1. Introduction

Consonant (“Company,” “we,” “us,” or “our”) operates the platform at consonant.cc (the “Service”). This Privacy Policy describes how we collect, use, store, share, and protect information when you access or use the Service. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and disclosure of your information as described herein. If you do not agree with this Privacy Policy, you must not access or use the Service.

This Privacy Policy is incorporated into and forms part of our Terms of Service. Capitalized terms not defined herein have the meanings set forth in the Terms of Service.

2. Information We Collect

Information you provide directly

  • Account information: Name, email address, profile photo, and authentication credentials when you register for an account.
  • Submitted URLs and content: Website addresses you provide for analysis and any additional input, instructions, parameters, or context you supply.
  • Billing information: Payment details processed through our billing provider, including billing name, billing address, and payment method. We do not store full payment card numbers on our servers.
  • Communications: Information you provide when contacting support, submitting feedback, responding to surveys, or otherwise communicating with us, including the content, metadata, and attachments of such communications.
  • Feedback: Suggestions, ideas, enhancement requests, or other input you provide about the Service, which become our property as described in our Terms of Service.

Information collected automatically

  • Usage data: Pages visited, features used, actions taken, timestamps, session duration, frequency of use, click patterns, scroll depth, navigation paths, search queries within the Service, and interaction patterns.
  • Device and technical data: IP address, browser type and version, operating system and version, device type, device identifiers, screen resolution, language preferences, time zone, and referring URLs.
  • Log data: Server logs that automatically record information including your IP address, access times, pages viewed, HTTP methods and status codes, request payloads, error messages, and the page you visited before navigating to the Service.
  • Cookies and similar technologies: We use cookies, local storage, session storage, web beacons, pixels, and similar tracking technologies for authentication, session management, analytics, fraud detection, and Service functionality. See Section 8 below.
  • Geolocation data: Approximate geographic location inferred from your IP address.
  • Inference data: We may draw inferences from the information we collect to create a profile about you reflecting your usage patterns, preferences, and characteristics relevant to the Service.

Information from third-party sources

  • Authentication provider: When you sign up or log in, our authentication provider may share your name, email address, profile photo, and account identifiers with us.
  • Billing provider: Our billing provider may share transaction status, payment confirmation, subscription state, and related metadata with us.
  • Publicly available sources: We may collect information from publicly available websites, databases, and directories to supplement the data you provide or to improve the Service.

Information derived from analysis

  • Website content: When you submit a URL, we access and process publicly available content from that website, which may include text, images, metadata, structural information, linked resources, scripts, stylesheets, and any other publicly accessible data.
  • Generated reports and outputs: The analytical output produced by the Service, including brand assessments, cultural positioning analysis, strategic recommendations, scores, rankings, and any derivative data or insights.
  • Aggregated and derived data: We may generate aggregated, anonymized, or de-identified data from your use of the Service and from the analysis of submitted content. Such data does not personally identify you and is not subject to the restrictions in this Privacy Policy. We own all aggregated and de-identified data and may use it for any purpose without restriction.

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Provide, operate, maintain, secure, and improve the Service and its features
  • Generate cross-cultural brand intelligence reports based on submitted URLs
  • Process transactions, manage billing, and administer your account
  • Authenticate your identity and prevent fraud or unauthorized access
  • Send transactional communications, including report delivery notifications, account alerts, security notices, and service-related announcements
  • Monitor, analyze, and measure usage trends and patterns to improve user experience and Service performance
  • Develop, train, refine, and improve our analytical models, algorithms, machine learning systems, AI capabilities, and proprietary methodologies, including using User Content and generated outputs as training data
  • Create aggregated, anonymized, or de-identified datasets for research, analytics, benchmarking, product development, and commercial purposes
  • Generate inference data and usage profiles to personalize and optimize the Service
  • Detect, investigate, prevent, and address fraud, abuse, security incidents, unauthorized access, and technical issues
  • Enforce our Terms of Service and other policies
  • Comply with legal obligations, respond to lawful requests, and protect our rights, property, and safety
  • Communicate with you about updates, new features, promotions, or other information related to the Service, subject to your communication preferences and applicable law
  • Conduct internal research, testing, and analytics
  • Any other purpose disclosed to you at the time of collection or with your consent

We do not sell your personal information as that term is defined under the California Consumer Privacy Act or other applicable data protection laws.

4. Legal Bases for Processing (EEA/UK Users)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), we process your personal data on the following legal bases:

  • Contract performance: Processing necessary to fulfill our contractual obligations to you, including providing the Service and processing payments.
  • Legitimate interests: Processing necessary for our legitimate business interests, such as improving the Service, developing our analytical capabilities, training and refining AI models, ensuring security, preventing fraud, and enforcing our Terms, provided these interests are not overridden by your rights and interests.
  • Legal obligations: Processing necessary to comply with applicable laws and regulations.
  • Consent: Where you have given explicit consent to specific processing activities. You may withdraw consent at any time by contacting us; withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.

5. Third-Party Services and Sub-processors

We engage third-party service providers to assist in operating the Service. These providers may process your data on our behalf. By using the Service, you consent to the transfer of your information to these providers:

  • Authentication: Clerk manages user accounts and authentication, processing your name, email, and login credentials.
  • Billing: Polar processes payments. Your payment information is handled directly by Polar and is subject to their privacy policy.
  • Database hosting: Neon, a managed PostgreSQL provider, stores account and report data.
  • Email: Resend delivers transactional emails such as report notifications.
  • Error monitoring and performance: Sentry tracks application errors and performance metrics, and may receive technical data including IP addresses, browser information, error context, and stack traces.
  • Hosting, storage, and infrastructure: Vercel provides hosting and serverless compute. Vercel Blob storage stores generated reports, assets, and related files. Upstash provides Redis caching and job queue infrastructure.
  • AI and machine learning processing: We use third-party large language model providers and web extraction services to analyze website content and generate reports. Submitted website content may be transmitted to and processed by these providers. These providers may use data submitted through their APIs to improve their models and services in accordance with their own terms and policies, which are outside our control.

The above list is not exhaustive. We reserve the right to engage additional third-party service providers and to change our providers at any time without prior notice to you. We use commercially reasonable efforts to select providers with adequate data protection practices, but we cannot and do not guarantee the security practices of any third party.

6. Data Sharing and Disclosure

We may share or disclose your information in the following circumstances:

  • Service providers and sub-processors: With third-party vendors who assist in operating the Service, as described in Section 5.
  • Legal requirements and protection of rights: When required by law, regulation, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is reasonably necessary to (a) comply with applicable law, (b) protect and defend our rights, property, or safety, or the rights, property, or safety of our users, employees, or the public, (c) prevent or investigate fraud, security issues, or other illegal activity, (d) respond to a government or regulatory request, or (e) enforce our Terms of Service.
  • Business transfers: In connection with any merger, acquisition, reorganization, bankruptcy, receivership, dissolution, sale of all or substantially all of our assets or equity, financing, or transition of the Service to another provider, your information may be transferred as a business asset. We will use reasonable efforts to direct the transferee to use your information in a manner consistent with this Privacy Policy, but we cannot guarantee that the transferee will maintain the same practices.
  • Affiliates and related entities: With our current or future parent companies, subsidiaries, and affiliates for purposes consistent with this Privacy Policy.
  • Aggregated or de-identified data: We may share aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you, without restriction, for any purpose, including research, analytics, benchmarking, marketing, or commercial use.
  • With your consent: When you explicitly authorize us to share information with a specific third party.
  • Professional advisors: With our attorneys, accountants, auditors, insurers, and other professional advisors as necessary for the conduct of our business.

7. CCPA / U.S. State Privacy Disclosures

This section provides additional disclosures required under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), and similar comprehensive state privacy laws.

Categories of personal information collected: In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA: (A) identifiers (name, email address, IP address, account ID); (B) personal information described in Cal. Civ. Code §1798.80(e) (name, billing address); (C) internet or electronic network activity information (browsing history, usage data, log data); (D) geolocation data (approximate location from IP address); (E) professional or employment-related information (to the extent provided in account registration or communications); and (F) inferences drawn from the above categories.

Use of personal information: We use personal information for the business and commercial purposes described in Section 3 of this Privacy Policy.

Sale and sharing: We do not “sell” or “share” personal information as those terms are defined under the CCPA. We do not have actual knowledge that we sell or share personal information of consumers under 16 years of age.

Sensitive personal information: We do not collect or process “sensitive personal information” as defined under the CCPA, beyond what is necessary to provide the Service (such as account login credentials).

Your rights: California residents and residents of states with comprehensive privacy laws (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others) may have additional rights, including the right to know, access, correct, delete, and opt out. To exercise your rights, contact us at support@consonant.cc. We will not discriminate against you for exercising your rights. We may require identity verification before processing your request.

Authorized agents: You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent’s authority and your identity before processing such requests.

Retention: We retain personal information for the periods described in Section 10 of this Privacy Policy.

8. Cookies and Tracking Technologies

We use cookies, local storage, session storage, web beacons, pixels, and similar tracking technologies to operate, secure, and improve the Service. These technologies may be set by us (first-party) or by our service providers (third-party).

  • Essential cookies: Required for the Service to function, including authentication session cookies, CSRF tokens, and security tokens. These cannot be disabled while using the Service.
  • Analytics and performance cookies: Used to understand how users interact with the Service, measure performance, identify errors, and identify areas for improvement.
  • Functional cookies: Used to remember your preferences, settings, and choices across sessions.

We do not currently use advertising cookies or third-party tracking pixels for targeted advertising. We reserve the right to introduce additional tracking technologies in the future and will update this Privacy Policy accordingly.

Most browsers allow you to control cookies through their settings. Note that disabling or deleting cookies may affect the functionality of the Service, and you may be unable to access certain features. By continuing to use the Service, you consent to our use of cookies as described in this section.

9. Data Security

We implement commercially reasonable administrative, technical, and physical security measures designed to protect your information, including encryption in transit (TLS), encryption at rest for stored data, access controls, and periodic security assessments. However, no method of electronic transmission or storage is completely secure, and we cannot and do not guarantee the absolute security, integrity, or confidentiality of your information. We expressly disclaim any representation or warranty, whether express or implied, that we can prevent unauthorized access to or disclosure of your information.

You acknowledge that you provide your information and transmit data at your own risk. You are responsible for safeguarding the credentials you use to access the Service and for any activity under your account. We shall not be liable for any unauthorized access, data breach, data loss, corruption, or other security incident, except to the minimum extent required by applicable law, and any such liability shall be subject to the limitations set forth in our Terms of Service.

10. Data Retention

We retain your information for as long as your account is active, as needed to provide the Service, or as necessary to fulfill the purposes described in this Privacy Policy, including complying with our legal obligations, resolving disputes, enforcing our agreements, and pursuing our legitimate business interests. Specific retention periods may vary based on the type of data, the sensitivity of the data, and the purpose of processing.

After account deletion or termination, we may retain certain data for a commercially reasonable period, including but not limited to: (a) data required to comply with legal, regulatory, tax, or accounting obligations, (b) data necessary to resolve pending disputes, enforce our agreements, or defend against legal claims, (c) aggregated, de-identified, or anonymized data derived from your use of the Service, which we may retain and use indefinitely without restriction, (d) backup copies maintained as part of our ordinary course disaster recovery procedures, which are purged on a rolling basis, and (e) log data and security records retained for fraud prevention and security purposes.

We reserve the right, but have no obligation, to delete your data at any time after your account is terminated or becomes inactive. We shall have no liability for the deletion or loss of any data following termination.

11. Your Rights and Choices

Depending on your jurisdiction and applicable law, you may have certain rights regarding your personal information, including the right to:

  • Access the personal information we hold about you
  • Correct inaccurate or incomplete personal information
  • Request deletion or erasure of your personal information, subject to exceptions permitted by law
  • Object to or restrict certain processing of your data
  • Request portability of your data in a structured, commonly used, machine-readable format
  • Withdraw consent where processing is based on consent
  • Opt out of the sale or sharing of personal information (where applicable under your jurisdiction’s law)
  • Opt out of automated decision-making and profiling (where applicable)
  • Not be discriminated against for exercising your privacy rights
  • Lodge a complaint with a supervisory authority (for EEA/UK residents)

To exercise any of these rights, contact us at support@consonant.cc. We will verify your identity before processing your request and may require additional information to confirm your identity. We will respond within 30 days or as required by applicable law. We reserve the right to deny or limit requests where permitted by law, including where we are unable to verify your identity, where the request is excessive, repetitive, or manifestly unfounded, or where compliance would be disproportionately burdensome.

Please note that exercising certain rights (such as deletion) may result in the termination of your account and loss of access to the Service, and may not result in the deletion of (a) aggregated or de-identified data derived from your information, (b) data we are required to retain by law, or (c) data necessary for our legitimate business interests as permitted by law.

Communication preferences. You may opt out of non-essential marketing communications by following the unsubscribe instructions in those messages or by contacting us. You cannot opt out of transactional or service-related communications necessary for the operation of your account.

12. Automated Decision-Making and Profiling

The Service uses automated processes, including artificial intelligence and machine learning, to analyze website content and generate reports. These automated processes are integral to the Service and do not produce legal or similarly significant effects on you as an individual. We do not use automated decision-making to make decisions that produce legal effects concerning you or similarly significantly affect you, as contemplated by GDPR Article 22.

We may use profiling and inference data to personalize the Service, improve our analytical capabilities, and optimize user experience. If you have concerns about automated processing, you may contact us at support@consonant.cc.

13. International Data Transfers

Your information may be transferred to, stored in, and processed in countries other than your country of residence, including the United States and other jurisdictions where our service providers operate. These countries may have data protection laws that are different from, and potentially less protective than, those of your jurisdiction. By using the Service, you explicitly and unambiguously consent to such transfers.

Where required by applicable law, we rely on appropriate transfer mechanisms, such as Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions, binding corporate rules, or other safeguards recognized under applicable data protection law. You acknowledge that the protections afforded by these mechanisms may not be equivalent to those in your home jurisdiction.

14. Data Breach Notification

In the event of a confirmed data breach involving your personal information that poses a risk of harm, we will notify affected users and relevant supervisory authorities as required by applicable law. Notification will be made within the timeframes required by applicable law (such as 72 hours under GDPR, where applicable) or as soon as reasonably practicable. We reserve the right to determine the method and scope of notification in our sole discretion, subject to applicable legal requirements.

Our liability in connection with any data breach shall be subject to the limitations set forth in our Terms of Service.

15. Do Not Track

The Service does not currently respond to “Do Not Track” (DNT) browser signals or the Global Privacy Control (GPC) signal, as there is no universally accepted standard for these signals. We will update this policy if a binding standard is established and we are required to adopt it.

16. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect, solicit, or maintain personal information from children under 18. If we become aware that we have collected information from a child under 18, we will take commercially reasonable steps to delete such information promptly. If you believe a child has provided us with personal information, please contact us immediately at support@consonant.cc.

17. Third-Party Websites and Services

The Service may contain links to or integrations with third-party websites, services, or applications. This Privacy Policy does not apply to any third-party services, and we are not responsible for the privacy practices, content, or security of any third party. We encourage you to review the privacy policies of any third-party services you access. Your interactions with third-party services are solely between you and those third parties, and we disclaim all liability in connection therewith.

18. Changes to This Policy

We may update this Privacy Policy at any time in our sole discretion. We will post the updated policy on the Service with a revised “Last updated” date and may, but are not required to, send notice to the email address associated with your account. Changes become effective immediately upon posting. Your continued use of the Service after any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree, your sole remedy is to stop using the Service and delete your account.

19. Contact

If you have questions or concerns about this Privacy Policy or our data practices, please contact us at support@consonant.cc.

See also our Terms of Service for the complete terms governing use of Consonant.