Privacy Policy

Last Updated: February 13, 2026

1. Information We Collect

1.1 Account Information

When you register for an account, we collect:

  • Identity Data: First name, last name, email address
  • Contact Data: Phone number (optional)
  • Organization Data: Group/company name (optional, for Secure File Transfer)
  • Authentication Data: Password (stored only as a one-way hash; see Section 3.1) or OAuth credentials

1.2 Life Insurance Quote Data

When requesting a life insurance quote, we collect:

  • Personal Information: Name, date of birth, gender, height, weight
  • Employment Information: Job title, employer name
  • Health Information: Smoking status, medications, health conditions
  • Family Information: Marital status, spouse details (if applicable), information about children
  • Coverage Preferences: Desired insurance coverage

1.3 OAuth Authentication Data

If you sign in with Google or Microsoft, we receive:

  • From Google: Email, first name, last name, profile picture URL
  • From Microsoft (Personal): Email, first name, last name
  • From Microsoft (Work): Email, first name, last name, company name, job title

Note: We do not receive or store your Google/Microsoft password.

1.4 File Upload Data

When using Secure File Transfer:

  • File Metadata: File name, size, upload timestamp
  • File Content: Documents uploaded to SharePoint
  • Transfer Records: Upload history, SharePoint links

1.5 Technical Data

We automatically collect:

  • Device Information: Browser type, operating system
  • Usage Data: Pages visited, actions taken, session duration
  • Network Data: IP address, geographic location (city/state)
  • Cookies: Session cookies, authentication tokens

2. How We Use Your Information

2.1 To Provide Services

  • Process insurance quote requests
  • Manage your account and authentication
  • Store and organize uploaded files
  • Send email notifications (confirmations, quotes, updates)
  • Enable cross-device quote continuation

2.2 To Communicate With You

  • Respond to your inquiries and support requests
  • Send account-related notifications (email verification, password reset)
  • Provide insurance quotes and policy information
  • Send service updates and important notices

2.3 To Improve Our Services

  • Analyze usage patterns and trends
  • Troubleshoot technical issues
  • Enhance security and prevent fraud
  • Optimize user experience

2.4 Legal and Compliance

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Protect against fraud and abuse
  • Maintain business records

3. How We Store and Protect Your Data

3.1 Data Storage

  • User Data: Stored in Azure SQL Database (encrypted at rest)
  • Files: Stored in Microsoft SharePoint Online (encrypted in transit and at rest)
  • Passwords: One-way hashed using industry-standard algorithms
  • OAuth Tokens: Securely stored using ASP.NET Identity

3.2 Security Measures

  • Encryption: HTTPS/TLS for all data transmission
  • Access Control: Role-based access restrictions
  • Authentication: Multi-factor authentication support
  • Monitoring: Continuous security monitoring and logging
  • Backups: Regular automated backups

3.3 Data Location

Your data is stored in:

  • Primary: Microsoft Azure (United States)
  • Files: Microsoft SharePoint Online (United States)

3A. HIPAA Compliance and Health Information

3A.1 Health Information We Collect

When you request a life insurance quote, we collect health information including:

  • Medical conditions and diagnoses
  • Medications and treatments
  • Smoking status and health habits
  • Height, weight, and biometric data
  • Family medical history

3A.2 HIPAA Safeguards

We implement administrative, physical, and technical safeguards to protect your health information:

  • Administrative Safeguards:
    • Staff training on privacy and security
    • Access limited to authorized personnel only
    • Regular security risk assessments
    • Incident response procedures
  • Physical Safeguards:
    • Secure data centers (Microsoft Azure)
    • Access controls to facilities
    • Workstation security
  • Technical Safeguards:
    • Encryption of data in transit (HTTPS/TLS 1.3)
    • Encryption of data at rest (AES-256)
    • Audit controls and logging
    • Automatic logoff after inactivity
    • Unique user identification

3A.3 Business Associate Agreements

We maintain Business Associate Agreements (BAAs) with our service providers who may access protected health information:

  • Microsoft Azure (data storage)
  • Microsoft SharePoint (file storage)
  • Insurance carriers (quote processing)

3A.4 Your HIPAA Rights

Under HIPAA, you have the right to:

  • Access: Obtain a copy of your health information
  • Amendment: Request corrections to your health information
  • Accounting: Receive an accounting of disclosures
  • Restriction: Request restrictions on use and disclosure
  • Confidential Communication: Request communications by alternative means
  • Notice: Receive a copy of this privacy notice

3A.5 Breach Notification

In the event of a breach of unsecured protected health information, we will notify affected individuals within 60 days as required by HIPAA.

4. Data Sharing and Disclosure

4.1 We Share Your Data With:

  • Insurance Carriers: To process quote requests and applications
  • Service Providers: Microsoft (Azure, SharePoint, Graph API)
  • Legal Authorities: When required by law or legal process

4.2 We Do NOT:

  • Sell your personal information to third parties
  • Share your data for advertising purposes
  • Provide your information to unaffiliated third parties without consent

5. Cookies and Tracking Technologies

5.1 Cookies We Use

  • Essential Cookies: Required for authentication and security
  • Session Cookies: Maintain your login state
  • Preference Cookies: Remember your settings

5.2 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may prevent you from using certain features.

6. Your Privacy Rights

6.1 Access and Correction

You have the right to:

  • Access your personal information
  • Correct inaccurate data
  • Update your account information

6.2 Data Portability

You can request a copy of your data in a portable format.

6.3 Deletion

You can request deletion of your account and personal data, subject to:

  • Legal retention requirements
  • Legitimate business purposes
  • Outstanding obligations or disputes

6.4 Opt-Out

You can opt out of:

  • Marketing emails (via unsubscribe link)
  • Non-essential communications

Note: You cannot opt out of essential service notifications (e.g., security alerts, account changes).

7. Data Retention

We retain your data for as long as:

  • Your account is active
  • Needed to provide services
  • Required by law (typically 7 years for financial records)
  • Necessary for legitimate business purposes

After the retention period, we securely delete or anonymize your data.

8. Children's Privacy

Our Services are not intended for children under 13 years of age. We do not knowingly collect personal information from children. If you believe we have inadvertently collected such information, please contact us immediately.

8A. State-Specific Privacy Rights

We operate in multiple states, each with specific privacy and insurance regulations:

8A.1 New York

  • NY Insurance Regulation 23 NYCRR 500: Enhanced cybersecurity requirements for financial services companies
  • Data Security: Multi-factor authentication, encryption, and annual penetration testing
  • Breach Notification: Must notify NY Department of Financial Services within 72 hours of breach
  • Consumer Rights: Right to access and correct personal information

8A.2 Pennsylvania

  • PA Breach of Personal Information Notification Act: Notification required without unreasonable delay
  • Insurance Information Privacy: Right to access insurance records and request corrections
  • Data Security: Reasonable security measures required to protect personal information

8A.3 Delaware

  • DE Data Breach Notification Law: Notice must be provided without unreasonable delay
  • Insurance Privacy: Regulated under Delaware Insurance Code
  • Consumer Rights: Right to opt out of information sharing with non-affiliates

8A.4 New Jersey

  • NJ Insurance Information and Privacy Protection Act: Strict requirements for handling insurance information
  • Breach Notification: Notice required "in the most expedient time possible"
  • Consumer Access: Right to access personal information collected by insurers
  • Marketing Restrictions: Opt-out rights for marketing communications

8A.5 Florida

  • FL Information Protection Act: Security measures required for personal information
  • Breach Notification: Notice within 30 days of determination of breach
  • Insurance Code: Regulated under Florida Insurance Code Chapter 626
  • Consumer Rights: Right to request disclosure of personal information practices

8A.6 Multi-State Compliance

We comply with the most stringent requirements across all states we operate in, including:

  • Fastest notification timelines (72 hours when required)
  • Strongest data security measures
  • Broadest consumer rights
  • Strictest opt-out provisions

8A.7 Additional State Rights

Depending on your state of residence, you may have additional rights including:

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt out of the sale of personal information
  • Right to deletion of personal information
  • Right to non-discrimination for exercising privacy rights

9. Third-Party Services

9.1 OAuth Providers

When you use Google or Microsoft sign-in:

  • You are subject to their privacy policies
  • We receive only the data you authorize
  • You can revoke access at any time through your Google/Microsoft account

9.2 Microsoft Services

We use Microsoft Azure and SharePoint:

9.3 Google Services

If you use Google sign-in:

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be effective immediately upon posting. We will notify you of significant changes via:

  • Email notification
  • Notice on our website

Your continued use of our Services after changes constitutes acceptance of the updated policy.

11. Contact Us About Privacy

If you have questions, concerns, or requests regarding your privacy:

General Inquiries:

Privacy Requests:

Mailing Address:

Nester Insurance
Attn: Privacy Officer
313 West Ridge Pike, 2nd Floor
Limerick, PA 19468