Privacy Policy — Plain English, No Surprises

Most privacy policies are written to protect the company, not inform you. Ours is different. Plain English. No legalese. No surprises.

Effective Date: April 5, 2026

The short version

If you read nothing else, read this.

Zero tracking

No analytics. No cookies. No pixels. No fingerprinting. We don't measure your behavior.

No AI training

Your documents and conversations are never used to train AI models. Ever.

No data selling

Your data is never sold, rented, or shared with advertisers or data brokers.

Encrypted everything

TLS 1.3 in transit. AES-256 at rest. Row-level security on every query.

Who we are

SynthCounsel is a legal document preparation platform operated by SynthCORP LLC, based in Utah. We built this product for people navigating the legal system on their own. Your trust is the only reason we exist, so we treat your privacy like our own.

What we collect

Only what's needed to make the product work. Nothing more.

Account info

Your email address, name (if you provide one), and authentication credentials. Managed by Supabase Auth.

Case data

Case names, numbers, parties, court details, and other information you enter. This is your data — we just store it for you.

Generated documents

The documents you create, stored in encrypted storage buckets scoped to your user ID. No one else can access them.

Audit logs

Timestamps, document types, disclaimer acceptance, and generation metadata. We do not log the substantive content of your documents.

Payment info

Processed and stored entirely by Stripe. We never see or store your credit card number.

What we don't collect

This is the part most companies skip.

Analytics or usage tracking of any kind

Cookies for tracking or advertising

Browser or device fingerprints

Clicks, scrolls, or navigation patterns

Third-party tracking pixels or scripts

Biometric data

How we use your data

To generate your documents and calculate your deadlines
To manage your subscription and enforce free tier limits
To maintain audit trails — for your protection and ours
To send you important service updates (not marketing, unless you opt in)

That's it. We don't “improve the service based on aggregate usage patterns” because we don't collect usage data to aggregate.

How AI works

When you generate a document or chat with Counsel, we send the minimum necessary context to the AI provider (Anthropic) via their API.

Document generation

Your case details and document parameters are sent to Anthropic. We use API configurations that explicitly opt out of model training. The AI processes your request and returns the result. It does not retain your data.

Chat conversations

Messages are sent to the AI for response generation only. Your conversations are stored in your account (encrypted at rest) so you can reference them later. Never shared. Never used for training.

Document uploads

When you upload a document, the AI reads it in a single API call to classify it, extract dates, and identify parties. The AI does not retain the document content after processing.

AI costs are included in your subscription. You never need to provide your own API keys. We hold the relationship with Anthropic on your behalf and pass through their no-training data terms.

Data storage & security

Hosted on Supabase (AWS infrastructure) with row-level security — every database query is scoped to your user ID

Encrypted in transit (TLS 1.3) and at rest (AES-256). Backups encrypted. Documents in encrypted object storage.

Authentication required on every API endpoint. Principle of least privilege. Parameterized queries everywhere.

Sub-processors

Every third-party service we use, what it does, and what data it touches. This list is exhaustive — we do not share data with any party not listed here.

Supabase

Authentication, database, file storage

Account data, case data, documents

Stripe

Payment processing

Billing info only — we never see card numbers

Anthropic

AI document generation and chat

Case context sent per-request, opted out of training

Resend

Transactional email (welcome, support replies, deadline reminders)

Email address + message body

Vercel

Web hosting / edge runtime

Request metadata only — no case data persisted

PostHog

Anonymous usage analytics (page views, wizard starts, checkout funnel)

Anonymized IP (truncated to /24), event metadata. NO form-field values, NO session replay.

Upstash Redis

Rate limiting (anti-abuse only)

IP address counter, no message content

All sub-processors are bound by their own published data-protection agreements. We do not sell your data to advertisers or data brokers. Updated 2026-05-06.

Your privacy rights — including Utah (UCPA)

The Utah Consumer Privacy Act (Utah Code §§ 13-61-101 et seq., effective Dec. 31, 2023), the California Consumer Privacy Act (CCPA / CPRA), the Virginia CDPA, the Colorado CPA, and the Connecticut CTDPA all give you the same core rights. We honor these rights for every user, regardless of state.

Right to access — Get a copy of every piece of data we have on you. Email privacy@synthcounsel.com with subject “Access request.” Response within 45 days.
Right to delete — Have your account and all associated data permanently purged. Email privacy@synthcounsel.com with subject “Delete request.” We delete within 30 days.
Right to correct — Have inaccurate data corrected. Most fields are editable directly in your dashboard; for the rest, email us.
Right to opt out of sale / sharing for targeted advertising — We don’t sell or share your data for advertising. To opt out anyway, email privacy@synthcounsel.com with subject “Opt-out.”
Right to portability — Get your data in a machine-readable JSON export.
No retaliation — We do not charge a different price or provide a different level of service to users who exercise these rights.

Data retention

Account and case data: retained while your account is active

Deleted documents: soft-deleted immediately, permanently purged after 30 days

AI Counsel transcripts: capped at 90 days. Older messages and inactive conversations are purged nightly to limit data-breach blast radius.

Full account deletion: available anytime — contact privacy@synthcounsel.com

Your rights

Access

Request a copy of all your personal data

Correction

Update or correct your personal data anytime

Deletion

Request deletion of your account and all associated data

Export

Download your case data and generated documents

To exercise any of these rights: privacy@synthcounsel.com

Children

SynthCounsel is not intended for anyone under 18. We do not knowingly collect data from minors.

Changes to this policy

If we make material changes, we'll email registered users before the changes take effect. The effective date at the top reflects the latest revision.

Privacy shouldn't require a law degree to understand. We wrote this policy for humans, not lawyers. If something is unclear, email us at privacy@synthcounsel.com and we'll explain it in plain English. See also: Security commitments.

Most privacy policies are written to protect the company, not inform you. Ours is different. Plain English. No legalese. No surprises.

Effective Date: April 5, 2026

The short version

If you read nothing else, read this.

Zero tracking

No analytics. No cookies. No pixels. No fingerprinting. We don't measure your behavior.

No AI training

Your documents and conversations are never used to train AI models. Ever.

No data selling

Your data is never sold, rented, or shared with advertisers or data brokers.

Encrypted everything

TLS 1.3 in transit. AES-256 at rest. Row-level security on every query.

Who we are

What we collect

Only what's needed to make the product work. Nothing more.

Account info

Your email address, name (if you provide one), and authentication credentials. Managed by Supabase Auth.

Case data

Case names, numbers, parties, court details, and other information you enter. This is your data — we just store it for you.

Generated documents

The documents you create, stored in encrypted storage buckets scoped to your user ID. No one else can access them.

Audit logs

Timestamps, document types, disclaimer acceptance, and generation metadata. We do not log the substantive content of your documents.

Payment info

Processed and stored entirely by Stripe. We never see or store your credit card number.

What we don't collect

This is the part most companies skip.

Analytics or usage tracking of any kind

Cookies for tracking or advertising

Browser or device fingerprints

Clicks, scrolls, or navigation patterns

Third-party tracking pixels or scripts

Biometric data

How we use your data

To generate your documents and calculate your deadlines
To manage your subscription and enforce free tier limits
To maintain audit trails — for your protection and ours
To send you important service updates (not marketing, unless you opt in)

That's it. We don't “improve the service based on aggregate usage patterns” because we don't collect usage data to aggregate.

How AI works

When you generate a document or chat with Counsel, we send the minimum necessary context to the AI provider (Anthropic) via their API.

Document generation

Chat conversations

Messages are sent to the AI for response generation only. Your conversations are stored in your account (encrypted at rest) so you can reference them later. Never shared. Never used for training.

Document uploads

When you upload a document, the AI reads it in a single API call to classify it, extract dates, and identify parties. The AI does not retain the document content after processing.

AI costs are included in your subscription. You never need to provide your own API keys. We hold the relationship with Anthropic on your behalf and pass through their no-training data terms.

Data storage & security

Hosted on Supabase (AWS infrastructure) with row-level security — every database query is scoped to your user ID

Encrypted in transit (TLS 1.3) and at rest (AES-256). Backups encrypted. Documents in encrypted object storage.

Authentication required on every API endpoint. Principle of least privilege. Parameterized queries everywhere.

Sub-processors

Every third-party service we use, what it does, and what data it touches. This list is exhaustive — we do not share data with any party not listed here.

Supabase

Authentication, database, file storage

Account data, case data, documents

Stripe

Payment processing

Billing info only — we never see card numbers

Anthropic

AI document generation and chat

Case context sent per-request, opted out of training

Resend

Transactional email (welcome, support replies, deadline reminders)

Email address + message body

Vercel

Web hosting / edge runtime

Request metadata only — no case data persisted

PostHog

Anonymous usage analytics (page views, wizard starts, checkout funnel)

Anonymized IP (truncated to /24), event metadata. NO form-field values, NO session replay.

Upstash Redis

Rate limiting (anti-abuse only)

IP address counter, no message content

All sub-processors are bound by their own published data-protection agreements. We do not sell your data to advertisers or data brokers. Updated 2026-05-06.

Your privacy rights — including Utah (UCPA)

Right to access — Get a copy of every piece of data we have on you. Email privacy@synthcounsel.com with subject “Access request.” Response within 45 days.
Right to delete — Have your account and all associated data permanently purged. Email privacy@synthcounsel.com with subject “Delete request.” We delete within 30 days.
Right to correct — Have inaccurate data corrected. Most fields are editable directly in your dashboard; for the rest, email us.
Right to opt out of sale / sharing for targeted advertising — We don’t sell or share your data for advertising. To opt out anyway, email privacy@synthcounsel.com with subject “Opt-out.”
Right to portability — Get your data in a machine-readable JSON export.
No retaliation — We do not charge a different price or provide a different level of service to users who exercise these rights.

Data retention

Account and case data: retained while your account is active

Deleted documents: soft-deleted immediately, permanently purged after 30 days

AI Counsel transcripts: capped at 90 days. Older messages and inactive conversations are purged nightly to limit data-breach blast radius.

Full account deletion: available anytime — contact privacy@synthcounsel.com

Your rights

Access

Request a copy of all your personal data

Correction

Update or correct your personal data anytime

Deletion

Request deletion of your account and all associated data

Export

Download your case data and generated documents

To exercise any of these rights: privacy@synthcounsel.com

Children

SynthCounsel is not intended for anyone under 18. We do not knowingly collect data from minors.

Changes to this policy

If we make material changes, we'll email registered users before the changes take effect. The effective date at the top reflects the latest revision.

A privacy policy you can actually read.

The short version

Zero tracking

No AI training

No data selling

Encrypted everything

Who we are

What we collect

What we don't collect

How we use your data

How AI works

Data storage & security

Sub-processors

Your privacy rights — including Utah (UCPA)

Data retention

Your rights

Children

Changes to this policy

A privacy policy you can actually read.

The short version

Zero tracking

No AI training

No data selling

Encrypted everything

Who we are

What we collect

What we don't collect

How we use your data

How AI works

Data storage & security

Sub-processors

Your privacy rights — including Utah (UCPA)

Data retention

Your rights

Children

Changes to this policy