Privacy Policy
1. Introduction
Parry.io Ltd. (“Parry”, “we”, “us”, or “our”) is an Israeli company registered at Ein Harod 4/2, Tel Aviv-Yafo, Israel (company number 517334017). We provide AI-powered contract intelligence (“parry-core”) and real-time call-advice (“parry-realtime”) services to business customers.
This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our services, our website at parry-io.com, and the Parry Chrome extension.
If you are a user of our services through a customer organization (your employer or another business), please also refer to that organization’s own privacy notice — they determine the purposes for which your personal data is processed when using Parry.
2. Scope of This Policy
This Privacy Policy applies to:
- The Parry website at parry-io.com.
- The Parry web application (parry-core dashboard and related services).
- The Parry Chrome extension distributed via the Chrome Web Store (subject to additional terms in Section 16 — Real-Time Agent Annex).
- Direct communications with Parry (email, sales inquiries, support).
For most of our services, Parry acts as a Data Processor under GDPR Article 28 on behalf of our business customers (who are the Data Controllers). Where we collect data directly from end users (e.g., website visitors, contact-form submissions), we act as a Data Controller for that limited processing.
3. Information We Collect
3.1 Information you provide to us directly
- Account information when you register or are invited to use Parry: name, business email address, organization name, role/title.
- Authentication data: credentials managed by our identity provider (WorkOS); supported sign-in methods include Google SAML, SSO, and SAML 2.0 federation.
- Communications: messages you send us through support, sales, or contact forms, including any documents or files you attach.
3.2 Information we process on behalf of our customers (as Processor)
- For parry-core: contract documents and associated metadata that customers upload or grant access to; deal participant identities and contact information embedded in those contracts; derived analyses generated by Parry’s AI components.
- For parry-realtime: voice-derived transcripts of calls the customer records and processes through the service; metadata about call participants (names, times, durations); AI-generated advice content produced during or after the call.
- Configuration data: tenant settings, user entitlements, integration configurations.
We do not collect or process special-category personal data (GDPR Art. 9) by design.
3.3 Information collected automatically
- Usage and telemetry data: pages visited, features used, performance and error metrics, session timing.
- Technical data: IP address, browser type and version, device type, operating system, language preferences, referring URLs.
- Cookies and similar technologies: see Section 12.
3.4 Information from third parties
- From your organization’s identity provider, when you sign in using Google SAML, Microsoft Entra, Okta, or another SSO/SAML provider — typically your name, email, and group memberships.
- From integrated services, where your organization has authorized Parry to access calendars, CRMs, or document repositories on its behalf.
4. How We Use Information (Purposes of Processing)
We use the information described above to:
- Provide and operate the services — process contracts, generate analyses, deliver real-time advice, manage user accounts and entitlements.
- Improve and secure the services — detect and prevent abuse, fraud, and security incidents; investigate technical issues; monitor performance.
- Communicate with you — respond to support requests, send service-related notices, provide product updates (transactional only by default).
- Comply with legal obligations — respond to lawful requests from competent authorities, meet our contractual and regulatory obligations.
- Service improvement — analyze aggregated, anonymized, or synthetic data to improve our services.
We do not use customer-scoped data to train our own AI models or those of any third-party LLM provider (see Section 9).
5. Legal Basis for Processing (GDPR)
Where the General Data Protection Regulation applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — to provide the services to our customers and their users.
- Legitimate interests (Art. 6(1)(f)) — to operate, secure, improve, and protect our services, where our interests are not overridden by your rights.
- Compliance with a legal obligation (Art. 6(1)(c)) — to meet applicable laws and regulatory obligations.
- Consent (Art. 6(1)(a)) — where required by law (e.g., certain cookies or marketing communications), with the right to withdraw at any time.
When acting as a Processor on behalf of a customer, the customer is responsible for determining and demonstrating the lawful basis for processing of the personal data they entrust to us.
6. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected and to meet our contractual, legal, and regulatory obligations.
6.1 Retention by data category
| Data category | Default retention window |
|---|---|
| Customer-scoped data (contracts, transcripts, analyses) | For the duration of the customer's subscription, plus the post-termination period defined in the customer agreement (default 30 days), after which data is deleted. |
| Account data (name, email, role) | For the duration of the user's active account, plus 90 days after deactivation. |
| Authentication and security logs | 12 months minimum (longer if required by law or for incident response). |
| Operational and audit logs | 12 months minimum. |
| Support communications | 24 months after closure. |
| Telemetry and analytics (technical, non-identifying) | 13 months. |
| Backups | Defined retention window per backup category; expired backups are irreversibly deleted. |
6.2 Customer-directed retention
Customers can configure shorter retention windows for their tenant by contractual agreement. We will honor any reduced retention window agreed in writing.
6.3 Right to erasure
You can request deletion of your personal data by contacting us using the details in Section 13. Requests are processed within 30 days where legally feasible. Where the data is processed on behalf of a customer, we will forward the request to that customer (the Data Controller) without undue delay.
6.4 Backup retention
Production backups follow a defined retention window after which data is irreversibly deleted by our cloud provider. Backups containing personal data subject to a deletion request will be allowed to expire from the backup retention window rather than be individually restored to extract that data.
7. Sharing with Third Parties (Subprocessors)
We share personal data only with the parties listed below, each of whom has executed appropriate data protection terms with us and is bound to use the data only as instructed.
7.1 Direct subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Production hosting, databases, object storage, identity-aware access | EU (europe-west3, Frankfurt) |
| Google Vertex AI | LLM inference (Google Gemini family and supported third-party models) | EU regions where available |
| Amazon Web Services — AWS Bedrock | LLM inference (Anthropic Claude family) | EU regions |
| Anthropic | LLM inference (direct API, secondary path; also a sub-processor of AWS for Bedrock-hosted models) | US/EU per provider |
| OpenAI | LLM inference (failover for parry-core; primary for parry-realtime advice generation) | US/EU per provider |
| Voyage AI | Text embeddings (parry-core only) | US |
| Deepgram | Speech-to-text transcription (parry-realtime only) | US/EU |
| Google Workspace | Corporate productivity (Parry-internal; not customer-scoped data unless explicitly shared) | EU |
| WorkOS | Identity provider and SSO/MFA | US (data processing under EU SCCs) |
Each subprocessor processes personal data only under our documented instructions and is contractually bound by data protection and security obligations equivalent to those in this Policy. Bespoke countersigned Data Processing Addenda with each direct subprocessor are being executed in parallel under our SOC 2 Type I engagement (initiated May 2026).
7.2 Sub-processors of subprocessors (4th/Nth parties)
Each direct subprocessor is required by its DPA with Parry to impose materially equivalent data protection obligations on its own subcontractors. We rely on each subprocessor’s independent SOC 2 Type II and/or ISO 27001 attestations as the assurance mechanism for their vendor management program.
7.3 Other recipients
- Service providers (e.g., legal counsel, accountants) bound by confidentiality and professional-licensing obligations.
- Legal disclosures required by court order, subpoena, or regulatory request, where we are legally compelled to disclose.
- In connection with a business transition (merger, acquisition, financing), subject to confidentiality and equivalent privacy commitments.
7.4 No sale, no behavioral advertising
We do not sell personal data, do not share personal data for cross-context behavioral advertising, and do not allow advertising tracking through our services.
7.5 Notification of changes to subprocessors
We will notify customers of material changes to our subprocessor list through updates to this Policy, with reasonable advance notice where commercially feasible. Customers may also subscribe to direct notification through their account.
8. International Data Transfers
Our default production environment is located in the European Union (Google Cloud europe-west3 — Frankfurt; AWS EU regions). Where personal data is transferred outside the EU/EEA, we rely on appropriate transfer mechanisms including:
- The EU Standard Contractual Clauses (SCCs, 2021 modules) incorporated into our subprocessors’ data processing terms.
- Adequacy decisions of the European Commission, where applicable.
- Supplementary technical and contractual measures including encryption in transit and at rest, access controls, and rights to challenge legal requests.
A list of the specific transfer mechanism applied to each subprocessor relationship is available on request.
9. Limited Use, Data Minimization, and AI Model Use
9.1 Data minimization
We collect and process only the personal data necessary to provide the services. Access to personal data within Parry is limited to authorized personnel on a least-privilege, need-to-know basis.
9.2 No training on customer data
Customer-scoped data is not used to train Parry’s own AI models or any third-party LLM provider’s models. This commitment is enforced contractually with each LLM provider:
- OpenAI — API data is not used to train OpenAI models (per OpenAI API terms).
- Anthropic — commercial customer data is not used to train Anthropic models (per Anthropic Commercial Terms).
- AWS Bedrock — provider-side training on customer prompts is contractually disallowed; inference is stateless by design.
- Google Vertex AI — customer prompts and outputs are not used to train Google’s foundation models (per Vertex AI generative AI data governance).
9.3 Zero data retention for inference
Where supported by the provider, we configure third-party LLM inference for zero data retention so that prompts and outputs are not persisted on the provider’s side beyond the duration required to complete the inference request. Customer-specific zero-data-retention configurations across the LLM stack can be enabled on request as part of engagement scoping.
9.4 Chrome Web Store — Limited Use
Where the Parry Chrome extension accesses data covered by the Chrome Web Store User Data Policy:
- Use of that data is limited to providing or improving user-facing features that are prominent in the extension’s user experience.
- We do not transfer that data for advertising, credit-worthiness, or for any purpose unrelated to providing the user-facing features.
- We do not allow humans to read that data, except (a) with the user’s affirmative consent, (b) for security investigations, (c) to comply with applicable law, or (d) where the data has been aggregated and used for internal operations in accordance with the Chrome Web Store policies.
10. Security
We implement administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. These include:
- Encryption at rest with managed keys (Google Cloud CMEK, AWS KMS) for all customer-scoped data stores; OAuth and integration tokens encrypted at rest with application-managed keys stored in Google Secret Manager.
- Encryption in transit using TLS 1.2 or above on all external and internal endpoints.
- Multi-tenant logical isolation at every layer — client_id scoping at every query, per-tenant event channels, per-client storage partitioning, RBAC enforcement, end-to-end tenant context propagation.
- Identity and access — single sign-on (WorkOS) with mandatory multi-factor authentication for all production access via Identity-Aware Proxy.
- Least-privilege access to customer-scoped data, with quarterly access reviews and named-personnel records.
- Centralized logging and continuous monitoring of authentication events, administrative actions, and security signals.
- Secure software development lifecycle — peer-reviewed pull requests, automated SAST and dependency scanning, secret scanning, container-image scanning, GCP Security Command Center.
- Defined remediation SLAs for vulnerabilities by CVSS severity (Critical 48 hours, High 7 days, Medium 30 days, Low 90 days).
We are in an active SOC 2 Type I engagement with EY (initiated May 2026); SOC 2 Type II will follow. Reports will be made available under NDA on request once issued.
No security control or program can guarantee absolute security. We will notify affected customers and individuals of confirmed security incidents involving personal data as required by applicable law and contract.
11. Your Rights
11.1 GDPR / UK GDPR rights (EU/EEA and UK residents)
You have the right to:
- Access personal data we hold about you.
- Rectify inaccurate or incomplete personal data.
- Erase personal data (“right to be forgotten”) where applicable conditions are met.
- Restrict processing in certain circumstances.
- Data portability — receive a copy of your data in a structured, commonly used machine-readable format.
- Object to processing based on legitimate interests.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority in your EU/EEA Member State or with the UK Information Commissioner’s Office.
Where Parry acts as a Data Processor on behalf of a customer, requests to exercise your rights should generally be directed to that customer first; we will assist them in fulfilling those requests as required by our DPAs.
11.2 California rights (CCPA / CPRA)
California residents have the right to:
- Know what personal information we collect, the sources, the purposes, and to whom we disclose it.
- Delete personal information we have collected (subject to exceptions).
- Correct inaccurate personal information.
- Opt out of the “sale” or “sharing” of personal information — Parry does not sell personal information and does not share it for cross-context behavioral advertising.
- Limit the use of sensitive personal information.
- Non-discrimination for exercising your rights.
To exercise these rights, contact us as described in Section 13.
11.3 Verification
We may request additional information to verify your identity before fulfilling a rights request, to protect against unauthorized access.
12. Cookies and Tracking
We use cookies and similar technologies only as necessary to operate the services:
- Strictly necessary cookies — authentication state, session integrity, security.
- Functional cookies — user preferences (language, UI state).
- Performance/analytics cookies — aggregated usage metrics to operate and improve the services.
We do not use advertising cookies and do not allow third-party advertising trackers on parry-io.com or in the Parry Chrome extension.
Where required by applicable law, we will request consent before placing non-essential cookies and provide controls to manage cookie preferences.
13. Contact Us
For privacy-related questions, requests, or to exercise your rights:
- Privacy contact: privacy@parry-io.com
- Acting Data Protection lead: yehonatan@parry-io.com (Yehonatan Blubstein, Founder & CEO)
- Mail: Parry.io Ltd., Ein Harod 4/2, Tel Aviv-Yafo, Israel
We respond to verifiable privacy requests within 30 days where legally feasible (and within the timeline required by applicable law). For GDPR-related supervisory complaints, you may also contact your local supervisory authority.
A formal Data Protection Officer will be designated if and when our scale or contractual obligations trigger the GDPR Article 37 threshold.
14. Children's Privacy
Parry is a business-to-business service and is not directed to, marketed to, or intended for use by children under 16 (or the equivalent minimum age in the applicable jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided personal data to us, please contact us and we will take appropriate steps to delete it.
15. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last Updated” date at the top reflects the most recent revision. Material changes will be communicated through one or more of:
- A prominent notice on parry-io.com.
- An update to the in-product privacy notice.
- Direct notification to account administrators.
Where consent is the legal basis for processing, we will obtain renewed consent for changes that materially expand the purposes for which personal data is used.
A change log of material revisions is maintained internally and is available on request.
16. Real-Time Agent Annex (Chrome Extension)
This Annex applies specifically to the Parry Real-Time Agent (parry-realtime) and the associated Chrome extension.
16.1 What the extension accesses
The Parry Real-Time Agent accesses the following data only when actively engaged by the user during a call session:
- Audio stream from the meeting — to generate speech-to-text transcription via Deepgram.
- Meeting metadata — participant names where displayed in the meeting interface, meeting times.
- User-provided context — anything the user explicitly enters or attaches to the session.
The extension does not read browser content outside the active meeting context. Permissions are declared in the extension manifest and reviewed by Google at every Chrome Web Store submission.
16.2 Chrome Web Store User Data Policy / Limited Use
Our use of any data accessed by the Chrome extension complies with the Chrome Web Store User Data Policy, including the Limited Use requirements:
- Use of the data is limited to providing or improving the user-facing real-time advice and transcription features.
- Data is not transferred or sold for advertising, credit-worthiness, or unrelated purposes.
- Human review of the data is limited as described in Section 9.4.
16.3 Transcripts and AI advice
- Transcripts and AI-generated advice are stored under the customer’s tenant, subject to the customer’s configured retention.
- Where the customer enables zero-data-retention for inference, prompts and outputs are not persisted at the LLM provider beyond the duration of the inference request.
- End-of-session deletion controls are available to the customer.
16.4 Version of this Annex
This Annex is versioned and dated independently for clarity. Current version: 1.0, dated May 29, 2026.
Parry.io Ltd. — Privacy Policy v1.0 — Last Updated May 29, 2026