Privacy Policy

Last updated: 29 June 2026

Commazaar ("we", "us", or "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have. It applies when you use our website, mobile applications, and related services (together, the "Services").

1. Who we are

Commazaar operates a rewards platform for consumers and partner businesses across Europe. For the purposes of applicable data protection law, Commazaar is the data controller responsible for your personal data collected through the Services.

General enquiries: [email protected]
Privacy and data protection: [email protected] (subject line: Privacy)

2. Scope of this policy

This policy covers personal data we process when you visit our website, create or use a Commazaar account, join our waitlist, manage your notification preferences, contact us, or otherwise interact with the Services.

It also covers personal data in emails and other communications we send you that link to this policy. If you use the Commazaar app or additional features after launch, we may provide supplementary notices where those features involve additional data processing.

3. Personal data we collect

Depending on how you use the Services, we may collect the following categories of personal data:

Identity and contact data: email address, name (if provided), country or region, and language preferences.
Account and authentication data: account identifiers, sign-in method (such as email magic link or Google), and security-related logs.
Waitlist and preference data: whether you have joined a waitlist, your notification preferences, and records of consent or opt-out.
Usage and device data: IP address, browser type, device type, operating system, pages viewed, referral source, and similar technical information collected through cookies and similar technologies.
Communications data: messages you send us and our correspondence with you.
Rewards and transaction data (when the Services are live): offer activity, receipt images or e-receipt data you submit, redemption history, and related purchase information needed to validate rewards.
Marketing interaction data: whether you opened or clicked links in our emails, and your marketing preferences.

4. How we collect personal data

We collect personal data from the following sources:

Directly from you when you sign up, join the waitlist, update preferences, contact support, or use features of the Services.
Automatically when you use our website or app, including through cookies, pixels, and similar technologies.
From authentication providers when you choose to sign in with a third party (such as Google), subject to your settings with that provider.
From reward and retail partners, where necessary to validate offers and process rewards when the Services are live.
From service providers that help us operate the Services, such as hosting, analytics, email delivery, and fraud prevention providers.

5. How we use your personal data

We use personal data for the following purposes:

Creating and managing your account, including authentication and security.
Operating the waitlist and telling you when Commazaar becomes available in your area.
Providing rewards, verifying purchases, processing redemptions, and personalising offers when the Services are live.
Sending service-related communications, such as sign-in links, security alerts, and important updates about your account or the Services.
Sending marketing and promotional communications about Commazaar, including launch announcements, product news, and offers, where permitted by law and in line with your preferences.
Understanding how the Services are used, improving performance, developing new features, and conducting analytics.
Preventing fraud, abuse, and security incidents, and enforcing our terms.
Complying with legal obligations and responding to lawful requests.
Establishing, exercising, or defending legal claims.

6. Email communications and marketing

When you create a Commazaar account or join our waitlist, you provide your email address so we can communicate with you. This includes essential messages we need to send you to provide the Services, such as magic-link sign-in emails and important account notices.

Where you agree to our Terms of Service and this Privacy Policy at sign-up, you also consent to receive marketing and promotional emails from us about Commazaar, including regional launch updates, product news, partner offers, and similar communications. You can withdraw this consent at any time.

You can manage launch and marketing email preferences through your notification preferences page, by using the unsubscribe link in any marketing email, or by contacting us at [email protected]. Withdrawing marketing consent does not affect the lawfulness of processing before withdrawal, and we may still send you non-marketing messages necessary to provide the Services or comply with law.

We do not sell your email address to third parties for their own marketing. We may use email service providers to deliver messages on our behalf under strict contractual terms.

7. Legal bases for processing (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases:

Performance of a contract: to create and manage your account and provide the Services you request.
Legitimate interests: to secure and improve the Services, prevent fraud, understand usage, and send proportionate service communications, balanced against your rights.
Consent: for non-essential cookies, certain analytics, and marketing emails where required. You may withdraw consent at any time.
Legal obligation: where we must retain or disclose data to comply with applicable law.
Vital interests or public interest: only where strictly necessary and permitted by law.

8. Who we share personal data with

We do not sell your personal data. We share personal data only as described below and require recipients to protect it appropriately.

Service providers (processors) that help us host infrastructure, send emails, authenticate users, analyse usage, provide customer support, and prevent fraud.
Reward, retail, and brand partners, where necessary to validate offers, attribute rewards, and operate partner campaigns when the Services are live.
Professional advisers such as lawyers, accountants, and insurers, where required.
Authorities, regulators, courts, or law enforcement when required by law or to protect rights, safety, and security.
Successors in the event of a merger, acquisition, or reorganisation, subject to appropriate safeguards.

9. International transfers

We are established in Europe and aim to process personal data within the European Economic Area and other jurisdictions with adequate protections where possible.

If we transfer personal data outside the EEA, UK, or Switzerland, we use appropriate safeguards such as adequacy decisions, Standard Contractual Clauses, or equivalent mechanisms required by applicable law. You may contact us for more information about these safeguards.

10. Data retention

We keep personal data only for as long as necessary for the purposes described in this policy, including:

Account and waitlist data: for as long as your account is active or you remain on the waitlist, plus a reasonable period afterwards unless you ask us to delete it sooner (subject to legal exceptions).
Marketing records: for as long as needed to respect your preferences and demonstrate consent or opt-out, and as required by law.
Security and fraud logs: for a limited period appropriate to security needs.
Legal, tax, and compliance records: for the period required by applicable law.

When data is no longer needed, we delete or anonymise it.

11. Your rights

Depending on where you live, you may have the following rights in relation to your personal data:

Access: request a copy of the personal data we hold about you.
Rectification: ask us to correct inaccurate or incomplete data.
Erasure: ask us to delete your data in certain circumstances.
Restriction: ask us to limit how we use your data in certain circumstances.
Portability: receive your data in a structured, commonly used, machine-readable format where applicable.
Objection: object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
Withdraw consent: where processing is based on consent, withdraw it without affecting prior lawful processing.
Complaint: lodge a complaint with your local data protection supervisory authority.

12. How to exercise your rights

To exercise your rights, email [email protected] with the subject line "Privacy request" and tell us what you would like us to do. We may need to verify your identity before responding. We aim to respond within one month, or longer where permitted by law for complex requests.

If you are unhappy with our response, you have the right to complain to the data protection authority in your country of residence, place of work, or where you believe an infringement occurred.

13. Cookies and similar technologies

We use cookies and similar technologies to operate the website, remember preferences, measure performance, and, where you consent, understand how visitors use the Services.

Essential cookies are necessary for core functionality such as security and locale selection. Non-essential cookies, including analytics cookies, are used only with your consent where required by law. You can manage preferences through our cookie settings and your browser controls.

For more detail about the cookies we use and how to change your choices, use the cookie settings link in our website footer.

14. Security

We implement appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

15. Children

The Services are not directed at children under 18, and we do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will take appropriate steps to delete it.

16. Automated decision-making

We do not use automated decision-making that produces legal or similarly significant effects on you without appropriate safeguards, except where permitted by law and disclosed to you.

17. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on our website and update the "Last updated" date. Where required by law, we will notify you by email or through the Services.

We encourage you to review this policy periodically. Continued use of the Services after changes take effect constitutes acknowledgement of the updated policy, subject to your rights under applicable law.

18. Contact us

If you have questions about this Privacy Policy or how we handle personal data, contact us at [email protected].