Commazaar Privacy Policy
Last updated: July 12, 2026
This Privacy Policy describes how Commazaar ("Commazaar," "we," "us," or "our") collects, uses, discloses, and protects information when you access or use the Commazaar platform, including our website, cloud-hosted software, on-premise software, application programming interfaces, and related services (collectively, the "Service").
This Privacy Policy applies to visitors to our public website, individuals who create or join an organization account, and authorized members of organizations that use the Service. The Service is offered exclusively as a business-to-business workplace tool. It is not intended for personal, household, or consumer use, and it is not directed at anyone under the age of 18.
For purposes of many data protection laws, your organization ("Customer" or "Organization") is typically the controller of personal information about its employees and contractors that is processed through the Service, and Commazaar acts as a processor or service provider processing that information on the Customer's instructions to provide the Service. Commazaar may also act as a controller for certain information, such as billing contact details, website analytics, and account administration data relating to organization owners who sign up for the Service.
1. Information We Collect
We collect information in the following categories:
1.1 Account and identity information
When an organization signs up or a user joins an organization, we collect information such as name, work email address, organization name, organization slug, role (for example, owner, admin, or participant), division membership, and authentication identifiers from our identity provider.
1.2 Organization and configuration information
We collect information your organization provides to configure the Service, including branding (such as logos), workspace settings, token policies, stake limits, leaderboard settings, division names and descriptions, and billing tier selections.
1.3 Service activity and content
We collect information generated through use of the Service, including:
- Market titles, descriptions, resolution criteria, outcomes, categories, tags, and related comments;
- Orders, trades, positions, token balances, and leaderboard rankings;
- Market requests, admin notes, and audit log entries describing actions taken within the Service;
- Saved markets, invite lists, and access-control settings.
1.4 Technical and security information
We collect information needed to operate and secure the Service, including IP addresses, browser and device information, session identifiers, authentication events, rate-limiting signals, bot-detection challenge results, timestamps, and error logs.
1.5 Payment and billing information
Subscription billing is processed by Stripe, Inc. We receive billing metadata such as Stripe customer and subscription identifiers, plan tier, seat counts, trial status, and payment status. We do not store full payment card numbers.
1.6 Communications
If you contact us by email, through our website chat widget, or through support channels, we collect the content of those communications and related contact details.
1.7 Demo and evaluation use
If you use our public demo environment, we may create or assign demo accounts and store demo activity separately from production customer tenants. Demo data may be reset periodically and should not be treated as confidential.
2. How We Use Information
We use information to:
- Provide, operate, maintain, and improve the Service;
- Authenticate users, manage organizations, enforce role-based access, and maintain multi-tenant data isolation;
- Process subscriptions, enforce seat limits, and manage trials and billing;
- Generate audit trails, leaderboards, market activity, and administrative reports for organization owners and admins;
- Detect, prevent, and respond to fraud, abuse, security incidents, and violations of our Terms of Service;
- Communicate with you about the Service, including service updates, security notices, and support responses;
- Comply with law, respond to lawful requests, and enforce our agreements;
- Analyze aggregated or de-identified usage trends to improve the product.
We do not sell personal information. We do not use workplace market content to train public machine-learning models.
3. Legal Bases for Processing (EEA, UK, and Similar Jurisdictions)
Where applicable data protection law requires a legal basis, we rely on one or more of the following:
- Contract: to provide the Service under our agreement with your organization or with you as an authorized user;
- Legitimate interests: to secure, improve, and administer the Service, prevent abuse, and communicate about the Service, balanced against your rights;
- Legal obligation: to comply with applicable law, regulation, or valid legal process;
- Consent: where required for optional features such as marketing communications or certain cookies, which you may withdraw at any time.
Your organization is responsible for determining the legal basis on which it collects and uses employee information submitted to the Service.
4. How We Share Information
We share information only as described below:
4.1 Within your organization
Information you submit to the Service is visible to other authorized members of your organization according to role, division, and market access settings configured by your organization.
4.2 Service providers and subprocessors
We use third-party providers to help us operate the Service. Material providers may include:
| Provider | Purpose |
|---|---|
| Stytch | Business authentication, organization and member management, SSO, and session handling |
| Stripe | Subscription billing, checkout, and customer portal |
| MongoDB | Primary application database hosting (cloud deployments) |
| Cloudflare Turnstile | Bot detection and abuse prevention on authentication flows |
| Tawk.to (if enabled) | Optional live chat support widget |
| Socket.io infrastructure | Real-time order book and trading updates |
| Google Fonts | Website typography delivery |
These providers process information on our instructions and subject to their own terms and privacy practices. We do not authorize them to use customer content for their own unrelated marketing purposes.
4.3 Legal and safety disclosures
We may disclose information if we believe in good faith that disclosure is necessary to comply with law, respond to lawful requests, protect the rights, property, or safety of Commazaar, our users, or others, or investigate fraud or security issues.
4.4 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, information may be transferred as part of that transaction, subject to standard confidentiality obligations.
5. Data Encryption and Security
We implement technical and organizational measures designed to protect information, including:
- Encryption in transit using TLS for network communications;
- Field-level encryption at rest for sensitive application content stored in our database, including market questions and outcomes, user names and emails, comments, and related workplace content, using keys controlled by Commazaar and not stored in the database;
- HttpOnly session cookies, role-based access controls, and organization-scoped data queries;
- Rate limiting, security headers, and bot protection on authentication flows where configured.
Authentication credentials and session data managed by Stytch are protected under Stytch's own security program on their infrastructure. We do not store user passwords directly.
No method of transmission or storage is completely secure. We cannot guarantee absolute security. If you believe your account or organization has been compromised, contact [email protected] promptly.
6. Multi-Tenant Isolation
Each organization's data is logically isolated within the Service. We implement technical controls intended to prevent cross-tenant access. Organization administrators control which members can view markets, comments, audit logs, billing information, and administrative settings.
7. Data Retention
We retain information for as long as reasonably necessary to provide the Service, comply with law, resolve disputes, and enforce our agreements.
In general:
- Account, organization, and activity data is retained while your organization maintains an active subscription or ongoing use of the Service;
- After termination or deletion of an organization account, we aim to delete or de-identify customer content within 90 days, except where longer retention is required by law, needed to resolve disputes, or maintained in encrypted backups for a limited period;
- Demo environment data may be deleted or reset at any time without notice.
Specific retention practices may vary based on deployment model and legal requirements.
8. On-Premise Deployments
If your organization deploys the Service on its own infrastructure under a separate license, your organization hosts and controls the underlying environment and data. Commazaar does not have access to your on-premise database or infrastructure unless you separately grant such access for support purposes.
In on-premise deployments, your organization is solely responsible for security, backup, retention, access control, breach notification, and compliance obligations relating to data stored in its environment. This Privacy Policy describes Commazaar's practices for cloud-hosted Service offerings unless your separate license agreement states otherwise.
9. International Data Transfers
Commazaar is based in the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States and other countries where we or our service providers operate.
Where required by applicable law, we implement appropriate safeguards for cross-border transfers, such as standard contractual clauses or equivalent mechanisms offered by our service providers.
10. Your Rights and Choices
Depending on your location, you may have rights to access, correct, delete, restrict, or object to certain processing of your personal information, or to receive a portable copy of certain information.
Because the Service is a workplace tool, many requests relating to employee information should be directed first to your organization administrator, who controls your account and much of the information processed in the Service. We will assist organizations in responding to lawful requests as required by applicable law and our agreements with them.
You may also contact us at [email protected] regarding privacy questions or requests. We may need to verify your identity and coordinate with your organization before fulfilling certain requests.
If you are a California resident, you may have additional rights under applicable state privacy laws, including the right to know, delete, and correct certain personal information, and the right to opt out of certain sharing that may be considered a "sale" or "sharing" under California law. Commazaar does not sell personal information as defined by the California Consumer Privacy Act.
11. Children's Privacy
The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal information from children. If we learn that we have collected personal information from a child without appropriate authorization, we will take steps to delete it.
12. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Service, including:
- Essential cookies, such as authentication session cookies, required for login and security;
- Preference cookies, such as theme selection stored in your browser;
- Third-party cookies from providers such as Stripe, Stytch, Tawk.to, or Cloudflare when those features are enabled.
You can control certain non-essential cookies through your browser settings, but disabling essential cookies may prevent you from using the Service.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Service, by email, or by posting an updated version with a new "Last updated" date. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.
14. Contact Us
Privacy questions or requests may be sent to [email protected] or through the chat widget available on our website.
This document is a template describing Commazaar's business practices as of the date above and is provided for general informational purposes. It is not a substitute for advice from a licensed attorney familiar with your specific business, jurisdiction, and circumstances.