Parallel World Privacy Policy

Effective date: 1 June 2026 Version: 2.0 Last updated: 15 June 2026

This Privacy Policy explains how Parallel World collects, uses, and protects data through the Parallel World browser extension and related services (together, the "Service"). Please read it together with the consent disclosures shown inside the extension.

Plain-language summary

This summary is here to be read first. It is not a substitute for the full policy below. Each line links to the section with the complete legal detail.

What this is. Parallel World is a paid, opt-in data panel. You choose to share data about how you browse, and we reward you in USDC or your local currency. (Section 3)
What we collect. In the base tier we collect behavioral metadata only: which sites and products you view, your searches, your engagement, and signals about your use of AI tools. We do not collect the content of your messages, your prompts, your passwords, or your payment details in the base tier. (Section 4)
What we do not touch. We do not operate on banking, health, government, payroll, password-manager, webmail, dating, adult, and similar sensitive sites. This blocklist is built into the extension and fails closed, meaning when in doubt we collect nothing. (Section 5)
What we do with it. We do not sell your data. We keep it and use it to develop, train, and improve our own artificial-intelligence models and agents. We say this plainly because it is the whole point of the product. (Section 9 and Section 12)
What you control. You pick a consent tier (Basic, Enhanced, or Full), you can opt out per site, you can withdraw consent at any time, you keep the rewards you have already earned, and you can ask us to delete your data. (Section 6 and Section 17)
Who we are. Parallel World Fund LLC is the data controller. You can reach us at dpo@parallelworld.co. (Section 1)

We are honest about one more thing up front. Using your behavioral data to train our own AI is the core of this product, so we describe our actual practices truthfully, and where a protection is something we are committed to delivering rather than something already in place, we say so.

1. Who we are and how to contact us

Data controller. Parallel World Fund LLC, 850 New Burton Road, Suite 201, Dover, DE 19904, United States ("Parallel World," "we," "us," "our"), is the data controller responsible for the personal data described in this policy.

Privacy contact. For any privacy question or to exercise your rights, contact us at dpo@parallelworld.co or by mail at the address above.

Data Protection Officer. Because our core activity involves large-scale, regular, and systematic monitoring of browsing behavior through a content script that can run on all websites, we have designated a Data Protection Officer under Article 37 of the GDPR. You can reach our DPO at dpo@parallelworld.co.

EU representative (Article 27). Because Parallel World Fund LLC is established outside the European Union but offers the Service to, and monitors the behavior of, individuals in the EU, we have appointed a representative in the Union under Article 27 of the GDPR. Our EU representative is Greg Rocher, 215 rue Jean Jaurès, 83000 Toulon, France. You may contact our representative on any matter relating to the processing of your personal data, in addition to or instead of contacting us directly.

2. Scope and definitions

This policy applies to the Parallel World browser extension, our backend services, and our website to the extent it concerns the panel.

Behavioral metadata. Information about how you interact with web pages (for example, which page you viewed, how far you scrolled, how long you stayed), as distinct from the content you type or read.
Pseudonymized data. Data from which your direct identifiers (such as your email) have been separated and replaced with an internal pseudo-identifier. Pseudonymized data is still personal data under the GDPR. We can still link it back to you using information we hold separately.
De-identified and aggregated data. Data that has been grouped, de-identified, and subjected to k-anonymity thresholds, so that it is engineered not to single you out. We do not claim re-identification is mathematically impossible.
Consent tier. The level of data sharing you choose: Basic, Enhanced, or Full.
Processor. A service provider that processes data on our behalf and under our instructions (for example, our hosting provider).

3. The deal in plain terms (our business model)

Parallel World is a paid data panel. You choose to share data about how you browse, we reward you in USDC or your local currency, and we keep that data and use it to develop, train, and improve our own artificial-intelligence models and agents. We tell you this plainly because it is the whole point of the product.

We do not sell your data. We do not sell or transfer raw event streams, aggregated datasets, de-identified data, or any data derived from your activity to AI research labs, advertising platforms, data brokers, commerce buyers, or any other third party. How we use your data is described in Section 9 and Section 12, and how we de-identify it inside our own systems is described in Section 10.

4. What data we collect

What we collect depends on the consent tier you choose (Section 6). The extension runs a content script that can operate on all websites, except the sensitive sites we exclude by design (Section 5).

4.1 Behavioral metadata (collected from the Basic tier upward)

Category	What it includes	Purpose
Page views	Page URL, domain, page title, referrer	Operate the panel; train our AI models
Site visit frequency and time on page	Derived from event timestamps and tab visibility	Measure engagement; train our AI models
Search queries	Search terms you enter (anonymized at our backend; not stored raw in full form)	Train our AI models
Browser context	Timezone coarsened to region, language, device type, connection type	Quality and jurisdiction control; train our AI models
AI-tool usage signals	Metadata only, as described in Section 4.4	Train our AI models

Note on IP address: your IP address is detected at our gateway and used only to infer your coarse jurisdiction (for example, a region code). It is not stored alongside your behavioral events. It is recorded with your consent records for audit purposes, as described in Section 6.4.

Category	What it includes	Purpose
Navigation paths	Page-to-page transitions reconstructed from browser navigation events	Train our AI models
Tab-switching patterns	Tab created, activated, closed, audible, muted, window focus changes	Train our AI models
Scroll depth and reading behavior	Pixel scroll distance and direction, time a section spends in view	Train our AI models
Form-interaction metadata	Field focus and blur events, character-count estimates only, never the characters you type	Train our AI models
Coarse (city-level) location	A coarsened location signal	Train our AI models

Category	What it includes	Purpose
Product data	Product name, price, URL, category (read from structured page data)	Train our AI models
Cart state	Items, quantities, totals	Train our AI models
Funnel and abandonment	Search to listing to product to cart to checkout transitions, and abandonment with context	Train our AI models
Price comparisons	Detected on comparison-shopping pages	Train our AI models
Social impressions and engagement	Feed items viewed, and likes, comments, shares as metadata only, never the text	Train our AI models
Deeper DOM content extraction	Enabled only at the Full tier together with a separate per-site opt-in	Train our AI models

4.4 AI-tool (LLM) usage signals: metadata only (Enhanced tier and up)

We capture signals about how you use AI tools on the following 13 providers: Claude, ChatGPT, Gemini, Perplexity, Copilot, Meta AI, Mistral, Grok, DeepSeek, HuggingChat, Poe, You.com, and Phind.

This capture begins only at the Enhanced tier, and it is metadata only at every tier. We do not capture the content of your prompts or the AI's responses. Concretely, we record signals such as:

character-count estimates of what you type (never the text itself),
specific recorded key combinations (for example, command-enter, command-k, escape), not full keystrokes,
focus duration on input areas,
button classifications (for example, submit, regenerate, stop, copy, share, export, new chat, voice, file attach),
text-selection length only (never the selected text),
scroll direction and distance,
drag-and-drop file type and size only (never the file bytes),
clipboard size and type only (never the clipboard content),
response timing and response character length (never the response text),
thread actions classified as regenerate, edit-and-resend, or new branch,
the fact that a share link was created (not the link),
export format (for example, JSON, Markdown, PDF), not the exported content,
request metadata for calls to AI provider endpoints (character count, inferred model, response timing), never the request or response body.

We do not intercept, read, or store the content of your AI conversations. The only way any actual prompt or response content could ever be collected is under the Full tier together with a separate, explicit per-site opt-in. It is never collected automatically and is never part of the Basic or Enhanced experience.

4.5 Account, payment, and identity data

Category	What it includes	Purpose	Legal basis
Account data	Email address, username, account credentials	Operate your account	Consent / contract
Payout data	Payout wallet address and chain (for USDC), or payout account details (for local-currency payments)	Pay your rewards in USDC or local currency	Contract
KYC and sanctions-screening data	Identity verification information collected at cashout	Legal and AML obligations; sanctions screening	Legal obligation

The payout, KYC, and sanctions-screening systems are not yet operational. See Section 16 for the current status.

4.6 Profiling

We derive inferred signals from your behavior (for example, an inferred AI model, an inferred e-commerce funnel stage, comparative and workflow patterns). This is profiling under the GDPR, and we disclose it here. This profiling is used to develop and improve our own AI models and agents. It does not produce legal effects concerning you or similarly significant effects on you, and we do not make solely automated decisions about you under Article 22 of the GDPR.

5. What we deliberately do NOT collect (exclusions)

We do not collect the content of what you type, your passwords, your payment-card details, your private messages, or the contents of your AI prompts and responses in the base tier.

Sensitive-domain blocklist. The extension carries a hardcoded blocklist of sensitive sites and sensitive URL paths. As implemented, this covers on the order of 700 domain suffixes and dozens of sensitive path fragments, spanning banking, brokerages, crypto exchanges, payments, healthcare, government, payroll, password managers, dating and adult sites, webmail, and authentication and login surfaces, across multiple countries and languages. On these surfaces the extension collects nothing.

Fail-closed design and detection layers. This detection fails closed, meaning that when there is doubt about whether a surface is sensitive, the extension collects nothing rather than risk capturing sensitive data. The extension applies three layers of detection that run inside your browser:

Layer 1, the hardcoded domain and path blocklist;
Layer 2, page-level heuristics that detect sensitive inputs such as password fields and payment fields and decline to collect; and
Layer 3, a live page-mutation watcher that re-checks sensitivity as a page changes, including in single-page applications.

A planned fourth layer, Layer 4, would be a server-side ingest filter that rejects sensitive data missed by the three in-browser layers. Layer 4 is not yet implemented. Today, the protection against sensitive capture is the three in-browser layers plus the client-side scrubbing described in Section 10.

No password or payment capture. We do not capture password fields or payment fields. We do not store passwords or authentication tokens; identifiers such as tokens and keys are stripped from data before it is uploaded.

Clipboard and files. We record clipboard size and type only, never clipboard content. We record file drag-and-drop type and size only, never file content.

Honesty about limits. We maintain and refresh this blocklist, and we are committed to publishing a publicly auditable version of it. It is not exhaustive and we do not claim it guarantees zero collection on sensitive sites. New or regional sensitive sites (for example, smaller regional banks or niche health vendors) may not yet be on the list. If sensitive data is incidentally captured, we filter and delete it and do not use it (Section 11).

Breach-risk disclosure. Because collection is broad by default, it is possible for data from an unlisted sensitive surface to be received before our filters catch it. If that happens, our policy is to scrub and suppress it, but receipt of such data may still trigger notification or other obligations under laws such as HIPAA, GLBA, the GDPR, or US state breach-notification laws. We are reviewing these scenarios with counsel and maintaining our exclusion lists accordingly.

You choose how much you share. You can move down a tier, opt a site out, pause, or withdraw at any time, and doing so never removes you from the panel for asking and never forfeits rewards you have already earned.

Tier	What it unlocks
Basic	Page titles, site-visit frequency, time on page, anonymized search queries
Enhanced	Everything in Basic, plus navigation paths, scroll depth, tab-switching patterns, reading behavior, city-level location, and AI-tool usage metadata (Section 4.4)
Full	Everything in Enhanced, plus e-commerce product data, price comparisons, cart states, detailed e-commerce signals, social signals, and (with a separate per-site opt-in) deeper DOM content extraction

Your consent is granular and unbundled. You consent separately and specifically to each purpose, including (a) collection of behavioral metadata, (b) the use of your data to develop, train, and improve Parallel World's own AI models and agents, and (c) deeper DOM content extraction at the Full tier. There is no single "accept all."

Before any collection begins, the extension shows you a prominent disclosure describing what each tier collects and how it is used, and asks for your affirmative agreement. Collection is paused until you have given consent, and the extension re-checks page sensitivity as you navigate. On our backend, every behavioral ingest endpoint checks your active consent record before accepting data. If no consent record exists, or your tier is set to none, data is refused. This check fails closed.

Registration gate (current status). We intend to require that you complete panel signup on the Parallel World website before the extension begins collecting. This registration gate is not yet enforced in the current build. We disclose this because we do not claim a control we have not yet shipped.

You can withdraw consent at any time, as easily as you gave it, from the extension. Withdrawal does not affect the lawfulness of processing carried out before you withdrew. Withdrawing does not forfeit rewards you have already earned. When you withdraw, we begin deleting your data as described in Section 13 and Section 17.

We keep versioned, hash-chained consent records as evidence of the consent you gave and any changes to it, including the IP address recorded at the time of each consent change for the audit trail. We describe these as records we keep, accurately, not as a legal guarantee. These records are kept as described in Section 13.

For users in the European Union and the wider EEA, we rely on the following legal bases under Article 6 of the GDPR.

Purpose	Legal basis
Collecting behavioral data	Consent, Article 6(1)(a)
Using your data to develop, train, and improve our own AI models and agents	Consent, Article 6(1)(a)
Deeper DOM content extraction (Full tier, per-site opt-in)	Consent, Article 6(1)(a)
Anti-fraud, integrity, and security controls	Legitimate interests, Article 6(1)(f), being our interest in protecting the panel and our data from fraud and abuse
Paying your rewards and operating your account	Performance of a contract, Article 6(1)(b)
KYC, sanctions screening, and retaining payout and KYC records	Legal obligation, Article 6(1)(c)

We do not sell your personal data. Using your data to train our own AI models and agents rests on your explicit consent.

We have conducted a Data Protection Impact Assessment under Article 35 of the GDPR, given the large-scale systematic monitoring involved, and we maintain records of processing under Article 30 and the security measures described in Section 15.

8. How we use the data (purposes)

We use the data to:

operate the panel and your account,
compute and pay your rewards,
develop, train, and improve our own AI models and agents (Section 12),
detect and prevent fraud and abuse and protect the integrity of the panel,
meet legal, regulatory, tax, and AML obligations, and
respond to your requests and to lawful requests from authorities.

9. How we use your data

9.1 We use your data to train our own AI, and we do not sell it

We use the data we collect to develop, train, and improve Parallel World's own artificial-intelligence models and agents, and to operate the panel.

We do not sell or transfer your personal data to third parties. We do not sell or share raw event streams, aggregated datasets, de-identified data, or any data derived from your activity with AI research labs, advertising platforms, data brokers, commerce buyers, or any other third party. Your data stays within Parallel World and is used only for the purposes described in this policy.

9.2 Service providers (processors)

The only outside parties that ever handle your data are our own service providers, who process it on our behalf and under our instructions, not for their own purposes:

Scaleway, our hosting provider in the European Union, processes data on our behalf under a data processing agreement (Article 28 GDPR).
A KYC and sanctions-screening vendor will process identity-verification data at cashout once payouts are live (Section 16).
A payout provider (for USDC and local-currency payments) will process payout transactions once payouts are live (Section 16).

9.3 Other disclosures

We may disclose data to comply with the law, to respond to lawful requests from public authorities, to enforce our rights, or in connection with a merger, acquisition, or sale of assets. If a corporate transaction would transfer your data for purposes inconsistent with this policy, we will seek your consent where required.

10. Pseudonymization, anonymization, and de-identification

We want to be precise and honest here, because over-claiming de-identification is itself a regulatory risk.

Data we hold internally is pseudonymized, not anonymous. Your email is stored separately from your pseudo-identifier in a protected vault, so day to day we work with the pseudo-identifier rather than your identity. Because we can still link the two, this data remains personal data under the GDPR (Recital 26). We do not claim that we cannot identify you internally.

Client-side scrubbing before upload. Before any event leaves your browser, the extension scrubs it. The URL and all data fields are checked against patterns for emails, phone numbers, national identifiers, payment-card numbers, government IDs, crypto wallet addresses, JWTs, cloud access keys, and code-hosting tokens. Matched values are replaced with a redaction marker, and the record is flagged as scrubbed. A server-side safety net at ingest, intended to catch sensitive data that client-side scrubbing might miss (Layer 4 in Section 5), is planned but not yet implemented.

Internal de-identification before we use your data. Your data is not sold or sent to any third party. Within our own systems, before data is used to train our models:

identifiers, including session IDs, are replaced using keyed-HMAC pseudonymization (domain-separated HMAC-SHA256 with a server-held key of at least 32 bytes), so the pseudonym cannot be reversed to recover the original value, while rows that share the same pseudonym can still be joined for analysis;
k-anonymity thresholds are enforced per cohort, and rows that do not meet the threshold for their cohort are dropped before the data is used for training;
any row whose identifier cannot be hashed is suppressed rather than used in the clear;
rows with an unknown jurisdiction are excluded.

We do not claim re-identification is mathematically impossible. We claim we have engineered against it.

11. Special-category and incidental sensitive data

We do not intentionally collect special-category data within the meaning of Article 9 of the GDPR (such as data revealing health, sexual orientation, religion, political opinions, or biometric data). Our strategy is avoidance, through the fail-closed sensitive-domain blocklist and exclusions described in Section 5.

Because browsing behavior can reveal sensitive characteristics by inference, we rely on the combination of avoidance, pseudonymization, and k-anonymity to keep the model defensible. If special-category or otherwise sensitive data is incidentally captured despite these controls, we filter and delete it, and we do not use it to train our models. We acknowledge that incidental capture on an unlisted sensitive surface remains possible and that receipt of such data may trigger notification or other obligations; we are completing our incident-response procedures for this scenario.

12. AI-training transparency

We use the data we collect to develop, train, and improve our own artificial-intelligence models and agents. This is the core purpose of the Service, so we disclose it prominently, and we capture your consent to this use as a distinct, separately named purpose in the consent flow before any collection begins.

We do not sell your data or supply it to third-party model developers. The models and agents trained on your data are Parallel World's own.

If and when Parallel World places a general-purpose AI model on the market, the transparency obligations of the EU AI Act for providers of general-purpose AI models (for example, the training-content summary under Article 53) would apply to us as the provider of that model, and we will meet them.

13. Data retention

We keep data for no longer than necessary for the purpose for which it was collected. We treat the periods below as commitments we hold ourselves to, and we describe our actual practice rather than promising perfection.

Data category	Retention	Basis / rationale
Raw behavioral events	Purged or anonymized within approximately 30 to 90 days (a precise-location signal carries a 30-day limit)	Storage limitation, Article 5(1)(e)
De-identified data used to train our models	Retained, in pseudonymized or de-identified form, for as long as necessary to develop and improve our models and agents	Storage limitation, Article 5(1)(e); the purpose you consented to
Consent records	Retained indefinitely, as an immutable, versioned, hash-chained audit log	Evidence of consent and defense of legal claims, Article 7 accountability
Account email vault	Retained for the life of the account, encrypted	Operate your account
Payout and KYC records	Retained for 7 years, once payouts are live	Legal obligation (AML and tax), Article 6(1)(c)

Important: the 7-year retention of payout and KYC records rests on a legal obligation, not on your panel consent. This means that if you ask us to erase your panel data, we will still retain the KYC and payout records the law requires us to keep. Erasing your panel data does not wipe these legally mandated financial records.

14. International transfers and hosting

We host all personal data in the European Union on Scaleway, with production in Paris and disaster recovery in Amsterdam. Your behavioral data is stored and processed in the EU. We do not transfer your personal data to the United States for our own processing, and we do not grant our US-incorporated parent routine access to it. Extension uploads travel over HTTPS to our EU gateway. Keeping data within the EU is itself a core protection.

Please note that Parallel World Fund LLC is incorporated in the United States. We have designed the system so the data stays in the EU, but US incorporation can in principle create exposure to US legal process. We are reviewing this with counsel and rely on EU-only hosting and the safeguards in this policy to mitigate it.

We do not sell or transfer your personal data to third parties or to other countries; it stays within our EU infrastructure and is used only for the purposes described in this policy. The limited processor relationships in Section 9.2 are governed by data processing agreements, and where any processor would handle data outside the EEA we rely on the EU Standard Contractual Clauses (2021) together with a transfer impact assessment. You can request a copy of the safeguards we use by contacting dpo@parallelworld.co.

15. Security

We apply technical and organizational measures appropriate to the risk (Article 32 GDPR), including:

transmission of data over secure connections (HTTPS), with extension uploads authenticated by short-lived, rotated tokens, and no long-lived secrets passed;
a pseudonymization vault separating your email from your pseudo-identifier;
keyed-HMAC pseudonymization of identifiers before they are used to train our models;
encryption at rest for the email vault and for sensitive account fields using strong encryption (AES-256), and hashing of passwords (bcrypt);
an append-only, hash-chained (SHA-256), tamper-evident audit log;
access controls.

No system is perfectly secure, and we do not claim that ours is. We describe the measures we actually have in place.

16. Rewards and payments

You earn rewards for participating, paid in USDC or your local currency, tied to your consent tier and activity. Rewards you have already earned are yours to keep even if you lower your tier or withdraw.

Wallet safety (USDC payouts). If you choose to be paid in USDC, wallet interaction does not happen inside the extension. All custody and any staking take place on the Parallel World website. Never paste a recovery phrase, mnemonic, or private key into the extension. We will never ask you to, and the extension does not store wallet secrets.

Current status. The payout system is not yet operational. There is no live payout path (USDC or local currency), and KYC identity verification and sanctions screening (including OFAC screening) at cashout are planned but not yet implemented. We will update this policy before any of these go live. When KYC and payouts go live, KYC and payout records will be retained for 7 years to meet anti-money-laundering and tax obligations, as described in Section 13, separately from your behavioral data.

17. Your rights and how to exercise them

You have the right to:

access your personal data (Article 15);
rectify inaccurate data (Article 16);
erasure, the right to be forgotten (Article 17), including across data we have derived from yours. Because we do not sell or transfer your data to third parties, there are no external datasets to recall; we delete your data from our own systems. Note that data already incorporated into a trained model in de-identified form cannot always be fully removed from the model itself, though the model does not retain your direct identifiers;
restrict processing (Article 18);
data portability, to receive your data in a structured, commonly used, machine-readable format (Article 20);
object to processing based on legitimate interests, such as our anti-fraud processing (Article 21);
withdraw consent at any time, as easily as you gave it (Article 7(3)), through the extension;
not be subject to solely automated decisions producing legal or similarly significant effects (Article 22); as noted in Section 4.6, we do not make such decisions about you;
lodge a complaint with a supervisory authority (Article 13(2)(d)). Because we do not have an establishment in the EU, the one-stop-shop mechanism does not apply, and you may lodge your complaint with the supervisory authority in your country of residence or work. Our EU representative is located in France, where the supervisory authority is the Commission Nationale de l'Informatique et des Libertés (CNIL).

We will respond within one month, extendable by two further months for complex requests, and free of charge. Because we hold your data under a pseudo-identifier, we may need additional information to locate your records and to verify your identity (Articles 11 and 12).

17.2 In-product controls

From the extension you can: switch your consent tier, opt a site out, pause collection, withdraw from the panel, export your data, and request deletion. Deletion requests are queued and processed through an automated flow, with our aim to complete erasure within 30 days. Your immutable consent record (the audit trail) is preserved as described in Section 13.

17.3 California and other US state rights (CCPA/CPRA)

If you are a California resident (or in another US state with similar rights), you have the right to:

know and access the categories and specific pieces of personal information we have collected, the sources, and the business and commercial purposes, with a 12-month look-back;
delete your personal information;
correct inaccurate personal information;
opt out of the sale or sharing of your personal information. We do not sell or share your personal information, so there is nothing to opt out of, but you can withdraw consent at any time (Section 18);
limit the use of your sensitive personal information, through our "Limit the Use of My Sensitive Personal Information" mechanism. Our sensitive-information footprint is reduced because we use coarse region-level location rather than precise geolocation, but the right is still available to you;
non-discrimination: we will not discriminate or retaliate against you for exercising any of these rights.

We do not sell or share your personal information. As those terms are defined by the CCPA and CPRA, we do not sell or share your personal information. We use it as a first-party controller to develop, train, and improve our own AI models and agents, as described in Section 9 and Section 12.

Notice of Financial Incentive. Our paid panel is a financial incentive under California law. The incentive is the reward you earn (in USDC or your local currency) in exchange for sharing the categories of data described in Section 4 (web browsing activity, search, engagement, AI-tool usage metadata, and, at higher tiers, e-commerce, social, and website-content signals). You opt in by choosing a consent tier, and you can opt out at any time by lowering your tier or withdrawing, without losing rewards already earned. We make a good-faith estimate of the value of your data calculated by reference to the rewards we pay you and the value the corresponding data contributes to developing and improving our AI models and agents. This estimate does not assign a market price to your individual data and is made solely to comply with the California Consumer Privacy Act. Participation is entirely voluntary, and declining or withdrawing has no penalty beyond no longer earning rewards.

18. Your opt-out and control choices

Because we do not sell or share your personal information (see Section 17.3), the "Do Not Sell or Share My Personal Information" requirement and the obligation to honor opt-out preference signals for sales do not apply to us. We are not a data broker, because we do not sell data.

You remain in full control. At any time, from the extension, you can lower your consent tier, opt a site out, pause collection, withdraw consent entirely, export your data, or request deletion (Section 17.2). We honor a withdrawal of consent as a stop to all further collection and use.

If our practices ever change such that we would sell or share personal information, we will update this policy, obtain any consent the law requires, and provide the opt-out mechanisms and any data-broker registrations the law requires before doing so.

19. Children

The Service is not directed to, and is not available to, minors. You must be at least 18 years old to use Parallel World. We do not knowingly collect or use the data of minors.

If we learn that we have collected data from someone under 18, we will delete it. Under the US Children's Online Privacy Protection Act (COPPA), including its 2025 amendments, we do not knowingly collect personal information from children under 13, we do not use children's data to train AI or disclose it to third parties without the separate verifiable parental consent the law requires, and we will delete any such data immediately if discovered. Our posture is not to rely on parental consent at all; we exclude minors entirely.

Current status. A hard age gate at signup is not yet enforced in the current build. We are implementing it. A real age check also occurs at the KYC stage at cashout once that system is live (Section 16). If you believe a minor has enrolled, contact us at dpo@parallelworld.co and we will delete the data.

20. Automated decision-making and profiling

As described in Section 4.6, we carry out profiling to develop and improve our AI models and agents. We do not make decisions about you that are based solely on automated processing and that produce legal effects concerning you or similarly significantly affect you (Article 22 GDPR).

21. Changes to this policy

We may update this policy. When we make a material change, we will update the version number and effective date and notify you through the extension or by other reasonable means. Where a change requires your consent, or expands what we collect, we will ask for fresh consent before the change applies to you and before any new collection begins.

22. Chrome Web Store, permissions, and Manifest V3

The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements. Data collected through the extension is used solely by Parallel World as a first-party controller to operate the panel and to train our own AI models and agents. We do not sell or transfer user data to third parties, and we do not use or transfer user data for personalized advertising or to determine creditworthiness or for lending.

The extension is built on Manifest V3. It does not contain or load remotely hosted code, and it does not use eval. All logic ships inside the submitted package. External endpoints receive data only; they never deliver executable logic. Our sensitive-domain blocklist and configuration ship inside the package; any remote update to them is data and configuration, not code.

The extension requests the following permissions, each justified by the user-facing panel feature it supports:

storage and unlimitedStorage: maintain the local event queue inside your browser before upload.
alarms: schedule periodic upload cycles, navigation-graph cleanup, and token refresh.
idle: pause collection while you are idle.
activeTab: read the active tab's URL for navigation events.
webNavigation: reconstruct cross-site journeys, which is a core part of the panel.
webRequest: observe only the metadata of requests to AI-provider endpoints. We do not block requests, and we do not read request or response bodies.
host permissions (<all_urls>): required because the panel measures cross-site behavior, e-commerce funnels, and AI-tool usage broadly, which is the visible feature you join the panel for. This breadth is mitigated by the fail-closed sensitive-domain exclusions and the three layers of in-browser detection described in Section 5.
identity (optional): Google Sign-In, used only if you choose it.

23. Contact and complaints

Privacy contact: dpo@parallelworld.co
Data Protection Officer: dpo@parallelworld.co
Postal address: Parallel World Fund LLC, 850 New Burton Road, Suite 201, Dover, DE 19904, United States
EU representative (Article 27): Greg Rocher, 215 rue Jean Jaurès, 83000 Toulon, France
Supervisory authority: You may lodge a complaint with the supervisory authority in your country of residence or work. Our EU representative is located in France, where the authority is the Commission Nationale de l'Informatique et des Libertés (CNIL).
California / US requests: contact dpo@parallelworld.co. We do not sell or share personal information (Section 18).