Last updated: November 1, 2025
Paragex, Inc. ("Paragex," "we," "our," or "us") is committed to protecting the privacy of the individuals and organizations that use our platform and visit our website. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal data, and describes the rights you have with respect to that data.
This policy applies to personal data processed through our website (paragex.com), our regulatory document parsing and compliance gap analysis platform (the "Service"), and any other interactions you have with us, including sales inquiries, support communications, and marketing correspondence.
Paragex, Inc. is headquartered at 580 California Street, San Francisco, CA 94104, United States. For users in the European Economic Area (EEA), Paragex acts as a data controller with respect to the personal data described in this policy, and as a data processor with respect to any personal data contained in the regulatory documents and compliance materials that customers upload to or process through the Service.
If you have questions about this policy or our data practices, please contact us at info@paragex.com.
We collect different categories of personal data depending on how you interact with Paragex.
Account registration and contact information: When you request a demo, register for a trial, or create a Paragex account, we collect your name, work email address, job title, company name, and phone number (optional). This information is used to provide access to the Service and to communicate with you about your account.
Communications: When you contact us by email, through our website contact form, or through the support channel, we collect the content of your communications together with any personal data you include in those communications.
Payment and billing information: For customers on paid subscription plans, we collect billing contact information (name, company name, billing address). Payment card information is processed by our payment processor and is not stored by Paragex. We retain records of transaction amounts, dates, and plan details for accounting and support purposes.
Survey and feedback responses: We periodically invite users to participate in surveys and user research. Participation is voluntary, and we collect the responses you provide together with any demographic or professional information you choose to share.
Usage and log data: When you access our website or the Service, our servers automatically record information including your IP address, browser type, operating system, referring URL, pages visited, features accessed, and the time and date of your interactions. This information is used for service operation, security monitoring, and analytics.
Cookies and similar technologies: We use cookies and similar tracking technologies on our website and within the Service. Essential cookies are required for the Service to function and are set automatically. Analytics and preference cookies require your consent, which you can provide or withdraw through our cookie consent interface. For full details on our cookie practices, please see our Cookie Policy.
Device and environment information: We collect information about the device and software environment used to access the Service, including screen resolution, time zone, and browser settings, for compatibility and support purposes.
The core function of the Paragex Service involves processing regulatory documents and compliance materials. These materials may contain personal data (for example, references to named regulatory officials, external auditors, or compliance officers in examination reports). Paragex processes this data solely in accordance with customer instructions, as described in Section 8 (Data Processing Under Customer Contracts) below. Customers bear responsibility for ensuring that their use of the Service in connection with personal data contained in compliance materials complies with applicable data protection law.
We use personal data collected through the categories described above for the following purposes:
Service provision: To create and manage your account, provide access to the Service features you are authorized to use, process transactions, and deliver the regulatory document parsing and compliance gap analysis outputs that constitute the Service.
Communications: To respond to your inquiries and support requests, to send transactional notifications (account confirmations, subscription renewals, password resets), and to provide service status updates and security notices that are necessary for account management.
Product improvement: To analyze aggregated and anonymized usage patterns to identify opportunities to improve the accuracy of our document parsing models, the coverage of our regulatory framework library, and the usability of the Service interface. We do not use the content of your regulatory documents to train our models without explicit authorization.
Marketing communications: With your consent (or on the basis of our legitimate interest where permitted by applicable law), to send information about new features, regulatory coverage updates, webinars, and other Paragex news that may be relevant to your work. You can opt out of marketing communications at any time using the unsubscribe link in any marketing email.
Security and fraud prevention: To detect, investigate, and respond to unauthorized access, security incidents, and fraudulent activity on our platform.
Legal compliance: To comply with legal obligations including tax reporting, accounting requirements, and responses to lawful requests from regulatory and law enforcement authorities.
For users in the European Economic Area, we process personal data on the following legal bases under the General Data Protection Regulation (GDPR):
Contract performance (Article 6(1)(b)): Processing necessary to provide the Service in accordance with our Terms of Service, including account management, service delivery, billing, and support.
Legitimate interests (Article 6(1)(f)): Processing for our legitimate interests in operating and improving the Service, preventing fraud, and sending business-to-business marketing communications to existing customers and prospects about products and services relevant to their professional roles, where those interests are not overridden by your data protection rights.
Consent (Article 6(1)(a)): Processing of analytics cookies and certain direct marketing communications, where we have obtained your consent. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable legal and regulatory obligations, including accounting and tax requirements.
Paragex does not sell personal data to third parties. We share personal data only in the circumstances described below.
Service providers and subprocessors: We engage third-party service providers to assist in operating the Service, including cloud infrastructure providers, payment processors, analytics platforms, customer support tools, and email service providers. These providers are authorized to process personal data only in accordance with our instructions and are contractually required to maintain appropriate security standards. A list of current subprocessors is available on request at info@paragex.com.
Regulatory and legal requirements: We may disclose personal data in response to a lawful request from a regulatory authority, court order, or law enforcement agency. Where permitted by law, we will notify affected customers before disclosing their data in response to such requests.
Business transfers: In the event of a merger, acquisition, restructuring, or sale of substantially all of our assets, personal data held by Paragex may be transferred to the acquiring entity. We will notify affected users of any such transfer and provide information about their choices with respect to the transferred data.
With your consent: We share personal data in other circumstances only with your explicit consent.
Paragex is based in the United States. If you access the Service from the EEA, United Kingdom, or Switzerland, your personal data will be transferred to and processed in the United States. The United States does not benefit from an EU adequacy decision that establishes an equivalent level of personal data protection to that provided by EEA law.
We transfer personal data to the US on the basis of the European Commission's Standard Contractual Clauses (SCCs), which provide contractual safeguards for the protection of personal data transferred to countries outside the EEA. A copy of the applicable SCCs is available on request. Where required by applicable law, we conduct transfer impact assessments and implement supplementary technical measures to protect transferred personal data.
Account and contact data: Retained for the duration of your account relationship with Paragex and for a period of up to 3 years following account closure, for the purposes of legal compliance, dispute resolution, and business records. After the retention period, account data is deleted or anonymized.
Regulatory documents and compliance materials: Document uploads and processed outputs are retained for the period specified in your subscription agreement, with a default retention period of 90 days following processing unless you opt for extended retention or export the data through the Service. Paragex does not store the content of regulatory documents beyond the processing window except where extended retention is explicitly requested and configured by the customer.
Usage and log data: Access logs and usage data are retained for 12 months for security and operational purposes and are thereafter deleted or aggregated.
Financial records: Billing and transaction records are retained for 7 years to comply with applicable accounting and tax requirements.
When customers upload regulatory documents and compliance materials to the Service, Paragex processes any personal data contained in those materials as a data processor acting on the customer's instructions. The legal basis for such processing is the customer's instruction, documented in the Data Processing Agreement (DPA) that forms part of our subscription terms.
Our standard DPA includes the provisions required under GDPR Article 28, including obligations on Paragex as processor to: process personal data only on documented instructions from the customer; ensure that persons authorized to process personal data are subject to a confidentiality obligation; implement appropriate technical and organizational security measures; assist the customer in fulfilling obligations to respond to requests from data subjects exercising their rights; and, upon termination of the processing relationship, delete or return personal data to the customer.
Customers who require a DPA as part of their subscription arrangement should contact info@paragex.com to confirm DPA terms before uploading personal data to the Service.
Subject to the conditions and limitations set out in applicable data protection law, you have the following rights with respect to personal data Paragex holds about you:
Right of access: The right to receive a copy of the personal data we hold about you and information about how we use it.
Right to rectification: The right to request correction of inaccurate personal data.
Right to erasure: The right to request deletion of personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent (for consent-based processing), or where the processing is unlawful.
Right to restriction: The right to request that we restrict the processing of your personal data in certain circumstances (for example, while you contest the accuracy of the data).
Right to data portability: The right to receive personal data you have provided to us in a structured, commonly used, machine-readable format and to transmit that data to another controller, where the processing is based on consent or contract.
Right to object: The right to object to processing based on our legitimate interests, including profiling for direct marketing purposes. Where you object to processing for direct marketing purposes, we will cease that processing immediately.
Rights related to automated decision-making: The right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you, unless such processing is necessary for a contract, authorized by law, or based on your explicit consent.
To exercise any of these rights, please contact us at info@paragex.com. We will respond to your request within 30 days. If you are located in the EEA and believe that our processing of your personal data is not compliant with applicable data protection law, you have the right to lodge a complaint with the supervisory authority in your member state of residence.
Paragex implements technical and organizational security measures appropriate to the risks associated with the processing of personal data through the Service. These measures include: encryption of data in transit using TLS 1.3; encryption of data at rest using AES-256; access controls limiting access to personal data to authorized personnel on a need-to-know basis; two-factor authentication requirements for administrative access to production systems; regular security assessments including annual third-party penetration testing; and an information security management program maintained in accordance with ISO 27001 principles.
The Service is hosted on AWS GovCloud infrastructure, which provides the physical and environmental security controls appropriate for financial services applications. Our SOC 2 Type II certification covers the security, availability, and confidentiality trust service criteria and is available to customers under a non-disclosure agreement on request.
In the event of a personal data breach that affects your data, we will notify you without undue delay in accordance with applicable legal requirements. If you believe you have identified a security vulnerability in the Paragex platform or website, please report it to info@paragex.com.
The Paragex Service is a professional platform designed for use by compliance professionals, legal teams, and financial institutions. It is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from individuals under 18. If we become aware that we have inadvertently collected personal data from a minor, we will take steps to delete that data promptly.
We may update this Privacy Policy from time to time to reflect changes in our data processing practices, legal requirements, or service offerings. When we make material changes, we will notify you by email (using the address associated with your account) and by posting a notice on our website at least 30 days before the changes take effect. The date at the top of this policy reflects the date of the most recent revision. Continued use of the Service after the effective date of a revised policy constitutes acceptance of the revised terms.
If you have questions about this Privacy Policy, wish to exercise your data protection rights, or wish to request a copy of our DPA or subprocessor list, please contact us:
Paragex, Inc.
580 California St
San Francisco, CA 94104
United States
Email: info@paragex.com
For users in the EEA, our EU representative for GDPR purposes can be reached through the same email address.