Commish Privacy Policy & Data Handling

Last Updated: October 2025
Legal Entity: Commish, LLC, registered in Brewster, MA

I. Our Commitment to Trust and Data Security

At Commish, we believe trust is the highest form of currency. This Privacy Policy details exactly how we collect, use, store, and protect your data. It is designed to comply with global regulations (including GDPR and CCPA) and is integrated with our Terms of Service.

II. Data We Collect & Why

We collect data necessary to perform our core function: facilitating commission-based sales and ensuring legal compliance.

Data Category
Account Data

Specific Data Points Collected
Full Legal Name, Email Address, Password (hashed), Date of Birth, User ID.

Purpose / Why We Collect It
Identity verification, Account access, Age compliance (18+ affirmation).

Storage Location & Compliance
Firebase Auth & Supabase Database (Securely Hashed)

Data Category
Financial/KYC Data

Specific Data Points Collected
Bank Account/Routing Number, Tax ID (EIN or SSN), Legal Business Address.

Purpose / Why We Collect It
Mandatory for Payouts. To comply with AML/KYC regulations and facilitate tax reporting (e.g., issuing 1099s).

Storage Location & Compliance
Stripe Connect (Stored only by Stripe; Commish does not touch or store sensitive banking details).

Data Category
Transactional Data

Specific Data Points Collected
Order ID, Purchase Price, Commission Earned, Refund Status, Net Terms Due Dates.

Purpose / Why We Collect It
Core Business Function. To facilitate payment splits, enforce the 14-day refund window, and provide transparent accounting.

Storage Location & Compliance
Supabase Database (PostgreSQL)

Data Category
Activity & Attribution

Specific Data Points Collected
Referral Code used, Clicks on links, Geolocation (city/state level) based on IP at purchase.

Purpose / Why We Collect It
Attribution & Optimization. To calculate perpetual commissions, credit the correct Partner/Seller, and provide sales analytics to Businesses.

Storage Location & Compliance
Supabase Database (PostgreSQL)

Data Category
User-Generated Content (UGC)

Specific Data Points Collected
Product descriptions, Seller profiles, Reviews, Profile Photos.

Purpose / Why We Collect It
Platform operation, content promotion, and marketplace display.

Storage Location & Compliance
Supabase Database/Storage

III. Data Sharing & Third-Party Processors

We do not sell your personal data to third parties for advertising purposes. Data is only shared with partners essential to providing the Commish service:

IV. Your Rights & Data Removal Process

You maintain full rights over your data. Requests must be sent to the official Privacy Contact: privacy@commish.co

User Right
Right to Access/Portability

Description
The right to receive a copy of all personal data held about you.

Technical Process (Supabase/Stripe)
Data is exported from Supabase Database and provided in a standard format (JSON/CSV).

User Right
Right to Rectification

Description
The right to correct inaccurate or incomplete personal information.

Technical Process (Supabase/Stripe)
User data is updated directly in Supabase Auth and the primary user table.

User Right
Right to Erasure (Deletion)

Description
The right to request the deletion of your personal data ("Right to Be Forgotten").

Technical Process (Supabase/Stripe)
Anonymization: Data critical for financial/tax records (e.g., transaction amounts, Order IDs) is anonymized and retained for legal audit purposes. All personally identifiable information (Name, Email, Address, etc.) is permanently removed from the Supabase Database and deletion is requested from Stripe.

V. Security and Protection Measures

We employ industry-standard measures to protect your data across our stack: