First draft — not yet reviewed by a lawyer. This page is a placeholder for real legal language and should not be relied on as-is. Replace before onboarding any paying customer or handling data outside the pilot.

Privacy Policy

Last updated: pilot draft, not yet dated for real use.

What we collect

When you use Coverloop, we collect: account information (name, work email) for you and your team members; organization information you provide during onboarding (company name, legal entity names, insurance requirements); vendor information you add (vendor name, contact email); and the certificate of insurance documents your vendors upload, along with the data our AI extracts from them (policy limits, dates, carrier, policy number, additional-insured status, and similar fields).

How AI processing works

Uploaded certificates are sent to Anthropic's API to extract structured data. Anthropic processes this data to return extraction results to Coverloop; see Anthropic's privacy policy for how they handle data sent to their API. Compliance decisions (pass/fail) are made by a deterministic, non-AI rules engine running on our own infrastructure — the AI model never decides compliance, only reads the document.

Where data is stored

Application data (accounts, vendors, extractions, verdicts, audit logs) and uploaded documents are stored with Supabase (Postgres database and object storage), hosted in the United States. Documents are kept in a private storage bucket; access requires an authenticated session scoped to your organization and short-lived signed links — they are never publicly listable or browsable.

Subprocessors

We rely on the following subprocessors to operate Coverloop:

  • Supabase — database, authentication, file storage
  • Anthropic — AI extraction of certificate data
  • Vercel — application hosting
  • Railway — background document-processing worker
  • Inngest — background job orchestration
  • Resend — transactional and vendor-chase email delivery (only if configured)

Data retention and deletion

We retain your organization's data for as long as your account is active. You can request deletion of your organization's data, including uploaded documents, by contacting us — see below. During the pilot, deletion requests are handled manually; a self-service option will be added before general availability.

Your rights

You may request access to, correction of, or deletion of personal data we hold about you or your organization by contacting us. We have not yet determined which specific regional privacy frameworks (e.g. GDPR, CCPA) apply to pilot usage — this will be finalized with legal counsel before general availability.

Contact

Questions about this policy or your data: hello@coverloop.io.