Privacy Policy

Last updated: May 19, 2026

CounselGuard (“CounselGuard,” “we,” “us”) provides AI compliance and governance software to law firms (“Customers”). Customers deploy the CounselGuard web dashboard, desktop agent, and Chrome extension to their employees and contractors (“End Users”). This policy describes what information our products collect, how it is used, how it is protected, and the rights individuals have with respect to that information.

CounselGuard acts as a data processor on behalf of the Customer. The Customer is the data controller for records created by their End Users. Questions about a specific firm’s configuration, retention, or access policies should be directed to that firm’s administrator.

1. Information we collect

Through the Chrome extension and desktop agent, CounselGuard collects:

  • Browsing activity related to AI tools. Top-level URLs, domain names, page titles, and timestamps for navigation to domains listed in the Customer’s AI Tool Registry. We do not collect page content, form inputs, keystrokes, passwords, or browsing activity on non-registered domains.
  • AI tool transcripts. When a Customer enables transcript capture for a registered AI tool, the prompt and response text from that tool’s interface is captured for compliance review. Transcripts are processed by Google Gemini for sanitization and analysis.
  • Process and application usage. Names of AI-related desktop applications launched on managed devices, along with start/stop times.
  • Account identifiers. Work email address, display name, role, and practice group, as provisioned by the Customer.
  • Device metadata. Device name, operating system, agent version, and extension version, used for enrollment and tamper detection.

Through the web dashboard, CounselGuard collects:

  • Authentication data managed by Firebase Auth (email, hashed credentials).
  • Compliance artifacts created by authorized users: policies, evidence notes, uploaded files, and compliance check statuses.
  • Standard web logs (IP address, user-agent, request times).

2. How we use information

  • Detect and log End User activity on AI tools registered by the Customer.
  • Produce compliance dashboards, reports, and investigation workflows for the Customer’s compliance team.
  • Operate, secure, monitor, and improve the service.
  • Communicate with Customer administrators about service-related matters.
  • Comply with legal obligations and respond to valid legal process.

We do not sell personal information, share it for cross-context behavioral advertising, or use Customer data to train AI models or for any purpose outside delivering the service.

3. Legal bases for processing (GDPR)

Where the EU or UK General Data Protection Regulation applies, we process personal data on the following legal bases:

  • Performance of a contract with the Customer who deployed the service.
  • Legitimate interests in operating, securing, and improving the service, where those interests are not overridden by individual rights.
  • Compliance with legal obligations.
  • Consent, where required and obtained.

4. Chrome extension permissions

The CounselGuard Chrome extension requests the following permissions:

  • webNavigation, tabs — detect navigation events to compare against the Customer’s AI Tool Registry.
  • storage — cache the registry and queue events when offline.
  • alarms — schedule periodic registry sync and event flush.
  • scripting — inject a minimal content script on registered domains to capture tool-specific context (never form contents).
  • Host access to all sites (*://*/*) — the registry is Customer-controlled and changes at runtime. Broad host access lets the extension evaluate the registry against the current URL without requiring a re-prompt every time a Customer adds a new tool. Only URLs matching the registry are logged.

5. Data transmission and storage

Data is transmitted over TLS 1.2 or higher to CounselGuard’s API and stored in Firebase (Google Cloud) in the region selected by the Customer. Desktop agent data at rest on the End User’s device is encrypted with AES-256-GCM. Authentication tokens and API keys are encrypted at rest. Access to production systems is restricted to authorized personnel and logged.

6. International data transfers

CounselGuard is operated from the United States. If the Customer’s region settings result in personal data being transferred from the European Economic Area, United Kingdom, or Switzerland to the United States, we rely on the European Commission’s Standard Contractual Clauses (or, where applicable, an adequacy decision) as the transfer mechanism. The Customer’s Data Processing Addendum sets out the applicable safeguards.

7. Retention

Activity records, transcripts, and compliance artifacts are retained for the period configured by the Customer (default 24 months). Customers can export or delete their workspace data at any time. On termination of a Customer’s subscription, all Customer data is deleted within 30 days unless a longer retention period is required by law. Backups containing Customer data are overwritten on a rolling basis within 90 days.

8. Sub-processors and sharing

We share data only with sub-processors required to run the service. Our current sub-processors are:

  • Google Cloud / Firebase — hosting, database, authentication.
  • Vercel — web application hosting and serverless compute.
  • Google (Gemini API) — transcript sanitization and compliance analysis.
  • Resend — transactional email delivery.
  • Upstash — rate-limiting and ephemeral state.

We do not share End User data with advertisers or unrelated third parties. Customer administrators within the End User’s firm can view that End User’s activity records, consistent with the firm’s internal compliance program. We notify Customers of material changes to the sub-processor list at least 30 days in advance.

9. Cookies and tracking technologies

The CounselGuard web dashboard uses strictly necessary cookies for authentication (Firebase Auth session tokens) and CSRF protection. We do not use advertising cookies, third-party analytics that profile individuals, or cross-site tracking. The marketing site (counselguard.io) uses minimal, privacy-preserving analytics that do not set persistent identifiers.

10. Security and breach notification

We maintain administrative, physical, and technical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction. These include encryption in transit and at rest, role-based access controls, audit logging, secure development practices, and ongoing monitoring. In the event of a personal data breach affecting Customer data, we will notify affected Customers without undue delay and in accordance with applicable law and the Data Processing Addendum.

11. Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you;
  • Correct inaccurate personal data;
  • Delete personal data;
  • Restrict or object to certain processing;
  • Receive a portable copy of your data;
  • Withdraw consent where processing is based on consent;
  • Lodge a complaint with a supervisory authority.

California residents (CCPA/CPRA): you have the right to know, delete, correct, and limit the use of sensitive personal information; you also have a right to opt out of the “sale” or “sharing” of personal information. We do not sell or share personal information for cross-context behavioral advertising.

End Users with questions about their data should first contact their firm’s CounselGuard administrator, since the firm controls the relevant records. End Users and Customers may also contact CounselGuard directly to exercise these rights at the address below. We will not discriminate against you for exercising any of these rights.

12. Children

CounselGuard is a workplace product and is not directed to children. We do not knowingly collect personal information from anyone under the age of 16. If we learn that we have collected such information, we will delete it.

13. Contact

For privacy questions or to exercise the rights described in Section 11, contact ryan@counselguard.com. For technical or security-related issues, contact james@counselguard.com.

14. Changes to this policy

We will post updates to this page and update the “Last updated” date. Material changes will be communicated to Customer administrators in advance through the dashboard or by email. Your continued use of the service after the effective date of an updated policy constitutes acceptance of the updated policy.