PRIVACY POLICY

Privacy Policy.

Last updated: June 13, 2026. This policy explains what data CommunityOS collects, how we use it, who we share it with, and the rights you have. It covers two distinct populations: our customers (people who sign up to use the platform), and the scanned X account holders whose public posts the platform analyzes for customers.

01

Who we are.

The data controller for the personal data described in this policy is Levee Investments LLC d/b/a CommunityOS, an Ohio limited liability company (“CommunityOS,” “we,” “us,” or “our”). For European Economic Area, United Kingdom, and Swiss data subjects, CommunityOS, Inc. is the controller for direct customer data and is also the controller for the public X profile data analyzed for our customers; for that second category we rely on legitimate interest as the legal basis (see section 04).

For privacy questions or to exercise your rights, contact us at privacy@communityos.so.

02

Two populations, two data categories.

CommunityOS handles two clearly separated categories of personal data. The legal basis, retention, and rights differ between them.

A. Customer data — people who sign up for the platform

If you create a CommunityOS account, we collect:

  • Account information: name, work email, company name, role, password hash, billing address.
  • Payment data: handled by Stripe; we do not see or store your full card number.
  • Usage data: pages visited, features used, scan history, queue actions, support tickets.
  • Communications: emails you send us and our replies.
  • Cookies and similar technologies: session cookies for authentication, a small set of analytics cookies (see section 12).

B. Scanned data — public X account information analyzed for customers

When a customer initiates a scan in their workspace, we ingest publicly available information from the X platform about that customer’s followers. This includes:

  • The public handle, display name, and profile bio.
  • Follower count, following count, and account creation date as reported publicly by X.
  • Up to the most recent 200 posts and replies (public, not private; excluding direct messages, which we never access).
  • Engagement-pattern data computed over the public posts.

We do not collect or store private direct messages, deleted posts, locked-account content, or any data that requires authentication to view. We do not collect email addresses, phone numbers, payment information, or any private identifier of scanned X users.

03

How we use customer data.

We use customer data to:

  • Provide the service: authenticate you, configure your workspace, deliver scans, surface queues, generate reports.
  • Process payments and manage subscriptions.
  • Communicate with you about your account, updates to the service, security advisories, and (with your consent) product news.
  • Maintain platform security: detect abuse, prevent fraud, enforce the acceptable-use rules in our Terms of Service.
  • Improve the platform through aggregated, de-identified usage analytics.
  • Comply with legal obligations.

Legal bases (GDPR): performance of the contract between us and you; our legitimate interests in operating and securing the service; legal obligations; and, where required, your consent (for example, optional marketing emails).

04

How we use scanned X data.

We process publicly available X profile and post data to provide the scoring service to our customers. Specifically, we:

  • Apply the Bot-Kill filter to remove inauthentic accounts before analysis.
  • Compute archetype scores (Champion, Amplifier, Builder, Early Adopter) for each remaining account.
  • Display the scored results inside the requesting customer’s workspace only.
  • Store the analysis result against the scanning customer’s workspace for the duration of their subscription, refreshed on subsequent scans.

Legal basis — legitimate interest

For data subjects in the European Economic Area, the United Kingdom, and Switzerland, we rely on legitimate interest as the legal basis under Article 6(1)(f) GDPR. The legitimate interest is the operation of a B2B analytical service that helps brands understand which members of their public follower base are most likely to engage meaningfully with their work, replacing high-cost and lower-precision paid-influencer engagement.

We have conducted a Legitimate Interest Assessment and concluded:

  • The data is already publicly available on X under that platform’s terms of service.
  • We process only what is necessary for the analysis; we do not enrich it with private data sources.
  • Output is visible only to the scanning customer, not published.
  • Data subjects can opt out at any time through the mechanism described below.
  • The analysis does not produce legal effects or similarly significant effects on individuals; it informs B2B marketing decisions.

Opt-out

Any scanned X user may opt out of being processed by CommunityOS by emailing optout@communityos.so from any email address, with their X handle in the subject line, or by submitting a request via the form at /optout. We will act on opt-out requests within fifteen (15) business days. After opt-out, the handle is excluded from all future scans across all customer workspaces and any retained analytical records for that handle are deleted.

05

Who we share data with — subprocessors.

We do not sell personal data. We share data only with the following subprocessors and service providers, each bound by a written data processing agreement:

  • DigitalOcean (United States) — cloud hosting for the platform.
  • Stripe (United States) — payment processing.
  • Resend (United States) — transactional email delivery.
  • Anthropic (United States) — AI assistance for internal content tooling (does not process customer workspace data unless explicitly configured to do so).
  • TwitterAPI.io (United States) — the X data ingestion provider used for scans.
  • X Corp. (United States) — the source platform whose public data we analyze, accessed under that platform’s API terms.
  • Google (United States) — Google Workspace for internal communication, Google Drive for internal document storage.

We will give you reasonable advance notice of any change to this list by posting an update to this page. If you object to a new subprocessor, you may terminate your subscription with a prorated refund of any prepaid term.

06

International transfers.

CommunityOS is established in the United States and most of our subprocessors are also based there. Whether you are a customer or a scanned X account holder, personal data about you will be transferred to, stored, and processed in the United States, regardless of where you are located.

For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on the Standard Contractual Clauses approved by the European Commission (and the UK International Data Transfer Addendum where applicable), incorporated by reference into our agreements with subprocessors. We assess transfer risk on a per-subprocessor basis and implement supplementary technical and organizational measures where required.

07

How long we keep data.

Customer data

  • Active account data: retained while your subscription is active.
  • After subscription ends: retained for thirty (30) days to allow export, then permanently deleted.
  • Billing records: retained for seven (7) years to satisfy tax-record obligations.
  • Support communications: retained for three (3) years from the last interaction.

Scanned X data

  • Analysis results retained against the scanning customer’s workspace while their subscription is active, refreshed on subsequent scans.
  • If the scanning customer’s subscription ends, scan-derived data is deleted within thirty (30) days.
  • Opt-out requests honored across all workspaces and applied to all retained records for the handle within fifteen (15) business days.

08

Your rights.

Depending on your jurisdiction, you have some or all of the following rights regarding personal data we hold about you:

  • Access: obtain a copy of the data we hold about you.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data (right to be forgotten).
  • Restriction: limit how we process your data.
  • Portability: receive your data in a portable, machine-readable format.
  • Objection: object to processing based on our legitimate interests, including direct marketing.
  • Opt out of sale or sharing (California): we do not sell personal information; the right is nonetheless available to you.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • Complain to a supervisory authority: in the EEA or UK, you may complain to your local data-protection authority; in California, to the California Privacy Protection Agency or the California Attorney General.

To exercise any of these rights, email privacy@communityos.so. We will respond within thirty (30) days. We do not charge a fee for reasonable requests. We may ask you to verify your identity before disclosing personal data.

California residents

California residents have the right to know what personal information we collect, the right to delete it, the right to correct it, and the right to opt out of sale or sharing of personal information. We do not sell personal information. To submit a California Consumer Privacy Act request, email privacy@communityos.so with the subject “CCPA Request.”

09

Security.

We protect personal data using a combination of technical and organizational measures, including:

  • TLS (HTTPS) for all data in transit.
  • Encryption at rest for production databases.
  • Salted password hashing (PBKDF2 / bcrypt-class).
  • Role-based access controls and the principle of least privilege for internal access.
  • Workspace isolation between customers.
  • Multi-factor authentication for administrative access.
  • Daily database backups with a defined retention period.
  • Regular dependency and security patching.
  • An incident response process with the notification commitments described below.

No system is perfectly secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of it where required, and notify affected individuals without undue delay where the breach is likely to result in a high risk.

10

Children.

CommunityOS is a B2B service. It is not directed at children and we do not knowingly collect personal data from anyone under the age of sixteen (16). If you believe a child has provided us with personal data, contact privacy@communityos.so and we will delete it.

11

AI and automated decision-making.

The CommunityOS scoring engine is deterministic and rules-based. It is not a large language model and it does not produce decisions with legal or similarly significant effects on individuals. The engine outputs categorical scores (Champion, Amplifier, Builder, Early Adopter) and bucket assignments (Act Now, Act Soft, Wait, Monitor, Ignore) intended to inform B2B marketing decisions made by human operators.

We do not use scored data to tune or train the scoring engine without separate written customer consent. We do not use scanned X account data to train any third-party AI system.

12

Cookies.

We use cookies and similar technologies for:

  • Strictly necessary: session authentication, security, load balancing.
  • Functional: remembering your workspace selection and UI preferences.
  • Analytics: a small set of cookies that help us understand aggregated usage. We use privacy-respecting analytics that do not track you across sites.

You can disable non-essential cookies in your browser settings. Strictly necessary cookies cannot be disabled without breaking the service.

13

Changes to this policy.

We may update this policy from time to time. The current version is always available at /privacy and the “Last updated” date will reflect the most recent change.

For material changes, we will notify account holders by email at least thirty (30) days before the change takes effect.

14

Contact and complaints.

To exercise your rights, ask a question, or file a complaint about how we handle your data, email privacy@communityos.so. Scanned X account holders who want to opt out of processing may also use optout@communityos.so or the form at /optout (see section 04).

If you are in the European Economic Area, the United Kingdom, or Switzerland and you believe we have not addressed your concern, you have the right to complain to your local data-protection authority.