Privacy Notice

Symos Ltd is the data controller for personal data processed through Commly Professional. Symos Ltd is registered in England and Wales, Company No. 17165346. Registered office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ. Contact: admin@symos.net

Commly Professional is designed around a privacy-first architecture intended to minimise retention of user communication content.

User-submitted communication is processed transiently for real-time AI assistance and is not persisted within Commly's primary systems.

• —Communication content you submit is processed in volatile memory only. It is not written to any database, file store, or log.
• —Content is discarded immediately once your result is returned. Nothing persists beyond the active request.
• —Your content is not used to train, fine-tune, or evaluate any AI model.
• —Google Gemini processes your input solely to generate your response. Our API usage terms restrict retention of input data for training purposes.

All AI outputs are drafts. You are responsible for reviewing, editing, and approving any content before use in a professional, clinical, legal, or interpersonal context.

• —Account data: your email address, used exclusively for authentication and account management.
• —Billing data: processed exclusively by Stripe. Symos Ltd does not store, receive, or have access to payment card details at any point.
• —Module entitlements: a record of which capabilities your subscription grants access to.
• —Operational logs: anonymised performance metrics, authentication events, and billing transaction records only. No communication content is included.
• —Communication content: not collected. Processed transiently in volatile memory and discarded immediately. See AI Processing Transparency above.

Supabase provides authentication infrastructure and module entitlement management for Commly Professional. Its role is specifically limited to:

• —User authentication — verifying your identity when you sign in.
• —Session management — maintaining your login state securely.
• —Module entitlements — recording which capabilities your subscription provides access to.

Supabase does not receive, process, or store your communication content at any point.

System logging is restricted to the minimum necessary for security and billing operations:

• —Authentication events — sign-in, sign-out, and session management.
• —Billing and subscription transaction records.
• —Anonymised system performance and error monitoring.

No communication content is ever included in operational logs.

• —Supabase: authentication session management and module entitlement records only.
• —Stripe: PCI DSS Level 1 certified payment processor. Handles all billing data independently.
• —Google Gemini API: AI language processing for communication analysis. Input is not retained for training purposes under our API usage terms.
• —Netlify: application hosting and edge delivery. Processes request metadata only.

• —Contract performance: to provide the service you subscribe to, including authentication and module access.
• —Legitimate interests: operational security, fraud prevention, and service performance monitoring.
• —Legal obligation: financial record-keeping as required by UK law.

• —Account data is retained for the duration of your active subscription plus 12 months.
• —Billing records are retained for 7 years as required by UK financial regulation.
• —Communication content is never retained. It exists only transiently during active request processing.

You have the right to access, rectify, erase, restrict, or port your personal data. You also have the right to object to processing and to withdraw consent where consent is the legal basis for processing.

To exercise any of these rights, contact admin@symos.net. We will respond within 30 days as required by law.

If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

We will notify active users of material changes to this Privacy Notice by email. Continued use of the service following notification constitutes acceptance of the updated notice.