> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.komo.tech/llms.txt
> Use this file to discover all available pages before exploring further.

# Data Privacy FAQ

> Learn what data Komo collects, how it is stored and used, who owns it, how to access or delete it, sub-processors, consent, and compliance.

## TL;DR

* Any data your end users provide through the Komo Engagement Engine is **your data** — Komo does not claim ownership of it.
* You control what is collected, how consent is presented, and how that data is used; Komo processes and stores data on your behalf to deliver the platform.
* Komo keeps data secure and only shares it with sub-processors required to run the service.
* Marketing communications require explicit opt-in before any message is sent.

### Contents

* [Roles and ownership](#roles-and-ownership)
* [What data is collected](#what-data-is-collected)
* [How data is collected](#how-data-is-collected)
* [How data is used](#how-data-is-used)
* [Storage and retention](#storage-and-retention)
* [Access, export, and deletion](#access-export-and-deletion)
* [Sharing and sub-processors](#sharing-and-sub-processors)
* [Cookies and consent](#cookies-and-consent)
* [Security](#security)
* [Compliance and legal](#compliance-and-legal)
* [Contact](#contact)

<Warning>
  Please note that the information and advice that Komo provides regarding privacy, consent, data processing, or any other matter of this nature is of a general basis only, and we suggest you seek your own legal advice specific to your needs.
</Warning>

## Roles and ownership

<AccordionGroup>
  <Accordion title="Who owns the data?">
    Any data captured on the Komo Engagement Engine is owned by **you**, not Komo. We do not place any rights on the data other than what is required to deliver the service under our [Terms of Service](/account-settings/faqs/data-privacy-faq#terms-of-service).

    You represent and warrant that you have obtained all necessary rights and permissions to collect and use the data you submit to the platform.
  </Accordion>

  <Accordion title="What is Komo's role vs ours as data controller?">
    In general, **you** decide what personal data to collect, the legal basis for collection, and how end-user data is used for your campaigns and communications. **Komo** processes that data on your behalf to operate the Engagement Engine — hosting, delivery, support, security, and integrations you configure.

    The relationship is governed by our Terms of Service and, where applicable, a Data Processing Agreement (DPA). This FAQ is general guidance only; your legal team should confirm roles and obligations for your jurisdiction and use case.
  </Accordion>

  <Accordion title="Does Komo sell or license our end-user data?">
    No. Komo does not sell, rent, or license your Customer Data to third parties for their own marketing or data enrichment purposes. Data is processed solely to deliver the services covered under our [Terms of Service](/account-settings/faqs/data-privacy-faq#terms-of-service).
  </Accordion>

  <Accordion title="Can Komo staff access our data?">
    Komo personnel may access Customer Data only when authorised and typically only to resolve a support issue. All Komo staff are bound by confidentiality obligations and NDAs. See [Are Komo staff under an NDA?](#security) in Security.
  </Accordion>
</AccordionGroup>

## What data is collected

<AccordionGroup>
  <Accordion title="What types of data can Komo collect on our behalf?">
    Komo collects only the data you configure the platform to capture. This typically falls into:

    * **Identity and contact details** — name, email address, mobile number, and any [contact properties](/crm/contacts/contact-properties/index) you create (e.g. date of birth, postcode, favourite team).
    * **Competition and form responses** — answers submitted through [data capture forms](/getting-started/hub-setup/data-capture/index), including free-text responses, poll and quiz answers, and receipt uploads.
    * **Engagement and behavioural data** — card interactions, game progress, badge achievements, hub visits, and entry history tied to a contact profile.
    * **Consent records** — terms and conditions acceptance, [communication subscription](/crm/communications/communication-subscriptions/index) opt-ins, and cookie consent preferences.
    * **Technical metadata** — IP address, timestamps, and device/session information used for fraud prevention, analytics, and platform operation.

    You decide which fields appear on each form and which are required. Komo does not automatically append third-party enrichment data to your contacts.
  </Accordion>

  <Accordion title="What is the difference between anonymous, identified, and authenticated contacts?">
    Komo classifies end users based on what they have shared:

    * **Anonymous** — visited your Engagement Hub but has not provided identifying information.
    * **Identified** — the end user has supplied identifying information (for example through a public data capture form), but Komo has not verified who they are. There is no email validation at this stage, and this is not the same as **Authenticated** (account login or SSO). Think of a standard competition or form submission where someone enters their details without proving their identity.
    * **Authenticated** — created an account within your Engagement Hub and completed the required profile fields.

    See [Contacts](/crm/contacts/index) for more detail on how contact profiles are built over time.
  </Accordion>
</AccordionGroup>

## How data is collected

<AccordionGroup>
  <Accordion title="How does Komo collect data from our end users?">
    Data is collected when end users interact with your Engagement Hub and the experiences you configure:

    * **Data capture forms** — attached to competitions, games, polls, and other cards. You configure the fields, required status, and consent checkboxes for each form. See [Data Capture](/getting-started/hub-setup/data-capture/index).
    * **Account registration and profiles** — when authentication is enabled, users can create accounts and build profiles over repeat visits.
    * **Passive engagement tracking** — card views, completions, and gameplay events are recorded against a session or contact profile for analytics and personalisation.
    * **Integrations** — data can flow to or from external systems (CRM, email platforms, tag managers) based on rules and filters you configure. See [Integrations & Tag Management](/integrations-automation/tag-management/index).

    Komo does not collect data independently of the experiences you publish. You are responsible for ensuring you have the appropriate legal basis and notices in place for the data you choose to collect.
  </Accordion>

  <Accordion title="Can we control exactly what we ask for on each form?">
    Yes. Every data capture form is fully configurable. You can:

    * Add, remove, and reorder fields using existing contact properties or create new ones.
    * Mark fields as required or optional.
    * Attach your [terms and conditions](/getting-started/resources/terms-conditions/index) to a mandatory T\&Cs acceptance checkbox.
    * Add [communication subscription](/crm/communications/communication-subscriptions/index) consent fields for marketing opt-in.
    * Set a [default data capture form](/getting-started/hub-setup/default-data-capture-form/index) at the Hub level and override it per card where needed.

    Nothing is collected through a form unless you have added the field and the end user submits it.
  </Accordion>
</AccordionGroup>

## How data is used

<AccordionGroup>
  <Accordion title="How does Komo use the data we collect?">
    Komo uses Customer Data only to:

    * Operate and deliver the Engagement Engine (competitions, communications, CRM, analytics, and integrations you configure).
    * Provide customer support when you or your end users raise an issue.
    * Maintain platform security, monitor performance, and prevent fraud.
    * Comply with legal obligations.

    Optional AI features process data only when you enable those features. Komo uses aggregated and anonymised platform data internally to improve the product. Komo does not use your Customer Data for Komo's own marketing to your end users.
  </Accordion>

  <Accordion title="How can we use the data we collect?">
    As the data owner, you decide how to use the first-party data captured through Komo — for example:

    * Segmenting contacts and running prize draws.
    * Sending [marketing communications](/crm/communications/communication-subscriptions/index) to opted-in subscribers.
    * Syncing opted-in contacts to external CRMs and email platforms via [workflows and integrations](/integrations-automation/workflows/triggers).
    * Exporting data for reporting, fulfilment, or transfer to your own systems.

    You must comply with your own privacy policy and all applicable laws governing how you use personal information.
  </Accordion>
</AccordionGroup>

## Storage and retention

<AccordionGroup>
  <Accordion title="Where is our data stored?">
    Customer Data — the data your end users submit through the platform, including contacts, entries, form responses, and engagement history — is stored on infrastructure provided by **Google LLC** in one of the following data regions.

    **US1** and **AU1** are platform data regions. They determine which admin portal you use, which country your data is stored in and how your published Engagement Hub URLs are routed — not where Customer Data is physically stored:

    * **US1** — admin portal at [app.us1.komo.cloud](https://app.us1.komo.cloud); published sites use `*.komo.site` or `*.us1.komo.site`
    * **AU1** — admin portal at [app.au1.komo.cloud](https://app.au1.komo.cloud); published sites use `*.au1.komo.site`

    Content is delivered globally via **Cloudflare, Inc.**, which routes traffic to the nearest edge data centre for performance. See [Sharing and sub-processors](#sharing-and-sub-processors) for how third-party providers fit into delivery and storage.

    Komo may disclose data to overseas service providers as described in our Terms of Service. We take reasonable steps to ensure data is handled in accordance with applicable privacy standards, including GDPR Standard Contractual Clauses and UK international data transfer mechanisms where applicable.

    Komo Technologies Pty Ltd is based in **Perth, Western Australia**.
  </Accordion>

  <Accordion title="How long is data retained?">
    You control retention of your Customer Data during your subscription. You can export or delete contacts at any time from the Komo portal — see [Access, export, and deletion](#access-export-and-deletion).

    After a subscription ends, you may export Customer Data for up to **30 days** using the platform's export features. Komo may retain automated backup copies for up to 30 days from creation before they are destroyed.

    You are solely responsible for meeting your own data retention obligations under applicable law.
  </Accordion>
</AccordionGroup>

## Access, export, and deletion

<AccordionGroup>
  <Accordion title="How can we access and export our data?">
    You can access your data at any time through the Komo portal:

    * **Contacts** — view, search, filter, and export your full contact list as CSV. See [Contacts](/crm/contacts/index).
    * **Entries** — export competition entry data including form responses and consent status. See [Entry Management](/interactive-features/features/entry-management/index).
    * **Integrations** — push data to external CRMs, webhooks, and automation tools based on rules you define.

    During your subscription and for up to 30 days after it ends, you can export Customer Data at no additional charge using the platform's existing export features.
  </Accordion>

  <Accordion title="Can we delete end-user data?">
    Yes. You can delete individual contacts or bulk-delete from the Contacts area. Deletion is permanent and cannot be undone.

    Komo will not modify User data except as agreed with you in writing.
  </Accordion>

  <Accordion title="How do end-user access or deletion requests work?">
    If an end user contacts Komo directly with a data access, correction, or deletion request (for example under GDPR or CCPA), Komo will promptly notify you unless required by law to act otherwise. **You**, as the organisation that collected the data, action the request through the portal — export, update, or delete the relevant contact or entry records.

    For privacy or DPA questions about this process, contact [privacy@komo.tech](mailto:privacy@komo.tech).
  </Accordion>
</AccordionGroup>

## Sharing and sub-processors

<AccordionGroup>
  <Accordion title="Does Komo share our data with anyone else?">
    Yes, but only with **sub-processors** engaged to deliver aspects of the platform, and only to the extent necessary to provide the services covered under the Terms of Service. Komo remains responsible for sub-processor handling of your data per our instructions.

    The authoritative sub-processor list is maintained on our [trust site](https://komo.trust.site/subprocessors) and in **Annex 1** of our Terms of Service. A summary table is below and may lag behind live updates.
  </Accordion>

  <Accordion title="Who are Komo's sub-processors?">
    The following third-party sub-processors may process data in connection with the Komo platform. Optional services are only engaged when you enable the relevant feature.

    For the current list, see [komo.trust.site/subprocessors](https://komo.trust.site/subprocessors). Annex 1 of our [Terms of Service](/account-settings/faqs/data-privacy-faq#terms-of-service) is also authoritative.

    | Sub-processor       | Purpose                                                                       | Applicable service            | Location                                                       |
    | ------------------- | ----------------------------------------------------------------------------- | ----------------------------- | -------------------------------------------------------------- |
    | Google, LLC         | Hosting & infrastructure — server and data hosting                            | Core platform                 | United States                                                  |
    | Cloudflare, Inc.    | Content delivery network — web infrastructure, security, DDoS mitigation, DNS | Core platform                 | United States (global data centres; traffic routed to nearest) |
    | PostHog Inc.        | Product analytics and in-app behaviour insights                               | Core platform                 | United States                                                  |
    | DataDog, Inc.       | Infrastructure monitoring — uptime, performance, security                     | Core platform                 | United States                                                  |
    | HubSpot             | CRM, customer support, and marketing website                                  | Komo internal operations      | United States                                                  |
    | Stripe              | Online payments                                                               | Billing                       | United States                                                  |
    | Sprinto             | Security and compliance monitoring                                            | Komo internal operations      | United States                                                  |
    | Xero                | Accounting                                                                    | Komo internal operations      | Australia                                                      |
    | OpenAI              | AI language-model inference                                                   | Optional AI features          | United States (optional)                                       |
    | Twilio, Inc.        | SMS sending                                                                   | Optional SMS communications   | United States (optional)                                       |
    | ActiveCampaign, LLC | Email sending via Postmark (transactional and broadcast)                      | Optional email communications | United States (optional)                                       |

    This summary may be updated from time to time. Always refer to the [live sub-processor list](https://komo.trust.site/subprocessors) or Annex 1 of the Terms of Service for the current version.
  </Accordion>
</AccordionGroup>

## Cookies and consent

<AccordionGroup>
  <Accordion title="How does opt-in work on the Komo platform?">
    Komo provides layered consent controls so you can align collection and communications with your privacy policy and legal requirements. Consent is managed at three levels:

    1. **Hub-level cookie and privacy consent** — enable a cookie consent banner in your Hub's [GDPR settings](/getting-started/hub-setup/hub-settings/index). End users see this when they first load the Engagement Hub and can accept or manage preferences before engaging with content.

    2. **Form-level consent for data collection** — every data capture form supports a mandatory **terms and conditions** acceptance checkbox, linked to your uploaded T\&Cs. You can add additional required or optional fields for specific consents.

    3. **Marketing opt-in via Communication Subscriptions** — create workspace-level [Communication Subscriptions](/crm/communications/communication-subscriptions/index) and add them to your forms. End users must **explicitly opt in** before they can receive marketing emails. Marketing communications cannot be sent to contacts who have not subscribed. Transactional email and SMS subscription controls are evolving — see the [Communication Subscriptions FAQ](/crm/communications/communication-subscriptions/index) for current scope.

    You configure the copy, required fields, and consent labels for each layer. Komo records consent status against each contact and entry, and this is visible in [Entry Management](/interactive-features/features/entry-management/index) and contact profiles.
  </Accordion>

  <Accordion title="Can we show a cookie consent banner on an Engagement Hub?">
    Yes. Enable a cookie consent banner in your Hub's **GDPR** settings tab. You can customise the banner copy, colours, and call-to-action buttons. End users see the banner when they first load the Engagement Hub. See [Hub Settings — GDPR](/getting-started/hub-setup/hub-settings/index).
  </Accordion>

  <Accordion title="Does Komo integrate with cookie consent providers?">
    Yes. Komo has a direct integration with **OneTrust Cookie Consent**, allowing you to connect your existing consent programme to your Engagement Hub. Komo is also open to exploring integrations with other providers — contact [privacy@komo.tech](mailto:privacy@komo.tech) to discuss.
  </Accordion>

  <Accordion title="Does Komo use cookies?">
    Yes. Komo uses cookies for the following purposes:

    * Remember users when returning to the Engagement Hub
    * Remember users who create an account so they do not have to re-enter information when entering competitions
    * Remember where a user got up to in a given game
    * Remember when a user has consented to a data and privacy consent form

    You must post a privacy policy on your Hub that provides notice of cookie use, and must not circumvent any opt-out mechanisms that are part of the platform.
  </Accordion>

  <Accordion title="We want to enrich profiles with first-party data — how does consent fit?">
    Komo is designed for **zero- and first-party data collection** — data your end users voluntarily provide through engagement, not third-party data appended without their knowledge.

    A typical approach for building richer profiles while staying consent-aligned:

    * **Start with low-friction engagement** — polls, games, and quizzes that do not require personal data, building anonymous engagement first.
    * **Gate deeper data behind explicit consent** — use data capture forms with T\&Cs acceptance when you need identifying information for competitions or rewards.
    * **Separate competition consent from marketing consent** — require T\&Cs for entry, but treat marketing as a distinct, optional [Communication Subscription](/crm/communications/communication-subscriptions/index) checkbox that end users must actively tick.
    * **Layer data over time** — as identified contacts return to your Hub, badges, profiles, and repeat entries add engagement data to existing contact records without re-asking for information they have already provided.
    * **Respect subscription status in integrations** — when syncing to external CRMs or email platforms, use workflow filters so only contacts with active subscription consent are transferred. See [Mailchimp Contact Sync](/crm/syncs/mailchimp-contact-sync/index) for an example.

    You remain responsible for determining the appropriate legal basis and privacy notices for your use case. Komo provides the tools to capture and record consent; your legal and policy teams define how they are applied.
  </Accordion>

  <Accordion title="How have other customers approached opt-in and consent?">
    While every organisation's legal requirements differ, common patterns we see across Komo customers include:

    * **Opt-in first for marketing** — rather than collecting data and relying on opt-out, customers use Communication Subscriptions so marketing emails are only sent to contacts who have explicitly opted in. This is the platform default for marketing communications.
    * **Reusable workspace-level subscriptions** — consent fields are created once at the workspace level and added to forms across multiple campaigns, ensuring consistent consent language and auditability.
    * **Separate subscriptions for different channels** — distinct opt-ins for email, SMS, and other channels, each with its own label and description visible on the communications preference page.
    * **Hub-level cookie consent plus form-level T\&Cs** — a cookie banner on first visit, combined with mandatory T\&Cs acceptance on competition entry forms.
    * **OneTrust integration** — customers with existing cookie consent programmes connect [OneTrust Cookie Consent](/integrations-automation/tag-management/index) to their Hub for a consistent consent experience across their web properties.
    * **Filtered CRM syncs** — integrations and workflows are configured to sync only contacts who meet specific consent criteria (e.g. active email subscription), so external systems receive only appropriately consented data.

    Your Komo account team can discuss patterns relevant to your industry and jurisdiction. For legal interpretation, we recommend sharing this FAQ, our [trust centre](https://komo.trust.site), and your planned data flows with your policy team alongside our [Terms of Service](/account-settings/faqs/data-privacy-faq#terms-of-service) and [Privacy Policy](/account-settings/faqs/data-privacy-faq#privacy-policy).
  </Accordion>
</AccordionGroup>

## Security

<AccordionGroup>
  <Accordion title="How does Komo protect our data?">
    Komo implements commercially reasonable technical and organisational security measures, including:

    * Encryption of data in transit and at rest
    * Access controls limiting Komo personnel access to authorised support scenarios — see [Can Komo staff access our data?](#roles-and-ownership)
    * Regular third-party penetration testing, code review, and grey-box testing
    * Security and compliance monitoring via sub-processors such as Sprinto and DataDog
    * Internal policies covering physical access, IT asset management, and data handling

    In the event of a security breach affecting Customer Data, Komo will notify you within 48 hours of confirming the nature and extent of the breach, or sooner if required by law.
  </Accordion>

  <Accordion title="Do you regularly conduct penetration tests?">
    Yes. Komo engages third-party security experts to conduct penetration tests against our software. We also conduct code review and grey-box testing. See [How does Komo protect our data?](#security) for our broader security programme.
  </Accordion>

  <Accordion title="Do you have a physical data security policy?">
    Yes. We maintain several policies covering physical access and control of data and IT systems, including an IT Asset Register, IT Asset Decommissioning Policy, Physical Data Policy, and Technology Equipment Agreement.
  </Accordion>

  <Accordion title="Are Komo staff under an NDA?">
    Yes. All Komo staff are required to commit to confidentiality obligations and an NDA. For when staff may access Customer Data, see [Can Komo staff access our data?](#roles-and-ownership).
  </Accordion>
</AccordionGroup>

## Compliance and legal

<AccordionGroup>
  <Accordion title="Where are Komo's Terms of Service?" id="terms-of-service">
    Komo maintains separate Terms of Service for Australia/New Zealand and US/International customers. Use the version that matches your contract and region:

    * [Australia & New Zealand](https://www.komo.tech/terms-of-service)
    * [US & International](https://www.komo.tech/us/terms-of-service)

    The sub-processor list is in **Annex 1** of the Terms of Service. The [live sub-processor list](https://komo.trust.site/subprocessors) on our trust site may also be useful.
  </Accordion>

  <Accordion title="Where is Komo's Privacy Policy?" id="privacy-policy">
    Komo maintains separate Privacy Policies for Australia/New Zealand and US/International customers. Use the version that matches your contract and region:

    * [Australia & New Zealand](https://www.komo.tech/privacy-policy)
    * [US & International](https://www.komo.tech/us/privacy-policy)
  </Accordion>

  <Accordion title="Where can we find trust and security documentation?">
    Our trust centre is available at [https://komo.trust.site](https://komo.trust.site). It includes security, compliance, and privacy documentation — including the [sub-processor list](https://komo.trust.site/subprocessors) — that may be useful when sharing information with your legal or policy teams.
  </Accordion>

  <Accordion title="Are you GDPR compliant?">
    Yes. Komo complies with EU GDPR obligations, including Standard Contractual Clauses for international data transfers from the EU. For how end-user access and deletion requests are handled, see [How do end-user access or deletion requests work?](#access-export-and-deletion).
  </Accordion>

  <Accordion title="Are you CCPA compliant?">
    Yes. Komo complies with the California Consumer Privacy Act (CCPA). End-user requests directed to Komo are routed to you as described in [How do end-user access or deletion requests work?](#access-export-and-deletion).
  </Accordion>

  <Accordion title="Will Komo sign a Data Processing Agreement (DPA)?">
    Yes. Komo is happy to sign a DPA — please send agreements to [privacy@komo.tech](mailto:privacy@komo.tech) for review.
  </Accordion>
</AccordionGroup>

## Contact

<AccordionGroup>
  <Accordion title="Whom do we contact for data and privacy questions?">
    Email [privacy@komo.tech](mailto:privacy@komo.tech) for privacy, DPA, and data processing questions. For platform support, contact [support@komo.tech](mailto:support@komo.tech).
  </Accordion>
</AccordionGroup>
