Privacy Policy
Effective Date: March 19, 2026
This Privacy Policy describes how Parolly (“we,” “us,” or “our”), a Software-as-a-Service (SaaS) platform, processes personal data when our clients (“Clients” or “Data Controllers”) use our services to manage customer communications and sales through digital channels, primarily Instagram and Facebook (Meta).
At Parolly, we are committed to protecting the privacy and security of personal data. This policy outlines our practices in compliance with European data protection laws, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive.
1. Introduction
Parolly provides an automated customer communication management platform designed to function as a central system for customer support and sales. Our platform enables businesses to respond to messages, process requests, and convert conversations into orders, combining automation, AI processing, and operational tools for efficient and controlled customer communication.
This Privacy Policy applies to the processing of personal data by Parolly in its capacity as a Data Processor on behalf of its Clients. It also describes how we handle certain data in our capacity as a Data Controller for our own operational purposes, such as billing and service improvement.
2. Definitions
- Personal Data:Any information relating to an identified or identifiable natural person (“data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. In most cases, our Clients are the Data Controllers.
- Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. Parolly acts as a Data Processor for the personal data of end-users communicating with our Clients.
- End-User: An individual who communicates with our Clients via platforms like Instagram or Facebook, whose personal data is processed by Parolly on behalf of our Clients.
- Client Data: Personal data and other information that our Clients provide to us or that we process on their behalf through the Parolly platform.
3. Our Role in Data Processing
In the vast majority of cases, Parolly acts as a Data Processor. Our Clients, who utilize the Parolly platform, are the Data Controllers. This means that:
- Clients (Data Controllers) determine the purposes and means of processing the personal data of their end-users. They are responsible for ensuring that they have a lawful basis for processing such data (e.g., consent, contractual necessity, legitimate interest) and for fulfilling all obligations under applicable data protection laws, including providing privacy notices to their end-users and responding to data subject requests.
- Parolly (Data Processor) processes personal data strictly on behalf of and under the documented instructions of our Clients. We do not use the data processed through our platform for our own commercial purposes, except as necessary to provide, maintain, and improve the Parolly service, and for billing and analytics related to our service provision, as further detailed below. Our obligations as a Data Processor are governed by the Data Processing Agreement (DPA) we enter into with each Client, in accordance with Article 28 of the GDPR.
4. Types of Data Processed
Parolly processes various categories of data, depending on how our platform is used by our Clients. This includes:
- Message Content: The actual content of messages exchanged between end-users and our Clients via integrated platforms (e.g., Instagram, Facebook). This may include text, images, videos, and other media.
- Communication Metadata: Data related to the communication itself, such as the time and date of messages, the communication channel (e.g., Instagram Direct, Facebook Messenger), unique identifiers associated with the conversation or end-user, and AI-derived metadata such as conversation intent classification (e.g., product inquiry, order status, complaint) and risk/sentiment assessment.
- Personal Data Shared by End-Users: Any personal data that end-users voluntarily share within their conversations with our Clients, such as their name, phone number, email address, physical address for delivery, or other contact information.
- Order-Related Data: When our platform facilitates order capture, we process data necessary to fulfill an order, including product details, quantity, delivery address, and contact information, after explicit confirmation from the end-user. When configured by the Client, order confirmation emails may be sent to end-users via email.
- Client-Provided Knowledge Base Data: Information that Clients upload or integrate into Parolly to train the AI and inform responses, such as website content (crawled from Client-provided URLs), PDF documents, spreadsheets, price lists, product catalogs, and business policies. Uploaded files are stored securely in cloud storage. This data is converted into mathematical vector representations (embeddings) for semantic search purposes; these embeddings are one-way transformations and cannot be reversed to recover the original text. This data may contain personal data if included by the Client.
- AI Classification Data: Each incoming message is automatically classified by AI to determine intent category (e.g., product inquiry, complaint, order status) and conversation risk level. This classification data is stored alongside the conversation record.
- Knowledge Gap Data:When the AI cannot find a relevant answer in the Client's knowledge base, the unanswered question is recorded along with its frequency and timestamps. This data is used to help Clients identify gaps in their knowledge base content.
- Language Data: Information related to the language used in communications for multilingual processing and automatic language detection.
- Usage Metrics and Billing Data: Data collected by Parolly for its own operational purposes, such as the number of messages, conversations, and other usage statistics for billing purposes. This may include Client company details and billing information, which are often managed via third-party payment providers.
- System Logs: Technical data generated by the platform for monitoring, security, and troubleshooting purposes, including AI decision logs that record which knowledge sources were used and what tools were invoked during response generation.
5. Purposes and Legal Basis for Processing
5.1. Processing on Behalf of Clients (Parolly as Data Processor)
Parolly processes end-user personal data solely for the purposes defined by our Clients, which typically include:
- Automated Customer Communication: To enable automated responses, manage conversations, and facilitate customer support and sales interactions.
- AI Analysis and Response Generation:To analyze message content using artificial intelligence, classify message intent (e.g., product inquiry, complaint, order status), assess conversation risk and sentiment, and generate relevant responses based on the Client's knowledge base. This processing involves sending message content to third-party AI providers as described in Section 7.
- Semantic Search and Knowledge Retrieval: To convert knowledge base content into vector embeddings and perform similarity-based search to find relevant information for response generation.
- Order Capture and Processing: To identify purchase intent, collect necessary order details, and create structured order records upon end-user confirmation. When configured, to send order confirmation emails to end-users.
- Multilingual Communication: To detect language and facilitate communication in multiple languages.
- Human Escalation and Intervention: To display conversation data to human operators when a conversation is escalated based on configured rules or AI-assessed risk level, ensuring continuity.
- Follow-up Mechanisms: To initiate follow-up communications in accordance with Client instructions and applicable platform rules (e.g., Meta), aiming to keep conversations active and increase conversion.
- Service Improvement for the Client: To provide analytics and insights to the Client regarding their customer interactions, including conversation volumes, resolution rates, response times, revenue metrics, and top product performance.
The legal basis for this processing is determined by our Clients (Data Controllers). Parolly processes this data based on the contractual agreement with the Client and their documented instructions, as required by Article 28 of the GDPR. Clients are responsible for establishing the appropriate legal basis (e.g., consent of the end-user, necessity for the performance of a contract with the end-user, legitimate interests of the Client) for their processing activities.
5.2. Processing for Parolly's Own Operational Purposes (Parolly as Data Controller)
Parolly also processes certain data for its own legitimate operational purposes. In these instances, Parolly acts as a Data Controller.
- Purpose: Billing and Subscription Management.
- Data Processed: Client company details, usage metrics (e.g., number of messages, conversations), and billing information.
- Legal Basis: Performance of a contract with our Client (the Master Subscription Agreement) and legitimate interests (for accurate billing and service provision).
- Purpose: Service Improvement, Analytics, and Security.
- Data Processed: Aggregated and anonymized usage data, system logs, technical metadata, and knowledge gap data (unanswered questions tracked to improve service quality). Where personal data is involved, it is limited to what is strictly necessary.
- Legal Basis: Legitimate interests (to monitor service performance, identify and fix bugs, enhance features, and ensure the security and integrity of our platform).
- Purpose: Compliance with Legal Obligations.
- Data Processed: Any data required to comply with legal obligations (e.g., tax, accounting, regulatory requirements).
- Legal Basis: Compliance with a legal obligation.
6. Data Minimization and Purpose Limitation
Parolly adheres to the principles of data minimization and purpose limitation, as outlined in Article 5(1)(c) and Article 5(1)(b) of the GDPR. We only process personal data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
7. Data Flow, Third-Party Integrations, and Sub-Processors
Parolly integrates with third-party platforms and services to provide its functionality. The following is an exhaustive list of categories of sub-processors and third-party services through which personal data may flow:
- Meta Platforms (Facebook, Instagram):When an end-user sends a message via Instagram or Facebook, the message is transmitted via Meta's official Graph API to Parolly. Our system analyzes the content, generates a response, and sends it back through the same channel. This involves the exchange of message content and user-related data with Meta. Incoming webhook payloads are cryptographically verified using HMAC-SHA256 signature validation to ensure authenticity.
Parolly does not provide electronic communication services and does not operate as a telecommunications provider. All communications are transmitted via third-party platforms (such as Meta), and Parolly acts solely as a processing layer that enables automation and management of such communications. - Google Cloud AI (Gemini):Parolly uses Google's Gemini family of AI models for the following processing activities:
- Response generation: Message content, conversation context, and relevant knowledge base excerpts are sent to Google Gemini 2.5 Flash to generate AI responses.
- Intent classification: Message text and recent conversation history are sent to Google Gemini 2.5 Flash Lite for automatic intent categorization.
- Embedding generation:Knowledge base text chunks are sent to Google's text embedding model to generate vector representations for semantic search. These embeddings are mathematical transformations that cannot be reversed to recover the original text.
- Cloud Database and Storage (Supabase):All structured data (user accounts, conversations, messages, orders, knowledge base content, analytics) is stored in a PostgreSQL database hosted by Supabase. Uploaded files (PDFs, spreadsheets) are stored in Supabase's cloud storage service. Supabase also provides authentication services for Client login via Facebook OAuth.
- Message Queue (Redis/Upstash): Incoming messages and knowledge base synchronization tasks are temporarily queued through a Redis-based message queue for asynchronous processing. Message data (including message text, sender identifiers, and workspace context) passes through this queue transiently and is removed after processing.
- Payment Provider (cPay): For billing and subscription management, Parolly uses cPay as its payment processor. When Clients make payments, their billing information is processed directly by cPay. Parolly does not store sensitive payment card details.
- Email Service (SMTP): When order confirmation emails are enabled, Parolly sends transactional emails to end-users via a configurable SMTP email service. These emails contain order details (items, quantities, prices, total) and customer information (name, order ID). The email service provider processes the recipient email address and email content for delivery purposes only.
- E-Commerce Integrations (Shopify): When a Client connects their Shopify store, Parolly may access product catalog data, create orders, and look up order statuses via the Shopify API. This involves exchanging product information, order details, and customer data with Shopify on behalf of the Client.
Parolly ensures that any third-party service providers or sub-processors are bound by contractual obligations to protect personal data in accordance with GDPR requirements and our instructions.
7.1. Authorized Sub-Processor List
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase Inc. | Database hosting, file storage, authentication | All structured data, uploaded files, auth tokens | Cloud (US/EU depending on project region) |
| Google Cloud (Vertex AI) | AI response generation, intent classification, text embeddings | Message text, conversation context, knowledge base content | Global (Google Cloud regions) |
| Stripe Inc. | Payment processing | Client billing information, subscription data | Global |
| Upstash / Redis Labs | Message queue processing | Transient message and job data | Cloud |
| Configurable SMTP Provider | Transactional email delivery | Recipient email, order details | Depends on Client configuration |
| Shopify Inc. | E-commerce integration | Product data, order data, customer details | Global |
| Meta Platforms Inc. | Messaging platform | Messages, user identifiers, page data | Global |
Clients may request access to the current sub-processor list at any time by contacting us at the address provided in Section 19.
Parolly will notify Clients of any significant changes to sub-processors in accordance with the Data Processing Agreement. Clients will have the opportunity to object to new sub-processors within a reasonable period.
7.2. Use of Meta Platform Data
Parolly accesses Meta Platform Data through the following permissions, each used for a specific and limited purpose:
- pages_show_list: To display and allow Clients to select which Facebook Pages to connect to Parolly.
- pages_messaging: To send and receive messages on behalf of connected Facebook Pages via Messenger.
- pages_manage_metadata: To subscribe connected Pages to webhook events so Parolly receives incoming messages in real time.
- instagram_basic:To retrieve basic information about the Client's connected Instagram Business accounts.
- instagram_manage_messages: To send and receive Instagram Direct Messages on behalf of the Client.
- pages_read_engagement: To read page engagement data necessary for message processing and delivery.
Meta Platform Data received by Parolly is:
- Used solely for the purposes described in this Privacy Policy and as instructed by the Client.
- Not sold to third parties.
- Not used for purposes unrelated to the Client's use of Parolly.
- Not used to build or augment user profiles for advertising or targeting purposes.
- Subject to the data deletion and deauthorization procedures described in Section 9.
When a Facebook user removes or deauthorizes the Parolly app, Meta notifies Parolly via a callback. Parolly will then initiate deletion of all data associated with that user in accordance with Meta's Platform Terms and the procedures described in Section 9.
8. Confidentiality of Communications and Security Measures
Parolly recognizes the critical importance of confidentiality for communications.
Confidentiality:We are committed to ensuring the confidentiality of communications and related traffic data transmitted via our platform, in line with Article 5(1) of the ePrivacy Directive. This provision prohibits unauthorized listening, tapping, storage, or interception of communications. While our platform stores data for analytics, service improvement, and operational needs (such as conversation records or orders), any storage beyond what is “necessary for the sole purpose of conveying a communication” is carefully assessed and performed under the instructions of our Clients.
Security Measures: We implement appropriate technical and organizational measures to safeguard the security of our services and the personal data we process, as required by Article 32 of the GDPR and Article 4(1) of the ePrivacy Directive. These measures include:
- Encryption: Data is encrypted both in transit (TLS/SSL) and at rest (database-level encryption).
- Access Controls: Strict access controls are in place to limit access to personal data only to authorized personnel who require it for their duties. Role-based access (owner, admin, agent) ensures principle of least privilege.
- Webhook Signature Verification: All incoming Meta webhook payloads are verified using HMAC-SHA256 cryptographic signatures to prevent tampering and ensure data authenticity.
- AI Decision Audit Logging: Each AI-generated response is logged with the knowledge sources consulted, tools invoked, and reasoning used, providing a full audit trail for accountability and review.
- Activity Logging: Comprehensive logging of activities within the platform to monitor for unauthorized access or suspicious behavior.
- Backup Systems: Robust backup and disaster recovery procedures to ensure data availability and resilience.
- Regular Security Audits: Periodic security assessments and penetration testing to identify and address vulnerabilities.
- Token Handling: Secure handling and storage of API tokens and other credentials. Meta access tokens are stored encrypted in the database and are never exposed to the client-side application.
In the event of a personal data breach, Parolly will notify affected Clients without undue delay and, where feasible, within 72 hours, in accordance with Article 33 and Article 34 of the GDPR.
9. Data Retention and Deletion
Parolly stores various types of data, including conversations, knowledge base content, orders, and system logs.
- Retention Policies: We retain personal data processed on behalf of our Clients for as long as necessary to provide the services, as instructed by the Client, and in accordance with the terms of our Data Processing Agreement. Clients are responsible for defining their own data retention policies and instructing Parolly accordingly.
- Configurable Retention Periods: Parolly provides Clients with configurable data retention settings, allowing them to set retention periods for messages, conversations, and attachments according to their legal and business requirements.
- Default Retention Periods: Unless otherwise configured by the Client, Parolly applies the following default retention periods:
- Messages and conversations: up to 12–24 months
- Order-related data: up to 5 years (for operational and legal purposes)
- System logs and technical metadata: 30–90 days
- Deletion and Export: Parolly provides mechanisms for Clients to delete or export their data from the platform, enabling them to comply with their own legal obligations and data subject requests, in line with Article 5(1)(e) of the GDPR.
- Meta Platform Data Deletion: When a Facebook user removes the Parolly app from their Facebook account, Meta sends a data deletion callback to Parolly. Upon receiving this callback, Parolly will:
- Verify the authenticity of the request using cryptographic signature validation.
- Identify all data associated with the user.
- Delete all associated data, including conversations, messages, orders, knowledge base content, and account information.
- Provide a confirmation code and status URL to track the deletion progress.
- Complete deletion within a reasonable timeframe.
- Deauthorization: When a user deauthorizes Parolly (removes permissions without requesting full deletion), Parolly will revoke the associated access tokens and deactivate connected channels, preventing further data collection.
- Our Own Data: For data where Parolly acts as a Data Controller (e.g., billing information, usage metrics), we retain this data for as long as necessary to fulfill the purposes for which it was collected, including for legal, accounting, or reporting requirements.
10. International Data Transfers
Parolly may transfer personal data to countries outside the European Economic Area (EEA) if necessary for the provision of our services (e.g., through cloud hosting providers or other sub-processors listed in Section 7.1). In such cases, Parolly ensures that appropriate safeguards are in place to protect the data, in compliance with Chapter V of the GDPR. These safeguards may include:
- Standard Contractual Clauses (SCCs) approved by the European Commission.
- Adequacy decisions by the European Commission for specific countries.
- Binding Corporate Rules (BCRs).
Specifically, data transfers to the United States (where several of our sub-processors are based) are covered by the EU-U.S. Data Privacy Framework where applicable, or by Standard Contractual Clauses.
11. Data Subject Rights
As a Data Processor, Parolly assists its Clients (Data Controllers) in fulfilling their obligations to respond to requests from data subjects exercising their rights under the GDPR (Articles 12-22). These rights include:
- Right to Access: To obtain confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data.
- Right to Rectification: To obtain the rectification of inaccurate personal data concerning them.
- Right to Erasure (“Right to be Forgotten”): To obtain the erasure of personal data concerning them without undue delay under certain conditions.
- Right to Restriction of Processing: To obtain restriction of processing under certain conditions.
- Right to Data Portability: To receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance.
- Right to Object: To object, on grounds relating to their particular situation, at any time to processing of personal data concerning them.
End-users wishing to exercise their data subject rights should direct their requests to the relevant Client (Data Controller) with whom they have communicated. Parolly will cooperate with its Clients to facilitate these requests as per our Data Processing Agreement.
For Facebook and Instagram users who wish to revoke Parolly's access to their data, they may do so directly through their Facebook Settings under “Apps and Websites.” This will trigger Parolly's data deletion process as described in Section 9.
12. Cookies and Tracking Technologies
Parolly's platform (the Client dashboard) uses the following cookies and similar technologies:
- Authentication Cookies (Strictly Necessary): Supabase authentication session cookies that maintain the Client's login state. These are essential for the platform to function and do not require consent.
- OAuth Redirect Cookie (Strictly Necessary): A temporary
oauth_nextcookie used during the Facebook OAuth login flow to redirect the Client to the correct page after authentication. This cookie is cleared immediately after use.
Parolly does not use third-party analytics cookies, advertising trackers, or similar tracking technologies on its platform. Parolly does notplace cookies or tracking technologies on end-users' devices. All end-user interactions occur through Meta's platforms (Instagram, Facebook Messenger), and Parolly does not have direct access to end-user devices.
If Parolly's tracking of usage metrics or analytics involves storing or accessing information on an end-user's device (e.g., through cookies, local storage, or similar identifiers), the end-user's prior consent is generally required, as per Article 5(3) of the ePrivacy Directive. This consent must be informed by clear and comprehensive information about the purposes of such processing.
Exceptions exist for technical storage or access that is strictly necessary for: 1. Carrying out the transmission of a communication over an electronic communications network. 2. Providing an information society service explicitly requested by the subscriber or user.
Unless falling under these narrow exceptions, Parolly ensures that its Clients are aware of their obligation to obtain consent for such tracking technologies if they are deployed through the platform and access end-user devices.
13. Direct Marketing and Follow-up Communications
Parolly's ‘follow-up mechanism,’ which initiates communication when a conversation is unfinished or a client has not responded, may fall under direct marketing.
- Consent Requirement: The use of electronic communication for direct marketing purposes generally requires the prior consent of the subscriber, as stipulated in Article 13(1) of the ePrivacy Directive.
- Soft Opt-in Exception: An exception exists under Article 13(2) if electronic contact details are obtained in the context of a sale of a product or service, allowing their use for direct marketing of similar products or services, provided the customer is given a clear opportunity to object (opt-out) at the time of collection and with each subsequent message.
- Transparency: In any direct marketing communication, the identity of the sender must be clear, and a valid address to which the recipient may send a request to cease such communications must be provided, as per Article 13(4).
Clients using Parolly's follow-up mechanism are responsible for ensuring they comply with these consent and transparency requirements under the ePrivacy Directive and other applicable direct marketing laws.
14. AI-Generated Responses Disclaimer
Parolly utilizes artificial intelligence to analyze communications and generate responses. While our system is designed to operate based on Client-provided knowledge and aims to minimize inaccurate or fabricated information, AI systems are not infallible.
- Limitation of Liability:Parolly does not guarantee the absolute accuracy, completeness, or suitability of AI-generated responses. Clients acknowledge and agree that they are ultimately responsible for the content of communications with their end-users, including those generated by Parolly's AI. Clients should review and, if necessary, override AI-generated content to ensure accuracy and appropriateness.
- Human Escalation: The platform includes a human escalation feature to allow for manual intervention in complex or sensitive situations, further mitigating risks associated with AI responses. Escalation can be triggered automatically based on configured rules or AI-assessed risk levels.
Parolly does not perform automated decision-making that produces legal or similarly significant effects on individuals within the meaning of Article 22 of the GDPR.
15. AI Training and Data Usage
Parolly uses Google's Gemini family of large language models (specifically Google Gemini 2.5 Flash for response generation and Gemini 2.5 Flash Lite for intent classification) to process messages and generate responses. These models are accessed via Google's Cloud AI API.
Parolly does not use Client Data or end-user personal data processed through the platform to train, retrain, or improve general artificial intelligence models, unless explicitly agreed with the Client. Google's Cloud AI API terms similarly prohibit Google from using API input data to train its general models.
All AI processing is performed within the scope of the Client's instance and based solely on Client-provided knowledge and configuration. Knowledge base content is converted into vector embeddings (768-dimensional mathematical representations) using Google's text embedding model. These embeddings enable semantic search but are irreversible — they cannot be decoded back into the original text.
Parolly ensures that Client Data remains isolated and is not used for cross-client learning or shared model training.
16. Order Capture Disclaimer
Parolly's order capture functionality automates the recognition of purchase intent and collection of order details.
- Order Confirmation Responsibility: While Parolly facilitates the collection of necessary data (product, quantity, address, contact information) and seeks explicit confirmation from the end-user, the ultimate responsibility for verifying order details, confirming the order with the end-user, and fulfilling the order lies with the Client.
- Processor, Not Merchant: Parolly acts solely as a processor of order-related data on behalf of the Client and is not a merchant or party to the sales transaction between the Client and the end-user.
- Order Notification Emails: When configured by the Client, Parolly may send transactional order confirmation emails to end-users containing order details (items, quantities, prices, and total). These emails are sent solely for the purpose of order confirmation and do not constitute marketing communications.
17. Transparent and Dispute-Proof Billing Definitions
Parolly tracks usage metrics (e.g., number of messages and conversations) to calculate subscription fees. Our billing definitions are designed to be transparent and clearly communicated to Clients in our Master Subscription Agreement. Any disputes regarding billing will be handled according to the terms outlined in that agreement.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify our Clients of any material changes by posting the updated policy on our website or through other appropriate communication channels. We encourage you to review this Privacy Policy periodically.
19. Contact Information
If you have any questions about this Privacy Policy or our data processing practices, please contact us at:
Parolly
ul. Branislav Nushikj 13/3
admin@artefix.info
+38975497006
For requests related to your personal data as an end-user, please contact the specific Client (Data Controller) with whom you have communicated.
For data deletion requests related to your Facebook or Instagram account, you may remove the Parolly app from your Facebook Settings under “Apps and Websites,” which will automatically trigger our data deletion process.