Privacy Policy
Last updated: pilot draft, not yet dated for real use.
What we collect
When you use Coverloop, we collect: account information (name, work email) for you and your team members; organization information you provide during onboarding (company name, legal entity names, insurance requirements); vendor information you add (vendor name, contact email); and the certificate of insurance documents your vendors upload, along with the data our AI extracts from them (policy limits, dates, carrier, policy number, additional-insured status, and similar fields).
How AI processing works
Uploaded certificates are sent to Anthropic's API to extract structured data. Anthropic processes this data to return extraction results to Coverloop; see Anthropic's privacy policy for how they handle data sent to their API. Compliance decisions (pass/fail) are made by a deterministic, non-AI rules engine running on our own infrastructure — the AI model never decides compliance, only reads the document.
Where data is stored
Application data (accounts, vendors, extractions, verdicts, audit logs) and uploaded documents are stored with Supabase (Postgres database and object storage), hosted in the United States. Documents are kept in a private storage bucket; access requires an authenticated session scoped to your organization and short-lived signed links — they are never publicly listable or browsable.
Subprocessors
We rely on the following subprocessors to operate Coverloop:
- Supabase — database, authentication, file storage
- Anthropic — AI extraction of certificate data
- Vercel — application hosting
- Railway — background document-processing worker
- Inngest — background job orchestration
- Resend — transactional and vendor-chase email delivery (only if configured)
Data retention and deletion
We retain your organization's data for as long as your account is active. You can request deletion of your organization's data, including uploaded documents, by contacting us — see below. During the pilot, deletion requests are handled manually; a self-service option will be added before general availability.
Your rights
You may request access to, correction of, or deletion of personal data we hold about you or your organization by contacting us. We have not yet determined which specific regional privacy frameworks (e.g. GDPR, CCPA) apply to pilot usage — this will be finalized with legal counsel before general availability.
Contact
Questions about this policy or your data: hello@coverloop.io.