Privacy Policy
How Parry collects, uses, retains, and protects personal data. GDPR-aligned. Written to be linkable for procurement reviews as much as for end users.
Effective May 15, 2026
1. Who we are
Parry AI (“Parry”, “we”) operates the security scanning service available at parryai.dev. We are the controller of personal data described in this policy. Contact: hello@parryai.dev.
2. What we collect
- Account data
GitHub user id, login handle, primary email, avatar URL, and the organizations you administer on GitHub. Provided by GitHub when you sign in.
- Session data
A random, opaque session token stored in the ss_session cookie (the server keeps only a hash of it, so a database read cannot yield a usable session), plus the active-org id stored in the ss_active_org cookie. No personal data is encoded in either cookie.
- Installation + repository metadata
Repository names, default branches, commit SHAs, PR numbers, and webhook payloads for repositories where you install the Parry GitHub App.
- Scan output
Findings (rule id, severity, file path, matched-line snippet, stable fingerprint), software bills of materials, and raw scanner reports. Snippets contain only the lines a scanner flagged — never the full file.
- Billing data
When you upgrade, Stripe processes payment. Parry stores a Stripe customer id, subscription tier, and invoice references. We never see or store card numbers.
- Operational logs
Request paths, response codes, latencies, and error traces. Retained for diagnostics and abuse prevention.
3. Why we use it
- Provide the service
Run scans, render findings, gate pull requests, and enforce role-based access. Lawful basis: contract (Art. 6(1)(b) GDPR).
- Account + security
Authenticate users, prevent abuse, and produce the audit trail of mutations (suppress, accept, billing, role changes). Lawful basis: legitimate interest in operating a secure service (Art. 6(1)(f) GDPR).
- Billing
Process paid subscriptions through Stripe. Lawful basis: contract (Art. 6(1)(b) GDPR).
- AI Review (opt-in only)
Send pull-request diffs to the named AI provider for review when the org owner has explicitly enabled it. Lawful basis: explicit consent (Art. 6(1)(a)). Withdraw any time from the org's billing settings.
- Product communication
Transactional email about scans, billing events, and security advisories. We do not send marketing email today; if we ever do, it will be opt-in.
4. Who we share it with
Parry does not sell personal data. We share data only with the third parties required to run the service, listed below:
- GitHub
Cloning code, posting Check Runs, and leaving PR review comments all happen through the GitHub API under the permissions of your app installation.
- Stripe
Payment processor for paid plans. Stripe is a separate data controller for cardholder data.
- AI provider (only when enabled)
When AI Review is on for an org, the pull-request diff and its surrounding context are sent to the named provider. The provider is shown by name on the consent screen so you can check its current data-handling policy before enabling the feature.
- Infrastructure providers
Hosting, managed Postgres, and Redis run on our cloud provider under standard data-processing terms.
5. How long we keep it
- Scan output
Findings, snippets, SBOMs, and raw reports are retained for the life of the organization. Per-org retention controls (default 90 days, configurable) are on the roadmap and will land before retention becomes a paid feature.
- Cloned source code
Removed from disk within seconds of scan completion. See the Trust page for the full lifecycle.
- Sessions
Session rows expire 30 days after issue. Sign-out invalidates the row immediately.
- Operational logs
Up to 30 days.
- Account deletion
When you delete your account, personal data is removed within 30 days, except where retention is required by law (e.g. billing records for tax purposes).
6. Your rights
Under the GDPR and equivalent laws you have the following rights regarding your personal data. Email hello@parryai.dev to exercise any of them.
- Access — request a copy of personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure — request deletion of your account and associated personal data.
- Restriction — ask us to limit processing while a dispute is resolved.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interest.
- Withdraw consent — turn AI Review off in the org's settings; revoking the GitHub App installation ends Parry's access to your repositories.
- Complain — to your local supervisory authority. We would prefer to hear from you first.
7. Security
All connections to and from Parry are encrypted with TLS. Session tokens are stored only as hashes. Scanners run sandboxed with no network egress by default. The full security boundary is documented on the Trust page.
8. International transfers
Our infrastructure and sub-processors may process data outside the EEA. Where they do, transfers rely on the European Commission's Standard Contractual Clauses or an adequacy decision.
9. Children
Parry is a developer tool intended for use by professionals. We do not knowingly collect data from anyone under 16.
10. Changes to this policy
We may update this policy as the product evolves. Material changes will be announced by email to active org owners and reflected in the effective date above.