We collect the following categories of personal information for the purposes described below: 

• Identity and Contact Data (e.g., name, email, physical address): Used to facilitate communication, verify identity, and authorize Service access.
• Support Inquiries: Information provided during support requests is processed to diagnose technical issues and enhance platform performance. 
• Social Engagement Data: Public interactions with our official social media channels are collected to foster community engagement and market the Service.
• Payment and Transaction Data (e.g., credit card information):: If you sign up and pay for the Service online, we collect necessary billing details (such as credit card numbers and billing addresses). We use third-party payment processors to handle these payments.
• Third-Party Login: If you choose to log in using an external provider (like Google), we receive limited profile data permitted by your privacy settings with that provider, typically including your name, email address, language settings, and profile image. 
• Technical Usage Metrics (e.g., browser version, IP address): We employ external analytics providers to evaluate user interaction patterns with our Service and Site. Our service providers may use cookies or similar technologies to collect this information. You can prevent analytics tracking on return visits by disabling cookies in your browser or by using opt-out mechanisms provided by these services, which we can direct you to upon request. Please see our Cookie Policy. We have configured our analytics to anonymize IP addresses and comply with applicable privacy laws. We utilize IP masking protocols to obscure identifying segments of your IP address prior to processing by analytics vendors.
• Corporate Usage Data: We may analyze IP addresses and site traffic to identify the organizations visiting our Site for B2B marketing and lead generation purposes. This information is used to identify the entity you are associated with. For B2B identification, our tools may associate site activity with specific organizations. You may disable this tracking via the cookie consent manager or your browser's blocking settings.
• Applicant Data: If you apply for a position with us, we process the information included in your application materials (such as your resume/CV, contact details, and employment history). We may also process interview feedback, background check results, and demographic information where legally permissible.

We use your personal information for the following purposes: 

• For Service operation and maintenance, including performance monitoring.
• Service Functionality: To process user inputs and deliver the core features of the Service.
• For account administration and feature authorization.
• Transaction Fulfillment: Processing necessary to execute orders and provision the requested Services. 
• To contact you and for marketing purposes. This includes sending notifications regarding terms, subprocessors, or service information. We also send newsletters, product updates, and event invitations, tailored to your interests based on your contact details and interactions with our Services. Additionally, we may use organizational data to send commercial messages to your company. You can opt out at any time via the 'unsubscribe' link in our emails or by contacting us at privacy@counselai.com.
• To manage and respond to your requests to us for customer support or other information. 
• Corporate Transactions: In scenarios involving a merger, divestiture, restructuring, or sale of assets, your data may be disclosed or transferred to prospective successors or acquiring entities. 
• For data analysis and improvement purposes: we may analyze data to identify usage trends or enhance user experience. 
• For educational events, we collect registration details (e.g., name, role) when you sign up for webinars or courses, and track engagement metrics like attendance and responses. We use this data to deliver requested content, improve our offerings, send marketing about related services, and analyze topic interests.
• For Job Candidates, we use your personal information to assess your skills and suitability, verify info and conduct checks (with consent where required), and contact you regarding your application. We also use it to maintain hiring records, submit reports required by employment laws, analyze and enhance our recruiting process, and consider you for other opportunities (with your consent)

We may share your personal information with others in the following situations: 

• Service Providers: We engage third-party service providers to assist with our business operations, such as cloud infrastructure, data analytics, technical support, communication services, and marketing. As part of these activities, we may make available device identifiers, general location information, and browsing activity to advertising partners to facilitate interest-based advertising on other websites and platforms. We maintain contractual agreements with these providers requiring them to protect the confidentiality of your information and comply with data privacy laws.
• Corporate Affiliates: Information may be shared within our corporate group (entities under common control), subject to the terms of this Notice. 
• User Interaction: Information shared via collaborative features is visible to involved peers or the public community. 
• Consensual Disclosure: We may release data when explicitly authorized by you, such as for third-party integrations.
• Legal and Financial Consultants: We may disclose data to attorneys, accountants, insurers, and bankers when required for their professional rendering of services to Counsel AI.
• Governmental and Legal Requests: We may disclose information to law enforcement or regulatory bodies if we maintain a good faith belief that such action is required for compliance, safety, or legal protection. When legally permissible, we endeavor to provide prior notice.
• Recruitment Vendors: For applicants, we share data with service providers managing hiring, such as applicant tracking systems and background check agencies (with consent where required).

Counsel AI maintains Personal Information solely for the duration required to fulfill the objectives described herein or to satisfy legal compliance, dispute resolution, and enforcement obligations. Counsel AI will also retain Usage Data for internal analysis purposes. 

Applicant Retention: We retain application data for three years to address legal obligations and potential disputes. With your consent, we may also keep it to contact you about future roles. If hired, this data transfers to your employment file.

Your data is processed at Counsel AI and service provider facilities globally, meaning it may be transferred to and maintained in jurisdictions with different data protection laws. See our Subprocessor List for details. By submitting your information, you consent to this transfer. 

Counsel AI implements commercially reasonable measures to ensure secure data handling in accordance with this Notice and your personal information will not be transferred to an organization or a country unless there are adequate controls. 

Erasure Requests: You are entitled to request the removal of your personal data. Certain deletions may be performed directly via Service tools. 

Data Management: Account holders can modify or remove profile data via settings. For other requests, contact privacy@counselai.com. Note that legal obligations may mandate retention of specific records. 

We prioritize data security; however, please acknowledge that no internet transmission or electronic storage method can guarantee absolute security. 

Our Service may contain hyperlinks to external sites not managed by Counsel AI. We bear no liability for the content, privacy practices, or operational policies of these third-party destinations. 

Enterprise Accounts: When you use the Service via an account provisioned by your employer or another organization, that entity acts as the administrator and controls your access. Administrators may modify, audit, or revoke your privileges at any time. We are not responsible for your organization's privacy or security practices; please refer to their policies for details.

Under applicable state privacy law, you have the following rights regarding personal information that we have collected and process about you:

• Right to know. You are entitled to request details regarding the categories of personal data we collect and our business purposes for processing it. We do not “sell” or “share” personal information, as we understand those terms to be defined under applicable state privacy laws.
• Access. You are entitled to receive a portable copy of the data we hold about you, including details on its collection, use, and disclosure.
• Correction: You may ask us to rectify inaccurate or incomplete personal data.
• Deletion: You may request the erasure of your personal data, subject to legal retention requirements.
• Portability: You may request your data in a portable format for transfer to another party.
• Opt-out. You have the right to opt-out of the sale of your personal information. If you are a California resident, please see California Privacy Notice, which forms part of this Privacy Notice, supplements this Privacy Notice, and applies solely to residents in the State of California. 

Global Transfer Notice: Users outside the US acknowledge that data is transmitted to and processed in the United States and other regions where our vendors operate. A list of the Subprocessors Counsel AI uses to process personal information may be found on the Subprocessor List.

Transfer Safeguards: We utilize approved mechanisms, such as Standard Contractual Clauses (SCCs), to legitimize cross-border data flows in compliance with EU/UK/Swiss standards. 

European Rights: Residents of the EEA, UK, or Switzerland hold specific rights under local data protection laws, including:

• Right of Access: Request details on data collection sources, purposes, sharing recipients, and obtain a copy of your personal data.
• Rectification: Request correction of accurate or incomplete data we hold about you.
• Erasure: Request that we delete your personal data permanently.
• Data Portability: Request a copy of your data in a structured, machine-readable format for transfer to another service.
• Restriction: Request that we temporarily halt processing your data under certain conditions.
• Objection: Challenge our processing grounds where we rely on legitimate interests, specifically regarding how it affects your fundamental rights.
• Consent Withdrawal: Revoke previously granted consent at any time. This does not invalidate processing deemed lawful prior to revocation.

You may submit these requests by email to privacy@counselai.com or via mail to the address above.

When you connect your Google account to CounselAI, we access the following data through Google APIs:

• Google Drive Files. Content of documents, spreadsheets, presentations, PDFs, and other files you select for import or that exist in folders you choose to sync.
• File Metadata. File names, types, sizes, modification dates, owner information, and folder structure used to display your Drive contents and detect changes during sync.
• Google Docs Comments and Suggestions. Comments (including anchored/quoted text) and tracked changes (suggestions) within Google Docs, used for legal review and annotation analysis.
• Google Docs Content. Full document content accessed for text extraction, AI-assisted analysis, and collaborative editing through the CounselAI Chrome extension.

CounselAI requests the following OAuth permission scopes from Google. Each scope is required for the functionality described:

• drive.readonly. Browse and list Drive files for import; detect new or modified files during automatic folder sync. This scope is required because users need to import pre-existing files not created with CounselAI, and automatic folder sync requires server-side access to folder contents.
• drive.metadata.readonly. Display file names, types, modification dates, and folder structures when users browse their Drive to select documents for import. Also used for change detection during automatic folder sync to identify new or modified files.
• drive.file. Access files explicitly selected by users through the Google Picker, and convert uploaded DOCX files to Google Docs format for annotation extraction.
• documents. Extract comments, suggestions (track changes), and anchored annotations from Google Docs for legal review. The Chrome extension also uses this scope to enable in-document collaborative editing. The read-only scope is insufficient because the extension requires write access.

Google user data is used solely to provide CounselAI’s core functionality:

• Document Import. Files and their content are imported into secure CounselAI hubs for AI-assisted legal review and analysis.
• Annotation Extraction. Comments and suggestions are extracted to support legal review workflows.
• Folder Synchronization. File metadata is used to automatically detect and sync new or modified files in folders you have selected for monitoring.
• Collaborative Editing. The CounselAI Chrome extension accesses Google Docs content to enable in-document legal review and editing.

We do not use Google user data for advertising, market research, or any purpose unrelated to providing CounselAI’s legal operations platform.

• OAuth Credentials. Access and refresh tokens are encrypted at rest and stored in our database.
• Imported Content. Document text and annotations imported from Google Drive are stored in CounselAI’s secure database infrastructure.
• File Metadata. Metadata such as file names, types, and modification dates is stored alongside imported resources for display and change detection.

We do not sell, rent, or share Google user data with third parties except as follows:

• AI Model Providers. Document content may be processed by third-party AI model providers (such as Google, Anthropic, and OpenAI) solely to deliver CounselAI’s AI-assisted review features. No Google user data is retained by AI model providers after processing, and no Google user data is used to train AI models.
• Cloud Infrastructure. Data is stored on cloud infrastructure providers that act as subprocessors under contractual data protection obligations.
• Legal Requirements. We may disclose data if required by law, regulation, or legal process.

A current list of subprocessors is available at www.counselai.com/company/legal/subprocessors.

You can disconnect your Google account from CounselAI at any time:

1. Navigate to your integration settings within CounselAI.

2. Click "Disconnect" on the Google Drive connection.

3. This immediately revokes CounselAI’s access tokens and deletes stored OAuth credentials.

You can also revoke access directly from your Google Account at https://myaccount.google.com/permissions.

• OAuth Credentials. Encrypted tokens are deleted immediately when you disconnect your Google account.
• Imported Content. Document content and annotations imported into CounselAI hubs are retained until you delete them from the hub or delete the hub itself.
• File Metadata. Metadata associated with imported resources is deleted when the corresponding resource is removed.

To request complete deletion of all Google-sourced data, contact privacy@counselai.com.

We implement the following security controls to protect Google user data:

• Encryption of OAuth credentials at rest.
• CSRF protection during the OAuth authorization flow.
• Input validation on all Google Drive API parameters.
• Rate limiting on Google API calls.
• Automatic token refresh to maintain secure sessions.

When you connect CounselAI to your Slack workspace, we collect and process the following data from Slack:

• Messages and thread context in channels where CounselAI is @mentioned, including the originating message, thread replies, and associated metadata (timestamps, channel ID, user ID).
• File attachments shared in Slack threads linked to CounselAI workspaces. Files are downloaded and stored within the associated CounselAI workspace.
• User profile information, including display name, Slack user ID, and email address. Email addresses are used solely to map Slack users to corresponding CounselAI platform accounts.
• Workspace and team information, including workspace name and team ID, used to identify and manage the integration.

• We do not read or store messages in channels where CounselAI has not been @mentioned.
• We do not access private direct messages unless the message is sent directly to the CounselAI bot.
• We do not monitor or store message content from channels that are not configured for CounselAI workspace creation.

• To create and populate legal workspaces from Slack conversations.
• To synchronize ongoing thread replies with the corresponding CounselAI workspace.
• To map Slack users to CounselAI platform accounts for attribution.
• Slack data is not used to train any AI or machine learning models.

Slack data is not used for advertising, market research, or any purpose unrelated to providing CounselAI’s legal operations platform.

• All Slack OAuth tokens are encrypted at rest.
• All communication between CounselAI and Slack uses HTTPS/TLS encryption.
• Every incoming request from Slack is verified using Slack’s signing secret to prevent tampering and replay attacks.

• Slack integration tokens and workspace connection data are retained for as long as the integration remains active.
• Pending installation records expire automatically after 24 hours.
• Event deduplication records are purged after 30 days.

• Organization administrators can disconnect the Slack integration at any time, which revokes stored tokens and deactivates the connection.
• When the CounselAI app is uninstalled from a Slack workspace, all associated tokens are revoked and integration data is deactivated.
• To request deletion of all Slack-related data, contact privacy@counselai.com.

We do not sell, rent, or share Slack data with third parties except as follows:

• AI Model Providers. Slack data may be processed by third-party AI model providers (such as Google, Anthropic, and OpenAI) solely to provide CounselAI’s core functionality (e.g., triage and categorization). No Slack data is retained by AI model providers after processing, and no Slack data is used to train AI models.
• Cloud Infrastructure. Data is stored on cloud infrastructure providers that act as subprocessors under contractual data protection obligations.
• Legal Requirements. We may disclose data if required by law, regulation, or legal process.

A current list of subprocessors is available at www.counselai.com/company/legal/subprocessors.