Skip to main content
Commlo

Privacy Policy

Last updated: February 2026

Commlo ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our commute planning platform.

Data Controller

The data controller responsible for your personal information is:

Commlo, Inc.
Oklahoma, United States

You can reach our data protection team at privacy@commlo.com.

Information We Collect

We collect information you provide directly to us, including:

  • Account information such as your name, email address, and password
  • Profile information including your professional details and brokerage affiliation
  • Address and location data you enter for commute estimates
  • Payment information processed securely through our third-party payment provider
  • Usage data such as search history, saved routes, and feature interactions

How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our commute planning services
  • Generate accurate transit time estimates and route recommendations
  • Process transactions and send related notifications
  • Send you technical notices, updates, and support messages
  • Respond to your comments, questions, and customer service requests
  • Monitor and analyze trends, usage, and activities on our platform

IP Address Hashing

For anonymous embed analytics (e.g., counting unique visitors to embedded commute widgets), we hash visitor IP addresses using SHA-256 with a daily-rotating random salt. Raw IP addresses are never stored. Because the salt changes every 24 hours, hashes from one day cannot be correlated with hashes from another day, making it impossible to track visitors over time. This mechanism is implemented in our edge functions.

Legal Basis for Processing

We process your personal data on the following legal grounds:

  • Contract performance: Processing necessary to provide our core commute planning services, manage your account, and fulfill our contractual obligations to you.
  • Legitimate interest: Processing for analytics, platform security, fraud prevention, and service improvement where our interests do not override your fundamental rights and freedoms.

Data Sharing

We do not sell your personal information. We may share your information in the following circumstances:

  • With service providers who assist in operating our platform
  • With transit data providers to generate accurate commute estimates
  • To comply with legal obligations or respond to lawful requests
  • To protect our rights, privacy, safety, or property
  • In connection with a merger, acquisition, or sale of assets

Sub-processors

We use the following third-party sub-processors to operate our platform:

  • Stripe — Payment processing and subscription management
  • Google Places API — Address autocomplete and geocoding
  • Supabase — Database hosting, authentication, and edge functions
  • Sentry — Error tracking and application monitoring
  • Cloudflare — Hosting, CDN, and DDoS protection
  • Resend — Transactional email delivery (invitations, notifications, digests)
  • OSRM (Open Source Routing Machine) — Driving and walking route calculations

Each sub-processor is contractually bound to process personal data only as necessary to provide their respective services and in accordance with applicable data protection laws.

Data Retention

We retain your personal information for as long as your account is active or as needed to provide you services. Specific retention periods are as follows:

  • Account data: Retained for the duration of your account plus 30 days following account deletion to allow for recovery
  • Reports: Shared commute reports expire and are automatically deleted after 30 days
  • IP hashes: Become un-correlatable after 24 hours due to daily salt rotation; historical hashes cannot be linked back to an IP address
  • Geocode cache: Cached address-to-coordinate lookups are retained indefinitely to improve service performance and reduce redundant API calls

You may request deletion of your account and associated data at any time. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Cookies and Local Storage

We do not use tracking cookies or any third-party advertising cookies. Our platform uses browser localStorage solely for the following purposes:

  • Authentication tokens: To keep you signed in across sessions
  • Theme preference: To remember your light/dark mode selection
  • Visitor identifier: A random, anonymous identifier used to track unique views on shared buyer pages. This identifier cannot be linked to your identity.

No personal data is shared with third parties through cookies or local storage mechanisms.

Your Rights

Depending on your location, you may have the following rights regarding your personal information:

  • Access and receive a copy of your personal data
  • Correct inaccurate or incomplete information
  • Request deletion of your personal data
  • Object to or restrict processing of your data
  • Data portability - receive your data in a structured format
  • Withdraw consent where applicable
  • Lodge a complaint with a supervisory authority if you believe your data protection rights have been violated (GDPR Article 77)

Children's Privacy

Our platform is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will take steps to delete such information promptly. If you believe that a child under 13 has provided us with personal information, please contact us at privacy@commlo.com.

International Data Transfers

Our sub-processors may process your data in the United States and other countries outside your jurisdiction. Where personal data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission or reliance on the recipient's participation in recognized data protection frameworks.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the platform and updating the "Last updated" date. Your continued use of the service after changes are posted constitutes acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

Contact

If you have questions about this Privacy Policy or our data practices, please contact us at privacy@commlo.com or visit our Contact page.