Privacy Policy

Effective: April 15, 2026·Version 1.2

This Privacy Policy describes how Inori ("Inori," "we," "us," or "our") collects, uses, and discloses information when you use our certificate of insurance compliance platform and related services (the "Service").

Information We Collect

Account Information. When you create an account, we collect your name, email address, organization name, and role within your organization.

Certificate Data. When you or your vendors upload certificates of insurance, we process the document content to extract coverage details, limits, endorsements, dates, and certificate holder information. This data is used solely for compliance analysis.

Usage Data. We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, and IP address.

Payment Information. If you subscribe to a paid plan, payment details are collected and processed by our payment processor, Stripe. We do not store full credit card numbers on our servers.

How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve the Service.
Analyze uploaded certificates for compliance with your configured requirements.
Send transactional emails (verification, invitations, notifications, and reports).
Monitor usage for billing and capacity planning.
Detect, prevent, and respond to security incidents.

Third-Party Service Providers

We share data with third-party providers only as necessary to operate the Service:

Stripe — Payment processing.
Anthropic — AI-powered certificate analysis (document content only, not account data).
Google Cloud Platform (Firebase) — Application hosting and delivery.
Google Cloud Platform (Firestore) — Database hosting.

We do not sell your personal information to third parties.

AI Processing

Certificates you upload are processed by Anthropic's Claude AI for data extraction and compliance analysis. Your documents are not used to train AI models. Processing is ephemeral — the AI receives the document content for analysis and returns structured data. Only the extracted structured data (field values, coverage amounts, dates) is retained in our database. The original document is stored in encrypted cloud storage and is accessible only to your organization's administrators.

Data Retention

We retain your account data for as long as your account is active. When you delete your account from within the platform, all tenant-scoped data is immediately soft-deleted (hidden from the dashboard and from any API response) and a hard purge is automatically scheduled for 90 days from the deletion date. At the scheduled time, an automated daily job performs a physical DELETE across every table containing your data. Billing records retained by our payment processor (Stripe) for U.S. tax and fraud-prevention obligations are the only exception — those records are retained for the period required by law and are outside the scope of the hard purge.

You may request earlier deletion by contacting support. After the hard purge, only a cryptographic hash of your tenant identifier plus the action performed ("hard_purge") is retained in a separate audit ledger for record-of-processing purposes (GDPR Art. 30 / CCPA §1798.130) — no personal information remains.

Your Rights

Depending on your jurisdiction, you may have the right to:

Access the personal information we hold about you.
Correct inaccurate or incomplete information.
Delete your personal information, subject to legal retention requirements.
Export your data in a portable format.
Opt out of non-essential communications.

CCPA / CPRA (California). California residents may request disclosure of the categories and specific pieces of personal information collected, and may request deletion of personal information. We do not sell or share personal information as defined by the CCPA.

Global Privacy Control (GPC). We honor the Global Privacy Control signal as a valid opt-out of sale or sharing of personal information. Browsers or extensions that send the Sec-GPC: 1 header will see their preference automatically persisted for 12 months. When present, our analytics (PostHog) and error-monitoring (Sentry) providers are disabled for that session, and responses include an X-GPC-Honored: true header for verification.

GDPR (European Economic Area). Inori is a U.S.-based service primarily intended for U.S. customers. We do not actively target EU residents. If you are located in the EEA and choose to use the Service, our lawful basis for processing is contractual necessity and legitimate interest; data transfers to the United States are covered by Standard Contractual Clauses (SCCs) where applicable. You retain rights to restrict processing, object, and lodge a complaint with a supervisory authority.

To submit a data rights request, use the self-service form in Settings → Privacy, or email ask@askinori.com with the subject line "Privacy Request — [type]". We respond within 30 days.

U.S. State Privacy Rights

The following disclosures apply to residents of U.S. states with comprehensive privacy laws. In all cases, you may exercise your rights via Settings → Privacy or by emailing ask@askinori.com. Inori applies California (CCPA/CPRA) protections by default to residents of any U.S. state not explicitly listed below — this is an intentional "most-restrictive" posture consistent with our principle that over-compliance is preferable to under-compliance.

California (CCPA / CPRA — Cal. Civ. Code § 1798.100 et seq.)

California residents have seven rights under CCPA as amended by CPRA:

Right to know — request disclosure of the categories and specific pieces of personal information collected, the categories of sources, the business purposes for collection, and the categories of third parties with whom the information is shared
Right to correct — request correction of inaccurate personal information
Right to delete — request deletion of personal information, subject to legal retention exceptions
Right to portability — receive personal information in a structured, commonly-used, machine-readable format
Right to opt out of sale or sharing — Inori does not sell personal information and does not share it for cross-context behavioral advertising
Right to limit use of sensitive personal information — Inori does not use sensitive personal information beyond the purposes disclosed in this policy
Right to non-discrimination — we will not discriminate against you for exercising any CCPA right

Global Privacy Control (GPC): Inori honors the GPC browser signal (Sec-GPC: 1) as a valid opt-out of sale or sharing of personal information, per CCPA § 1798.135(b). The signal is persisted via a 12-month cookie and our analytics/error-monitoring providers (PostHog, Sentry) are automatically disabled for GPC-enabled sessions.

Cure period: Zero. California's CCPA cure period expired on January 1, 2023. Inori treats all CCPA violations as requiring immediate remediation.

Response time: 45 days, extendable once by 45 days for complex requests. Authorized agents may submit requests on behalf of consumers with written permission.

Virginia (CDPA — Va. Code § 59.1-575 et seq.)

Virginia residents have the right to: (1) confirm whether we process personal data about you; (2) access that data; (3) correct inaccuracies; (4) delete personal data you provided or we collected; (5) obtain a portable copy; and (6) opt out of targeted advertising, sale of personal data, or profiling for consequential decisions. To appeal a denied request, email ask@askinori.com with subject "CDPA Appeal." We respond within 45 days (extendable once).

Colorado (CPA — C.R.S. § 6-1-1301 et seq.)

Colorado residents have the same six rights as Virginia residents above. Inori does not engage in targeted advertising as defined by the CPA. Appeals must be submitted within 45 days of our denial and are resolved within 45 days (extendable once by 60 days for complex requests).

Connecticut (CTDPA — Conn. Gen. Stat. § 42-515 et seq.)

Connecticut residents have rights to access, correct, delete, portability, and opt out of targeted advertising and sale. We respond within 45 days. Appeal window: 60 days from denial.

Utah (UCPA — Utah Code § 13-61-101 et seq.)

Utah residents have rights to confirm processing, access, delete personal data you provided, and obtain a portable copy. We respond within 45 days.

Texas (TDPSA — Tex. Bus. & Com. Code § 541.001 et seq.)

Texas residents have rights to access, correct, delete, and portability. Inori does not sell sensitive data or engage in targeted advertising. We respond within 45 days.

New York (NY SHIELD Act — N.Y. Gen. Bus. Law § 899-aa)

We maintain reasonable administrative, technical, and physical safeguards to protect your private information as required by the SHIELD Act. In the event of a breach of private information, we will notify affected New York residents without unreasonable delay and in the most expedient time possible, consistent with the legitimate needs of law enforcement.

Massachusetts (201 CMR 17.00 — WISP)

Inori maintains a Written Information Security Program (WISP) covering administrative, technical, and physical safeguards for personal information of Massachusetts residents. Key controls include: encryption of personal information transmitted over public networks and stored on laptops and portable devices; access controls limited to those with a business need; regular security training for personnel handling personal information; and an incident response plan. Our WISP is reviewed annually. Requests for a summary of our security measures may be directed to ask@askinori.com.

Florida (FDBR — Fla. Stat. § 501.701 et seq.)

Florida residents have rights to confirm processing, access, correct, delete, portability, and opt out of targeted advertising, sale, and profiling. Inori is not a "controller" under FDBR's $1B revenue threshold, so these rights are extended voluntarily. We respond within 45 days.

Oregon (OCPA — Or. Rev. Stat. § 646A.570 et seq.)

Oregon residents have rights to confirm, access (including a list of specific third parties that received your personal data), correct, delete, portability, and opt out of targeted advertising, sale, and profiling. We respond within 45 days. Cure period expired January 1, 2026 — violations are enforced without cure.

Montana (MCDPA — Mont. Code § 30-14-2801 et seq.)

Montana residents have the standard six rights (confirm, access, correct, delete, portability, opt out of targeted advertising/sale/profiling). We respond within 45 days.

Indiana (INCDPA — Ind. Code § 24-15-1-1 et seq.)

Indiana residents will have rights to access, correct, delete, portability, and opt out effective January 1, 2026. INCDPA does not include a right to correction for certain categories. Cure period: 30 days.

Tennessee (TIPA — Tenn. Code § 47-18-3201 et seq.)

Tennessee residents have rights to access, correct, delete, portability, and opt out. TIPA provides an NIST CSF-based affirmative defense. Cure period: 60 days.

Delaware (DPDPA — Del. Code § 12D et seq.)

Delaware residents have rights to access, correct, delete, portability, and opt out of targeted advertising, sale, and profiling. Inori honors Universal Opt-Out Mechanisms (including GPC). We respond within 45 days.

Iowa (Iowa CDPA — Iowa Code § 715D)

Iowa residents have rights to confirm processing, access, delete, and portability. Notable: Iowa does not grant a right to correction. Response window: 90 days (longest in the U.S.). Cure period: 90 days active.

Nebraska (NDPA — Neb. Rev. Stat. § 87-1101 et seq.)

Nebraska residents have the standard six rights. We respond within 45 days. Cure period: 30 days (permanent, not sunset).

Maryland (MODPA — Md. Code § 14-4601 et seq.)

Maryland residents have enhanced rights under MODPA, including the strictest data minimization standard in the U.S. Inori limits collection to what is "reasonably necessary and proportionate" for the specific services requested, per MODPA § 14-4607. We do not sell personal data and do not process sensitive data without explicit consent. We respond within 45 days.

Minnesota (MNDPA — Minn. Stat. § 325O.01 et seq.)

Minnesota residents have rights to confirm, access, correct, delete, portability, and opt out of targeted advertising, sale, and profiling. MNDPA includes an explicit right to question the results of profiling and request human review for consequential decisions. We respond within 45 days.

New Jersey (NJDPA — N.J. Stat. § 56:8-166.4 et seq.)

New Jersey residents have rights to confirm, access, correct, delete, portability, and opt out of targeted advertising, sale, and profiling. NJDPA honors Universal Opt-Out Mechanisms. We respond within 45 days. Cure period: 30 days (sunsets July 15, 2026).

Kentucky (KCDPA — Ky. Rev. Stat. § 367.3611 et seq.)

Kentucky residents will have rights to access, correct, delete, portability, and opt out effective January 1, 2026. Cure period: 30 days.

New Hampshire (NHPA — N.H. RSA § 507-H)

New Hampshire residents have the standard six rights. We respond within 45 days. Cure period: 60 days (sunsets December 31, 2025 — after which violations are enforced without cure).

Cookies

We use essential cookies to maintain your session and remember your preferences. We use analytics cookies to understand how the Service is used. You can disable non-essential cookies in your browser settings.

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the Service at least 30 days before the changes take effect.

Contact

If you have questions about this Privacy Policy, contact us at ask@askinori.com.