Privacy Policy

Effective Date: March 12, 2026

1. Overview

InsureCheck ("we", "our", or "us") operates an AI-powered insurance certificate processing platform. This Privacy Policy explains how we collect, use, store, and protect information when you use our Service. We are committed to protecting the privacy of our customers and the individuals whose information appears in documents processed through our platform.

2. Information We Collect

Account Information

  • Name, email address, and role (provided at account creation)
  • Institution affiliation and organization name
  • Login timestamps and session data

Document Data

When you upload Certificates of Insurance (COIs) and other insurance documents, we process and store:

  • The original document files (PDF, image formats)
  • Extracted structured data: policy numbers, coverage limits, expiration dates, named insured information, carrier names, and additional insured parties
  • Compliance analysis results and rule evaluation outputs
  • Flood zone analysis results tied to property addresses in certificates

Usage and Technical Data

  • IP addresses and browser/client information for security and fraud prevention
  • API access logs and audit trails
  • Error and performance logs

3. How We Use Your Information

  • To provide, operate, and improve the Service
  • To process documents and perform compliance analysis as instructed by your organization
  • To authenticate users and maintain account security
  • To send transactional emails (certificate processing results, review notifications, password resets)
  • To maintain audit logs for security and compliance purposes
  • To detect and prevent fraud, abuse, or security incidents
  • To comply with legal obligations

We do not use your document data or extracted insurance information to train AI models or for any purpose beyond providing the Service to your organization.

4. Third-Party Service Providers

We share data with the following sub-processors to operate the Service. All sub-processors are bound by data processing agreements and are prohibited from using your data for their own purposes.

Provider | Purpose | Location
Amazon Web Services (AWS) | Document storage (S3), AI document extraction (Textract), API hosting (App Runner), database (RDS), cache (ElastiCache) | United States
Anthropic | AI-powered data extraction and compliance analysis (Claude API) | United States
Cloudflare | Frontend hosting (Workers), CDN, DDoS protection, WAF | Global (US primary)
Resend | Transactional email delivery | United States
SendGrid (Twilio) | Transactional email delivery (backup) | United States
Google Maps Platform | Geocoding of property addresses for flood zone analysis | United States

5. Data Retention

Data Type | Retention Period
Certificate documents and extracted data | Duration of subscription + 30 days after termination
User account data | Duration of subscription + 90 days after account deactivation
Audit logs | 2 years
Access and error logs | 90 days
Session data (Redis) | 7 days (access token: 15 min, refresh token: 7 days)

6. Data Security

We implement the following security measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher
  • Database (RDS PostgreSQL) is encrypted at rest using AES-256
  • Document storage (S3) is encrypted at rest
  • Access tokens are short-lived (15 minutes); refresh tokens are stored as httpOnly cookies
  • Multi-tenant data isolation enforced at the application layer
  • Security headers including HSTS, CSP, X-Frame-Options on all responses
  • Regular security audits (two completed: Dec 2025 and Mar 2026)

7. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of personal data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your personal data (subject to legal retention obligations)
  • Portability: Request a machine-readable export of your data
  • Objection: Object to certain types of processing

To exercise these rights, contact us at privacy@insurecheck.io. We will respond within 30 days.

8. Cookies and Session Data

We use a single first-party session cookie (ic_session) to maintain your authenticated session. This cookie is:

  • HttpOnly — not accessible to JavaScript
  • Secure — only transmitted over HTTPS
  • SameSite: Lax — protected against CSRF
  • Expires after 7 days of inactivity

We do not use advertising cookies, analytics cookies, or third-party tracking pixels.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or in-app notice. The effective date at the top of this policy indicates when it was last updated.

11. Contact Us

For privacy inquiries, contact: privacy@insurecheck.io

InsureCheck
privacy@insurecheck.io