Privacy Policy.

Contact information you submit through demo, pilot, or sales request forms: name, work email, company, role, and message content.

Account information for Authorized Users of the platform: name, work email, role, and authentication identifiers.

Usage and log information: IP address, browser type, pages viewed, timestamps, and actions taken within the platform, retained in tenant-scoped audit logs.

Customer Data uploaded by enterprise customers may contain personal information of their employees, suppliers, or counterparties. We process that data only on documented instructions from the customer.

To provide, operate, secure, and improve the Service, including authentication, audit logging, and abuse prevention.

To respond to demo, pilot, sales, and support requests, and to communicate with prospective and existing customers about the Service.

To meet legal, regulatory, contractual, and tax obligations.

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising.

Sub-processors we engage to host, secure, and operate the Service (such as cloud infrastructure and email delivery providers), under written contracts that bind them to confidentiality and data protection obligations no less protective than this Policy.

Professional advisors (legal, accounting, audit) under confidentiality obligations.

Legal disclosures where required by law, court order, or to protect the rights, property, or safety of Counterpass, our customers, or others.

Corporate transactions in connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality.

We retain personal information for as long as needed to provide the Service, to meet legal and contractual obligations, and to resolve disputes. Tenant-scoped audit logs are retained for the contract term unless otherwise agreed. Customer Data retention follows the applicable customer agreement.

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These include role-based access control, tenant-scoped data isolation, encryption in transit, and audit logging. No method of transmission or storage is perfectly secure.

Counterpass is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States. Where required, transfers are governed by appropriate safeguards such as Standard Contractual Clauses.

This section applies to California residents and describes their rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA").

Categories of personal information collected in the preceding twelve months:

• Identifiers (name, email, IP address)
• Commercial information (company, role, services of interest)
• Internet or other electronic network activity (usage logs)
• Professional or employment-related information (job title, employer)
• Inferences drawn from the above (e.g., buyer interest level)

We do not knowingly collect sensitive personal information (SPI) outside what may be present in Customer Data uploaded by enterprise customers.

Purposes: providing the Service, responding to requests, security and fraud prevention, legal compliance, and improving the Service. Categories disclosed for business purposes: identifiers and usage data to sub-processors as described in § 03. We do not sell or share personal information as those terms are defined under the CCPA.

Your CCPA rights:

• Right to know the categories and specific pieces of personal information we have collected about you.
• Right to delete personal information we have collected, subject to exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of the "sale" or "sharing" of personal information (we do not sell or share).
• Right to limit the use and disclosure of sensitive personal information.
• Right to non-discrimination for exercising your rights.

How to exercise your rights: email contact@counterpass.ai with your request. We will verify your identity (typically by confirming control of the email address on file or other reasonable verification) before responding, generally within forty-five (45) days. You may use an authorized agent; the agent must provide proof of authorization.

Do Not Sell or Share My Personal Information: Counterpass does not sell or share personal information for cross-context behavioral advertising. If our practices change, this Policy will be updated and an opt-out mechanism made available.

The Service is an enterprise B2B platform not directed to children. We do not knowingly collect personal information from children under thirteen (13). If you believe a child has provided us with personal information, contact us and we will delete it.

We may update this Policy from time to time. The effective date at the top of this document indicates when the Policy was last revised. Material changes will be communicated through the Service or by other reasonable means.

Clickwrap acceptance: To create an account or access the Counterpass software, users must affirmatively accept the Terms of Service, this Privacy Policy, and the Acceptable Use Policy by checking a required, unchecked-by-default checkbox at signup. Accounts cannot be created without this acceptance.

What we log on acceptance:

• User identifier (and tenant/organization identifier, where applicable)
• Policy type accepted (Terms, Privacy, Acceptable Use)
• Version of each policy accepted
• Timestamp of acceptance
• IP address and user-agent string, where safely available, for fraud prevention and audit integrity

Re-consent on version changes: When we publish a new required version of the Terms, Privacy Policy, or Acceptable Use Policy, users will be presented with a legal acceptance screen at their next session and must accept the updated versions before continuing to use the Service. Access to product routes is blocked, both client- and server-side, until acceptance is recorded.

Records retention: Consent records are retained for the duration of the account and for a reasonable period thereafter to evidence agreement, defend legal claims, and meet regulatory obligations.

Access to your consent record: You may request a copy of your consent history by emailing contact@counterpass.ai.