Effective June 1, 2025
Privacy Policy
How InsurLex collects, uses, and protects your information.
1. Information We Collect
Account information: When you register, we collect your name, email address, and organization name. If you sign in with Google, we receive your Google-verified email and profile name.
Billing information: Payment details are processed directly by Stripe. InsurLex stores only the result of the transaction (amount, currency, credits purchased) and a Stripe customer ID. We never store raw card numbers.
Usage data: We log job activity (upload time, page count, document type, processing metrics) to provide the Service, enforce credit limits, and generate analytics for your organization. We do not log document content.
Device and access logs: We collect IP addresses and browser user-agent strings for security, rate limiting, and abuse prevention. These are not linked to your documents.
2. How We Use Your Information
Service delivery: to authenticate you, process translation jobs, apply your glossary, and deliver translated documents.
Billing and payments: to manage credit balances, process subscription renewals, and issue receipts.
Communications: to send transactional emails (job completion, password reset, email verification). We do not send marketing emails without explicit opt-in.
Security and compliance: to detect abuse, enforce rate limits, and protect the integrity of the platform.
Product improvement: we use aggregated, anonymized usage metrics (e.g., average job score, document type distribution) to improve the Service. Individual document content is never used.
3. Document Processing
Source files uploaded for translation are stored temporarily on our servers during processing only. Once a translated document has been generated and made available for download, the source file is automatically and permanently deleted.
Translated output files are retained for download for a limited period after job completion and then deleted. The exact retention window is displayed in the dashboard.
We do not read, analyze, or use the content of your insurance documents for any purpose other than performing the translation you requested.
We do not use your documents, source or translated, to train, fine-tune, or evaluate any AI model, including the models used to provide the Service.
4. Third-Party Services
Stripe: payment processing. Stripe handles all card data under PCI-DSS compliance. See stripe.com/privacy.
Google AI (Gemini API): the primary AI engine used to generate translations. Document content is sent to the Gemini API under Google's enterprise API terms, which prohibit Google from using API input to train its models. See ai.google.dev/terms.
OpenAI API (optional): if enabled, used as an additional quality-auditing layer. The same API data-handling restrictions apply.
SMTP provider: used to send transactional emails. Email addresses and message content necessary for delivery are shared with the configured SMTP service.
Railway / Vercel: cloud infrastructure providers hosting the backend and frontend. Data is processed within their platforms subject to their privacy policies.
5. Data Security
All data is encrypted in transit using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent standards provided by our infrastructure provider.
Organization data is logically isolated: your documents, glossary, and translation memory are never accessible to other organizations.
Access to production systems is restricted to authorized personnel only. We apply the principle of least privilege across all internal systems.
6. Data Retention
Account and organization data is retained while your account is active. Upon account closure, your personal data is deleted within 30 days, except where retention is required by law (e.g., financial records).
Payment records and invoices are retained for seven (7) years to comply with applicable accounting and tax regulations.
Job logs (metadata only, not document content) may be retained for up to 12 months to support dispute resolution and analytics.
7. Your Rights
You have the right to access, correct, or delete the personal data we hold about you. You can update most information directly in the dashboard.
You may request a copy of your personal data or request account deletion by contacting us at support@insurlex.ai. We will respond within 30 days.
If you are located in the European Economic Area (EEA) or United Kingdom, you have additional rights under GDPR and UK GDPR, including the right to data portability and the right to lodge a complaint with your local supervisory authority.
8. Cookies
InsurLex uses only technically necessary cookies and browser storage (localStorage) for authentication session management. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email before material changes take effect. The updated policy will always be accessible at this URL.
10. Contact
For privacy-related inquiries or to exercise your data rights, contact us at: support@insurlex.ai