Privacy Policy
Terms and Conditions
These Terms and Conditions govern your use of Strala Group's website and services. By accessing and using our website, you acknowledge and agree to these terms. Strala Group provides Third Party Administrator (TPA) services for insurance claims processing, and while this website offers information about these services, specific service arrangements are subject to separate contractual agreements.
Privacy Policy
This Notice describes how we process personal information in two contexts: (1) Website & Business Operations (visitors, prospects, vendors) and (2) Claims Processing Services we provide as an AI-native third-party administrator (TPA) for Property & Casualty insurers. Where our contracts with customers (“Customer Agreements”) differ from this Notice, the contract controls.
We maintain SOC 2 Type II–aligned controls and operate a HIPAA-aligned program for relevant lines of business. See Security and AI Use & Data Governance Addendum for details.
1) Categories of Data We Process
A. Website & Business Operations
- Identifiers & contact data: name, email, phone, employer, role.
- Commercial info & preferences: meeting history, demo interests.
- Internet/technical: IP, device identifiers, pages viewed, referrers, basic analytics and cookie data.
- Communications: emails, support chats, form submissions.
- Recruiting: CV/resume and interview notes (if you apply).
B. Claims Processing Services (on behalf of Customers)
Processed under Customer instructions and contracts; typically includes:
- Policy & claim data: policy numbers, claim numbers, loss details, coverage info.
- Identity & contact: insureds, claimants, adjusters, witnesses.
- Financial & payment data: payout instructions, invoices, ledgers.
- Medical/incident artifacts (where applicable): reports, images, bills, notes (may contain PHI).
- Digital artifacts: call recordings/transcripts, photos, videos, documents, metadata.
- System/operational logs: access logs, workflow events, audit trails, model inference logs.
2) Sources
- You (website forms, email, support, calls).
- Our Customers and their systems (FNOL feeds, core systems, TPAs, vendors).
- Authorized third parties (e.g., data enrichment consistent with claims handling).
- Automated collection on our sites and platforms (cookies, logs).
3) How We Use Data (Purposes)
Website & Business Operations
- Provide, secure, and improve the website and services.
- Respond to inquiries, demos, and support requests.
- Marketing with consent or as permitted by law (you can opt out).
- Compliance, auditing, fraud detection, and safety.
Claims Processing Services (Processor/Service Provider role)
- Perform end-to-end claims intake, investigation, adjudication, and payment.
- Quality assurance, auditability, and dispute resolution.
- Security monitoring, incident detection, and prevention.
- Model-assisted workflows (see Addendum): classification, extraction, summarization, decision support, under strict governance and contractual limits.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising.
4) Legal Bases / Role
- For Website & Business Operations, we act as Controller/Business under US state privacy laws (and as Controller under GDPR if applicable).
- For Claims Processing Services, we act as Processor/Service Provider to our Customer (the insurer). We process only on documented instructions and per the Customer Agreement and Data Protection Addendum.
5) Retention
We retain data only as long as necessary for the purposes above, to meet legal/regulatory requirements, to maintain security/auditability, or as otherwise agreed with Customers. Defaults (subject to Customer or legal override):
- Claim files & artifacts: 7 years after claim closure (or longer if required by applicable P&C retention rules or litigation hold).
- Payment/financial records: 7 years (tax/audit requirements).
- Call recordings/transcripts used in claims: align with claim file, 7 years after closure (or per Customer spec).
- System & security logs (platform): 12 months rolling.
- Model inference logs/prompts (service environment): 90 days (for safety, quality audit, and incident response), then delete or de-identify.
- Support tickets: 3 years after last activity.
- Website analytics & cookies: 13 months (or shorter where required).
- Recruiting data: 2 years (unless local law requires otherwise or candidate requests deletion sooner).
Where we process data for a Customer, we will return or delete data at contract end per the Customer Agreement, subject to legally required retention and archival security controls.
6) Disclosures & Subprocessors
We may disclose personal information to:
- Customers (and their designees) to perform claims services.
- Authorized subprocessors that host, process, or support our services (e.g., cloud infrastructure, secure communication tools, document OCR/ASR/NLP, ticketing). We perform security and privacy due diligence, maintain written contracts, impose confidentiality, and restrict use to our documented purposes.
- Professional advisors (legal, audit) under confidentiality.
- Authorities when required by law or to protect rights, safety, and security.
- Corporate transactions (merger, acquisition) with appropriate safeguards.
Data Residency: By default, we provision services and store Customer production data in U.S. regions. Customer-approved cross-border transfers (if any) follow applicable law and contract.
We maintain a current list of material subprocessors and will provide notice of material changes per contract. Contact us to request the list.
7) Security
We maintain an information security program aligned to SOC 2 Type II controls and HIPAA requirements where applicable, including:
- Governance, risk, and compliance program with executive oversight.
- Access controls & least-privilege (MFA, SSO, role-based access).
- Encryption in transit and at rest; key management.
- Network security, vulnerability management, and penetration testing.
- Secure software development lifecycle and change management.
- Vendor risk management and subprocessor oversight.
- Audit logging, monitoring, and incident response.
- Workforce security, background checks (as appropriate), and training.
Security details and reports may be shared under NDA.
8) Cookies and Tracking
We use strictly necessary cookies for site operation and optional analytics cookies to understand site usage. You can manage preferences via our cookie banner or browser settings. We do not use cross-context behavioral advertising cookies.
9) Your Privacy Rights
Depending on your location, you may have rights to:
- Access and port your data.
- Correct inaccuracies.
- Delete your data.
- Opt out of sale or sharing for cross-context behavioral advertising (we do not sell or share) and certain profiling for decisions producing legal or similarly significant effects (see Addendum).
- Non-discrimination for exercising your rights.
How to exercise: email info@strala.ai. We will verify your request and respond within applicable timelines. Authorized agents may submit requests with proof of authority.
10) Changes to This Notice
We may update this Notice from time to time. Material changes will be posted on this page with a new effective date, and, where required, we will notify you.
11) AI Use & Data Governance Addendum
This Addendum explains how we use AI/ML within our services and our commitments regarding model governance.
A1) Model Training & Fine-Tuning
- No training on Customer data by Strala. Strala does not train or fine-tune Strala-owned models on Customer-provided claims data (including PHI/PII/PCI, documents, call audio, or logs) unless explicitly authorized in a signed agreement.
- Third-party model providers. We use vetted AI vendors under written contracts that prohibit use of Customer data for their own model training or product improvement by default, or we configure the service so that Customer data is excluded. Where a vendor’s default terms differ, we obtain contractual assurances or disable data retention/training features. Vendor access is limited to providing the contracted functionality.
If any workflow requires vendor retention for safety/abuse mitigation, we restrict retention to the minimum necessary duration, enforce encryption, and disable training use.
A2) De-identification & Evaluation
- We may use de-identified or aggregated data for quality assurance, safety evaluation, benchmarking, and service improvement, with controls to prevent re-identification.
- De-identification follows recognized standards (e.g., HIPAA Safe Harbor or Expert Determination methodologies where applicable) and internal governance (documented transformations, re-identification risk assessments for certain datasets, periodic testing).
- We do not attempt to re-identify de-identified data and contractually prohibit subprocessors from doing so.
A3) Inference, Human-in-the-Loop, and Explainability
- AI assists claims workflows (e.g., document ingestion, triage, extraction, summarization, fraud/risk signals, and decision support).
- Qualified personnel oversee outcomes and retain authority for determinations that produce legal or similarly significant effects (e.g., coverage decisions and payment approvals), unless explicitly delegated by the Customer.
- We record audit trails for AI-assisted steps where feasible (inputs, outputs, reviewer identity, decision outcome).
A4) Profiling & Automated Decisions
- We do not engage in automated decision-making that produces legal or similarly significant effects without human oversight from Strala or the Customer. Customers may configure decision thresholds; our default posture enforces review for consequential outcomes.
A5) Data Residency & Isolation
- Production Customer data is stored and processed in U.S. regions by default. Environment-level isolation, access controls, and encryption are enforced. Non-production use of Customer data (e.g., testing) requires written authorization and de-identification unless otherwise agreed.
A6) Logging & Retention (AI Context)
- Inference logs/prompts (service environment): retained 90 days for safety, abuse detection, and QA, then deleted or de-identified.
- Model artifacts (if any): no Customer data incorporated unless expressly permitted by contract.
A7) Vendor Oversight
- We conduct security/privacy due diligence and DPIAs (where required) on AI vendors and maintain a subprocessor register.
- Contracts include confidentiality, purpose limitation, no training, security, and deletion obligations.
- We monitor for material changes and will provide Customer notice where required.
Contact Terms
For questions about these Terms and Conditions, contact us at info@strala.ai.
