child under 16, please contact us immediately and we will take prompt action.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify Vyndexo Studio users by email. We encourage you to review this page periodically. Continued use of our services after a policy update constitutes acceptance of the revised policy.
14. Contact
For any questions about this Privacy Policy, to exercise your data subject rights, or to report a concern, please contact us at:
Vyndexo
Brussels, Belgium
contact@vyndexo.com