PAREMY
Privacy Policy
Last Updated: March 24, 2026
1. Controller Identity and Contact
This Privacy Policy describes how Paremy Sp. z o.o. ("Paremy", "we", "us", or "our") collects, uses, and handles personal data when you use our website, platform, and AI-assisted legal tooling services (collectively, the "Services").
Data Controller: Paremy Spółka z ograniczoną odpowiedzialnością
Registered address: ul. Władysława Sikorskiego 34/5, 61-537 Poznań, Poland
KRS: 0001231051
NIP: 7831950179
REGON: 544326743
General contact: contact@paremy.com | www.paremy.com
1.1 Data Protection Officer (DPO)
Paremy has designated a Data Protection Officer. You may contact the DPO for any matter relating to the processing of your personal data or the exercise of your rights under GDPR:
DPO: Jakub Idziak
Email: privacy@paremy.com
Address: ul. Władysława Sikorskiego 34/5, 61-537 Poznań, Poland
YOUR RIGHT TO LODGE A COMPLAINT
You have the right to lodge a complaint with the Polish supervisory authority at any time:
Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa | uodo.gov.pl | kancelaria@uodo.gov.pl
If you are located in another EU/EEA member state, you may also contact your local supervisory authority.
2. Scope and Applicability
This Privacy Policy applies to all personal data processed by Paremy in connection with:
- use of the Paremy web platform and associated applications;
- use of the Paralegal MCP Server and AI agent tooling;
- communications between you and Paremy (email, support, sales);
- processing carried out by Paremy as a data controller on behalf of users of its Services.
The Services are provided exclusively to business customers (B2B). Paremy processes personal data of Authorised Users --- employees, contractors, and agents of law firms and in-house legal teams --- on behalf of the Customer entity. The processing of personal data contained in legal documents uploaded to the Services is governed separately by the Data Processing Agreement (DPA), under which Paremy acts as data processor and Customer acts as data controller.
IMPORTANT: TWO DISTINCT ROLES
This Privacy Policy describes Paremy's processing as DATA CONTROLLER --- covering account data, usage data, billing contacts, and communications with Paremy.
When you upload legal documents, templates, or other Customer Content to the Services, Paremy acts as DATA PROCESSOR on behalf of your organisation (the data controller). Processing of Customer Content is governed by the Data Processing Agreement (DPA), not this Privacy Policy.
If you receive a data subject access request concerning personal data in a legal document you uploaded, that request should be directed to your organisation, not to Paremy.
3. Personal Data We Collect
3.1 Account and Identity Data
When you or your organisation registers for the Services, we collect:
- full name and job title of Authorised Users;
- business email address;
- name, registered address, and VAT number of the Customer entity;
- phone number (optional).
3.2 Usage and Technical Data
We automatically collect technical data when you access the Services:
- IP address, device type, operating system, and browser information;
- pages visited, features used, session duration, and interaction timestamps;
- error logs and performance diagnostics;
- MCP Server API call metadata (not content of legal documents).
3.3 Legal Document Content (Customer Content)
When you use the AI features, you may submit legal documents, templates, and associated data ("Customer Content"). This content may include personal data of your clients or counterparties. Key commitments regarding Customer Content:
PAREMY'S COMMITMENTS ON CUSTOMER CONTENT
We never use Customer Content to train, fine-tune, or improve any AI model.
Customer Content is processed solely to deliver the Services you have requested.
Customer Content is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Customer Content is not shared with any third party except sub-processors listed in Section 8 of this Policy.
Paremy treats all Customer Content as potentially subject to legal professional privilege (tajemnica zawodowa).
3.4 Payment Data
Payment card and billing information is processed exclusively by Stripe, Inc. Paremy does not store payment card numbers. Stripe's privacy policy is available at stripe.com/privacy.
3.5 Communications Data
We retain records of communications you send to us, including support requests, sales correspondence, and feedback. These are used solely to respond to your queries and improve service quality.
3.6 Publicly Available Legal Data
The Services may in the future incorporate access to publicly available legal information, such as court judgments, regulatory decisions, legislative texts, and legal commentary ("Public Legal Data"). Some Public Legal Data may include personal data of natural persons (for example, names of parties in court proceedings).
Where the Services process personal data included in Public Legal Data, such processing is carried out solely to enable the Services to provide accurate and contextually relevant responses. Paremy does not process such data to intentionally identify or profile individuals, and does not link Public Legal Data to Customer Content or account data for any purpose other than direct service delivery.
CURRENT STATUS
As of the effective date of this Privacy Policy, Paremy does not process Public Legal Data as part of its core Services. This section is included to govern such processing if and when it is introduced. Paremy will update this Policy and notify Customers before introducing any Public Legal Data processing.
4. Lawful Basis for Processing
In accordance with Article 13 and Article 6 of GDPR, Paremy processes personal data on the following legal bases:
| Processing purpose | Lawful basis (Art. 6 GDPR) | Notes |
|---|---|---|
| Service delivery & account management | Art. 6(1)(b) --- contract performance | Core B2B SaaS operation |
| Billing & invoicing | Art. 6(1)(b) + Art. 6(1)(c) --- legal obligation | Polish Accounting Act; VAT legislation |
| Security, fraud prevention & abuse detection | Art. 6(1)(f) --- legitimate interests | Overriding interest; not outweighed by data subject rights in B2B context |
| Service analytics & improvement | Art. 6(1)(f) --- legitimate interests | Anonymised where possible; no profiling |
| Legal compliance & regulatory obligations | Art. 6(1)(c) --- legal obligation | GDPR, AML, tax, court orders |
| Direct marketing to existing customers | Art. 6(1)(f) --- legitimate interests | Soft opt-in; easy opt-out; no third-party marketing |
Paremy does not carry out automated decision-making or profiling with legal or similarly significant effects within the meaning of Article 22 GDPR.
DATA TYPES PROCESSED PER PURPOSE
Service delivery --- account & identity data, usage metadata, MCP API call logs.
Billing & invoicing --- account data, billing contact details, invoice records, VAT information.
Security & fraud prevention --- IP addresses, session logs, access records, device information.
Service analytics & improvement --- anonymised and aggregated usage data only; no Customer Content.
Legal & regulatory compliance --- all categories as required by applicable law or court order.
Customer communications --- account email address, name, and stated communication preferences.
5. Purposes of Processing
We use the personal data described in Section 3 for the following purposes:
5.1 Service Delivery
To create and manage your account, provide access to the Services, process transactions, authenticate users, and operate the Paralegal AI agent. Legal basis: Art. 6(1)(b) GDPR.
5.2 Security and Fraud Prevention
To monitor for unauthorised access, detect abuse of the Services, investigate security incidents, and maintain the integrity of the platform. Legal basis: Art. 6(1)(f) GDPR.
5.3 Legal and Regulatory Compliance
To comply with applicable laws including Polish accounting and tax law, GDPR obligations, and any lawful order from a court or competent authority. Legal basis: Art. 6(1)(c) GDPR.
5.4 Service Improvement and Analytics
To analyse aggregated and anonymised usage patterns to improve features and user experience. We do not build individual profiles for this purpose. Legal basis: Art. 6(1)(f) GDPR.
5.5 Customer Communications
To send service-related notifications (e.g., downtime alerts, billing notices) and, where you have not opted out, to inform you of product updates relevant to your use of the Services. Legal basis: Art. 6(1)(b) and Art. 6(1)(f) GDPR. You may opt out of non-essential communications at any time by contacting privacy@paremy.com.
Paremy does not engage in digital advertising or sell personal data to third parties for marketing purposes.
6. Cookies and Tracking Technologies
Paremy uses cookies and similar technologies on its website and platform. The following categories of cookies are used:
- Strictly necessary cookies: Required for authentication, session management, and security. These cannot be disabled.
- Functional cookies: Remember your preferences (e.g., language, display settings). Disabled by default; enabled with your consent.
- Analytics cookies: Aggregate, anonymised usage statistics (e.g., page views). Disabled by default; enabled with your consent.
Paremy does not use advertising cookies or permit third-party advertising networks to place cookies on its Services. You can manage cookie preferences via the cookie banner or your browser settings. Withdrawing consent for non-essential cookies will not affect your ability to use the core Services.
7. Data Retention
We retain personal data only for as long as necessary for the purposes set out in this Policy or as required by applicable law. The following retention periods apply:
| Data category | Retention period | Basis / Notes |
|---|---|---|
| Account & contact data | Duration of contract + 3 years | Legitimate interest; statutory limitation periods |
| Legal document content (Customer Content) | Duration of contract; deleted within 30 days of termination on request | Contractual performance; professional privilege |
| Payment & billing records | 10 years | Art. 74 Polish Accounting Act (ustawa o rachunkowości) |
| Usage & technical logs | 12 months | Security & fraud prevention; legitimate interest |
| AI prompt/output logs (anonymised) | 6 months | Service improvement; no personal data retained after anonymisation |
| Correspondence & support tickets | 3 years from last interaction | Legitimate interest; potential dispute resolution |
On expiry of the applicable retention period, personal data is securely deleted or irreversibly anonymised. If you request earlier deletion, we will action this within 30 days subject to any overriding legal obligation to retain the data.
Please note that even where we delete or anonymise personal data in our active systems, residual copies may temporarily remain in encrypted backup archives or disaster-recovery storage maintained by our infrastructure sub-processors (Supabase, Vercel). Such residual data is isolated from active processing and is overwritten or purged in the normal course of our backup rotation cycle, typically within 30 to 90 days depending on the sub-processor. We do not access or use residual backup data for any operational purpose pending its deletion.
8. Sub-processors and International Transfers
8.1 Sub-processors
Paremy uses the following third-party sub-processors to operate the Services. All sub-processors are bound by data processing agreements and are permitted to process personal data only as instructed by Paremy:
| Sub-processor | Country | Service | Safeguard / Reference |
|---|---|---|---|
| Supabase, Inc. | USA | Database & auth hosting | SCCs (Art. 46(2)(c) GDPR); Supabase DPA |
| Stripe, Inc. | USA | Payment processing | SCCs; Stripe Privacy Shield successor; Stripe DPA |
| Vercel, Inc. | USA | Application hosting & CDN | SCCs; Vercel DPA |
An up-to-date list of sub-processors is available at paremy.com/sub-processors. We will provide at least 14 days' notice of any intended addition or replacement of a sub-processor, giving Customers the opportunity to object.
8.2 International Data Transfers
All sub-processors listed above are incorporated in the United States. Transfers of personal data to these sub-processors are made pursuant to Standard Contractual Clauses (SCCs) adopted under Article 46(2)(c) GDPR, as supplemented by a Transfer Impact Assessment (TIA) confirming an essentially equivalent level of protection.
SCC COMPLIANCE NOTE
Paremy relies on the EU Commission's standard contractual clauses (2021/914) as the primary transfer mechanism for all EEA-to-USA data flows. Copies of executed SCCs are available to Customers on request at privacy@paremy.com.
9. Security
Paremy implements technical and organisational measures appropriate to the risk posed by the processing, including:
- encryption of data in transit (TLS 1.2 minimum) and at rest (AES-256);
- access controls and role-based permissions for all personnel;
- regular security reviews and vulnerability assessments;
- audit logging of access to Customer Content;
- contractual security obligations imposed on all sub-processors.
No method of electronic transmission or storage is 100% secure. In the event of a personal data breach likely to result in a risk to your rights and freedoms, Paremy will notify the relevant supervisory authority (UODO) without undue delay and within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay in accordance with Article 34 GDPR.
10. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights. These rights apply to personal data for which Paremy acts as data controller (i.e., account data, usage data, communications data --- not Customer Content, in respect of which the Customer entity is the controller):
- Right of access (Art. 15 GDPR): Obtain confirmation of whether we process your personal data and receive a copy.
- Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR): Request deletion of your personal data where the processing no longer has a legal basis.
- Right to restriction (Art. 18 GDPR): Request that we restrict processing in certain circumstances.
- Right to data portability (Art. 20 GDPR): Receive your personal data in a structured, machine-readable format and transmit it to another controller.
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
- Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact our DPO at privacy@paremy.com. We will respond within one month. We may need to verify your identity before processing your request. There is no fee for making a request; if a request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse to act.
SUPERVISORY AUTHORITY
You have the right to lodge a complaint with the Polish data protection authority (UODO) at any time, regardless of whether you have first raised the matter with us:
Urząd Ochrony Danych Osobowych | ul. Stawki 2, 00-193 Warszawa | +48 22 531 03 00 | kancelaria@uodo.gov.pl | uodo.gov.pl
11. Minimum Age
The Services are designed exclusively for legal professionals acting on behalf of business entities. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware that we have inadvertently collected personal data from a minor, we will delete it promptly.
12. Third-Party Links and Integrations
The Services may include links to or integrations with third-party websites, applications, and services (for example, Microsoft Copilot, Claude.ai, or document management systems). Paremy is not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party service you connect to the Paremy platform.
13. AI Processing and the EU AI Act
Paremy's Services incorporate large language model (LLM) AI features. In accordance with Article 13 of Regulation (EU) 2024/1689 (EU AI Act) and GDPR transparency requirements, we disclose the following:
- AI model provider: Paremy currently uses Anthropic's Claude API to power AI features. Anthropic does not use Customer Content to train its models; data is processed under Anthropic's data processing terms.
- Human oversight: All AI-generated outputs are presented as suggestions only. Authorised Users are responsible for reviewing, verifying, and approving all outputs before use in any legal context.
- No high-risk classification: Paremy's current AI use cases (document drafting assistance, template population) do not fall within the high-risk categories enumerated in Annex III of the EU AI Act as assessed at the date of this Policy. This assessment will be reviewed as the EU AI Act implementation timeline progresses.
- No automated decisions: Paremy does not make automated decisions with legal or similarly significant effects on individuals within the meaning of Article 22 GDPR.
- No AI training on Customer Content: Paremy does not and will not use Customer Content to train, fine-tune, or evaluate any AI model.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our processing activities, applicable law, or best practices. The date at the top of this Policy indicates when it was last updated.
If a change materially reduces your rights or significantly alters how we process your personal data, we will notify you by email to the address associated with your account or by prominent notice within the Services, with a minimum of 30 days' prior notice. Continued use of the Services after the effective date of the revised Policy constitutes acceptance of the changes.
15. Contact
For any questions about this Privacy Policy or to exercise your data subject rights, please contact:
Data Protection Officer: Jakub Idziak
Email: privacy@paremy.com
Post: Paremy Sp. z o.o., ul. Władysława Sikorskiego 34/5, 61-537 Poznań, Poland
We will acknowledge receipt of your request within 5 business days and provide a substantive response within one calendar month. In complex cases we may extend this period by a further two months; we will inform you of any such extension within the initial one-month period.