1. Data Controller
The entity acting as Data Controller depends on where you are located:
Parcy, Inc. — users located outside the European Union or EEA
Your Data Controller is:
Legal name | Parcy, Inc. |
Registered address | 981 Mission Street #87, San Francisco, CA 94103, United States |
Contact email | privacy@parcy.co |
Parcy, Inc. is the US-incorporated entity and Data Controller for all personal data of users located outside the EU/EEA — including users in the United States and all other jurisdictions.
Parcy S.r.l. — users located in the European Union or EEA
Your Data Controller is:
Legal name | Parcy S.r.l. |
Registered address | Via Marsala 29 H, 00185 Roma (RM), Italy |
VAT / P.IVA | IT14900481004 |
Contact email | privacy@parcy.co |
Parcy S.r.l. is the EU-established entity and sole Data Controller for all personal data of EU/EEA residents. Your data is stored and processed within the European Union on EU-based infrastructure (see Section 7). Parcy S.r.l. is the primary point of contact for all GDPR rights, supervisory authority inquiries, and data subject requests from EU/EEA residents.
Common framework
Parcy, Inc. and Parcy S.r.l. operate under this shared Privacy Policy and an intragroup data processing agreement ensuring equivalent standards across both entities. Regardless of which entity is your Data Controller, your data is protected under the same technical and organizational measures described in this Policy. Contact privacy@parcy.co for any inquiry — your request will be routed to the correct entity.
2. Scope of This Policy
This Privacy Policy applies to:
Visitors to parcy.co and subdomains
Users of the Parcy platform (app.parcy.co / eu.parcy.app)
Event attendees whose data is processed through the Parcy platform on behalf of our customers
Prospective customers and contacts
This Policy covers both Parcy, Inc. (Data Controller for users outside the EU/EEA) and Parcy S.r.l. (Data Controller for EU/EEA users), as described in Section 1. The applicable entity is determined by the user's location at the time of account creation.
Parcy operates as both a Data Controller (for website visitors and direct customers) and a Data Processor (for personal data of event attendees submitted by our customers). Where Parcy acts as Processor, the customer's privacy policy governs that processing, and Parcy processes data only pursuant to documented instructions under a Data Processing Agreement (DPA).
3. Personal Data We Collect
3.1 Data you provide directly
Account registration: name, email address, phone number, company name, job title
Billing information: name, billing address, VAT number (payment card data is processed by our payment provider and never stored by Parcy)
Event creation and management: event names, descriptions, attendee lists, scheduling data
Support and communications: content of messages, support tickets, feedback
3.2 Data collected automatically
Usage data: pages visited, features used, click patterns, session duration
Technical data: IP address, browser type and version, operating system, device identifiers
Cookies and tracking: see Section 11 (Cookie Policy)
Log data: server logs including timestamps, request paths, error codes
3.3 Attendee data (processed on behalf of customers)
When customers use Parcy to manage events, they may submit personal data about their attendees (names, email addresses, dietary preferences, registration details, etc.). Parcy processes this data strictly as a Data Processor under a Data Processing Agreement (DPA) with the customer, who remains the Data Controller.
For EU/EEA customers: attendee data submitted through Parcy is stored and processed exclusively on EU-based infrastructure (AWS EMEA and Supabase EU regions). No attendee data from EU customers is transferred outside the EEA unless technically necessary and covered by Standard Contractual Clauses (see Section 7).
For non-EU customers: attendee data may be processed in additional jurisdictions as required for service delivery.
4. Legal Bases for Processing (GDPR Art. 6)
We process your personal data on the following legal bases:
Legal Basis | Processing Activities |
Contract (Art. 6(1)(b)) | Providing the Parcy platform, processing your subscription, managing your account |
Legitimate Interest (Art. 6(1)(f)) | Security and fraud prevention, product improvement, analytics, customer support, direct marketing to existing customers |
Consent (Art. 6(1)(a)) | Marketing communications to non-customers, non-essential cookies and tracking |
Legal Obligation (Art. 6(1)(c)) | Tax and accounting records, compliance with applicable laws |
Where we rely on legitimate interests, you have the right to object (see Section 8). Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
5. Purposes of Processing
Providing, maintaining, and improving the Parcy platform
Account management and authentication
Processing payments and managing subscriptions
Sending transactional communications (confirmations, receipts, product updates)
Sending marketing communications where permitted
Providing customer support
Security monitoring and fraud prevention
Compliance with legal obligations (tax, accounting, law enforcement requests)
Aggregated analytics to understand product usage and improve features
6. Data Retention
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law:
Data Category | Retention Period |
Account and user data | Duration of the active subscription, plus 12 months after account closure |
Billing and financial records | 10 years (Italian/EU tax law — D.P.R. 633/1972; US requirements) |
Event and attendee data | As instructed by the customer (Data Controller); deleted upon customer request or account closure |
Website analytics data | 26 months maximum |
Support communications | 3 years from last interaction |
Marketing consent records | Until consent is withdrawn + 1 year |
Security/audit logs | 12 months |
After the applicable retention period, data is securely deleted or anonymized.
7. International Data Transfers
Parcy, Inc. — non-EU/EEA users
For users outside the EU/EEA, data is processed primarily in the United States and may be processed in other jurisdictions as required for service delivery. Parcy, Inc. applies the same technical and organizational security standards regardless of processing location.
Parcy S.r.l. — EU/EEA users
Primary data storage for all EU/EEA accounts resides exclusively within the European Union, hosted on AWS EMEA and Supabase EU infrastructure. Parcy S.r.l. does not transfer EU personal data outside the EEA as a matter of default operation.
Where technical necessity requires transfers to non-EEA subprocessors (WorkOS and Mux, both US-based), Parcy S.r.l. relies on:
European Commission Standard Contractual Clauses (SCCs) — Commission Decision (EU) 2021/914
Supplementary technical measures: encryption in transit (TLS 1.2+) and at rest (AES-256)
Data minimization: only the minimum data necessary is transferred to these vendors
A full list of subprocessors and their locations is provided in Section 9.
8. Your Rights Under GDPR
If you are in the EU/EEA, you have the following rights under the GDPR (Chapter III). If you are outside the EU/EEA, equivalent rights apply under applicable local law.
Right | What it means |
Access (Art. 15) | Request a copy of the personal data we hold about you |
Rectification (Art. 16) | Request correction of inaccurate or incomplete data |
Erasure (Art. 17) | Request deletion of your data ('right to be forgotten'), subject to legal retention obligations |
Data Portability (Art. 20) | Receive your data in a structured, machine-readable format (JSON/CSV) to transfer to another provider |
Restriction (Art. 18) | Request that we limit processing while a dispute is resolved |
Objection (Art. 21) | Object to processing based on legitimate interests or direct marketing at any time |
Withdraw Consent (Art. 7(3)) | Withdraw consent at any time where processing is based on consent, without affecting prior lawful processing |
No Automated Decisions (Art. 22) | Not be subject to decisions based solely on automated processing, including profiling, with legal or significant effects |
How to exercise your rights
Submit requests to: privacy@parcy.co — specify whether you are an EU/EEA user (handled by Parcy S.r.l.) or a non-EU user (handled by Parcy, Inc.). We will respond within 30 days (extendable by 2 months for complex requests, with notice). We may request proof of identity before processing sensitive requests.
Right to lodge a complaint
Parcy, Inc. — US/non-EU users: contact privacy@parcy.co. For California residents, see Section 10.
Parcy S.r.l. — EU/EEA users: you have the right to lodge a complaint with your local supervisory authority. In Italy: Garante per la Protezione dei Dati Personali (garanteprivacy.it). You may also contact the supervisory authority in your country of residence or workplace within the EU/EEA.
9. Subprocessors
Parcy engages the following third-party subprocessors to deliver the platform. All subprocessors operate under written Data Processing Agreements compliant with GDPR Art. 28:
Vendor | Service | Data Processed | Location | Safeguard |
Amazon Web Services (AWS EMEA) | Cloud hosting & infrastructure | Account data, attendee registration, event data | EU | SCCs |
Supabase | Database infrastructure | Account data, attendee data | EU | SCCs |
WorkOS | Authentication & SSO | User identity data | US | SCCs |
MessageBird | Email/SMS communication | Email addresses, phone numbers, messaging metadata | EU | SCCs where applicable |
Mux | Video streaming (RTMP) | Media metadata, limited user identifiers | US | SCCs |
We may update this list as infrastructure evolves. Material changes will be notified to affected customers in advance where required by applicable agreements.
10. California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have the following additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
Right to know what personal information we collect, use, disclose, and sell
Right to delete your personal information
Right to correct inaccurate personal information
Right to opt out of the sale or sharing of personal information
Right to limit use of sensitive personal information
Right to non-discrimination for exercising privacy rights
Parcy does not sell or share personal information as defined under the CCPA/CPRA. All third-party subprocessors qualify as 'Service Providers' or 'Contractors' under California law and are contractually prohibited from using data beyond the services contracted.
To exercise California rights, contact: privacy@parcy.co. We will respond within 45 days (extendable by an additional 45 days with notice).
11. Cookies and Tracking Technologies
We use cookies and similar tracking technologies on parcy.co and the platform. Categories of cookies used:
Category | Legal Basis | Examples & Purpose |
Strictly Necessary | No consent required (legitimate interest / contract) | Session cookies, CSRF tokens, authentication — essential for platform operation |
Analytics & Performance | Consent | Usage analytics, error monitoring — help us understand and improve the platform |
Marketing & Advertising | Consent | Tracking conversions from ads, retargeting (if enabled) |
You can manage cookie preferences at any time via the cookie banner or your browser settings. Withdrawing consent for non-essential cookies does not affect your use of the platform.
Full Cookie Policy: parcy.co/cookies
12. Data Security
Parcy implements appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or destruction, including:
Encryption in transit: TLS 1.2+ for all data transmission
Encryption at rest: AES-256 for stored data
Access controls: role-based access, least-privilege principle, MFA for internal systems
Regular security reviews and penetration testing
Incident response procedures with notification timelines compliant with GDPR Art. 33–34 (72-hour breach notification to supervisory authority)
In the event of a data breach likely to result in high risk to your rights and freedoms, we will notify you without undue delay.
13. Children's Data
The Parcy platform is a B2B service designed for business users. We do not knowingly collect personal data from individuals under the age of 16 (or the applicable age of digital consent in your country). If we become aware that we have inadvertently collected data from a minor, we will delete it promptly. If you believe this has occurred, contact: privacy@parcy.co.
14. Automated Decision-Making and Profiling
Parcy does not use automated decision-making processes that produce legal effects or similarly significant effects on individuals. Analytics and usage data are processed in aggregate to improve the product, not to make individual determinations.
15. Changes to This Policy
We may update this Privacy Policy from time to time. When we do:
Material changes will be notified by email and/or a prominent notice on the platform at least 30 days before taking effect
Minor changes (corrections, clarifications) will be updated with a new effective date
Continued use of the platform after the effective date constitutes acceptance of the updated policy
All previous versions of this policy are available upon request.
16. Contact
For any privacy-related matter, contact us at privacy@parcy.co. Your request will be routed to the correct entity based on your location.
Parcy, Inc. (users outside EU/EEA)
privacy@parcy.co |
Address | 981 Mission Street #87, San Francisco, CA 94103, United States |
Response time | Within 45 days (CCPA) / 30 days (general) |
Parcy S.r.l. (EU/EEA users)
privacy@parcy.co |
Address | Via Marsala 29 H, 00185 Roma (RM), Italy |
Response time | Within 30 days (GDPR Art. 12) |
Parcy, Inc. — parcy.co — privacy@parcy.co