Counsely Privacy & Cookie Policy
Effective Date: April 27, 2026 · Last Updated: April 27, 2026 · Version 3.0 (International)
Counsely is a trade name of James Hamilton (sole proprietor), with online place of business in California, United States. We are the "controller" of your personal data for purposes of the EU/UK GDPR and equivalent laws elsewhere.
Counsely is available globally except where prohibited by sanctions or local law (see Terms §4). This policy applies to all users; jurisdiction-specific addenda are at the end (Sections 13–20).
Privacy contact: privacy@getcounsely.com
EU Article 27 Representative (GDPR): To be appointed — contact privacy@getcounsely.com in the interim.
UK Article 27 Representative (UK GDPR): To be appointed — contact privacy@getcounsely.com in the interim.
1. Information We Collect
a. Information You Provide
- Account & Authentication. Name, email, hashed password, username, profile photo, optional bio, time zone. If you sign in with Google, we receive your Google profile (name, email, avatar) and OAuth tokens, which are stored in our database. We do not separately collect a country field on your account; we may infer your country from your IP, ZIP/postal code, or billing address where relevant.
- Student Profile. High school, graduation year, weighted/unweighted GPA, SAT/ACT scores, phone (optional), city, state/region, ZIP/postal code, intended major(s), target colleges, course rigor, honors, awards, extracurriculars, leadership positions, courses (including AP/IB), skills, custom resume sections.
- Content & AI Inputs. Essays, essay drafts, version history, outlines, AI chat history with our "Counsely" assistant, interview-prep notes, curriculum plans, college lists, college notes, application progress, friend list, direct/group messages, activity-feed items, accomplishments, streak logs.
- Files. Profile photo and resume photo (up to 5 MB each, stored in Vercel Blob with public URLs that are not enumerable but are not protected by access control — do not upload sensitive images).
- Payment & Billing. Cardholder name, billing ZIP/postal code, country. Full card data is transmitted directly to Stripe and never reaches our servers; we receive only your Stripe customer ID, subscription metadata, and last-4 of the card.
- Communications. Contact-form submissions (name, email, subject, message), support emails, newsletter preferences.
b. Automatically Collected Data
- Usage Data. Pages visited, clicks, scrolls, session duration, feature usage counters (used to enforce free-tier limits).
- Device & Browser. IP address, device type, browser, OS, screen size, time zone, language preference.
- Referral Data. Referring URL, UTM parameters, GoAffPro affiliate-attribution tag (if you arrived via an affiliate link and consented to marketing cookies).
- Error & Performance Data. Stack traces, route, response times via Sentry. Sentry Session Replay records DOM mutations during a session for debugging; we configure it with strict masking (maskAllText, maskAllInputs, blockAllMedia) so the text you type (essays, profile fields, chat messages, names, emails) and any media are not captured. EU/UK users may opt out via Cookie Settings.
- Rate-Limit Tokens. Truncated user/IP identifiers in Upstash Redis to enforce per-feature usage limits.
- Anonymous-Trial Cookie. A signed cookie (counsely_anon_trial) tracks which free AI features an anonymous visitor has tried.
c. Data From Third Parties
- OAuth providers (Google) when you sign in: name, email, profile picture.
- Stripe: subscription status, last-4 of card, country of card, billing events.
- U.S. College Scorecard, O*NET, and similar public datasets: institutional/occupational data only (no personal data about you).
2. How We Use Your Information & Lawful Bases
We process personal data on the following lawful bases (GDPR Article 6 / UK GDPR Article 6 / equivalents):
| Purpose | Lawful Basis (EU/UK) |
|---|---|
| Provide the Services (account, college tools, essay tools, AI assistant, payments, community features) | Performance of contract (Art. 6(1)(b)) |
| Security, fraud prevention, enforce Terms | Legitimate interest (Art. 6(1)(f)) |
| Transactional emails (receipts, password resets, security) | Performance of contract / legal obligation |
| Marketing emails / newsletter | Consent (Art. 6(1)(a)) |
| Analytics & marketing/affiliate cookies | Consent (EU/UK); opt-out (some US states) |
| Tax, accounting, legal-process compliance | Legal obligation (Art. 6(1)(c)) |
| ASI & College Selectivity Score (automated profiling) | Performance of contract; right to human review |
| Sentry session replay | Legitimate interest with strict masking; consent in EU/UK |
| Community Features (chat, friends, profiles, feed, groups) | Performance of contract |
| Content moderation (automated & human review of messages and reports) | Legitimate interest / legal obligation (DSA / online safety) |
Where we rely on legitimate interests, we have conducted a balancing test; you have the right to object (see Section 9).
3. Cookies & Tracking Technologies
a. Categories
- Strictly Necessary (always on) — session, login, CSRF, security, language preference, anonymous-trial counter. Required for the site to function.
- Functional (consent required outside the US) — UI customization stored in localStorage (e.g., onboarding progress, draft auto-save).
- Analytics (consent in EU/UK; opt-out in some US states) — Google Analytics 4 with IP anonymization. Off by default.
- Marketing / Affiliate Attribution (consent in EU/UK) — GoAffPro affiliate-attribution cookie, used to credit affiliate partners who refer you. Off by default in EU/UK. (This category was previously labelled "always active"; that classification has been corrected — affiliate attribution is for the merchant, not the user, and therefore requires consent under EU ePrivacy.)
- Embedded Third-Party Content (consent in EU/UK) — third-party iframes and widgets we may embed.
b. Local Storage Keys
For transparency, here are local-storage keys our app uses on your device:
- cookiePreferences — your cookie consent choices
- counsely_essay_ideas, counsely_essay_has_profile — cached AI essay ideas
- userSettings, counsely_interview_checklist, counsely_college_checklists — your in-app settings & checklists
- onboarding storage keys, tour progress, full-report cache, resume draft auto-save
c. How Your Choice Is Honored
- EU/UK first visit: no analytics or marketing cookies are set until you click Accept All or enable them in Customize. The banner offers Reject All, Customize, and Accept All with equal prominence.
- Rest of world: analytics may be set on a notice-and-continue basis where local law permits; you can opt out at any time.
- Update preferences anytime at /cookie-settings.
d. Do-Not-Track & Global Privacy Control
We honor the Global Privacy Control (GPC) signal where required by law (currently California, Colorado, Connecticut, and any state that adopts it). On receipt of a GPC signal we treat it as an opt-out of "sale" and "sharing" under CCPA/CPRA and as a withdrawal of consent for analytics and marketing cookies where applicable. We do not respond to legacy DNT signals.
4. Sub-Processors
We engage the following sub-processors to help us deliver the Services. We require each to apply appropriate safeguards and to use your data only on documented instructions from us.
| Sub-Processor | Purpose | Data | Region | Transfer Mechanism |
|---|---|---|---|---|
| Stripe, Inc. | Payments, billing, fraud prevention | Email, name, payment metadata | US (EU sub-presence) | EU-US DPF + SCCs |
| OpenAI, OpCo LLC | AI essay tools, Counsely chat, résumé/interview/college-strategy AI | Prompts (essay text, profile snippets, chat questions), responses | US | EU-US DPF + SCCs; OpenAI's API does not use API submissions to train its models |
| Brevo (Sendinblue) | Marketing email list, newsletter | Email, first/last name | EU (France) | Within EEA / SCCs as applicable |
| Resend | Transactional email (receipts, password reset, contact form) | Email, recipient name, email body | US | EU-US DPF + SCCs |
| Sentry (Functional Software, Inc.) | Error monitoring + Session Replay | Error stack, IP, URL, masked DOM | US (EU region available) | EU-US DPF + SCCs |
| Google Analytics 4 | Site analytics (with consent) | Anonymized IP, pseudonymous ID, events | US/EU regional | EU-US DPF + SCCs |
| GoAffPro | Affiliate attribution (with consent) | Affiliate tag, referring URL | India / US | SCCs |
| Vercel, Inc. (hosting + Vercel Blob) | App hosting, file storage (resume photos) | All app traffic; uploaded photos | US default; regional configurable | EU-US DPF + SCCs |
| Upstash, Inc. (Redis) | Rate limiting, ephemeral counters | Truncated IP / user IDs, counts | US default; regional configurable | SCCs |
| Google OAuth | Sign-in | OAuth profile (name, email, avatar) + tokens | US | EU-US DPF + SCCs |
| U.S. College Scorecard / O*NET | Public institutional / occupational data | No personal data about you | US (public) | N/A (public datasets) |
| Database / DB host (Postgres) | Application database | All account data | US default; regional configurable | DPF / SCCs as applicable |
| TidyCal | Counselor booking & payment (embedded scheduling iframe loaded with your "Embedded Third-Party Content" consent) | Name, email, booking time, anything you submit on the booking form; payment is handled by TidyCal/Stripe directly | US | EU-US DPF + SCCs |
| IndexNow (Bing & partner search engines) | Notifies search engines of new or updated public URLs | Public URLs only — no personal data | Global | N/A — public URL ping |
We update this list at this URL when sub-processors change. Email privacy@getcounsely.com for the specific transfer mechanism applied to a particular recipient.
5. Cross-Border Data Transfers
Personal data may be transferred outside your country, including to the United States. Where you are in the EU/EEA, UK, or Switzerland, we rely on:
- The EU-US Data Privacy Framework (DPF) where the recipient is DPF-certified; or
- Standard Contractual Clauses (SCCs) — EU Commission Decision 2021/914;
- For UK transfers, the UK International Data Transfer Addendum (IDTA) or UK Addendum to the SCCs;
- For Switzerland, the Swiss FADP equivalent.
6. Data Retention
| Data Category | Retention Period |
|---|---|
| Active account data | While your account is active |
| Content (essays, résumés, profile photo, plans) | While account is active or until you delete the item |
| Direct & group chat messages | 12 months from last message, or while account is active (whichever is shorter); deleted messages retained briefly for moderation review |
| Activity feed events & streak logs | 12 months |
| Analytics data | 14 months (GA4 default) |
| Support correspondence | 3 years from last interaction |
| Server logs / Sentry errors | 90 days |
| Sentry session replay (where used) | 30 days |
| Consent records | 5 years (proof of consent) |
| Billing & tax records | 7 years (tax law) |
| Suspended-account hold (fraud / abuse) | 1 year, then minimal retention only as required |
When you delete your account, your personal data is removed from our production database immediately (typically the same day, and in any case within 30 days). Backups are cycled out within 90 days, subject to the retention exceptions above.
7. Data Security & Breach Notification
We use TLS/HTTPS in transit, encryption at rest where supported, role-based access, MFA for admin tools, and regular security review. If we discover a personal-data breach we will (a) notify the relevant supervisory authority within 72 hours where required by GDPR Article 33 / UK GDPR; (b) notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (Article 34); and (c) comply with applicable US state breach-notification laws (e.g., California Civil Code §1798.82) and equivalents elsewhere.
8. AI Features & Automated Decision-Making
- What our AI features do. Essay editing & review, idea generation, outlines, résumé analysis, college-strategy analysis, interview-prep feedback, career analysis, and the Counsely chat assistant. The AI provider is OpenAI. Your inputs (essay text, résumé fields, chat questions, profile snippets) are transmitted to OpenAI to generate the requested output and may be retained briefly by the provider for abuse-monitoring purposes (per OpenAI's API terms; the provider does not use API inputs to train its models). We may add additional providers and will update this list.
- In-house AI-content detector. Runs entirely in your browser using linguistic heuristics — your text is not sent to our servers or any third party for this analysis. The score is a heuristic and may be wrong; it is not evidence of academic dishonesty.
- Profiling — ASI & College Selectivity Score. The Admission Strength Index and College Selectivity Score are automated profiling. They are advisory only — no legal effect, no binding decision. EU/UK/EEA users have rights under GDPR Article 22: a plain-language explanation, human review, and correction of inputs. Email privacy@getcounsely.com.
- Sentry session replay. Sentry replay records DOM mutations during a session for debugging. We configure it so that all text and inputs are masked and media is blocked, meaning the content you type is not captured. EU/UK users may opt out of session replay via Cookie Settings.
- Content moderation. Direct and group chat messages may be screened by automated moderation, which can include sending message content to our AI sub-processor (currently OpenAI) for classification (e.g., abuse, harassment, CSAM). The output is used only for safety enforcement and is not used to train any model.
9. Your Rights
Subject to your jurisdiction, you have the following rights:
- Access — request a copy of personal data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion (subject to retention exceptions in §6).
- Restriction — limit how we use your data while a request is pending.
- Portability — receive your data in a machine-readable format.
- Objection — object to legitimate-interest processing, including marketing.
- Withdraw consent — for any consent-based processing.
- No solely-automated decisions — request human review where applicable (Art. 22).
- Lodge a complaint — with your national supervisory authority (see §11–§19).
How to exercise. Email privacy@getcounsely.com or use the in-app data-request form (Settings → Privacy). We respond within 1 month (EU/UK), 45 days (California), or 30 days globally as a default. We may extend by up to 2 additional months for complex requests with notice within the first month. We do not sell personal data and do not engage in cross-context behavioral advertising.
10. Community Features & Privacy
- Public profiles. Default is private. If you mark your profile public, it can be viewed by anyone and may be indexed by search engines including Google. Reverting to private removes future indexing but cached search results may persist outside our control.
- Direct & group messages. Visible to participants. Subject to automated and human moderation review for safety, abuse, and CSAM detection. Deleted messages may be retained briefly for moderation review before purge.
- Friends graph. Friend list is visible to you and your friends. Sharing of additional signals (streak, college list, essays) is opt-in via Settings → Privacy.
- Activity feed. Items you choose to share appear to your friends only.
- Group chats. Up to 8 members; messages are visible to all members; the creator may add or remove members.
- Reporting & blocking. You can block users at any time and report messages or profiles via the in-app report flow, which routes to our moderation queue.
- Account-linking notice. If you previously created an account with email/password and then sign in with Google using the same email, the Google sign-in will link to your existing account. If this was unintended, contact privacy@getcounsely.com.
11. Children's Privacy
Counsely is intended for users aged 13 or older, or the digital-consent age in your country, whichever is higher (see Terms §3 for country-by-country thresholds). We do not knowingly collect data from children below the applicable digital-consent age without verifiable parental consent (US COPPA; GDPR Article 8; equivalent laws elsewhere). If we learn we have, we will delete the data promptly.
We do not sell or share personal data of users under 16. Community Features (chat, friends, public profile) are designed for under-18 users in line with the UK Children's Code (Age Appropriate Design Code) and the California Age-Appropriate Design Code Act: profiles are private by default, geolocation precision is limited, and we do not profile under-18 users for marketing.
12. Marketing & Transactional Communications
When you create a Counsely account, we add your email and name to our list with our email provider (Brevo). We use this list for service announcements (e.g., new features, important notices) and, when you opt in, for marketing emails such as our newsletter and college tips. You can unsubscribe from marketing at any time using the link in any marketing email; this does not affect transactional emails (receipts, password reset, security and account notices), which we are required to send to operate the Service.
The newsletter checkbox at signup is currently a preference indicator; for users in the EU/UK/EEA we treat marketing email as opt-in only and we will not send marketing-only campaigns to you unless you opt in (separate consent capture is being rolled out as part of our international launch). You may also email privacy@getcounsely.com at any time to be removed from the list.
Marketing emails comply with US CAN-SPAM, Canada CASL, EU GDPR/ePrivacy, UK PECR, Australia Spam Act 2003, and equivalent laws.
12A. Free-for-a-Limited-Time Service
Counsely is currently offered free to all users for a limited time. When you create an account we automatically activate a complimentary multi-year plan in our records so all features are available without a purchase. We will give you advance notice (at least 30 days, by email or in-app notice) before any transition to a paid plan, and your data will continue to be governed by this Privacy & Cookie Policy.
13. EU / EEA — GDPR Addendum
Controller: Counsely (James Hamilton, sole proprietor), California, USA.
EU Article 27 Representative: To be appointed.
Lawful bases: see §2. Your rights: see §9.
Right to lodge a complaint. You may complain to your local Data Protection Authority. The European Data Protection Board lists national authorities at edpb.europa.eu.
14. United Kingdom — UK GDPR Addendum
Controller: Counsely.
UK Article 27 Representative: To be appointed.
Complaints: Information Commissioner's Office (ICO), ico.org.uk.
15. California — CCPA / CPRA
California consumers may:
- Request disclosure of personal information we have collected.
- Request deletion of personal information.
- Opt out of any "sale" or "sharing" (we do not sell or share for cross-context behavioral advertising).
- Correct inaccurate personal information.
- Limit use of sensitive personal information (we use it only to provide requested Services).
- Request information about direct-marketing disclosures ("Shine the Light").
We honor Global Privacy Control (GPC) as a valid opt-out request. We will not deny services, charge different prices, or provide a different level of quality solely because you exercised your CCPA rights. To exercise any of these rights, email privacy@getcounsely.com with subject "California Privacy Request." We respond within 45 days (extendable by 45 with notice).
16. Other US States
Residents of Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Tennessee, Texas, Oregon, Montana, Delaware, Nebraska, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, Kentucky, and any similar US states have privacy rights comparable to those described above (access, deletion, correction, portability, opt-out of targeted advertising / sale, etc.). Email privacy@getcounsely.com to exercise.
17. Canada — PIPEDA & Quebec Law 25
We comply with PIPEDA and (for Quebec residents) Law 25 / Loi 25, including a designated privacy officer (privacy@getcounsely.com), access & correction rights, and disclosure that your data may be processed in the United States. You may complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or, in Quebec, the Commission d'accès à l'information.
18. Australia — Privacy Act 1988
We follow the Australian Privacy Principles (APPs). You may complain to the Office of the Australian Information Commissioner (oaic.gov.au).
19. Other Jurisdictions
- Brazil — LGPD. DPO: privacy@getcounsely.com. Complaints to the ANPD.
- India — DPDP Act 2023. Rights via privacy@getcounsely.com. Children under 18 require verifiable parental consent.
- Switzerland — FADP. Equivalent rights apply.
- South Korea — PIPA. Equivalent rights apply.
- Other countries. We extend GDPR-style rights to users in any jurisdiction; contact us to exercise them.
20. Third-Party Links
Our Services may contain links to third-party websites we do not control. We are not responsible for their privacy practices. Review their policies before providing personal information.
21. Changes to This Policy
We may update this policy from time to time. We will revise the "Last Updated" date at the top and, if changes are material, notify you by email or a prominent on-site notice before they take effect.
22. Contact Us
Counsely Privacy Office
Email: privacy@getcounsely.com (general support: support@getcounsely.com)
Website: https://www.getcounsely.com