Last updated: March 2026
Privacy Policy
1. Introduction
N MARKETING SAS, trading as ParseField, a French société par actions simplifiée registered at 10 rue de Penthièvre, 75008 Paris, France (SIRET: 890 496 565 00015) ("we", "us", "our", or "ParseField") operates parsefield.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our Service.
As a company established in the European Union, we are directly subject to Regulation (EU) 2016/679 (the General Data Protection Regulation, or "GDPR"). We process personal data in accordance with the GDPR and applicable French data protection legislation, including the Loi Informatique et Libertés (Law No. 78-17 of 6 January 1978, as amended).
By using ParseField, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our data practices, please do not use the Service.
2. Data Controller
For the purposes of the GDPR, the data controller for personal data collected through the Service (such as account information and usage data) is:
N MARKETING SAS
10 rue de Penthièvre, 75008 Paris, France
SIRET: 890 496 565 00015
Email: privacy@parsefield.com
When you upload documents containing personal data of third parties (such as client financial records), you act as the data controller for that personal data and we act as a data processor on your behalf. The terms of that processing relationship are set out in our Data Processing Agreement.
3. Information We Collect
Account Information: When you register, we collect your email address, name, and password (stored in hashed form only). If you sign in via Google OAuth, we receive your name, email address, and profile photo from Google. If you sign in via Microsoft OAuth (Azure Active Directory), we receive your name, email address, and account identifier from Microsoft.
Documents You Upload: PDF files you submit for extraction are stored for a user-configured retention period of either 3 or 7 days from the date of upload. You may extend this period up to two times; the maximum retention for any uploaded document is 21 days (7-day base period plus two extensions). After the retention period expires, the original PDF is permanently and irrecoverably deleted -- there is no soft-delete or recovery mechanism. Extracted data (structured fields and text) is retained in your account until you choose to delete it or your account is terminated.
Usage Data: We collect information about how you use the Service, including pages processed, document types, feature usage, and error logs, to improve the Service and monitor system performance.
Activity Log (Audit Trail): For accounts on paid plans, we record an audit trail of actions taken within your organization. This includes: the action type (such as document upload, extraction export, document deletion, field correction, or team member change), the identifier of the affected resource, relevant metadata (such as a document filename or the before/after values of an edited field), and a timestamp. This data is associated with your user account and organization. It is used solely to provide the audit trail feature to your organization and is not used for any other purpose. If your user account is deleted, your user identifier in audit records is removed (set to null) but the action records themselves remain for your organization's compliance purposes until the organization is deleted, at which point all audit records for the organization are permanently deleted.
Correction Data: When you edit an extracted field in the review interface, we record that correction. While the correction is linked to your account, the information we store includes: the field type (such as “amount” or “date”), the document type, the original confidence score at extraction time, whether the source document was digital or scanned, and a timestamp. We also temporarily store the original extracted value and your corrected value. If the associated document, user account, or organization is deleted, the original and corrected values are permanently set to null and all identifying references (user, document, and organization identifiers) are removed. What is retained after that process is anonymous statistical data only — field type, document type, confidence score, and timestamp — which does not identify any individual and is used solely to calibrate extraction accuracy over time.
Payment Information: Billing is handled by Stripe. We do not store your full payment card details on our servers. We receive and store subscription status, billing history, and payment method metadata from Stripe.
Communications: If you contact us via our contact form or by email, or subscribe to communications, we retain your email address and message content.
Technical Data: We automatically collect certain technical information, including your IP address, browser type, and device information, through server logs. This data is used for security monitoring and service improvement.
4. Legal Bases for Processing (GDPR Article 6)
We process your personal data on the following legal bases:
- Performance of a contract (Article 6(1)(b)): To provide and maintain the Service, process your documents, manage your account and subscription, and process payments.
- Legitimate interests (Article 6(1)(f)): To improve and secure the Service, detect fraud and abuse, send transactional communications, and analyse anonymised correction signals to calibrate extraction accuracy. For non-EU visitors, website analytics via Google Analytics 4 are operated on this basis. Our legitimate interests do not override your fundamental rights and freedoms.
- Consent (Article 6(1)(a)): For EU/EEA/UK visitors, analytics cookies (Google Analytics 4) and related ad storage are processed only on the basis of your explicit consent via the cookie banner. You may withdraw consent at any time (see Section 12). This basis also applies to optional product update communications.
- Legal obligation (Article 6(1)(c)): To comply with applicable laws, regulations, and legal processes.
5. How We Use Your Information
- To provide, maintain, and improve the Service
- To process your documents and return extraction results to you
- To manage your account, subscription, and billing
- To send transactional emails (account confirmation, password reset, billing receipts, extraction completion notifications)
- To send product updates and tips (only with your consent, with unsubscribe option in every communication)
- To detect and prevent fraud, abuse, and unauthorized access
- To comply with legal obligations
- To enforce our Terms of Service
6. Data Sharing and Sub-processors
We do not sell, rent, or trade your personal data. We share data only with trusted sub-processors necessary to operate the Service:
- Supabase (hosted on AWS us-east-1, North Virginia) -- Database, authentication, and file storage. Your documents and account data are stored and processed in the United States.
- Stripe -- Payment processing (USA)
- Google LLC -- Website analytics (Google Analytics 4) and server-side conversion tracking (Measurement Protocol). Usage data and, where consented, identifiers such as hashed email addresses are transmitted to Google (USA). See Section 12 for details on consent and cookie controls.
- Google Vertex AI (us-central1) -- Document processing and data extraction via large language models (USA)
- Microsoft Azure OpenAI Service -- Document classification and data extraction fallback via large language models (USA)
- Microsoft Azure Active Directory -- Microsoft OAuth authentication (optional sign-in method) (USA)
- Hetzner Online GmbH -- Application hosting and document processing infrastructure (Germany)
- Cloudflare, Inc. -- Content delivery, DDoS protection, and bot verification (Global)
- Resend, Inc. -- Transactional email delivery (extraction completion notifications, billing alerts, organization invites). Only recipient email address and message content are transmitted.
Each sub-processor is bound by contractual obligations to protect your data. Documents transmitted to large language model providers are processed in real time and are not retained by those providers beyond the processing request. For full details on sub-processor obligations, see our Data Processing Agreement.
We may also disclose your information where required by law, regulation, or legal process, or to protect our legal rights, property, or safety.
7. International Data Transfers
N MARKETING SAS is established in France. Your uploaded documents and account data are stored in the United States (Supabase on AWS us-east-1, North Virginia). Document processing infrastructure is hosted in Germany (Hetzner Online GmbH) within the European Economic Area. AI-based extraction is performed in the United States (Google Vertex AI on us-central1; Microsoft Azure OpenAI Service). Website analytics are processed by Google LLC in the United States (Google Analytics 4). Personal data transferred outside the EEA is protected by appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, the EU-U.S. Data Privacy Framework. You may request a copy of the applicable transfer mechanisms by contacting us at privacy@parsefield.com.
8. Data Retention
Uploaded documents: Original PDF files are retained for a user-configured period of 3 or 7 days from the date of upload. You may extend this period up to two times, for a maximum retention of 21 days. After the retention period expires, the original PDF is permanently and irrecoverably deleted with no possibility of recovery. Deletion is automated and cannot be reversed.
Extracted data: Structured fields, transaction records, and text results are kept in your account until you choose to delete them or your account is terminated.
Account data: Retained while your account is active. If you request account deletion, we will delete your personal data within 30 days, except where retention is required by applicable law (including French commercial record-keeping obligations).
Correction calibration data: When a document, user account, or organization is deleted, correction records linked to that document, user, or organization are anonymised: the original and corrected field values are permanently set to null and all identifying references are removed. The remaining data — field type, document type, confidence score, and timestamp — contains no personal data and is retained indefinitely for extraction accuracy calibration. It is not subject to the deletion schedules described above and is outside the scope of the right to erasure under Article 17 of the GDPR, as it does not relate to an identifiable individual.
Audit trail (activity log) data: Audit trail records for paid-plan accounts are retained for the duration of your organization's active subscription. If your user account is deleted, your user identifier in existing audit records is removed (set to null); the action records themselves persist under the organization until the organization is deleted. Upon organization deletion or account termination, all audit trail records for that organization are permanently deleted.
9. Security
We implement appropriate technical and organizational measures to protect your personal data, including: TLS 1.2+ encryption for all data in transit; AES-256 encryption for data at rest; row-level security policies in our database enforcing per-organization data isolation; security headers (Content Security Policy, HSTS, X-Frame-Options); automated PDF deletion at the end of each retention period; and access controls limiting personnel access to personal data. No method of transmission over the Internet or electronic storage is 100% secure; while we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
10. Your Rights Under the GDPR
As a data subject, you have the following rights under the GDPR:
- Right of access (Article 15): Obtain confirmation of whether we process your personal data and request a copy of that data.
- Right to rectification (Article 16): Request correction of inaccurate personal data.
- Right to erasure (Article 17): Request deletion of your personal data, subject to legal retention obligations. Anonymised correction calibration data — from which all identifiers and field values have been permanently removed — does not constitute personal data and falls outside the scope of this right.
- Right to restriction of processing (Article 18): Request that we restrict the processing of your personal data in certain circumstances.
- Right to data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent (Article 7(3)): Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@parsefield.com. We will respond within one month of receiving your request, as required by the GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
11. Supervisory Authority
Our lead supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL), the French data protection authority:
CNIL
3 Place de Fontenoy, TSA 80715
75334 Paris Cedex 07, France
Website: www.cnil.fr
If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with the CNIL or with the supervisory authority in your Member State of habitual residence, place of work, or place of the alleged infringement.
12. Cookies and Analytics
We use a small number of cookies and browser storage items for authentication, analytics, and attribution purposes. The table below describes each category.
Strictly necessary cookies
These cookies are required for the Service to function and cannot be declined:
- Supabase Auth session cookies -- Set by Supabase Auth to maintain your authenticated session. Expire when the session ends or when you sign out. Without these cookies the Service cannot verify your identity.
- pf_geo -- Set by our server on your first request. Contains a two-value geo flag (“EU” or “US”) derived from your country code (supplied by Cloudflare). Used solely to determine whether to show the cookie consent banner and whether to apply Google Consent Mode v2 defaults. Does not contain your IP address or precise location. Expires after 90 days. This cookie is not transmitted to any third party and is not used for advertising.
- _pf_gclid -- Set when you arrive via a Google Ads click (URL contains a gclid parameter). Stores the Google click ID for server-side conversion attribution only. HttpOnly (not readable by JavaScript). Expires after 90 days. Set only if a gclid parameter is present in the URL.
- _pf_utm_source, _pf_utm_medium, _pf_utm_campaign -- Set when you arrive via a URL containing UTM campaign parameters. Used for internal traffic-source analysis. HttpOnly. Expire after 90 days. Set only if the corresponding UTM parameter is present in the URL.
Analytics cookies (Google Analytics 4)
We use Google Analytics 4 (GA4), operated by Google LLC (USA), to understand how the Service is used. GA4 sets the following cookies in your browser:
- _ga -- Distinguishes unique visitors. Expires after 2 years.
- _ga_[PROPERTY_ID] -- Persists session state for the GA4 property. Expires after 2 years.
- _gid -- Distinguishes users within a 24-hour window. Expires after 24 hours.
- _gat -- Used to throttle request rates. Expires after 1 minute.
GA4 data is transmitted to Google servers in the United States. Data collected includes page views, navigation patterns, feature interactions, and conversion events (such as account creation and subscription purchases). Where you provide your email address (for example, at sign-up), we transmit a SHA-256 hash of your email address to Google for Enhanced Conversions purposes only; the plaintext email address is never sent to Google. Server-side conversion events (such as subscription purchases) are sent via the GA4 Measurement Protocol from our payment processing infrastructure.
Data collected by GA4 is governed by Google's privacy policy (policies.google.com/privacy). You can opt out of GA4 tracking at any time by using the Google Analytics opt-out browser add-on.
Consent and Consent Mode v2
EU/EEA/UK visitors: If you are located in the European Union, European Economic Area, or United Kingdom, GA4 operates under Google Consent Mode v2. All analytics and advertising storage is denied by default when you first visit the Service. A cookie consent banner is displayed asking for your choice:
- If you accept: analytics_storage, ad_storage, ad_user_data, and ad_personalization are granted, and GA4 cookies are set in your browser. Your choice is saved in your browser's localStorage under the key pf_cookie_consent.
- If you decline: All storage remains denied. GA4 may collect limited, cookieless, aggregated signals (as permitted by Google Consent Mode v2), but no GA4 cookies are set in your browser. Your choice is saved in localStorage under pf_cookie_consent.
Non-EU visitors: GA4 is active immediately, without a consent prompt, in accordance with applicable law. GA4 analytics cookies (_ga, _gid, etc.) are set on your first visit.
You may withdraw consent at any time by clearing your browser cookies and localStorage, or by using your browser's privacy settings to block cookies from google-analytics.com and googletagmanager.com.
Browser storage (not cookies)
pf_cookie_consent -- Stored in your browser's localStorage (not a cookie). Contains your cookie consent choice (“accepted” or “declined”). Persists until you clear your browser storage. Not transmitted to any server.
You can disable all cookies in your browser settings. Disabling strictly necessary cookies (Supabase Auth) will prevent you from using the authenticated Service. Disabling analytics cookies does not affect your ability to use the Service.
13. Children's Privacy
The Service is a professional tool intended for business use and is not directed to children under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately at privacy@parsefield.com and we will promptly delete it.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes via email or prominent in-app notice at least 30 days before the changes take effect. Your continued use of the Service after the effective date of the revised policy constitutes acceptance of the updated terms. We encourage you to periodically review this page.
15. Contact Us
For privacy inquiries or to exercise your data protection rights:
privacy@parsefield.com
N MARKETING SAS, trading as ParseField
10 rue de Penthièvre, 75008 Paris, France
SIRET: 890 496 565 00015