Privacy Policy
Effective Date: April 29, 2026
InsightAlly, Inc. (“InsightAlly,” “we,” “our,” or “us”) is a Texas-based technology company. This Privacy Policy describes how we collect, use, share, and protect information in connection with our website at https://www.insightally.ai/, our software platform, and related services (collectively, the “Services”). By using the Services, you agree to this Policy. If you do not agree, do not use the Services.
Scope: This Policy applies to information we process as a controller (for example, website visitors and prospects). Where InsightAlly processes Protected Health Information (PHI) or other client data on behalf of a customer, we act as a service provider, processor, or HIPAA Business Associate, and our processing is governed by the applicable customer agreement, Data Processing Addendum (DPA), and Business Associate Agreement (BAA). In the event of a conflict between this Policy and a signed DPA or BAA, the DPA or BAA controls.
1. Information We Collect
We collect the following categories of information:
- Information you provide. Name, business email, phone number, employer, job title, billing details, support requests, and any content you submit through forms, demos, or communications with us.
- Information collected automatically. IP address, device identifiers, browser type, operating system, referring URLs, pages viewed, timestamps, and similar usage data, collected through cookies, server logs, and analytics tools.
- Information from third parties. Business contact data from publicly available sources, partners, and authorized referrers, used for sales and account management.
- Customer data and PHI. Data processed through the platform on behalf of our customers, including PHI under HIPAA where applicable. We process this data only as a service provider, processor, or Business Associate under the applicable customer agreement.
We do not knowingly collect Social Security numbers, payment card data, or government identifiers from website visitors. Customer environments may contain such data; in those cases, our handling is governed by the customer agreement.
2. How We Use Information
We use information for the following purposes:
- To provide, operate, secure, and improve the Services.
- To respond to inquiries, provide support, and manage customer relationships.
- To process transactions, billing, and contract administration.
- To send service announcements, security notices, and, where permitted, marketing communications (which you may opt out of at any time).
- To detect, investigate, and prevent fraud, abuse, and security incidents.
- To comply with legal obligations and enforce our agreements.
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We do not use customer data or PHI to train public or third-party AI models. See Section 5 for our AI governance commitments.
3. How We Share Information
We share information only as described below:
- Service providers and subprocessors. Vendors who host, secure, monitor, or support the Services under written contracts that include confidentiality and data protection obligations equivalent to those in this Policy. A current list of subprocessors is available at https://www.insightally.ai/subprocessors or on request to privacy@insightally.ai.
- Customers. Where you interact with the Services on behalf of a customer (for example, an employer or healthcare organization), we share information with that customer as the data controller or covered entity.
- Legal and safety. When required by law, subpoena, or court order; to protect rights, property, or safety; or to investigate suspected violations of our agreements.
- Business transactions. In connection with a merger, acquisition, financing, or sale of assets, subject to confidentiality and continuity of this Policy.
- With your direction. Where you authorize a specific disclosure.
We do not sell personal information, and we have not done so in the preceding 12 months.
4. HIPAA and Protected Health Information
Where the Services involve PHI as defined under HIPAA, InsightAlly operates as a Business Associate. We process PHI only:
- Pursuant to a signed Business Associate Agreement (BAA) with the covered entity or upstream business associate;
- For the purposes permitted by the BAA and the HIPAA Privacy, Security, and Breach Notification Rules; and
- Subject to administrative, physical, and technical safeguards required under 45 CFR Part 164.
We do not use or disclose PHI for marketing, sale, or AI model training. PHI is not subject to the rights described in Section 9; individuals seeking to exercise rights over PHI must contact the applicable covered entity.
5. AI Governance
InsightAlly uses artificial intelligence, including large language models, optical character recognition, and machine learning, to deliver the Services. Our AI commitments:
- No training on customer data. We do not use customer data, PHI, or personal information to train, fine-tune, or improve public or third-party foundation models.
- Model providers as subprocessors. Where we use third-party model providers, they are contracted as subprocessors with zero-retention or no-training terms, and they are listed on our subprocessor page.
- No model retention. PHI and customer data are not retained by model providers beyond the duration required to process a request.
- Internal model development. Where we develop or improve our own models, we use de-identified, aggregated, or synthetic data, or data we are expressly authorized to use under a customer agreement.
- Human review of consequential outputs. AI outputs that materially affect an individual (for example, eligibility, enrollment, or claims decisions) are designed for human review by the customer. Customers are responsible for the final decision and for compliance with applicable laws governing automated decision-making.
- No solely automated decisions with legal effect. InsightAlly is designed to support human-reviewed decision workflows and does not independently execute solely automated decisions that produce legal or similarly significant effects on individuals. Where a customer configures such workflows, the customer is the controller of that decision and is responsible for any required disclosures, opt-outs, and human review under GDPR Article 22, CCPA/CPRA, Colorado AI Act, and similar laws.
6. Security
We maintain a written information security program with administrative, physical, and technical safeguards designed to protect personal information and PHI. Controls include:
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Role-based access control, least-privilege provisioning, and multi-factor authentication for production systems.
- Continuous logging, monitoring, and intrusion detection.
- Vulnerability management, penetration testing, and secure development practices.
- Vendor risk management and subprocessor due diligence.
- Workforce training, background checks, and confidentiality obligations.
- Independent third-party audits including SOC 2 Type II. HIPAA Security Rule controls are mapped to NIST and HITRUST frameworks.
No system is fully secure. We cannot guarantee that information will never be accessed without authorization.
7. Breach Notification
If we discover a breach of unsecured personal information or PHI, we will:
- Notify affected customers without undue delay and in accordance with applicable law and customer agreements.
- Cooperate with covered entities on HIPAA Breach Notification Rule timelines (45 CFR §§ 164.400-414), including providing information necessary for the covered entity’s notifications to individuals, HHS, and media where applicable.
- Notify regulators and individuals directly where required by GDPR (within 72 hours to the supervisory authority), state breach notification laws, or other applicable laws where InsightAlly is the controller.
Notifications will describe the nature of the incident, the categories of data involved, the likely consequences, and the measures taken or proposed to address the incident.
8. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes described in this Policy, comply with legal obligations, resolve disputes, and enforce agreements. Default retention periods:
- Website visitor and analytics data: Retained for 13 months from the date of collection.
- Marketing and prospect contact data: Retained until the individual opts out, and then maintained for an additional 30 days for suppression purposes.
- Customer account and contract data: Retained for the duration of the agreement plus 7 years.
- Customer data and PHI in the platform: Retained according to each customer agreement; by default, data is deleted within 60 days of termination unless a legal hold applies.
- Security logs and audit records: Retained for a minimum of 12 months, or longer if required by law or contract.
- Financial and tax records: Retained for 7 years.
Customers may request earlier deletion of their data. We will return or destroy customer data and PHI in accordance with the applicable customer agreement, BAA, or DPA.
9. Your Privacy Rights
Depending on where you live, you may have the following rights regarding personal information we hold as a controller:
- Access: confirm whether we process your information and obtain a copy.
- Correction: correct inaccurate or incomplete information.
- Deletion: request deletion of your information.
- Portability: receive your information in a portable format.
- Opt-out: opt out of targeted advertising, sale, or profiling that produces legal or similarly significant effects (we do not engage in these activities, but you may submit a request).
- Restriction or objection: limit or object to certain processing.
- Withdraw consent: where processing is based on consent.
- Non-discrimination: we will not discriminate against you for exercising these rights.
How to Exercise Rights
Submit requests to privacy@insightally.ai or through https://www.insightally.ai/privacy-request. We will verify your identity before responding. We will respond within 45 days for CCPA/CPRA and TDPSA requests (extendable by 45 days where reasonably necessary), and within 30 days for GDPR requests (extendable by 60 days for complex requests).
Authorized Agents
California and other state residents may designate an authorized agent to submit requests on their behalf. We will require written authorization and identity verification.
Appeals
If we deny your request, you may appeal by emailing privacy@insightally.ai with the subject line “Privacy Request Appeal.” We will respond within 45 days (Texas, Virginia, Colorado, Connecticut) or 60 days (other applicable states). If we deny your appeal, you may contact your state attorney general.
Information Held on Behalf of Customers
If you are an employee, patient, or end user of an InsightAlly customer, please direct rights requests to that customer. We will assist the customer in responding as required by the customer agreement.
10. State-Specific Disclosures
California (CCPA/CPRA)
In the preceding 12 months, we have collected the following categories of personal information: identifiers, commercial information, internet or network activity, geolocation (general), professional or employment information, and inferences. We collect this information from the sources listed in Section 1 and use and disclose it for the purposes listed in Sections 2 and 3. We do not sell personal information and do not share it for cross-context behavioral advertising. We do not knowingly collect or sell the personal information of consumers under 16. California residents have the rights described in Section 9, including the right to limit use of sensitive personal information (we do not use sensitive personal information for purposes beyond those permitted under CPRA § 7027).
Texas (TDPSA)
Texas residents have the rights described in Section 9. You may appeal a denied request as described above. If your appeal is denied, you may contact the Texas Attorney General at https://www.texasattorneygeneral.gov/.
Virginia, Colorado, Connecticut, Utah, and Other State Laws
Residents of states with comprehensive privacy laws have the rights described in Section 9, subject to the requirements of their respective state laws.
Colorado AI Act and Similar Laws
Where InsightAlly is a developer or deployer of a covered AI system under applicable law, we will provide notices, risk assessments, and documentation as required. Customers configuring AI workflows that make consequential decisions about individuals are responsible for their obligations as deployers.
11. International Transfers
We are headquartered in the United States, and information we collect is processed in the United States. Where required by customer agreement, InsightAlly supports region-specific data handling and transfer controls. For transfers from the European Economic Area, United Kingdom, or Switzerland, we rely on the following safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission, including the UK Addendum where applicable.
- Supplementary technical and organizational measures, including encryption and access controls.
- Transfer impact assessments where required.
You may request a copy of the relevant SCCs by emailing privacy@insightally.ai.
12. Cookies and Tracking
We use cookies and similar technologies to operate the Services, remember preferences, analyze usage, and support marketing. We use the following categories:
- Strictly necessary. Required for the Services to function. Cannot be disabled.
- Functional. Remember preferences and settings.
- Analytics. Help us understand how the Services are used.
- Marketing. Used with your consent where required.
EU/EEA and UK visitors are presented with a consent banner on first visit and may withdraw consent at any time through the cookie preference center. We honor Global Privacy Control (GPC) signals as opt-out requests for sale and sharing under CCPA/CPRA. You may also adjust browser settings to reject cookies; some Services may not function properly without them.
13. Children
The Services are directed to businesses and are not intended for children under 13 (or under 16 in the EU/EEA). We do not knowingly collect personal information from children. If you believe a child has provided information to us, contact privacy@insightally.ai and we will delete it.
14. Changes to This Policy
We may update this Policy from time to time. The “Last Updated” date at the top reflects the most recent revision. Material changes will be communicated through the Services or by email at least 30 days before they take effect, where required. Continued use of the Services after the effective date constitutes acceptance.
15. Contact Us
Questions, requests, and complaints may be directed to:
InsightAlly, Inc.
Attn: Privacy Office
Email: privacy@insightally.ai
Website: https://www.insightally.ai/
Data Protection Officer
Where required, our Data Protection Officer can be reached at dpo@insightally.ai.
