Privacy Policy
Effective Date: March 11, 2026 | Version: 1.0
Introduction
RenewalFlow is operated by OAZO Technologies Inc. ("OAZO", "we", "us"). We operate an insurance renewal document processing platform that uses artificial intelligence to extract, analyze, and generate insurance renewal documents on behalf of our customers ("Subscribers").
This Privacy Policy describes how we collect, use, disclose, and protect personal information processed through our platform. It applies to all individuals whose personal data is processed through RenewalFlow, including policyholders, employees, dependents, and other data subjects whose information appears in insurance renewal documents.
Roles and Responsibilities
RenewalFlow acts as a data processor on behalf of Subscriber organizations (the data controllers). We process personal data only as instructed by Subscribers and in accordance with our contractual obligations. Subscribers are responsible for ensuring they have lawful authority to share personal data with us for processing.
Types of Data Collected
Insurance Renewal Documents
- Policy renewal forms and schedules
- Benefits booklets and plan summaries
- Rate sheets and premium schedules
Employee Demographics
- Names, dates of birth, and gender
- Employment status and job classifications
- Dependent information (names, relationships, dates of birth)
Health Claims Data
- Claims history summaries (aggregate and individual)
- Benefit utilization data (life, health, dental, disability)
- Loss ratios and trend data
Sensitive Identifiers
- Social Insurance Numbers (SINs) — encrypted at rest using AES-256-GCM with unique initialization vectors and authentication tags for tamper detection
- Employee identification numbers
- Policy and certificate numbers
Account and Usage Data
- User account information (name, email, organization membership)
- Platform usage logs and interaction data
- Chat messages with AI assistants (retained 90 days)
How We Use Personal Data
We process personal data exclusively for the following purposes:
- Document extraction — AI-powered extraction of structured data from uploaded insurance documents
- Renewal analysis — Comparing rates, benefits, and claims data across renewal periods
- Document generation — Producing renewal reports, rate comparisons, and benefit summaries
- Platform operations — Authentication, authorization, audit logging, and error monitoring
We do not sell personal data. We do not use personal data for advertising, profiling, or any purpose unrelated to providing our services.
Data Recipients (Sub-processors)
| Recipient | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude AI) | AI extraction, analysis, and chat | Document content (zero data retention agreement in place) |
| E2B | Sandboxed code execution | Document content (ephemeral sandbox, destroyed after use) |
| Cloudflare R2 | Encrypted document storage | Uploaded files (server-side encrypted) |
| Supabase | Database hosting | All structured data, encrypted SINs |
| Clerk | Authentication | User identity only (no PHI) |
| Vercel | Application hosting | Application code only (no PHI) |
| Axiom | Logging | Redacted logs (PHI automatically stripped) |
| Sentry | Error monitoring | Error data (PHI scrubbed before transmission) |
| Upstash | Job queue and background processing | Job metadata (renewal IDs, no document content) |
| Resend | Email delivery | Email addresses only (no PHI) |
Data Retention
| Data Category | Retention Period |
|---|---|
| Renewal records and extracted fields | 7 years |
| Uploaded documents | 7 years or until Subscriber deletion |
| Chat messages | 90 days |
| Audit logs | 1 year |
| Generated documents | 7 years |
| User accounts | Duration of subscription + 30 days |
Data Subject Rights
Depending on applicable law (PIPEDA, provincial privacy legislation, GDPR where applicable), data subjects may exercise the following rights:
- Access — Request a copy of personal data held about you
- Correction — Request correction of inaccurate personal data
- Deletion — Request erasure, subject to legal retention obligations
- Portability — Receive data in a structured, machine-readable format
- Restriction — Request limitation of processing
- Objection — Object to processing based on legitimate interest
- Withdrawal of consent — Where processing is based on consent
Because RenewalFlow processes data on behalf of Subscribers (as a processor), data subject requests should typically be directed to your Subscriber organization. You may also contact us directly.
Security Measures
- Encryption at rest: AES-256-GCM for sensitive identifiers; server-side encryption for stored documents and database
- Encryption in transit: TLS 1.2+ enforced for all communications
- Access controls: Role-based access (Admin, Agent, Viewer) with multi-tenant data isolation
- Audit logging: All data access and modifications logged with user identity and timestamps
- PHI redaction: Automated identification and redaction of personal health information patterns in all logs
- Ephemeral processing: AI sandbox environments destroyed after each operation
Cookies and Tracking
RenewalFlow uses essential cookies for authentication and session management via Clerk. We use Vercel Analytics and Speed Insights for performance monitoring. We do not use advertising cookies, third-party trackers, or behavioral profiling technologies.
International Data Transfers
RenewalFlow infrastructure is hosted on cloud providers with data centers in North America. Where personal data is transferred outside of Canada, we ensure appropriate safeguards are in place through contractual obligations with our sub-processors. For specific data residency questions, please contact us.
Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to Subscribers via email or in-platform notification. The effective date at the top of this page indicates when the policy was last revised.
Contact
For privacy-related inquiries or data subject requests:
privacy@oazo.ca
For security questions or vulnerability reports:
security@oazo.ca
OAZO Technologies Inc.
Canada