Last updated: 13 May 2026
Privacy Policy & Data Processing Agreement
1. Data Controller
The data controller for your personal data is:
Parat ASEmail: dpo@parat.ai
Organisation number: [ORG NR PLACEHOLDER]
Address: [ADDRESS PLACEHOLDER]
For any questions about the processing of your personal data, please contact us at dpo@parat.ai.
2. What Data We Collect
We process the following categories of personal data:
- Account data — email address, used for one-time password (OTP) login and service-related communications.
- Case content — uploaded documents, interview responses, extracted facts, and generated case summaries. Content is user-controlled and stored securely.
- Usage data — feature interactions and credit usage, used for service improvement.
- Billing data — subscription tier and status. Payment details are handled entirely by Polar.sh — we do not store card data.
3. Legal Basis for Processing (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Case content and account data | Performance of a contract (Art. 6(1)(b)) |
| Usage analytics | Legitimate interest (Art. 6(1)(f)) — improving the service |
| Billing records | Legal obligation (Art. 6(1)(c)) — Norwegian accounting law |
4. Retention
- Account and case data — retained while the account is active, plus 12 months after cancellation. A shorter retention period can be arranged on request via dpo@parat.ai.
- Billing records — 5 years in accordance with Norwegian accounting law.
5. Sub-processors (GDPR Art. 28)
We use the following approved sub-processors.
| Provider | Purpose | Location | Basis |
|---|---|---|---|
| Anthropic | AI inference — Claude API for document analysis, interview assistance, and case summaries | US (Standard Contractual Clauses) | Anthropic Data Processing Addendum — customer data never used to train AI models |
| Supabase | Database, authentication, and file storage (uploaded documents) | EU (Frankfurt / eu-central-1) | Supabase DPA |
| Vercel | Web hosting and edge functions | EU/US (Standard Contractual Clauses) | Vercel DPA |
| Polar.sh | Subscription billing and payment processing | EU/US (Standard Contractual Clauses) | Polar privacy policy |
| [Transactional email provider — to be confirmed] | OTP codes and billing receipts | [To be confirmed] | [To be confirmed] |
No-AI-training guarantee: We provide a contractual guarantee that data you upload to Parat is never used to train AI models, by us or by Anthropic.
The full sub-processor register is available at /sub-processors.
6. Your Rights under GDPR
You have the following rights under the General Data Protection Regulation:
- Right of access (Art. 15) — the right to confirm whether we process data about you and to receive a copy.
- Right to rectification (Art. 16) — the right to have inaccurate data corrected.
- Right to erasure (Art. 17) — the right to have your data deleted (“right to be forgotten”).
- Right to data portability (Art. 20) — the right to receive your data in a machine-readable format.
- Right to object (Art. 21) — the right to object to processing based on legitimate interest.
- Right to restriction (Art. 18) — the right to restrict processing in certain circumstances.
To exercise your rights, contact us at dpo@parat.ai. We will respond to your request within 30 days.
You also have the right to lodge a complaint with the Norwegian Data Protection Authority, Datatilsynet (datatilsynet.no), if you believe that the processing of your data is in breach of data protection law.
7. Cookies and Local Storage
We use no advertising cookies and no third-party analytics that track you across websites. We use the browser's localStorage solely to improve your experience:
- Theme preference (light/dark) — local only, never transmitted.
- Language preference (Norwegian/English) — stored in localStorage and as a functional cookie. The cookie is sent with requests so the server can deliver the correct language version.
- Interview session and workspace state — cached locally to restore your progress. The session ID is sent to the server as part of chat requests to maintain conversation continuity.
- Email thread review state — cached locally; cleared after completion.
8. International Transfers
Supabase processes data exclusively in EU regions for this service. Anthropic, Vercel, and Polar.sh may process data outside the EU/EEA under Standard Contractual Clauses (SCCs) in accordance with GDPR Art. 46(2)(c).
9. Changes to This Policy
We may update this privacy policy from time to time. For material changes, we will notify registered users by email before the changes take effect. The date of the most recent update is shown at the top of this page.
10. Contact
For privacy questions or to exercise your rights:
Parat ASEmail: dpo@parat.ai
Organisation number: [ORG NR PLACEHOLDER]
Address: [ADDRESS PLACEHOLDER]
See also our sub-processor register.