ParseRelay — Privacy Policy
Operator: ParseRelay (parserelay.app) (the “Operator,” “we,” “us,” or “our”). Contact: privacy@parserelay.app (general support: support@parserelay.app · legal: legal@parserelay.app) Effective date: June 15, 2026 Last updated: June 15, 2026
1. Introduction
1.1. This Privacy Policy explains how ParseRelay (the “Service”) handles data. ParseRelay is a developer API and tooling that converts an uploaded document image into structured data (a “scan”). It is sold to developers and businesses, not to consumers.
1.2. This Policy should be read together with the Terms of Service.
1.3. Who controls the data in your documents. The documents you submit are chosen by you. As between you and us, you are the controller (or equivalent) of any personal data contained in those documents, and we act as a processor that processes it on your instructions to provide the Service. You are responsible for having a lawful basis to submit that data and for any notices or consents required from the individuals concerned. See Sections 6 and 7.
1.4. We do not sell your data. We do not sell or share your personal data or your scan content, and we do not use them for advertising or to build any profile of individuals. We process them only to provide the Service, as described in this Policy.
2. The data we handle
We handle two broad categories of data, and we treat them very differently.
2.1. Scan content (submitted documents and extracted results)
This is the substance of what you process and is subject to the short retention period in Section 3:
- Submitted Content: document images (and/or base64-encoded images), an optional output schema, an optional model key passed inline with a single request (BYO-key), and an optional webhook URL. A model key passed inline is used only to process that one scan and is not stored (a key you instead pair to your account is covered in Section 2.4).
- Output: the extracted results, including
raw_text, structuredfields, and anything derived from the document content.
Documents may contain personal data — for example, names and addresses on receipts, invoices, or identity documents. We do not control what you submit.
2.2. Operational metadata (retained for billing, metering, and audit)
This is not document content. It is the audit trail of which scans ran and were delivered, and it is retained beyond the scan-content retention period (see Section 4):
- scan IDs and timestamps;
- per-scan cost and latency;
- credit-ledger entries;
- idempotency keys;
- API-key identifiers;
- webhook delivery records and HMAC signatures.
We keep this metadata to operate the Service — to bill accurately, meter usage, prevent abuse, and maintain a delivery audit trail. It records that a scan happened and was delivered, not what was in it.
2.3. Account data
To provide accounts and authentication we process account/login data through Supabase (see Section 5). This includes your login identifier and authentication session. The dashboard is used only for account management, authentication, and viewing usage and billing — document content is never submitted through the dashboard. Scans are made through the API; the dashboard does not accept document uploads or scan input.
2.4. Stored provider keys (optional BYO-key pairing)
If you choose to pair a model-provider key to your account so it can be reused across scans, we store that key encrypted at rest as account configuration. A paired key is not scan content: it is retained until you remove it or close your account, and is used only to authenticate calls to your chosen provider on your behalf. A key you instead pass inline with a single request (Section 2.1) is used only for that scan and is not stored.
3. Retention and deletion of scan content (7 days)
3.1. We retain Submitted Content and Output only as long as needed to process the scan and deliver the result, and we delete them from our systems within 7 days. This includes the uploaded document image and the extracted Output (raw_text, structured fields, and anything derived from the document content). A model-provider key passed inline with a single request is used only to process that scan and is not retained; a key you pair to your account (Section 2.4) is account configuration, not scan content, and persists until you remove it.
3.2. This 7-day deletion applies everywhere scan content persists in our systems, including processing buffers, queues, webhook delivery payloads stored for retries, and logs.
3.3. Sub-processor retention. The model providers that perform extraction (Section 5) may retain API inputs and outputs for a limited period under their own terms — for example, for abuse monitoring — before deleting them. Their handling of that data is governed by their own terms, which are linked in Section 5 and which you accept when you use the Service; we make no representation or warranty about those terms. The 7-day commitment in Section 3.1 refers to our own systems.
4. Retention of operational metadata
4.1. The operational metadata in Section 2.2 is retained for as long as needed for billing, metering, abuse prevention, delivery audit, and legal compliance. If you close your account or request deletion at privacy@parserelay.app, we delete the metadata associated with your account, except for records we are required to keep (for example, billing and credit-ledger records needed for tax and accounting purposes).
4.2. We keep operational metadata clearly separated from scan content, so the 7-day deletion in Section 3 does not depend on, and is not delayed by, metadata retention.
5. Sub-processors
We use the third parties below to process data on our behalf to provide the Service. Each provider processes data under its own terms, linked below. Your use of the Service is subject to those terms: by submitting a scan you accept the conditions of the model provider(s) that process it. We link their terms for transparency, but we make no representation or warranty about their data-handling practices — those are controlled by the provider and may change. Your configuration (the engine, the model, and any bring-your-own key) influences which model providers process a given scan.
| Sub-processor | Purpose | Data it receives | Governing terms |
|---|---|---|---|
| Mistral AI (privacy policy · DPA · privacy docs) | OCR / extraction | Document image and/or text to be extracted | Per its linked terms |
| z.ai (Zhipu AI) (terms of use) | OCR / extraction (GLM) | Document image and/or text to be extracted | Per its linked terms |
| OpenAI (enterprise privacy · API data controls) | Extraction (model processing) | Document image and/or text to be extracted | Per its linked terms |
| Anthropic (API data retention · training policy) | Extraction (model processing) | Document image and/or text to be extracted | Per its linked terms |
| Cloudflare (DPA · GDPR hub) | Runtime / hosting (Workers, Queues, Durable Objects, D1) and request routing | Scan content in transit/processing, and operational metadata | Per its DPA |
| Supabase (privacy · DPA) | Authentication and account/metadata storage | Account/auth data and operational metadata — not document content | Per its DPA |
| Polar (privacy) | Merchant of record / payments | Billing data — not document content | Per its privacy policy |
5.1. BYO-key (bring-your-own-key) users. If you supply your own model key, your chosen model provider receives the data under your own account and the provider’s terms with you. That is a relationship between you and that provider, not between us and that provider, and that provider’s handling of your data is governed by your agreement with them, not by this Policy.
6. Webhook delivery
6.1. If you supply a webhook URL, we POST the Output to that URL, signed with an HMAC signature. The destination is controlled by you. Once data is delivered to a destination you control, its handling is your responsibility.
7. Your responsibilities as the submitting party
7.1. Because you decide what to submit, you are responsible for:
(a) having a lawful basis to submit the documents and any personal data they contain;
(b) providing any notices to, and obtaining any consents from, the individuals whose data appears in the documents, where required;
(c) not submitting personal data of minors, or special-category / sensitive personal data, without an appropriate lawful basis and any heightened safeguards required by law.
8. International data transfers
8.1. The Operator is based in Canada. Some sub-processors process data in the United States, the European Union, or other countries. This means your data (including scan content during the short processing window) may be transferred to and processed in countries other than your own.
8.2. Where personal data is transferred out of the EEA, UK, or Switzerland, our sub-processors rely on the transfer mechanisms in their own data-processing terms — for example, the EU Standard Contractual Clauses incorporated into their DPAs (e.g., Cloudflare, Supabase, Mistral AI), and, for transfers to the United States, the EU-U.S. Data Privacy Framework where applicable. Our model sub-processors are located in the European Union (Mistral AI), the United States (OpenAI, Anthropic), and China (z.ai / Zhipu AI). Transfers to a country without an adequacy decision are governed by the relevant provider’s own terms, which you accept when you submit a scan that is processed by that provider (Section 5). Links to each provider’s terms are in Section 5.
9. PIPEDA (Canada)
9.1. As an operator based in Canada, our handling of personal data is subject to the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and any applicable provincial privacy legislation.
9.2. Consistent with PIPEDA’s principles, we limit collection of personal data to what is needed to provide the Service, use it only for the purposes described here, retain it only as long as necessary (see Sections 3 and 4), and apply safeguards appropriate to its sensitivity.
9.3. Access and complaints. Individuals may have rights under PIPEDA to access personal data about them that we hold and to request corrections. Because the personal data inside submitted documents is controlled by our customers, requests about that data should usually be directed to the customer who submitted it; we will assist our customers in responding as required. Contact us at privacy@parserelay.app. If you are not satisfied with our response, you may escalate to the Office of the Privacy Commissioner of Canada.
10. GDPR (European Economic Area / UK)
10.1. Some of our customers, and some individuals whose data appears in submitted documents, may be in the EEA or the UK. This section addresses the EU/UK General Data Protection Regulation (GDPR).
10.2. Controller / processor roles. For personal data contained in documents you submit, you are the controller and we are the processor, processing that data on your documented instructions to provide the Service. For account data and operational metadata that we determine the purposes of, we act as a controller.
10.3. Lawful basis. As controller of the document content, you are responsible for establishing a lawful basis (for example, consent, contract, or legitimate interests) for the processing you instruct us to carry out. For our own processing of account data and operational metadata, we rely on our legitimate interests in operating, securing, and billing for the Service, and on compliance with legal obligations.
10.4. Data-subject rights. Subject to applicable law, individuals have rights to access, rectify, erase, restrict, and port their personal data, and to object to certain processing. Because we act as processor for document content, we will refer requests relating to that content to the relevant customer (controller) and assist the controller in responding. Requests may be sent to privacy@parserelay.app.
10.5. Data processing addendum. Our data processing addendum (DPA) is available at parserelay.app/dpa and governs our processing of personal data on behalf of business customers under GDPR Article 28. If your organization requires a signed copy or has questions, contact legal@parserelay.app.
10.6. Breach notification. We will notify affected customers without undue delay after becoming aware of a personal-data breach affecting their data, to support the customer’s own notification obligations (which under GDPR include notifying the supervisory authority within 72 hours where applicable).
10.7. International transfers. See Section 8.
10.8. DPIA and prior-consultation assistance. Where your processing requires a data protection impact assessment or prior consultation with a supervisory authority, we will provide reasonable information and assistance to support it, taking into account the nature of the Service and the information available to us.
11. Security
11.1. We apply administrative and technical safeguards appropriate to the stage of the Service and the sensitivity of the data, including encryption in transit (TLS) for data sent to and from the Service, encryption at rest for stored account data and paired provider keys, authentication, HMAC-signed webhook delivery, and reliance on reputable infrastructure providers. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
12. Cookies and local storage
12.1. The Service uses no third-party analytics and no tracking or advertising cookies.
12.2. The dashboard sets no session cookies. Authentication is handled by Supabase, which stores your authentication session token in the browser’s localStorage rather than in cookies. This strictly-necessary localStorage (together with any essential storage needed for API-key handling) is the only client-side storage the Service itself relies on. Our infrastructure provider (Cloudflare) may set strictly-necessary security cookies (for example, __cf_bm for bot management); these are not used for tracking or advertising.
12.3. Because this storage is strictly necessary to provide the Service and is not used for tracking, the Service does not use a cookie-consent banner and there is no separate Cookie Policy.
12.4. If third-party analytics or any non-essential storage is added in the future, we will revisit this section and our consent approach.
13. Children
13.1. The Service is a developer tool not directed to children, and it is not intended for the processing of children’s personal data. You must not submit personal data of minors without an appropriate lawful basis and any required safeguards (see Section 7 and the Terms of Service).
14. Changes to this Policy
14.1. We may update this Policy from time to time. For material changes we will provide reasonable notice (for example, by email or a notice in the dashboard or on the website). The “Last updated” date above reflects the latest version.
15. Contact
15.1. Questions, requests, or complaints about this Policy or our data handling may be sent to privacy@parserelay.app.