Security & data

Quiet outside. Careful underneath.

We would rather say less here and mean it than claim more than we have proven. This page covers what the parli.family website actually does today — at the network, the browser, and the early-access form — and what we explicitly will not claim.

In transit

Every connection is HTTPS-only.

HTTPS is enforced by HSTS for the entire domain. Plain-HTTP requests redirect to HTTPS at the edge before any content is served.

In the browser

Six security headers, set on every response.

You can verify any of these yourself with curl -I https://parli.family. We treat header drift as a bug, not a polish item.

Strict-Transport-Security

HSTS forces every connection to parli.family over HTTPS for the next year, so no request to this domain can downgrade to HTTP — even if a link tries.

Content-Security-Policy

Strict CSP. Scripts run only from our own origin and only those whose SHA-256 hash we publish ahead of time — no `'unsafe-inline'` and no `'unsafe-eval'`. No third-party scripts, no analytics tags, no ad pixels.

X-Frame-Options

DENY. The site cannot be embedded in an iframe — guarding against clickjacking attempts that try to overlay our pages elsewhere.

Referrer-Policy

strict-origin-when-cross-origin. Outbound clicks share only the origin (parli.family), never the full URL or any path/query data.

Permissions-Policy

Camera, microphone, geolocation, payment, accelerometer, gyroscope, USB, and other powerful APIs are explicitly disabled — the website has no use for them.

X-Content-Type-Options

nosniff. Prevents browsers from guessing a different content type than what we declared, closing a small but real attack class.
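As an added example (not the site's own tooling), here is a small Python check that parses a raw HTTP response header block and reports any drift from the six headers described above. The header block it ships with is a constructed sample, not a capture from parli.family, and is deliberately drifted so the check has something to find.

```python
import re

ONE_YEAR = 365 * 24 * 60 * 60
# Features the page says are disabled; each must appear as name=() in Permissions-Policy.
DISABLED = ["camera", "microphone", "geolocation", "payment",
            "accelerometer", "gyroscope", "usb"]

# Constructed sample, not a real capture: the CSP has drifted to permit 'unsafe-inline'
# and usb has dropped out of the Permissions-Policy.
SAMPLE_DRIFTED = """HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline'
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), accelerometer=(), gyroscope=()
x-content-type-options: nosniff
"""

def parse_headers(raw: str) -> dict:
    """Map 'Name: value' lines to a lowercase-keyed dict; the status line is skipped."""
    pairs = (line.split(":", 1) for line in raw.splitlines()
             if ":" in line and not line.startswith("HTTP/"))
    return {name.strip().lower(): value.strip() for name, value in pairs}

def check_drift(raw: str) -> list:
    """Compare a raw header block with the policy stated above; empty list means no drift."""
    h = parse_headers(raw)
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits 'unsafe-inline' or 'unsafe-eval'")
    if h.get("x-frame-options", "").upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("referrer-policy") != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    policy = h.get("permissions-policy", "").replace(" ", "")
    missing = [f for f in DISABLED if f"{f}=()" not in policy]
    if missing:
        findings.append("Permissions-Policy leaves enabled: " + ", ".join(missing))
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    return findings

if __name__ == "__main__":
    print("\n".join(check_drift(SAMPLE_DRIFTED) or ["no header drift"]))
```

To run it against the live site, feed the output of curl -sI https://parli.family to check_drift instead of the sample.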

No third parties

This website loads nothing from anywhere else.

No analytics scripts. No tag managers. No advertising pixels. No font CDNs. No social-network embeds. No A/B testing services. No session-replay tools. The CSP is configured so that even if we accidentally tried to add one of these, the browser would block it.

We use one small cookie — parli_lang — to remember your language choice between visits. That is the only cookie this website sets, it carries no identifier, and it has no marketing purpose. It is documented in the privacy notice.

Early-access form

What happens when you submit the waitlist form.

The form on /early-access posts to the same domain. There is no third-party form provider, no reCAPTCHA, no JavaScript-based fingerprinting. A small honeypot field, invisible to people but auto-filled by spam bots, lets us silently drop bot submissions without challenging real visitors.

What we receive: the email you typed, the optional name and message, the time of submission, your IP address (used only for rate-limiting — three submissions per hour), and the standard request metadata your browser already sends. The email goes to hello@parli.family, where a real person reads and replies. Nothing is appended to a marketing list, nothing is shared, nothing is sold.

You can ask us to delete your submission at any time. Email hello@parli.family with the address you used and we will erase it.

Transparency

What we will not claim.

We would rather make narrow, supportable statements now and earn trust over time.

End-to-end encryption.

The website uses HTTPS in transit, but we have not implemented or audited E2EE for any product surface. We will not put those words on this page until they are true and externally verified.

SOC 2, HIPAA, or GDPR compliance.

These are formal regimes with formal audits. We have not undergone any of them. When and if we meet a recognized standard, we will say so with the report or audit reference, and not before.

Court-ready records.

Parli is not a legal-evidence tool. Records inside the app are not designed to meet evidentiary standards, and we will not market them that way.

A specific encryption algorithm or key strength as a marketing claim.

Naming a cipher does not make data safer; design does. We would rather under-claim and earn trust over time.

Reach us

Found something? Tell us.

If you spot a security issue — anywhere from a missing header to a configuration drift — please write to us. We will respond personally. Please do not file public issues for vulnerabilities; private email lets us fix and roll out a change without putting other visitors at risk in the meantime.