parloh Back

Privacy Policy

Last updated: 6 May 2026
Contents
  1. Who we are
  2. Information we collect
  3. How we use your information
  4. Sharing your information
  5. Legal basis for processing
  6. International transfers
  7. Retention periods
  8. Your rights under GDPR
  9. Cookies and device identifiers
  10. Contact and complaints

1. Who we are

parloh is a loyalty and discount platform for travellers visiting independent local businesses across Southeast Asia. It is operated by [Legal entity name — to be completed before launch], registered at [Registered address] ("parloh", "we", "us", "our").

parloh is the data controller for personal data collected through this platform. For any privacy-related enquiries, contact us at privacy@parloh.app.

2. Information we collect

2a. When you check in at an active parloh business

When you scan a parloh QR code and submit the check-in form, we collect:

  • Your first name — stored as entered. Used to personalise your discount code email and the business owner's view of their contacts.
  • Your phone number — we store two derived forms:
    • A one-way SHA-256 hash: we cannot reverse this to your actual number. Used for cross-business fraud and abuse detection and loyalty tier calculation.
    • An AES-256-GCM encrypted copy: this can be decrypted only by the business you checked into, to enable them to contact you via WhatsApp. It is never accessible to other businesses or to parloh staff in routine operations.
  • Your email address — stored as entered. Used to send your discount code and, if you opt in, travel updates from businesses you have visited.
  • Your stated length of stay — the option you select (e.g., "2–3 days", "local"). Used to calculate your loyalty tier and to help businesses identify travellers who are leaving soon.
  • A device fingerprint hash — an anonymous hash derived from your browser and device characteristics. Not linked to your identity. Used only to detect and block automated or repeat abuse within a short time window.

2b. When you scan a QR code for a pre-listed (unclaimed) business

Some parloh QR codes are placed on businesses that have not yet activated a paid account. If you submit the interest-capture form for one of these businesses, we collect your name, email address, phone number, and stated length of stay. In this case the phone number is stored in its original form (not hashed), so the business owner can see it when they claim their listing. No discount code is issued. You will not receive loyalty tier credit for this visit.

2c. If you hold a parloh Pass

A parloh Pass is a paid city-wide discount pass. If you purchase one:

  • Payment information — processed entirely by Stripe. parloh never receives or stores your card number, CVV, or bank details.
  • Your email address — used to authenticate your Pass and send confirmation and expiry notices.
  • Pass type, city, and expiry date — stored so participating businesses can verify your Pass entitlement at check-in.

2d. If you are a business owner

  • Business name, address, city, and category — displayed on your public listing.
  • Your email address — used for account authentication and billing notices.
  • Password — stored as a bcrypt hash only. We cannot read your password.

2e. Automatic data

Our servers log standard HTTP request metadata (IP address, request path, timestamp, HTTP status code) for security and operational purposes. These logs are not linked to tourist profiles and are not retained indefinitely.

3. How we use your information

  • Issuing and delivering your discount code — we send your personalised code to your email address immediately after check-in.
  • Cross-business loyalty tier calculation — we use your phone hash to count how many distinct parloh businesses you have visited across the city, and to assign you a Bronze, Silver, or Gold tier. This calculation uses only the hash — never your actual phone number.
  • Fraud and abuse prevention — we use your phone hash, device fingerprint hash, and IP address to detect and block misuse of the discount system, including automated check-ins and excessive redemptions within a short period.
  • Connecting you with the business you visited — the business owner can decrypt your phone number to send you a WhatsApp message (e.g., a follow-up offer or travel tip). They are bound by our Terms of Service to contact you only in ways you would reasonably expect.
  • Sending you platform communications — if you return to a city after 60 or more days, we may send you a welcome-back email to the address you used at check-in. You can opt out at any time by emailing privacy@parloh.app.
  • Aggregate, anonymous analytics — we analyse aggregated, non-identifiable data (e.g., total check-ins per city per day, category distribution) to improve the platform. This analysis cannot be traced back to individual tourists.
  • Platform quality and safety — we use voluntary price submissions (reported after you redeem a discount) and visit patterns to verify business quality and detect problems with the platform.

4. Sharing your information

Business owners (the business you checked into)

The owner of the specific business you checked into can see your first name, email address, the discount you received, your stay length, and — after decryption — your phone number. They cannot see data from your visits to other businesses. Other businesses on the parloh platform cannot see your personal information.

Other tourists

Your personal data is never shared with other tourists.

Third-party service providers (sub-processors)

Provider Role Location
Brevo Transactional email delivery (discount codes, magic links, welcome-back emails) EU (France)
Stripe Payment processing for parloh Pass. Stripe receives your card details directly — parloh does not US (PCI-DSS compliant, SCCs in place)
Hetzner Server infrastructure — all parloh databases and application servers run here EU (Germany)
Netlify Static file hosting for the web application frontend US (Data Processing Agreement available for EU users)
Twilio SMS/WhatsApp delivery for OTP verification US (Standard Contractual Clauses in place)

We only share the minimum data each sub-processor needs to perform their specific function. We do not sell personal data.

Law enforcement and legal process

We will disclose personal data to law enforcement or courts only in response to a valid legal process (court order, warrant, or statutory obligation) and only to the extent required. Where legally permitted, we will notify you before disclosing.

5. Legal basis for processing

We process personal data only where we have a valid legal basis under GDPR Article 6.

Data Purpose Legal basis
Name, email, stay length Issuing and delivering the discount code; loyalty tier calculation Contractual necessity (Art. 6(1)(b)) — these are required to provide the service you requested
Phone hash Cross-business fraud prevention; duplicate redemption check; loyalty calculation Legitimate interests (Art. 6(1)(f)) — preventing abuse of the discount system
Phone encrypted Business owner WhatsApp contact Contractual necessity — you submit your number to receive the discount and enable follow-up contact
Device fingerprint hash Velocity rate limiting; automated abuse detection Legitimate interests (Art. 6(1)(f)) — protecting the integrity of the platform
Business owner email and password hash Account authentication and billing Contractual necessity (Art. 6(1)(b))
Pass member email and Pass details Pass authentication and entitlement verification Contractual necessity (Art. 6(1)(b))
Welcome-back emails Notifying returning travellers of city updates Legitimate interests (Art. 6(1)(f)) — you can object at any time (see Section 8)

6. International transfers

All parloh databases and application servers are located in Germany (Hetzner). Transactional email is delivered via Brevo, which is based in France. Both are within the European Economic Area (EEA) and no transfer mechanism is required.

For services provided by US-based sub-processors (Stripe, Twilio, Netlify), personal data is transferred to the United States. These transfers are covered by Standard Contractual Clauses (SCCs) approved by the European Commission, or — in the case of Stripe — by their PCI-DSS certified processing infrastructure and their Data Processing Agreement.

If you are based in the EU, your personal data is stored and processed within the EEA except where you use features that depend on the US sub-processors listed above.

7. Retention periods

Data category Retention period
Check-in records (name, email, phone hash, phone encrypted, stay length, discount issued) Retained for the duration of the business relationship and for 12 months after your last check-in. You may request earlier deletion — see Section 8.
Tourist profile (phone hash, email, loyalty tier, city history) Retained until you request deletion. Tier data decays automatically if you are inactive for 12–18 months.
Interest captures for unclaimed businesses (name, phone, email) Retained until the business claims their listing, or for 12 months, whichever comes first.
Device fingerprint velocity log Automatically deleted every hour — only records from the past 24 hours are retained at any given time.
Featured business impression records Automatically deleted after 30 days.
Business owner account data Retained for the duration of the subscription plus 24 months for legal and financial record-keeping obligations.
Pass membership records Retained for 24 months after Pass expiry for financial record-keeping.
Magic link authentication tokens Expire after 24 hours. One-time use only.

8. Your rights under GDPR

If you are located in the European Economic Area or the United Kingdom, you have the following rights under GDPR Articles 15–22. To exercise any of them, email privacy@parloh.app. We will respond within 30 days.

  • Right of access (Art. 15) — you may request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — you may ask us to correct inaccurate data or complete incomplete data.
  • Right to erasure (Art. 17) — you may ask us to delete your personal data. We will comply unless we are required to retain it by law or for legitimate fraud-prevention purposes.
  • Right to restrict processing (Art. 18) — you may ask us to pause processing of your data in certain circumstances, for example while a rectification request is under review.
  • Right to data portability (Art. 20) — where processing is based on your contract or consent, you may ask for your data in a structured, machine-readable format.
  • Right to object (Art. 21) — you may object at any time to processing based on legitimate interests (e.g., welcome-back emails, device fingerprint logging). We will stop that processing unless we can demonstrate compelling legitimate grounds that override your interests.
Because phone numbers are stored as one-way hashes for active check-ins, we cannot identify your check-in records from your phone number alone. To submit an access or erasure request, please include the email address you used at check-in.

9. Cookies and device identifiers

parloh does not use advertising cookies, tracking pixels, or third-party analytics cookies.

We use the following strictly necessary technical mechanisms:

  • Session cookies — set for authenticated business owner and traveller sessions. These are httpOnly, Secure, and SameSite=Strict. They contain no personal data and expire when you close your browser or after your session timeout. Strictly necessary cookies do not require consent under GDPR.
  • Referral cookies — if you follow a parloh referral link, a short-lived cookie (parloh_ref) is set in your browser for 72 hours. This cookie stores only a referral token — it contains no personal data and is used solely to credit the person who referred you.
  • Device fingerprint hash — when you submit the check-in form, your browser generates a hash from publicly available browser characteristics (user-agent, screen size, language settings). This hash is submitted with your check-in and stored temporarily for abuse prevention. It is not a cookie — it is not stored in your browser — and it is deleted from our servers within 24 hours.

10. Contact and complaints

For any privacy-related questions or to exercise your rights, contact our data protection contact:

Data controller: [Legal entity name — to be completed before launch]

Registered address: [Registered address — to be completed before launch]

Email: privacy@parloh.app

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with your local data protection authority. In the EU, a list of national authorities is available at edpb.europa.eu. In the UK, the relevant authority is the Information Commissioner's Office (ICO).