COMM HERO

PRIVACY POLICY

Your privacy is critical to us. This policy explains how CommHero collects, uses, and protects your data.

Last Updated: October 21, 2025

Introduction

CommHero, Inc. ("CommHero," "we," "our," or "us") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our incident communication platform and related services (collectively, the "Services").

Our Services enable organizations to orchestrate multi-channel incident communications across email, Slack, Microsoft Teams, and other platforms. As a business-to-business (B2B) SaaS platform, we primarily process organizational and business contact data for incident management purposes. In providing these Services, we process personal data on behalf of our customers (as a data processor) and collect limited data directly from users who access our platform (as a data controller).

By using our Services, you consent to the collection, use, and disclosure of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our Services.

Scope: This Privacy Policy applies to information collected through our website at commhero.io, our web application, mobile applications, APIs, and any other services we provide.

Information We Collect

Account Information

When you create a CommHero account, we collect:

  • Full name and email address
  • Company or organization name
  • Job title and department
  • Phone number (optional)
  • Password (stored only as a salted one-way hash, never in plaintext)
  • Profile photo (optional)

Billing Information

For paid subscriptions, we collect:

  • Billing contact details
  • Payment card information (processed securely through our payment processor)
  • Billing address and tax identification numbers
  • Transaction history and invoices

Note: We do not directly store complete credit card numbers. Payment processing is handled by our PCI DSS-compliant payment processors.

Customer Data

When you use our Services, you may provide or we may collect:

  • Incident communication templates and content
  • Audience lists and contact information (names, email addresses, phone numbers)
  • Integration credentials for third-party services (Gmail, Office 365, Slack, Microsoft Teams)
  • Incident metadata including timestamps, severity levels, and incident descriptions
  • Communication logs and delivery status
  • Files, images, and attachments included in incident communications

Usage Information

We automatically collect information about how you use our Services:

  • Log data including IP addresses, browser type, and operating system
  • Device information including device type, unique device identifiers, and mobile network information
  • Pages visited, features used, and time spent on our Services
  • Referring and exit pages, clickstream data
  • API usage and performance metrics
  • Error logs and diagnostic information

Communications Data

When you communicate with us, we collect:

  • Support ticket content and correspondence
  • Feedback and survey responses
  • Email communications with our team
  • Chat transcripts from customer support interactions

How We Collect Information

Direct Collection

We collect information directly from you when you register for an account, configure settings, create incident templates, upload audience lists, integrate third-party services, submit support requests, or otherwise interact with our Services.

Automated Collection

We use cookies, web beacons, and similar tracking technologies to automatically collect usage information. This includes session cookies for authentication, persistent cookies for preferences, and analytics cookies to understand how users interact with our Services.

Third-Party Integrations

When you connect CommHero to third-party services (Gmail, Office 365, Slack, Microsoft Teams), we collect information through OAuth authorization flows and API connections. This may include:

  • Profile information from your connected accounts
  • Access tokens for sending messages on your behalf
  • Contact information from your organization's directory
  • Channel and workspace information from communication platforms

Analytics Providers

We use third-party analytics services to help us understand usage patterns and improve our Services. These providers may collect information about your interactions with our Services and other websites or applications.

How We Use Your Information

We use the information we collect for the following purposes:

Service Provision: To provide, maintain, and improve our incident communication platform, including processing and delivering incident communications across multiple channels on your behalf.
Account Management: To create and manage your account, authenticate users, process payments, and provide customer support.
Communications: To send you service-related notifications, updates about incidents you've created or are involved in, billing information, and responses to your inquiries.
Analytics and Improvement: To analyze usage patterns, monitor performance, identify and fix technical issues, and develop new features and functionality.
Security and Fraud Prevention: To detect, prevent, and respond to security incidents, fraudulent activity, and violations of our terms of service.
Legal Compliance: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
Marketing (with consent): To send you information about new features, updates, and promotional offers. You can opt out of marketing communications at any time.
Aggregated Data: To create anonymized, aggregated statistics about the use of our Services for benchmarking and industry analysis. This data cannot be used to identify individuals or organizations.

Data Processing Role: For Customer Data that you upload or process through our Services, CommHero acts as a data processor on your behalf. You remain the data controller and are responsible for ensuring you have appropriate rights and consents to process this data. We process Customer Data strictly according to your instructions and in accordance with our Data Processing Agreement.

Data Sharing and Third Parties

We do not sell, rent, or trade your personal information to third parties. We share your information only in the following circumstances:

Service Providers

We engage trusted third-party service providers to perform functions on our behalf, including:

  • Cloud infrastructure and hosting providers (AWS, Google Cloud, or similar)
  • Payment processors (third-party PCI DSS-compliant providers)
  • Email delivery services
  • Analytics providers (e.g., Google Analytics)
  • Customer support platforms
  • Security and monitoring tools

These service providers have access to your information only to perform specific tasks on our behalf and are obligated to protect your information and use it only for the purposes for which it was disclosed.

Communication Platforms

When you use our Services to send incident communications, we share data with the platforms you've connected (Gmail, Office 365, Slack, Microsoft Teams) solely for the purpose of delivering your communications. These platforms are governed by their own privacy policies.

Legal Requirements

We may disclose your information if required to do so by law or in response to:

  • Valid legal processes (subpoenas, court orders, warrants)
  • Requests from public and government authorities
  • National security or law enforcement requirements
  • Enforcement of our terms of service or other agreements
  • Protection of our rights, property, or safety, or that of our users or the public

Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred to the acquiring entity. We will notify you via email and/or prominent notice on our website before your information becomes subject to a different privacy policy.

With Your Consent

We may share your information with third parties when we have your explicit consent to do so.

Subprocessor Information: We work with carefully selected third-party service providers (subprocessors) who may have access to Customer Data. A list of subprocessors is available upon request, and we will notify customers of any material changes to our subprocessor list.

Data Security

We take the security of your data seriously and implement industry-standard technical and organizational measures to protect your information from unauthorized access, disclosure, alteration, and destruction.

Technical Safeguards

  • Encryption: Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using industry-standard algorithms.
  • Access Controls: We implement role-based access controls (RBAC) and the principle of least privilege to limit access to personal data.
  • Authentication: Password authentication is required for all accounts. Multi-factor authentication (MFA) is available for enhanced security, and Single Sign-On (SSO) via OAuth is supported.
  • Network Security: Our infrastructure includes firewalls and security monitoring to protect against unauthorized access.
  • Secure Development: We follow secure coding practices and conduct security reviews of our code.
  • Monitoring and Logging: We maintain activity logs and monitor for suspicious activities to detect potential security issues.

Organizational Safeguards

  • Employee Training: Team members receive security awareness training and are bound by confidentiality obligations.
  • Access Management: Access to sensitive systems and data is restricted to authorized personnel only.
  • Incident Response: We have established procedures for responding to and managing security incidents.
  • Vendor Management: Third-party service providers are evaluated for security practices and bound by appropriate agreements.

Compliance and Standards

  • SOC 2 Compliance: We are working towards a SOC 2 Type II attestation report and have implemented security controls aligned with the SOC 2 Trust Services Criteria. We expect to complete our first audit in the near future.
  • GDPR Compliance: We maintain compliance with the EU General Data Protection Regulation and implement appropriate technical and organizational measures to protect personal data.
  • CCPA Compliance: We comply with the California Consumer Privacy Act and CPRA requirements for applicable customers.
  • Data Processing Agreements: Available to all customers upon request, incorporating Standard Contractual Clauses for international data transfers.

Data Breach Notification: In the event of a security incident that affects your data, we will notify you without undue delay and notify relevant authorities as required by applicable law (for example, within 72 hours of becoming aware of a breach where the GDPR requires it). We will provide information about the nature of the breach, the data affected, and the steps we are taking to address the issue.

Limitations: While we implement robust security measures, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but continuously work to improve our security posture.

Data Retention

We retain your information for as long as necessary to provide our Services, comply with legal obligations, resolve disputes, and enforce our agreements.

Retention Periods

Account Information:

Retained for the duration of your account plus 90 days after account closure for backup and recovery purposes.

Customer Data:

Retention periods vary by subscription tier:

  • Free tier: 30 days of incident logs
  • Team tier: 1 year of audit logs
  • Business tier: 2 years of retention
  • Enterprise tier: Custom retention periods as agreed

You can export your data at any time before deletion.

Billing Information:

Retained for 7 years to comply with tax and accounting regulations.

Usage Logs:

Retained for 90 days for security monitoring and troubleshooting, then aggregated or deleted.

Support Communications:

Retained for 3 years to maintain support history and quality assurance.

Data Deletion

Upon termination of your account or subscription, we will delete or anonymize your Customer Data within 30 days, unless:

  • Longer retention is required by law (e.g., financial records, legal holds)
  • Data is needed for legitimate business purposes (e.g., fraud prevention, resolving disputes)
  • Data has been aggregated and anonymized for analytics purposes

Data Portability

You can export your data at any time through our platform. We provide data exports in common formats including JSON, CSV, and PDF. Contact our support team for assistance with bulk data exports.

Your Privacy Rights

Depending on your location and applicable law, you may have certain rights regarding your personal information.

GDPR Rights (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you have the following rights:

Right of Access:

Request confirmation of whether we process your personal data and obtain a copy of such data.

Right to Rectification:

Request correction of inaccurate or incomplete personal data.

Right to Erasure (Right to be Forgotten):

Request deletion of your personal data in certain circumstances.

Right to Restriction of Processing:

Request restriction of processing of your personal data in certain situations.

Right to Data Portability:

Request transfer of your data to another service provider in a machine-readable format.

Right to Object:

Object to processing of your personal data for direct marketing or other purposes based on legitimate interests.

Right to Withdraw Consent:

Where processing is based on consent, withdraw your consent at any time.

Right to Lodge a Complaint:

File a complaint with your local data protection authority if you believe your rights have been violated.

CCPA/CPRA Rights (California Residents)

If you are a California resident, you have the following rights:

Right to Know:

Request information about the categories and specific pieces of personal information we collect, use, disclose, and sell.

Right to Delete:

Request deletion of personal information we have collected from you, subject to certain exceptions.

Right to Opt-Out:

Opt out of the sale or sharing of your personal information. Note: CommHero does not sell personal information.

Right to Correct:

Request correction of inaccurate personal information.

Right to Limit Use of Sensitive Personal Information:

Limit the use and disclosure of sensitive personal information.

Right to Non-Discrimination:

Not be discriminated against for exercising your privacy rights.

We do not sell personal information and have not sold personal information in the past 12 months.

Exercising Your Rights

To exercise any of these rights, you may:

  • Access your account settings to update or delete certain information
  • Email us at privacy@commhero.io with your request
  • Submit a request through our privacy request form (available in your account settings)

We will respond to your request within 30 days (or as required by applicable law). We may need to verify your identity before processing your request.

Authorized Agents: California residents may designate an authorized agent to make requests on their behalf. We will require written proof of authorization and may require you to verify your identity directly with us.

Cookies and Tracking Technologies

We use cookies and similar tracking technologies to collect and track information and improve our Services.

Types of Cookies We Use

Essential Cookies:

Required for the platform to function. These include authentication cookies, security cookies, and load balancing cookies.

These cannot be disabled as they are necessary for the Services to work.

Functional Cookies:

Remember your preferences and settings, such as language preference, timezone, and UI customizations.

Analytics Cookies:

Help us understand how users interact with our Services. We use Google Analytics and similar tools to collect usage statistics.

Performance Cookies:

Collect information about how the Services perform and help us identify and fix issues.

Third-Party Tracking

We may use third-party analytics and tracking services such as:

  • Google Analytics or similar - for usage analytics and behavior tracking
  • Product analytics tools - for feature usage and product insights
  • Error tracking services - for monitoring application errors and performance
  • Customer support platforms - for support ticket management

These services may use cookies and other tracking technologies governed by their own privacy policies.

Managing Cookies

You can control cookies through:

  • Your browser settings - most browsers allow you to refuse cookies or alert you when cookies are being sent
  • Our cookie consent banner - manage your cookie preferences when you first visit our site
  • Cookie preference center - accessible from your account settings
  • Opt-out tools provided by analytics providers (e.g., Google Analytics Opt-out Browser Add-on)

Note: Disabling essential cookies may prevent you from using certain features of our Services.

Do Not Track

Some browsers have a "Do Not Track" feature. Currently, there is no industry standard for how to respond to Do Not Track signals. Our Services do not respond to Do Not Track signals at this time.

International Data Transfers

CommHero is based in the United States. If you are accessing our Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.

Data Storage Locations

We primarily store data in secure data centers located in the United States. We are building capabilities to offer data residency options in the EU and other regions as part of future enterprise offerings.

Transfer Mechanisms

For transfers of personal data from the EU/EEA to the United States and other countries, we rely on:

  • Standard Contractual Clauses (SCCs): We use the European Commission-approved Standard Contractual Clauses for data transfers and can incorporate them into customer agreements upon request.
  • Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission.
  • Data Processing Agreements: Our DPA is available upon request and includes appropriate safeguards for international data transfers.

Supplementary Measures

In addition to SCCs, we implement supplementary technical and organizational measures including:

  • Encryption of data in transit (TLS 1.2 or higher) and of data at rest
  • Strict access controls and authentication requirements
  • Regular security audits and assessments
  • Transparent government data request policies

UK Data Transfers

For transfers of personal data from the UK, we use the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses as approved by the UK Information Commissioner's Office.

Note: By using our Services, you acknowledge and consent to the transfer of your information to the United States and other countries as described in this Privacy Policy. If you do not consent to such transfers, you should not use our Services.

Children's Privacy

Our Services are not directed to individuals under the age of 16, and we do not knowingly collect personal information from children under 16. Our Services are designed for use by businesses and organizations, and we require users to be at least 16 years old or the age of majority in their jurisdiction, whichever is greater.

If you are a parent or guardian and believe that your child under 16 has provided us with personal information, please contact us at privacy@commhero.io. If we become aware that we have collected personal information from a child under 16 without verification of parental consent, we will take steps to delete that information.

For users in the EU, we do not knowingly collect personal information from children under 16 without parental consent as required by the GDPR.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes, we will update the "Last Updated" date at the top of this policy.

Material Changes: If we make material changes to how we process your personal information, we will provide notice through one or more of the following methods:

  • Sending an email to the email address associated with your account
  • Posting a prominent notice on our website and within our Services
  • Requiring you to accept the updated policy before continuing to use our Services

We will provide such notice at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

Your continued use of our Services after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the changes, you should discontinue using our Services and contact us to close your account.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

General Privacy Inquiries

Email: privacy@commhero.io

We will respond to your inquiry within 5 business days.

Privacy Team

Email: dpo@commhero.io

For GDPR-related inquiries and data subject requests.

Security Issues

Email: security@commhero.io

For reporting security vulnerabilities or incidents.

Supervisory Authority: If you are located in the EU/EEA, you have the right to lodge a complaint with your local data protection authority if you believe we have violated your privacy rights. Contact information for EU data protection authorities is available at https://edpb.europa.eu.

Additional Legal Resources

  • Terms of Service: review our terms and conditions for using CommHero
  • Data Processing Agreement: view our DPA and Standard Contractual Clauses
  • Security Practices: learn about our security measures and compliance program