Counterspine Counterspine

Legal

Privacy policy

Last updated: May 8, 2026 · Effective immediately

Who we are

Counterspine is operated by Counterspine SL, registered in Barcelona, Spain. The data controller is Counterspine SL. You can reach our data protection officer at [email protected].

What we collect

  • Account data: your name, email, password (hashed), workspace name, time zone, plan tier.
  • Workspace data: watched domains, watched URLs, alert configuration, API keys (digest only), counter-notice drafts you create.
  • Usage data: pages visited, features used, error logs. Aggregated and anonymized after 30 days.
  • Public takedown record: we ingest from Lumen Database, Google Transparency Report, the EU DSA Database, USCO, and CCB. This data is public and CC0/government-public-record. We redact PII (names, emails, addresses) from notice bodies before public render.

What we don't collect

  • We don't sell your data. Ever.
  • We don't track you across the web. No third-party advertising trackers.
  • We don't use your watched-domain list to inform anyone but you.
  • We don't process biometrics, health data, or anything inside the GDPR Article 9 special-categories list.

Your GDPR rights

If you are in the EU, EEA, or UK, you have the right to access, correct, port, restrict, or delete your personal data, and to object to processing. Email [email protected] and we'll respond within 30 days. Workspace data is also exportable from your dashboard.

Data retention

  • Account data: retained while your account is active. Deleted 30 days after account closure unless legally retained.
  • Workspace data: same as account data.
  • Public takedown record: mirrors the source. When Lumen, Google, or the DSA Database removes a record, we mirror the deletion within 24 hours.
  • Logs: 30 days for application logs, 1 year for security logs.

Where data lives

Primary database in Frankfurt (eu-central-1, Hetzner Cloud). Backups encrypted, also in eu-central-1. No data leaves the EU.

Sub-processors

We use the following sub-processors: Stripe (payments, US), Mailgun EU (transactional email, EU), OpenAI (AI counter-notice drafting, US — only the notice subject and your evidence package are sent; redacted of unnecessary PII first). Full list available on request.

Cookies

We use a single session cookie for authentication and a CSRF token. No tracking cookies, no third-party cookies, no dark patterns. See Cookies.

Changes

Material changes get 30 days' email notice. Non-material changes (typo fixes, link updates) are pushed without notice.