
Privacy Policy

Last updated: February 26, 2026

1. Introduction

This Privacy Policy describes how Commet Labs Inc. ("Commet", "we", "us", "our") collects, uses, and shares information when you use our billing and payments platform at commet.co ("the Service").

Commet acts as a Merchant of Record, which means we process payments, collect taxes, and handle compliance on behalf of Sellers who use our platform. This creates a three-party relationship between Commet, Sellers (businesses using our platform), and Buyers (their customers).

Data Controller: Commet Labs Inc., legal@commet.co.

2. Information We Collect

2.1 Information Sellers Provide

  • Account information: name and email address
  • Organization information: organization name, country, and business type
  • Business validation data: information about your business and products, submitted during our review process
  • Configuration data: plans, pricing, features, and billing settings entered into the platform

Payout account verification (including identity verification, bank account details, and tax documentation) is handled directly by Stripe. Commet does not store this information.

2.2 Information Buyers Provide

  • Payment information: processed securely through Stripe. We do not store full card numbers, CVVs, or complete card details. We receive card type, last four digits, expiration date, and billing address.
  • Contact information: name, email address, and billing address as provided during checkout
  • Tax information: tax identification numbers when applicable for business purchases

2.3 Information Collected Automatically

  • Usage data: pages visited, features used, API calls made, and interactions with the platform
  • Device information: browser type, operating system, screen resolution, and IP address
  • Geolocation data: country and region derived from IP address, used for tax calculation and currency detection
  • Log data: server logs including access times, error logs, and request metadata

2.4 Information from Third Parties

  • Stripe: transaction status, settlement amounts, and fraud signals
  • Authentication providers: name, email, and profile information when using third-party sign-in

3. Legal Bases for Processing

We process personal data under the following legal bases (GDPR Article 6):

Legal Basis | Examples
Contract performance | Processing payments, managing subscriptions, delivering the Service
Legal obligation | Tax collection and remittance, fraud prevention, financial record-keeping
Legitimate interest | Platform security, analytics to improve the Service, preventing abuse, business validation
Consent | Marketing communications, optional analytics cookies

4. How We Use Your Information

We use collected information to:

  • Provide the Service: process Transactions, manage subscriptions, generate invoices, and facilitate Payouts
  • MoR obligations: calculate and remit taxes, issue tax-compliant invoices, handle refunds
  • Business validation: evaluate Seller applications for compliance with our Acceptable Use Policy
  • Security and fraud prevention: detect and prevent fraudulent Transactions, validate business legitimacy, and protect accounts
  • Communication: send transactional notifications (payment confirmations, invoice delivery, payout notifications) and account-related alerts via email
  • Improve the Service: analyze usage patterns, diagnose technical issues, and optimize performance
  • Legal compliance: respond to legal requests, enforce our Terms, and meet regulatory obligations

5. How We Share Your Information

We do not sell your personal information. We share data only in the following circumstances:

5.1 Payment Infrastructure

Our payment infrastructure provider processes all payments, handles payout account verification, and performs identity checks for Sellers. They receive payment details, billing address, and transaction information necessary to process charges and payouts.

5.2 Seller-Buyer Data Sharing

  • Sellers receive Buyer information necessary to deliver their Product: name, email, subscription status, and usage data. Sellers do not receive full payment details.
  • Buyers receive Seller business information as displayed on invoices and checkout pages.

5.3 Tax Authorities

As Merchant of Record, we share transaction data with tax authorities as required for sales tax, VAT, GST, and other consumption tax compliance.

5.4 Service Providers

We use trusted third-party service providers for infrastructure, hosting, email delivery, analytics, and other operational purposes. These providers process data only as necessary to perform their services and are bound by contractual obligations to protect your information.

Stripe is our primary payment infrastructure provider. Stripe's use of your data is governed by Stripe's Privacy Policy.

5.5 Legal Requirements

We may disclose information when required by law, court order, or government regulation, or when we believe disclosure is necessary to protect our rights, prevent fraud, or ensure user safety.

5.6 Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you before your data becomes subject to a different privacy policy.

6. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. For transfers of personal data from the EU/EEA/UK, we rely on:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Implementing Decision 2021/914)
  • UK International Data Transfer Addendum for transfers from the United Kingdom

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Transaction records are retained for 7 years as required by tax and financial regulations.

When a Seller deletes their organization, all associated data (customers, subscriptions, invoices, usage data, API keys) is permanently deleted. Transaction records may be retained as required by law.

You may request deletion of personal data not subject to legal retention requirements.

8. Data Security

We implement industry-standard security measures including:

  • Encryption in transit and at rest
  • PCI DSS compliance via Stripe (we never store full card data)
  • Role-based access controls within organizations
  • Complete data isolation between Seller organizations

9. Your Rights

9.1 Rights Under GDPR (EU/EEA/UK)

If you are in the EU, EEA, or UK, you have the right to:

  • Access: request a copy of the personal data we hold about you
  • Rectification: request correction of inaccurate data
  • Erasure: request deletion of your personal data, subject to legal retention obligations
  • Restriction: request restriction of processing in certain circumstances
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interests
  • Withdraw consent: withdraw consent at any time where processing is based on consent
  • Lodge a complaint: file a complaint with your local supervisory authority

9.2 Rights Under CCPA/CPRA (California)

California residents have the right to:

  • Know what personal information we collect and how it is used
  • Delete personal information, subject to legal exceptions
  • Opt out of the sale or sharing of personal information (we do not sell personal information)
  • Non-discrimination for exercising your privacy rights

9.3 Rights Under LGPD (Brazil)

If you are in Brazil, you have the right to:

  • Confirmation of the existence of processing
  • Access to your data
  • Correction of incomplete or inaccurate data
  • Anonymization, blocking, or deletion of unnecessary or excessive data
  • Portability of your data
  • Deletion of data processed with your consent
  • Information about third parties with whom data has been shared
  • Revocation of consent

9.4 Exercising Your Rights

To exercise any of these rights, contact us at privacy@commet.co. We will respond within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

10. Cookies

We use cookies and similar technologies for:

Type | Purpose
Essential | Authentication and session management
Analytics | Understanding usage patterns and improving the Service
Preferences | Remembering your settings

We do not use advertising or tracking cookies. We do not respond to Do Not Track (DNT) browser signals.

You can control cookie preferences through your browser settings. Disabling essential cookies may affect platform functionality.

11. Data Processing Addendum

For Sellers who process personal data of EU/EEA individuals through the Service, a Data Processing Addendum (DPA) is available upon request. The DPA complies with GDPR Article 28 requirements and includes Standard Contractual Clauses.

Contact legal@commet.co to request a DPA.

12. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the platform. The "Last Updated" date at the top reflects the most recent revision. Continued use of the Service after changes constitutes acceptance.

14. Contact

For questions about this Privacy Policy or to exercise your data rights:

  • Email: privacy@commet.co
  • General legal inquiries: legal@commet.co
