Privacy Policy
Last updated: March 15, 2026
This Privacy Policy describes how CodiHarbor ("we," "us," or "our") collects, uses, and shares your personal data when you use Parlats ("the Service"), available at parlats.com.
CodiHarbor is a company registered in Croatia. For any privacy-related questions, contact us at [email protected].
1. Data Controller
CodiHarbor is the data controller for your personal data under the EU General Data Protection Regulation (GDPR).
Supervisory authority: Agencija za zaštitu osobnih podataka (AZOP), Republic of Croatia.
2. What Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address — to identify your account and send transactional emails
- Name — to display in the app and to your team members
- Password (hashed) — if you register with email/password. We never store your password in plain text.
2.2 OAuth Data
If you sign in with Google, we receive your name, email address, and profile picture URL from Google. We do not receive or store your Google password.
2.3 Usage Data
When you use the Service, we collect:
- Translation content — the translation keys and values you create, edit, and import
- Organization and project data — names, settings, and membership information you configure
- Change history — a log of who changed what and when, for audit trail purposes
- Comments — comments you leave on translation keys
2.4 Technical Data
We automatically collect:
- IP address — for security (rate limiting, abuse prevention)
- Request data — HTTP method, URL path, response status, and timing (for performance monitoring)
- Browser information — via standard HTTP headers
2.5 Cookies
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
| parlats_session | Keeps you logged in | Essential | 30 days |
| oauth_state | Prevents OAuth CSRF attacks | Essential | 10 minutes |
| oauth_verifier | OAuth PKCE verification | Essential | 10 minutes |
We do not use advertising cookies or third-party tracking cookies.
3. How We Use Your Data
We use your personal data for:
- Providing the Service — account management, authentication, team collaboration
- Transactional emails — email verification, password resets, team invitations, notification digests
- Security — rate limiting, login lockout, abuse detection
- Product improvement — anonymized usage analytics to understand how the Service is used
- Legal compliance — responding to legal requests, enforcing our Terms of Service
Legal Basis (GDPR Art. 6)
| Purpose | Legal Basis |
|---|---|
| Providing the Service | Performance of contract (Art. 6(1)(b)) |
| Transactional emails | Performance of contract (Art. 6(1)(b)) |
| Security and abuse prevention | Legitimate interest (Art. 6(1)(f)) |
| Product analytics | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance | Legal obligation (Art. 6(1)(c)) |
4. Third-Party Services
We share data with the following processors:
4.1 PostHog (Analytics)
- Data shared: Hashed email, user ID, IP address, usage events
- Purpose: Product analytics and error tracking
- Privacy: We hash email addresses before sending. Raw emails are never sent to PostHog.
4.2 Resend (Email)
- Data shared: Email address, name, email content
- Purpose: Delivering transactional emails (verification, invitations, password resets, notification digests)
4.3 Google (OAuth)
- Data shared: OAuth tokens (only when you choose to sign in with Google)
- Purpose: Authentication
We do not sell your personal data to anyone.
5. Data Retention
| Data | Retention |
|---|---|
| Account data | Until you delete your account |
| Sessions | 30 days, auto-deleted on expiry |
| Email verification tokens | Until used or expired |
| Password reset tokens | 1 hour |
| Change history | Retained indefinitely (anonymized when account is deleted) |
6. Your Rights (GDPR)
Under the GDPR, you have the right to:
- Access — Request a copy of all personal data we hold about you
- Rectification — Correct inaccurate personal data
- Erasure — Delete your account and all associated data
- Data portability — Export your data in a machine-readable format
- Restriction — Request that we limit processing of your data
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Where processing is based on consent, withdraw at any time
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
You also have the right to lodge a complaint with your local supervisory authority, or with AZOP in Croatia.
7. Account Deletion
You can delete your account at any time from your account settings. When you delete your account:
- Your profile, sessions, and authentication data are permanently deleted
- Your organization memberships are removed
- Your comments and notifications are deleted
- Your name is removed from audit history (entries are anonymized, not deleted)
- API keys you created are disassociated from your account
If you are the sole owner of an organization, you must transfer ownership before deleting your account.
Data already sent to third-party processors (PostHog, Resend) is subject to their retention policies. We will submit deletion requests on your behalf where possible.
8. Security
We protect your data with:
- Password hashing using argon2id
- Session tokens hashed with SHA-256 (plaintext never stored)
- API keys hashed with argon2 (the key is shown once at creation; its plaintext is never stored)
- HTTPS in production
- HttpOnly, SameSite cookies
- CSRF protection on all forms
- Content Security Policy with nonce-based script sources
- Per-account login lockout after failed attempts
9. International Transfers
Your data is processed in the European Union. If data is transferred outside the EU (e.g., to US-based sub-processors), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.
10. Children
The Service is not intended for anyone under the age of 16. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us at [email protected] and we will delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the Service. The "Last updated" date at the top indicates the most recent revision.
12. Contact
For any questions about this Privacy Policy or your personal data:
CodiHarbor
Email: [email protected]