Privacy Policy

Last updated: May 29, 2026

This Privacy Policy describes how Comura (“Comura,” “we,” “us”) collects, uses, and shares information when you use comura.co and the Comura application (together, the “Service”). Capitalized terms not defined here have the meaning given in our Terms of Service.

Please do not share sensitive data with the Service that is not necessary for follow-up calling (for example: financial account numbers, social security numbers, government IDs, or protected health information).

1. Introduction

Comura provides software that places AI-driven follow-up phone calls to the customers of home-services businesses and analyses those calls. The business that signs up for Comura is our “Customer.” The consumers who receive Comura calls are the Customer’s customers (“End Users”). For most data covered by this Policy, the Customer is the controller and Comura is the processor.

2. Information we collect

We collect the following categories of information:

  • Account information you provide when you sign up — name, email, phone number, password (stored hashed), business name, country, address, business hours, and timezone.
  • Billing information needed to charge you — billing email and a payment method handle. Card numbers and bank details are collected and stored by our payment processor; we never see or store them.
  • Service configuration — review URL, voice-agent greeting and prompt, alert preferences, notification contacts, opt-out lists, and integration credentials.
  • Usage data — calls scheduled, completed, and failed; sentiment outcomes; dashboard access patterns; API logs.
  • Information you provide about End Users — name and phone number for each customer you schedule a call to.
  • Call content — audio recordings of follow-up calls placed by the AI agent, transcripts of those recordings, and AI-generated summaries, sentiment classifications, and topic tags.
  • Support data — anything you send us by email when you contact support.

3. How we use information

  1. Provide, secure, and operate the Service.
  2. Analyse call audio and transcripts to surface sentiment, summaries, and alerts to the Customer.
  3. Send transactional emails (welcome, password resets, team invitations, alert notifications, billing receipts).
  4. Comply with legal obligations and respond to lawful requests.
  5. Detect and prevent fraud, abuse, and policy violations.
  6. Improve the Service in aggregate, de-identified form. We do not train AI models on identifiable Customer or End-User data.

4. Legal bases (EEA, UK, Switzerland)

Where the GDPR applies, we process personal data on the following legal bases:

  • Performance of a contract — to deliver the Service to the Customer that signed up.
  • Legitimate interests — to operate, secure, and improve the Service in ways the Customer and End Users would reasonably expect.
  • Consent — where required by law and where you have given it (you can withdraw at any time by contacting us).
  • Legal obligations — to satisfy applicable tax, accounting, and law-enforcement requirements.

5. Sharing and disclosure

We share information in these limited circumstances:

  • To Service Providers / Sub-processors (e.g., AWS, Stripe, Twilio, Resend, Vercel) under written contracts requiring confidentiality and data protection.
  • To the Customer that scheduled a given call, so they can review the outcome (audio, transcript, sentiment, alerts) for their own business.
  • To comply with law or respond to lawful requests from public authorities, including to meet national-security or law-enforcement requirements.
  • To protect rights and safety — to enforce our Terms of Service, prevent fraud or abuse, or investigate security incidents.
  • In connection with a corporate transaction such as a merger, acquisition, or sale of assets, in which case we will notify Customers and require continued application of this Policy.

We do not sell personal information. Our current sub-processor list is available to Customers on request to help@comura.co; we’ll give Customers at least 30 days’ notice before adding a new sub-processor that materially changes the categories of processing.

6. International data transfers

We operate in the United States, and personal data may be transferred there from other regions. When we transfer personal data out of the EEA, UK, or Switzerland, we use Standard Contractual Clauses or another lawful transfer mechanism.

7. Security

We use commercially reasonable measures to protect information, including encryption in transit and at rest, access controls on production systems, and audit logging. No service can guarantee perfect security; if we learn of an incident that affects you, we will notify you in line with our legal obligations.

8. Data retention

  • Account, configuration, and billing records — kept for the life of the Customer’s account and for up to seven (7) years after termination to satisfy tax and accounting obligations.
  • Call audio and transcripts — kept for eighteen (18) months from the call date and then deleted, unless the Customer has requested a shorter retention or the law requires us to keep them longer.
  • Support correspondence — kept for two (2) years.
  • Aggregated, de-identified analytics — may be kept indefinitely.

9. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate or incomplete data.
  • Request deletion of your data.
  • Object to or restrict certain processing.
  • Receive your data in a portable format.
  • Withdraw consent where processing relies on it.
  • Lodge a complaint with your local supervisory authority (for example, the ICO in the UK or your state attorney general in the US).

Customers can manage most of their data directly from the Comura dashboard. For anything you can’t self-serve, email help@comura.co. End Users who received a Comura call should contact the business that placed the call; we will assist that business in fulfilling your request. We aim to respond within 30 days (45 days for CCPA requests).

California residents have specific rights under the CCPA/CPRA, including the right to know, the right to delete, the right to correct, and the right to opt out of “sales” or “sharing” of personal information. Comura does not sell personal information.

10. Children

Comura is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.

11. Cookies and tracking

The Comura dashboard uses essential cookies for authentication. We use an error-monitoring service to capture information about crashes that happen in your browser; that service may record limited replays scoped to errored sessions. We do not use third-party advertising cookies or cross-site tracking.

12. Changes to this Policy

If we make material changes, we’ll update the “Last updated” date above and, where appropriate, notify Customers by email or in the dashboard at least 30 days before the change takes effect.

13. Contact

For any privacy question, or to exercise a right described in this Policy, email help@comura.co.