1. Who we are
CommStack (“CommStack,” “we,” “us,” or “our”) operates the commission-reconciliation application available at commstack.health. The data controller responsible for your personal information is [Legal Entity Name], located at [Company Address]. For any privacy questions, contact us at privacy@commstack.health.
2. Information we collect
Information you provide
- Account information — name, email address, password (stored only as a secure hash), and agency or organization details.
- Commission & reconciliation data — carrier statements, books of business (BOB), policy and member identifiers, commission amounts, and related documents you upload or import.
- Communications — messages you send to support and any disputes or notes you record in the app.
- Billing information — handled by our payment processor; we do not store full card numbers.
Information collected automatically
- IP address — we collect and process your IP address for security, fraud prevention, rate limiting, account-lockout protection, and approximate location.
- Device & usage data — browser type, operating system, pages viewed, referring URLs, timestamps, and interactions, collected via server logs and privacy-respecting analytics.
- Cookies & similar technologies — strictly necessary cookies for authentication and session management, plus optional analytics. See “Cookies” below.
3. How we use your information
- Provide, operate, and maintain the reconciliation service and your account.
- Process, match, and reconcile commission statements against your book of business.
- Authenticate logins, send verification and security codes, and prevent unauthorized access.
- Secure the platform — detect, investigate, and prevent fraudulent or abusive activity (this is where IP address and device data are used).
- Communicate with you about your account, service changes, and support requests.
- Comply with legal, regulatory, and contractual obligations.
- Improve and develop features using aggregated or de-identified data.
4. Legal bases for processing (EEA/UK)
Where the GDPR or UK GDPR applies, we rely on: performance of a contract (to deliver the service you sign up for), legitimate interests (to secure and improve the platform, balanced against your rights), consent (for optional analytics and marketing, which you may withdraw), and legal obligation (to meet our compliance duties).
5. How we share information
We do not sell your personal information. We share it only as described here:
- Service providers (sub-processors) — vendors who process data on our behalf under contract, including:
| Provider | Purpose | Data location |
|---|---|---|
| Supabase | Database, authentication, and storage | United States |
| Vercel | Application hosting and delivery | United States / global edge |
| Resend | Transactional email (verification & security codes) | United States |
| Upstash | Rate limiting and security throttling | United States |
- Legal & safety — when required by law, subpoena, or to protect the rights, property, or safety of CommStack, our users, or others.
- Business transfers — in connection with a merger, acquisition, or sale of assets, subject to this Policy.
6. Data retention
We retain personal information for as long as your account is active and as needed to provide the service. After account closure we delete or de-identify your data within [retention period, e.g. 90 days], except where longer retention is required for legal, tax, accounting, or dispute-resolution purposes. You may request deletion at any time (see “Your rights”).
7. Security
- Encryption in transit (HTTPS/TLS) and at rest for data stored with our infrastructure providers.
- Row-level security and least-privilege access controls on the database.
- Hardened HTTP security headers, a strict Content-Security-Policy, and HSTS.
- Server-side account-lockout with escalating delays to deter credential attacks.
- Passwords stored only as salted hashes; we never have access to your plaintext password.
No method of transmission or storage is 100% secure, but we work to protect your information using industry-standard safeguards.
8. Your privacy rights
Depending on where you live, you may have the right to:
- Access, correct, or delete your personal information.
- Port your data to another service.
- Object to or restrict certain processing, and withdraw consent.
- Opt out of the “sale” or “sharing” of personal information — we do not sell or share it for cross-context behavioral advertising.
- Not receive discriminatory treatment for exercising your rights (California / CPRA).
To exercise any right, email privacy@commstack.health. We will verify your request and respond within the timeframe required by applicable law (e.g. 30 days under GDPR, 45 days under CPRA).
9. Insurance & sensitive data
CommStack is designed to process commission and book-of-business data, not patient health records. You agree not to upload protected health information (PHI/ePHI) or other special-category data unless we have agreed in writing (including, where applicable, a Business Associate Agreement). You are responsible for ensuring you have the right to upload any carrier, policy, or member data you provide.
10. Cookies
We use strictly necessary cookies to keep you signed in and to protect against cross-site request forgery. With your consent, we may use analytics cookies to understand usage. You can control cookies through your browser settings; disabling necessary cookies may break authentication.
11. International data transfers
Our providers are located in the United States, so your information may be transferred to and processed there. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses for transfers out of the EEA/UK.
12. Children’s privacy
The service is intended for business users and is not directed to anyone under 18. We do not knowingly collect information from children.
13. Changes to this Policy
We may update this Policy from time to time. We will post the new version here with an updated “Last updated” date and, for material changes, notify you by email or in-app.
14. Contact us
Questions or requests? Email privacy@commstack.health or write to [Legal Entity Name], [Company Address].
This document contains bracketed placeholders (e.g. [Legal Entity Name], [Governing Jurisdiction]). Replace them with your finalized details and have the document reviewed by qualified legal counsel before publishing. CommStack provides this template for convenience and it is not legal advice.