CommoVision
← Back to home

Privacy Policy

Last updated: 7 July 2026

1. Who we are

CommoVision B.V. (“CommoVision”, “we”, “us”, “our”) operates this website and the CommoVision data service. We are the controller of the personal data described in this policy.

Legal entityCommoVision B.V. (Dutch private limited company / besloten vennootschap)
Registered officeWaldenlaan 91, 1093 NH Amsterdam, Netherlands
Chamber of Commerce (KvK)98777300
Privacy contact[email protected]

We have assessed that we are not required to appoint a Data Protection Officer (our core product is oil-and-gas production data, which is overwhelmingly non-personal; we do not carry out large-scale monitoring of individuals or process special-category data). We will re-assess this if that changes.

2. What this policy covers

This policy explains how we handle personal data in three situations:

  1. When you visit our website — technical data your browser sends, and how we identify visiting organisations (Section 4).
  2. When you create an account, start a trial, or contact us — the data you give us and the data we generate about your use of the service (Section 5).
  3. Personal data that appears inside our datasets — a small amount of personal data (mainly names on public oil-and-gas regulatory filings) that we obtain from public records and commercial data providers, not from you (Section 6). This is our Art. 14 GDPR disclosure.

Our core product — oil-and-gas well and production data — is about wells, not people, so most of what we process is not personal data at all.

3. The short version

4. Website analytics and visitor data

When you visit our website we automatically collect technical information your browser sends: your IP address, browser and device type (user-agent), the pages you view, the site you arrived from, and timestamps. We use this to measure and improve our website, to keep it secure and prevent abuse, and to identify the organisations (not individuals) that show interest in our service so that we can reach out to them.

Legal basis: our legitimate interests (Art. 6(1)(f) GDPR) in operating, securing and growing a business website. You have the right to object to this processing at any time (see Section 8), and where we use this data to decide who to contact for business development (direct marketing), your right to object is absolute — we will stop on request, with no balancing.

Organisation identification. We match visiting IP addresses to the organisation that operates them using a licensed IP-intelligence dataset that we hold and query on our own servers. We do not send your data to that provider, and at this stage we do not identify individual visitors.

What we do NOT do without your consent. We do not fingerprint your device, and we do not link your browsing history to you as a named individual, unless and until you give us consent (for example when you start a trial or contact us — see Section 5).

Cookies and local storage. Our website works without advertising or cross-site tracking cookies. We use only strictly necessary cookies, which do not require consent: session and authentication cookies when you sign in to your account, and security cookies set by our content-delivery network to protect the site against bots and abuse. As of this version, no first-party analytics identifier is set.

Retention. Raw IP addresses in our logs are deleted or aggregated after 90 days; aggregated, non-identifying analytics are kept longer.

5. Account, trial and contact data

When you create an account, start a trial, subscribe, or contact us, we process the data you give us and data we generate about your use of the service:

CategoryExamplesLegal basis
Identity & contactname, work email, employer, job titleContract (Art. 6(1)(b)); legitimate interest for enquiries before a contract exists
Authenticationlogin credentials / single-sign-on identifiersContract; our legitimate interest in account security
Billingcompany billing details, transaction records (we do not store full card numbers — our payment processor does)Contract; legal obligation (tax/accounting)
Usagefeatures used, queries run, API calls, records consumedContract; legitimate interest in improving and securing the service
Supportmessages you send usLegitimate interest / contract

Linking your activity to your account (consent). With your separate, opt-in consent, we may link your account to your activity on our website — including visits made before you signed up — to provide, personalise and improve the service and manage our relationship. This is optional, we ask for it distinctly (not bundled into acceptance of our Terms), and you can withdraw it at any time as easily as you gave it, via your account settings or by emailing [email protected]. Withdrawing consent does not affect processing that already took place.

Do you have to provide it? The identity, authentication and billing data above is required to create an account and provide the Service. Usage data is generated automatically as you use the Service.

Retention. We keep account data for the life of your account and then for as long as we are legally required to (Dutch law requires business and invoicing records to be kept for 7 years), after which we delete or anonymise it.

6. Personal data inside our datasets (our Art. 14 disclosure)

Our product is built from oil-and-gas well, permit and production data. This data is overwhelmingly about wells and companies, not about people. However, a limited amount of personal data unavoidably appears in it, because it comes from public regulatory records:

Where it comes from (Art. 14(2)(f)). We obtain this data from publicly accessible sources — chiefly the public records of US state oil-and-gas regulators, Canadian provincial regulators, and comparable authorities in other producing jurisdictions — and, where relevant, from commercial oil-and-gas data providers. We do not collect it from you.

Why we process it and on what basis. We process it to build, verify and present an accurate oil-and-gas production dataset for our customers. Our legal basis is our legitimate interests (Art. 6(1)(f) GDPR) in providing accurate market-data, balanced against the limited privacy impact of using information that is already in the public record for the purpose it was filed.

How we give you this notice (Art. 14(5)(b)). Because our datasets are built from a very large number of public filings, contacting each named individual directly would involve disproportionate effort. In line with Art. 14(5)(b) GDPR we therefore provide the information required by Art. 14 by making this disclosure publicly available in this policy.

Your rights over this data. The rights in Section 8 apply. In particular you can ask us what personal data about you appears in our datasets, ask us to correct or delete it, or object to our processing of it. Where a legal obligation requires the underlying public record to remain, we will explain that in our response.

7. Who we share data with

We do not sell your personal data. We share it only with:

PurposeProviderLocation / transfer basis
Hosting / infrastructureHetzner (Germany)EU — no third-country transfer
Content delivery / security (CDN / WAF)Cloudflare (US)EU–US Data Privacy Framework + Standard Contractual Clauses
Payment processing (paid tier)Stripe (US)EU–US Data Privacy Framework + Standard Contractual Clauses
Authentication (paid tier)WorkOS (US)EU–US Data Privacy Framework + Standard Contractual Clauses
Email / correspondenceOur email providerEU, or EU–US DPF + SCCs where US-based

We also share data with authorities or advisers where we are legally required to, or to establish, exercise or defend legal claims; and with a successor in the event of a merger, acquisition or reorganisation, subject to this policy.

8. Your rights

Under the GDPR you have the right to:

To exercise any right, email [email protected]. We respond within one month; for complex or numerous requests we may extend this by a further two months and will tell you if we do (Art. 12(3) GDPR).

Complaints. You can lodge a complaint with the Dutch data-protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the authority in your EU country of residence.

9. International transfers

We process personal data in the European Union. Where a service provider processes data outside the EU/EEA (for example our US-based content-delivery network, or a US-based payment or authentication provider on our paid tier — see Section 7), we only allow this under an appropriate safeguard recognised by the GDPR: the EU–US Data Privacy Framework (where the provider is certified) or the European Commission’s Standard Contractual Clauses, with supplementary measures where needed.

10. How we protect data

We use appropriate technical and organisational measures — including access controls, encryption in transit, and minimisation (we mask IP addresses in our analytics store and keep raw IPs only briefly). No system is perfectly secure, but we take reasonable steps to protect your data.

11. Children

Our website and service are aimed at businesses and professionals. They are not directed at children, and we do not knowingly collect data from children.

12. Changes to this policy

We may update this policy. We will post the new version here with an updated “Last updated” date and, where changes are material, take reasonable steps to notify account holders.

13. Contact

Questions about this policy or your data: [email protected], or write to CommoVision B.V., Waldenlaan 91, 1093 NH Amsterdam, Netherlands.

← Back to home