Privacy Policy

Last updated: March 16, 2026  ·  Effective: March 16, 2026

Contents

  1. Introduction & Controller Identity
  2. Categories of Personal Data
  3. Legal Basis for Processing
  4. How We Use Data
  5. Sub-Processors
  6. International Transfers
  7. Data Retention
  8. Security Measures
  9. Data Subject Rights
  10. CCPA / CPRA
  11. FCRA Disclaimer
  12. Cookies & Tracking
  13. Children's Data
  14. Contact / DPO

1. Introduction & Controller Identity

Parsify, Inc. ("Parsify", "we", "us", or "our") operates a provider-agnostic payroll document extraction and normalization platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect personal data in connection with the Service.

Parsify acts as a data processor, not a data controller, with respect to the payroll documents and the personal data they contain. Our customers — Human Capital Management (HCM) vendors and other organizations that use the Service to process payroll documents on behalf of their end-clients — are the data controllers who determine the purposes and means of processing the personal data submitted to Parsify. When you are an employee whose payroll data is processed through the Service, your rights should be exercised primarily through the organization (controller) that submitted your data.

This policy also describes how we handle personal data we collect directly (e.g., contact information from visitors to our marketing site and from our customers' account users).

2. Categories of Personal Data

Parsify processes the following categories of personal data, submitted by customers as part of payroll journal or payroll report documents:

  • Identifiers: Full legal names, employee IDs
  • Government identifiers: Social Security Numbers (SSNs), Taxpayer Identification Numbers (TINs / EINs), Individual Taxpayer Identification Numbers (ITINs)
  • Contact & demographic information: Home addresses, dates of birth
  • Compensation & payroll data: Gross wages, net wages, hourly rates, salary figures, overtime, bonuses, commissions
  • Deductions & benefits: Pre- and post-tax deductions, retirement contributions (401k, 403b), health insurance premiums, garnishments, child support withholdings
  • Tax information: Federal and state income tax withholdings, FICA (Social Security and Medicare) withholdings, local tax withholdings
  • Banking information: Bank account numbers, routing numbers used for direct deposit (where present in submitted documents)
  • Employment information: Employer names, pay periods, department codes, cost center assignments

We also collect limited personal data from visitors to our marketing site (such as name, business email, and company name when submitting a demo request) and from authorized users of customer accounts (name, email address, role).

3. Legal Basis for Processing

For customers and their users in the European Economic Area (EEA), United Kingdom, or Switzerland, our legal bases for processing personal data are:

  • Contractual necessity (GDPR Art. 6(1)(b)): Processing payroll document data is necessary to perform the extraction, normalization, and migration support services described in our Terms of Service and any applicable Data Processing Agreement (DPA).
  • Legitimate interests (GDPR Art. 6(1)(f)): We may process limited data for security monitoring, fraud prevention, product improvement (using aggregated, de-identified data only), and enforcing our agreements.
  • Legal obligation (GDPR Art. 6(1)(c)): We may process data to comply with applicable law, court orders, or regulatory requirements.
  • Consent (GDPR Art. 6(1)(a)): Where we send marketing communications to visitors who have opted in, we rely on consent, which can be withdrawn at any time.

For payroll data of employees, the legal basis for Parsify's processing is the contractual relationship with the controller (our customer), acting on the controller's instructions under GDPR Art. 28.

4. How We Use Data

Parsify uses personal data strictly for the following purposes:

  • Service delivery: Parsing, extracting, normalizing, and returning structured payroll data from uploaded documents in accordance with customer instructions.
  • Migration support: Facilitating payroll provider migration workflows by comparing source and target payroll runs for customers.
  • Security & integrity: Detecting and preventing unauthorized access, fraud, and abuse of the Service.
  • Support & troubleshooting: Diagnosing errors in extraction jobs and providing technical support to customers.
  • Legal compliance: Responding to lawful requests from government authorities or courts of competent jurisdiction.

We do not sell personal data. We do not use payroll data for advertising, profiling, or any secondary commercial purpose. We do not share personal data with third parties except as described in Section 5 (Sub-Processors) or as required by law.

5. Sub-Processors

Parsify uses the following sub-processors to deliver the Service. All sub-processors are bound by data processing agreements consistent with applicable privacy law:

  • Amazon Web Services (AWS S3): Cloud object storage for uploaded payroll documents and extracted results. Data is stored in encrypted buckets. Location: United States (or EU regions for EU customers — see Section 6).
  • Clerk: Authentication and user identity management for dashboard users. Clerk processes account holder names and email addresses. Location: United States.
  • ML Inference Sidecar: Internal machine-learning microservice responsible for extracting structured data from PDF payroll documents. This service operates within Parsify's infrastructure and does not independently store personal data. Location: Parsify-controlled infrastructure.

We will provide at least 30 days' prior written notice to customers of any addition or replacement of sub-processors via email to the account's registered address and/or an in-app notice. Customers who object to a change may terminate their agreement as described in our Terms of Service.

6. International Data Transfers

Parsify is based in the United States. If you are located in the EEA, United Kingdom, or Switzerland, your personal data may be transferred to and processed in the United States or other countries whose data protection laws may differ from those in your jurisdiction.

We rely on the following transfer mechanisms for international transfers:

  • Standard Contractual Clauses (SCCs): We execute EU Standard Contractual Clauses (as adopted by the European Commission) with our EEA-based customers and, where applicable, with our sub-processors.
  • UK International Data Transfer Agreements (IDTAs): For transfers from the United Kingdom, we rely on the UK IDTA or the UK Addendum to EU SCCs.
  • AWS EU Regions: For customers who require data residency within the European Union, Parsify can configure document storage within AWS EU regions (e.g., eu-west-1, eu-central-1) upon request. Please contact us at legal@parsifyhq.com to discuss data residency requirements.

7. Data Retention

Parsify retains personal data only for as long as necessary to fulfil the purposes described in this policy, subject to the following:

  • Uploaded documents: Stored for the duration of the customer's active subscription plus a configurable retention period (default: 90 days after last access).
  • Extraction results: Retained for the duration of the subscription plus the same configurable period.
  • Account data (customer users): Retained until the account is closed, then deleted within 30 days.
  • Deletion on termination: Upon termination of a customer's account, Parsify will delete all associated payroll documents and extracted data within 90 days, following a 30-day export window during which the customer may retrieve their data.
  • Customer-configurable retention: Customers may configure shorter retention periods or request immediate deletion via the API or by contacting legal@parsifyhq.com.
  • Legal holds: We may retain data longer if required by applicable law, regulation, or a lawful legal hold.

We do not retain payroll documents or extracted data for any purpose beyond those described above. Backups are purged on the same schedule as production data.

8. Security Measures

Parsify implements technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction, including:

  • Encryption at rest: All payroll documents and extracted results are encrypted using AES-256 at rest in AWS S3.
  • Encryption in transit: All data transmitted between clients and Parsify's API is protected using TLS 1.2 or higher.
  • Access controls: Access to personal data is restricted to authorized Parsify personnel on a need-to-know basis. All access is logged and audited.
  • API key security: Programmatic API keys are stored as bcrypt hashes — the plaintext key is shown only once at creation and never stored.
  • Organizational scoping: All data is scoped to the customer's organization; no cross-tenant data access is possible.
  • Infrastructure security: The Service is operated in a hardened cloud environment with network-level isolation, vulnerability scanning, and patching processes.
  • Incident response: Parsify maintains an incident response policy. In the event of a personal data breach, we will notify affected customers within 72 hours of becoming aware, as required by GDPR Art. 33.

No method of transmission or storage is 100% secure. We cannot guarantee absolute security, but we are committed to continuously improving our security posture.

9. Data Subject Rights

If you are an employee whose data has been processed through the Service, your rights under applicable law (including GDPR Arts. 15–22 and applicable state laws) should be exercised primarily through the organization (controller) that submitted your payroll data to Parsify, as Parsify processes that data solely on the controller's instructions.

For individuals whose data Parsify controls directly (such as website visitors and customer account users), you have the following rights, subject to applicable law:

  • Access (Art. 15): Request a copy of the personal data we hold about you.
  • Rectification (Art. 16): Request correction of inaccurate personal data.
  • Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Restriction of processing (Art. 18): Request that we restrict how we process your data in certain circumstances.
  • Data portability (Art. 20): Receive your personal data in a structured, machine-readable format.
  • Objection (Art. 21): Object to processing based on legitimate interests.
  • Withdrawal of consent (Art. 7(3)): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Complaints: You have the right to lodge a complaint with a supervisory authority in your EEA member state.

To exercise these rights, contact us at legal@parsifyhq.com. We will respond within the timeframes required by applicable law (generally 30 days, extendable by an additional 60 days for complex requests).

10. CCPA / CPRA (California Residents)

This section applies to California residents under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

We do not sell personal information. We do not share personal information for cross-context behavioral advertising. As a B2B service, the payroll data we process concerns employees of our customers' clients — it is not submitted or used for consumer-facing purposes.

California residents who are direct users of the Service (e.g., account holders) have the following rights:

  • The right to know what personal information we collect, use, disclose, and sell (we do not sell).
  • The right to delete personal information, subject to certain exceptions.
  • The right to correct inaccurate personal information.
  • The right to opt out of the sale or sharing of personal information (not applicable — we do not sell or share).
  • The right to non-discrimination for exercising these rights.

To submit a CCPA request, contact us at legal@parsifyhq.com. We may need to verify your identity before fulfilling your request.

11. FCRA Disclaimer

Parsify is not a consumer reporting agency as defined by the Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681 et seq. The Service is designed for payroll document extraction and normalization in the context of employer-to-employer HCM migrations. The data Parsify extracts is not intended to be used, and must not be used, as a consumer report or for any FCRA-regulated purpose, including employment screening, credit evaluation, or tenant screening.

12. Cookies & Tracking

Our marketing site (parsifyhq.com) uses minimal cookies:

  • Session cookies: Used to maintain state during your visit (e.g., form submission state). These expire when you close your browser.
  • No advertising or cross-site tracking: We do not use advertising cookies, tracking pixels, or third-party analytics that track you across sites.

The Parsify dashboard application uses session authentication cookies managed by Clerk. These are strictly necessary for authentication and cannot be disabled without preventing login.

We do not use Google Analytics, Meta Pixel, or similar advertising-oriented tracking tools.

13. Children's Data

The Service is a business-to-business platform not directed at individuals under the age of 18, and we do not knowingly collect personal data from minors. If you believe that a child's data has been inadvertently submitted, please contact us immediately at legal@parsifyhq.com and we will take steps to delete it promptly.

14. Contact & DPO Contact

For privacy-related inquiries, requests, or complaints, please contact:

  • Email: legal@parsifyhq.com

If you are in the EEA or UK and require the contact details of our Data Protection Officer (DPO) or EU/UK representative, please contact us at the email above and we will provide those details.

We reserve the right to update this Privacy Policy from time to time. We will notify customers of material changes at least 30 days before they take effect via email to the registered account address and/or an in-app notice. Continued use of the Service after the effective date of a material change constitutes acceptance of the updated policy.


© 2026 Parsify. All rights reserved.