Privacy Policy
Last Updated: June 30, 2026 | Effective Date: September 17, 2025
Important: This Policy explains how InsuroAI LLC ("InsuroAI," "we," "us," "our") collects, uses, discloses, and protects Personal Data when you use our websites, applications, and services (collectively, the "Service"). This Policy is not legal advice.
By using the Service, you agree to this Policy and our Terms of Service. If you do not agree, do not use the Service.
Quick Index
1. Definitions
- Personal Data (or Personal Information) means information that identifies, relates to, describes, or can reasonably be linked to an individual.
- Sensitive Personal Data includes data such as government IDs, precise geolocation, health information, financial account numbers with access codes, biometric identifiers, and union, racial/ethnic, or religious information.
- Processing means any operation performed on Personal Data.
2. Scope & Roles
- If you use InsuroAI directly (e.g., you create an account): InsuroAI LLC is the data controller (EEA/UK: "controller").
- If you access InsuroAI through a business customer (e.g., your employer or insurer provisioning access): InsuroAI LLC acts as a processor/service provider to that customer. In those cases, our Data Protection Addendum (DPA) governs processing on their instructions.
3. What We Collect
We collect the categories below. We do not intentionally collect Sensitive Personal Data unless you provide it to us or a customer instructs us to process it.
A. Information you provide
- Account & Profile: name, email, password (hashed), phone, company, job title.
- Content & Uploads: documents you upload (e.g., insurance policy PDFs), prompts, messages, and feedback.
- Support & Communications: messages, tickets, survey responses.
- Payment: payments are handled by Stripe or another processor; we do not store card numbers. We receive limited billing metadata (e.g., last 4 digits, card type, transaction IDs).
B. Information collected automatically
- Log & Usage Data: IP address, device/OS/browser, pages viewed, timestamps, session duration, referring/exit pages, feature usage, error logs. When signed in, we associate this usage and page-view data with your account.
- Approximate Location: derived from IP (city/region level).
- Cookies & Similar Tech: session cookies, analytics cookies, and local storage. See Section 8.
C. Information from third parties
- Single Sign-On (SSO): if you sign in via Google/Microsoft/Okta/etc., we receive identifiers and profile data per your consent.
- Analytics & Diagnostics: events and crash reports from GA4, PostHog, Sentry, Datadog.
- Business Customers: if your employer or insurer gives you access, we may receive your name, work email, and role.
Sensitive Personal Data: We do not want social security numbers, full payment card data, precise geo, or medical records/PHI. Do not upload such data unless you have a lawful basis and a written agreement with us (e.g., a BAA for HIPAA, not currently offered unless expressly agreed).
4. Sources of Personal Data
- Directly from you
- Automatically through your device
- From business customers who authorize your access
- From integrated third-party services (SSO, payment, analytics)
5. How We Use Personal Data
We process Personal Data to:
- Provide and operate the Service, including account creation, authentication, and customer support
- Process transactions and manage billing
- Run & improve features (quality, reliability, safety)
- Analyze usage and performance
- Communicate service updates, security alerts, and marketing (you may opt out)
- Detect, prevent, and investigate fraud, abuse, and security incidents
- Comply with law and enforce agreements
6. Our AI & Model Use Disclosures
- Inputs & Outputs: We process your inputs (e.g., uploaded PDFs, prompts) and generate outputs.
- Retrieval-Augmented Generation (RAG): If you enable document-based Q&A, we may temporarily index and embed your content (chunking + vectorization) to provide results.
- Training/Improvement:
- Default: We do not use customer content (including prompts, uploaded files, or outputs) to train foundation models.
- We may use aggregated, de-identified telemetry (e.g., feature usage metrics) to improve reliability and safety.
- Third-Party Model Providers: With your direction or a customer's, we may send prompts/content to model providers (e.g., OpenAI, Anthropic, Google, or self-hosted/local models) solely to generate responses and operate the Service.
- Sage Word Add-in: Sage is InsuroAI's document-analysis add-in for Microsoft Word. When you use Sage, the text content of the active Word document is sent to InsuroAI's API at sage.insuro.ai for processing, including compliance review, readability analysis, filing-readiness checks, and general Q&A. Authentication is handled via Firebase (Google). All data transmitted between the add-in and our API is encrypted via HTTPS. The same data handling and retention practices described in this Policy apply to data processed through the Sage add-in.
7. Disclosure of Personal Data
We do not sell Personal Data. We do not share Personal Data for cross-context behavioral advertising. If this changes, we will update this Policy and provide required opt-out mechanisms. We disclose data to:
- Service Providers/Processors: hosting (AWS/GCP/Azure/Vercel), storage, analytics, logging/monitoring, customer support, email/SMS, payments (Stripe), and model providers
- Business Transfers: in a merger, acquisition, or asset sale
- Legal/Compliance: to comply with law, respond to lawful requests, and protect rights, safety, and property
- With Your Direction: when you integrate third-party apps or instruct disclosures
8. Cookies & Tracking
We use cookies and similar technologies for authentication, preferences, analytics, and performance.
- Controls: You can manage cookies in your browser and, where required (EEA/UK), via our consent banner/manager.
- Global Privacy Control (GPC): If we ever engage in activities defined as "sale" or "sharing" under California law, we will honor GPC signals and provide a "Do Not Sell or Share" link.
9. Data Retention
We retain Personal Data only as long as necessary for the purposes described in this Policy, or as required by law. In general:
- Account data: while your account is active and for a reasonable period thereafter
- Usage logs & support tickets: for as long as needed to provide the Service, resolve issues, and improve reliability
- Document content & embeddings (RAG): while your account is active or until you request deletion
- Billing records: as required by tax and compliance obligations
We delete or anonymize data when it is no longer needed or upon valid request, subject to legal holds.
10. Security
We use administrative, technical, and physical safeguards, including encryption in transit, access controls, environment isolation, least-privilege, and monitoring. No system is 100% secure. If we discover a breach affecting you, we will notify you as required by law.
11. Your Privacy Rights
Depending on your location, you may have rights to access, correct, delete, port, or restrict/opt-out of certain processing, and to withdraw consent where applicable.
- How to submit: [email protected] or via our rights request web form
- We may ask for information to verify your identity.
- You may appoint an authorized agent where your law permits (e.g., California).
- Marketing: You can opt out of marketing emails via unsubscribe links.
12. International Transfers
We may transfer Personal Data to countries that may not provide the same level of protection. Where required, we use appropriate safeguards (e.g., EU Standard Contractual Clauses and the UK IDTA/Addendum).
13. Children's Privacy
The Service is not for individuals under 18. We do not knowingly collect children's Personal Data. If you believe a child provided data, contact us and we will delete it.
14. Changes to this Policy
We may update this Policy. We will post the revised version with a new "Last Updated" date and, if changes are material, provide additional notice. Your continued use after changes means you accept them.
15. Contact Us
- Email: [email protected]
- Mail: InsuroAI LLC, 7901 4th St N Ste 300, St Petersburg, FL 33702
16. California Notice at Collection (CPRA)
We collect the following categories of Personal Information (Cal. Civ. Code §1798.140) for the purposes described in Sections 5 and 7, and retain them as in Section 9:
- Identifiers: name, email, IP, device IDs
- Customer Records: billing metadata (not full card numbers)
- Commercial Information: subscription tier, transaction history
- Internet/Network Activity: usage logs, interactions with our Service
- Geolocation: approximate (city/region) from IP
- Professional/Employment Information: company, title (if provided)
- Inferences: service usage patterns to improve features
- Sensitive Personal Information: not sought; processed only if you provide and only as necessary to deliver the Service or as allowed by law
Sale/Share: We do not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link and honor GPC signals.
Right to Know/Delete/Correct/Opt-Out/Limit Use: Submit requests at [email protected]. We will not discriminate against you for exercising rights.
17. GDPR/UK Addendum
Legal Bases (Art. 6):
- Contract: to provide the Service
- Legitimate Interests: service improvement, security, fraud prevention
- Consent: certain cookies, marketing, and optional features
- Legal Obligation: tax, accounting, and regulatory duties
Controller/Processor: See Section 2. For processing as a processor, our DPA applies.
Data Subject Rights: access, rectification, erasure, restriction, portability, and objection.
Automated Decision-Making: We do not make solely automated decisions producing legal or similarly significant effects. Outputs from generative models are reviewed/controlled by you or your organization.
Transfers: safeguarded via SCCs/UK IDTA.
Complaints: You may lodge a complaint with your local supervisory authority.
18. U.S. State Privacy Addendum (CO/CT/VA/UT, etc.)
Where state laws grant rights (access, correction, deletion, portability, opt-out of targeted advertising/sale/profiling), you may exercise them as in Section 11.
Appeals: If we deny your request, you can appeal at [email protected]. If unresolved, you may contact your state attorney general.