Privacy Policy

Effective 2026-05-06

1. Who we are

Command Center (referred to in this policy as "we", "us", or "our") is operated by Command Center Global, an entity established in the European Union. We are the data controller for personal data processed via commandcenter.global.

For any privacy question, request, or complaint, reach us at [email protected]. We do not have a Data Protection Officer (DPO) — our processing volume does not require one under GDPR Article 37. The email address above is the contact point for all data-protection matters.

2. What this policy covers

This policy describes the personal data we collect from you, why we collect it, who we share it with, and the rights you have under the EU General Data Protection Regulation (GDPR) and any equivalent national law in the EU member state where we are established. It applies to anyone using Command Center — whether browsing anonymously, signed up on our Free tier, or paying for Pro / Premium.

3. Data we collect and why

The data we hold falls into a small number of categories:

  • Account data — when you sign up: email address, hashed password (or your Google identity if you use OAuth), display name, unique handle, and your selected tier. Purpose: identifying you, signing you in, billing you. Lawful basis: contract (GDPR Art. 6(1)(b)) — we need this to provide the service you're paying for.
  • Usage data — timestamps for briefings you consume, notification rules you create, and rate-limit counters. Purpose: enforcing your tier's limits and detecting abuse. Lawful basis: legitimate interest (Art. 6(1)(f)) — keeping the service available and affordable for everyone.
  • Diagnostic data — IP address (always hashed before storage), browser type, request paths and timing. Purpose: security, fraud prevention, debugging. Lawful basis: legitimate interest. We never correlate this back to your account beyond the active session.
  • Payment data — only if you subscribe. Card numbers and billing details go directly to Stripe; we never see or store them. We retain a Stripe customer ID, a subscription ID, and your subscription status. Lawful basis: contract + legal obligation for tax records (Art. 6(1)(b) and (c)).
  • Notification subscriptions — only if you enable browser push: an opaque endpoint URL plus the public encryption keys your browser generates. We push alerts to that endpoint when one of your rules matches. Lawful basis: consent (Art. 6(1)(a)) — you explicitly opt in via your browser's permission prompt; you can revoke any time from the browser settings.

4. How long we keep it

Account data: as long as your account exists. When you delete your account, we delete your profile row and any data tied to your user ID within 30 days, with the exception of accounting records we are legally required to retain (see below).

Usage and diagnostic data: 90 days for individual rate-limit and request logs. Aggregate cost-audit records (which never contain raw IPs) may be retained longer for internal accounting.

Payment records: as required by applicable EU and national tax law (typically 7–10 years). These are minimal — a Stripe customer ID plus invoice metadata — and are not used for any other purpose.

Notification subscriptions: until you disable notifications or revoke browser permission. Endpoints that return permanent failure codes (HTTP 410 / 404) are removed automatically.

5. Who we share it with (sub-processors)

Command Center is built on third-party infrastructure. The services below process some of your data on our behalf, under contract (Data Processing Agreements) that require them to apply the same protection standards we do. Most are US-based — see Section 6 for transfer safeguards.

| Provider | Role | Data | Location |
|---|---|---|---|
| Supabase | Authentication, account database | Email, hashed password, profile metadata, tier | EU (Frankfurt) |
| Stripe | Payment processing | Name, email, billing address, payment method (handled solely by Stripe) | USA (DPF certified) |
| ElevenLabs | Text-to-speech voice synthesis | Briefing text content (article excerpts + your commander name in greetings) | USA (SCCs) |
| OpenRouter / Anthropic | LLM ranker for story prioritisation | Public article titles + summaries (no user data) | USA (SCCs) |
| Resend | Transactional email (signup, password reset) | Email address, message content | USA (SCCs) |
| Cloudflare | DNS, edge security, email routing | IP addresses, request paths, TLS termination | Global (DPF certified) |
| Railway | Application hosting | All request data post-Cloudflare | USA |
| Sentry | Error monitoring (server-side + browser exceptions) | Stack traces, request paths (query strings stripped), hashed IP, browser metadata. Personal identifiers (raw IP, cookies, request headers) are not auto-captured. | EU (Germany) |

We do not sell your data, share it with advertisers, or use it to train AI models on your behalf — content you submit (briefing playback, notification rules) is processed only to provide the service and is not retained by our AI sub-processors beyond the immediate request.

6. International transfers

Some sub-processors are located outside the European Economic Area (EEA), primarily in the United States. Transfers happen under the EU Standard Contractual Clauses (SCCs) where the sub-processor is not covered by an EU adequacy decision, and via the EU–US Data Privacy Framework where the sub-processor self-certifies. Each provider's current safeguards are linked from the table in Section 5.

If you'd like a copy of any specific safeguard document, email us at [email protected].

7. News content and the publishers we link to

Command Center aggregates publicly available RSS feeds from major news publishers (BBC, Reuters, Al Jazeera, NYT, Guardian, and others). We display the headline, a short summary, the source attribution, and a link back to the original article. We do not host the full article text. We do not collect any personal data from the publishers we link to — they only see our backend's IP address fetching their RSS feed.

Our voice briefings, threat-level scoring, and story categorisation are derived intelligence built on top of those public feeds — that derived layer is what we licence under our paid tiers, not the underlying article content. See our Terms of Service for the attribution and content-use disclosures.

8. Cookies and local storage

We use a small number of essential cookies to keep you signed in (Supabase Auth session) and to remember your tier across page loads. These are required for the service to work; we do not show a cookie banner for them because GDPR / ePrivacy permit strictly necessary cookies without consent.

We use browser localStorage to remember your UI preferences (selected theme, voice, briefing mode, saved filters). This data never leaves your browser unless you explicitly sync filters to your account, in which case it becomes part of your account data.

We do not use analytics cookies, advertising cookies, or third-party tracking cookies. If we add any in the future, we'll update this policy and ask for your consent first.

9. Automated processing and AI

Command Center uses automated systems to:

  • Rank news stories by editorial significance (LLM-based ranker — Anthropic's Claude Haiku via OpenRouter, with a free open-source fallback).
  • Generate spoken voice briefings (ElevenLabs text-to-speech).
  • Compute a global threat-level signal from the day's stories (rule-based, deterministic).
  • Match new articles against your notification rules (rule-based filter matching).

None of these decisions produce legal effects on you or similarly significantly affect you in the sense of GDPR Article 22(1) — they affect what you read or hear, not your rights, opportunities, or contractual standing. You can disable any of these features from your settings panel.

10. Your rights

Under GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Correct inaccurate data (Art. 16).
  • Delete your account and associated data (Art. 17). Subject to the legal-retention exception in Section 4.
  • Restrict our processing in certain circumstances (Art. 18).
  • Receive your data in a portable format (Art. 20) — JSON export available on request.
  • Object to processing based on legitimate interest (Art. 21).
  • Withdraw consent any time it was the basis for a particular use (Art. 7(3)) — applies mainly to browser push subscriptions.
  • Lodge a complaint with a supervisory authority. EU residents may complain to their national data-protection authority — a directory is maintained by the European Data Protection Board at edpb.europa.eu.

To exercise any of these, email [email protected]. We will respond within 30 days as required by GDPR Art. 12(3). For account deletion + portability we may ask you to confirm your identity to prevent unauthorised disclosure.

11. Security

We protect your data with encryption in transit (TLS 1.3), encryption at rest (Supabase, Stripe, all hosting providers), hashed-only storage of passwords and IPs, principle-of-least-privilege access via Supabase Row-Level Security, and a small surface area (we collect very little to begin with).

If a breach affects your data, we will notify you and the relevant supervisory authority within 72 hours of becoming aware, as required by GDPR Article 33.

12. Children

Command Center is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided data to us, please email us at the address above and we will delete it.

13. Changes to this policy

We will update this policy when our practices change. The effective date at the top of this page reflects the latest version. Material changes will be communicated via email (for active subscribers) and via a banner on the dashboard for at least 30 days before they take effect.