Privacy Policy
How we collect, use, and protect your information.
Effective date: May 13, 2026
1. Who We Are
Counteraxiom ("we," "us," or "our") operates the Counteraxiom AI debate and critical-thinking platform at counteraxiom.com (the "Service"). We are the data controller responsible for your personal information collected through the Service.
Privacy contact: legal@counteraxiom.com
2. Information We Collect
Account data: When you register, we collect your name, email address, and hashed password.
Conversation and session data: The messages you send and the AI-generated responses are stored to provide chat history and deliver the Service. This includes content from all features — standard debate sessions, Interactive Chat, Interview Prep, Classroom, Pitch Room, Case Room, Market Research sessions, Contract Review submissions, Spend Analyser inputs, and Portfolio Lab sessions. Any text, file attachments, CV files, pitch decks, or documents you upload are stored as part of this data.
Performance and progress data: When you complete sessions that produce a score (Pitch Room, Negotiation Trainer, Reasoning Test), your scores and session metadata (session title, feature, date, difficulty) are stored to power the Progress dashboard and generate improvement analytics. This data is retained as part of your account and is deleted when you close your account.
AI Memory data (opt-in): If you enable AI Memory in Settings, we store a flag on your account indicating your preference. When enabled, existing session history (scores, session titles, and dates from Pitch Room, Negotiation Trainer, Interview Prep, Study Assessment, and Main Chat) is read at the start of each new session and included in the AI's system context to provide continuity across sessions. No additional data is collected beyond what is already stored as session data. AI Memory can be disabled at any time in Settings, at which point new sessions will start without any prior context. Disabling AI Memory does not delete your session history — it only prevents it from being injected into future AI prompts.
Usage data: We record usage counts (debates used per day, total file uploads, bonus prompt balances) to enforce plan limits and detect abuse.
Technical data: We automatically collect your IP address, browser type, and session information when you use the Service for security, fraud prevention, and service stability.
Voice data (Axiom Voice): If you use Axiom Voice, your speech audio is processed for transcription. See the dedicated Voice Data section below for full details.
Payment data: Billing is handled entirely by our third-party payment processor (Polar). We do not store, see, or process full payment card information. We receive only non-sensitive billing confirmation data (plan type, subscription status, subscription ID, and customer ID).
Important — Sensitive content warning: Do not submit real confidential documents, personally identifiable information belonging to third parties, privileged legal materials, or sensitive financial records to any Counteraxiom tool. We are not equipped to handle such data and our Terms of Use prohibit it.
3. Voice Data — Axiom Voice
Axiom Voice uses speech recognition to allow you to speak instead of type, and provides AI-generated voice output. The following explains how your voice data is handled.
What is collected: When Axiom Voice is active, your speech audio is captured and transmitted to a speech recognition service for real-time transcription. The resulting text transcript is then processed as part of the debate session.
Biometric identifiers: Counteraxiom does not create persistent voice profiles, voiceprints, or biometric templates derived from your voice for the purpose of identifying you. Audio is processed transiently to produce a text transcript. Raw audio is not retained after transcription beyond the active session.
Third-party speech processing: Voice audio may be transmitted to a third-party speech recognition API (such as a browser-native Web Speech API or a cloud transcription service) to perform transcription. That provider processes your audio under its own privacy policy. We will update this section when the specific provider is identified.
Retention: Text transcripts derived from Axiom Voice are retained as part of your conversation history on the same basis as text-based messages. Raw audio is not retained. Transcripts are deleted when you delete the associated conversation or close your account.
Illinois residents — BIPA (740 ILCS 14/): Before enabling Axiom Voice for the first time, Illinois residents are presented with a separate written notice and affirmative consent mechanism. We will not collect, capture, or use your voice data without your written consent. Your voice data will not be sold, leased, traded, or otherwise profited from. It will not be disclosed to third parties except as strictly necessary to provide transcription (in which case such third parties are contractually bound to equivalent protections). Voice-derived data will be destroyed no later than the earlier of: (a) when the purpose for which it was collected is fulfilled; or (b) 3 years from the date of collection.
Texas residents — CUBI (Tex. Bus. & Com. Code § 503.001): We provide notice and obtain consent before capturing any voice data. Voice data will be destroyed no later than one year after the purpose for which it was collected is fulfilled. We will not sell voice data.
EU/UK residents — GDPR Art. 9: Where voice data processing constitutes processing of biometric data for the purpose of unique identification under GDPR Article 9, we rely on your explicit consent (Art. 9(2)(a)). You may withdraw consent at any time by disabling Axiom Voice in Settings; withdrawal does not affect processing carried out before withdrawal. Where required by Art. 35, a Data Protection Impact Assessment has been conducted for voice data processing.
CCPA — Sensitive personal information: Voice data may constitute sensitive personal information under the California Privacy Rights Act (Cal. Civ. Code § 1798.121). California residents have the right to limit use of sensitive personal information. To exercise this right, contact legal@counteraxiom.com.
4. AI Memory & Cross-Session Continuity
AI Memory is an opt-in feature that allows the AI to carry context from your past sessions into new ones. It is disabled by default and can be toggled on or off at any time in Settings → Profile → AI Memory.
What AI Memory does: When enabled, at the start of each new session, we read a structured summary of your prior session history — including session titles, scores, feature types, and dates — from your account and include it in the AI's system prompt. This gives the AI context such as "this user has practiced 6 pitch sessions, their average score is 71/100, their last pitch was titled X." No new data is collected; AI Memory reads data that is already stored as your normal session history.
What AI Memory does not do: AI Memory does not create a separate profile, does not read the full content of past conversations (only metadata: titles, scores, dates, feature types), and does not share your data with third parties beyond the normal AI provider routing described in this policy.
Legal basis (GDPR): Processing of session metadata to power AI Memory is based on your explicit opt-in consent (Art. 6(1)(a)). You may withdraw consent at any time by disabling AI Memory in Settings; withdrawal does not affect sessions that have already been conducted.
CCPA: The AI Memory feature uses data you have already provided to the Service for the purpose of providing you a personalised service experience. This is not a "sale" or "sharing" of personal information under the CCPA.
Disabling AI Memory: Disabling the toggle stops future sessions from reading your prior history. It does not delete your session history from our servers — your Progress dashboard will continue to display historical session data. To delete your session history, use the account deletion function or contact legal@counteraxiom.com.
5. Progress Tracking & Performance Data
Counteraxiom stores scores and session metadata from Pitch Room, Negotiation Trainer, and Reasoning Test sessions to power the Progress dashboard — a feature that displays your score history, improvement trends, and weak-area analysis over time.
What is stored: For scored sessions, we store the session title, score, feature type, difficulty level, and date. For unscored sessions (Interview Prep, Study Assessment), we store session count and date. Full conversation transcripts are stored separately as session data.
How it is used: Progress data is used exclusively to generate your personal Progress dashboard and, if AI Memory is enabled, to provide session context to the AI. It is not used to benchmark you against other users in any identifiable way and is not shared with third parties.
Legal basis (GDPR): Progress data processing is based on contract performance (Art. 6(1)(b)) — it is necessary to deliver the Progress feature you access as part of the Service.
6. Local Storage & Device-Side Preferences
In addition to cookies, Counteraxiom uses browser localStorage — a client-side storage mechanism that persists data in your browser — to store lightweight user preferences on your device. Unlike cookies, localStorage data is not transmitted to our servers automatically; it exists only in your browser.
We use localStorage to store the following preference flags:
- axiom_pitchroom_seen — whether you have viewed the Pitch Room tutorial
- axiom_negotiation_seen — whether you have viewed the Negotiation Trainer tutorial
- axiom_disclaimer_pitchroom — whether you have acknowledged the Pitch Room legal disclaimer
- axiom_disclaimer_negotiation — whether you have acknowledged the Negotiation Trainer legal disclaimer
- axiom_voice_consent — whether you have provided consent for Axiom Voice data processing
These flags are strictly necessary for the functioning of their respective features (e.g., showing the correct disclaimer on first use). They do not identify you, are not linked to your account, and are not transmitted to our servers. They are exempt from cookie consent requirements under the EU ePrivacy Directive as functional/necessary storage. You can clear them at any time by clearing your browser's site data.
ePrivacy Directive / UK PECR: The localStorage items listed above are used solely to enable a service expressly requested by the user or to fulfil a legal compliance obligation (consent record-keeping). They are therefore exempt from the requirement to obtain prior consent under Article 5(3) of the ePrivacy Directive and Regulation 6 of the UK PECR.
7. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the Service and all its specialist tools
- Authenticate you and enforce subscription plan limits and daily usage quotas
- Deliver AI-generated responses by routing your inputs through third-party AI providers
- Enable web search capabilities where applicable (inputs may be transmitted to search index providers)
- Process voice audio for speech-to-text transcription when Axiom Voice is enabled
- Generate and display your Progress dashboard — scores, trends, and weak-area analysis derived from your session history
- Provide AI Memory continuity (if enabled) by reading your prior session history and injecting a structured summary into each new AI session prompt
- Send transactional emails (account creation, email verification, password reset, subscription reminders)
- Detect, prevent, and address security incidents, fraud, and abuse
- Comply with legal obligations
- Improve and develop the Service using aggregated, de-identified data only
We do not sell your personal data to third parties. We do not use your conversation content, session transcripts, specialist tool submissions, or voice data to train AI models.
8. AI & Third-Party Providers
Counteraxiom routes your messages through OpenRouter (openrouter.ai) to reach the underlying AI models (including models provided by Anthropic, OpenAI, and others). Your message content is transmitted to these providers to generate responses.
This applies to all tools — debate sessions, Interactive Chat, Interview Prep, Classroom, Pitch Room, Case Room, Contract Review, Portfolio Lab, and all others. Content you submit to any tool is transmitted to AI providers as part of normal operation.
These providers process your inputs under their own privacy policies and terms of service. We recommend reviewing OpenRouter's privacy policy at openrouter.ai/privacy.
Web Search: When web search is enabled, your query may be transmitted to a third-party search provider to retrieve live results. Search queries are not linked to your account by the search provider.
Payment processing: Payments are processed by Polar (polar.sh) under their own privacy policy and PCI-DSS compliance. We receive only non-sensitive billing confirmation data.
Email delivery: Transactional emails (verification codes, password resets, subscription notifications, group invitations) are delivered via Resend (resend.com). Your email address and the email content are transmitted to Resend solely to deliver these messages. We do not use Resend for marketing.
Database hosting: Your account data, conversation history, and session data are stored in a managed PostgreSQL database hosted by Neon (neon.tech) in the United States. Neon acts as a sub-processor under their own security and privacy commitments.
Product analytics: We use PostHog (posthog.com) — a product analytics platform hosted in the United States — to understand how people use Counteraxiom (pages visited, features used, signups, paid conversions). PostHog uses cookies and localStorage to identify returning sessions. PostHog does not receive your conversation content, voice audio, or AI prompts. You can opt out using browser do-not-track / global privacy control signals, or by emailing legal@counteraxiom.com.
Speech recognition: Axiom Voice audio may be transmitted to a speech recognition service (the browser's built-in Web Speech API for Lite mode; Groq for advanced transcription in Pitch Room and Interview Prep). See the Voice Data section for details.
Data location: Counteraxiom infrastructure and all sub-processors named above operate from data centres in the United States. By using the Service from outside the US you consent to your personal data being transferred to and processed in the US.
9. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data on the following legal bases:
- Contract performance — processing necessary to provide the Service you have signed up for (account data, conversation data, usage enforcement)
- Legitimate interests — security, fraud prevention, abuse detection, and service improvement (where your interests do not override ours)
- Legal obligation — where we are required to process data to comply with applicable law
- Explicit consent — for voice/biometric data processing under Art. 9(2)(a), where applicable
10. Automated Decision-Making
Counteraxiom uses automated systems to route your debate inputs to AI models and to enforce plan usage limits. These automated processes do not produce legal or similarly significant effects on you.
California ADMT (California Privacy Protection Agency regulations, effective April 2026): We use automated decision-making technology (ADMT) for model routing and usage enforcement. You have the right to opt out of profiling conducted through ADMT. To exercise this right or to request information about the ADMT logic used, contact legal@counteraxiom.com.
GDPR Art. 22: We do not make solely automated decisions that produce legal or similarly significant effects on you within the meaning of GDPR Art. 22. If we ever implement such processing, we will provide appropriate notice and rights in advance.
11. Data Retention
We retain your data as follows:
- Account data: Retained while your account is active and for 30 days after a deletion request, after which it is deleted or anonymised
- Conversation and session history (including all specialist tool sessions): Retained until you delete individual conversations, use the account deletion function, or close your account
- Performance and progress data (session scores, titles, dates): Retained as part of your account for as long as your account is active, and deleted when you close your account
- AI Memory preference: The on/off flag is stored on your account and deleted when you close your account. Disabling AI Memory does not delete your session history; it only stops future sessions from reading it
- File uploads and documents: Retained until the associated conversation or session is deleted
- Voice audio: Raw audio is not retained after transcription. Text transcripts are retained as conversation history
- Illinois BIPA voice data: Destroyed no later than the earlier of (a) fulfilment of purpose or (b) 3 years from collection
- Texas CUBI voice data: Destroyed no later than 1 year after fulfilment of purpose
- Usage logs: Retained for 90 days for fraud prevention and billing dispute resolution
- Technical / security logs: Retained for up to 90 days
When you request account deletion (via the in-app feature or by emailing us), we delete or anonymise your personal data within 30 days, except where retention is required by law.
12. Cookies
Counteraxiom uses a session cookie (axiom_session — encrypted, HTTP-only, not accessible to JavaScript) to authenticate you and maintain your login session. This cookie is strictly necessary for the Service to function and does not require your consent under GDPR Article 5(3) of the ePrivacy Directive.
We also use product analytics cookies set by PostHog to measure aggregate usage of the Service (which pages are visited, which features are used, how signups convert). These cookies do not contain advertising identifiers and are not shared with ad networks or social media platforms. You may opt out via your browser's do-not-track / Global Privacy Control settings.
We do not use advertising cookies, retargeting pixels, or social media tracking pixels.
For full details, see our Cookie Policy.
13. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your account and associated personal data
- Portability: Request your data in a structured, machine-readable format
- Objection: Object to processing based on legitimate interests
- Restriction: Request that we restrict processing while a dispute is resolved
- Withdraw consent: Where processing is based on consent (including voice data), withdraw it at any time
- Opt out of ADMT profiling (California): Opt out of automated decision-making profiling
- Limit sensitive personal information (California CPRA): Limit use of sensitive personal information including voice data
CCPA (California residents): You have the right to know what personal information we collect and how it is used, to request deletion, to correct inaccurate information, and to opt out of any sale or sharing of personal information. We do not sell or share personal information for cross-context behavioural advertising.
Illinois residents (BIPA): You have the right to know what biometric data has been collected about you, to obtain a copy, and to request deletion. Contact legal@counteraxiom.com to exercise these rights.
To exercise any right, email legal@counteraxiom.com. We will respond within 30 days (GDPR/UK GDPR) or 45 days (CCPA). We may need to verify your identity before processing your request.
14. Data Breach Notification
In the event of a personal data breach, Counteraxiom will notify affected parties as required by applicable law:
- GDPR / UK GDPR: We will notify the competent supervisory authority (EEA: lead DPA; UK: ICO) within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms. Where the breach is likely to result in high risk to individuals, we will also notify affected data subjects without undue delay.
- CCPA / California (Cal. Civ. Code § 1798.82): We will notify affected California residents in the most expedient time possible and without unreasonable delay. If the breach affects more than 500 California residents, we will notify the California Attorney General.
- Washington state (RCW 19.255.010): We will notify affected Washington residents within 30 days of discovering a qualifying breach.
- Colorado (CRS § 6-1-716): We will notify affected Colorado residents within 30 days.
- Other US states: We will comply with applicable state breach notification laws, which generally require notification as quickly as reasonably practicable.
- Quebec (Law 25): We will notify the Commission d'accès à l'information (CAI) and affected individuals within 72 hours of a confidentiality incident involving sensitive personal information that presents a risk of serious injury.
- Australia (Privacy Act 1988, NDB scheme): We will notify the OAIC and affected individuals as soon as practicable where a breach is likely to result in serious harm.
We maintain an incident response plan to enable timely detection, assessment, and notification. To report a suspected security incident involving your data, contact legal@counteraxiom.com immediately.
15. Data Security
We implement appropriate technical and organisational measures to protect your personal data. These include: encrypted password storage (bcrypt), encrypted session cookies (AES-256 via iron-session), HTTPS-only data transmission, restricted database access controls, and separation of payment processing via Polar's PCI-compliant infrastructure. Despite these measures, no internet-based system is 100% secure. You are responsible for keeping your credentials private and using a strong, unique password. Notify us immediately at support@counteraxiom.com if you suspect unauthorised access to your account.
16. International Transfers
Counteraxiom's infrastructure and our third-party AI, speech recognition, email, analytics, database, and payment providers are located in the United States. If you are located in the EEA, UK, Switzerland, or another jurisdiction with cross-border data transfer restrictions, your data will be transferred to and processed in the United States. Where required by GDPR Chapter V (or equivalent law), we rely on Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, the EU-US Data Privacy Framework where applicable, and Transfer Impact Assessments to safeguard such transfers. By using the Service from outside the United States you consent to these transfers to the extent permitted by your local law.
17. Sub-Processor List
The following sub-processors may process your personal data on our behalf:
- Vercel (US) — application hosting and edge runtime
- Neon (US) — managed PostgreSQL database for account, conversation, and session data
- OpenRouter (US) — routing layer for AI model providers
- Groq (US) — speech-to-text transcription for Pitch Room and Interview Prep voice features
- Polar (US) — payment processing, subscription management, and invoicing
- Resend (US) — transactional email delivery (verification codes, password resets, billing notices, group invites)
- PostHog (US) — product analytics; page views, feature usage, signup conversions (no conversation content)
We may add or replace sub-processors at any time as our infrastructure evolves. Where required by your jurisdiction's law, we will provide reasonable advance notice of material changes by updating this list. If you require a written Data Processing Agreement (DPA) covering these sub-processors — for example, on behalf of an EU/UK business customer — contact legal@counteraxiom.com.
18. Children
The Service is not directed to children under 13 years of age. We do not knowingly collect personal information from children under 13. If the Classroom tool is deployed in a K-12 setting, educational institutions must obtain appropriate parental consent or rely on the COPPA school exception (16 C.F.R. § 312.5(b)(1)) and must contact us at legal@counteraxiom.com to execute a FERPA/COPPA-compliant data processing agreement before use. If you become aware that a child under 13 has provided us with personal information without appropriate consent, please contact us at legal@counteraxiom.com and we will delete it promptly.
19. Jurisdiction-Specific Rights
Canada (PIPEDA / Quebec Law 25): Canadian residents have rights of access and correction under PIPEDA. Quebec residents have additional rights under Law 25, including the right to be de-indexed and to data portability. Contact legal@counteraxiom.com to exercise these rights.
Australia (Privacy Act 1988): Australian residents have rights under the Australian Privacy Principles (APPs), including rights of access and correction under APPs 12 and 13. Contact legal@counteraxiom.com to exercise these rights. Complaints may be referred to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
UK (UK GDPR / Data Protection Act 2018): UK residents may lodge complaints with the Information Commissioner's Office (ICO) at ico.org.uk.
20. Changes to This Policy
We may update this Privacy Policy from time to time as our features, providers, or legal obligations change. We will notify you of material changes by updating the effective date at the top of this page and, where required by law, by email or in-app notification. Continued use of the Service after changes constitutes acceptance of the updated policy.
21. Contact & Complaints
For privacy-related questions or to exercise your rights: legal@counteraxiom.com
For general support: support@counteraxiom.com
If you are located in the EEA and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.
Questions about this document? Contact us at contact@counteraxiom.com