Privacy Policy
1. Who We Are
This Privacy Policy explains how Counsel (“we”, “our”, or “us”) processes personal data when you use our platform at mycounsels.com.
Data controller: Counsel
Contact: legal@mycounsels.com
A Data Protection Officer has not been designated at the current scale of processing. We will assess designation as processing scope grows and will update this policy accordingly.
2. Data We Process
We process the following categories of personal data. The legal bases reference the General Data Protection Regulation (EU 2016/679, “GDPR”).
| Category | Examples | Legal basis | Retention |
|---|---|---|---|
| Account data | Email address, display name, avatar | Contractual necessity (Art. 6(1)(b)) | Duration of account + 30 days after deletion |
| Authentication data | Session tokens, MFA state, login history | Contractual necessity + legitimate interest (security) | Managed by Clerk per their DPA |
| Company context | Company description, team structure, financials, objectives — may contain personal data about employees or customers of your company | Legitimate interest (Art. 6(1)(f)) — you remain the controller for any personal data about your employees or customers | Duration of workspace + 30 days after deletion |
| Uploaded documents | Any documents you upload to inform the AI agents | You are the controller; Counsel is the processor (Art. 28) | Duration the document exists + immediate hard-deletion on removal |
| Consultation transcripts | Questions you submit, agent deliberations, recommendations | Contractual necessity (Art. 6(1)(b)) | Per tier retention limits (configurable) |
| Usage data | Features used, pages visited, actions taken (anonymised) | Legitimate interest — product improvement (Art. 6(1)(f)) | 24 months, then anonymised or deleted |
| Billing data | Subscription tier, billing email, payment method (processed by Lemon Squeezy, not stored by Counsel) | Contractual necessity (Art. 6(1)(b)) + legal obligation (tax records) | Managed by Lemon Squeezy. Invoice records retained per Spanish tax law (minimum 4 years). |
3. AI-Specific Transparency
You are interacting with AI agents, not human advisors. Counsel’s deliberation process is conducted by AI language models. No human analyst reviews your consultations unless you contact our support team.
The AI agents are powered by Claude, developed by Anthropic. During each consultation, your company context and question are transmitted to Anthropic’s API for inference (see Section 6 for transfer details). Anthropic does not use API data to train their models.
Technical limitation. Data is decrypted in server memory during AI processing. This is inherent to all server-side AI inference and cannot be eliminated without client-side encryption, which is technically incompatible with LLM reasoning. We disclose this honestly rather than obscuring it. See our Terms of Service Section 9 for the corresponding liability disclaimer.
4. Subprocessors
We use the following subprocessors to provide the Service. Each has a Data Processing Agreement (DPA) in place with us.
| Subprocessor | Data processed | Purpose | Location |
|---|---|---|---|
| Anthropic | Company context + consultation questions during inference | LLM inference for AI agent responses | USA (Data Privacy Framework) |
| Convex | All application data (accounts, documents, decisions, audit logs) | Database, backend, file storage, vector search | EU (Frankfurt) |
| Clerk | Authentication data (email, name, session tokens, MFA) | Authentication service | USA (Data Privacy Framework) |
| Lemon Squeezy | Billing data (name, email, payment details via Stripe) | Payment processing, invoicing, EU VAT handling | USA (Data Privacy Framework) |
| Upstash | Rate-limiting metadata (workspace IDs, request counts — no personal content) | Rate limiting and abuse prevention | EU (Frankfurt) |
| Resend | Email addresses and email content (alert digests, transactional emails) | Email delivery | USA (Data Privacy Framework) |
| Vercel | Request metadata (IPs, headers — transient, not retained by Counsel) | Frontend hosting and global CDN | Edge network (EU preference) |
| Sentry | Error telemetry — stack traces, request context; PII scrubbed before transmission | Error monitoring and performance tracking | EU (Frankfurt) |
You can request the current subprocessor list and DPA summaries at any time by emailing legal@mycounsels.com.
5. International Data Transfers
Most of your data is stored in the EU (Frankfurt). Anthropic, Clerk, Lemon Squeezy, Resend, and Sentry are US-based and receive data as described in Section 4.
Transfers to the United States are made on the basis of the EU–US Data Privacy Framework (DPF), which the European Commission has recognised as providing an adequate level of data protection (Commission Decision 2023/1795). We verify DPF certification for each US subprocessor quarterly at dataprivacyframework.gov.
Anthropic-specific disclosure. During each consultation, your company context is transmitted to Anthropic’s API. Per Anthropic’s published policy, API data is retained for up to 30 days for abuse detection, then deleted. Anthropic does not use API data for model training. Our DPA with Anthropic confirms these terms contractually.
If the DPF is invalidated or a subprocessor loses certification, we will implement EU Standard Contractual Clauses (SCCs) as the transfer mechanism within 30 days of notification.
6. Your Rights Under GDPR
You have the following rights regarding your personal data. To exercise any right, contact us at legal@mycounsels.com. We will respond within 30 days (the statutory deadline).
| Right | What it means | How to exercise it |
|---|---|---|
| Access (Art. 15) | Receive a copy of all personal data we hold about you | Settings → Data & Privacy → “Download all my data” |
| Portability (Art. 20) | Receive your data in a machine-readable format (JSON) | Same as above — the export is in JSON format |
| Rectification (Art. 16) | Correct inaccurate personal data | Edit directly via Settings, or email us |
| Erasure (Art. 17) | Delete your account and all associated data | Settings → Data & Privacy → “Delete my account” |
| Restriction (Art. 18) | Pause all processing of your data | Settings → Data & Privacy → “Pause my workspace” |
| Objection (Art. 21) | Object to processing based on legitimate interests (e.g., analytics) | Cookie consent settings; or Settings → “Do not track my usage” |
Erasure limitation. Data transmitted to Anthropic during a consultation is retained by Anthropic for up to 30 days for abuse detection. We cannot instruct Anthropic to delete this data before that window expires. After 30 days, Anthropic deletes it per their standard policy. This limitation is disclosed here in accordance with GDPR transparency requirements.
Right to complain. If you believe we have processed your data unlawfully, you have the right to lodge a complaint with the Spanish data protection authority, the AEPD (Agencia Española de Protección de Datos), at www.aepd.es.
7. Cookies
We use a small number of strictly essential cookies (required for authentication and remembering your cookie preference). We do not currently set analytics or tracking cookies. See our full Cookie Policy for details.
8. Security
We implement technical and organisational measures appropriate to the risk, including: encryption in transit (TLS 1.2+), encryption at rest (Convex’s AES-256 infrastructure), multi-tenancy isolation (every query is scoped to your workspace), and access controls (Clerk MFA, role-based permissions).
In the event of a personal data breach likely to result in a high risk to your rights, we will notify you without undue delay and will notify the AEPD within 72 hours.
9. Changes to This Policy
We may update this Privacy Policy to reflect changes in our processing activities or regulatory requirements. We will notify you by email and prominent notice on the platform at least 15 days before material changes take effect.
10. Contact
For any questions about this Privacy Policy or to exercise your rights: legal@mycounsels.com
Counsel · Barcelona, Spain