Privacy Policy

This policy covers everyone who uses Common Elements (“CE,” “we,” “us”) — board members, association staff, management company employees, vendors, attorneys, insurance professionals, and anyone visiting our public pages. Common Elements operates from Florida and serves U.S.-based community associations and the businesses around them.

The data we collect falls into three buckets:

• Account information you give us: email address, full name, organization name, role within that organization, and (optionally) phone number, biography, avatar, professional credentials (LCAM, license numbers, attorney bar admission), and contact-visibility preferences.
• Content you create on the platform: forum posts, RFPs, proposals, reviews, direct messages, follow relationships, and any documents you upload.
• Operational data we collect automatically: authentication tokens, session timestamps, IP addresses, browser metadata, error reports, and basic usage events (which pages were visited, which actions were taken). We do not run advertising trackers and do not sell or share this data with ad networks.

We use the data above to operate the platform, authenticate users, route notifications, deliver email, prevent abuse, investigate security incidents, debug errors, and improve the product. Membership status determines what you can see on the platform — that’s enforced at the database level, not by UI hiding.

We do not sell personal information. We do not share it with advertisers. We do not use it to train third-party AI models outside the narrow set of service providers below.

To run the platform we share specific data with a small set of vetted service providers, each under contract:

• Supabase (PostgreSQL hosting, authentication, file storage). All account and platform content data.
• Vercel (web hosting, edge networking). Request metadata and edge cache.
• Resend (transactional email delivery). Email addresses and message bodies for notifications and platform emails.
• Stripe (billing, when paid plans launch). Customer record and payment metadata; no card numbers ever touch our servers.
• Sentry (error monitoring). Stack traces and request metadata for errors. Personally identifying details are scrubbed where feasible.

We use cookies that are strictly necessary to keep you signed in and to remember your in-product preferences (such as your active organization context and notification preferences). We do not set third-party advertising cookies.

We keep your account data for as long as your account is active. Forum posts, RFPs, proposals, reviews, and messages persist for the operational lifetime of the platform so that audit trails remain intact for boards and counsel — that’s a fiduciary expectation, not a marketing one. Server logs and error reports are retained for up to 90 days. If you close your account, we retain content you authored in shared contexts (forum posts, RFPs, reviews) but disassociate it from your identifying account information unless we’re legally required to keep it linked.

You can request a copy of your personal data, correct inaccuracies, restrict processing, or ask us to delete your account by emailing privacy@commonelements.com. If you’re a California resident, you have additional rights under the California Consumer Privacy Act; if you’re based in the EEA or UK, GDPR rights apply. We respond to verified requests within 30 days.

Account access requires authentication. Database row-level security ensures users only see what their organization membership entitles them to. Production traffic is HTTPS-only with strict transport security; HSTS, frame-busting, and a content security policy are enforced at the application edge. We rotate credentials, scan dependencies for known vulnerabilities, and document our incident response procedure.

No system is impervious. If we discover a security incident that affects your data, we’ll tell you what happened, what we did about it, and what you should do — without spin.

Common Elements is not directed at children under 13 and we do not knowingly collect data from them. If you believe a minor has created an account, contact us and we’ll delete it.

We’ll update this page when our practices change. Material changes are announced via in-app notification and email at least 30 days before they take effect. The “last updated” date at the top of this page reflects the most recent revision.

Common Elements
Florida, USA
privacy@commonelements.com