Your data, our small obligation.
Counsel.day is a worldwide product priced in USD. This policy is drafted to meet the General Data Protection Regulation (GDPR), the UK GDPR, the New Zealand Privacy Act 2020, and the Australian Privacy Principles. It is written in plain language wherever the law permits, with the technical detail where the law requires it.
What we collect, and not a byte more.
We collect only what the product needs to do the work you have asked of it. There is no advertising network, no behavioural tracking pixel from a third party we did not list on the sub-processors page, and no enrichment from data brokers. The categories below are the entire collection set.
- Account data: your email address, a securely hashed password (Argon2id), an optional display name, and your chosen prompt-time. We do not ask for a real name, a postal address, or a date of birth beyond the age-of-majority check on sign-up.
- Decision data: the questions you compose, the format and duration you choose, the partners or family members you invite, your daily votes, and any notes you seal alongside each vote. This is the most sensitive category we hold.
- Verdict data: the analyses produced at the end of each decision (the trajectory, the themes, the synthesis paragraph on paid tiers, and the suggested conversation prompt).
- Billing data: Stripe holds your card details on its own infrastructure; we receive a token, the billing country, and the last four digits of the card for receipts. We never see the full card number.
- Operational logs: IP addresses and user-agent strings for the most recent thirty days, retained for security and fraud prevention. After thirty days these logs are purged.
- Analytics: aggregate page-view counts via Google Analytics 4, set to IP anonymisation and a fourteen-month retention. No personally identifying data is exported.
We do not collect special-category data (health, religion, sexuality, political opinion, biometrics). If the questions you choose to seal happen to touch on those subjects, the data lives only inside your private decision, encrypted at rest, readable only by you under row-level-security policy.
Why the law permits us to process this.
Under Article 6 of GDPR and the equivalent provisions in the UK GDPR, NZ Privacy Act, and Australian Privacy Principles, every processing activity has a stated lawful basis. Ours are:
- Contract (Art. 6(1)(b)): running the decision, sending the daily-vote email, computing the verdict, and providing the account. Without this processing there is no product.
- Legitimate interest (Art. 6(1)(f)): security logging, fraud prevention, abuse detection, and product improvement based on aggregate (non-individual) usage signals. We have run a balancing test on each; the assessments are available on request.
- Consent (Art. 6(1)(a)): Google Analytics 4 fires on the marketing site by default; you can disable it from the cookie banner or by sending Do-Not-Track. Marketing email is opt-in only.
- Legal obligation (Art. 6(1)(c)): retaining the minimum financial records required by NZ Inland Revenue (seven years for invoices and tax receipts).
Who can read what, and when.
The product hinges on a privacy guarantee that is not a setting and not a promise: it is enforced by a row-level-security policy in the database itself. Until the unseal date of a decision, the database refuses to return your partner's vote rows on any query, including queries issued by the operations team with the service-role key. The guarantee is the product. If it could be bypassed, the verdict would not be honest.
The technical reference for this mechanism lives at engineering/the-privacy-mechanism. The shortest possible summary: each vote row carries a visible_after timestamp; the row-level-security policy on the votes table allows SELECT only when the participant is the row's author or when now() >= visible_after. There is no service-role bypass in the production schema.
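The following PostgreSQL script is an added illustration of the mechanism just summarised; it is not Counsel.day's production schema and not taken from the engineering page. Only the visible_after column is from the text above. The table and column names (votes, decision_id, author_id, vote, note), the app_service role, the app.participant_id session setting, and the two sample decisions are assumptions made for the walk-through.

```sql
-- Added illustration, not Counsel.day's schema. Everything except the
-- visible_after column is an assumed name chosen for this example.

CREATE TABLE votes (
    id            bigserial   PRIMARY KEY,
    decision_id   bigint      NOT NULL,
    author_id     uuid        NOT NULL,
    vote          text        NOT NULL,
    note          bytea,                 -- note content, column-encrypted by the app
    visible_after timestamptz NOT NULL   -- the decision's unseal date
);

-- Constructed sample data: two participants, one sealed decision (1) and
-- one whose unseal date has already passed (2). Inserted before RLS is
-- switched on so the setup step does not itself depend on a policy.
INSERT INTO votes (decision_id, author_id, vote, visible_after) VALUES
  (1, '11111111-1111-1111-1111-111111111111', 'yes', now() + interval '7 days'),
  (1, '22222222-2222-2222-2222-222222222222', 'no',  now() + interval '7 days'),
  (2, '11111111-1111-1111-1111-111111111111', 'yes', now() - interval '1 day'),
  (2, '22222222-2222-2222-2222-222222222222', 'yes', now() - interval '1 day');

-- Turn row-level security on. FORCE makes the table owner subject to the
-- policies too, so there is no "owner reads everything" path.
ALTER TABLE votes ENABLE ROW LEVEL SECURITY;
ALTER TABLE votes FORCE ROW LEVEL SECURITY;

-- The role the application connects as. It must be neither a superuser nor
-- BYPASSRLS; either attribute makes Postgres skip the policies silently.
CREATE ROLE app_service NOLOGIN NOSUPERUSER NOBYPASSRLS;
GRANT SELECT, INSERT ON votes TO app_service;

-- The read rule: a row is visible to its author at any time, and to anyone
-- else only once the unseal timestamp has passed. The caller's identity is
-- taken from a session setting the application sets per request.
CREATE POLICY votes_read ON votes
    FOR SELECT
    TO app_service
    USING (
        author_id = NULLIF(current_setting('app.participant_id', true), '')::uuid
        OR now() >= visible_after
    );

-- The write rule: a participant may only insert rows attributed to themselves.
CREATE POLICY votes_insert ON votes
    FOR INSERT
    TO app_service
    WITH CHECK (
        author_id = NULLIF(current_setting('app.participant_id', true), '')::uuid
    );

-- Walk-through as participant 1111..., the way the application would run it.
SET ROLE app_service;
SET app.participant_id = '11111111-1111-1111-1111-111111111111';

-- Sealed decision: the policy hides the partner's row.
SELECT author_id, vote FROM votes WHERE decision_id = 1;

-- Unsealed decision: both rows pass the now() >= visible_after branch.
SELECT author_id, vote FROM votes WHERE decision_id = 2;

RESET ROLE;

-- Operational check for the "no bypass" claim: list login roles that
-- Postgres would exempt from row-level security.
SELECT rolname, rolsuper, rolbypassrls
FROM pg_roles
WHERE rolcanlogin AND (rolsuper OR rolbypassrls);
```

Run as the database owner, the first SELECT returns only the caller's own vote for decision 1 and the second returns both votes for decision 2. The final query is the check a practitioner would add to a deployment audit: the policy text alone says nothing about roles that carry SUPERUSER or BYPASSRLS, which ignore every policy regardless of FORCE, so the "no service-role bypass" property holds only if the application's connection role appears nowhere in that result.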
Counsel.day staff cannot read decision content. Aggregate, fully anonymised counts (how many decisions ran for how many days, what formats are most popular) are visible to the operations team for capacity planning; these counts are computed inside the database and the resulting tables hold no participant identifiers.
How long we keep each thing.
- Account data: for as long as the account is open. On deletion, account data is removed from production within 30 days and from encrypted backups within 90 days.
- Decision data: retained while your account is open so you can re-read past verdicts. You can delete an individual decision at any time; deletion is permanent.
- Billing data: tax-relevant records (invoice, payment receipt, billing country, amount, date) retained seven years to satisfy NZ Inland Revenue. Card tokens are deleted with the account.
- Operational logs: thirty days, then purged.
- Analytics: Google Analytics 4 retention set to fourteen months; user-level data automatically expires after that.
What you can ask us to do, on request.
Wherever you live, you have the following rights over the personal data we hold about you. We respond to each within 30 calendar days; if a request is complex we will tell you so within the first ten days and extend by a further two months at most, as GDPR permits.
- Access: a machine-readable copy of every record we hold about you, including past verdicts.
- Correction: any inaccurate field on your account, fixed promptly.
- Erasure (the "right to be forgotten"): permanent deletion of your account and all decision data, subject only to the seven-year tax-record retention for billing.
- Portability: export of your decision history as a JSON archive, suitable for re-import elsewhere.
- Restriction: a freeze on processing while a dispute is being resolved.
- Objection: to any processing we do under legitimate interest, including analytics.
- Withdraw consent: for analytics or marketing email, at any time, with no effect on processing already done.
- Complain to a regulator: the Office of the Privacy Commissioner (NZ) at privacy.org.nz; in the UK, the ICO at ico.org.uk; in the EU, your national data-protection authority; in Australia, the OAIC at oaic.gov.au.
To exercise any of the above, email privacy@counsel.day from the address on your account. We may ask for one additional verification before acting on an erasure or portability request.
Where data travels.
Counsel.day Limited is incorporated in New Zealand. Our primary production database runs in an EU region (Frankfurt). Several sub-processors (Stripe, Anthropic, Cloudflare) process data in the United States. Transfers out of the EU and UK are made under the European Commission's Standard Contractual Clauses (SCCs) and the UK Addendum where applicable; transfers from New Zealand rely on the comparable-protection assessment required under Part 4 of the NZ Privacy Act 2020.
The full list of sub-processors, their locations, and the transfer mechanism for each, is published at sub-processors.
How we keep it safe.
The full security write-up lives at security. In summary:
- In transit: TLS 1.3 only; HSTS preload; certificate transparency monitoring.
- At rest: AES-256 disk encryption on the database volumes; column-level encryption for note content with keys held in Infisical.
- Authentication: Argon2id password hashing; mandatory MFA for staff; magic-link sign-in for users on request.
- Access control: Postgres row-level-security on every decision-content table; no service-role bypass in production.
- Application: Content-Security-Policy, Subresource Integrity, CSRF tokens on every state-changing request, rate-limiting at Cloudflare and at the edge.
- Process: quarterly penetration tests by an independent firm; every commit ships pen-test-ready with no security debt deferred to a later phase.
In the unlikely event of a breach involving your personal data, we will notify you and the relevant regulator within 72 hours of becoming aware, as required by GDPR Article 33 and the equivalent NZ Privacy Act notification thresholds.
Who answers, and how.
Counsel.day is a small company; we do not maintain a full-time Data Protection Officer at present, as GDPR Article 37 does not require one for our size and risk profile. The privacy lead and accountable person is the founder, James Graham; correspondence routes to privacy@counsel.day. If the company grows to require a designated DPO under Article 37, we will appoint one and update this page within the same calendar quarter.
For users in the European Union, our Article 27 representative is appointed and listed in our internal records of processing; the representative's contact details are published in the footer of every transactional email and provided on request.
Email: privacy@counsel.day
Postal: Counsel.day Limited, c/o Privacy Lead, Auckland, New Zealand
Response time: within 30 days of receipt; complex requests acknowledged within 10 days.
When this policy changes.
Material changes (anything that affects the categories of data we collect, the purposes we use them for, or your rights as set out above) are announced by email to every account holder at least thirty days before the change takes effect. Non-material clarifications (typography, broken links, re-phrasings that do not alter meaning) are made silently with the revised date updated at the top of this page. A full revision history is kept and available on request.