Privacy policy

Last updated: May 6, 2026

1. Data controller

Needle is published by Ludovic Cleuet, [TO COMPLETE: legal status and address], reachable at ludovic.cleuet@gmail.com.

2. Data collected

  • Discogs identity: public username and OAuth tokens needed to read your wantlist. No Discogs password is stored.
  • Wantlist: the list of pressings you follow, with the associated public metadata (artist, title, pressing, market price).
  • Telegram: Telegram chat_id and username, read only after you enable the bot.
  • Payment: Polar (merchant of record) collects banking data directly. Needle only receives a Polar customer identifier and the subscription status.
  • Technical logs: IP addresses, API timestamps, kept 30 days for security and debugging.

3. Purposes

Monitoring your Discogs wantlist, sending Telegram alerts, managing the paid subscription, fraud prevention.

4. Sub-processors

  • Discogs — provider of the monitored API
  • Polar — payment processing (merchant of record, PCI-DSS)
  • Telegram — alert delivery
  • Hetzner Online GmbH (Germany, EU) — hosting of the backend and PostgreSQL database

5. Retention period

Account data is kept as long as your subscription is active. After cancellation, your data is deleted within 30 days, except for accounting obligations (10 years for invoices). Unused Discogs OAuth tokens are purged within 1 hour.

6. Your rights

Under the GDPR, you may at any time request access to, rectification of or deletion of your data, as well as portability or restriction of processing. To exercise these rights, write to ludovic.cleuet@gmail.com. You may also lodge a complaint with the CNIL (French data protection authority).

7. Cookies

Needle uses no tracking cookies or third-party analytics.