Privacy Policy
Last updated: March 2026
1. Data Controller
PeterParser ("we", "us", "our") operates the document parsing API and related services at peterparser.com. We act as the data controller for the personal data processed through our services, in compliance with the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the German Federal Data Protection Act (Bundesdatenschutzgesetz / BDSG), the German Telemediengesetz (TMG), and the California Consumer Privacy Act (CCPA).
2. Legal Basis for Processing (GDPR Art. 6)
We process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): processing necessary to provide our API services, manage your account, and process billing.
- Legitimate interest (Art. 6(1)(f)): security monitoring, fraud prevention, and service improvement.
- Consent (Art. 6(1)(a)): optional email notifications (parse completion, marketing). You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): tax records, regulatory compliance.
3. Data We Collect
- Account data: email address, name, company (optional) when you sign up via Firebase Authentication.
- API usage data: API key identifiers, request timestamps, document types, page counts, IP addresses for rate limiting and security.
- Document data: files you upload are processed transiently. We do not store your documents after processing unless caching is enabled (configurable TTL, max 7 days). Cached data is automatically purged.
- Payment data: handled exclusively by Stripe (PCI-DSS Level 1 certified). We never see or store full card numbers. We store only Stripe customer ID and last-4 card digits for display.
- Technical data: browser type, OS, referring URL — collected only for security and not shared with third parties.
4. How We Use Your Data
- Provide and operate our document parsing services.
- Bill for usage, process payments, and prevent abuse.
- Send transactional emails (welcome, parse completion) — only when you opt in.
- Enforce rate limits and detect fraudulent activity.
- Comply with legal obligations.
We do not sell, rent, or trade your personal data. We do not use your data for profiling, automated decision-making, or advertising.
5. Data Residency & Regional Processing
We operate in two regions: US (Iowa, us-central1) and EU (Frankfurt, Germany, europe-west3). Your API key is assigned to a region, and all data processing occurs exclusively within that region. EU data is processed and stored exclusively within Germany (Frankfurt, europe-west3) and never leaves the European Economic Area.
Google Cloud AI for EU keys runs in europe-west3 (Frankfurt). MongoDB Atlas for EU runs in the Frankfurt region. GCS buckets are located in europe-west3.
6. International Data Transfers
For US-region API keys, data is processed in the United States. For EU-region keys, no data leaves the EEA. Where international transfers are necessary (e.g., Stripe payment processing), they are protected by EU Standard Contractual Clauses (SCCs) or adequacy decisions per GDPR Chapter V.
7. Data Retention
- Documents: deleted immediately after processing (or after cache TTL expires, max 7 days).
- Account data: retained while your account is active. Permanently deleted upon account deletion.
- Transaction records: retained for 7 years for tax/legal compliance (GDPR Art. 6(1)(c)), then deleted.
- API access logs: retained for 90 days for security and debugging, then purged.
- Webhook logs: auto-deleted after 72 hours.
8. Your Rights (GDPR Art. 12-23 / CCPA / BDSG)
You have the right to:
- Access (Art. 15): obtain a copy of your personal data.
- Rectification (Art. 16): correct inaccurate personal data.
- Erasure (Art. 17): delete your data ("right to be forgotten"). You can delete your account from your dashboard Settings tab — the process is immediate and irreversible.
- Restriction (Art. 18): restrict processing of your data.
- Portability (Art. 20): receive your data in a machine-readable format.
- Object (Art. 21): object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)): withdraw consent for optional processing at any time.
- CCPA opt-out: we do not sell personal information. You may request deletion at any time.
To exercise any right, use the self-service account deletion in your dashboard or email privacy@peterparser.com. We respond within 30 days (GDPR) or 45 days (CCPA).
9. Sub-processors
We use the following sub-processors, each bound by Data Processing Agreements (DPAs):
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Infrastructure, AI document processing | US (Iowa) / EU (Frankfurt, DE) |
| MongoDB Atlas | Database | US / EU (Frankfurt, DE) |
| Redis Cloud | Caching, job queue | US / EU |
| Stripe | Payment processing | US (PCI-DSS Level 1) |
| Firebase | Authentication, frontend hosting | US |
| Cloudflare | DNS, CDN, DDoS protection | Global (edge) |
| AWS SES | Transactional email delivery | US |
10. Security Measures (GDPR Art. 32)
We implement appropriate technical and organizational measures:
- All data encrypted in transit (TLS 1.3) and at rest (AES-256).
- API keys use cryptographically secure random generation (32-byte entropy).
- Webhook payloads signed with HMAC-SHA256.
- Role-based access control (RBAC) with Firebase Auth + superAdmin flag.
- Rate limiting and IP-based abuse detection.
- Regular security audits and dependency scanning.
- Infrastructure hardened with VPC isolation and firewall rules.
11. Cookies
We use only strictly necessary cookies for authentication (Firebase session). We do not use tracking cookies, third-party analytics, or advertising pixels. No cookie consent banner is required as we only use essential cookies (GDPR Recital 30, ePrivacy Directive Art. 5(3)).
12. Children's Privacy
Our Service is not directed at individuals under 16. We do not knowingly collect data from minors. If you believe a child has provided personal data, contact us and we will delete it.
13. Data Breach Notification
In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and affected individuals without undue delay where the breach poses a high risk to rights and freedoms (GDPR Art. 34).
14. Supervisory Authority
EU users have the right to lodge a complaint with their local data protection authority. For Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI), Husarenstraße 30, 53117 Bonn, Germany.
15. Changes to This Policy
We may update this policy with 30 days notice via email or dashboard notification. The "last updated" date at the top reflects the latest revision.
16. Contact / Data Protection Officer
Data Protection Officer: privacy@peterparser.com
General inquiries: support@peterparser.com