Draft — pending legal review. Do not deploy to production without counsel review.

Privacy Policy

Last updated: April 26, 2026

1. Who we are

edi.chat LLC (“edi.chat,” “we,” “us,” or “our”) operates PolicyClear (the “Service”) at policyclear.io. This Privacy Policy explains how we collect, use, disclose, and protect information when you use the Service.

Business address: [TODO — registered business address]

Contact: support@policyclear.io

2. Summary

This summary is for orientation only; the full policy below governs.

  • We collect your email, the insurance policy PDF you upload, payment information (processed by Stripe), and the report we generate.
  • We delete your policy file within 24 hours of analysis. We retain your report until you request deletion or for 12 months, whichever comes first.
  • Your data is never used to train AI models, never combined with other customers’ data, and never sold or shared for marketing.
  • You can request deletion of your data at any time by emailing support@policyclear.io. We honor verified requests within 30 days.

3. Information we collect

3.1 Information you provide

  • Email address — collected at upload and used for report delivery and account-related communication.
  • Policy file — the commercial cyber insurance PDF you upload for analysis.
  • Payment information — processed by Stripe. We do not see or store full card details. Stripe shares limited transaction metadata with us (e.g., last four digits of the card, payment status, billing email).

3.2 Information generated by use of the Service

  • Extracted policy text — text content extracted from your uploaded PDF, used as input to the analysis.
  • Generated report — the structured analysis we produce from your policy.

3.3 Information collected automatically

  • Server logs — IP address, request timestamps, user agent, and similar technical information collected by our hosting provider for security and operational purposes. Retained for a limited period (typically 30 days).

We do not use cookies, web analytics, or tracking pixels at this time. If we add them in the future, we will update this Privacy Policy before doing so.

4. How we use information

We use the information we collect to:

  • Generate and deliver your report.
  • Process your payment.
  • Provide customer support.
  • Investigate abuse, prevent fraud, and protect the security of the Service.
  • Improve the Service, including limited review of failed analyses by authorized engineering personnel under confidentiality.
  • Comply with legal obligations (e.g., tax and accounting recordkeeping).

5. Data retention

| Data | Retention |
|------|-----------|
| Policy PDF | Deleted within 24 hours of analysis |
| Extracted policy text | Deleted with the PDF |
| Generated report | Retained until you request deletion or for 12 months, whichever comes first |
| Email address and payment metadata | Retained as required by tax and accounting law (typically up to 7 years) |
| Server logs | Limited period, typically 30 days |

You can request earlier deletion of any of this data at any time. See Section 9.

6. AI processing

We send the extracted text of your policy to Anthropic’s commercial API to generate the analysis. Anthropic’s commercial API does not train its models on customer inputs. Your policy text:

  • is processed in isolation,
  • is never combined with other customers’ data,
  • is never used to train AI models, and
  • is never sold or shared for marketing.

If we change AI providers in the future, we will update this section and ensure equivalent commitments are in place before any change takes effect.

7. Service providers (subprocessors)

We use the following service providers to operate the Service. They process data on our behalf under contract and only for the purposes listed:

| Provider | Purpose | Data processed |
|----------|---------|----------------|
| Stripe | Payment processing | Email, payment information |
| Supabase | Database and file storage | Email, policy file, generated report |
| Anthropic | AI analysis | Extracted policy text |
| Resend | Email delivery | Email address, report content |
| Vercel | Application hosting | All request data passing through the Service |

Each provider is bound by its own privacy policy and applicable data processing agreement. We will update this list when subprocessors change.

8. Encryption and security

  • Files are encrypted in transit using TLS 1.2 or higher.
  • Files are encrypted at rest using AES-256 via our storage provider’s managed encryption.
  • Access to customer data is limited to authorized personnel for debugging, abuse investigation, and service improvement, subject to confidentiality obligations.
  • We do not sell, trade, or share your data with third parties for their own marketing purposes.

No method of electronic transmission or storage is completely secure. While we use reasonable measures to protect your information, we cannot guarantee absolute security.

9. Your rights and choices

You have the right to:

  • Request access to the personal information we hold about you.
  • Request correction of inaccurate information.
  • Request deletion of your data, including any retained policy report.
  • Object to processing in certain circumstances.

To exercise any of these rights, email support@policyclear.io. We will respond to and honor verified requests within 30 days.

Depending on your state of residence (e.g., California, Colorado, Connecticut, Virginia, Utah), you may have additional rights under state privacy law. [TODO — counsel to add specific state-law disclosures.]

10. Children's privacy

The Service is intended for business users and is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, contact support@policyclear.io and we will delete it.

11. Changes to this policy

We may update this Privacy Policy from time to time. The “Last updated” date at the top reflects the most recent revision. Material changes will be communicated by email to active customers.

12. Governing law

This Privacy Policy and any disputes arising under it are governed by the laws of the State of Georgia, United States, without regard to its conflict-of-laws principles. [TODO — counsel to confirm specific jurisdictional language.]

13. Contact

edi.chat LLC

[TODO — registered business address]

Email: support@policyclear.io