Privacy Policy
Last updated: 7 July 2026
1. Who we are
CommoVision B.V. (“CommoVision”, “we”, “us”, “our”) operates this website and the CommoVision data service. We are the controller of the personal data described in this policy.
| Legal entity | CommoVision B.V. (Dutch private limited company / besloten vennootschap) |
|---|---|
| Registered office | Waldenlaan 91, 1093 NH Amsterdam, Netherlands |
| Chamber of Commerce (KvK) | 98777300 |
| Privacy contact | [email protected] |
We have assessed that we are not required to appoint a Data Protection Officer (our core product is oil-and-gas production data, which is overwhelmingly non-personal; we do not carry out large-scale monitoring of individuals or process special-category data). We will re-assess this if that changes.
2. What this policy covers
This policy explains how we handle personal data in three situations:
- When you visit our website — technical data your browser sends, and how we identify visiting organisations (Section 4).
- When you create an account, start a trial, or contact us — the data you give us and the data we generate about your use of the service (Section 5).
- Personal data that appears inside our datasets — a small amount of personal data (mainly names on public oil-and-gas regulatory filings) that we obtain from public records and commercial data providers, not from you (Section 6). This is our Art. 14 GDPR disclosure.
Our core product — oil-and-gas well and production data — is about wells, not people, so most of what we process is not personal data at all.
3. The short version
- We rely mainly on legitimate interests to run, secure and grow our business, and on your consent or our contract with you where the law requires it.
- We do not sell your personal data, and we do not use third-party advertising trackers.
- We do not fingerprint your device or build a profile that links your browsing to you as a named individual unless you give us consent.
- You can object, access, correct, delete or port your data, and complain to the Dutch data-protection authority. Section 8 explains how.
4. Website analytics and visitor data
When you visit our website we automatically collect technical information your browser sends: your IP address, browser and device type (user-agent), the pages you view, the site you arrived from, and timestamps. We use this to measure and improve our website, to keep it secure and prevent abuse, and to identify the organisations (not individuals) that show interest in our service so that we can reach out to them.
Legal basis: our legitimate interests (Art. 6(1)(f) GDPR) in operating, securing and growing a business website. You have the right to object to this processing at any time (see Section 8), and where we use this data to decide who to contact for business development (direct marketing), your right to object is absolute — we will stop on request, with no balancing.
Organisation identification. We match visiting IP addresses to the organisation that operates them using a licensed IP-intelligence dataset that we hold and query on our own servers. We do not send your data to that provider, and at this stage we do not identify individual visitors.
What we do NOT do without your consent. We do not fingerprint your device, and we do not link your browsing history to you as a named individual, unless and until you give us consent (for example when you start a trial or contact us — see Section 5).
Cookies and local storage. Our website works without advertising or cross-site tracking cookies. We use only strictly necessary cookies, which do not require consent: session and authentication cookies when you sign in to your account, and security cookies set by our content-delivery network to protect the site against bots and abuse. As of this version, no first-party analytics identifier is set.
Retention. Raw IP addresses in our logs are deleted or aggregated after 90 days; aggregated, non-identifying analytics are kept longer.
5. Account, trial and contact data
When you create an account, start a trial, subscribe, or contact us, we process the data you give us and data we generate about your use of the service:
| Category | Examples | Legal basis |
|---|---|---|
| Identity & contact | name, work email, employer, job title | Contract (Art. 6(1)(b)); legitimate interest for enquiries before a contract exists |
| Authentication | login credentials / single-sign-on identifiers | Contract; our legitimate interest in account security |
| Billing | company billing details, transaction records (we do not store full card numbers — our payment processor does) | Contract; legal obligation (tax/accounting) |
| Usage | features used, queries run, API calls, records consumed | Contract; legitimate interest in improving and securing the service |
| Support | messages you send us | Legitimate interest / contract |
Linking your activity to your account (consent). With your separate, opt-in consent, we may link your account to your activity on our website — including visits made before you signed up — to provide, personalise and improve the service and manage our relationship. This is optional, we ask for it distinctly (not bundled into acceptance of our Terms), and you can withdraw it at any time as easily as you gave it, via your account settings or by emailing [email protected]. Withdrawing consent does not affect processing that already took place.
Do you have to provide it? The identity, authentication and billing data above is required to create an account and provide the Service. Usage data is generated automatically as you use the Service.
Retention. We keep account data for the life of your account and then for as long as we are legally required to (Dutch law requires business and invoicing records to be kept for 7 years), after which we delete or anonymise it.
6. Personal data inside our datasets (our Art. 14 disclosure)
Our product is built from oil-and-gas well, permit and production data. This data is overwhelmingly about wells and companies, not about people. However, a limited amount of personal data unavoidably appears in it, because it comes from public regulatory records:
- the name of an operator that is a sole trader or a one-person business (where the trading name is also a person’s name);
- names or signatures of agents, engineers or officers that appear on public permit, completion or production filings;
- natural-person mineral or lease owners where a public record names them.
Where it comes from (Art. 14(2)(f)). We obtain this data from publicly accessible sources — chiefly the public records of US state oil-and-gas regulators, Canadian provincial regulators, and comparable authorities in other producing jurisdictions — and, where relevant, from commercial oil-and-gas data providers. We do not collect it from you.
Why we process it and on what basis. We process it to build, verify and present an accurate oil-and-gas production dataset for our customers. Our legal basis is our legitimate interests (Art. 6(1)(f) GDPR) in providing accurate market-data, balanced against the limited privacy impact of using information that is already in the public record for the purpose it was filed.
How we give you this notice (Art. 14(5)(b)). Because our datasets are built from a very large number of public filings, contacting each named individual directly would involve disproportionate effort. In line with Art. 14(5)(b) GDPR we therefore provide the information required by Art. 14 by making this disclosure publicly available in this policy.
Your rights over this data. The rights in Section 8 apply. In particular you can ask us what personal data about you appears in our datasets, ask us to correct or delete it, or object to our processing of it. Where a legal obligation requires the underlying public record to remain, we will explain that in our response.
7. Who we share data with
We do not sell your personal data. We share it only with:
- Service providers (sub-processors) who process data on our behalf under a contract. Our current and planned sub-processors are:
| Purpose | Provider | Location / transfer basis |
|---|---|---|
| Hosting / infrastructure | Hetzner (Germany) | EU — no third-country transfer |
| Content delivery / security (CDN / WAF) | Cloudflare (US) | EU–US Data Privacy Framework + Standard Contractual Clauses |
| Payment processing (paid tier) | Stripe (US) | EU–US Data Privacy Framework + Standard Contractual Clauses |
| Authentication (paid tier) | WorkOS (US) | EU–US Data Privacy Framework + Standard Contractual Clauses |
| Email / correspondence | Our email provider | EU, or EU–US DPF + SCCs where US-based |
We also share data with authorities or advisers where we are legally required to, or to establish, exercise or defend legal claims; and with a successor in the event of a merger, acquisition or reorganisation, subject to this policy.
8. Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- rectify inaccurate data and complete incomplete data;
- erase your data (“right to be forgotten”) in the circumstances the law allows;
- restrict or object to our processing — and where we process your data for direct marketing (including deciding which organisations to approach), your right to object is absolute and we will always honour it;
- data portability — receive data you gave us in a portable format;
- withdraw consent at any time, where we rely on consent, without affecting prior processing;
- not be subject to solely automated decisions with legal or similarly significant effects — we do not carry out such automated decision-making.
To exercise any right, email [email protected]. We respond within one month; for complex or numerous requests we may extend this by a further two months and will tell you if we do (Art. 12(3) GDPR).
Complaints. You can lodge a complaint with the Dutch data-protection authority, the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl), or with the authority in your EU country of residence.
9. International transfers
We process personal data in the European Union. Where a service provider processes data outside the EU/EEA (for example our US-based content-delivery network, or a US-based payment or authentication provider on our paid tier — see Section 7), we only allow this under an appropriate safeguard recognised by the GDPR: the EU–US Data Privacy Framework (where the provider is certified) or the European Commission’s Standard Contractual Clauses, with supplementary measures where needed.
10. How we protect data
We use appropriate technical and organisational measures — including access controls, encryption in transit, and minimisation (we mask IP addresses in our analytics store and keep raw IPs only briefly). No system is perfectly secure, but we take reasonable steps to protect your data.
11. Children
Our website and service are aimed at businesses and professionals. They are not directed at children, and we do not knowingly collect data from children.
12. Changes to this policy
We may update this policy. We will post the new version here with an updated “Last updated” date and, where changes are material, take reasonable steps to notify account holders.
13. Contact
Questions about this policy or your data: [email protected], or write to CommoVision B.V., Waldenlaan 91, 1093 NH Amsterdam, Netherlands.