Legal
Privacy Policy
This policy explains what data ClaimFlow collects, how we use and protect it, who processes it on our behalf, and the rights you have over it.
Updated July 2026
Who we are
ClaimFlow is a compliance and lead-attribution platform for insurance agencies and call centers, operated by GTMVP Inc (“ClaimFlow,” “we,” “us”), Dover, Delaware, USA. For anything in this policy, contact privacy@claimflow.health.
The three kinds of data we handle
ClaimFlow is a business-to-business service. It helps to separate the data we handle into three categories, because different rules apply to each:
- •Visitor data — limited technical information when you browse this website.
- •Account data — information about you and your agency when you sign up: name, work email, role, agency name, and billing details. For this data, we decide how it is used and this policy governs.
- •Customer Data — the records your agency uploads or generates inside the platform: leads, calls, consent records, quotes, policies, commissions. Your agency owns and controls this data; we process it only to provide the service, under our agreement with your agency. If you are a consumer whose information an agency stored in ClaimFlow, your relationship is with that agency — we will route any request you send us to them.
What we collect and why
| Data | Source | Why we process it |
|---|---|---|
| Name, work email, role, agency | You, at signup | Create and secure your account; support |
| Billing details | You, via Stripe | Subscription billing. Card numbers go directly to Stripe — we never store them |
| Usage and log data | Automatic | Security, audit trails, debugging, and improving the service |
| Customer Data | Your agency | Providing the platform: compliance tracking, attribution, and reporting |
| Support communications | You | Answering questions and resolving issues |
We do not sell personal information, we do not share it for cross-context behavioral advertising, and we do not run third-party advertising trackers on this site.
AI features
ClaimFlow includes AI-assisted analytics (“Ask ClaimFlow”). These features are built so that only de-identified aggregates — counts, totals, rates, and per-source or per-agent summaries — are sent to our AI provider. Names, phone numbers, email addresses, policy numbers, recordings, transcripts, and record identifiers never leave your database as part of an AI request. Our AI provider processes these aggregates to answer your question and does not use them to train its models.
Who processes data on our behalf
We use a small set of vetted service providers (subprocessors), each bound by contracts restricting them to processing data only to provide their service to us:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, and storage | United States |
| Vercel | Website and application hosting | United States |
| Stripe | Payment processing | United States |
| Ollama | AI processing of de-identified aggregates only | United States |
Protected health information (PHI) and HIPAA
Where an agency’s Customer Data includes protected health information, GTMVP Inc acts as a business associate to that agency. A Business Associate Agreement (BAA) is executed with the agency before PHI is processed on the platform, and PHI is handled in accordance with that BAA and the HIPAA Security Rule’s administrative, physical, and technical safeguards. Our Terms of Service prohibit uploading PHI before a BAA is in place.
Cookies
We use only essential cookies: they keep you signed in and secure your session. We do not use advertising cookies or cross-site tracking, which also means there is no “sale” or “sharing” of personal information to opt out of under state privacy laws.
How long we keep data
- •Account data — for the life of your account, then deleted or de-identified within 90 days unless the law requires longer.
- •Customer Data— per your agency’s configured retention schedule. Because CMS imposes minimum retention periods on Medicare marketing and enrollment records, agencies typically configure multi-year retention; that schedule is your agency’s choice and obligation.
- •Billing records — as required by tax and accounting law.
How we protect data
Data is encrypted in transit and at rest. Every agency’s data is isolated with database-level tenant controls enforced on every query. Access is role-based and logged in an audit trail. Payment credentials are handled entirely by Stripe.
Your privacy rights
Depending on your state, you may have the right to access, correct, delete, or obtain a portable copy of your personal information, and to not be discriminated against for exercising those rights. To exercise them, email privacy@claimflow.health from the address associated with your account (or with enough information for us to verify you). We respond within 45 days, extendable once by 45 days where the law allows. If your request concerns records an agency keeps about you inside ClaimFlow, we will forward it to that agency and assist them in fulfilling it.
Children
ClaimFlow is a business tool and is not directed to anyone under 18. We do not knowingly collect personal information from children.
Changes to this policy
If we make material changes, we will update the date at the top of this page and notify account holders by email or in-app notice before the changes take effect.
Contact
GTMVP Inc · 8 The Green, Ste A, Dover, DE 19901, USA · privacy@claimflow.health