Last updated: 12 May 2026

Truvis privacy notice

1. Who We Are
This privacy notice explains how Parrot Systems Ltd collects, uses, and protects personal data when you use Truvis, our AML risk scanning and SAR filing tool, available at getparrot.io/truvis.
Parrot Systems Ltd is the data controller for the purposes of UK GDPR and the Data Protection Act 2018.
If you have any questions about this notice or how we handle your data, contact us at: hello@getparrot.io

2. What Data We Collect
Truvis collects and processes the following categories of personal data:
AML Scan (Standard - £10):
- The name or entity name you enter for screening
- Your email address (collected by Stripe at payment and used to deliver your access token)
- Payment information (processed directly by Stripe - we do not store card details)

AML + SAR Report (Premium - £15):
- All of the above
- Identity documents you upload (e.g. passport scans) - special category biometric data under UK GDPR Article 9
- Financial documents you upload (e.g. bank statements)

3. How We Use Your Data
We process your data for the following purposes:
- To perform AML risk screening against publicly available OSINT sources
- To generate a Suspicious Activity Report (SAR) narrative based on submitted information and documents
- To process your payment and deliver your access token via email
- To manage your access credits and prevent misuse of the service

4. Legal Basis for Processing
We rely on the following lawful bases under UK GDPR:
- Contract (Article 6(1)(b)): Processing your name, email, and payment information is necessary to provide the service you have purchased.
- Legitimate interests (Article 6(1)(f)): Running OSINT queries against publicly available information to generate risk assessments is necessary for the functioning of the tool.
- For special category data (passports, biometric data) under Article 9: We rely on explicit consent given when you voluntarily upload documents to the SAR tool. You are not required to upload documents - the SAR tool functions without them.

5. How Your Data Flows Through Truvis
When you use Truvis, your data passes through the following systems:
- Your browser: Documents and names are submitted directly from your browser.
- Cloudflare Workers (our serverless backend): Receives your request, validates your token, manages rate limits, and forwards data to Anthropic. Cloudflare does not retain your document content.
- Anthropic API: Processes your submitted name and any uploaded documents to perform OSINT searches and generate the compliance narrative. Anthropic retains API input and output logs for up to 30 days before automatic deletion. Anthropic does not use commercial API data for model training.
- Cloudflare KV (key-value store): Stores only your access token, credit balance, and email address. No scan results or document content are stored here.
- Resend: Sends your access token to the email address provided at payment. No document content is transmitted via Resend.
- Stripe: Processes your payment and provides your email to us for token delivery. Stripe's own privacy policy governs their data handling.

6. Data Retention
Truvis is designed to minimise data retention:
- Scan results and SAR outputs: Not stored by Parrot Systems Ltd. You must save your results yourself.
- Uploaded documents (passports, bank statements): Not stored by Parrot Systems Ltd. Transmitted transiently to Anthropic's API and not retained on our systems.
- Anthropic API logs: Retained by Anthropic for up to 30 days before automatic deletion. We have requested a reduction in this retention period.
- Access tokens and email addresses: Stored in Cloudflare KV for as long as your account remains active. Contact us to request deletion.
- SAR records (reference numbers only): Retained in Cloudflare KV for 90 days for audit trail purposes, in accordance with MLR 2017 obligations.

7. Third-Party Data Processors
We use the following data processors, each subject to appropriate data processing agreements:
- Anthropic (USA): AI model and web search processing. Data processed under Anthropic's commercial API terms. API logs retained for up to 30 days.
- Cloudflare (USA/EU): Serverless infrastructure and token storage. Subject to Cloudflare's Data Processing Addendum.
- Stripe (USA/EU): Payment processing. Subject to Stripe's Data Processing Agreement.
- Resend (USA): Transactional email delivery. Processes your email address only.
Data may be transferred outside the UK/EEA to the United States. These transfers are made under standard contractual clauses or equivalent adequacy mechanisms.

8. Your Rights
Under UK GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to erasure: Request deletion of your personal data, subject to legal obligations.
- Right to rectification: Request correction of inaccurate data.
- Right to restrict processing: Request that we limit how we use your data.
- Right to object: Object to processing based on legitimate interests.
- Right to data portability: Receive your data in a portable format where applicable.
To exercise any of these rights, contact us at hello@getparrot.io. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

9. Compliance Disclaimer
Truvis is a decision-support tool designed to assist qualified compliance analysts. It does not make compliance decisions, file SARs on your behalf, or constitute regulated advice. All outputs require human review before any action is taken. Truvis is designed to support FCA SAR reporting under the Money Laundering Regulations 2017. Human review is mandatory before filing any report with the National Crime Agency.

10. Changes to This Notice
We may update this privacy notice from time to time. The current version will always be available at getparrot.io/truvis. Material changes will be communicated to active users by email.

© Copyright 2026 Parrot Systems Ltd - All Rights Reserved