Legal

Privacy policy

Last updated July 3, 2026 · Effective date July 3, 2026

This policy explains what personal data ParityRail collects, why, who it’s shared with, and how long it’s kept. It covers both the ParityRail service itself (your account, your workspace) and — separately, because the rules differ — the Stripe and database data ParityRail processes on your behalf, which is governed by our data processing addendum.

This is a product-accurate starting template, not legal advice. It hasn’t been reviewed by a lawyer. Have counsel review it before you rely on it.

Before launch: ParityRail is operated by ArcheLab (아르케랩), a sole proprietorship in the Republic of Korea (대표 김준태). This policy reflects our real data practices; under Korea’s PIPA the operator is the personal-information controller for account data and a processor for the customer data described below. Have counsel review it before you rely on it, and before any regional disclosure requirements (e.g. GDPR, CCPA) are finalized.

1. Who this policy covers

This policy applies to ParityRail (operated by ArcheLab (아르케랩)) and the personal data of people who visit our website or hold an account: workspace owners, invited teammates, and anyone we correspond with directly.

It does not separately govern the Stripe and database data ParityRail reads and, where authorized, repairs on behalf of a customer’s own end users. For that data, the customer is the data controller and ParityRail is the data processor, acting only on the customer’s documented instructions — the full terms are in our data processing addendum. If you’re an end user of a ParityRail customer with a question about your own data, the fastest path is your provider (the ParityRail customer), since they hold the relationship with you.

2. What we collect

  • Account data. Name, email address, and authentication records (including hashed passwords) when you create an account or accept a workspace invite.
  • Workspace configuration. The integrations, mappings, rules, alert channels, and team roles you set up — these describe how the service should behave for you, and can contain identifiers you choose to include (for example, a Slack channel or a colleague’s email in an invite).
  • Billing contact data. For paid plans, your billing email and subscription status, as returned to us by Lemon Squeezy (our Merchant of Record). We do not receive or store your full card number — Lemon Squeezy handles the payment itself.
  • Support & correspondence. Anything you send us at our support, legal, or security addresses.
  • Technical & log data. Standard request metadata (IP address, user agent, timestamps) generated by using the app, retained only as needed to operate and secure the service.

We don’t run third-party advertising trackers or sell personal data. We use cookies only as needed to keep you signed in and to secure your session — no cross-site ad-tracking cookies.

3. How we use personal data

  • To create and operate your account and workspace.
  • To run the service you configured — scans, alerts, and (where you’ve approved or enabled it) repairs.
  • To send service, security, and billing communications (verification emails, incident alerts, invoices) and, where you opt in, product updates.
  • To provide support when you contact us.
  • To maintain the security, integrity, and tenant isolation of the service, including the append-only audit log.
  • To comply with legal obligations and enforce our terms.

4. How we share personal data

We share personal data only with the subprocessors below, each engaged to help us run the service — never to sell or rent your data to third parties.

| Subprocessor | Purpose | Region |
| --- | --- | --- |
| Vercel | Application hosting and serverless compute | United States |
| Managed Postgres host | ParityRail's own database — encrypted credentials, incidents, audit log | United States |
| Resend | Transactional and alert email delivery | United States |
| Lemon Squeezy | Payment processing for ParityRail's own subscriptions, as Merchant of Record (billing contact details, subscription status) | United States |

The engineering subprocessor list for data ParityRail processes on customers’ behalf (as processor) lives in the data processing addendum. We may also disclose personal data where required by law, or in connection with a merger, acquisition, or sale of assets — subject to the same protections described here.

5. International transfers

Our subprocessors currently operate in the United States. Where applicable law requires a transfer mechanism for personal data leaving your region, we rely on the safeguards our subprocessors offer (such as standard contractual clauses) and will document these more formally as we scale — see the trust & security page for our current posture.

6. Data retention

  • Account data is retained while your account is active and for a reasonable period afterward for legal, security, and support purposes.
  • State snapshots captured during reconciliation are retained on a rolling 90-day window and pruned automatically after that.
  • Incidents and audit records are retained for the life of your workspace so your Access Ledger stays complete and audit-ready.
  • Billing records are retained as required by tax and accounting law, and as held by Lemon Squeezy as Merchant of Record.

Deleting a project removes its configuration and connected credentials. To request deletion of your account or workspace outright, write to legal@parityrail.com, subject to retention required by law.

7. Security

Credentials are sealed with AES-256-GCM before storage; all traffic is encrypted in transit with TLS. Access to customer database connections is read-only by default, enforced at the database level. Every workspace is strictly tenant-isolated, and state-changing actions are written to a tamper-evident, append-only audit log. ParityRail is not SOC 2 certified at this time — see our trust & security page for the full, honest picture of where we stand.

8. Your rights & choices

Depending on where you live, you may have rights to access, correct, export, or delete your personal data, or to object to or restrict certain processing. To exercise any of these rights over your ParityRail account data, email legal@parityrail.com.

If your request concerns data ParityRail processes on behalf of a customer (as processor, under our data processing addendum), the fastest resolution is usually through that customer directly, since the underlying data lives in their Stripe account and database. We will provide reasonable assistance to our customers in fulfilling such requests, as described in section 7 of the data processing addendum.

9. Children's privacy

ParityRail is a business tool and is not directed to children. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, contact legal@parityrail.com and we’ll delete it.

10. Changes to this policy

We may update this policy as the service evolves. Material changes will be posted here with an updated “Last updated” date. Continued use of the service after a change takes effect means you accept the updated policy.

11. Contact

Privacy questions or data requests: legal@parityrail.com. Security reports: security@parityrail.com. See also our full contact page.