Privacy Policy
Last updated: May 12, 2026
1. Data Controller
Kaiju ("Company," "we," "us," or "our") is the data controller responsible for the processing of personal data described in this policy.
This policy applies to all individuals whose personal data we process, including:
- Platform users — administrators, project managers, and other individuals who register for and log into the Service
- Data subjects / contributors — individuals whose publicly available social media activity, usernames, and content are collected and analyzed by the Service, regardless of whether they have a Kaiju account
2. Categories of Personal Data We Process
2.1 Data provided directly by platform users
- Account credentials — usernames, access codes, and session tokens
- Project configurations — scoring weights, tier thresholds, role mappings, and feature settings
- Imported data — contributor handles, platform identifiers, and profile information uploaded via bulk import or manual entry
2.2 Data collected from publicly available sources (Article 14 GDPR)
We collect personal data about contributors from publicly accessible third-party platforms. This data is not obtained directly from the data subjects. Sources and categories include:
- X/Twitter — public profile data (username, display name, bio, avatar, follower/following counts), public tweets and replies, engagement metrics (likes, retweets, impressions, views), and account creation date
- Discord — usernames, message content in monitored public channels within servers that have installed the Kaiju bot, and activity timestamps
- GitHub — public repository data, commit history, contributor usernames, and repository metadata
- Third-party quality providers — account quality scores and authenticity signals from Wallchain
2.3 Data generated by the Service (derived data)
- Contributor scores — overall scores, component breakdowns (Discord activity, X engagement, account quality), and tier assignments (Diamond, Gold, Silver, Bronze)
- Content quality assessments — AI-generated scores for originality, insight, relevance, and thought depth of individual posts
- Cross-platform identity links — associations between a contributor's accounts across X, Discord, and GitHub
2.4 Automatically collected technical data
- Server logs — HTTP method, URL path, status code, response time, and timestamp (retained 90 days)
- Session cookie — a single HTTP-only cookie (kaiju_session) for authentication; no tracking or advertising cookies are used
- Preference cookies — with your consent, we store a cookie consent flag (kaiju_consent, 1 year) and optionally your X handle (xb_handle, 90 days) so you don't need to re-enter it on X Buddies. You can opt out at any time by unchecking "Remember my handle" or clearing your browser cookies
3. Purposes and Lawful Bases for Processing
Under Article 6 of the GDPR, we process personal data on the following lawful bases:
| Purpose | Lawful basis | Data subjects affected |
|---|---|---|
| Generating contributor scores, rankings, and tier assignments | Legitimate interest (Art. 6(1)(f)) | Contributors |
| AI-based content quality analysis of public posts | Legitimate interest (Art. 6(1)(f)) | Contributors |
| Account quality and authenticity analysis | Legitimate interest (Art. 6(1)(f)) | Contributors |
| Cross-platform identity resolution | Legitimate interest (Art. 6(1)(f)) | Contributors |
| Discord role management based on tiers | Legitimate interest (Art. 6(1)(f)) | Contributors |
| User authentication and session management | Contract performance (Art. 6(1)(b)) | Platform users |
| Service monitoring, security, and error diagnosis | Legitimate interest (Art. 6(1)(f)) | All |
| Responding to data subject rights requests | Legal obligation (Art. 6(1)(c)) | All |
Legitimate Interest Assessment
Where we rely on legitimate interest, we have conducted a balancing test weighing our interests (and those of the crypto projects we serve) against the rights and freedoms of data subjects. Key factors considered:
- Nature of data: We process only data that individuals have chosen to make publicly accessible on social media platforms. Contributors have a reduced expectation of privacy for content they have published publicly.
- Purpose: Scoring exists to recognize and reward genuine community contributors. The processing benefits data subjects by surfacing quality contributions that might otherwise go unnoticed.
- Safeguards: Data subjects may object to processing and request deletion at any time via our Data Subject Rights portal. Scores are informational and do not produce legal effects.
4. Automated Decision-Making and Profiling (Article 22 GDPR)
The Service uses automated processing to generate contributor scores and assign tier rankings (Diamond, Gold, Silver, Bronze). This constitutes profiling as defined by Article 4(4) GDPR.
How profiling works
Contributor scores are computed from three weighted dimensions:
- Discord activity (message frequency, recency)
- X/Twitter engagement (likes, retweets, impressions, AI content quality analysis)
- Account quality (third-party authenticity signals)
AI content analysis is performed by large language models (Google Gemini, with OpenRouter as fallback) that evaluate individual posts on originality, insight, relevance, and thought depth. Up to 25 posts are sampled per contributor.
Effects of profiling
Tier assignments may result in:
- Automatic assignment or removal of Discord server roles (when enabled by the project)
- Visibility on public or private leaderboards
- Eligibility for community rewards or recognition programs operated by individual projects
We do not consider these effects to produce legal effects or similarly significant effects within the meaning of Article 22(1) GDPR. However, we provide all data subjects the right to:
- Obtain an explanation of how their score was calculated
- Request human review of any automated decision
- Contest the result and express their point of view
- Object to profiling entirely and request deletion of all derived scores
To exercise these rights, visit our Data Subject Rights portal.
5. Recipients and Sub-Processors
We share personal data with the following categories of recipients:
| Recipient | Purpose | Location |
|---|---|---|
| Railway (cloud hosting) | Application and database hosting | United States |
| Google (Gemini API) | AI content quality analysis | United States |
| OpenRouter | AI content quality analysis (fallback) | United States |
| Wallchain | Account quality and authenticity scoring | United States |
| twitterapi.io | X/Twitter post and profile data retrieval | United States |
| Project administrators | Viewing contributor scores, profiles, and analytics | Various |
Projects may enable public leaderboards that display contributor usernames, scores, and tier rankings without requiring authentication. We do not sell personal data to any third party.
6. International Data Transfers
The Service is hosted in the United States. If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, your personal data is transferred to the United States for processing.
We rely on the following transfer mechanisms as applicable:
- EU-U.S. Data Privacy Framework — where sub-processors are certified participants
- Standard Contractual Clauses (SCCs) — approved by the European Commission, incorporated into our Data Processing Agreements with sub-processors
You may request a copy of the relevant transfer safeguards by contacting dpo@kaiju.gg.
7. Data Retention
| Data category | Retention period |
|---|---|
| Contributor profiles, scores, and tier history | Duration of the project's active status on the Service, plus 30 days |
| AI content quality assessments (individual post scores) | Duration of the project's active status on the Service, plus 30 days |
| Platform user accounts | Account lifetime plus 30 days after deletion |
| Server request logs | 90 days |
| Session tokens | 24 hours (auto-expired) |
| Data subject rights request records | 3 years (to demonstrate compliance) |
Upon receiving a valid deletion request, we will erase the data subject's personal data within 30 days, except where retention is required by law or to establish, exercise, or defend legal claims.
8. Data Security
We implement appropriate technical and organizational measures to protect personal data against unauthorized access, alteration, disclosure, or destruction, including:
- Encrypted database connections (TLS/SSL) and encrypted data at rest
- HTTP-only, Secure, SameSite session cookies
- Role-based access control with per-project permissions and session expiration
- Constant-time comparison for authentication tokens (protection against timing attacks)
- Request logging and anomaly monitoring
No method of electronic transmission or storage is completely secure. While we strive to protect personal data, we cannot guarantee absolute security. We will notify affected data subjects and relevant supervisory authorities of any personal data breach within 72 hours of discovery, as required by Article 33 GDPR.
9. Your Rights Under GDPR
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the GDPR:
- Right of access (Art. 15) — obtain confirmation of whether we process your data and request a copy
- Right to rectification (Art. 16) — correct inaccurate or incomplete personal data
- Right to erasure (Art. 17) — request deletion of your personal data ("right to be forgotten")
- Right to restriction (Art. 18) — restrict processing while a dispute is resolved
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest, including profiling. We will cease processing unless we demonstrate compelling legitimate grounds.
- Rights related to automated decisions (Art. 22) — obtain human intervention, express your point of view, and contest automated decisions
To exercise any right, submit a request through our Data Subject Rights portal or email dpo@kaiju.gg. We will respond within 30 days. If we need additional time, we will inform you of the extension and the reasons within the initial 30-day period.
There is no fee for exercising your rights unless requests are manifestly unfounded or excessive.
10. Right to Lodge a Complaint
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. A directory of EEA supervisory authorities is available at edpb.europa.eu.
We encourage you to contact us first at dpo@kaiju.gg so that we may attempt to resolve your concern directly.
11. Children's Privacy
The Service is not directed at individuals under the age of 16 (or the applicable age of digital consent in their jurisdiction). We do not knowingly collect personal data from children. If we become aware that we have processed data belonging to a child, we will take steps to delete it promptly. If you believe we may have collected data from a child, contact dpo@kaiju.gg.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page. For significant changes affecting the rights of data subjects, we will make reasonable efforts to provide advance notice (e.g., via a banner on the Service). We encourage you to review this policy periodically.
13. Contact
Data Protection Officer: dpo@kaiju.gg
General privacy inquiries: privacy@kaiju.gg
Data subject rights requests: kaiju.gg/data-rights