Privacy Policy

Effective Date: May 30, 2025

Last Updated: May 30, 2025 | Version 1.0

1. Introduction

CommsOK, Inc. ("CommsOK," "we," "us," or "our") provides email list analytics services to help businesses understand and improve their email marketing performance. This Privacy Policy explains how we collect, use, and protect your information when you use our services.

Important Note About Our Service Scope: CommsOK is designed for and marketed to U.S. businesses. We do not actively market our services to residents of the European Economic Area (EEA), United Kingdom, or California, and our services are not directed at children under 13 years of age.

2. Definitions

For purposes of this Privacy Policy: "Personal information" means information that identifies, relates to, or could reasonably be linked with a particular individual. "Processing" means any operation performed on personal information, including collection, use, storage, and disclosure. "Processor" means a third party that processes personal information on our behalf. "Services" refers to our email list analytics platform and related offerings. "Customer data" means information you upload or provide to use our services. "Usage data" means information about how you interact with our platform.

3. Current Compliance Status

To the best of our knowledge, based on current thresholds and definitions, we are not yet legally subject to the General Data Protection Regulation (GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), or the Children's Online Privacy Protection Act (COPPA).

Even so, we already follow the core privacy principles embodied in those laws—data minimisation, purpose limitation, security, and respect for individual rights—and we voluntarily honour reasonable access, correction, deletion, and opt-out requests from residents of those jurisdictions.

Similar comprehensive privacy statutes are now in force (or imminent) in several other U.S. states. We will implement any additional controls required once their applicability thresholds are met.

We do not "sell" or "share" personal information as those terms are defined under the California Privacy Rights Act.

We are committed to continuous improvement of our privacy programme and will update this Policy, and our internal controls, as our business evolves or regulatory requirements change.

4. Information We Collect

4.1 Account Information

• Business name and contact details
• User names and email addresses
• Billing and payment information
• Account preferences and settings

4.2 Email Performance Telemetry

• Email delivery statistics and metrics
• List quality analytics and insights
• Engagement data (opens, clicks, bounces, unsubscribes)
• Sender reputation indicators

4.3 Technical Information

• Cookies and Similar Technologies: We use cookies to maintain your session, remember preferences, and analyze usage patterns
• Usage Analytics: Information about how you interact with our platform, including pages visited, features used, and time spent
• Device and Browser Information: IP address, browser type, operating system, and device identifiers

4.4 Communications

• Support requests and correspondence
• Feedback and survey responses

5. How We Use Your Information

5.1 Primary Purposes

• Service Delivery: Providing email list analytics and performance insights
• Account Management: Creating and maintaining your account, processing payments
• Customer Support: Responding to inquiries and providing technical assistance
• Service Improvement: Analyzing usage patterns to enhance our platform

5.2 Legal Bases for Processing

Where applicable, we process personal information based on:

• Contractual Necessity: To fulfill our service obligations to you
• Legitimate Interests: To improve our services and ensure platform security
• Consent: Where you have provided explicit consent for specific uses
• Legal Compliance: To meet applicable legal and regulatory requirements

6. Data Sharing and Processors

6.1 Service Providers and Sub-Processors

Current as of the "Last Updated" date shown at the top of this Policy.
We engage a small number of specialized service providers ("sub-processors") that may process Customer Personal Data to deliver the CommsOK platform. A live list is always available at commsok.com/legal/sub-processors.

Notice of changes.
We will update that page before a new provider begins processing Customer Personal Data and will send an in-app or e-mail notice. If you object on reasonable privacy or security grounds, notify us within 10 days and we will work with you in good faith to resolve the concern.

Current sub-processors

• Google Cloud Platform (AWS), US-West-2 – cloud infrastructure and data storage
• Vercel – application hosting and content delivery
• Clerk – user authentication and identity management
• Stripe – payment processing and billing

6.2 Data Sharing Principles

• We do not sell your personal information to third parties
• We only share data with processors necessary for service delivery
• All processors are contractually bound to protect your information
• We conduct due diligence on all service providers

7. Data Storage and International Transfers

7.1 Data Location

All data is processed and stored in U.S. data centers. We do not routinely transfer personal information across international borders.

7.2 International Transfer Safeguards

In the event that international data transfers become necessary, we will implement appropriate safeguards, including:

• Standard Contractual Clauses (SCCs): EU Commission Decision 2021/914
• UK International Data Transfer Addendum: For any UK data transfers
• Additional security measures as required by applicable law

8. Data Retention

8.1 Standard Retention Periods

• Account and Service Data: 24 months after account closure, or earlier at the customer's request unless a longer period is required by law
• Email Analytics Data: 24 months from collection date, or earlier at the customer's request unless a longer period is required by law
• Payment Information: As required by financial regulations and tax law

8.2 Extended Retention

• Legal and Compliance Logs: 5 years to meet regulatory requirements
• Security Incident Records: As required by applicable law and best practices

8.3 Data Deletion

Upon expiration of retention periods, we securely delete or anonymize personal information unless longer retention is required by law.

9. Security Measures

We implement industry-standard security measures to protect your information:

9.1 Technical Safeguards

• Encryption in Transit: TLS 1.2+ for all data transmissions
• Encryption at Rest: AES-256 encryption for stored data
• Network Security: Firewalls, intrusion detection, and monitoring

9.2 Organizational Measures

• Regular security training for employees
• Annual penetration testing and vulnerability scanning
• Formal incident response plan with a 72-hour customer notification target
• Vendor security assessments
• Regular security audits and updates

10. Your Rights and Choices

10.1 Account Management

• Access: View and download your account information through your dashboard
• Correction: Update inaccurate information in your account settings
• Deletion: Request account deletion by contacting support

10.2 Marketing Communications

• Opt-Out: Unsubscribe from marketing emails using the link in each message
• Preferences: Manage communication preferences in your account settings

10.3 Data Subject Rights (Where Applicable)

If you are subject to GDPR or similar privacy laws, you may have additional rights including:

• Right to access your personal information
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing

10.4 Exercising Your Rights

To exercise any of these rights, please contact us at privacy@commsok.com. We will respond to valid requests within the timeframes required by applicable law.

• Appeal: If you are dissatisfied with our response to a privacy request, you may appeal by emailing privacy@commsok.com with "Privacy Appeal" in the subject line.

11. Cookies and Tracking Technologies

11.1 Types of Cookies We Use

• Essential Cookies: Required for basic platform functionality
• Analytics Cookies: Help us understand how you use our services
• Preference Cookies: Remember your settings and preferences

We currently rely only on essential and analytics cookies and do not use advertising or behavioral-tracking cookies. If that changes, we will display a cookie-consent banner where required.

11.2 Cookie Management

You can control cookies through your browser settings. Note that disabling certain cookies may affect platform functionality.

12. Children's Privacy

Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that we have collected such information, we will take steps to delete it promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@commsok.com; we will promptly delete such data.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable law. We will:

• Post the updated Policy on our website
• Update the "Last Updated" date
• Notify you of material changes via email or platform notification
• Provide advance notice where required by law

14. Contact Information

14.1 Privacy Questions

For questions about this Privacy Policy or our privacy practices:
Email: privacy@commsok.com

14.2 Data Protection Officer

If we become subject to GDPR or similar regulations requiring a Data Protection Officer, we will update this section with appropriate contact information.

14.3 Supervisory Authority

If you are located in the EEA or UK and believe we have not addressed your privacy concerns adequately, you may have the right to lodge a complaint with your local data protection authority.