Parasource · Legal
Privacy Policy
Last updated: 2026-06-10
This Privacy Policy explains what personal information Parasource, Inc. (“Parasource,” “we,” “us,” or “our”) collects, why we collect it, how we use and share it, how we keep it secure, and the choices and rights you have over it. The English version of this Policy is authoritative; translations are provided as a convenience.
1. Who this Policy applies to
This Policy applies to: visitors to parasource.ai and related subdomains; staff users of partner organizations (caseworkers, organization administrators, and viewers) who use the Parasource product to manage applicant intake; applicants whose information is submitted to Parasource through a partner organization; and clients of partner organizations who use the optional client portal to track a filed case and ask questions. Where applicants interact with Parasource directly (for example, by completing intake through a magic-link session), this Policy explains what we collect and the rights available to them. The client portal is deliberately data-minimal: it stores an email address and a language preference for each invited client, and does not store the client's name, address, date of birth, phone number, or government identifiers.
2. The categories of information we collect
In the past twelve (12) months we have collected the following categories of personal information, as defined by the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
| CCPA category | Examples | Sources | Disclosed for a business purpose to |
|---|---|---|---|
| Identifiers | Name, email address, phone number, account identifier (Cognito sub), IP address. | Directly from you; from the partner organization that invited you. | Cloud infrastructure providers; email delivery provider. |
| Customer records (Cal. Civ. Code §1798.80(e)) | Account profile, organization affiliation, role, language preference. | Directly from you. | Cloud infrastructure providers. |
| Protected classifications | National origin, marital status, age (where the underlying immigration form requires it). | Directly from you (intake answers). | Stored encrypted at rest; not disclosed to third parties. |
| Internet or other electronic activity | Pages viewed inside the product, in-product chat content with Parasource's AI, time stamps of key actions, browser-supplied headers (User-Agent, language). | Automatically as you use the Service. | Cloud infrastructure providers; AI model provider (in pseudonymized form). |
| Geolocation data (coarse) | Approximate region inferred from IP address. | Automatically as you use the Service. | Cloud infrastructure providers (used for routing and abuse prevention). |
| Sensitive personal information (CPRA §1798.140(ae)) | Government identifiers (Alien Registration Number, Social Security Number where required by the underlying form, USCIS receipt number); date of birth; precise immigration history. Account credentials managed by our identity provider. | Directly from you (intake answers). | Used only for the purpose for which it was collected (preparing your immigration filing) and stored encrypted at rest. Not used to infer characteristics, not sold, and not shared for cross-context behavioral advertising. You may request that we limit our use of sensitive information at any time (see Section 8). |
| Inferences | Eligibility evaluations and red-flag determinations produced by the Parasource AI based on the answers you provide. | Generated internally from intake answers. | Shared with the partner organization that is assisting you. |
We do not collect biometric information, audio/video recordings, precise geolocation, union membership, philosophical or religious beliefs, or genetic data.
3. Why we collect this information (purposes of use)
- Provide the Service. Manage your account, walk you through intake in your preferred language, run eligibility checks, generate filing-ready forms, and surface USCIS case status.
- Detect issues that need attorney review. Run deterministic and AI-assisted checks for situations (e.g., extended travel outside the U.S., criminal history) that may complicate a filing, and surface them to your caseworker.
- Maintain your organization's private knowledge base. For partner organizations on plans that include it, Parasource captures the organization's own work product — caseworker corrections, replies a staff member approved or edited, and case outcomes — into a knowledge base that belongs to that organization. Entries are used only to ground answers for that same organization, are encrypted at rest, are never shared across organizations, and are never used to train shared or third-party models.
- Operate, secure, and improve the Service. Detect fraud and abuse, debug and harden the platform, enforce our Terms of Service, and produce aggregate usage statistics. We do not use your sensitive personal information to develop or improve models.
- Communicate with you. Send transactional messages (email confirmations, deadline reminders, security alerts) and, if you are a partner-organization administrator, occasional service announcements.
- Comply with legal obligations. Respond to lawful requests from courts, regulators, and government authorities; respond to verified privacy-rights requests; and retain records required by law.
Parasource does not sell your personal information, and does not share it for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
4. How information is shared
We share personal information only with the following categories of recipients, and only as needed for the purposes above:
- The partner organization assisting you (if you are an applicant accessing Parasource through a nonprofit, legal-aid organization, or law firm). The organization's caseworkers and administrators see your intake answers, generated forms, and any flags raised during review.
- Service providers we engage to operate the platform: cloud hosting, database, and storage (Amazon Web Services, in the United States); web hosting and delivery (Vercel); DNS and network security (Cloudflare); identity and access management (Amazon Cognito); transactional email delivery (Resend, with Amazon SES as a fallback); large-language-model inference (Anthropic); embedding generation for search (Voyage AI); AI observability (LangSmith, which receives traces only after direct identifiers are redacted); and error monitoring (Sentry, which receives reports only after personal information is scrubbed). Each is contractually obligated to use your information only to provide services to us.
- Legal authorities when we are required by law, court order, or other legal process, or where we have a good-faith basis to do so to protect the rights, property, or safety of any person.
- Successors in connection with a merger, acquisition, financing, or sale of all or part of Parasource. We will notify you (where required) before your information is transferred and becomes subject to a different privacy policy.
5. How long we keep information
We keep personal information only for as long as needed to provide the Service and to meet the legitimate retention periods listed below. After that, we delete or anonymize it.
- Account profile. For the life of your account. Deleted within 30 days of account closure, except where law requires longer retention.
- Chat sessions and AI interactions. Active sessions for the life of the account; soft-deleted sessions are permanently purged after 14 days.
- Intake answers, eligibility results, and generated forms. For the duration of the partner organization's engagement plus the records-retention period applicable to immigration legal services. Partner organizations may direct deletion at any time.
- Audit and security logs. Up to 7 years, redacted to remove direct identifiers where possible. We may retain log data longer where required to investigate suspected fraud or comply with subpoenas.
- AI model traces. Stripped of A-Number, SSN, date of birth, and USCIS receipt number before they reach our tracing provider. Retained for the standard observability window of that provider.
- Organization knowledge base. Knowledge entries derived from a partner organization's own work product are retained for the life of that organization's engagement. When an organization ends its engagement, it receives a full export of its data — including its knowledge base — and we delete the data on a defined offboarding schedule, no later than ninety (90) days after the engagement ends.
6. How we secure information
- HTTPS/TLS in transit; HSTS preload on all production domains.
- Sensitive fields (USCIS receipt number, intake chat content, adaptive follow-up content) encrypted at rest using authenticated symmetric encryption (Fernet/AES) with keys held in AWS Secrets Manager.
- Form PDFs stored with AES-256 server-side encryption; access via short-lived pre-signed URLs only.
- Multi-factor authentication and audit logging for staff access to production systems; least-privilege IAM; rate limiting on all public endpoints.
- Direct identifiers (A-Number, SSN, DOB, receipt number) are redacted before any AI prompt is logged or persisted.
- Annual review of access controls and a documented incident-response process. Eligible privacy or security incidents will be notified in accordance with applicable law.
7. Cookies and similar technologies
Parasource uses a small set of first-party cookies and browser-storage values. We do not use third-party advertising cookies, tracking pixels, or analytics that profile you across other sites. The categories below mirror those in our cookie banner and on the Your Privacy Choices page.
- Strictly necessary — sign-in session, applicant magic-link session, CSRF protection, theme selection. These are required for the Service to function and cannot be turned off.
- Functional — language preference (so you don't have to re-select it on each visit). On by default; you may turn this off without losing access to the Service.
- Analytics — currently none. If we add analytics in the future, we will update this Policy and will not load any analytics script unless your saved consent preference permits it.
- Marketing — currently none. We do not run advertising or remarketing campaigns and have no plans to do so without a Policy update.
Parasource honors the Global Privacy Control (GPC) signal as a valid opt-out request under the CCPA and similar U.S. state laws. If your browser sends GPC, we treat it as your direction to opt out of any sharing for advertising or sale; today, that signal also disables the analytics and marketing cookie categories on the spot.
8. Your privacy rights
Depending on where you live, you have some or all of the rights below. We grant California rights to all U.S. users as a baseline because California's framework is the most comprehensive.
- Right to know / right to access. Request a copy of the personal information we hold about you, including the categories collected, sources, recipients, and business purposes.
- Right to delete. Request deletion of your personal information, subject to legal retention obligations and except where retention is necessary to complete a transaction you initiated, prevent fraud, or comply with a legal obligation.
- Right to correct. Request correction of inaccurate personal information.
- Right to opt out of sale or sharing. Parasource does not sell or share personal information for cross-context behavioral advertising; you nonetheless have the right to direct us not to. Sending a Global Privacy Control signal exercises this right automatically.
- Right to limit use of sensitive personal information. We already use sensitive information only for the purpose for which it was collected (preparing your immigration filing). You may submit a request to confirm this limitation; we will respond accordingly.
- Right to non-discrimination. We will not deny you service, charge a different price, or provide a different level of quality because you exercised a privacy right.
- Right to data portability. Your access export is provided in a portable, machine-readable JSON format.
- Authorized agents. You may use an authorized agent to submit requests on your behalf. We will require the agent to demonstrate written authorization and may require you to verify your identity directly.
How to exercise your rights
Account holders can use the Privacy tab in account settings to download a copy of their data, correct their profile, or delete their account. Anyone (including applicants without a Parasource account, and authorized agents) can submit a request by emailing privacy@parasource.ai or by using the form on Your Privacy Choices.
We will acknowledge your request within ten (10) business days and respond substantively within forty-five (45) days, with one forty-five-day extension where reasonably necessary and where we notify you of the extension. We will verify your identity in a manner proportionate to the sensitivity of the request, typically by sending a code to the email address on file.
If you are a resident of California, you may also designate someone to submit a request on your behalf in writing or through a power of attorney. If we deny your request, you may appeal to privacy@parasource.ai with the word “Appeal” in the subject line; we will respond within sixty (60) days.
9. California Shine the Light (Cal. Civ. Code §1798.83)
California residents may request once per calendar year a list of the categories of personal information disclosed to third parties for those third parties' direct-marketing purposes. Parasource does not disclose personal information for direct-marketing purposes; the answer to a Shine the Light request will therefore be a confirmation of that fact.
10. Other U.S. state privacy laws
Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Montana, New Hampshire, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia have similar rights under their respective state privacy laws (CPA, CTDPA, DPDPA, ICDPA, ICDPA-equivalents, MCDPA, NHPA, NJDPA, OCPA, TIPA, TDPSA, UCPA, VCDPA). The same request channels listed above honor those rights.
11. Children's privacy
The Parasource Service is not directed to children under 16, and we do not knowingly collect personal information from children under 16 without verifiable parental consent. If you believe a child under 16 has provided us with personal information, contact privacy@parasource.ai and we will delete it.
12. International data transfers
Parasource is operated from the United States and stores data in AWS facilities in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States.
13. AI and automated processing
Parasource uses an AI assistant to help you complete intake. The AI does not make legally significant decisions about you; eligibility signals and red flags surfaced by the AI are reviewed by a human caseworker (or, where you are using Parasource without a partner organization, surfaced to you for action). You may opt out of AI-assisted intake by contacting your caseworker and requesting a manual workflow.
Where a partner organization enables question-and-answer in the client portal, the AI may answer general informational questions automatically, with citations to official sources. Anything individualized to your case — anything that could amount to legal advice — is not answered automatically: it is routed to the organization's review queue and is only sent to you after a member of the organization's staff approves or edits it. Replies that staff approve or edit may be saved to that organization's private knowledge base (see Section 3). Parasource provides general legal information only and never provides legal advice.
14. Changes to this Policy
We will post any changes to this Policy on this page and update the “Last updated” date at the top. If the changes are material we will provide additional notice (for example, an in-product banner or email to account holders) before the changes take effect.
15. Contact us
Parasource, Inc.
Email: privacy@parasource.ai
Postal mail: contact us at the email above to be provided with a current correspondence address.
For California residents, this email address is the designated method to exercise privacy rights under Cal. Civ. Code §1798.130.