Privacy Policy

Original PDF files: Your insurance policy PDF and settlement letter are uploaded to encrypted storage (Supabase, hosted in the United States) solely for AI processing. After the analysis completes — and in any case within 24 hours of upload — the original PDF files are permanently deleted. They cannot be recovered after deletion.

Extracted document text: To enable re-analysis and report verification, the text extracted from your documents (the machine-readable content parsed from your PDFs) is retained as part of your claim record. This extracted text may include policy language, coverage amounts, and claim details from your documents. It is stored encrypted and is deleted upon your request (see Section 5 for how to request deletion).

The AI provider (Anthropic) processes your document text via its API. Anthropic does not use API-submitted content to train its models, per Anthropic's data usage policy.

If you upload health insurance documents (explanation of benefits, denial letters, medical bills, or similar), those documents may contain health or medical information, which is sensitive personal data under applicable law (including GDPR Article 9 for EU residents and HIPAA for U.S. users where applicable).

By uploading health insurance documents, you explicitly consent to ClaimGap processing that health information solely for the purpose of generating your insurance claim analysis. We do not share, sell, or use health data for any other purpose. Health information contained in extracted document text is subject to the same deletion rights described in Section 5.

ClaimGap is not a "covered entity" or "business associate" under HIPAA. If you require HIPAA-covered services, consult a licensed healthcare advocate or attorney.

We use your data to:

• Perform the AI analysis and generate your report
• Deliver your report by email
• Send optional outcome follow-up emails (7, 14, and 30 days post-purchase)
• Build an anonymized aggregate outcome database (insurer + state + claim type + resolution outcome) to improve future analysis quality — no personal identifiers are included

We do not sell, rent, or share your personal information with third parties for marketing purposes. See Section 3a for our aggregated data practices.

We compile anonymized, aggregated statistics from claim metadata — including insurer name, U.S. state, claim type, settlement amount ranges, issue-type frequency, and outcome patterns. This dataset contains no personal identifiers (no name, no email, no postal address, no claim-specific text) and cannot reasonably be used to re-identify any individual.

We may share or license this aggregated, de-identified data with third-party partners, including but not limited to: plaintiff-side insurance and consumer-protection law firms, lemon-law attorneys, journalists and media organizations, consumer advocacy and tenant-rights organizations, insurance industry research firms, issuing banks, and merchant / manufacturer benchmark buyers. Any such sharing is limited to statistical summaries or bucketed per-cohort data and is subject to a cohort-size threshold large enough to prevent re-identification of any individual case. Examples of benchmarks we may publish or license: insurer payout rates by state and claim type, debt-collector violation frequency by normalized collector name, warranty denial pattern frequency by manufacturer, chargeback resistance rates by merchant category.

Minimum cohort size: we enforce a minimum cohort size of 11 claims per published cell. Cells with fewer claims are suppressed or rolled up to a coarser geography (e.g., state instead of metro), coarser time window, or wider dollar-range bucket before publication.

Lawful basis (GDPR, EU/UK users): We process de-identified aggregate data under GDPR Art. 6(1)(f) legitimate interest (improving the product and producing industry benchmarks). You have the right to object under Art. 21 at any time by emailing [email protected].

CCPA & CPRA notice (California residents — Do Not Sell or Share My Personal Information): We do not sell your personal information (name, email, address, or document contents). Our licensing of aggregated, de-identified benchmarks does not meet the CCPA §1798.140(t)(1) definition of "sale" because it contains no personal identifiers and cannot reasonably be used to re-identify you. If you believe any of our practices do constitute a sale or sharing of personal information under the California Consumer Privacy Act (as amended by the CPRA), you have the right to opt out. To exercise this right, email [email protected] with the subject "Do Not Sell or Share My Personal Information" and include the email address you used on ClaimGap. We will honor the request within 15 business days.

You have the right to:

• Access: Request a copy of the data we hold about you
• Deletion: Request deletion of your email address and associated claim records at any time
• Opt-out of outcome emails: Unsubscribe from follow-up emails via the link in any email we send
• Non-discrimination: We will not deny service or charge different prices based on the exercise of privacy rights

To exercise any of these rights, email [email protected] with "Privacy Request" in the subject line. We will respond within 10 business days.