Privacy Policy

Last Updated: March 8, 2026
Effective Date: March 8, 2026

Parseo ("we," "us," or "our") operates Parseo (the "Service") at parseo.io. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

By using the Service, you agree to the practices described in this Privacy Policy. This policy applies to all visitors, registered users, and subscribers of the Service.

This policy does not apply to third-party websites or services linked from the Service. Those third parties have their own privacy practices.

1. Information We Collect

1.1 Information You Provide Directly

Account Information
When you create an Account using Google Sign-In, we receive and store the following from your Google profile:

Email address
Display name
Profile photo URL (if provided in your Google account)

We do not receive or store your Google password.

Profile Updates
You may update your display name within account settings. Any changes you make are stored in our database.

Support Communications
When you contact us via email for support or send us feedback, we retain those communications and any personal information you include in them.

1.2 Information Collected Automatically

Usage Data
When you use the Service, we collect data about your activity, including:

Features used (e.g., Extractions performed, Blueprints created or accessed)
Page counts processed per Extraction
Billing period usage (pages consumed vs. plan limit)
Timestamps of key actions (account creation, last login)

Log Data
Our servers automatically record standard log data, including:

IP address
Browser type and version
Operating system
Referring URL
Error logs

Local Storage / Session Data
We use browser localStorage to store your theme preference (light/dark mode). This is a strictly necessary functional preference and does not track your browsing behavior.

We use secure, HTTP-only cookies for session authentication (Firebase Auth session tokens / JWT). These are strictly necessary for the Service to function and cannot be disabled.

1.3 Information from Third Parties

Google (Firebase Authentication)
When you sign in with Google, we receive your name, email address, and profile photo URL from Google's OAuth 2.0 service. We do not receive your Google password or access to your Gmail, Drive, or other Google data beyond the basic profile scope.

Stripe (Payment Processor)
If you subscribe to a paid plan or purchase Blueprint Credits, Stripe collects your payment information directly. Stripe shares with us:

A Stripe Customer ID (a pseudonymous identifier)
Subscription status and plan details
Billing period dates
Transaction metadata (amount, currency, date) for our records

We do not receive or store your full card number, CVV, or sensitive payment details. Stripe is PCI-DSS compliant and handles all payment card data.

1.4 Documents You Upload

Documents, images, and files you upload for Extraction are sent to Amazon Web Services (AWS) infrastructure for temporary storage and AI-powered processing during the Extraction process only. AWS acts as a sub-processor, using its AI infrastructure to extract structured data per your chosen Blueprint.

We do not store or retain your uploaded files after Extraction is complete. Files are deleted from AWS immediately upon the completion of each Extraction. We do not build training datasets from your document content, and your document contents are not used to improve any AI model.

2. How We Use Your Information

We use personal information for the following purposes:

Purpose	Legal Basis (GDPR)
Create and maintain your Account	Performance of contract
Authenticate you on each session	Performance of contract
Perform document Extractions you request	Performance of contract
Track page usage against your plan limits	Performance of contract
Process payments and manage Subscriptions	Performance of contract
Grant and track Blueprint Credits	Performance of contract
Send transactional communications (e.g., payment receipts, plan change confirmations)	Performance of contract
Respond to your support requests and feedback	Legitimate interest
Maintain logs for security and fraud prevention	Legitimate interest / Legal obligation
Analyze aggregate usage patterns to improve the Service	Legitimate interest
Comply with applicable legal obligations	Legal obligation

We do not sell your personal data. We do not use your data to serve advertising. We do not use your uploaded document content to train AI models.

3. How We Share Your Information

We share personal information only in the following circumstances:

3.1 Service Providers (Processors)

We engage trusted third-party service providers who process personal data on our behalf, under contractual data processing obligations:

Provider	Purpose	Privacy Policy
Google LLC (Firebase Authentication)	User authentication; identity management	google.com/privacy
Stripe, Inc.	Payment processing; subscription management; customer portal	stripe.com/privacy
Amazon Web Services (AWS)	Temporary file storage and AI/OCR-powered document processing during Extraction	aws.amazon.com/privacy
Google Cloud / Firebase	Firestore database (user, subscription, blueprint data); Cloud Functions compute; hosting	cloud.google.com/privacy

We do not sell your personal data to these providers; they act solely as processors on our behalf.

3.2 AI Processing Disclosure

⚠️ Important: Documents you upload are processed by Amazon Web Services (AWS) using AI-powered infrastructure to perform the Extraction you requested. AWS acts as a sub-processor subject to a data processing agreement with us. Document content is not retained by AWS after Extraction completes. For sensitive documents, please review AWS's privacy practices.

3.3 Business Transfers

If we are involved in a merger, acquisition, financing, bankruptcy, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity. We will provide notice before your information becomes subject to a materially different privacy policy.

3.4 Legal Requirements

We may disclose your information if required by:

A court order, subpoena, or other valid legal process;
Applicable law or government request;
Our reasonable belief that disclosure is necessary to protect our rights, your safety, or the safety of others, or to investigate fraud or abuse.

3.5 With Your Consent

We may share your information with third parties when you explicitly direct us to do so.

3.6 Aggregated / De-Identified Data

We may share aggregated or de-identified statistics (e.g., total pages processed across the platform) that cannot reasonably be used to identify you.

4. Cookies & Tracking Technologies

4.1 Cookies We Use

Cookie Type	Purpose	Can Be Disabled?
Essential / Strictly Necessary	Firebase Auth session tokens (JWT) required to keep you logged in; CSRF protection	No — disabling these prevents login
Functional	Theme preference stored in `localStorage` (light/dark mode)	Yes — clearing localStorage removes this
Analytics	(None currently deployed. We will update this section if analytics cookies are added.)	N/A
Marketing / Advertising	None	N/A

We do not currently use third-party advertising or tracking cookies.

4.2 Managing Cookies

You can control cookies through your browser settings. Disabling essential authentication cookies will prevent you from logging in to the Service. Our localStorage theme preference can be cleared by clearing your browser's site data.

If we add analytics cookies in the future, we will update this policy and implement a consent mechanism as required by applicable law.

5. Data Retention

We retain personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy:

Data Category	Retention Period
Account data (email, name, profile photo URL)	Retained while your Account is active, plus 90 days after deletion to allow for account recovery, unless a longer period is required by law
Usage data (monthly page counts, extraction history)	Retained for 24 months, then aggregated or deleted
Payment records (Stripe metadata, transaction IDs)	Retained for 7 years as required for tax and accounting compliance
Support communications	Retained for 2 years after the conversation closes
Blueprint definitions	Retained while your Account is active; deleted within 30 days of Account deletion
Uploaded Files (documents/images)	Deleted immediately after each Extraction completes. Not retained at all.
Backup copies	Backup copies of database data (excluding uploaded files) may persist for up to 30 days after deletion from the primary database

When you delete your Account, we will delete your personal data in accordance with the above schedule, except where we are required by law to retain it longer.

6. Data Security

We implement technical and organizational measures to protect your personal information, including:

Encryption of all data in transit using TLS/HTTPS
Encryption of data at rest within our database and file processing infrastructure
Authentication via Google OAuth 2.0 (we never handle passwords)
Access controls limiting employee and system access to personal data on a need-to-know basis
Firebase Security Rules to restrict database access to authenticated users
Secure, HTTP-only, SameSite cookies for session management

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security. In the event of a security breach affecting your personal data, we will notify you as required by applicable law.

7. International Data Transfers

Parseo is headquartered in [COUNTRY / STATE]. The Service operates using infrastructure located primarily in the United States (AWS us-east-1 / us-central1 regions for Firebase and AWS services).

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States or other countries outside your jurisdiction that may not have data protection laws equivalent to your own.

We implement appropriate safeguards for these international transfers, including:

Standard Contractual Clauses (SCCs) approved by the European Commission, as incorporated into our agreements with Google/Firebase and AWS; and
Transfers to countries or providers with applicable adequacy decisions where available.

To request a copy of the applicable safeguards, contact us at hello@parseo.io.

8. Your Rights & Choices

8.1 Rights for All Users

You have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete data.
Deletion: Request deletion of your Account and associated personal data. Note: certain data may be retained as required by law (e.g., payment records).
Data Portability: Export your Blueprint definitions and other data through your account settings.
Opt-Out of Marketing: We do not currently send marketing emails. If we do in the future, each email will include an unsubscribe link.

To exercise these rights, contact us at hello@parseo.io or through your account settings. We will respond within 30 days (or as otherwise required by applicable law).

8.2 GDPR — Additional Rights for EEA / UK Residents

If you are located in the EEA, UK, or Switzerland, you have the following additional rights:

Right to Object: Object to processing based on our legitimate interests or for direct marketing purposes.
Right to Restrict Processing: Request that we restrict the processing of your data in certain circumstances.
Right to Withdraw Consent: Where processing is based on your consent, withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Right to Lodge a Complaint: Lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. In the UK, the relevant authority is the Information Commissioner's Office (ICO) at ico.org.uk.

8.3 CCPA — Additional Disclosures for California Residents

This section applies to California residents to whom the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) applies.

Categories of Personal Information Collected:

Category	Examples	Collected?
Identifiers	Name, email address, Google UID, IP address	Yes
Personal records	Subscription tier, payment metadata (via Stripe)	Yes
Protected characteristics	None	No
Commercial information	Purchase history, plan type, credit pack transactions	Yes
Internet or network activity	Usage data, log data, session tokens	Yes
Geolocation	IP-derived approximate location	Yes (log data only)
Professional/employment info	None collected	No
Sensitive personal information	None	No

Your California Rights:

Right to Know about the categories and specific pieces of personal information collected about you.
Right to Delete personal information we have collected, subject to certain exceptions.
Right to Correct inaccurate personal information.
Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To submit a request, contact us at hello@parseo.io. We will verify your identity before processing requests. You may authorize an agent to submit requests on your behalf.

9. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we learn that we have inadvertently collected personal information from a child under 16, we will promptly delete that information.

If you believe we have collected information from a child under 16, please contact us at hello@parseo.io.

10. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to read the privacy policies of any third-party services you visit.

11. GDPR — Data Controller Information

For purposes of the General Data Protection Regulation (GDPR):

Data Controller:
Parseo
Paulista Avenue
São Paulo, Brazil
Email: hello@parseo.io

Data Protection Officer (DPO):
[A formal DPO is not currently required for Parseo's scale of operations. If this changes, this section will be updated. Consult your attorney if you believe a DPO may be required.]

Legal Bases for Processing:
We process personal data on the following legal bases:

Contract: Processing necessary to perform our contract with you (provide the Service, manage your Subscription, perform Extractions)
Legitimate Interests: Security and fraud prevention; service improvement through aggregate analytics; responding to support requests
Legal Obligation: Retention of financial records; compliance with court orders
Consent: Any future non-essential cookies or marketing communications (where applicable)

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law.

When we make material changes, we will:

Notify you by email to your registered address; and/or
Display a prominent notice within the Service.

We will provide at least 14 days' notice before material changes take effect. The "Last Updated" date at the top of this policy reflects the most recent revision.

Your continued use of the Service after the effective date of the updated policy constitutes your acceptance. If you do not agree, you must stop using the Service.

We maintain an archive of previous versions of this policy, available upon request.

13. Contact Us

For privacy questions, to exercise your rights, or to report a privacy concern:

Parseo
Privacy Team
Paulista Avenue
São Paulo, Brazil

Email: hello@parseo.io

Response time: We aim to respond to all privacy requests within 30 days. For complex requests or where required by applicable law (e.g., GDPR, CCPA), we may extend this period by an additional 30 days with advance notice.

For EU residents: If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority (see Section 8.2).