Privacy Policy

ExtractFlow, Inc. (“ExtractFlow,” “we,” “us,” or “our”) provides a Private AI platform for intelligent document processing used by insurance and healthcare carriers and their service partners. This policy explains what information we collect, how we use it, and the choices and rights available to you.

This policy covers two distinct relationships. The first is our public marketing website, where visitors browse our pages, request a demo, or contact our team. The second is the ExtractFlow platform itself, which our customers run to process their own documents. The way we handle information differs between these two settings, and we call out those differences throughout. Where a customer engages us under a separate master services agreement, data processing agreement, or order form, those terms govern our handling of their data and prevail over this policy in the event of a conflict.

We collect the following categories of information, depending on how you interact with us.

Account and contact information. When you request a demo, start an evaluation, or open an account, we collect details such as your name, work email address, company name, job title, and phone number. For provisioned customer accounts we also store the credentials and role assignments needed to authenticate and authorize users.

Usage and telemetry data. We collect operational metadata about how the platform performs, including log timestamps, feature usage counts, error events, throughput, and queue latency. This telemetry describes how the system runs. It does not include the content of the documents being processed.

Customer documents and processing data. Customers submit documents such as claims, policies, medical records, and forms to the platform for extraction and review. These documents, together with any human corrections and approvals made during review, are processed solely on the customer’s instruction and for the customer’s own purposes. For these materials the customer is the data controller and ExtractFlow acts as a processor.

Website data. When you visit our marketing site we collect standard web data such as IP address, browser type, referring page, and pages viewed, as described in the Cookies and analytics section below.

We use the information we collect to:

• Provide, operate, secure, and maintain the platform and our website.
• Authenticate users, manage accounts, and enforce role-based access controls.
• Respond to demo requests, sales inquiries, and support tickets.
• Monitor performance, diagnose errors, and improve the reliability of the service.
• Send service and security notices, and, where permitted, relevant product updates.
• Meet our legal, regulatory, and contractual obligations.

We do not sell personal information, and we do not use customer document content for advertising or for any purpose other than delivering the service the customer has asked us to perform.

ExtractFlow is built as Private AI. This is the core of how the platform handles sensitive data, so we describe it plainly.

Customer documents, extractions, and human corrections are processed inside the customer’s own environment, typically a virtual private cloud (VPC), private cloud, or on-premise deployment that the customer controls. The models that read and extract from documents are self-hosted within that environment.

We do not use customer document content or corrections to train shared or cross-customer models. A model improvement that a customer trains on their own data stays scoped to that customer. No document content is sent to third-party or frontier model APIs. Extraction runs against models that operate inside the customer boundary, so document content does not leave that boundary as part of normal processing.

The operational telemetry described above may flow to ExtractFlow to support monitoring and service health, but that telemetry is metadata about system behavior and does not contain document content. Where a customer requires a fully air-gapped or offline deployment, telemetry can be retained inside the customer environment and shared with us only on the customer’s terms.

We maintain administrative, technical, and physical safeguards designed to protect information against unauthorized access, loss, and misuse. These include:

• Encryption of data in transit using TLS and encryption of data at rest using industry-standard ciphers.
• Role-based access controls and the principle of least privilege for all platform and administrative access.
• Audit logging on extractions, corrections, approvals, and administrative actions.
• Network segmentation, secrets management, and regular vulnerability scanning.
• Background checks, security training, and access reviews for personnel.

Our security program is aligned with ISO 27001 and SOC 2 control frameworks. Current reports and certificates are available to customers and prospects under a non-disclosure agreement on request. No method of transmission or storage is perfectly secure, but we work to protect your information and to respond promptly if an incident occurs.

Many of our healthcare and insurance customers process protected health information (PHI) as defined under the Health Insurance Portability and Accountability Act (HIPAA). For these customers, ExtractFlow will enter into a Business Associate Agreement (BAA) that governs the permitted uses and disclosures of PHI.

Because the platform runs inside the customer’s own environment, PHI contained in documents stays within that environment during processing. ExtractFlow does not receive or store PHI outside the customer boundary as part of normal operation. Where a BAA is in place, our handling of PHI is governed by that agreement together with applicable HIPAA requirements.

We retain account and contact information for as long as your account is active and for the period afterward needed to meet our legal, accounting, and contractual obligations. We retain website and telemetry data for a limited period consistent with operational and security needs, after which it is deleted or aggregated.

Customer documents and processing data are retained according to the retention settings the customer configures and the terms of the customer’s agreement. Because these materials reside in the customer’s environment, the customer controls their retention and deletion. On termination, we follow the agreed-upon process for return or deletion of data.

Depending on where you live, you may have rights over your personal information under laws such as the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended. These may include the right to:

• Access the personal information we hold about you.
• Correct inaccurate or incomplete information.
• Request deletion of your personal information.
• Receive a portable copy of information you provided to us.
• Object to or restrict certain processing.
• Withdraw consent where processing is based on consent.

To exercise these rights, contact us using the details below. We will verify your request and respond within the timeframes required by applicable law, and we will not discriminate against you for exercising your rights. If your personal information sits inside a customer’s document data, where ExtractFlow acts as a processor, we will refer your request to that customer as the controller and support them in responding.

ExtractFlow operates from the United States and may process marketing-site and account information in the United States and other countries where we or our service providers operate. Where we transfer personal information across borders, we rely on lawful transfer mechanisms such as the European Commission’s Standard Contractual Clauses and the UK International Data Transfer Addendum, along with appropriate supplementary measures.

For the platform itself, customer documents are processed inside the customer’s chosen environment and region, so the customer controls where that data is processed and stored.

Our marketing website uses cookies and similar technologies to keep the site working, remember your preferences, and understand how visitors use our pages. We use a small number of analytics tools to measure traffic and improve content. These tools apply only to the marketing site and do not have access to the ExtractFlow platform or to customer documents.

You can control cookies through your browser settings and, where we offer one, through our cookie preferences control. Blocking some cookies may affect how parts of the site function.

We use a limited set of vetted service providers to help run our business, such as cloud hosting for our marketing site, email delivery, customer support tooling, and analytics. These sub-processors act on our instructions under contractual data protection commitments and only receive the information needed to perform their function.

Because customer document processing runs inside the customer’s environment, our marketing and corporate sub-processors do not have access to customer documents. A current list of sub-processors is available to customers on request, and customers receive advance notice of material changes as set out in their agreement.

We may update this policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will update the “Last updated” date above and, where appropriate, provide additional notice. Your continued use of the website or the service after an update takes effect means you accept the revised policy.

If you have questions about this policy or how we handle information, or if you want to exercise your rights, reach our privacy team: