Privacy Policy
Effective Date: February 11, 2026 • Last Updated: February 11, 2026
ClaimFlow ("we," "us," or "our") operates the ClaimFlow web application and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, and protect your personal information when you use our Service. By using ClaimFlow, you consent to the practices described in this policy.
We are committed to protecting the privacy of insurance professionals, roofing contractors, restoration companies, and public adjusters who use our platform. This policy is designed to comply with the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), and other applicable privacy laws.
1. Information We Collect
1.1 Account Information
When you create a ClaimFlow account, we collect:
- Name and email address
- Company or organization name
- Professional role (e.g., insurance adjuster, roofing contractor)
- Organization membership information (if joining a team workspace)
1.2 Claim Documents and Uploaded Content
When you use our Service, you upload insurance claim documents (typically Xactimate PDF estimates). These documents may contain:
- Claimant names, addresses, and contact information
- Policy numbers and claim numbers
- Property details and damage descriptions
- Financial amounts (RCV, ACV, deductibles, payment calculations)
- Line item descriptions and quantities
Important: You are responsible for ensuring you have the legal right to upload and process any documents submitted to ClaimFlow. Do not upload documents containing Protected Health Information (PHI) unless you have a lawful basis and appropriate safeguards in place.
1.3 Payment Information
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We do not store, process, or have access to your credit card numbers. Stripe collects billing name, email, payment method details, and billing address on our behalf. See Stripe's Privacy Policy for details.
1.4 Usage Data
We automatically collect certain information about how you use ClaimFlow, including:
- Features accessed and actions taken within the application
- Number of claims processed and reports generated
- Session duration and timestamps
- Browser type, operating system, and device information
- IP address (used for security monitoring and rate limiting)
2. How We Use Your Information
We use the information we collect for the following purposes:
- Service Delivery: Processing your uploaded documents, extracting claim data, generating reports, and providing the core ClaimFlow functionality
- Account Management: Managing your account, subscription, team workspace, and user preferences
- Billing: Processing subscription payments, tracking usage against plan limits, and managing billing communications
- Security: Detecting and preventing unauthorized access, fraud, and abuse of our platform
- Service Improvement: Monitoring application performance, identifying errors, and improving the reliability and functionality of ClaimFlow
- Communications: Sending you service-related notifications, billing receipts, and important updates about your account or the Service
We do not use your personal information or uploaded documents for marketing purposes, advertising targeting, or profiling.
3. AI-Powered Document Processing
ClaimFlow uses artificial intelligence to extract and analyze data from your uploaded insurance claim documents. We want to be fully transparent about how this works:
3.1 How AI Processing Works
When you upload a document, it is sent to Anthropic's Claude API for processing. The AI analyzes document text, identifies key fields (policy numbers, dates, amounts, descriptions), extracts line items, and generates structured data. This processing is automated and includes optical character recognition, data extraction, categorization, and summarization.
3.2 AI Model Training
Your documents are not used for AI model training. Anthropic's API terms confirm that data submitted through their API is not used for model training unless the customer explicitly opts in. ClaimFlow has not opted in. Documents are processed in real-time and Anthropic retains API logs for up to 30 days for safety and abuse monitoring purposes only, after which they are automatically deleted.
3.3 AI Accuracy Disclaimer
AI-generated outputs may contain errors and should be reviewed by qualified personnel before being relied upon for any claim decisions. ClaimFlow does not guarantee the accuracy, reliability, or completeness of AI-generated outputs. For more details, see our Terms of Service.
4. Data Retention
We retain different categories of data for different periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account information | Duration of account + 2 years | Legal compliance, dispute resolution |
| Uploaded claim documents | Duration of account | Service delivery |
| AI-extracted claim data | Duration of account + 2 years | Audit trail, legal compliance |
| Billing and payment records | 7 years | Tax and financial compliance |
| Authentication logs | 1 year | Security monitoring |
| Error monitoring data (Sentry) | 90 days | Debugging, service improvement |
| Server and API logs | 30 days | Security, debugging |
Upon account termination, we will delete your personal data and uploaded documents within 30 days, except where retention is required by law. You may request data export prior to account closure.
5. Third-Party Services (Subprocessors)
We use the following third-party services to operate ClaimFlow. Each processes certain categories of your data as described below:
| Service | Purpose | Data Processed |
|---|---|---|
| Anthropic (Claude API) | AI document processing and data extraction | Uploaded document text, extracted data |
| Clerk | User authentication and organization management | Email, name, user profile, session data |
| Stripe | Payment processing and subscription management | Name, email, payment method, billing address |
| Railway | Cloud hosting and infrastructure | All application data (in transit and storage) |
| Sentry | Error monitoring and debugging | Error logs, stack traces, IP addresses (personal data scrubbed) |
All subprocessors are based in the United States. We require each subprocessor to maintain appropriate security measures and to process your data only for the purposes described above.
6. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties. We do not share your data with data brokers. Your claim documents and client information remain private.
We may disclose your information only in the following limited circumstances:
- Service Providers: To our subprocessors listed above, solely for the purposes described
- Legal Requirements: When required by law, subpoena, court order, or governmental regulation
- Safety and Rights: To protect the safety, rights, or property of ClaimFlow, our users, or the public
- Business Transfer: In connection with a merger, acquisition, or sale of assets (with prior notice to you)
7. Your Privacy Rights
7.1 Rights for All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate or incomplete data
- Deletion: Request deletion of your personal data and uploaded documents
- Data Portability: Request your data in a portable, machine-readable format
- Withdraw Consent: Withdraw consent for optional data processing at any time
7.2 California Residents (CCPA/CPRA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions
- Right to Opt-Out of Sale: We do not sell personal information. If this changes, we will provide an opt-out mechanism
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
- Right to Limit Use of Sensitive Information: You may limit our use of sensitive personal information to what is necessary for providing the Service
To exercise any of these rights, contact us at privacy@tryclaimflow.com. We will respond within 45 days as required by law.
7.3 European Economic Area (EEA) Residents (GDPR)
If you are located in the EEA, you have additional rights under the General Data Protection Regulation (GDPR):
- Legal Basis: We process your data based on contractual necessity (to provide the Service), legitimate interest (security, service improvement), and consent (where applicable)
- Right to Object: You may object to processing based on legitimate interests
- Right to Restrict Processing: You may request that we restrict processing of your data in certain circumstances
- Right to Lodge a Complaint: You may file a complaint with your local supervisory authority
- International Transfers: Your data is processed and stored in the United States. By using ClaimFlow, you consent to the transfer of your data to the US
8. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- Encryption at Rest: Sensitive data stored in our database is encrypted using Fernet symmetric encryption
- Encryption in Transit: All communication between your browser and our servers is encrypted with TLS/SSL
- Authentication: Enterprise-grade authentication powered by Clerk with support for SSO and multi-factor authentication
- Tenant Isolation: Each organization's data is logically isolated; users can only access data belonging to their own organization
- Access Controls: Role-based access control for team members within organizations
- Input Validation: Parameterized queries, input sanitization, and rate limiting on all API endpoints
- Monitoring: Real-time error tracking and security monitoring via Sentry
For more details about our security practices, see our Security page.
9. Cookies and Tracking
ClaimFlow uses a limited number of cookies, all of which are necessary for the Service to function:
| Provider | Type | Purpose |
|---|---|---|
| Clerk | Strictly Necessary | Session management, user authentication |
| Stripe | Strictly Necessary | Payment fraud prevention, payment session |
| Sentry | Performance | Error tracking and debugging |
We do not use advertising cookies, tracking pixels, or third-party analytics services for behavioral advertising. We honor Global Privacy Control (GPC) browser signals.
10. Children's Privacy
ClaimFlow is a business-to-business (B2B) service designed for insurance professionals. Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will promptly delete it.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting a prominent notice on our website or by sending you an email at least 30 days before the changes take effect. Your continued use of ClaimFlow after the effective date of any changes constitutes acceptance of the updated policy. We will not materially reduce your rights under this policy without your explicit consent.
12. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have concerns about how we handle your data, please contact us:
- Email: privacy@tryclaimflow.com
- General Support: support@tryclaimflow.com
- Contact Page: tryclaimflow.com/contact
For CCPA requests, we will verify your identity before processing your request. We will respond within 45 days of receiving a verifiable request.