50% off setup · First 5 agencies only · Claim your seat →

Legal

Privacy Policy

This policy explains what data ClaimFlow collects, how we use and protect it, who processes it on our behalf, and the rights you have over it.

Updated July 2026

Who we are

ClaimFlow is a compliance and lead-attribution platform for insurance agencies and call centers, operated by GTMVP Inc (“ClaimFlow,” “we,” “us”), Dover, Delaware, USA. For anything in this policy, contact privacy@claimflow.health.

The three kinds of data we handle

ClaimFlow is a business-to-business service. It helps to separate the data we handle into three categories, because different rules apply to each:

  • Visitor data — limited technical information when you browse this website.
  • Account data — information about you and your agency when you sign up: name, work email, role, agency name, and billing details. For this data, we decide how it is used and this policy governs.
  • Customer Data — the records your agency uploads or generates inside the platform: leads, calls, consent records, quotes, policies, commissions. Your agency owns and controls this data; we process it only to provide the service, under our agreement with your agency. If you are a consumer whose information an agency stored in ClaimFlow, your relationship is with that agency — we will route any request you send us to them.

What we collect and why

DataSourceWhy we process it
Name, work email, role, agencyYou, at signupCreate and secure your account; support
Billing detailsYou, via StripeSubscription billing. Card numbers go directly to Stripe — we never store them
Usage and log dataAutomaticSecurity, audit trails, debugging, and improving the service
Customer DataYour agencyProviding the platform: compliance tracking, attribution, and reporting
Support communicationsYouAnswering questions and resolving issues

We do not sell personal information, we do not share it for cross-context behavioral advertising, and we do not run third-party advertising trackers on this site.

AI features

ClaimFlow includes AI-assisted analytics (“Ask ClaimFlow”). These features are built so that only de-identified aggregates — counts, totals, rates, and per-source or per-agent summaries — are sent to our AI provider. Names, phone numbers, email addresses, policy numbers, recordings, transcripts, and record identifiers never leave your database as part of an AI request. Our AI provider processes these aggregates to answer your question and does not use them to train its models.

Who processes data on our behalf

We use a small set of vetted service providers (subprocessors), each bound by contracts restricting them to processing data only to provide their service to us:

ProviderPurposeLocation
SupabaseDatabase, authentication, and storageUnited States
VercelWebsite and application hostingUnited States
StripePayment processingUnited States
OllamaAI processing of de-identified aggregates onlyUnited States

Protected health information (PHI) and HIPAA

Where an agency’s Customer Data includes protected health information, GTMVP Inc acts as a business associate to that agency. A Business Associate Agreement (BAA) is executed with the agency before PHI is processed on the platform, and PHI is handled in accordance with that BAA and the HIPAA Security Rule’s administrative, physical, and technical safeguards. Our Terms of Service prohibit uploading PHI before a BAA is in place.

Cookies

We use only essential cookies: they keep you signed in and secure your session. We do not use advertising cookies or cross-site tracking, which also means there is no “sale” or “sharing” of personal information to opt out of under state privacy laws.

How long we keep data

  • Account data — for the life of your account, then deleted or de-identified within 90 days unless the law requires longer.
  • Customer Data— per your agency’s configured retention schedule. Because CMS imposes minimum retention periods on Medicare marketing and enrollment records, agencies typically configure multi-year retention; that schedule is your agency’s choice and obligation.
  • Billing records — as required by tax and accounting law.

How we protect data

Data is encrypted in transit and at rest. Every agency’s data is isolated with database-level tenant controls enforced on every query. Access is role-based and logged in an audit trail. Payment credentials are handled entirely by Stripe.

Your privacy rights

Depending on your state, you may have the right to access, correct, delete, or obtain a portable copy of your personal information, and to not be discriminated against for exercising those rights. To exercise them, email privacy@claimflow.health from the address associated with your account (or with enough information for us to verify you). We respond within 45 days, extendable once by 45 days where the law allows. If your request concerns records an agency keeps about you inside ClaimFlow, we will forward it to that agency and assist them in fulfilling it.

Children

ClaimFlow is a business tool and is not directed to anyone under 18. We do not knowingly collect personal information from children.

Changes to this policy

If we make material changes, we will update the date at the top of this page and notify account holders by email or in-app notice before the changes take effect.

Contact

GTMVP Inc · 8 The Green, Ste A, Dover, DE 19901, USA · privacy@claimflow.health