PARIE Privacy Policy

Plain-English summary: Your data is yours. We collect what we need to deliver the service, store it securely on Google Cloud (US), never sell it, never train AI models on it, and let you export or delete it anytime. We're aligned with GDPR, CCPA, and HIPAA. Sub-processors are listed at parie.io/subprocessors.

1. Who We Are

PARIE ("we," "us," "our") is the data controller for personal information collected through parie.io. For enterprise deployments, we act as a data processor on behalf of your organization (which is the controller). Contact: hello@parie.io.

2. What We Collect

Account information

Name, email, organization, role
Encrypted password hash (we never see your plaintext password)
Profile preferences (language, time zone)

Usage information

Login timestamps, portal accessed, browser/device user-agent
Documents uploaded, training records, quiz scores
AI feature usage (which feature, when, token counts) — for billing and quality monitoring

Technical information

IP address (used for rate-limiting and abuse prevention; not retained beyond 30 days)
Cookies necessary for authentication (no advertising cookies; no tracking cookies)

Customer-provided content

Training documents you upload
Staff records you create
Tickets, notes, audit-log entries

3. How We Use It

Purpose	Legal basis (GDPR)
Provide the service — render portals, run AI calls, store documents	Contract
Authenticate users — sign-in, session management, password reset	Contract
Bill subscriptions — track usage against plan quotas	Contract
Detect abuse — brute-force lockout, rate-limiting, fraud prevention	Legitimate interest
Improve the product — aggregate, anonymized usage analytics only	Legitimate interest
Send transactional email — welcome, password reset, training reminders, billing receipts	Contract
Comply with law — audit-log retention, lawful disclosure orders	Legal obligation

We do NOT:

Sell, rent, or trade your personal data.
Use customer documents or training records to train AI models (ours or third-party).
Share data with advertising networks.
Track you across other websites.

4. Who We Share It With

We use a small set of vetted sub-processors to deliver the service. Each is bound by a Data Processing Agreement (DPA). Full list with purposes and locations: parie.io/subprocessors.

Summary:

Google Cloud / Firebase (USA) — primary infrastructure: database, storage, authentication, hosting
Anthropic (USA) — AI model provider; documents you ask questions about are sent to Claude for processing per their privacy policy; no training on your data
Gmail / Google Workspace (USA) — transactional email delivery

We do not transfer personal data to non-vetted third parties without your explicit instruction (e.g. a Slack integration you enable).

5. Where We Store It

Customer data is stored in Google Cloud regions in the United States (us-east1 for Storage, us-central1 for Firestore and Cloud Functions). EU and APAC region options are on the roadmap for Enterprise customers with data-residency requirements. For international transfers from the EU/UK, we rely on Standard Contractual Clauses (SCCs).

6. How Long We Keep It

Data type	Retention
Account data	Lifetime of subscription + 30 days after termination
Customer-uploaded documents	Until you delete them, or 30 days after subscription ends
Training records, quiz scores, certificates	7 years (regulatory retention; can be shortened by request)
Audit logs	7 years (immutable, append-only; SOC 2 / SOX requirement)
IP addresses	30 days (abuse prevention)
Backups	30 days rolling, then permanently deleted

7. Your Rights

Wherever you live, you can:

Access the personal data we hold about you
Correct inaccurate data
Delete your data ("right to erasure") — we'll honor within 30 days subject to legal retention
Export your data in a machine-readable format from the Workspace portal at any time
Object to processing based on legitimate interest
Withdraw consent for any processing based on consent

To exercise any right, email hello@parie.io. We respond within 30 days.

EU residents: You also have the right to lodge a complaint with your local Data Protection Authority. We don't currently have an EU representative — Enterprise customers can request appointment of one as part of their MSA.

California residents (CCPA): We do not "sell" personal information as defined by CCPA. You have the rights to know, delete, and not be discriminated against for exercising your rights. To submit a request: hello@parie.io.

8. Security

We follow industry-standard security practices, including:

TLS 1.2+ for all data in transit
AES-256 encryption at rest (Google Cloud default)
Multi-tenant data isolation enforced at the database rule layer
Append-only audit logs that even our admins cannot tamper with
Brute-force account lockout after 5 failed sign-ins
Forced password change on first sign-in
Daily encrypted backups

Full security architecture: parie.io/trust. We will notify affected customers within 72 hours of becoming aware of a personal data breach involving their data.

9. Cookies

PARIE uses only essential cookies required for sign-in sessions and security. We do not use advertising or analytics cookies. No cookie banner is shown because no consent is required for strictly necessary cookies under GDPR/ePrivacy.

10. Children's Data

PARIE is not directed at children under 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has created an account, contact us and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email at least 30 days before they take effect. Past versions are available on request.

12. Contact

Privacy questions, requests, or concerns: hello@parie.io.

For Data Processing Agreements (DPA) or Business Associate Agreements (BAA — HIPAA): include "DPA" or "BAA" in your subject line.