Back to CommuLand

Privacy Policy

Last updated: March 1, 2026

This Privacy Policy explains how CommuLand collects, uses, discloses, and protects your information. By using our Service, you acknowledge that you have read and understood this policy. If you do not agree with this policy, please do not use our Service.

1. Introduction

CommuLand ("we", "our", "us") operates commuland.com and related services (collectively, the "Service"). We are committed to protecting your personal information and being transparent about how we use it.

This Privacy Policy applies to all users of the Service, including individuals and teams using our platform for contact management, business card scanning, and lead management. It should be read alongside our Terms of Service.

We process personal data as a data controller for account and billing information, and as a data processor for CRM data you create and manage within the platform.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, and profile information through our authentication services. We also collect your organisation and team information to support multi-tenant workspace access.

2.2 CRM and Contact Data

We collect contact records, company details, events, deal pipeline entries, activity logs, lead scores, and other CRM records you create, import, or capture within CommuLand. This includes data extracted from business cards via AI and OCR processing, as well as occasion-linked context and scoring data.

2.3 Uploaded Files and Media

We collect business card images (front and back), PDF documents, and other media files you upload for OCR processing or attach to contact records. Files are stored securely in cloud storage with signed, time-limited access URLs. We do not make uploaded files publicly accessible.

2.4 Telegram Integration Data

If you use the Telegram bot integration, we receive photos, documents, and messages you send to the bot, along with your Telegram user ID, username, and display name. This data is used solely to create and update contact records on your behalf.

2.5 Usage and Technical Data

We automatically collect technical information when you use the Service, including browser type and version, IP address, device identifiers, pages visited, actions performed, timestamps, and error logs. This data is used to maintain, improve, and secure the Service.

2.6 Billing and Payment Data

Payment and billing information is collected and processed by our payment processor. We do not store full card numbers or sensitive payment credentials. We retain billing records including plan type, transaction history, and credit usage for legal and accounting purposes.

3. Legal Basis for Processing (GDPR)

Where applicable under the General Data Protection Regulation (GDPR) or similar laws, we process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide you with the Service as described in our Terms of Service.
  • Legitimate interests: Security monitoring, fraud prevention, service improvement, and usage measurement where permitted by law and where these interests do not override your rights.
  • Legal obligation: Retaining billing and transaction records as required by law.
  • Consent: Where we rely on your consent for specific processing activities such as analytics in regulated regions or marketing communications, which you may withdraw at any time.

4. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the CRM Service.
  • Process business cards and documents using AI and OCR services.
  • Generate lead scores, engagement context scores, and AI-powered contact summaries.
  • Manage your account, workspace, and organisation settings.
  • Process billing, credit transactions, and subscription management.
  • Send transactional and service-related notifications.
  • Detect, investigate, and prevent fraud, abuse, and security incidents.
  • Comply with legal obligations and enforce our Terms of Service.
  • Analyse usage patterns to improve and optimise the Service.
  • Provide customer support and respond to your enquiries.

We do not use your CRM data or contact records for advertising, profiling for marketing purposes, or sale to third parties.

5. AI Processing and Third-Party Services

The Service relies on third-party AI, infrastructure, and payment providers to function. By using the Service, you acknowledge that your data may be processed by the following service categories:

  • Authentication and user management services may process your name, email address, and user identifiers.
  • AI and OCR processing services may process uploaded images and extracted text transiently to perform extraction and enrichment tasks.
  • Search and enrichment services may receive limited query data such as company or person names.
  • Secure cloud storage and infrastructure services may process uploaded files, IP addresses, and standard request logs as needed to operate the Service.
  • Payment processing services may process billing information, but we do not store full card numbers or sensitive payment credentials.
  • Transactional messaging and support services may process email addresses, notification content, and optional integration data needed to deliver the Service.

AI Processing Limitations: Third-party AI services process your data transiently to perform extraction and enrichment tasks. They do not retain your images or extracted content beyond the duration of the processing request, in accordance with their data processing agreements. However, we cannot guarantee the data handling practices of third-party providers beyond what is stated in their respective terms and data processing agreements.

AI Accuracy: AI-extracted and AI-generated data may contain errors or inaccuracies. You are responsible for reviewing and verifying all AI output. We are not liable for decisions made based on AI-generated content.

6. Data Isolation and Multi-Tenancy

All CRM data is strictly scoped to your organisation (tenant). Your data is logically isolated from other organisations on the platform at the database and API level. Team members within your organisation can access CRM data based on their assigned role:

  • Owners and Admins: Full access to all contacts, organisations, and activities within the workspace.
  • Members: Access limited to contacts they own or that have been explicitly shared with them.

We do not allow cross-tenant data access under any circumstances, except where required by law or valid legal process.

7. Data Security

We implement commercially reasonable security measures to protect your information, including:

  • AES-256-GCM encryption for integration secrets and sensitive credentials at rest.
  • Signed, time-limited URLs for all file access (no public or permanent file links).
  • Tenant-scoped access controls enforced on all API endpoints.
  • Webhook signature verification for all inbound integrations.
  • HTTPS/TLS encryption for all data in transit.
  • Access logging and anomaly detection on infrastructure.

Despite these measures, no system is completely secure. We cannot guarantee that unauthorised third parties will never be able to defeat our security measures. In the event of a security breach affecting your personal data, we will notify you as required by applicable law.

You are responsible for maintaining the security of your account credentials, devices, and network environment. We are not liable for breaches resulting from your failure to maintain adequate security on your end.

8. Security Incidents and Breach Notification

In the event of a data breach that affects your personal information and creates a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware, where required by applicable law.
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights.
  • Provide information about the nature of the breach, data affected, and steps being taken to address it.

For security incidents caused by external cyberattacks, DDoS attacks, or third-party provider failures that are outside our reasonable control, our liability and notification obligations are limited to what is required by applicable law. We are not liable for losses arising from such incidents beyond what is expressly required by law.

To report a suspected security vulnerability, contact security@commuland.com.

9. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Specific retention periods:

  • Account and profile data: Retained for the duration of your account, deleted within 30 days of account closure.
  • CRM data (contacts, companies, activities): Retained for the duration of your account, deleted within 30 days of account closure upon request.
  • Uploaded files and media: Retained while your account is active; deleted within 30 days of account closure.
  • Billing and transaction records: Retained for up to 7 years as required by tax and accounting law.
  • Security and access logs: Retained for up to 12 months for security monitoring and incident response.
  • AI-processed data: Not retained by third-party AI providers beyond the processing request.

Some data may be retained longer if required by law, court order, or for the resolution of active legal disputes. We will notify you where this applies.

10. International Data Transfers

Your data may be processed and stored in regions outside your country of residence, including the United States and other countries where our service providers operate. These regions may have different data protection laws than your own.

Where we transfer personal data from the European Economic Area (EEA), United Kingdom, or other regions with data transfer restrictions, we rely on appropriate safeguards including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission.
  • Data Processing Agreements with all third-party service providers.
  • Adequacy decisions where applicable.

By using the Service, you acknowledge and consent to the transfer of your data to these regions for the purposes described in this policy.

11. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data, subject to legal retention obligations.
  • Portability: Request your data in a structured, machine-readable format (CSV export available directly from the platform).
  • Restriction: Request that we restrict processing of your data in certain circumstances.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
  • Complaint: Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at privacy@commuland.com. We will respond within 30 days. We may need to verify your identity before processing your request. We reserve the right to refuse requests that are manifestly unfounded, excessive, or repetitive.

12. Cookies and Tracking

We use essential cookies necessary for authentication, session management, and security. We also use Google Analytics to understand aggregate site traffic and product usage. Specifically:

  • Session cookies: Required to keep you logged in during a browsing session.
  • Authentication cookies: Set by our authentication services to manage your login state.
  • Security cookies: Used to detect and prevent fraudulent activity.
  • Analytics cookies: Set by Google Analytics to measure aggregate traffic, feature usage, and performance.

For visitors in the European Economic Area, the United Kingdom, and Switzerland, analytics storage is disabled by default and enabled only after consent through our cookie banner. You can revisit that choice at any time using the cookie settings control on the site.

We do not use cross-site advertising cookies, remarketing tags, or fingerprinting technologies.

13. Children's Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal data from a child under 16 without verifiable parental consent, we will take steps to delete that data promptly.

If you believe a child under 16 has provided us with personal data, please contact us at privacy@commuland.com.

14. Limitation of Our Privacy Liability

While we take data protection seriously and implement reasonable safeguards, you acknowledge that:

  • We are not liable for data breaches, interceptions, or losses caused by cyberattacks, malicious third-party actors, or events beyond our reasonable control.
  • We are not liable for data you voluntarily share with third parties through integrations, exports, or external services.
  • We are not liable for inaccuracies in AI-extracted or AI-generated data that you rely on for business decisions.
  • Our total liability for any privacy-related claim is limited in accordance with the Limitation of Liability clause in our Terms of Service.

Nothing in this section limits rights you may have under applicable data protection law, including the GDPR.

15. Third-Party Links and Services

The Service may contain links to third-party websites, integrations, or services. This Privacy Policy does not apply to those third-party services. We are not responsible for the privacy practices of third parties and encourage you to review their privacy policies before providing any personal data.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by email or through a prominent notice on the Service at least 14 days before changes take effect, where practicable.

The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

17. Contact and Data Protection Enquiries

If you have questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:

We aim to respond to all privacy-related enquiries within 30 days.

Privacy Policy | CommuLand | CommuLand