In this policy, Commento refers to the service offered by Commento, Inc. (the "Company" or "We") through the commento.io website (the "Service"). We sometimes refer to "You". "You" may be a visitor on one of our websites, a user of one or more of our services ("User" or "Customer"), or a visitor of a user's website embedding the service ("Visitor"). This document explains what information we collect through your access and use of our service and how we make use of this information.
What happens when you create an account?
When you create a new account as a user, your full name and email address will be collected. The email address will serve as your identity for all operations on the service. You will receive all important notifications such as confirmation emails, password reset links, billing invoices, payment reminders, and any updates to our policies and terms of service through this email address. Your email address will not be shared with any external entity or used for any other purpose.
We are required to take certain measures in order to prevent spammers from excessively creating new accounts. This is to prevent an unfair degradation of service to non-malicious users, which might arise from a consistent attack from spam bots or human spammers. Commento may use CAPTCHA, email verification, and other techniques to mitigate such issues, and may record your IP address at any point for blacklisting if found to be in violation.
What data do we collect?
We make it a policy to collect as little user information as possible to allow users of the service and visitors on other websites using the service to maintain internet privacy, and optionally, allow anonymity.
The service's user data collection is limited to the following:
- Creating an account as a customer: As described in the previous section, your full name and email address are collected.
- Entering payment information: We will collect payment information for the continued offering of the service at the expiration of the trial period. We use Stripe as the payments processor. No credit card information ever touches our servers — instead, Stripe, a PCI-compliant service (PCI Service Provider Level 1), will store the customer's payment details, providing us with a unique, secret token mapped to your information. This token is then associated with your account on our records and used for all transactions.
- Visiting a website embedding the service: As a visitor, if you are logged into our service, we will store a uniquely mapped cookie to automatically authenticate you on future visits; else, if you are not logged in, no cookies will be stored in your browser. Whenever you visit a website embedding the service, we log the time of visit and associate the record with your account if you are logged in. This is for imposing usage limits on customer accounts and providing basic analytics to customers. We do not embed any third-party scripts of any kind in websites using the service.
- Authenticating as a visitor of a website embedding the service: When you choose to authenticate yourself as a visitor on a website embedding the service, a unique, randomly generated token ("Session") will be stored as a cookie in your browser in order to remember you on future visits. Upon successfully authenticating yourself with an OAuth provider, all the information returned by the provider is stored and associated with your Session. This may include, but is not limited to, your full name, your email address, your photo, and a URL to your public profile. By authenticating yourself as a Visitor on a website embedding the service, you consent to allow the service to display all information except your email address publicly on all comments you create. This information will never be sold to advertisers, marketing agencies, or any other organization for user tracking or any other purpose.
- Communications with the company: All communications with the company, such as support requests, feature requests, bug reports, or any feedback may be saved by our staff. This information may also be displayed publicly with your approval (such as in the case of testimonials).
- Data Use: We do not have any advertising on our website. Any data that we do have will never be shared except under the circumstances described below in our Data disclosure policy. We do not do any analysis on the limited data we do possess with two exceptions:
Data storage: location, security, and reliability
The company uses the services of DigitalOcean to host all components in the United States. All care is taken to securely protect your data, including the encryption of all user data using a secret key accessible only to the employees of the company (your password is not accessible to anyone as it's cryptographically hashed). Backups of the entire database are regularly made in the event it is necessary to restore user data.
When a customer deletes a domain through the web dashboard interface, all information related to the domain (including user comments, voting data, and views) is permanently deleted from all servers. Deleted data may be retained in our backups for up to 14 days.
Data disclosure policy
We do not sell or rent data to any third party, including marketers, advertisers, and tracking agencies.
We may, however, use and disclose data as we believe necessary:
- under applicable law, or payment method rules;
- to enforce our terms and conditions;
- to protect our rights, privacy, safety or property, you or others;
- to respond to requests from courts, law enforcement agencies, regulatory agencies, and other public and government authorities, which may include authorities outside your country of residence.
We may, from time to time, contest court orders if there is a public interest in doing so. In such situations, the company will not comply with the court order until all legal or other remedies have been exhausted. Therefore, not all court orders may lead to data disclosure.
We reserve the right to review and change this policy from time to time. We will notify all customers about any such changes through the email address registered with us. Continued use of the service will be deemed as acceptance of such changes.
Because email communications are not always secure, please do not include credit card or other sensitive data (such as racial or ethnic origin, political opinions, religion, health, or the like) in your emails to us.