We process personal data on behalf of our customers (data controllers) when they submit documents to the API. This page describes the categories of data we process, the legal basis, and your rights.

Data we process

• Documents you submit (PDFs, images) and the extracted JSON.
• Account metadata: email, hashed password, API key prefixes.
• Usage telemetry: page counts, status codes, request IDs.
• Billing records via Stripe (we never see card numbers).

Where it lives

EU customer data stays in the EU (Exoscale Zürich + Cloudflare R2 jurisdiction='eu' + Neon EU). US customer data stays in the US (Hetzner Ashburn + R2 location='enam'). Region binding is enforced at API-key level — we cannot accidentally cross regions.

Sub-processors

Authoritative list at docs.tryparsr.dev/security/sub-processors. We notify customers of changes within 30 days.

Retention

Default retention is 30 days for both source documents and parsed results. Configurable downward on Starter and above. On account deletion: source + result are erased within 30 days, audit logs are retained for 12 months for fraud-prevention purposes.

Your rights (GDPR)

You have the right of access, rectification, erasure, restriction, and portability. Email privacy@tryparsr.dev for any of these. We respond within 30 days and never charge a fee.

International transfers

We do not transfer EU customer data outside the EU. If you operate on US infrastructure (sk_us_… key), data stays in the US. We do not offer cross-region storage of the same dataset.

Supervisory authority: the Belgian Data Protection Authority (Gegevensbeschermingsautoriteit / Autorité de protection des données).