GDPR & Privacy Policy

Last Updated: March 12, 2026 — Version 2.0

This Privacy Policy describes how CounterSign collects, uses, stores, and protects your personal data, and explains your rights under the General Data Protection Regulation (GDPR), the Digital Services Act (DSA), the Philippine Data Privacy Act of 2012, and other applicable data protection legislation. For privacy inquiries: privacy@c2cz.com

1. Introduction and Commitment to Privacy

CounterSign is operated with a genuine commitment to the protection of personal data and the privacy of its Users. We are fully aware of the requirements of the General Data Protection Regulation (GDPR) (EU) 2016/679, the Digital Services Act (DSA) (EU) 2022/2065, the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules and regulations issued by the National Privacy Commission of the Republic of the Philippines, and other applicable national and international data protection laws and regulations. We process personal data only to the extent strictly necessary for the delivery of the Service, and we implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, destruction, or alteration.

This Privacy Policy should be read alongside our Terms of Service and Cookie Policy, all of which together govern the legal relationship between you and the Operator.

2. Data Controller Information

For the purposes of the GDPR and other applicable data protection legislation, the data controller in respect of personal data processed through the Service is the operator of the CounterSign platform. For the purposes of Philippine data protection law, the personal information controller is the same entity. All data protection inquiries, requests to exercise data subject rights, and complaints relating to data processing should be directed to the designated data protection contact by email.

Data Protection Contact / Privacy Officer

Email: privacy@c2cz.com

General inquiries: info@c2cz.com

Note: CounterSign is operated by a small independent team. We take all privacy inquiries seriously and will respond within applicable statutory timeframes, subject to the notes on response timelines in Section 11 below.

3. Personal Data We Collect and Why

The following categories of personal data are collected and processed by the Operator in connection with the Service:

3.1 Account Registration Data

Data collected: Email address, username, password (stored as a one-way cryptographic hash — we never store your plaintext password).

Purpose: To create and manage your user account; to authenticate you when you access the Service; to communicate with you about your account.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)).

3.2 IP Address and Timestamp Data

Data collected: Internet Protocol (IP) address associated with each request to the Service; precise UTC timestamp of each request; basic request metadata (HTTP method, resource path, response code).

Purpose: This data is collected as an integral and necessary component of the Service's core evidentiary function. The Service is designed to provide technically verifiable proof of access, acknowledgment, and publication. The IP address and timestamp associated with each platform interaction constitute part of the immutable audit trail that forms the basis of the constructive notice record. This data is in direct and necessary correlation with the purpose for which Users subscribe to the Service.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)); legitimate interests of the Operator and Users in maintaining the evidentiary integrity of the platform (GDPR Article 6(1)(f)).

Note: This data collection cannot be disabled while using the Service, as it is fundamental to the platform's evidentiary purpose.

3.3 User Content

Data collected: Text and other content submitted to and published through the Service, including legal terms, notices, and associated metadata.

Purpose: To enable the core Service functionality — creating, storing, and publishing immutable term records.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)). Note: User Content may itself contain personal data relating to third parties. Users are responsible for ensuring they have a valid legal basis for any personal data included in their Content.

3.4 Subscription and Billing Data

Data collected: For Paid Plan users — email address provided in subscription request, subscription status, billing commencement date, plan tier.

Purpose: To manage your subscription and billing relationship with the Operator.

Legal basis: Performance of a contract (GDPR Article 6(1)(b)); compliance with legal obligations, including tax and accounting obligations (GDPR Article 6(1)(c)).

3.5 Communications Data

Data collected: Content of emails or messages you send to us, including support requests and inquiries.

Purpose: To respond to your inquiries and provide customer support.

Legal basis: Legitimate interests (GDPR Article 6(1)(f)).

4. Data We Do Not Collect

CounterSign does not collect the following categories of data:

  • Special categories of personal data as defined in GDPR Article 9 (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data, etc.);
  • Payment card numbers or financial account details (no payment processing is handled directly by CounterSign);
  • Physical address or telephone number (not required for registration);
  • Behavioral analytics data or user profiling data;
  • Social media profile information;
  • Data from minors under the age of 18 (the Service is not directed at minors).

5. Third-Party Data Processors and Sub-Processors

The Operator uses the following third-party data processors and sub-processors in connection with the delivery of the Service. Where required by applicable law, appropriate data processing agreements and/or standard contractual clauses are in place with these providers.

| Provider | Role | Data Processed | Jurisdiction |
| --- | --- | --- | --- |
| Cloudflare, Inc. | Infrastructure / CDN / Edge Computing | All request data (IP, headers, request metadata) | USA (global edge) |
| Turso / ChiselStrike | Database storage | Account data, content, logs | USA |
| Google LLC | Font delivery (CDN) | IP address, browser info (font requests) | USA |

Data transfers to providers in the United States and other third countries are made subject to appropriate safeguards including Cloudflare's and Google's participation in applicable cross-border data transfer frameworks and the implementation of standard contractual clauses where required.

6. Data Retention

The Operator retains personal data for no longer than is necessary for the purposes for which it was collected, subject to legal obligations and the following retention schedule:

| Data category | Basis for retention | Retention period |
| --- | --- | --- |
| Account data (email, username, password hash) | Retained for the duration of account registration plus a reasonable period thereafter to fulfil legal obligations | Account lifetime + up to 3 years |
| Published Term Versions (Content) | Immutable by design — cannot be deleted once published (this is a core feature of the Service) | Permanent |
| IP address and timestamp logs | Retained to support the evidentiary function of the platform | Up to 5 years |
| Subscription / billing records | Retained for tax, accounting, and legal compliance | Up to 10 years |
| Communications / support emails | Retained for the period necessary to resolve the inquiry plus a reasonable period | Up to 3 years |

7. International Data Transfers

The Service is operated on infrastructure based in the United States and other countries. Personal data you provide may be transferred to and processed in countries outside the European Economic Area (EEA) that may not provide a level of data protection equivalent to that of your country of residence.

Where such transfers occur, the Operator ensures that appropriate safeguards are in place, including the use of standard contractual clauses approved by the European Commission, or reliance on the adequacy decisions and transfer frameworks applicable to the respective data processors. Cloudflare and Google participate in applicable cross-border data transfer frameworks. For specific information about the safeguards applicable to your personal data, please contact privacy@c2cz.com.

8. Your Rights Under GDPR and Applicable Law

Subject to applicable law and certain conditions, you have the following rights in respect of your personal data:

Right of Access (Art. 15 GDPR)

You have the right to request a copy of the personal data we hold about you, together with information about how it is processed.

Right to Rectification (Art. 16 GDPR)

You have the right to request correction of inaccurate personal data we hold about you.

Right to Erasure / "Right to be Forgotten" (Art. 17 GDPR)

You have the right to request deletion of your personal data where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent (if applicable), or where processing is otherwise unlawful. Please note: published Term Versions are immutable by design and cannot be deleted — this is a core architectural feature of the Service. Erasure requests will be fulfilled in respect of all other personal data we hold, subject to legal retention obligations.

Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request restriction of processing of your personal data in certain circumstances, such as where you contest the accuracy of the data or object to its processing.

Right to Data Portability (Art. 20 GDPR)

You have the right to receive personal data you have provided to us in a structured, commonly used, machine-readable format, where processing is based on consent or contract performance.

Right to Object (Art. 21 GDPR)

You have the right to object to processing based on the Operator's legitimate interests. The Operator will cease processing upon receipt of a valid objection, unless the Operator can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. If you are located in the EU/EEA, you may lodge a complaint with the data protection supervisory authority of your country of residence or habitual establishment. If you are located in the Philippines, you may lodge a complaint with the National Privacy Commission.

9. DSA Compliance

The Operator acknowledges its obligations under the Digital Services Act (DSA) (EU) 2022/2065. The Service does not employ algorithmic content recommendation systems, does not serve targeted advertising, and does not engage in profiling of Users for commercial purposes beyond what is strictly necessary for the delivery of the subscribed service.

The Operator maintains transparency regarding its data processing activities through this Privacy Policy and is committed to upholding the accountability and transparency standards required by the DSA. The Operator will update its practices and policies as required to maintain DSA compliance as the regulatory framework evolves.

10. Philippine Data Privacy Act Compliance

In accordance with the Philippine Data Privacy Act of 2012 (Republic Act No. 10173) and its implementing rules and regulations issued by the National Privacy Commission, the Operator implements appropriate organizational, physical, and technical security measures to protect personal data collected from Users. The Operator's data processing activities are governed by principles of transparency, legitimate purpose, and proportionality, consistent with the requirements of the Data Privacy Act.

Data subjects who are Philippine nationals or residents may exercise their rights under the Data Privacy Act — including the right to be informed, the right to access, the right to object, the right to erasure, the right to rectify, and the right to damages — by contacting the data protection officer at privacy@c2cz.com. Complaints may also be filed with the National Privacy Commission of the Republic of the Philippines.

11. Response Timelines — Small Team Notice

Please note: CounterSign is operated by a small, independent team. We take all data subject requests seriously and are committed to fulfilling them fully and in good faith. However, due to the limited size of our team, processing times for data requests may occasionally approach or reach the maximum statutory response deadlines permitted under applicable law (typically 30 days under GDPR, extendable to 90 days for complex requests under certain circumstances).

We will always acknowledge receipt of your request promptly and will complete all valid data requests. We appreciate your patience. If your request involves data deletion, please be aware that: (a) published Term Versions are architecturally immutable and cannot be deleted; (b) for all other data, deletion will be completed within the applicable statutory timeframe; (c) certain data may be retained longer where required by legal obligations (tax records, etc.).

12. Security Measures

The Operator implements the following technical and organizational measures to protect personal data against unauthorized access, loss, alteration, or disclosure:

  • All data in transit is encrypted using TLS (HTTPS). No personal data is transmitted over unencrypted connections;
  • Passwords are stored exclusively as one-way SHA-256 cryptographic hashes. Plaintext passwords are never stored or transmitted;
  • Authentication cookies are configured with HttpOnly, Secure, and SameSite attributes;
  • Access to production systems and databases is restricted to authorized personnel only;
  • The Service is hosted on Cloudflare Workers, which provides enterprise-grade DDoS protection and network security at the infrastructure level;
  • Database access credentials and API keys are managed as encrypted environment variables and are not exposed in source code.

13. Children's Privacy

The Service is not directed at or intended for use by individuals under the age of 18 years. The Operator does not knowingly collect personal data from minors. If you are a parent or guardian and believe that your child has provided personal data to the Service without your consent, please contact us immediately at privacy@c2cz.com and we will take prompt steps to delete that data.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, changes in applicable law, or changes to the Service. When we update this Policy, we will revise the "Last Updated" date at the top of the page. For material changes, we will make reasonable efforts to notify registered Users. Your continued use of the Service following any update constitutes acceptance of the updated Policy.

15. Contact and Data Protection Inquiries

To exercise any of your data subject rights, or for any inquiry relating to privacy or data protection, please contact us using the details below. All requests must include sufficient information to verify your identity (to prevent unauthorized data disclosures). We will respond within the timeframe required by applicable law.

Privacy & Data Protection: privacy@c2cz.com

General Inquiries: info@c2cz.com

When contacting us for data subject rights, please include: your full name and email address associated with your account, the right(s) you wish to exercise, and any additional information that may help us locate your data. We may need to verify your identity before processing your request.