TL;DR
- Any data your end users provide through the Komo Engagement Engine is your data — Komo does not claim ownership of it.
- You control what is collected, how consent is presented, and how that data is used; Komo processes and stores data on your behalf to deliver the platform.
- Komo keeps data secure and only shares it with sub-processors required to run the service.
- Marketing communications require explicit opt-in before any message is sent.
Contents
- Roles and ownership
- What data is collected
- How data is collected
- How data is used
- Storage and retention
- Access, export, and deletion
- Sharing and sub-processors
- Cookies and consent
- Security
- Compliance and legal
- Contact
Roles and ownership
Who owns the data?
Who owns the data?
Any data captured on the Komo Engagement Engine is owned by you, not Komo. We do not place any rights on the data other than what is required to deliver the service under our Terms of Service.You represent and warrant that you have obtained all necessary rights and permissions to collect and use the data you submit to the platform.
What is Komo's role vs ours as data controller?
What is Komo's role vs ours as data controller?
In general, you decide what personal data to collect, the legal basis for collection, and how end-user data is used for your campaigns and communications. Komo processes that data on your behalf to operate the Engagement Engine — hosting, delivery, support, security, and integrations you configure.The relationship is governed by our Terms of Service and, where applicable, a Data Processing Agreement (DPA). This FAQ is general guidance only; your legal team should confirm roles and obligations for your jurisdiction and use case.
Does Komo sell or license our end-user data?
Does Komo sell or license our end-user data?
No. Komo does not sell, rent, or license your Customer Data to third parties for their own marketing or data enrichment purposes. Data is processed solely to deliver the services covered under our Terms of Service.
Can Komo staff access our data?
Can Komo staff access our data?
Komo personnel may access Customer Data only when authorised and typically only to resolve a support issue. All Komo staff are bound by confidentiality obligations and NDAs. See Are Komo staff under an NDA? in Security.
What data is collected
What types of data can Komo collect on our behalf?
What types of data can Komo collect on our behalf?
Komo collects only the data you configure the platform to capture. This typically falls into:
- Identity and contact details — name, email address, mobile number, and any contact properties you create (e.g. date of birth, postcode, favourite team).
- Competition and form responses — answers submitted through data capture forms, including free-text responses, poll and quiz answers, and receipt uploads.
- Engagement and behavioural data — card interactions, game progress, badge achievements, hub visits, and entry history tied to a contact profile.
- Consent records — terms and conditions acceptance, communication subscription opt-ins, and cookie consent preferences.
- Technical metadata — IP address, timestamps, and device/session information used for fraud prevention, analytics, and platform operation.
What is the difference between anonymous, identified, and authenticated contacts?
What is the difference between anonymous, identified, and authenticated contacts?
Komo classifies end users based on what they have shared:
- Anonymous — visited your Engagement Hub but has not provided identifying information.
- Identified — the end user has supplied identifying information (for example through a public data capture form), but Komo has not verified who they are. There is no email validation at this stage, and this is not the same as Authenticated (account login or SSO). Think of a standard competition or form submission where someone enters their details without proving their identity.
- Authenticated — created an account within your Engagement Hub and completed the required profile fields.
How data is collected
How does Komo collect data from our end users?
How does Komo collect data from our end users?
Data is collected when end users interact with your Engagement Hub and the experiences you configure:
- Data capture forms — attached to competitions, games, polls, and other cards. You configure the fields, required status, and consent checkboxes for each form. See Data Capture.
- Account registration and profiles — when authentication is enabled, users can create accounts and build profiles over repeat visits.
- Passive engagement tracking — card views, completions, and gameplay events are recorded against a session or contact profile for analytics and personalisation.
- Integrations — data can flow to or from external systems (CRM, email platforms, tag managers) based on rules and filters you configure. See Integrations & Tag Management.
Can we control exactly what we ask for on each form?
Can we control exactly what we ask for on each form?
Yes. Every data capture form is fully configurable. You can:
- Add, remove, and reorder fields using existing contact properties or create new ones.
- Mark fields as required or optional.
- Attach your terms and conditions to a mandatory T&Cs acceptance checkbox.
- Add communication subscription consent fields for marketing opt-in.
- Set a default data capture form at the Hub level and override it per card where needed.
How data is used
How does Komo use the data we collect?
How does Komo use the data we collect?
Komo uses Customer Data only to:
- Operate and deliver the Engagement Engine (competitions, communications, CRM, analytics, and integrations you configure).
- Provide customer support when you or your end users raise an issue.
- Maintain platform security, monitor performance, and prevent fraud.
- Comply with legal obligations.
How can we use the data we collect?
How can we use the data we collect?
As the data owner, you decide how to use the first-party data captured through Komo — for example:
- Segmenting contacts and running prize draws.
- Sending marketing communications to opted-in subscribers.
- Syncing opted-in contacts to external CRMs and email platforms via workflows and integrations.
- Exporting data for reporting, fulfilment, or transfer to your own systems.
Storage and retention
Where is our data stored?
Where is our data stored?
Customer Data — the data your end users submit through the platform, including contacts, entries, form responses, and engagement history — is stored on infrastructure provided by Google LLC in one of the following data regions.US1 and AU1 are platform data regions. They determine which admin portal you use, which country your data is stored in and how your published Engagement Hub URLs are routed — not where Customer Data is physically stored:
- US1 — admin portal at app.us1.komo.cloud; published sites use
*.komo.siteor*.us1.komo.site - AU1 — admin portal at app.au1.komo.cloud; published sites use
*.au1.komo.site
How long is data retained?
How long is data retained?
You control retention of your Customer Data during your subscription. You can export or delete contacts at any time from the Komo portal — see Access, export, and deletion.After a subscription ends, you may export Customer Data for up to 30 days using the platform’s export features. Komo may retain automated backup copies for up to 30 days from creation before they are destroyed.You are solely responsible for meeting your own data retention obligations under applicable law.
Access, export, and deletion
How can we access and export our data?
How can we access and export our data?
You can access your data at any time through the Komo portal:
- Contacts — view, search, filter, and export your full contact list as CSV. See Contacts.
- Entries — export competition entry data including form responses and consent status. See Entry Management.
- Integrations — push data to external CRMs, webhooks, and automation tools based on rules you define.
Can we delete end-user data?
Can we delete end-user data?
Yes. You can delete individual contacts or bulk-delete from the Contacts area. Deletion is permanent and cannot be undone.Komo will not modify User data except as agreed with you in writing.
How do end-user access or deletion requests work?
How do end-user access or deletion requests work?
If an end user contacts Komo directly with a data access, correction, or deletion request (for example under GDPR or CCPA), Komo will promptly notify you unless required by law to act otherwise. You, as the organisation that collected the data, action the request through the portal — export, update, or delete the relevant contact or entry records.For privacy or DPA questions about this process, contact [email protected].
Sharing and sub-processors
Does Komo share our data with anyone else?
Does Komo share our data with anyone else?
Who are Komo's sub-processors?
Who are Komo's sub-processors?
The following third-party sub-processors may process data in connection with the Komo platform. Optional services are only engaged when you enable the relevant feature.For the current list, see komo.trust.site/subprocessors. Annex 1 of our Terms of Service is also authoritative.
This summary may be updated from time to time. Always refer to the live sub-processor list or Annex 1 of the Terms of Service for the current version.
| Sub-processor | Purpose | Applicable service | Location |
|---|---|---|---|
| Google, LLC | Hosting & infrastructure — server and data hosting | Core platform | United States |
| Cloudflare, Inc. | Content delivery network — web infrastructure, security, DDoS mitigation, DNS | Core platform | United States (global data centres; traffic routed to nearest) |
| PostHog Inc. | Product analytics and in-app behaviour insights | Core platform | United States |
| DataDog, Inc. | Infrastructure monitoring — uptime, performance, security | Core platform | United States |
| HubSpot | CRM, customer support, and marketing website | Komo internal operations | United States |
| Stripe | Online payments | Billing | United States |
| Sprinto | Security and compliance monitoring | Komo internal operations | United States |
| Xero | Accounting | Komo internal operations | Australia |
| OpenAI | AI language-model inference | Optional AI features | United States (optional) |
| Twilio, Inc. | SMS sending | Optional SMS communications | United States (optional) |
| ActiveCampaign, LLC | Email sending via Postmark (transactional and broadcast) | Optional email communications | United States (optional) |
Cookies and consent
How does opt-in work on the Komo platform?
How does opt-in work on the Komo platform?
Komo provides layered consent controls so you can align collection and communications with your privacy policy and legal requirements. Consent is managed at three levels:
- Hub-level cookie and privacy consent — enable a cookie consent banner in your Hub’s GDPR settings. End users see this when they first load the Engagement Hub and can accept or manage preferences before engaging with content.
- Form-level consent for data collection — every data capture form supports a mandatory terms and conditions acceptance checkbox, linked to your uploaded T&Cs. You can add additional required or optional fields for specific consents.
- Marketing opt-in via Communication Subscriptions — create workspace-level Communication Subscriptions and add them to your forms. End users must explicitly opt in before they can receive marketing emails. Marketing communications cannot be sent to contacts who have not subscribed. Transactional email and SMS subscription controls are evolving — see the Communication Subscriptions FAQ for current scope.
Can we show a cookie consent banner on an Engagement Hub?
Can we show a cookie consent banner on an Engagement Hub?
Does Komo integrate with cookie consent providers?
Does Komo integrate with cookie consent providers?
Does Komo use cookies?
Does Komo use cookies?
We want to enrich profiles with first-party data — how does consent fit?
We want to enrich profiles with first-party data — how does consent fit?
Komo is designed for zero- and first-party data collection — data your end users voluntarily provide through engagement, not third-party data appended without their knowledge.A typical approach for building richer profiles while staying consent-aligned:
- Start with low-friction engagement — polls, games, and quizzes that do not require personal data, building anonymous engagement first.
- Gate deeper data behind explicit consent — use data capture forms with T&Cs acceptance when you need identifying information for competitions or rewards.
- Separate competition consent from marketing consent — require T&Cs for entry, but treat marketing as a distinct, optional Communication Subscription checkbox that end users must actively tick.
- Layer data over time — as identified contacts return to your Hub, badges, profiles, and repeat entries add engagement data to existing contact records without re-asking for information they have already provided.
- Respect subscription status in integrations — when syncing to external CRMs or email platforms, use workflow filters so only contacts with active subscription consent are transferred. See Mailchimp Contact Sync for an example.
How have other customers approached opt-in and consent?
How have other customers approached opt-in and consent?
While every organisation’s legal requirements differ, common patterns we see across Komo customers include:
- Opt-in first for marketing — rather than collecting data and relying on opt-out, customers use Communication Subscriptions so marketing emails are only sent to contacts who have explicitly opted in. This is the platform default for marketing communications.
- Reusable workspace-level subscriptions — consent fields are created once at the workspace level and added to forms across multiple campaigns, ensuring consistent consent language and auditability.
- Separate subscriptions for different channels — distinct opt-ins for email, SMS, and other channels, each with its own label and description visible on the communications preference page.
- Hub-level cookie consent plus form-level T&Cs — a cookie banner on first visit, combined with mandatory T&Cs acceptance on competition entry forms.
- OneTrust integration — customers with existing cookie consent programmes connect OneTrust Cookie Consent to their Hub for a consistent consent experience across their web properties.
- Filtered CRM syncs — integrations and workflows are configured to sync only contacts who meet specific consent criteria (e.g. active email subscription), so external systems receive only appropriately consented data.
Security
How does Komo protect our data?
How does Komo protect our data?
Komo implements commercially reasonable technical and organisational security measures, including:
- Encryption of data in transit and at rest
- Access controls limiting Komo personnel access to authorised support scenarios — see Can Komo staff access our data?
- Regular third-party penetration testing, code review, and grey-box testing
- Security and compliance monitoring via sub-processors such as Sprinto and DataDog
- Internal policies covering physical access, IT asset management, and data handling
Do you regularly conduct penetration tests?
Do you regularly conduct penetration tests?
Yes. Komo engages third-party security experts to conduct penetration tests against our software. We also conduct code review and grey-box testing. See How does Komo protect our data? for our broader security programme.
Do you have a physical data security policy?
Do you have a physical data security policy?
Yes. We maintain several policies covering physical access and control of data and IT systems, including an IT Asset Register, IT Asset Decommissioning Policy, Physical Data Policy, and Technology Equipment Agreement.
Are Komo staff under an NDA?
Are Komo staff under an NDA?
Yes. All Komo staff are required to commit to confidentiality obligations and an NDA. For when staff may access Customer Data, see Can Komo staff access our data?.
Compliance and legal
Where are Komo's Terms of Service?
Where are Komo's Terms of Service?
Komo maintains separate Terms of Service for Australia/New Zealand and US/International customers. Use the version that matches your contract and region:The sub-processor list is in Annex 1 of the Terms of Service. The live sub-processor list on our trust site may also be useful.
Where is Komo's Privacy Policy?
Where is Komo's Privacy Policy?
Komo maintains separate Privacy Policies for Australia/New Zealand and US/International customers. Use the version that matches your contract and region:
Where can we find trust and security documentation?
Where can we find trust and security documentation?
Our trust centre is available at https://komo.trust.site. It includes security, compliance, and privacy documentation — including the sub-processor list — that may be useful when sharing information with your legal or policy teams.
Are you GDPR compliant?
Are you GDPR compliant?
Yes. Komo complies with EU GDPR obligations, including Standard Contractual Clauses for international data transfers from the EU. For how end-user access and deletion requests are handled, see How do end-user access or deletion requests work?.
Are you CCPA compliant?
Are you CCPA compliant?
Yes. Komo complies with the California Consumer Privacy Act (CCPA). End-user requests directed to Komo are routed to you as described in How do end-user access or deletion requests work?.
Will Komo sign a Data Processing Agreement (DPA)?
Will Komo sign a Data Processing Agreement (DPA)?
Yes. Komo is happy to sign a DPA — please send agreements to [email protected] for review.
Contact
Whom do we contact for data and privacy questions?
Whom do we contact for data and privacy questions?
Email [email protected] for privacy, DPA, and data processing questions. For platform support, contact [email protected].