Privacy Policy
Last updated: June 25, 2026
This Privacy Policy explains what personal data Parsaa collects, why, who we share it with, how long we keep it, and the choices you have. We aim to describe what the product actually does, not an idealized version of it.
Who we are
- Controller: VINICIUS FRANCA NUNES SILVA DESENVOLVIMENTO DE SISTEMAS LTDA ("Parsaa", "we", "us")
- CNPJ: 43.633.994/0001-96
- Privacy contact: hello@parsaa.app
- Data Protection Officer (DPO): Vinicius França, reachable at hello@parsaa.app
We collect only the data we need to run the Services, and we do not sell personal data.
This policy covers the Parsaa macOS app, the website at parsaa.app, and the Parsaa API that powers them (together, the "Services").
1. Data we collect
Account and billing
- Name and email address.
- Password, stored only as a salted hash using strong industry-standard hashing. We never see your plain password.
- Sign-in with Google (and other providers, if enabled): the provider account ID, email, and basic profile returned during sign-in.
- Subscription and billing data held by our payment processor: your customer and subscription IDs, plan, and billing period. Card numbers and CVV are handled by our PCI-compliant payment processor and are not stored by us.
- Messages you send to support.
Device, security, and usage
- Device details (name, type, OS) and a device fingerprint, used for sessions and abuse prevention.
- IP address at registration and last login, and session refresh tokens (stored as hashes) with the device and IP that issued them.
- Signals used to detect suspicious activity (for example, IP and a risk score).
- Product analytics: which features you use and your plan, collected through our analytics provider. This does not include your code or prompts. You can opt out of app analytics in Settings.
- Operational request metadata: model, provider, token counts, and latency. This metadata does not include the content of your prompts.
Content you submit for AI
To do its job, Parsaa sends the content you ask it to work on to our servers, and from there to a third-party AI model provider. Depending on the feature, this can include your prompts and conversation, the code and files you select or reference, images (for vision), audio (for voice transcription), and code around your cursor (for autocomplete). How long this content is kept depends on your Privacy Mode. See Retention.
What we do not collect
- Keystrokes outside your interactions with Parsaa, screen recordings, your browsing history, or files you do not share with the agent.
- Your own provider API keys when you use Bring Your Own Key (BYOK): those are stored in your macOS Keychain and used to call the provider directly. See How your data flows.
- Chat history and codebase indexes are kept on your Mac, not on our servers (see On-device data).
2. How we use data and our legal basis
Under the LGPD (Brazil) and GDPR (EU), we rely on these bases:
- To provide the Services (contract): run your AI requests, autocomplete, embeddings and search, authenticate you, process payments, and deliver support.
- Security and fraud prevention (legitimate interest and legal obligation): protect accounts, enforce limits, and investigate abuse.
- Improving the product (legitimate interest, and consent where applicable): understand usage and fix bugs. Where this involves the content of your requests, it only applies in Training Mode, which is a setting you can turn off (see Retention).
- Communications (contract / consent): service and security notices, and marketing only if you opt in.
- Legal compliance (legal obligation): tax, accounting, and lawful requests.
3. How your data flows
- Parsaa-hosted models: your request goes over TLS to our servers, which forward it to a third-party AI model provider. The response streams back to the app.
- Bring Your Own Key (BYOK): requests using your own key go directly from the app to your chosen provider and do not pass through Parsaa servers.
- On-device models: when enabled, inference runs locally on your Mac and the content is not sent to us or to a provider.
- Embeddings and search: code chunks are sent to our servers and a third-party provider to generate vectors. The resulting vectors and search indexes are stored on your Mac, not on our servers.
4. Service providers (subprocessors)
We share data with third-party providers only as needed to run the Services, and we do not sell personal data. We engage providers in these categories:
- AI model providers: chat, voice transcription, code autocomplete, embeddings, applying code edits, and search ranking. United States and European Union.
- Cloud infrastructure and hosting: running our API, database, and website. Primarily United States.
- Payment processing: subscriptions and billing. PCI DSS compliant.
- Email delivery: transactional email such as verification, password reset, and receipts.
- Analytics and observability: product analytics and operational logging, without your code or prompts.
- Authentication: third-party sign-in (such as Google), when you choose it.
Where a provider offers it, we use no-training and reduced-retention options. A current list of our subprocessors, with their roles and jurisdictions, is available on request at hello@parsaa.app. If we add or replace a subprocessor in a way that materially affects your data, we will update this policy; you may object by contacting us.
5. Retention
The honest version, because this matters:
- AI content (prompts, code, conversations): retention depends on your Privacy Mode in the app.
- Training Mode (default): we may retain your chat requests and autocomplete to operate and improve Parsaa. Indexing of full codebases is off by default. You can disable each of these.
- Private Mode: your content is used only to produce the response and is not retained beyond processing.
- BYOK: not retained by us, because it never reaches our servers.
- Operational logs: short-lived (around 30 days). Any prompt or error text is sampled and truncated.
- Product analytics: up to about 12 months.
- Account data: kept while your account exists. Deleting your account removes your account data and associated records.
- Session refresh tokens: expire after about 30 days.
- Billing records: kept as long as required by tax and accounting law (commonly five years).
- Security data (IP, device, abuse signals): kept as long as needed for security and legal purposes.
- On-device data (chat history, embeddings): stays on your Mac under your control. We cannot access it. Uninstalling the app does not delete it automatically.
6. International transfers
Parsaa is operated from Brazil, and most providers are in the United States or the European Union. When we transfer data internationally, we rely on the legal mechanisms required by the LGPD and GDPR, such as standard contractual clauses or an adequacy decision, depending on the destination.
7. Your rights
Depending on where you live, you can:
- LGPD (Brazil), Art. 18: confirm whether we process your data; access it; correct it; anonymize, block, or delete unnecessary or non-compliant data; port it to another provider; get information about who we share it with; delete data processed with your consent; withdraw consent; and ask for review of decisions made solely by automated means.
- GDPR (EU/UK): access, rectification, erasure, restriction, portability, and objection.
- CCPA (California): know, access, delete, and opt out. We do not sell personal data.
To exercise these, email hello@parsaa.app, or delete your account from the app or at parsaa.app. We respond within the timeframes set by applicable law (15 days under the LGPD; about 30 days under the GDPR). In Brazil, you may also contact the ANPD (Brazil's National Data Protection Authority).
8. On-device data
Your chat history and codebase indexes live on your Mac, in Parsaa's application-support folder. BYOK keys and session tokens are stored in the macOS Keychain. To remove local data, use the app's data controls in Settings, or quit Parsaa and delete that folder.
9. Security
- TLS for data in transit; passwords hashed with strong industry-standard hashing; BYOK keys encrypted at rest.
- Token-based authentication with hashed, expiring refresh tokens.
- Role-based access controls and rate limiting on sensitive endpoints.
- No system is perfectly secure; we work to protect your data.
Incident notification: if a security incident occurs that may pose a risk or harm to you, we will notify affected users and the ANPD without undue delay, as required by the LGPD (Art. 48) and applicable law.
10. Cookies and analytics
- Website: essential cookies keep you signed in; analytics and session replay load only with your consent.
- App: no browser cookies. Product analytics can be turned off in Settings.
- Session replay: our analytics provider may record a session replay of your interface interactions to help us fix issues. Text inputs are masked, and it is covered by the analytics consent above.
11. Children
Parsaa is for users 18 and older. We do not knowingly collect data from anyone under 18.
12. Changes
We may update this policy. For material changes we will give notice (in-app, by email, or on the website) before they take effect, and we will update the date below.
13. Contact
- Privacy: hello@parsaa.app
- Support: hello@parsaa.app
- Legal: hello@parsaa.app