Privacy Policy
Last updated: April 23, 2026
1. What we collect
- Account data: email address, display name, optional password hash (we never store your plaintext password), account creation timestamp, and your consent to the current Terms of Service.
- Content: the materials you create, the files (PDFs, images) you upload, comments, and practice session history. Files are stored with the sub-processors listed below.
- Billing data: Stripe holds your card and invoice records. We store references to your Stripe records and your current subscription status.
- Operational logs: request logs and application logs produced by our backend, captured by our hosting provider on a short rolling window to support debugging and operational monitoring.
2. How we use it
To run the service: authenticate you, display materials to your collaborators and students, process payments via Stripe, send transactional emails (magic links, invitations, trial expiry reminders), and debug problems when they happen.
We do not sell your personal information as “sale” is defined under the California Consumer Privacy Act or other applicable privacy laws. We do not rent or share your personal information with third parties for their independent advertising or marketing. We may disclose information to the sub-processors listed in Section 3 to operate the service, in response to valid legal process, to a successor in connection with a merger, acquisition, reorganization, or sale of assets, and in aggregated or de-identified form that cannot reasonably be linked to you.
3. Sub-processors
- Stripe — payment processing, invoice storage, tax calculation.
- Resend — transactional email delivery.
- Fly.io — application hosting.
- Cloudflare — marketing site hosting (Pages) and file storage for your uploads (R2).
4. Data location and transfers
Our application is hosted in the United States on Fly.io. Stripe processes payments globally. Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a jurisdiction that has not received an adequacy decision, we rely on the Standard Contractual Clauses approved by the European Commission and, where applicable, the UK International Data Transfer Addendum, which we incorporate by reference into our contracts with the receiving parties.
You can request a copy of the transfer safeguards in place by emailing hello@counterpointstudio.com.
5. Your rights
You can access, correct, or delete your account and materials from the settings page. You can export your materials in the formats we support.
If you’re in the EU or UK, you have additional rights under GDPR, including the right to data portability and to lodge a complaint with your supervisory authority.
6. Right to erasure and Stripe retention
When you request erasure, we delete your account, content, and identifying metadata from our systems. Stripe is required by financial, tax, and anti-money-laundering laws to retain transaction and invoice records for as long as those laws require — which may be up to 10 years depending on your jurisdiction. We sever the link between your account and Stripe’s retained records when you request erasure, so those records can no longer be linked back to an active profile in Counterpoint Studio. This is the standard mechanism for reconciling GDPR’s right to erasure with payment regulation.
Security-audit carve-out. We retain signup-attempt logs — timestamp, normalized email hash, IP address, user agent, and outcome (created, collision, rate-limited, invalid, or disposable) — for 90 days to detect and investigate mass-signup abuse, credential stuffing, and account-takeover attempts. These logs are held under a legitimate-interest basis and are not deleted on request within that 90-day window; after 90 days they roll off automatically. They are not shared with third parties and are used solely for platform security.
7. Children
Counterpoint Studio is not directed at children under 13. If you are between 13 and the age of digital consent in your jurisdiction, you must have a parent or guardian’s consent to use the service. Teachers who add student accounts are responsible for obtaining any parental or guardian consent required by applicable law before doing so; by adding a student, the teacher represents that this consent has been obtained. Counterpoint Studio does not independently verify parental consent and relies on the teacher’s representation.
When a teacher uses Counterpoint Studio to process personal data about their students, the teacher is the data controller and Counterpoint Studio acts as a data processor on the teacher’s behalf. This processing relationship is governed by our Data Processing Agreement.
8. Security and breach notification
Security measures. Data in transit is encrypted with TLS. Passwords are hashed using an industry-standard one-way algorithm before storage. Access to production systems is restricted to authorized personnel. While no online service can guarantee absolute security, we take commercially reasonable measures to protect your personal information against unauthorized access, disclosure, alteration, and destruction.
Breach notification. If we become aware of a security incident that results in the unauthorized access, acquisition, disclosure, or loss of your personal information, we will notify you without undue delay and in any event within the timeframes required by applicable law. For users subject to the EU or UK GDPR, we will also notify the relevant supervisory authority within 72 hours of becoming aware of a breach where required under Article 33. Notifications will include a description of the nature of the incident, the categories and approximate number of records affected, the likely consequences, and the measures we have taken or propose to take in response.
9. Cookies and tracking
We use cookies to keep you signed in. Some pages may use additional cookies as described at the point of collection.
10. Changes and contact
When we make material changes we’ll notify affected users by email. Questions: hello@counterpointstudio.com.