Privacy Policy

Last updated: March 17, 2025

1. What We Collect

We collect only what is necessary to operate the service:

  • Account information — your email address and display name, provided during registration via Firebase Authentication.
  • Usage data — messages sent, agents used, and session activity. This data is used to improve the service and manage credit usage.
  • API keys (BYOK) — if you choose to provide your own API keys, they are encrypted using AES-256-GCM encryption before being stored. The raw key is never written to our database. Only encrypted data is stored, and decryption happens server-side only at the moment of use.
  • Subscription data — billing information is handled entirely by Lemon Squeezy. We do not store or process your payment card details.

We do not collect: passwords (handled by Firebase Auth), payment card numbers, government IDs, or any sensitive personal data beyond what is listed above.

2. How We Use Your Data

  • To provide and improve the Councily.app service
  • To manage your subscription and credit usage
  • To authenticate you and keep your account secure

We will never:

  • Sell your data to third parties
  • Use your conversation content to train AI models
  • Share your data with advertisers

3. Data Storage & Security

  • Your data is stored in Google Firebase (Firestore), hosted on Google Cloud infrastructure.
  • API keys are encrypted with AES-256-GCM before storage — industry-standard encryption.
  • Access to your data is restricted to your own account via Firebase Security Rules.
  • All data transmission occurs over HTTPS/TLS.
  • We regularly review our security practices.

4. Third-Party Services

Councily.app integrates with the following third-party services, each governed by their own privacy policy:

  • Firebase (Google) — Authentication and database. firebase.google.com/support/privacy
  • Lemon Squeezy — Payment processing. lemonsqueezy.com/privacy
  • OpenRouter — AI model routing for subscription users. openrouter.ai/privacy
  • AI Providers (OpenAI, Anthropic, Google, xAI, DeepSeek) — When using BYOK, your messages are sent directly to these providers using your own API key, subject to their respective privacy policies.

5. Data Retention

  • Your account data is retained as long as your account is active.
  • You can request deletion of your account and all associated data at any time by contacting us.
  • Upon deletion, your data is permanently removed from our systems within 30 days.

6. Your Rights

  • Access — You can view your data within the app at any time.
  • Deletion — Request full account and data deletion by emailing us.
  • Portability — Request an export of your conversation history.
  • Correction — Update your profile information at any time in Settings.

7. Cookies

We use only essential cookies required for authentication and session management. We do not use tracking cookies or advertising cookies.

8. Changes to This Policy

We will notify users of material changes via email or in-app notification. Continued use of the service after changes constitutes acceptance of the updated policy.

9. Contact

For privacy-related questions or data requests, email us at privacy@councily.app.