Privacy Policy - Claimpal

Last Updated: June 17, 2025

Thank you for using Claimpal Business ("Claimpal", "we", "our", "us"). We are committed to helping organisations understand and manage their insurance documentation through powerful AI-powered analysis. Protecting your privacy and the confidentiality of your data is fundamental to our business and the trust you place in us.

This Privacy Policy explains in detail:

Who is responsible for your data.
What information we collect and why.
The legal grounds we rely on for processing data (in line with GDPR, POPIA, and CCPA principles).
How we use, store, and secure your data.
When and how data is shared, particularly with our AI partner, Google Gemini.
Your rights regarding your data, including international transfers and retention policies.
How you can contact us with questions or requests.

Please read this Policy carefully. If you do not agree with its terms, you should not access or use our Services.

1. Who is Responsible for Your Data?

The entity responsible for processing your data, known as the Data Controller, is Claimpal (Pty) Ltd., a company registered in South Africa.

Legal Entity	Claimpal (Pty) Ltd., South Africa
Registered Address	42 Harley Street, Randburg, Johannesburg
Data Protection Officer	For specific privacy inquiries, you can reach our DPO at hello@claimpal.ai.
General Support	For all other questions, please contact hello@claimpal.ai.

2. Scope of This Policy

This policy governs the data processed through our official digital products and services, including our:

Web application (accessible via *.claimpal.com)
Android and iOS mobile applications
Backend services, including our REST & GraphQL APIs and webhooks.

This Policy does not extend to third-party websites or services that we may link to, such as an insurer's online portal. We are not responsible for their privacy practices.

3. Key Definitions

Personal Data: Any information that relates to an identified or identifiable living person, such as an email address or a name on a document.
Business Data: Information about a company, one of its sites, or a specific asset that is not inherently linked to a natural person.
Processing: Any action we perform on data, including its collection, analysis, storage, sharing, and deletion.
GDPR: The European Union's General Data Protection Regulation 2016/679, a global standard for data protection.
AI Processing Partner: Our trusted third-party AI service provider that powers our document analysis and chat features. This partner operates under strict data processing agreements.

4. The Information We Collect

We collect several types of data to provide and improve our services.

4.1. Account and Identity Data

To create and manage your account, we collect basic information. We only ask for what is necessary.

Email address (Required): This serves as your primary identifier and login credential.
Display name (Optional): A name you provide to be displayed within the app and in notification emails.
Authentication token (Automatic): When you log in (via methods like OAuth or a secure magic link), we create a token to maintain your session securely without needing to store a password.

We will never ask for sensitive personal details like your physical address, date of birth, or credit card numbers for account creation.

4.2. Business and Asset Metadata

Our system generates unique identifiers to organize the information related to your business. You can also add your own descriptive names.

Examples: biz_abc123 (for your business), site_jhb01 (for a location), asset-1718623470 (for a piece of equipment).
Custom Names: You provide meaningful labels like "Head Office" or "Excavator 123" for easy management.

4.3. Uploaded Content

The core of our service involves the analysis of documents you provide. You may upload various file types (PDFs, DOCX, images, etc.) which can contain a wide range of information, including:

Insurance Details: Policy numbers, coverage limits, and effective dates.
Operational Records: Maintenance logs and invoices from service providers.
Visual Records: Photos of assets, property damage, or receipts.
Incidental Personal Data: Information that may appear on these documents, such as a signature, name, or phone number on an invoice.

4.4. Derived Analysis and Context

Our AI processes your uploaded content to extract structured, usable data. This derived information is then linked to the relevant asset in our system. Examples include:

asset_policy_details.coverage_amount
maintenance_details.next_maintenance_due_date
Patterns and insights, such as frequently replaced parts or recurring issues.

All this extracted data is stored securely in our database.

4.5. Usage and Device Data

To ensure our service is secure, reliable, and user-friendly, we automatically collect technical data:

Basic connection details like your IP address, browser type, and operating system version.
Timestamps of key activities, such as logins, file uploads, and API calls.
Feature usage events (e.g., tracking when a dashboard is opened) to understand how our product is used.

We do not collect precise GPS location data or access device sensors.

4.6. Cookies and Local Storage

We use functional cookies that are essential for secure session authentication. We also offer optional analytics cookies to help us improve our service. You have full control to opt-out of these optional cookies via the cookie banner.

5. Why and How We Use Your Data

We process your data for specific purposes and rely on established legal bases under GDPR.

Purpose	How We Use Your Data	Legal Basis (GDPR)
Provide the Core Service	We use your account details and uploaded files to enable account creation, perform AI analysis, and display your dashboards.	Art. 6(1)(b) – Contract: This processing is necessary to deliver the service you signed up for.
Enable AI Chat & Suggestions	We send text from your documents and your queries to our AI partner to generate intelligent summaries and answers.	Art. 6(1)(b) – Contract: This is a core feature of the service we provide.
Ensure Security & Prevent Abuse	We monitor usage logs and network traffic to detect threats, prevent misuse, and maintain service integrity.	Art. 6(1)(f) / (c) – Legitimate Interest / Legal Obligation: We have a duty to protect our platform and user data.
Legal Compliance	We may need to process data to respond to lawful requests from authorities or comply with tax and insurance regulations.	Art. 6(1)(c) – Legal Obligation: We must comply with the laws in jurisdictions where we operate.

Important: We never use your data for automated decisions regarding credit-worthiness or for marketing profiling.

6. AI Processing: A Closer Look

Your trust is paramount, especially when it comes to AI. Here is a transparent breakdown of how we use our AI partner while protecting your data's confidentiality:

Trigger: When you upload a document or send a chat message, Claimpal securely extracts the relevant text to create a prompt for the AI.
Secure Transmission: This prompt is sent over an encrypted connection to our AI partner running in secure cloud infrastructure.
Confidential Processing: Our AI partner acts as our data processor and is bound by stringent data processing agreements. Your content is processed transiently in memory and is never used to train or improve their models.
Data Return: The AI returns a structured response with the extracted information or chat reply to us. We then save this analysis and link it to your asset in our database.
Immediate Deletion: Our AI partner discards the transient data from the request immediately after the task is complete. Short-term logs for billing and abuse detection are purged automatically within 30 days.

7. How and When We Share Information

We will never sell, rent, or otherwise monetize your data to advertisers or insurers. We only share information with a limited number of essential partners who act on our behalf.

Recipient	Reason for Sharing	Safeguards in Place
Cloud Infrastructure Provider	Provides the core infrastructure for our service, including hosting databases, file storage, and AI processing.	Acts as our data processor under strict agreements (DPA), with world-class certifications like ISO 27001 and SOC 2.
Email Provider	Delivers essential notifications that you request, such as alerts or reports.	All communications are secured with SMTP TLS encryption, and they are bound by a Data Processing Addendum (DPA).
Legal Authorities	We will only disclose information if compelled by a lawful order, such as a court-issued subpoena.	We carefully validate every request to ensure it is legitimate and lawful.

8. Our Data Security Measures

We employ a multi-layered security strategy to protect your data at all times.

Encryption in Transit: All web, mobile, and internal network traffic is encrypted using modern TLS 1.2 or higher.
Encryption at Rest: Your data is encrypted when stored using industry-standard AES-256 encryption.
Access Control: We enforce strict, role-based access controls and use multi-factor authentication (MFA) for all employees.
Network Security: We utilize robust firewall rules and automatic DDoS mitigation.
Monitoring and Auditing: We maintain centralized logs, employ anomaly detection to spot threats, and conduct regular security assessments.
Incident Response: We have a 24/7 on-call team ready to respond to security incidents. In the event of a data breach, we are committed to providing notification within 72 hours, as required by GDPR.

9. International Data Transfers

Our production data is hosted by default in secure cloud regions. If you are accessing our services from outside your local region, your data will necessarily travel across international borders via the internet. To ensure its protection, we rely on:

Cloud Provider Certifications: Including ISO 27001 and SOC 2.
Standard Contractual Clauses (SCCs): These are included in our service terms with our cloud providers to ensure a GDPR-compliant level of data protection.
Adequacy Decisions: We recognize the mutual adequacy between South Africa's POPIA and the EU's GDPR, which facilitates secure data flows.

10. Data Retention and Deletion

We retain data only for as long as it is needed.

Data Category	Active Retention Period	Post-Deletion Backup Retention
Account Data	For the duration of your active account.	30 days
Uploaded Files	Until you manually delete the file or asset.	30 days
AI Analysis Results	Same as the associated asset.	30 days
Server Logs	90 days for security and troubleshooting.	None
Anonymised Analytics	24 months for trend analysis.	None

When you close your account, we initiate a 30-day grace period. After this period, all your personal data is permanently purged from our production systems and backups, unless we are required by law to retain it for a longer period.

11. Your Rights and Control Over Your Data

You have rights and control over your personal data. Depending on your jurisdiction, you may:

Access: Request a copy of the personal data we hold about you.
Rectify: Ask us to correct any data that is inaccurate or incomplete.
Erase: Request the deletion of your personal data (the "right to be forgotten").
Restrict: Temporarily pause our processing of your data, for example, during a dispute.
Data Portability: Request an export of your data in a common machine-readable format (like JSON or CSV).
Object: Object to our processing of your data where we rely on legitimate interests.
Withdraw Consent: Withdraw your consent at any time for processing activities like analytics cookies or marketing alerts.
Complain: Lodge a complaint with your local data protection authority.

To exercise any of these rights, please email our Data Protection Officer at hello@claimpal.ai. We are committed to responding to all requests within 30 days.

12. Children's Privacy

Our Services are designed for and directed at commercial businesses. They are not intended for use by individuals under the age of 18. We do not knowingly collect data from children. If you believe a minor has provided us with their data, please contact us immediately for its prompt deletion.

13. Automated Decision-Making

Claimpal uses AI to provide powerful suggestions, summaries, and data extraction. However, our service does not make automated decisions that have a legal or significant financial effect on you without human review. You are always in control and can contact our support team to challenge or seek clarification on any AI-generated output.

14. Third-Party Links

Our user interface may contain links to external sites, such as insurer portals or mapping services. These services operate independently and have their own privacy policies. We encourage you to review their policies before sharing any data with them.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect technological advancements, legal requirements, or changes in our practices. If we make a material change, we will:

Notify you via an in-app banner or by email at least 14 days before the new policy takes effect.
Update the "Last Updated" date at the top of this page.

Your continued use of our Services after the effective date will constitute your acceptance of the revised policy.

16. How to Contact Us

For any questions, concerns, or requests related to your data and privacy:

If you reside in the EU/EEA, UK, South Africa, or California, you have the right to lodge a complaint with your respective local supervisory authority (e.g., the Information Regulator in South Africa, the ICO in the UK, or the CPPA in California).

Method	Contact Details
General Inquiries	hello@claimpal.ai
Privacy-Specific Matters	hello@claimpal.ai
Postal Mail	Data Protection Officer, Claimpal (Pty) Ltd., 42 Harley Street, Randburg, Johannesburg 2000, South Africa

Thank you for trusting Claimpal with your data. We are dedicated to protecting it and providing you with a powerful, secure, and transparent service.

This policy was last updated on June 17, 2025
For questions about this policy, please contact hello@claimpal.ai