Privacy Policy

1. Introduction

This Privacy Policy explains how Blancutes LTD, a company registered in England & Wales under company number 10588006 with its registered office at 46 Walham Green Court, Cedarne Road, London, SW6 2DH, United Kingdom (“Commozi,” “we,” “us,” or “our”), collects, uses, stores, and protects personal data when you interact with our website at commozi.com, our Chrome Extension, our CRM web application at app.commozi.com, and any related services (together, the “Services”).

We take privacy seriously. This policy is written in plain English wherever possible, and is designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU GDPR, the California Consumer Privacy Act (CCPA/CPRA), and other applicable data protection laws.

2. Who we are

The data controller responsible for your personal data is:

For all privacy-related queries — including data access, correction, and deletion requests — please contact us at support@commozi.com.

3. Scope of this policy

This policy covers three surfaces:

• The Website (commozi.com) — our marketing site and waitlist.
• The Chrome Extension — installed inside your browser and used alongside Skool.com.
• The CRM (app.commozi.com) — our web application for managing your community.

We are not affiliated with, endorsed by, or operated by Skool. Skool is a separate platform with its own privacy practices. See Section 11.

4. Data we collect

4.1 Website & waitlist

• Email address and first name (when you join the waitlist).
• Your IP address and basic request metadata (used only for rate-limiting and abuse prevention).
• A non-identifying referral code generated from your email address.

4.2 Account data (Extension & CRM)

• Name, email address, and profile photo (provided via Google Sign-In powered by Firebase Authentication).
• A unique user identifier issued by Firebase.
• Your Commozi subscription, plan, and billing status.

4.3 Skool community data (Extension)

When you sign in to Skool with the Commozi Extension installed, the Extension reads data that is already visible to you as a Skool community owner or moderator, including:

• Member profiles and metadata (name, handle, avatar, join date, activity level).
• Posts, comments, and direct messages you can already see in Skool.
• Group/community settings you have permission to view.

This data is transmitted securely to our servers so we can power your CRM, analytics, automations, and AI copilot. Your Skool data is stored in a workspace that is private to your account. No other Commozi user can access it.

4.4 Usage & diagnostic data

• Feature usage events (e.g. “DM automation triggered”) used to improve the product.
• Error logs and crash reports.
• Approximate device and browser information.

4.5 Data we do not collect

• We do not collect your Skool password. Authentication into Skool is handled entirely by Skool itself.
• We do not collect data from websites other than Skool.com via the Extension.
• We do not collect special category (sensitive) personal data.

5. How we use your data

We use personal data only for the purposes set out below:

• To create and maintain your Commozi account.
• To deliver the features you have asked us to deliver — CRM, analytics, DM automation, post scheduling, AI copilot.
• To send service emails (e.g. waitlist confirmations, security notices, billing receipts).
• To improve, secure, and debug the Services.
• To prevent abuse, fraud, and violations of our Terms.
• To comply with our legal obligations.

5.1 AI features & processing

Some Commozi features (including the AI copilot, AI-generated drafts, AI summaries, and AI suggestions) use large language models (“LLMs”) provided by third-party AI providers acting as our sub-processors (which may include OpenAI, Anthropic, and Google). To deliver these features, we send the minimum data required (such as the message you ask the AI to draft, the context you select, or the content you ask it to summarise) to the AI provider.

• Our AI sub-processors are contractually prohibited from using your data or your community members' data to train their generalised models.
• We disable model-training and retain-for-abuse-monitoring options wherever the provider supports it.
• We do not knowingly send special category (sensitive) personal data to AI providers.
• AI outputs are generated automatically and may be inaccurate. You are responsible for reviewing AI outputs before sending or publishing them.

5.2 Automated decision-making

Some Services features (such as auto-tagging members, lead scoring, churn-risk signals, and automation triggers) involve automated processing. None of these features produce decisions that have a legal or similarly significant effect on you or your community members within the meaning of Article 22 UK GDPR. You retain meaningful human control: you configure the rules, you can review and override the outputs, and you can disable automated features at any time.

We do not sell your personal data. We do not use your data, or the data of your community members, to train third-party AI models.

6. Legal bases (UK & EU GDPR)

Under UK and EU GDPR, we rely on the following legal bases:

• Contract — to provide the Services you have signed up for.
• Legitimate interests — to secure our Services, prevent abuse, analyse usage in aggregate, and improve the product.
• Consent — for the waitlist sign-up and any optional marketing emails. You can withdraw consent at any time.
• Legal obligation — to comply with tax, accounting, and law-enforcement requirements where applicable.

7. Who we share data with

We share personal data only with the trusted sub-processors we need to run the Services. Each is bound by a data processing agreement and processes data on our instructions.

We may update this list from time to time as our infrastructure evolves. Where you have a paid subscription, we will give you reasonable prior notice of material changes to our sub-processors so you may object on legitimate grounds.

We may also disclose personal data if required by law, court order, or to protect the rights, safety, or property of Commozi, our users, or the public. If Blancutes LTD is involved in a merger, acquisition, reorganisation, or sale of assets, we will notify you before your data is transferred and becomes subject to a different privacy policy.

8. Google API Services & Firebase Authentication

Commozi uses Firebase Authentication to allow you to sign in with your Google account. When you do this, Google shares with us your basic profile information (name, email, profile photo, and Google account ID).

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We use Google user data only to authenticate you and provide the Services you request.
• We do not transfer Google user data to third parties except as necessary to provide the Services, for security purposes, or to comply with applicable law.
• We do not use Google user data to serve advertising.
• We do not allow humans to read Google user data unless we have your explicit consent, it is necessary for security purposes, to comply with the law, or the data is aggregated and used for internal operations in compliance with the Limited Use Policy.
• We do not use Google user data to train generalised AI/ML models.

9. The Commozi Chrome Extension

The Extension runs inside your Chrome browser on Skool.com. It is the layer that powers your CRM, analytics, and automations on top of Skool.

In line with the Chrome Web Store User Data Policy, including the Limited Use clause:

• The Extension only activates on Skool.com and related Skool domains.
• The Extension only reads data that you, as a signed-in Skool user, can already see.
• Data we transmit to our servers is used only to provide the features you have enabled (CRM, analytics, scheduling, automation, AI copilot).
• We do not sell, rent, or share your Skool community data with third parties for marketing.
• We do not use Extension-collected data to train third-party AI models.

Automations such as DM sending and scheduling are executed only when you configure them. You remain responsible for using these features in compliance with Skool's Terms of Service and applicable anti-spam laws.

10. CRM customer data (Processor role)

When you use the Commozi CRM to manage your own community members, the personal data of those members (“Customer Data”) is:

• Owned and controlled by you. You are the Data Controller of your community members' data.
• Processed by us on your behalf. Commozi acts as the Data Processor.
• Used only to provide the Services to you — never for our own marketing or sold to anyone.

You are responsible for ensuring you have a lawful basis to process your community members' personal data, and for honouring their data subject rights. We will assist you with any reasonable data subject request you forward to us.

A Data Processing Agreement (DPA) reflecting the obligations of UK GDPR Article 28 and EU GDPR Article 28 is available on request from support@commozi.com. Where applicable, our DPA incorporates the UK International Data Transfer Addendum and the EU Standard Contractual Clauses for any data transfers outside the UK or EEA.

11. Our relationship with Skool

Commozi is an independent third-party tool. We are not affiliated with, endorsed by, sponsored by, or partnered with Skool.com or its operators. “Skool” is used here purely descriptively to identify the platform our product works alongside.

Your use of Skool is governed by Skool's own Terms of Service and Privacy Policy. We have no control over how Skool processes your data on its platform.

12. Cookies & tracking

Our website uses a minimal number of cookies and similar technologies:

• Strictly necessary cookies — required for the site and CRM to function (e.g. session, auth). These do not require consent under the UK Privacy and Electronic Communications Regulations (PECR).
• Local storage — used to remember your referral code and preferences in your browser.
• Analytics — privacy-respecting product analytics to understand aggregate usage. No cross-site advertising tracking.

Where we set non-essential cookies, we will display a cookie banner that lets you accept, reject, or manage your preferences before any non-essential cookies are placed, in line with PECR and UK/EU GDPR.

You can clear cookies at any time through your browser. Disabling strictly necessary cookies will prevent the Services from functioning.

13. Data retention

• Waitlist data — kept until you unsubscribe or request deletion.
• Account data — kept for the lifetime of your account, then deleted within 90 days of account closure.
• Skool / CRM data — kept while your account is active, then deleted within 90 days of account closure (or sooner on request).
• Billing records — retained for up to 7 years to comply with UK accounting and tax law.
• Backups — encrypted backups are routinely purged within 30 days.

14. International data transfers

Our sub-processors may store data in the United States and the European Economic Area. Where personal data is transferred outside the UK or EEA, we rely on the UK International Data Transfer Agreement (IDTA), the EU Standard Contractual Clauses (SCCs), or an adequacy decision, as applicable.

You can request a copy of the safeguards in place by emailing support@commozi.com.

15. Security

We use industry-standard technical and organisational measures to protect your data, including:

• TLS encryption for all data in transit.
• Encryption at rest on our infrastructure providers (Firebase, Vercel).
• Strict per-user data isolation — your data is only accessible to your authenticated account.
• Principle-of-least-privilege access for our team.
• Routine dependency and infrastructure security reviews.

No system is ever 100% secure. If we become aware of a personal data breach affecting your data, we will notify the relevant supervisory authority (the UK ICO) without undue delay and in any event within 72 hours where required. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay.

16. Your rights

Under UK and EU GDPR, you have the right to:

• Access the personal data we hold about you.
• Rectify inaccurate or incomplete data.
• Erase your data (the “right to be forgotten”).
• Restrict or object to processing.
• Data portability — receive your data in a portable format.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with a supervisory authority. In the UK, that is the Information Commissioner's Office: ico.org.uk.

To exercise any of these rights, email support@commozi.com. We will respond within one calendar month.

17. California residents (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act and the California Privacy Rights Act, including:

• The right to know what personal information we collect, use, and disclose.
• The right to delete personal information we have collected.
• The right to correct inaccurate personal information.
• The right to opt out of the sale or sharing of personal information. We do not sell or share personal information as defined under the CCPA.
• The right to limit the use of sensitive personal information.
• The right to non-discrimination for exercising your rights.

To exercise these rights, email support@commozi.com with the subject line “California Privacy Rights”.

18. Children

The Services are not intended for, and are not directed at, children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

19. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page. If the changes are material, we will notify you by email or through the Services before they take effect.

20. Contact us

For any questions about this policy, your data, or to exercise your rights, contact: