1. Introduction
Welcome to Disfora ("we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at disfora.com ("Website") and use our embeddable commenting platform and related services (collectively, the "Service"). Please read this policy carefully. By using the Service, you consent to the data practices described here.
2. Data controller
Disfora is the data controller responsible for your personal data. If you have questions about how your data is processed, contact us at [email protected].
3. Data we collect
We collect the following categories of personal data:
3.1 Account data. When you register for an account, we collect your email address, username, first name, last name, and a hashed version of your password.
3.2 Payment data. When you subscribe to a paid plan, our payment processor collects your payment card details, billing address, and transaction history. We do not store any card details on our servers. All payment information is handled entirely by our PCI-compliant payment processor. We only receive tokenized references and transaction confirmations.
3.3 Content data. Comments, ratings, votes, and other content you submit through the Service, along with associated metadata (timestamps, page URLs, parent comment references).
3.4 Technical data. Like most websites, our servers generate standard logs (such as request timestamps and error reports) needed to operate and secure the Service. We do not run third-party advertising or analytics trackers, and our embeddable widget does not track your visitors across sites. Where a spam check is required (for example, on the contact form), your IP address may be passed transiently to our anti-abuse provider to verify the request - we do not store it.
3.5 Usage data. Records of actions taken through the Service (comments posted, votes cast) that are needed to operate it. We do not build advertising profiles or track behavior across third-party sites.
3.6 Communication data. Records of correspondence when you contact us for support, including your name, email, and the content of your messages.
4. How we use your data
We use your personal data for the following purposes:
- Provide and maintain the Service - creating accounts, authenticating users, displaying comments, calculating reputation scores (Clout), and processing payments.
- Process transactions - managing subscriptions, issuing invoices, handling refunds, and preventing fraudulent transactions.
- Communicate with you - sending transactional emails (account verification, password resets, billing receipts, subscription changes), and responding to support inquiries.
- Maintain security - detecting abuse, enforcing rate limits, preventing spam, and protecting the integrity of the platform.
- Improve the Service - using error reports and aggregate, non-identifying signals to fix bugs, improve performance, and develop new features. We do not profile individual users for this purpose.
- Comply with legal obligations - responding to lawful requests from public authorities and meeting regulatory requirements.
We do not use your personal data for automated decision-making or profiling that produces legal effects. We do not sell your data to third parties. We do not serve advertisements.
5. Legal basis for processing
We process personal data under one or more of the following legal bases:
- Contract performance - processing necessary to provide the Service you have subscribed to.
- Legitimate interests - processing necessary for our legitimate interests (security, fraud prevention, service improvement), except where your interests or fundamental rights and freedoms override those interests.
- Consent - where you have given explicit consent (e.g., marketing communications). You may withdraw consent at any time.
- Legal obligation - processing necessary to comply with applicable laws.
6. Data sharing and third parties
We share personal data only when necessary to operate the Service. The sub-processors we currently rely on are:
- Payments - Dodo Payments. Handles billing and subscriptions. Receives the data necessary to process your payment and is bound by its own privacy policy and PCI DSS obligations. We do not store card details.
- Sign-in - Google OAuth. If you choose to sign in with Google, Google provides us your basic profile (name, email, profile picture) so we can create or link your account.
- Anti-abuse - Cloudflare Turnstile. Used to verify form submissions are not automated. Receives a verification token and your IP address transiently for the check.
- Email delivery. Transactional emails (verification, password resets, receipts, notifications) are sent through a third-party email provider (Brevo or Resend).
- Hosting & CDN. We use cloud hosting and content-delivery providers to run the Service. Data is processed on our behalf under data processing agreements.
- Legal compliance - we may disclose data if required by law, subpoena, court order, or government request.
- Business transfers - in the event of a merger, acquisition, or sale of assets, personal data may be transferred to the successor entity.
We do not share data with advertisers or data brokers, and we do not sell your data. Public content (comments, usernames, Clout scores) is visible to other users of the Service by design.
7. Cookies and tracking
We use cookies and similar technologies as follows:
- Authentication cookies - httpOnly cookies that maintain your login session. These are essential for the Service to function and cannot be disabled.
- CNAME-based cookies - for sites using the embedded widget, authentication cookies are set on a subdomain of the site owner's domain (e.g., comments.example.com) that points to us via a DNS CNAME record. The browser therefore treats them as first-party cookies of the site you are visiting rather than as third-party cookies.
We do not use third-party advertising cookies, tracking pixels, or analytics cookies - on this website or in the embeddable widget - and we do not participate in cross-site tracking. Because the only cookies we set are strictly necessary to provide the Service, no cookie-consent banner is required.
8. Data retention
We retain personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy. Specifically:
- Account data - retained until you delete your account.
- Payment records - retained for as long as required to comply with tax and accounting regulations.
- Comments, ratings, and content - retained for as long as the associated project exists. When content is soft-deleted by a user or moderator, it remains in our systems for the life of the project to maintain the integrity of discussion threads and reputation scores. When a user deletes their account, we remove the association between their identity and their content, but the content itself remains.
- Project data - when a Project Owner deletes a project, all data associated with that project (comments, ratings, configurations, domains) is permanently removed.
When you request account deletion, we remove your personal identity data and disassociate your content. Any projects you own will also be permanently deleted, along with all associated project data. This action is irreversible.
9. Your privacy rights
Depending on where you live (including under the EU/UK GDPR), you have rights over your personal data. We honor these rights regardless of location:
- Access - request a copy of the personal data we hold about you. Email us and we will respond within the timeframe required by law (generally 30 days).
- Rectification - correct inaccurate data. You can edit most profile data directly in your account, or ask us to fix the rest.
- Erasure - delete your account at any time from your account settings. This removes your personal identity data, disassociates your content, and permanently deletes any projects you own.
- Objection & restriction - object to or ask us to restrict certain processing based on our legitimate interests.
- Portability - request your data in a portable format.
- Withdraw consent - where we rely on consent, withdraw it at any time without affecting prior processing.
- Complain - lodge a complaint with your local data protection authority.
To exercise any of these rights, email [email protected]. We may need to verify your identity before acting on a request.
10. Data security
We implement appropriate technical and organizational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest for sensitive data.
- Password hashing using bcrypt with appropriate cost factors.
- Token-based authentication with automatic rotation and replay detection.
- Access controls that limit data access to authorized personnel.
- Regular security reviews and dependency updates.
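The phrase "automatic rotation and replay detection" above describes a standard refresh-token scheme: every refresh returns a new token, the old one is marked used, and if a used token is ever presented again the whole chain of tokens descended from that login is revoked, since the server cannot tell a lost response from a stolen token. The following is an added illustration of that scheme, not Disfora's code (the page does not describe its implementation); the in-memory store, the one-hour lifetime, the "family" grouping, and the SHA-256 storage of token digests are all assumptions made for the example.

```python
"""Refresh-token rotation with replay detection (illustrative, not Disfora's code).

Assumptions: tokens are random opaque strings; only their SHA-256 digest is
stored; all tokens issued from one login share a "family" id; presenting an
already-rotated token revokes the entire family.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class AuthError(Exception):
    """Raised when a token is rejected; the message says why."""


@dataclass
class TokenRecord:
    family: str          # shared by every token descended from one login
    user: str
    expires_at: float    # unix time
    used: bool = False   # set once the token has been rotated


@dataclass
class TokenStore:
    # Keyed by digest so a leaked table does not yield usable tokens.
    by_digest: Dict[str, TokenRecord] = field(default_factory=dict)
    revoked_families: Set[str] = field(default_factory=set)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str, family: Optional[str] = None,
              ttl: float = 3600.0, now: Optional[float] = None) -> str:
        """Mint a fresh token; a new family is started when none is given (login)."""
        now = time.time() if now is None else now
        family = family or secrets.token_hex(8)
        token = secrets.token_urlsafe(32)
        self.by_digest[self._digest(token)] = TokenRecord(family, user, now + ttl)
        return token

    def rotate(self, token: str, now: Optional[float] = None) -> str:
        """Exchange a valid token for a new one in the same family."""
        now = time.time() if now is None else now
        rec = self.by_digest.get(self._digest(token))
        if rec is None:
            raise AuthError("unknown token")
        if rec.family in self.revoked_families:
            raise AuthError("token family revoked")
        if rec.used:
            # Replay: this token was already exchanged. Either the client lost
            # the previous response or the token was stolen; we cannot tell
            # which, so the whole family is revoked and a fresh login is forced.
            self.revoked_families.add(rec.family)
            raise AuthError("token replay detected; family revoked")
        if now >= rec.expires_at:
            raise AuthError("token expired")
        rec.used = True
        return self.issue(rec.user, rec.family, now=now)


def demo() -> List[str]:
    """Scripted scenario: one legitimate refresh, then a replay of the old token."""
    store = TokenStore()
    log: List[str] = []
    t1 = store.issue("alice", now=1000.0)        # login
    t2 = store.rotate(t1, now=1001.0)            # normal refresh
    log.append("rotated" if t2 != t1 else "same")
    # An attacker (or a confused client) replays t1, then the legitimate
    # client tries to use t2: both must now be refused.
    for tok, when in ((t1, 1002.0), (t2, 1003.0)):
        try:
            store.rotate(tok, now=when)
            log.append("accepted")
        except AuthError as err:
            log.append(str(err))
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ordering of the checks matters: the replay test runs before the expiry test so that a stolen token that has since expired still triggers family revocation rather than a bland "expired" error.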
No system is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a breach affecting your data, we will notify you and relevant authorities as required by applicable law.
11. Children and the Service
Disfora has two sides: Project Owners who pay to embed our widget on their websites, and end users who browse those websites and may choose to create accounts and comment. We do not restrict account creation by age. Users of all ages may create accounts and participate in discussions on websites that use Disfora.
Project Owners are responsible for ensuring their websites comply with applicable laws regarding minors, including COPPA where relevant. We reserve the right to remove any content or data that we believe is intended to harm or exploit children.
12. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where appropriate, notify you by email or through a notice on the Website. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
13. Contact us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:
Email: [email protected]