Privacy Policy

COUNSEL is a legal services marketplace operated by Inevara Pty Ltd (ABN [TBD — confirm with Inevara Pty Ltd before public launch]), a company incorporated in Australia (“Inevara”, “we”, “us”, or “our”). COUNSEL is one of the SINGULARITY family of marketplace platforms operated by Inevara.

This Privacy Policy explains how we collect, use, disclose, store, and protect your personal information when you use the COUNSEL platform, accessible at withcounsel.app (collectively, the “Platform”).

We are bound by the Privacy Act 1988 (Cth) (“Privacy Act”) and the Australian Privacy Principles (“APPs”) contained in Schedule 1 of that Act. For users accessing the Platform from the European Economic Area or United Kingdom, additional rights under the General Data Protection Regulation (“GDPR”) and UK GDPR may apply as described in Section 12 below.

Important note: COUNSEL is a technology platform that connects consumers with independent legal practitioners. COUNSEL is not a law firm and does not provide legal advice. Conversations between you and legal practitioners facilitated through the Platform are subject to legal professional privilege in accordance with applicable law. However, your account and profile data is held by Inevara and governed by this policy, not by any individual practitioner.

By creating an account or using the Platform you acknowledge you have read this Policy. If you do not agree, please do not use the Platform.

2.1 Account information

When you register for a COUNSEL account (as a consumer or as a legal practitioner), we collect:

• Full name and display name
• Email address
• Password (stored as a salted cryptographic hash — never in plain text)
• Mobile phone number (optional, used for matter notifications)

2.2 Legal matter information (consumers)

To enable our AI-powered matching service, we collect information about your legal needs:

• Legal matter type (e.g. family law, property, employment, immigration)
• Matter urgency level
• Preferred geographic jurisdiction or location
• Budget range for legal services (optional)
• Brief description of your matter (optional, max 2,000 characters)
• Opposing and related parties: Names of persons or entities that may be adverse to your interests, used solely to perform automated conflict-of-interest checks against practitioner client histories. This information is treated with the highest confidentiality and is never shared with practitioners before a formal engagement commences.

2.3 Conflict-of-interest check data

When we perform a conflict-of-interest check, we compare the opposing party names you provide against anonymised conflict records registered by legal practitioners. Conflict checks are performed automatically — no human at Inevara reviews the party names you provide except in the context of a support enquiry or investigation you initiate.

2.4 Practitioner profile information

If you register as a legal practitioner, we also collect:

• Law Society practitioner number and admitting state or territory
• Practice areas and specialisations
• Years admitted to practice
• Jurisdictions in which you are admitted
• Business address and contact information
• Professional biography (optional)
• Bank or payment account details for fee disbursement (held by our payment processor)

2.5 Engagement and matter records

For every matter facilitated through the Platform, we record:

• Matter type, status, and lifecycle events
• Consumer and practitioner identifiers
• Match score and matching rationale (for audit and quality purposes)
• Payment metadata: amount, currency, and transaction reference (no full card numbers stored)
• Any written communications exchanged through the Platform

2.6 Device and analytics data

When you use the Platform, we automatically collect:

• IP address (truncated where technically feasible)
• Browser type and version, operating system
• Device identifiers (anonymised)
• Pages visited, time spent, click events, and navigation paths
• Referring URL
• Session identifiers (stored in secure HTTP-only cookies)

2.7 Information from third parties

We may receive information about legal practitioners from the relevant State or Territory Law Society or Legal Services Commissioner to verify practitioner credentials and standing. We use this data solely for verification purposes.

We use personal information only for the purposes set out below. Where the Privacy Act or GDPR requires a legal basis, we specify it:

We will not use your information for a purpose incompatible with the purpose for which it was collected without your consent or as otherwise permitted by the Privacy Act or GDPR.

We do not sell your personal information. We disclose it only in the following circumstances:

4.1 With legal practitioners upon engagement

When you confirm an engagement, we share your name, contact information, matter type, and relevant notes with the practitioner. Practitioners are bound by both the terms of the Platform and their professional obligations under applicable legal professional conduct rules. The opposing party names you provided for conflict-of-interest checking are shared with the practitioner only after a conflict-clear result is returned.

4.2 Payment processors

Payments are processed by third-party payment service providers including Stripe and/or Paddle. These processors receive only the payment information necessary to complete your transaction, are PCI-DSS compliant, and operate under their own privacy policies.

4.3 Infrastructure and hosting providers

We host the Platform on Amazon Web Services (AWS) infrastructure located in Australia (Sydney region, ap-southeast-2). Inevara has data processing agreements with AWS requiring data to be processed only on our instructions.

4.4 Law Society credential verification

We share practitioner numbers with State and Territory Law Societies solely for the purpose of verifying practitioner standing and licence validity. We do not disclose consumer information to Law Societies.

4.5 Legal and regulatory requirements

We may disclose personal information if required by law, court order, or regulatory direction, or where we believe disclosure is necessary to prevent harm to any person or to investigate suspected illegal activity.

4.6 Business transfers

In the event of a merger, acquisition, asset sale, or corporate restructure involving Inevara, personal information held in relation to the Platform may be transferred to the successor entity. We will notify you before any such transfer and give you the opportunity to delete your account if you do not consent.

• Account and profile data: retained for the life of your account plus 24 months after closure (to support dispute resolution and comply with tax obligations).
• Matter and engagement records: retained for 7 years from the date of engagement, as required by Australian taxation law (Tax Administration Act 1953) and to support any professional conduct complaints.
• Conflict-of-interest check data: retained for 7 years from the date of the check in accordance with professional conduct obligations.
• Communications (messages): retained for 2 years from the date of the last message in a thread, unless subject to an active dispute or legal hold.
• Device and analytics logs: retained for 13 months in identifiable form, then aggregated and de-identified.

When we no longer need your personal information, we securely delete or de-identify it in accordance with our data destruction procedures.

We take reasonable steps to protect the personal information we hold from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our measures include:

• TLS 1.2+ encryption for all data in transit
• AES-256 encryption at rest for sensitive fields and stored files
• Passwords stored using cryptographic hashing (never in plain text)
• Role-based access controls — Inevara staff access personal data only where required for their role
• Multi-factor authentication required for administrative access
• Regular security assessments and penetration testing
• Data stored in AWS ap-southeast-2 (Sydney) — Australian soil

In the event of a data breach that is likely to result in serious harm, we will notify the Office of the Australian Information Commissioner (OAIC) and affected individuals as required under the Notifiable Data Breaches scheme (Privacy Act 1988, Part IIIC).

We use cookies and similar technologies for the following purposes:

• Essential cookies: Maintain your session and authentication state. These are strictly necessary and cannot be disabled.
• Preference cookies: Remember your settings (e.g. search filters).
• Analytics cookies: Help us understand how the Platform is used. Used with your consent where required by law.

The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please contact us at [email protected].

Under the Australian Privacy Principles and, where applicable, the GDPR, you have the following rights:

• Access: You can request a copy of the personal information we hold about you. We will respond within 30 days.
• Correction: You can ask us to correct inaccurate, out-of-date, or misleading information. Most information can be updated directly in account settings.
• Deletion (erasure): You may request deletion of your account and associated personal information, subject to retention obligations in Section 5. Go to Settings → Account → Delete Account, or contact us.
• Withdrawal of consent: Where we rely on consent (e.g. marketing emails), you may withdraw it at any time via account settings or the unsubscribe link in any marketing email.
• Restriction and objection (GDPR): Where GDPR applies, you may request restriction of processing or object to processing based on legitimate interests.
• Data portability (GDPR): You may request a copy of personal data you have provided in a structured, machine-readable format.
• Complaint to a regulator: You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC).

Our primary infrastructure is in Australia. Some service providers (including certain analytics and monitoring tools) are based overseas, including the United States. Where personal information is transferred to an overseas recipient, we ensure it receives adequate protection via contractual data processing agreements and recognised security frameworks (e.g. SOC 2 Type II certification).

If you are located in the European Economic Area or the United Kingdom, Inevara Pty Ltd acts as a data controller under the GDPR and UK GDPR respectively. In addition to the rights in Section 9, you may lodge a complaint with your local supervisory authority (e.g. the Information Commissioner’s Office in the UK).

If you have any questions about this Privacy Policy, wish to exercise your privacy rights, or wish to make a complaint, please contact our Privacy Officer:

We aim to respond to all privacy enquiries within 30 days.

We may update this Privacy Policy from time to time. When we make a material change, we will notify you by email and/or by displaying a prominent notice on the Platform at least 14 days before the changes take effect. Continued use after a change takes effect constitutes acceptance of the updated Policy.