parloh is a loyalty and discount platform for travellers visiting independent local businesses across Southeast Asia. It is operated by [Legal entity name — to be completed before launch], registered at [Registered address] ("parloh", "we", "us", "our").
parloh is the data controller for personal data collected through this platform. For any privacy-related enquiries, contact us at privacy@parloh.app.
2a. When you check in at an active parloh business
When you scan a parloh QR code and submit the check-in form, we collect:
2b. When you scan a QR code for a pre-listed (unclaimed) business
Some parloh QR codes are placed on businesses that have not yet activated a paid account. If you submit the interest-capture form for one of these businesses, we collect your name, email address, phone number, and stated length of stay. In this case the phone number is stored in its original form (not hashed), so the business owner can see it when they claim their listing. No discount code is issued. You will not receive loyalty tier credit for this visit.
2c. If you hold a parloh Pass
A parloh Pass is a paid city-wide discount pass. If you purchase one:
2d. If you are a business owner
2e. Automatic data
Our servers log standard HTTP request metadata (IP address, request path, timestamp, HTTP status code) for security and operational purposes. These logs are not linked to tourist profiles and are not retained indefinitely.
Business owners (the business you checked into)
The owner of the specific business you checked into can see your first name, email address, the discount you received, your stay length, and — after decryption — your phone number. They cannot see data from your visits to other businesses. Other businesses on the parloh platform cannot see your personal information.
Other tourists
Your personal data is never shared with other tourists.
Third-party service providers (sub-processors)
| Provider | Role | Location |
|---|---|---|
| Brevo | Transactional email delivery (discount codes, magic links, welcome-back emails) | EU (France) |
| Stripe | Payment processing for parloh Pass. Stripe receives your card details directly — parloh does not | US (PCI-DSS compliant, SCCs in place) |
| Hetzner | Server infrastructure — all parloh databases and application servers run here | EU (Germany) |
| Netlify | Static file hosting for the web application frontend | US (Data Processing Agreement available for EU users) |
| Twilio | SMS/WhatsApp delivery for OTP verification | US (Standard Contractual Clauses in place) |
We only share the minimum data each sub-processor needs to perform their specific function. We do not sell personal data.
Law enforcement and legal process
We will disclose personal data to law enforcement or courts only in response to a valid legal process (court order, warrant, or statutory obligation) and only to the extent required. Where legally permitted, we will notify you before disclosing.
We process personal data only where we have a valid legal basis under GDPR Article 6.
| Data | Purpose | Legal basis |
|---|---|---|
| Name, email, stay length | Issuing and delivering the discount code; loyalty tier calculation | Contractual necessity (Art. 6(1)(b)) — these are required to provide the service you requested |
| Phone hash | Cross-business fraud prevention; duplicate redemption check; loyalty calculation | Legitimate interests (Art. 6(1)(f)) — preventing abuse of the discount system |
| Phone encrypted | Business owner WhatsApp contact | Contractual necessity — you submit your number to receive the discount and enable follow-up contact |
| Device fingerprint hash | Velocity rate limiting; automated abuse detection | Legitimate interests (Art. 6(1)(f)) — protecting the integrity of the platform |
| Business owner email and password hash | Account authentication and billing | Contractual necessity (Art. 6(1)(b)) |
| Pass member email and Pass details | Pass authentication and entitlement verification | Contractual necessity (Art. 6(1)(b)) |
| Welcome-back emails | Notifying returning travellers of city updates | Legitimate interests (Art. 6(1)(f)) — you can object at any time (see Section 8) |
All parloh databases and application servers are located in Germany (Hetzner). Transactional email is delivered via Brevo, which is based in France. Both are within the European Economic Area (EEA) and no transfer mechanism is required.
For services provided by US-based sub-processors (Stripe, Twilio, Netlify), personal data is transferred to the United States. These transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, or — in the case of Stripe — by their PCI-DSS certified processing infrastructure and their Data Processing Agreement.
If you are based in the EU, your personal data is stored and processed within the EEA except where you use features that depend on the US sub-processors listed above.
| Data category | Retention period |
|---|---|
| Check-in records (name, email, phone hash, phone encrypted, stay length, discount issued) | Retained for the duration of the business relationship and for 12 months after your last check-in. You may request earlier deletion — see Section 8. |
| Tourist profile (phone hash, email, loyalty tier, city history) | Retained until you request deletion. Tier data decays automatically if you are inactive for 12–18 months. |
| Interest captures for unclaimed businesses (name, phone, email) | Retained until the business claims their listing, or for 12 months, whichever comes first. |
| Device fingerprint velocity log | Purged automatically every hour, so that only records from the past 24 hours are retained at any given time. |
| Featured business impression records | Automatically deleted after 30 days. |
| Business owner account data | Retained for the duration of the subscription plus 24 months for legal and financial record-keeping obligations. |
| Pass membership records | Retained for 24 months after Pass expiry for financial record-keeping. |
| Magic link authentication tokens | Expire after 24 hours. One-time use only. |
If you are located in the European Economic Area or the United Kingdom, you have the following rights under GDPR Articles 15–22. To exercise any of them, email privacy@parloh.app. We will respond within 30 days.
parloh does not use advertising cookies, tracking pixels, or third-party analytics cookies.
We use the following strictly necessary technical mechanisms:
httpOnly, Secure, and SameSite=Strict. They contain no personal data and expire when you close your browser or after your session timeout. Strictly necessary cookies do not require consent under GDPR.
parloh_ref) is set in your browser for 72 hours. This cookie stores only a referral token — it contains no personal data and is used solely to credit the person who referred you.
For any privacy-related questions, or to exercise your rights, get in touch with our data protection contact:
Data controller: [Legal entity name — to be completed before launch]
Registered address: [Registered address — to be completed before launch]
Email: privacy@parloh.app
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local data protection authority. In the EU, a list of national authorities is available at edpb.europa.eu. In the UK, the relevant authority is the Information Commissioner's Office (ICO).