Comnly · Monosphere Ltd
Version 1.0.4 · Effective 24 May 2026
Privacy Policy
This Privacy Policy explains how Monosphere Ltd (trading as Comnly), a company incorporated in England and Wales ("Monosphere", "we", "us" or "our"), processes personal data in connection with the Comnly platform (the "Service").
We process personal data in line with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (as amended).
The Service is offered exclusively to organisations and individuals in the United Kingdom.
1. Who is the controller of your data
1.1 For administrators and other authorised users of paying organisations ("Organisation Admin Users") — when you register an organisation, pay for a subscription, contact our support team, use permissioned organisation-management features or otherwise interact with us in an administrative or operational role: Monosphere is the controller.
1.2 For members of organisations ("Members") — most personal data about Members that flows through the Service (membership records, posts, replies, RSVPs, polls, document downloads, push notifications etc.) is processed by Monosphere as a processor on behalf of the Member's organisation, which is the controller. The Data Processing Agreement between us and the organisation governs that processing. The organisation's own privacy notice should explain how it uses your data.
1.3 For some Member-facing matters — for example account creation, security, fraud prevention, the operation of our app store presence, and where Monosphere directly relates to you as a service provider — Monosphere is the controller. This Privacy Policy describes that role.
1.4 If you are unsure who is the controller for a particular interaction, please contact us at privacy@monosphere.co.uk.
2. The personal data we process
We process the categories of personal data below. Not all categories apply to every user.
Account and identity data: name, email address, password (stored hashed), date of birth, profile photo (optional), organisation role/title for administrators and other permissioned users (optional), phone number (optional).
Organisation context data: organisation name and address (admins), club role/title, membership status, joined-at and last-active timestamps.
Communications data: posts, replies, polls and votes, RSVPs, acknowledgements of critical notices, document uploads/downloads, message reads/opens.
Notification data: Expo push tokens, device platform (iOS/Android), notification preferences, notification logs (delivery, failure, retries) for push and email.
Billing data (billing administrators only): organisation billing email, subscription plan, subscription status, Stripe customer and subscription identifiers, invoice records (we do not see card numbers — those go directly to Stripe).
Technical data: IP address, user agent, app version, device type, log records of interactions with the Service, anti-abuse signals.
Support data: any information you give us when contacting support.
Marketing preferences: whether you have opted in to Comnly product communications by email, and separately whether you have opted in to sponsor / third-party promotional communications from your Organisation by push notification or email. Each preference is captured by its own specifically-worded tickbox at signup and can be changed at any time in your member settings.
We do not deliberately collect special-category personal data (such as health data) or criminal-offence data. If you choose to include such data in a post, reply or document upload, you do so at your own risk.
3. Where we get the data from
We collect data: (a) directly from you when you sign up or use the Service; (b) from your organisation (e.g. when an admin invites or imports you); (c) automatically through your use of the Service (e.g. logs, device signals); and (d) from our service providers (e.g. Stripe sends us subscription status updates).
4. Lawful bases (UK GDPR Article 6)
We process personal data on one or more of the following lawful bases.
Performance of a contract — to provide the Service to you under the Master Subscription Agreement (admins) or the End User Terms (members), and to provide notifications, billing, support and account management.
Legitimate interests — for the security and integrity of the Service, fraud prevention, anti-abuse, service analytics, product improvement, internal record-keeping and aggregated reporting. We have assessed that our interests are not overridden by your rights and freedoms; you have the right to object (see section 9).
Consent — for non-essential cookies, optional analytics where applicable, marketing emails, and where we collect optional information you choose to provide. You can withdraw consent at any time.
Legal obligation — to comply with our legal obligations, including tax, accounting, anti-money-laundering and responses to lawful requests by authorities.
For the avoidance of doubt: in respect of personal data we process as a processor for an organisation, the lawful basis is identified by that organisation as controller, and our processing is on its documented instructions.
5. Why we process your data (purposes)
Account management, authentication, providing the Service's communication and engagement features, sending push notifications and emails (including critical-notice deliveries on behalf of organisations), processing subscription payments via Stripe, providing customer support, debugging, security and abuse prevention, complying with our legal obligations, and producing aggregated and anonymised analytics.
Sponsor content in the feed. Where your Organisation chooses to display sponsor content in your member feed, we render that content to you as part of providing the Service. We do not share your personal data with sponsors as part of this display. If you click a sponsor link and leave the Service, the sponsor's site or app will set its own terms and privacy notice, and we have no control over what they collect from you.
Sponsor push and email marketing. Where you have specifically opted in to receive sponsor / third-party promotional content from your Organisation by push notification or email, we use your Expo push token or email address to deliver that content on behalf of your Organisation. You can withdraw this consent at any time in member settings, and we will respect it on the next dispatch. This is separate from your operational notification preferences and from any consent you may have given to receive Comnly product updates.
We do not sell personal data, we do not engage in cross-context behavioural advertising, and we do not use personal data to train generative AI models.
6. Recipients
We share personal data with the following categories of recipient.
Hosting and infrastructure: Supabase Inc. (PostgreSQL hosting, authentication, storage). Default Supabase region for new Comnly projects is in the UK/EU.
Email: our transactional email provider (e.g. Resend or equivalent), used for account, billing and notification emails.
Payments: Stripe Payments Europe, Ltd. (and its affiliates) for subscription billing. Card data is collected by Stripe directly under its own privacy notice.
Push notifications: Expo (Expo Push Service), Apple Push Notification service and Google Firebase Cloud Messaging. Push payloads are sent through these third parties.
Error monitoring and analytics: where enabled, error-monitoring providers used to diagnose crashes and operational issues.
Customer's organisation: where we process Member data on behalf of an organisation, the organisation's administrators and other authorised Organisation users can access data via the Service only according to the role permissions assigned by that organisation. Some permissioned roles may be able to create operational content, such as posts or events, without having member-directory access.
Professional advisers and authorities: lawyers, accountants, auditors, regulators or law enforcement, where lawful and necessary.
Successors: in the context of a corporate reorganisation or sale of business, subject to continuing protection of your data.
A current list of sub-processors is available on request from privacy@monosphere.co.uk, and is incorporated into the Data Processing Agreement.
7. International transfers
7.1 Where any of our service providers process personal data outside the UK, we rely on adequacy regulations made by the UK Government, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another transfer mechanism permitted under UK Data Protection Law.
7.2 We will provide details of any specific transfer mechanism on request.
8. Retention
8.1 We retain account data for as long as your account is active and for a reasonable period afterwards to handle queries, comply with legal obligations and protect our legal interests. Specifically:
(a) active account data: retained while your account or your organisation's subscription is active;
(b) member content (posts, replies, polls, etc.): retained while the organisation chooses to keep it active in the Service, subject to the organisation's instructions;
(c) on account deletion: account data is deleted or anonymised within 30 days of the deletion request, except where retention is required for legal, accounting or fraud-prevention reasons (in which case the data is locked down and retained for the minimum necessary period);
(d) on subscription termination by an organisation: Customer Content is available for export for 30 days and is then deleted within a reasonable period;
(e) billing records: retained for 7 years to meet UK accounting and tax obligations;
(f) logs and security data: retained for up to 24 months for security, abuse-detection and audit purposes;
(g) anonymised, aggregated data: may be retained indefinitely (it does not identify you).
9. Your rights
9.1 Under UK GDPR you have the following rights, subject to the conditions and exceptions in the law:
(a) right of access — to obtain a copy of personal data we hold about you;
(b) right to rectification — to have inaccurate or incomplete data corrected;
(c) right to erasure — to have your data deleted in certain circumstances;
(d) right to restriction — to limit how we process your data in certain circumstances;
(e) right to data portability — to receive certain data in a structured, commonly used format;
(f) right to object — to processing based on legitimate interests, and to processing for direct marketing (which we will always respect);
(g) right not to be subject to automated decisions — decisions, including profiling, that produce legal or similarly significant effects (we do not currently make such decisions);
(h) right to withdraw consent — at any time, where processing is based on consent.
9.2 To exercise any of these rights, email privacy@monosphere.co.uk with the subject line "Data subject request". We may need to verify your identity. We will respond within one month or tell you if we need a longer period.
9.3 For Member data we hold as a processor for your organisation, please direct your data subject request to your organisation. We will assist your organisation in responding.
9.4 You have the right to complain to the Information Commissioner's Office (the UK supervisory authority) — ico.org.uk or 0303 123 1113 — if you think we have mishandled your personal data. We would appreciate the opportunity to address your concerns first.
10. Children
10.1 Account creation is strictly limited to individuals aged 18 and over. We do not knowingly permit individuals under 18 to register accounts or use the Service directly. If we discover that an account belongs to a person under 18 we will delete it. If you believe a child under 18 has registered an account, please contact privacy@monosphere.co.uk.
10.2 While individuals under 18 cannot create accounts, adult members who hold parental responsibility may voluntarily submit limited personal data of children (specifically first name, last name, and date of birth) as sub-records under their own membership to manage junior section activities. We process this child data strictly as a processor on behalf of your Organisation (the controller) and in accordance with the Parental Responsibility Attestation.
11. Cookies and similar technologies
11.1 The web Service uses strictly necessary cookies and limited functional storage (including localStorage) to keep you signed in, remember in-progress signup drafts and remember your preferences. We do not currently use cookies for advertising or cross-site tracking. See the Cookie Policy for details.
12. Security
12.1 We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, encryption at rest for our hosted database and storage, role-based access control, least-privilege permission design for operational roles, audit logging, secure software development practices, and regular review of our security posture. We require sub-processors to maintain equivalent protections.
13. Changes to this Policy
13.1 We may update this Policy from time to time. If a change is material, we will notify users at least 14 days in advance by email or in-product notice, except where the change is required immediately by law or for security reasons.
14. Contact us
14.1 Monosphere Ltd, England and Wales.
14.2 General privacy enquiries: privacy@monosphere.co.uk.
14.3 Legal: legal@monosphere.co.uk.
14.4 Support: support@comnly.com.