Bifrost icon

Last updated: 11 June 2026

Privacy Policy

1. Overview

Bifröst is a trading name of Bifrost Development Ltd("we", "us", "our"), a company registered in England & Wales (Company No. 17215135). We operate the bifrost.gg website and the Heimdall Discord bot. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

Bifrost Development Ltd is the data controller for the purposes of the UK GDPR and the Data Protection Act 2018.

This policy also applies to branded or "whitelabel" bot instances that run on the Heimdall platform and are operated by us on our infrastructure. Such bots may carry a different name and avatar, but they use the same Heimdall software and handle data exactly as described here. Where a customer supplies and owns the underlying Discord application for such an instance, that customer acts as a controller for their server's data and we act as a processor operating the bot on their behalf.

2. Data We Collect

When you use Heimdall or our website, we may collect:

  • Discord Data: Guild (server) IDs, user IDs, usernames, and avatar URLs — provided via Discord OAuth2 or bot interactions.
  • Message Content: Message content processed for modmail, tickets, automod, moderation logging, translation, and optional AI features. Messages are processed in real-time and stored when they are part of a ticket transcript or modmail conversation. Where a server enables message logging, recent message content is held in a temporary cache for up to 14 days so that moderators can see what a deleted or edited message said. Where automod matches a message, the matched snippet may be retained as part of the resulting infraction record, and optional AI features may retain short excerpts in their processing logs.
  • Minecraft Usernames: When users link their Minecraft accounts via the Minecraft integration plugin.
  • Tebex Transaction Data:Transaction IDs and purchase information read from Tebex's API when using the Tebex store management features. We only read and display this data for the server operator's convenience — we never process, hold, or facilitate the funds from a Minecraft store operator's sales. Those payments are handled entirely by Tebex.
  • Server Configuration: Plugin settings, automod rules, and bot configuration data for your Discord server.
  • Usage Analytics: Usage statistics and product telemetry to improve our services (see Third-Party Processors).

We do not collect presence data (online status or activity) and we do not read messages in channels Heimdall has not been configured to operate in.

3. How We Use Your Data

  • To provide and maintain the Heimdall bot and dashboard
  • To process modmail conversations and support tickets
  • To enforce automod rules and moderation actions
  • To link Discord accounts to Minecraft accounts
  • To manage Tebex store integrations
  • To authenticate users via Discord OAuth2
  • To process payments via our payment provider(s)
  • To improve our services and fix bugs

4. Legal Basis for Processing (UK GDPR)

Under Article 6 of the UK GDPR, we rely on the following lawful bases for processing your personal data:

  • Performance of a contract (Art. 6(1)(b)): to provide and maintain the Heimdall bot, dashboard, and account; to authenticate you via Discord OAuth2; and to process payments and manage your subscription.
  • Legitimate interests (Art. 6(1)(f)): to keep our services secure, prevent abuse and fraud, and to analyse anonymous usage statistics so we can improve our services. We balance these interests against your rights and freedoms.
  • Legal obligation (Art. 6(1)(c)): to comply with applicable laws, including responding to lawful requests and meeting accounting and tax requirements.
  • Consent (Art. 6(1)(a)): where we ask for it explicitly — for example, optional features you choose to enable. You may withdraw consent at any time.

5. Data Retention

We retain your data for as long as your server uses Heimdall. Specifically:

  • Server configuration: Retained until the bot is removed from your server or you request deletion.
  • Ticket transcripts: Retained for 90 days after ticket closure, unless configured otherwise.
  • Modmail conversations: Retained until manually deleted or the server removes the bot.
  • Infraction records: Retained until manually cleared by server staff.
  • Message content for automod: Processed in real-time. The matched snippet may be retained as part of an infraction record until that record is cleared.
  • Message logging cache: Where a server enables message logging, recent message content is cached for up to 14 days and then expires automatically.
  • AI feature logs: Optional AI features retain short message excerpts in processing logs for abuse prevention and debugging.

6. Data Deletion (GDPR Right to be Forgotten)

You have the right to request deletion of your personal data. To do so:

  • Contact us at hello@bifrost.gg with your Discord user ID and we will delete your user-specific data.
  • Server owners can remove the bot from their server, which will initiate an automatic cleanup of that server's data after a grace period.

We will process deletion requests within 30 days.

7. Discord OAuth Data

When you log in via Discord OAuth2 (on our website or dashboard), we request access to:

  • Your Discord user ID, username, avatar, and email address
  • Your Discord server memberships (to identify which servers you manage)

We do not post to your Discord account or read your private messages outside of Heimdall's configured channels.

8. Third-Party Processors

We use the following third-party services to operate:

  • MongoDB (self-hosted): Server configuration and user data are stored in MongoDB databases running on our own infrastructure.
  • Polar.sh: Checkout, billing, and subscription management for paid plans, acting as Merchant of Record. We do not store your full payment card details.
  • Cloudflare R2: Object storage for ticket transcripts and attachments.
  • OpenAI / OpenRouter: AI services for optional features such as AI-assisted moderation, support replies, summaries, and suggestion titles (content processed is not used for model training).
  • DeepL: Message translation, only for messages a user explicitly asks to translate or in channels where a server has enabled translation.
  • PostHog: Product analytics and telemetry used to improve our services.
  • Discord: Bot platform and OAuth2 provider.

9. Data Security

We implement industry-standard security measures including encrypted connections (TLS), secure database access controls, and regular security audits. All database storage is encrypted at rest (LUKS, AES). However, no method of transmission over the Internet is 100% secure.

10. Children's Privacy

Our services are not directed to individuals under 13. We do not knowingly collect personal information from children under 13. If you are under 13, please do not use our services.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of significant changes via our Discord server or email. Your continued use of the service after changes constitutes acceptance of the updated policy.

12. Contact

For questions about this Privacy Policy or data requests, contact us at:

hello@bifrost.gg

Bifrost Development Ltd
Registered in England & Wales · Company No. 17215135
Lytchett House, 13 Freeland Park, Wareham Road, Poole, Dorset, BH16 6FA