Comnly · Monosphere Ltd
Version 1.1.0 · Effective 7 August 2026
Privacy Policy
Version 1.1.0 · Effective 7 August 2026
This Privacy Policy explains how Monosphere Ltd (trading as Comnly), a company incorporated in England and Wales ("Monosphere", "we", "us" or "our"), processes personal data in connection with the Comnly platform (the "Service").
We process personal data in line with the UK General Data Protection Regulation ("UK GDPR"), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (as amended).
The Service is offered exclusively to organisations and individuals in the United Kingdom.
At a glance
This is a plain-English summary. The full Policy below is what legally applies.
- Your club owns your membership data, not Comnly. When you are a member of an organisation, the things that flow through the Service (your membership record, posts, replies, RSVPs, polls, document downloads, notifications) belong to your organisation. Your organisation is the controller (it decides how that data is used) and Comnly is only the processor (we hold and handle it on the organisation's instructions). We do not use it for our own purposes. - For your direct relationship with Comnly, we are the controller. Account creation, login security, fraud prevention and our app-store presence are run by us, so for those we are the controller. The same is true for the people who register and pay for an organisation (administrators), where we are the controller for the billing and account relationship. - We never sell your data, we do not run cross-site advertising tracking, and we do not use your data to train AI models. - Want your data changed or deleted? If it is club membership data, ask your organisation first (it is their data and we will help them act on it). For your direct account with Comnly, email support@comnly.com.
1. Who is the controller of your data
1.1 For administrators and other authorised users of paying organisations ("Organisation Admin Users") — when you register an organisation, pay for a subscription, contact our support team, use permissioned organisation-management features or otherwise interact with us in an administrative or operational role: Monosphere is the controller.
1.2 For members of organisations ("Members") — most personal data about Members that flows through the Service (membership records, posts, replies, RSVPs, polls, document downloads, push notifications etc.) is processed by Monosphere as a processor on behalf of the Member's organisation, which is the controller. The Data Processing Agreement between us and the organisation governs that processing. The organisation's own privacy notice should explain how it uses your data.
1.3 For some Member-facing matters — for example account creation, security, fraud prevention, the operation of our app stores presence, and where Monosphere directly relates to you as a service provider — Monosphere is the controller. This Privacy Policy describes that role.
1.4 For guest ticket purchasers — where you buy a ticket to an organisation's public event without holding a Comnly account, the organisation selling the ticket is the controller of your purchase data and Monosphere processes your name, email and ticket records as a processor on the organisation's behalf, for ticket issue, delivery and refund support only. See the Guest Ticket Terms for more detail.
1.5 For prospective customers — where you ask us for a personalised demo, use a marketing tool on our website (for example the club communication health check) or otherwise give us your contact details as a prospective customer, Monosphere is the controller of that data.
1.6 If you are unsure who is the controller for a particular interaction, please contact us at support@comnly.com.
2. The personal data we process
We process the categories of personal data below. Not all categories apply to every user.
Account and identity data: name, email address, password (stored hashed), date of birth, profile photo (optional), organisation role/title for administrators and other permissioned users (optional), phone number (optional).
Organisation context data: organisation name and address (admins), club role/title, membership status, joined-at and last-active timestamps.
Communications data: posts, replies, polls and votes, RSVPs, acknowledgements of critical notices, document uploads/downloads, message reads/opens.
Notification data: Expo push tokens, device platform (iOS/Android), notification preferences, notification logs (delivery, failure, retries) for push and email.
Billing data (billing administrators only): organisation billing email, subscription plan, subscription status, Stripe customer and subscription identifiers, invoice records (we do not see card numbers — those go directly to Stripe).
Member payment data: where your organisation uses the Service to request or collect payments from you (joining fees, membership dues, payment links, event tickets, season passes), we hold the payment request and its status (for example requested, paid, refunded), the amount, and the Stripe identifiers needed to reconcile it. Card details are collected by Stripe directly on your organisation's own Stripe account; we never see or store them. We process member payment data as a processor on behalf of your organisation.
Tickets, passes and attendance data: event tickets, season passes and digital membership cards issued to you (including their QR credentials and used/refunded status), ticket transfers, RSVP and check-in records, and door-scan results. Where you add a pass to Apple Wallet or Google Wallet, the pass content (the same details shown on your in-app card or ticket) is delivered through Apple's or Google's wallet services.
Guest ticket purchaser data: where someone buys a ticket to a public event without a Comnly account, we hold their name, email and ticket records for ticket issue, delivery and refund support only, as a processor on behalf of the selling organisation. Guest details are never added to any notification or marketing audience.
Prospective customer data: where you request a personalised demo or use a marketing tool on our website (for example the club communication health check), the contact details you choose to give us (name, email, phone, club name) and your consent record, used to respond to you and follow up on your interest.
Technical data: IP address, user agent, app version, device type, log records of interactions with the Service, anti-abuse signals.
Support data: any information you give us when contacting support.
Marketing preferences: whether you have opted in to Comnly product communications by email, and separately whether you have opted in to sponsor / third-party promotional communications from your Organisation by push notification or email. Each preference is captured by its own specifically-worded tickbox at signup and can be changed at any time in your member settings.
We do not deliberately collect special-category personal data (such as health data) or criminal-offence data. If you choose to include such data in a post, reply or document upload, you do so at your own risk.
3. Where we get the data from
We collect data: (a) directly from you when you sign up or use the Service; (b) from your organisation (e.g. when an admin invites you); (c) automatically through your use of the Service (e.g. logs, device signals); and (d) from our service providers (e.g. Stripe sends us subscription status updates).
4. Lawful bases (UK GDPR Article 6)
We process personal data on one or more of the following lawful bases.
Performance of a contract — to provide the Service to you under the Master Subscription Agreement (admins) or the End User Terms (members), and to provide notifications, billing, support and account management.
Legitimate interests — for the security and integrity of the Service, fraud prevention, anti-abuse, service analytics, product improvement, internal record-keeping and aggregated reporting. We have assessed that our interests are not overridden by your rights and freedoms; you have the right to object (see section 9).
Consent — for non-essential cookies, optional analytics where applicable, marketing emails, and where we collect optional information you choose to provide. You can withdraw consent at any time.
Legal obligation — to comply with our legal obligations, including tax, accounting, anti-money-laundering and responses to lawful requests by authorities.
For the avoidance of doubt: in respect of personal data we process as a processor for an organisation, the lawful basis is identified by that organisation as controller, and our processing is on its documented instructions.
5. Why we process your data (purposes)
Account management, authentication, providing the Service's communication and engagement features, sending push notifications and emails (including critical-notice deliveries on behalf of organisations), processing subscription payments via Stripe, operating payment, ticketing, season-pass and membership-card features on behalf of organisations (including delivering tickets and passes by email and to Apple Wallet or Google Wallet where you choose to add them), providing customer support, debugging, security and abuse prevention, complying with our legal obligations, responding to demo requests and marketing-tool submissions from prospective customers, and producing aggregated and anonymised analytics.
Sponsor content in the feed. Where your Organisation chooses to display sponsor content in your member feed, we render that content to you as part of providing the Service. We do not share your personal data with sponsors as part of this display. If you click a sponsor link and leave the Service, the sponsor's site or app will set its own terms and privacy notice, and we have no control over what they collect from you.
Sponsor push and email marketing. Where you have specifically opted in to receive sponsor / third-party promotional content from your Organisation by push notification or email, we use your Expo push token or email address to deliver that content on behalf of your Organisation. You can withdraw this consent at any time in member settings, and we will respect it on the next dispatch. This is separate from your operational notification preferences and from any consent you may have given to receive Comnly product updates.
We do not sell personal data, we do not engage in cross-context behavioural advertising, and we do not use personal data to train generative AI models.
6. Recipients
We share personal data with the following categories of recipient.
Hosting and infrastructure: Supabase Inc. (PostgreSQL hosting, authentication, storage) and Vercel Inc. (web application hosting and edge runtime). Default Supabase region for new Comnly projects is in the UK/EU.
Email: our transactional email provider (e.g. Resend or equivalent), used for account, billing, notification and ticket-delivery emails.
Payments: Stripe Payments Europe, Ltd. (and its affiliates) for subscription billing, and for payments you make to your organisation through its own Stripe Connect account (joining fees, dues, tickets, season passes). Card data is collected by Stripe directly under its own privacy notice.
Push notifications: Expo (Expo Push Service), Apple Push Notification service and Google Firebase Cloud Messaging. Push payloads are sent through these third parties.
Wallet passes: where you choose to add a membership card, ticket or season pass to your device wallet, Apple Inc. (Apple Wallet and the Apple Push Notification service used for pass updates) or Google LLC (Google Wallet) receive the pass content, which contains no more personal data than the in-app card or ticket already shows.
Error monitoring and analytics: where enabled, error-monitoring providers used to diagnose crashes and operational issues.
Customer's organisation: where we process Member data on behalf of an organisation, the organisation's administrators and other authorised Organisation users can access data via the Service only according to the role permissions assigned by that organisation. Some permissioned roles may be able to create operational content, such as posts or events, without having member-directory access.
Professional advisers and authorities: lawyers, accountants, auditors, regulators or law enforcement, where lawful and necessary.
Successors: in the context of a corporate reorganisation or sale of business, subject to continuing protection of your data.
A current list of sub-processors is available on request from support@comnly.com, and is incorporated into the Data Processing Agreement.
7. International transfers
7.1 Where any of our service providers process personal data outside the UK, we rely on adequacy regulations made by the UK Government, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another transfer mechanism permitted under UK Data Protection Law.
7.2 We will provide details of any specific transfer mechanism on request.
8. Retention
8.1 We retain account data for as long as your account is active and for a reasonable period afterwards to handle queries, comply with legal obligations and protect our legal interests. Specifically:
(a) active account data: retained while your account or your organisation's subscription is active;
(b) member content (posts, replies, polls, etc.): retained while the organisation chooses to keep it active in the Service, subject to the organisation's instructions;
(c) on account deletion: account data is deleted or anonymised within 30 days of the deletion request, except where retention is required for legal, accounting or fraud-prevention reasons (in which case the data is locked down and retained for the minimum necessary period). Where you have contributed content that your organisation retains in the Service (for example posts or replies), that content is controlled by your organisation: on deletion of your account we remove or anonymise the account identity attached to it, and any request for erasure of the content itself should be directed to your organisation as controller;
(d) on subscription termination by an organisation: Customer Content is available for export for 30 days and is then deleted within a reasonable period;
(e) billing records: retained for 7 years to meet UK accounting and tax obligations;
(f) logs and security data: retained for up to 24 months for security, abuse-detection and audit purposes;
(g) anonymised, aggregated data: may be retained indefinitely (it does not identify you).
9. Your rights
9.1 Under UK GDPR you have the following rights, subject to the conditions and exceptions in the law:
(a) right of access — to obtain a copy of personal data we hold about you;
(b) right to rectification — to have inaccurate or incomplete data corrected;
(c) right to erasure — to have your data deleted in certain circumstances;
(d) right to restriction — to limit how we process your data in certain circumstances;
(e) right to data portability — to receive certain data in a structured, commonly used format;
(f) right to object — to processing based on legitimate interests, and to processing for direct marketing (which we will always respect);
(g) right not to be subject to automated decisions — including profiling, that produces legal or similarly significant effects (we do not currently make such decisions);
(h) right to withdraw consent — at any time, where processing is based on consent.
9.2 To exercise any of these rights, email support@comnly.com with the subject line "Data subject request". We may need to verify your identity. We will respond within one month or tell you if we need a longer period.
9.3 For Member data we hold as a processor for your organisation, please direct your data subject request to your organisation. We will assist your organisation in responding.
9.4 You have the right to complain to the Information Commissioner's Office (the UK supervisory authority) — ico.org.uk or 0303 123 1113 — if you think we have mishandled your personal data. We would appreciate the opportunity to address your concerns first.
10. Children
10.1 Account creation is strictly limited to individuals aged 18 and over. We do not knowingly permit individuals under 18 to register accounts or use the Service directly. If we discover that an account belongs to a person under 18 we will delete it. If you believe a child under 18 has registered an account, please contact support@comnly.com.
10.2 While individuals under 18 cannot create accounts, adult members who hold parental responsibility may voluntarily submit limited personal data of children (specifically first name, last name, and date of birth) as sub-records under their own membership to manage junior section activities. We process this child data strictly as a processor on behalf of your Organisation (the controller) and in accordance with the Parental Responsibility Attestation.
11. Cookies and similar technologies
11.1 The web Service uses strictly necessary cookies and limited functional storage (including localStorage) to keep you signed in, remember in-progress signup drafts and remember your preferences. We do not currently use cookies for advertising or cross-site tracking. See the Cookie Policy for details.
12. Security
12.1 We implement appropriate technical and organisational measures to protect personal data, including encryption in transit, encryption at rest for our hosted database and storage, role-based access control, least-privilege permission design for operational roles, audit logging, secure software development practices, and regular review of our security posture. We require sub-processors to maintain equivalent protections.
13. Changes to this Policy
13.1 We may update this Policy from time to time. If a change is material, we will notify users at least 14 days in advance by email or in-product notice, except where the change is required immediately by law or for security reasons.
14. Contact us
14.1 Monosphere Ltd (trading as Comnly), a company registered in England and Wales under company number 16315949. Registered office: 3 Broadway East, Chester, CH2 2DW, United Kingdom.
14.2 Privacy enquiries, legal notices, and support: support@comnly.com.