Commona

Privacy

Your community, your data.

Commona treats community information as a public trust. We collect only what we need to help your Circle coordinate, we explain exactly what that means, and we honour every right local law gives you — wherever you live.

Effective date: 1 January 2026. Last updated: 24 May 2026. Version 2.0.

At a glance

  • We collect the minimum needed to run a civic coordination platform.
  • We do not sell community data, do not run behavioural advertising, and do not train third-party AI on your contributions.
  • Geolocation is opt-in, cached for 30 minutes, and used only to surface closest content first.
  • You can access, correct, export and delete your personal data at any time from Settings.
  • We honour the strongest applicable law: GDPR, UK GDPR, CCPA/CPRA, LGPD, POPIA, NDPA, Kenya DPA, PIPEDA, DPDP Act 2023, Australian Privacy Principles and equivalents.

Who is responsible

Commona Ltd. ("Commona") is the data controller for personal data processed through the Service. Registered office: 1 Civic Square, London, United Kingdom. ICO registration: ZB-COMMONA-001 (placeholder until issuance).

What we collect

  • Account details — name, email, phone, password (stored as a salted hash).
  • Geographic affiliation — country, region, town and village at the level you choose.
  • Verified roles — resident, steward, NGO, authority, journalist, diaspora. Identity verification documents are processed by our verification partner and not retained by Commona beyond a verification token.
  • Civic content — talking points, comments, votes, projects, petitions, attached media and their metadata.
  • Device & usage signals — device type, OS, app version, IP address (truncated within 30 days), session timestamps, error traces.
  • Optional geolocation — only if you opt in; cached for 30 minutes; precise coordinates are never displayed publicly.
  • Payment data — when you fund a project: amount, currency, processor reference. Card and bank credentials are handled by PCI-DSS-certified processors and never touch our servers.
  • Communications — messages you send to support, moderation appeals, abuse reports.
  • Cookies & local storage — see the Cookies Policy.

Where the data comes from

  • You — most personal data is provided directly by you.
  • Your device — automatic technical signals (browser, OS, language) for security and analytics.
  • Verification partners — confirmation that a verification check passed, never the underlying ID document.
  • Other members — when they mention you, invite you to a Circle, or appeal a decision involving your content.
  • Public records — only for officially-verified institutional roles (e.g. confirming a council seat).

How we use it

  • To create and operate your account.
  • To match you to relevant Circles and surface opportunities, talking points and projects near you.
  • To keep moderation accountable through verified identity and audit logs.
  • To prevent abuse, fraud, impersonation, brigading, vote manipulation and financial crime.
  • To produce anonymised, aggregated civic intelligence (e.g. "issues filed across this region this month") for stewards, NGOs and councils that have a legitimate scope.
  • To process voluntary contributions and issue receipts.
  • To keep the platform stable, fix bugs and respond to incidents.
  • To comply with legal obligations and respond to valid law-enforcement requests.
  • Contract (Art. 6(1)(b)) — to provide the Service you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to keep the Service safe, prevent abuse and improve usability. Balancing-test summaries are available on request.
  • Consent (Art. 6(1)(a)) — for optional features (geolocation, marketing emails, optional analytics). Withdrawable at any time without affecting prior processing.
  • Legal obligation (Art. 6(1)(c)) — for tax, accounting, sanctions screening and lawful disclosure.
  • Public interest / substantial public interest (Art. 6(1)(e), Art. 9(2)(g)) — where local civic-data law applies to public petitions.
  • Vital interests (Art. 6(1)(d)) — in life-safety emergencies.

Who we share with

We share the minimum data needed for a clearly-defined purpose, with vetted processors under written data-processing agreements (Art. 28 GDPR / equivalent). Current categories:

  • Cloud infrastructure — hosting, database, file storage, content-delivery network.
  • Communications — transactional email, SMS, push-notification delivery.
  • Identity verification — third-party providers for ID-verified roles, where the underlying document never returns to Commona.
  • Payment processors — to process contributions and issue receipts. PCI-DSS Level 1 certified.
  • Analytics — privacy-respecting, cookieless, aggregated.
  • Verified partners (NGOs, councils, journalists) — only the data scoped to a project they sponsor or a petition addressed to them.
  • Legal & safety — to comply with valid legal process, protect users from imminent harm, or report CSAM to NCMEC / INHOPE / local authorities.
  • Corporate events — in a merger, acquisition or restructuring, with prior notice and protections at least as strong as this Notice.

We do not sell community data. Ever.

International data transfers

Commona operates globally and may transfer data between the regions where you and our processors are located. When data leaves your country we use one or more of the following safeguards:

  • European Commission adequacy decisions (e.g. UK, Switzerland, Japan, South Korea, EU-US Data Privacy Framework).
  • Standard Contractual Clauses (EU 2021/914) and the UK International Data Transfer Addendum.
  • Binding Corporate Rules for intra-group transfers, where adopted.
  • Transfer-impact assessments for high-risk destinations, with supplementary measures (encryption in transit and at rest, key separation, access logging).
  • For Brazil (ANPD), South Africa (POPIA), Nigeria (NDPA) and Kenya (DPA), equivalent contractual safeguards and notifications as required.

We do not transfer personal data to countries under EU/UK/UN sanctions, and we screen processor jurisdictions for systemic surveillance risk.

How long we keep it

  • Account profile: while your account is active, then 30 days after deletion.
  • Civic content (talking points, projects, votes): retained while the Circle remains active; on account deletion the content is anonymised, not removed, to preserve community memory.
  • Moderation logs: 24 months for accountability and appeal.
  • Payment records: 7 years where required by tax and anti-money-laundering law.
  • Security logs: 12 months; longer in case of an active investigation.
  • Geolocation cache: 30 minutes, then automatically discarded.
  • Backups: encrypted, rotated, and overwritten within 90 days.

Security

We use TLS in transit, AES-256 at rest, hardware-backed key management, role-based access control with least privilege, audit logging, anomaly detection, mandatory two-factor authentication for staff, and an established incident-response procedure. We notify supervisory authorities within 72 hours of a qualifying breach (Art. 33 GDPR) and affected users without undue delay when there is a high risk to rights or freedoms. No system is perfect; please report vulnerabilities responsibly to security@commona.app.

Your rights

Subject to local law, you have the right to:

  • Access — request a copy of the personal data we hold.
  • Correction — edit your profile and most contributions directly in-app.
  • Deletion / erasure — delete your account from Settings → Account. Personal data is removed within 30 days; public civic records remain in anonymised form to preserve community memory.
  • Restriction — ask us to limit processing while a request is being resolved.
  • Portability — export your contributions in a machine-readable format (JSON).
  • Objection — opt out of optional features (geolocation, marketing digests) at any time.
  • Withdraw consent — without affecting processing carried out before withdrawal.
  • Avoid solely-automated decisions with legal or similarly significant effects (Art. 22 GDPR; see below).
  • Complain to a supervisory authority — see the contact section.
  • Authorised agent / representative — California and certain other jurisdictions allow an agent to submit a request on your behalf.

We respond to verifiable requests within 30 days (extendable by 60 days for complex requests, with notice). There is no fee unless requests are manifestly unfounded or excessive.

Children & minors

Commona is not directed to children under 13 (under 16 in much of the EU; the applicable digital-consent age in your country). We do not knowingly collect personal data from children below that age. If you believe a child has provided personal data, contact privacy@commona.app and we will delete it promptly. Where parental consent is required, we obtain it through documented mechanisms (e.g. COPPA-compliant verification in the US, verifiable parental consent under the GDPR).

Regional notices

European Economic Area & United Kingdom

  • Lead supervisory authority: UK Information Commissioner's Office (ico.org.uk). EU residents may complain to their national authority.
  • EU representative under Art. 27 GDPR: see "Who is responsible".

California, Virginia, Colorado, Connecticut, Utah, Texas (US)

  • Rights under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA: know, access, correct, delete, limit use of sensitive personal information, opt out of "sale" or "sharing" and of targeted advertising. Commona does not sell or share personal information for targeted advertising.
  • Submit requests via Settings → Privacy or privacy@commona.app. Two-step verification protects against fraudulent requests.
  • "Shine the Light" requests (Cal. Civ. Code § 1798.83): email the address above.

Brazil

  • Rights under LGPD (Lei nº 13.709/2018): confirmation, access, correction, anonymisation, portability, deletion, information about sharing, revocation of consent, opposition.
  • Supervisory authority: ANPD (gov.br/anpd).

South Africa

Nigeria

  • Rights under the NDPA 2023 and NDPR 2019.
  • Nigeria Data Protection Commission (NDPC): ndpc.gov.ng.

Kenya, Ghana, Uganda, Tanzania, Rwanda

  • Rights under national Data Protection Acts; complaints to the respective ODPCs.

Canada

  • Rights under PIPEDA and Quebec Law 25. Office of the Privacy Commissioner: priv.gc.ca.

Australia & New Zealand

India

  • Rights under the Digital Personal Data Protection Act 2023; grievance officer listed above; Data Protection Board of India will supervise once constituted.

Switzerland

Automated decision-making

We use automated tools for spam detection, duplicate-content matching and risk scoring of suspicious payments. These tools do not, on their own, take legal or similarly significant decisions about you. Account suspension, content removal and appeals are reviewed by trained humans, with documented reasons and a right to challenge — consistent with Art. 22 GDPR, the EU AI Act, and equivalent obligations in the UK Online Safety Act, the DSA and Brazil's LGPD.

What we never do

  • We do not sell community data.
  • We do not run behavioural advertising.
  • We do not amplify outrage for engagement.
  • We do not allow employers, councils or NGOs to scrape contributions.
  • We do not retain precise location coordinates on public pages.
  • We do not use Your Content to train third-party AI models.
  • We do not share data with political campaigns or advertisers.

Contact & complaints

Privacy questions or data requests: privacy@commona.app. Global Data Protection Officer: dpo@commona.app. You can also reach us through the contact page.

If you believe we have not addressed your concern, you have the right to complain to your local data-protection authority — see the regional notices above for direct links. We would always appreciate the chance to resolve the matter first.