Privacy Policy

Effective · April 28, 2026
Last updated · April 28, 2026

This Privacy Policy explains how we collect, use, store, and share personal information when you use the Counteroffer mobile application ("Counteroffer" or the "Service"). It applies to the Service in its current beta distribution via Apple TestFlight and to the App Store release when it launches.

We designed Counteroffer to collect as little personal information as possible, to keep it in the region it was collected wherever practical, and to be transparent about every third party that touches it.

1. Who we are

Counteroffer is operated by Christoph Marx ("we", "us", or "our"), acting as the data controller for personal information processed through the Service. For any privacy request — access, correction, deletion, portability, or a complaint — email legal@getcounteroffer.com. We respond to substantive requests within the timeframes described in §7.

2. Information we collect

2.1 Information you provide during onboarding

Before starting practice sessions, you enter:

  • First name
  • Age and gender
  • Your current situation (existing job, new offer, first job, etc.)
  • Job title, industry, company type, company name
  • Current and target salary
  • Time at company, time since your last raise, and the concerns you associate with negotiating

All fields are self-reported and we do not verify them against any external source.

2.2 Voice and conversation content during roleplays

When you use the practice-conversation feature, we collect:

  • Microphone audio while the session is live
  • Text transcripts of both sides of the conversation
  • Session metadata (duration, turn count, which scenario, timestamps)
  • Per-turn audio clips, saved to your account for later playback and post-session analysis

2.3 Technical, diagnostic, and product-usage information

  • An anonymous account identifier (a UUID), assigned the first time you open the app. It is not tied to your email, name, phone number, or any advertising identifier.
  • Crash reports and performance traces generated when the app misbehaves
  • Product-analytics events describing which screens you open and which steps of the product you complete
  • Device type, OS version, app version, and build number

3. How we use your information

We use your information to:

  • Deliver practice roleplays, generate coach responses in real time, and produce post-session feedback
  • Customize scenarios and prompts to your profile
  • Diagnose crashes and measure performance
  • Understand which product areas are used and where users encounter friction, so we can improve the Service
  • Respond to your support and privacy requests
  • Comply with legal obligations

We do not sell, rent, or share your personal information with advertisers or data brokers.

3.1 Legal basis for processing (EU / EEA / UK)

We rely on the following GDPR / UK GDPR lawful bases:

  • Performance of a contract — to deliver the service you've installed and agreed to use
  • Legitimate interests — to diagnose errors, improve product quality, detect abuse, and communicate with you about the Service, balanced against your rights and freedoms
  • Consent — for microphone access, granted via the iOS permission prompt

You may withdraw consent at any time by revoking microphone permission in iOS Settings or by uninstalling the Service.

4. How we share your information

We rely on a small, named set of sub-processors to operate the Service. We have executed or will execute data processing agreements with each of them, as required by applicable law.

Sub-processor | Role | Data received | Region
Supabase Inc. | Backend and storage | Onboarding answers, transcripts, audio files, anonymous account ID | United States (us-east-2)
OpenAI, L.L.C. — Realtime API | Real-time AI conversation | Voice audio and prompt text during active roleplays only | United States
Functional Software, Inc. (Sentry) | Error monitoring, performance | Crash reports, performance traces, error logs, anonymous user ID | European Union (de.sentry.io)
PostHog Inc. | Product analytics | Product-interaction events, anonymous user ID | European Union (eu.i.posthog.com)
Apple Inc. | App distribution via TestFlight and the App Store | Standard App Store / TestFlight metadata, crash reports, device tokens | Global

Data sent to OpenAI is processed under its API terms, which contractually exclude your data from being used to train OpenAI's models. See https://openai.com/policies/api-data-usage-policies.

We may also disclose information when required by law, to protect the rights, property, or safety of users, or in connection with a corporate transaction (merger, acquisition, asset sale). If ownership of the Service changes, we will provide notice of the transfer and any material changes to this Policy.

5. International data transfers

Because our backend (Supabase) and our AI processor (OpenAI) are hosted in the United States, personal data collected in the European Economic Area, the United Kingdom, or other jurisdictions with data-export restrictions is transferred to the United States.

For those transfers we rely on:

  • The European Commission's Standard Contractual Clauses (SCCs), incorporated into our agreements with each sub-processor where available
  • The UK International Data Transfer Addendum where applicable
  • Supplementary technical and organizational measures (transport encryption, minimization, pseudonymization by anonymous UUID)

You can request a summary of these safeguards at legal@getcounteroffer.com.

6. Data security

We take commercially reasonable technical and organizational measures to protect your data:

  • All transport is encrypted with TLS (HTTPS / WSS)
  • Data at rest in Supabase is encrypted with AES-256
  • Tenant isolation is enforced through Supabase Row-Level Security; one user cannot read or modify another user's records
  • Administrative access to backend systems is restricted and protected with multi-factor authentication where supported
  • We apply data minimization — we only collect what the Service needs to function

No method of transmission or storage is perfectly secure. If we become aware of a personal-data breach affecting your data, we will notify affected users and the relevant supervisory authority without undue delay, consistent with GDPR Articles 33–34 and analogous laws.

7. Data retention

Category | Retention period
User data (onboarding answers, transcripts, audio clips, derived feedback) | While your account is active; deleted within 30 days of a verified deletion request
Anonymous account ID and associated records | Until deletion request; cleared from primary systems within 30 days, from backups within 60 days
Crash reports and performance traces | Retained for the diagnostic period configured with our observability provider (currently up to 90 days)
Product-analytics events | Retained for the period required for product analytics (currently up to 12 months), typically in aggregate form

8. Your rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you
  • Rectify inaccurate or incomplete information
  • Erase your personal information ("right to be forgotten")
  • Portability — receive your data in a structured, machine-readable form
  • Restrict processing
  • Object to processing based on our legitimate interests or for direct marketing
  • Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal
  • Lodge a complaint with your local data-protection authority (for example, the CNIL in France, the ICO in the UK, the BfDI in Germany, the Garante in Italy)

To exercise any right, email legal@getcounteroffer.com. We may ask you to verify your identity before acting on the request. We respond within the timeframes required by applicable law — typically 30 calendar days under GDPR and 45 calendar days under CCPA, extendable where legally permitted.

8.1 California residents (CCPA / CPRA)

In addition to the rights above, California residents have the right to:

  • Know what categories of personal information we collect and the purposes for which they are used
  • Delete personal information, subject to statutory exceptions
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information — we do not sell or share personal information as those terms are defined by CPRA, so no opt-out is required
  • Non-discrimination — you will not receive degraded service or pricing for exercising your rights

Submit requests to legal@getcounteroffer.com.

9. AI coaching and voice audio

Counteroffer uses OpenAI's Realtime API to conduct live voice roleplays. During an active session, your microphone audio and the conversation transcript are transmitted to OpenAI. OpenAI processes this data to generate the coach's next response.

Under OpenAI's current API terms, data submitted to OpenAI's API is not used by OpenAI to train its models. OpenAI retains API data only transiently for abuse monitoring, per their policy in effect at the time of the session.

After a session ends, we store the transcript and the per-turn audio clips in your account so that a post-session analysis can be produced and so you can review past sessions.

We do not currently use your voice audio or transcripts to train artificial-intelligence or machine-learning models. If we introduce such processing in the future — whether by training our own models on anonymized data, or by sharing data with a third party for training purposes — we will update this Policy and, where your consent is legally required, obtain it before doing so.

10. Children

The Service is not directed to, and we do not knowingly collect personal information from, individuals under 16. If you believe a child under 16 has provided us with personal information, please email legal@getcounteroffer.com and we will delete it.

11. Changes to this Policy

We may update this Policy as the Service evolves. The "Last updated" date at the top reflects the most recent change. During the current beta phase, we may revise this Policy at any time to reflect changes in the Service, our sub-processors, or applicable law; continued use of the Service after such revision constitutes your acceptance of the updated terms.

When the Service is generally available, material changes — such as the introduction of new data categories, new sub-processors, or a new legal basis for processing — will be communicated through the app or by other reasonable means before they take effect.

12. Contact

For privacy requests, questions, or complaints:

Email: legal@getcounteroffer.com

To help us prioritize, please include "privacy" or "data request" in your subject line and indicate your jurisdiction (for example, "EU", "UK", "California") if you are invoking rights specific to that jurisdiction.