compass · privacy policy · last updated 2026-06-14

Privacy Policy

Draft for review — this is a working template pending sign-off by qualified legal counsel. It is not the final agreement and should not be relied on as legal advice.

Compass ('Compass', 'we', 'us', or 'our') runs an invite-only origination desk for commodity sourcing and brokering. This Privacy Policy explains what personal data we collect when you access the platform, why we collect it, who we share it with, how long we keep it, and the rights you have — wherever in the world you are. By accessing or using Compass you acknowledge the practices described here.

1. Who We Are and What This Covers

Compass is a single-tenant origination desk provided to a closed group of invited members (administrators, managers, and members of the operating team). Accounts are provisioned by us; there is no public sign-up. For data-protection purposes, Compass is the controller of the personal data described here. Where local law requires a named operating entity or representative, that detail will be confirmed before this policy is finalised.

This policy applies to personal data we process through the platform, through email and electronic messages between you and us, and through the activity you carry out on the desk. It does not cover third-party services that operate under their own privacy policies, even where we link to them.

2. Information We Collect

Account and identity data — your name, work email address, the role assigned to you (administrator, manager, or member), the team you belong to, authentication data (including any two-factor method you enrol), and the timestamped record of any agreement you accept.

Activity and deal data — the records you create or act on while using the desk: leads, quests, findings, deals, vault documents, notes, tasks, and the outcomes of that work. This is the core operating data of the desk.

Communications you bring into the desk — Compass lets you paste, forward, or connect inbound messages (for example from email, WhatsApp, Instagram, or Discord) into a shared inbox so the team can act on enquiries. Anything you import — including the message content and the contact details of the counterparties who sent it — is processed by Compass on your instruction. You are responsible for ensuring you have a lawful basis to bring third-party communications and personal data into the platform.

Automated processing and AI — to sort, grade, and extract structured information from inbox messages and research you submit, we and our processors run automated and AI-assisted analysis. Where you supply your own AI provider key, your content is sent to that provider under their terms; usage is metered and capped.

Device, usage, and analytics data — technical data such as IP address, device and browser type, pages and features used, timestamps, and diagnostic logs, collected to operate, secure, and improve the service and to produce aggregate performance analytics.

Cookies and similar technologies — strictly-necessary cookies for sign-in and security, and limited analytics as described in the Cookies section below.

3. How We Use Your Information

We use personal data to: operate and secure the desk and your account; authenticate you and prevent fraud, abuse, and unauthorised access; carry out the deal, outreach, and inbox workflows you initiate; produce aggregate business and performance analytics; maintain audit logs; provide support; comply with legal obligations; and operate, improve, and develop the product and future products.

We describe our data use broadly and openly so that it remains accurate as the product evolves. We do not use your personal data for purposes that are incompatible with those described here, and we do not sell your personal data.

4. Legal Bases for Processing (EU/EEA & UK)

Where the EU General Data Protection Regulation (GDPR) or the United Kingdom GDPR (UK GDPR) applies, we rely on one or more of the following legal bases: performance of a contract (to give you access to the desk and provide the service); our legitimate interests (to secure, operate, analyse, and improve the platform, balanced against your rights); your consent (where we ask for it, such as certain analytics — you may withdraw it at any time); and compliance with a legal obligation.

5. How We Share Information

Service providers and sub-processors — hosting, database, authentication, email, and AI-processing providers who act on our instructions under contract and may process data only for the purposes we specify. Our core infrastructure and sub-processors are available on request.

Within the team — your activity on the desk is visible to other members of your team in line with your assigned role and our access controls.

Legal and safety — where required to comply with a law, court order, or lawful request, or to protect the rights, property, safety, or security of Compass, our users, or others.

Business transfers — in connection with a merger, acquisition, financing, reorganisation, or sale of assets, in which case we will require the recipient to honour this policy.

We do not sell your personal data, and we do not 'share' it for cross-context behavioural advertising as those terms are defined under California law.

6. Cookies, Analytics, and Tracking

We use strictly-necessary cookies to keep you signed in and to protect the platform. We may use a limited set of privacy-respecting analytics to understand how the desk is used so we can improve it. Where required by law, we ask for your consent before setting non-essential cookies, and you can control cookies through your browser settings. We honour recognised opt-out signals (such as Global Privacy Control) where applicable.

7. Data Retention

We keep personal data for as long as your account is active and for as long as needed to provide the service, then for a limited period afterwards to meet legal, tax, accounting, security, and dispute-resolution obligations, after which it is deleted or anonymised. Signed agreements and audit records are retained for the period required to evidence them. You may ask us to delete your data as described in 'Your Privacy Rights', subject to those obligations.

8. International Transfers and Where We Offer the Service

Compass operates globally and our providers may process data in countries other than your own, including outside the EEA, the UK, and your home jurisdiction. Where we transfer personal data across borders, we use a lawful transfer mechanism — such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, an adequacy decision, or, where required, your explicit consent — and apply appropriate safeguards.

Some countries impose strict data-localisation or separate-consent requirements (for example under China's PIPL or Russia's data-localisation law). We offer Compass only where we can lawfully provide it, and we may restrict, decline, or withdraw access from any jurisdiction whose requirements we cannot currently meet. Nothing here is an offer of the service where it would be prohibited.

9. Your Privacy Rights

Your rights depend on where you live. In every case you can contact us using the details below, and we will respond within the time limits set by applicable law. We will not discriminate against you for exercising your rights, and we may need to verify your identity before acting on a request.

EU/EEA and United Kingdom (GDPR / UK GDPR): you have the right to access, rectify, erase, restrict, and object to processing of your personal data, the right to data portability, the right to withdraw consent, and the right to lodge a complaint with your local supervisory authority (in the UK, the Information Commissioner's Office).

California (CCPA / CPRA): if you are a California resident you have the right to know what personal information we collect and how we use and disclose it, the right to access and delete it, the right to correct inaccurate information, and the right to opt out of any sale or sharing of personal information and of profiling — although we do not sell or share personal information as those terms are defined under California law. You may exercise these rights without discrimination and may use an authorised agent.

China (PIPL): if the Personal Information Protection Law of the People's Republic of China applies to you, we process your personal information on the basis of your consent or another lawful basis, and we obtain separate consent where the law requires it (including for cross-border transfers). You have the right to access, copy, correct, supplement, and delete your personal information, to withdraw consent, and to ask us to explain our processing rules.

Australia (Privacy Act 1988 / Australian Privacy Principles): if you are in Australia, we handle your personal information in line with the Australian Privacy Principles. You may request access to and correction of your personal information, and you may complain to us and, if unsatisfied, to the Office of the Australian Information Commissioner (OAIC).

Everywhere else in the world: wherever you are — including, for example, under Canada's PIPEDA, Brazil's LGPD, Japan's APPI, South Korea's PIPA, India's DPDP Act, Switzerland's FADP, South Africa's POPIA, Singapore's PDPA, the data-protection laws of the UAE, Saudi Arabia, and other Gulf states, New Zealand's Privacy Act, and equivalent data-protection laws in every other country — you may have similar rights. Whoever and wherever you are, contact us and we will honour the rights available to you under your local law. To exercise any right, email us using the contact details in the final section and describe your request so we can verify and action it.

10. Security

We use administrative, technical, and organisational measures designed to protect personal data — including access controls scoped to your role, encryption in transit and at rest, authentication safeguards (including optional two-factor authentication), and audit logging. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security, and you are responsible for keeping your credentials confidential. If you discover a vulnerability, please report it responsibly to security@waitlistcompass.com. If we become aware of a personal-data breach that affects you, we will notify you and the relevant authorities where the law requires.

11. Children

Compass is a workplace tool intended for adults. It is not directed to children, and we do not knowingly collect personal data from anyone under 18 (or under the minimum age set by your local law, such as 16 in parts of the EEA). If you believe a child has provided us personal data, contact us and we will delete it.

12. Changes to This Policy

We may update this policy as the product or the law changes. The 'last updated' date at the top shows the current version. If we make material changes, we will take reasonable steps to notify you, for example by email to your account address or by a notice in the platform. Your continued use after an update means you accept the revised policy.

13. Contact and How to Reach Us

For any privacy question, or to exercise a right described above, contact us at privacy@waitlistcompass.com. (This contact route and the responsible legal entity are placeholders in this draft and will be confirmed before the policy is finalised.) Where the law requires a data-protection officer or local representative, their details will be added here.

This document does not constitute legal advice. Consult qualified legal counsel for jurisdiction-specific questions.