COIflow← Back to home
Legal · Last updated June 10, 2026

Privacy Policy

This Privacy Policy describes how COIflow, Inc. (“COIflow,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects information in connection with the COIflow software-as-a-service platform, websites, mobile experiences, APIs, and related services (collectively, the “Service”). By accessing or using the Service, you acknowledge that you have read and understood this Policy.

COIflow is a business-to-business tool used by licensed insurance agencies and their authorized counterparties (e.g., insureds, vendors, general contractors, and policyholders) to automate the lifecycle of certificates of insurance (“COIs”), including ingestion, parsing, verification, chasing, storage, and reporting. The Service is not directed to consumers or to children, and COIflow does not knowingly process personal information of any individual under the age of eighteen.

1. Roles and Responsibilities

For information uploaded, forwarded, or otherwise submitted to the Service by or on behalf of an agency customer (a “Customer”), the Customer is the controller (or business) and COIflow acts as a processor (or service provider) operating on the Customer’s documented instructions. COIflow acts as an independent controller solely for information it collects directly to operate, secure, market, and improve the Service (for example, account credentials, usage analytics, and support communications).

2. Information We Collect

2.1 Information you provide

  • Account data: name, business email, agency name, role, telephone, password hashes, multi-factor authentication factors.
  • Billing data: payment card last-four, billing address, tax identifiers, and transaction history processed through our payment processor.
  • Customer Content: COIs, ACORD forms, endorsement pages, policy declarations, requirement profiles, communication templates, vendor/insured contact records, and any related metadata you submit.
  • Support and feedback you send to us, including attachments.

2.2 Information collected automatically

  • Device, browser, IP address, language, time zone, referring/exit pages, and approximate geolocation.
  • Product telemetry: feature use, parse times, queue depth, error events, and audit-log entries created by your actions.
  • Cookies and similar technologies as described in our cookie banner and Section 9.

2.3 Information from third parties

  • Authentication providers (e.g., Google) where you elect to use SSO.
  • Email service providers, when documents are forwarded to your COIflow intake address.
  • Payment processors, fraud-prevention vendors, and identity-verification partners.

3. How We Use Information

  • To provide, maintain, secure, and improve the Service, including parsing COIs, verifying against requirements, and triggering automated chases.
  • To authenticate users, prevent fraud and abuse, and enforce our agreements.
  • To bill, collect, and reconcile payments.
  • To provide support, send service notices, and respond to legal requests.
  • To produce de-identified or aggregated analytics that do not identify any individual or Customer.
  • To comply with applicable law, including insurance, anti-money-laundering, and tax obligations.

We do not sell personal information and we do not use Customer Content to train third-party generative AI models. Limited, narrowly scoped use of machine-learning models within the Service to read and classify COIs is performed under contracts that prohibit re-use of Customer Content for model training outside the Service.

4. Legal Bases (EEA/UK)

Where the GDPR or UK GDPR applies, we rely on the following bases: performance of a contract (to deliver the Service), legitimate interests (to secure, improve, and market the Service in a balanced way), legal obligation, and, where required, consent (which you may withdraw at any time).

5. How We Share Information

  • Sub-processors: cloud hosting, database, email delivery, document storage, payment processing, error monitoring, and customer-support providers, each bound by written confidentiality and data-protection terms. A current list is available on request.
  • Customer-directed sharing: recipients you select inside the Service, including vendors, insureds, and counterparties accessing client portals or magic-link uploads.
  • Corporate transactions: in connection with a merger, financing, acquisition, reorganization, or sale of assets, subject to confidentiality.
  • Legal and safety: to comply with law, valid legal process, or to protect the rights, property, or safety of COIflow, our users, or others.

6. International Transfers

COIflow is operated from the United States. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses, the UK Addendum, or other lawful transfer mechanisms, supplemented where required by additional safeguards.

7. Retention

COIflow retains Customer Content for the duration of the applicable subscription and for a commercially reasonable period thereafter to support audit, dispute resolution, and legal compliance, typically up to seven (7) years for documents and audit logs given the long-tail nature of insurance E&O claims. Account and billing records are retained for the period required by applicable law. Backups are retained on rolling cycles and may persist briefly after deletion from primary storage.

8. Your Rights

Depending on your jurisdiction, you may have rights to access, correct, delete, restrict, or port personal data we hold about you, to object to certain processing, or to lodge a complaint with a supervisory authority. To exercise rights with respect to Customer Content, please contact the Customer (your agency); for information COIflow controls directly, contact hello@coiflow.app. We will respond within the timeframes required by applicable law. California residents may exercise rights under the CCPA/CPRA and will not be discriminated against for doing so.

9. Cookies and Tracking

We use strictly necessary cookies to operate the Service and a limited set of analytics and product-telemetry cookies. You may control cookies through your browser settings; disabling required cookies may impair the Service. We honor Global Privacy Control signals where required by law.

10. Security

COIflow implements administrative, technical, and physical safeguards designed to protect information as described in our Data Security page. No system is perfectly secure, and we cannot guarantee absolute security. You are responsible for safeguarding your credentials and for promptly notifying us of any suspected unauthorized access.

11. Changes to this Policy

We may update this Policy from time to time. Material changes will be communicated through the Service or by email. Continued use of the Service after the effective date constitutes acceptance.

12. Contact

COIflow, Inc. — Attn: Privacy. Email hello@coiflow.app.

Questions? Email hello@coiflow.app.