Privacy Policy
Last updated: March 11, 2026
ParaSarah ("we," "us," or "our") is committed to protecting the privacy of our users and the parties they interact with through our platform. This Privacy Policy describes how we collect, use, store, and share information when you use the ParaSarah platform, website, and services (the "Service").
1. Information We Collect
1.1 Account Information
When you sign up for ParaSarah using Google OAuth, we receive and store:
- Your name and email address (from your Google account)
- Your Google profile picture URL
- Your Google account identifier
We do not receive or store your Google account password. Authentication is handled entirely through Google's OAuth 2.0 protocol.
1.2 Firm and Practice Data
You provide the following information when configuring your firm on ParaSarah:
- Firm name, office addresses, and phone numbers
- Team member names, emails, roles, and office assignments
- Your phone number (for the inbound attorney assistant and morning summary SMS)
- Billing rate (used only for ROI calculations displayed to you)
1.3 File and Party Data
For each file you manage through ParaSarah, we store:
- File name, type, status, property address, and closing date
- Party names, phone numbers, email addresses, roles, and contact preferences
- Checklist items (document names, responsible parties, statuses, due dates)
- Status notes (freeform text you enter describing the current state of a file)
- Commitments extracted from calls (what a party promised, when, and delivery status)
ParaSarah does not store legal documents. We only store references to documents that are needed (e.g., "HO-3 insurance certificate from Maria Rodriguez — pending"). The actual documents are managed through your existing case management system.
1.4 Call Data
When ParaSarah places or receives calls on your behalf, the following data is generated and stored:
- Call metadata: date, time, duration, phone numbers, direction (inbound/outbound), and call type
- Call transcripts: full text transcriptions of each call, generated by our voice AI platform
- Call recordings: audio recordings of calls, stored by our voice AI provider (VAPI.AI)
- Call summaries: AI-generated summaries of each call's outcome
- Extracted data: commitments, scheduling responses, escalation triggers, and other structured information extracted from call content
1.5 SMS Data
When ParaSarah sends or receives text messages on your behalf:
- Outbound SMS content (follow-up summaries, reminders, responses to inbound texts)
- Inbound SMS content (messages received from parties via the firm's phone number)
- SMS metadata: phone numbers, timestamps, delivery status
1.6 Usage and Technical Data
We automatically collect:
- IP addresses and browser/device information when you access the web dashboard
- Pages visited, features used, and actions taken within the platform
- Error logs and performance data to maintain and improve the Service
1.7 Payment Data
Payment processing is handled entirely by Stripe. We do not store your credit card numbers or full payment details. We receive from Stripe: your subscription status, plan type, billing history, and a customer identifier used to manage your subscription.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Place and receive calls, send SMS messages, generate transcripts, extract commitments, and display file information on your dashboard
- Personalize calls: Configure the AI voice agent with your firm name, attorney names, paralegal names, office addresses, and file-specific context so calls sound like they come from your staff
- Automate workflows: Schedule daily document chase calls, weekly status updates, pre-closing reminders, and follow-up retries based on your file data
- Calculate and display ROI: Show you call counts, minutes used, estimated time saved, and estimated revenue recovered
- Process payments: Manage your subscription, track minute usage, and bill for overages
- Improve the Service: Analyze aggregate usage patterns (not individual call content) to improve call quality, voice AI performance, and platform features
- Communicate with you: Send morning summaries, usage alerts, product updates, and respond to support requests
- Ensure security: Detect and prevent fraud, abuse, and unauthorized access
3. Third-Party Services
ParaSarah integrates with the following third-party services. Each has its own privacy policy governing the data it processes:
3.1 VAPI.AI (Voice AI Platform)
VAPI.AI provides the voice AI infrastructure that powers ParaSarah's calls. When a call is placed or received, VAPI processes:
- The phone number being called or calling
- The AI system prompt (containing file context, firm details, and call instructions)
- Call audio for real-time speech-to-text and text-to-speech processing
- Call recordings and transcripts
VAPI's telephony is powered by Twilio. Call audio is processed using AI models (including OpenAI's GPT-4o for conversation and Deepgram for speech recognition) as subprocessors of VAPI.
3.2 Stripe (Payment Processing)
Stripe processes all payment transactions. When you subscribe to a paid plan, Stripe collects your payment method information, processes charges, and manages your subscription. We do not have access to your full payment card details.
3.3 Google (Authentication)
We use Google OAuth 2.0 for user authentication. When you sign in with Google, Google shares your basic profile information (name, email, profile picture) with ParaSarah. We do not access your Google Drive, Gmail, contacts, or any other Google services beyond what is needed for authentication.
3.4 Google Calendar (Optional Integration)
If you enable Google Calendar integration, ParaSarah can read and write closing dates to your calendar. This integration is optional and requires explicit authorization. You can revoke access at any time through your Google account settings.
4. Data Sharing
We do not sell your personal information or your clients' information. We share data only in the following circumstances:
- With third-party service providers listed above, solely to provide the Service
- With your firm's authorized team members who have accounts on your ParaSarah instance
- To comply with legal obligations such as a valid subpoena, court order, or regulatory request
- To protect rights and safety if we believe disclosure is necessary to prevent harm, investigate fraud, or enforce our Terms of Service
- In connection with a business transfer such as a merger, acquisition, or sale of assets, with notice to affected users
5. Data Retention
- Account and firm data: Retained for the life of your account plus 30 days after cancellation
- File and party data: Retained for the life of your account plus 30 days after cancellation
- Call recordings: Retained by VAPI.AI according to their data retention policy. References to recordings are retained in our system for the life of your account
- Call transcripts and metadata: Retained for the life of your account plus 30 days after cancellation
- Request logs: 30 days
- Error logs: 90 days
- Server metrics: 7 days
- API call logs: 90 days
After the retention period, data is permanently deleted from our systems. You may request earlier deletion of your data by contacting us at privacy@parasarah.com.
6. Data Security
We implement appropriate technical and organizational measures to protect your data:
- All data in transit is encrypted using HTTPS/TLS
- Authentication uses Google OAuth with signed session cookies that carry the HttpOnly and Secure attributes
- Database access is restricted to the application server
- Administrative access is limited to authorized personnel via email allowlist
- The AI agent never shares client details without identity verification
- Wire transfer instructions are never communicated via the platform (hardcoded security rule)
- Server infrastructure is maintained with regular security updates
While we strive to protect your data, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us immediately at security@parasarah.com.
7. Your Rights
7.1 All Users
Regardless of your location, you have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (subject to legal retention requirements)
- Export your file data in a machine-readable format
- Withdraw consent for optional data processing (such as Google Calendar integration)
7.2 California Residents (CCPA)
If you are a California resident, you additionally have the right to:
- Know what personal information we collect and how it is used
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell personal information)
- Not be discriminated against for exercising your privacy rights
7.3 European Residents (GDPR)
If you are a resident of the European Economic Area, you additionally have the right to:
- Access your personal data and receive a copy in a portable format
- Rectify inaccurate personal data
- Request erasure of your personal data ("right to be forgotten")
- Restrict or object to processing of your personal data
- Lodge a complaint with your local data protection authority
Our legal basis for processing personal data is: (a) performance of our contract with you (providing the Service); (b) our legitimate interest in operating and improving the Service; and (c) your consent, where applicable.
8. Call Recording and Consent
All automated calls placed by ParaSarah begin with a recording consent disclosure. Georgia is a one-party consent state, but as a best practice, we announce recording at the start of every call. This disclosure is configurable per firm but is enabled by default. Parties who do not wish to be recorded can end the call, and the firm is notified.
9. SMS Communications and Opt-Out
Every outbound SMS message sent by ParaSarah includes instructions for opting out ("Reply STOP to opt out"). Opt-out requests are processed immediately and logged. Once a party opts out, they will not receive further automated text messages through ParaSarah. Opt-outs do not affect voice calls unless the party also requests to be removed from call automation.
10. Children's Privacy
ParaSarah is a business-to-business service designed for law firms and legal professionals. We do not knowingly collect personal information from children under the age of 13. If we become aware that we have collected such information, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the account owner at least 30 days before taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your privacy rights, contact us at:
ParaSarah — Privacy
Email: privacy@parasarah.com
General: support@parasarah.com
Web: parasarah.com