Privacy Policy

This Privacy Policy describes how Parceled ("we," "us," "Parceled") collects, uses, stores, and shares information when you use the Parceled API and Model Context Protocol (MCP) server at https://parceled.ai and its associated endpoints (the "Service"). Parceled is a developer-facing platform and is distinct from our consumer product Hail Pro, which has a separate Privacy Policy.

1. Information we collect

Account information. When you create a Parceled account, we may collect an email address (optional on anonymous accounts created via POST /api/v1/accounts; required for accounts that make payments or use OAuth) and an optional organization name. For OAuth-authenticated clients, we record the registered client_id, client name, and redirect URIs (RFC 7591 Dynamic Client Registration).

API usage data. We log each API call's timestamp, endpoint, coordinate or identifier queried, requested fields, credit cost, success/failure status, and response time. These logs are tied to your API key and used for billing, usage history, and abuse detection.

Technical data. We collect the IP address and HTTP headers of API requests to enforce rate limits, detect abuse, and serve the correct content (parceled.ai vs. hailpro.dev). IP-based rate-limit counters are stored in short-lived Redis keys.

Payment information. When you purchase credits or enable Pay-As-You-Go billing, payment card information is collected and processed exclusively by Stripe, our PCI-DSS-compliant payment processor. We never see or store your full card number. We retain the Stripe customer ID, payment status, subscription state, and amounts charged. For anonymous accounts that pay, we retain the email address Stripe collects at checkout so your account remains recoverable.

Authentication tokens. API keys are hashed using SHA-256 and the plaintext is never stored on our side. OAuth authorization codes and magic-link tokens are JWE-encrypted and have short lifetimes (5 minutes for authorization codes, 10 minutes for magic links). Replay protection is enforced via Upstash Redis.

2. How we use your information

• Provide, maintain, and improve the Service.
• Authenticate API requests and enforce rate limits, budget caps, and free-tier quotas.
• Process payments, issue invoices, and prevent billing fraud via Stripe.
• Detect, investigate, and respond to abuse, security incidents, and violations of our Terms of Service.
• Send transactional email (magic-link authentication, receipts, security notices). We do not send marketing email to API customers without opt-in.
• Produce aggregated, de-identified usage analytics to improve product performance and reliability.

3. Data the API returns to you

The Service returns US property data that originates from public records, including:

• Parcel boundaries, addresses, APNs, owner names, and owner mailing addresses sourced from county assessor and recorder offices.
• Building and roof permits sourced from jurisdictional permit offices.
• Hail swath data sourced from the U.S. National Weather Service Storm Prediction Center (NWS SPC).

Parceled does not profile individual property owners and does not enrich this data with proprietary PII beyond what is in the public record. Callers of the API are responsible for using returned property-owner information in compliance with any applicable federal, state, and local laws, including jurisdiction-specific restrictions on commercial use of assessor or recorder data.

4. Third-party processors

We share the minimum necessary information with the following sub-processors to operate the Service:

• Stripe (payment processing, customer billing records) · stripe.com/privacy
• Upstash (Redis for rate limiting and OAuth replay protection) · upstash.com/privacy
• Vercel (application hosting) · vercel.com/legal/privacy-policy
• Mapbox (vector tile rendering for the render_map tool) · mapbox.com/legal/privacy
• Amazon Web Services (object storage, infrastructure services) · aws.amazon.com/privacy

We do not sell your personal information to advertisers or third parties, and we do not share it for advertising purposes.

5. Data retention

• Account records: retained while your account is active. Deleted within 30 days of written request at hello@parceled.ai, subject to overriding legal or billing-reconciliation obligations.
• API usage logs: retained for 12 months for billing and audit purposes, then aggregated and de-identified.
• API keys: hashed at rest; active keys retained until revoked. Hashes of revoked keys kept for 30 days for incident response, then purged.
• OAuth codes and magic links: 5 minutes (authorization codes) and 10 minutes (magic links) TTL. Replay-protection records kept for 5 minutes past expiration.
• Stripe records: retained per Stripe's own retention policy; we retain the Stripe customer ID and subscription state while your account is active.

6. Your rights

Depending on your jurisdiction, you may have the right to access, correct, port, or delete personal information we hold about you, and to object to or restrict certain processing. To exercise any of these rights, email hello@parceled.ai.

A note on property-owner data: records returned by the API originate from public county and municipal sources. Parceled is not the system of record for that data, and requests to correct or remove a property-owner record generally must be directed to the originating county or jurisdiction.

7. Security

• All traffic to and from the Service is TLS-encrypted.
• API keys are hashed with SHA-256 and never stored in plaintext.
• OAuth authorization codes and magic links are JWE-encrypted (A256CBC-HS512).
• Payment card data is handled exclusively by Stripe under PCI-DSS. We never see full card numbers.
• Security-related reports should be sent to security@parceled.ai.

8. International users

The Service is operated from the United States. If you access the Service from outside the U.S., you consent to your information being transferred to and processed in the U.S. The Service is designed for use with U.S. property data and is not tailored to non-U.S. regulatory regimes.

9. Children's privacy

The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If you believe we have, contact hello@parceled.ai.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will update the "Last updated" date at the top of this page and, for material changes, notify active account holders by email.

11. Contact

Questions about this Privacy Policy or about data we hold about you can be directed to hello@parceled.ai.