Parational Solutions Corporation — Privacy Policy

Effective Date: 2025-08-14

Parational Solutions Corporation ("Parational," "we," "us," or "our") respects your privacy. This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit or use our websites, Microsoft Office add-ins, and cloud services including Parational Sync, Parational Transcript, and Parational Agent (collectively, the "Services"). It also describes your rights and how to contact us.

By using the Services, you agree to this Privacy Policy. If you do not agree, do not use the Services.

1. Who we are and our role

Controller: For business contact, account, billing, marketing, and website data, Parational is the data controller.
Processor/Service Provider: For Client Data that you submit to or generate in the Services (e.g., emails, documents, matter metadata, transcripts), Parational acts as a processor/service provider and processes such data under your instructions, per our EULA and any Data Processing Addendum (DPA).

See also: EULA Section 3 (Client Data; Privacy; Security) and the DPA (available upon request).

2. Scope

This Policy applies to:

Our public websites, product documentation, and support portals
Our services: Parational Sync, Parational Transcript, and Parational Agent
Interactions with our sales, support, and marketing teams

This Policy does not apply to third-party services (e.g., Microsoft, Clio, Zoom, Google) that you connect to our Services. Those services are governed by their own privacy policies.

3. Key definitions

Client Data: Data, content, files, messages, and other information submitted to, processed by, or generated within the Services by you or on your behalf, including personal data.
Personal Data: Any information relating to an identified or identifiable natural person.
Third-Party Services: External platforms you connect (e.g., Microsoft 365/Outlook/OneDrive, Clio, Zoom, Google Meet).

4. What we collect

We collect the following categories of information, depending on which Services you use and your configuration:

4.1 Account and contact information (Controller)

Name, business title/role, firm name
Email address, phone number, mailing address
Authentication and account identifiers

4.2 Billing and transactions (Controller)

Subscription details, seat counts, and entitlements
Billing contact, invoicing records, payment confirmations (processed by PCI-compliant payment providers; we do not store full card numbers)

4.3 Service configuration and integrations (Controller/Processor)

Tenant IDs, organization identifiers
Integration settings and tokens/credentials you provide for Third-Party Services (e.g., Microsoft Graph, Clio)
User authorization scopes and consent state

4.4 Client Data processed in the Services (Processor)

Parational Sync: Email headers/metadata, message bodies, attachments, document files, matter identifiers and folder structures, and related audit logs
Parational Transcript: Audio/video content you submit or record, generated transcripts, summaries, and action items
Parational Agent: Prompts and context you provide, generated outputs, and optional firm template content

4.5 Usage, diagnostic, and telemetry data (Controller)

Device and technical data: IP address, device identifiers, OS, browser, app version
Event logs, API call metadata, performance metrics, error reports
Limited cookie/SDK analytics data (see Cookies & Tracking)

4.6 Support and communications (Controller)

Emails, chat transcripts, and support tickets
Feedback, surveys, testimonials (with consent)

We do not intend to collect special categories of data (e.g., health, biometric, or sensitive personal data) unless you choose to include such information within Client Data. You remain responsible for lawfully collecting and submitting Client Data.

5. Sources of data

Directly from you and your authorized users
Automatically from your use of the Services (telemetry, logs)
From Third-Party Services you connect (e.g., Microsoft Graph, Clio, conferencing platforms) as instructed by you
From public sources or vendors that support our sales/marketing operations, as permitted by law

6. How we use data and legal bases

We process personal data for these purposes and legal bases (where applicable):

Provide and operate the Services (contract necessity): create accounts, authenticate users, process and store Client Data, run sync/transcription/agent features
Security and integrity (legitimate interests/legal obligations): monitor, prevent, detect, and respond to security incidents, abuse, and system failures
Improve and develop the Services (legitimate interests): analyze usage, quality, and performance; develop new features; enhance reliability
Customer support (contract necessity/legitimate interests): respond to requests, troubleshoot issues
Communications (contract/legitimate interests for service notices; consent for marketing): service notices, onboarding, and product updates; promotional and marketing communications only with prior opt-in consent (you may withdraw at any time)
Compliance (legal obligations): tax, accounting, regulatory, and requests from authorities, where lawful

When we rely on consent, you may withdraw it at any time where feasible without affecting prior processing.

7. Cookies and tracking

We use:

Strictly necessary cookies for authentication, session management, and security
Limited analytics/telemetry to improve reliability and user experience

Controls:

Browser settings to block/clear cookies
In-product or site-level controls where available
Email unsubscribe links for marketing and withdrawal of consent

We do not sell personal data or use cross-context behavioral advertising. We do not honor browser Do Not Track signals, but where applicable, we will respect Global Privacy Control (GPC) signals for opt-outs required by law.

We do not currently target or serve EU/UK users; if this changes, we will implement an appropriate cookie consent mechanism and related controls.

We do not sell personal information. We disclose information only as described:

Service providers and subprocessors: Cloud hosting, email delivery, logging/monitoring, customer support tools, and payment processors. We require appropriate confidentiality, security, and data protection commitments.
Third-Party Services at your instruction: When you connect Microsoft 365/Graph/OneDrive/Outlook, Clio, Zoom, Google Meet, or other integrations, data flows per your configuration and those providers’ policies.
Affiliates: To operate our business, subject to this Policy.
Business transfers: In connection with mergers, acquisitions, financing, or sale of assets, subject to continuing protections.
Legal disclosures: To comply with law, lawful requests, or to protect rights, safety, and security.

A current subprocessor list is available at https://parational.com/privacy. We will provide notice of material changes to subprocessors as required by the DPA.

9. International transfers

We prioritize processing and storage in Canada. For reliability, redundancy, and specific subprocessor services, data may also be processed or stored in the United States and other countries where we or our providers operate. Where required, we use appropriate transfer mechanisms (e.g., Standard Contractual Clauses) and implement technical and organizational measures consistent with our EULA and DPA.

10. Security

We implement appropriate technical and organizational measures to protect personal data against unauthorized access, disclosure, alteration, and destruction, including:

Encryption in transit; encryption at rest where supported by the platform
Access controls based on least privilege and role
Network security, monitoring, and alerting
Secure development practices and vulnerability management
Incident response procedures

If we confirm a security incident affecting Client Data, we will notify you without undue delay and in any event within 72 hours, consistent with our EULA and incident response procedures, and provide information we can reasonably disclose.

11. Data retention

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, including to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Illustrative periods:

Account and billing records: for the subscription term and up to 7 years thereafter, as required by tax/accounting laws
Telemetry and logs: retained for operational needs and security; typical windows range from 7–180 days depending on data type
Marketing contact data: until you withdraw consent or opt out, or we delete inactive contacts per internal schedules
Client Data: for the subscription term and in accordance with your configuration and our EULA/DPA. Upon termination, we will make export tools available upon request for 30 days. Thereafter, Client Data in production systems is deleted within 30 days and in backups within 90 days via routine cycles, subject to legal holds.

12. Your privacy rights

Your rights depend on your location and applicable law. Subject to exceptions, you may have rights to:

Access, correct, or delete your personal data
Object to or restrict processing, or withdraw consent where processing is based on consent
Data portability, where technically feasible
Lodge a complaint with a supervisory authority

EU/UK: You may have rights under GDPR/UK GDPR. You may contact your local authority and us using the details below.

California (CCPA/CPRA) and certain U.S. states: You may have rights to know/access, correct, delete, and opt out of certain disclosures deemed a “sale” or “sharing.” Parational does not sell personal information and does not share personal information for cross-context behavioral advertising. You may still exercise your rights using the contact method below.

Canada (PIPEDA/provincial laws): You may request access and correction, and inquire about our practices and transfers.

To exercise rights, contact us at the address or email in Contact Us. We will verify your request and respond within statutory timeframes. Authorized agents may submit requests where permitted by law.

13. Children’s privacy

The Services are not directed to children, and we do not knowingly collect personal data from individuals under 16. If you believe a child provided personal data, contact us to request deletion.

14. Product-specific notices

Parational Sync

Processes email and document data, matter identifiers, and folder structures you configure.
Interacts with Microsoft 365, OneDrive, and legal case management systems (e.g., Clio) per your instructions.

Parational Transcript

Processes audio/video content and generates transcripts, summaries, and action items.
You are responsible for obtaining and maintaining all legally required notices and consents from participants for recording and processing, as stated in the EULA.

Parational Agent

Processes prompts and context you provide and generates outputs. Outputs may contain errors and must be reviewed before use. Do not submit data you are not authorized to process.

AI and automated processing

We use AI features to assist your workflows. We do not use automated decision-making that produces legal or similarly significant effects without human review. You retain responsibility for reviewing outputs.

15. Third-Party Services and links

Your use of Third-Party Services is governed by those providers’ policies and terms. We are not responsible for their privacy practices. Links within our websites or Services to third-party sites are provided for convenience only.

16. Changes to this Policy

We may update this Policy to reflect changes to our practices or for legal, technical, or business reasons. If we make material changes, we will post the updated Policy with a new Effective Date and, where required, provide additional notice.

17. Contact us

Parational Solutions Corporation
Email: support@parational.com

If you are in the EU/UK, you may also lodge a complaint with your local data protection authority. If required by law, we will designate an EU/UK representative and update this Policy.