I.
Preamble and Scope
Open Insurance AI, a Delaware corporation (“Company,” “we,” “us,” or “our”), is the developer and operator of the world's most advanced AI-native insurance and healthcare operating system. We are headquartered at 3399 NW 72nd Ave Suite 228, Miami, FL 33122.
This Privacy Policy (“Policy”) governs the access to and use of all our services, including but not limited to our website located at www.openinsurance.ai, our specialized customer relationship management platform located at crm.openos.app (the “Medical CRM” or “Clinical CRM”), our mobile applications, application programming interfaces (APIs), proprietary artificial intelligence models, and any future products, platforms, or services we may acquire or develop (collectively, the “Ecosystem” or “Services”).
This Policy is designed to be a “living document,” comprehensive enough to cover our current operations—including our medical and clinical CRM capabilities—and future-proofed to encompass potential new technologies such as blockchain distributed ledgers, autonomous AI agents, telemedicine integrations, and Internet of Things (IoT) connectivity.
BY ACCESSING OR USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ THIS POLICY AND CONSENT TO THE DATA PRACTICES DESCRIBED HEREIN.
II.
Information We Collect
We employ a multi-faceted approach to data collection to power our “Single Canvas” experience. We collect data directly from you, automatically through your device, and from third-party sources.
A. Information You Provide Directly
We collect information you explicitly provide to us via forms, chat interfaces, voice commands, or account settings.
- Account & Identity Data: Full name, email address, postal address, phone number, date of birth, Social Security Number (SSN), National Provider Identifier (NPI), tax identification numbers, and government-issued ID copies.
- Protected Health Information (PHI) & Medical Data: Through our Medical/Clinical CRM, we may ingest patient intake forms, electronic health records (EHR), diagnosis codes (ICD-10), procedure codes (CPT), treatment plans, prescription history, lab results, and provider notes.
- Financial & Transactional Data: Credit card numbers, bank account details (ACH), billing addresses, claims history, premium payments, and insurance policy details (coverage limits, deductibles, beneficiaries).
- Biometric Data: In future iterations offering advanced security or telehealth features, we may collect voiceprints (for authentication) or facial geometry (for identity verification), subject to explicit consent.
- User Content: Data input into our AI interfaces, including text prompts, document uploads (PDFs, images), and voice memos.
B. Information Collected Automatically
We use advanced telemetry to ensure security and performance.
- Device & Connection Data: Internet Protocol (IP) address, browser type and version, time zone setting, operating system, device hardware model, and mobile network information.
- Authentication Data: We utilize Google Login and other Single Sign-On (SSO) providers. When you use these, we collect your public profile data and authentication tokens.
- Security & Infrastructure Data: To maintain our Zero-Trust architecture, we log SSL/TLS handshake data (utilizing our multi-SSL/TLS architecture for tenant isolation), API call volumes, and latency metrics.
- Usage Data: Clickstreams, heatmaps, scroll depth, feature usage duration, and interaction with AI suggestions.
C. Information from Third Parties
We enrich our data ecosystem by connecting with external sources to provide a unified view of risk and health.
- Integration Partners: We pull data from third-party Electronic Medical Records (EMRs), billing systems, insurance carrier portals, and ERPs.
- Data Brokers & Credit Bureaus: We may obtain credit scores, demographic data, purchasing behavior, and fraud risk scores to assist in underwriting or identity verification.
- Wearables & IoT: With your permission, we may connect to devices (e.g., smartwatches, glucometers, telematics devices) to stream real-time health or driving data into the Clinical CRM.
- Social Media & Public Sources: Information available from public profiles, sanctions lists, and professional directories.
III.
How We Use Your Information
We use your data to power the Open OS intelligence engine.
Core Service Delivery
- To provision and manage your accounts on crm.openos.app.
- To facilitate insurance quoting, binding, issuance, and claims processing.
- To coordinate clinical care, patient intake, and provider workflows.
AI & Machine Learning (R&D)
- To train and fine-tune our proprietary AI models. Note: We utilize strict de-identification protocols before using any PHI for general model training, ensuring compliance with HIPAA.
- To generate predictive analytics (e.g., risk scoring, churn prediction, health outcome forecasting).
Security & Fraud Prevention
- To detect anomalies using behavioral biometrics.
- To enforce multi-factor authentication (MFA) and manage digital certificates via our multi-SSL infrastructure.
Commercial & Marketing
- To recommend relevant insurance products or health management programs (“Next Best Action”).
- To measure the effectiveness of our campaigns.
Future Product Development
- To develop decentralized finance (DeFi) insurance pools or smart-contract-based policies.
- To build autonomous agents capable of negotiating claims on your behalf.
IV.
Disclosure of Your Information
We operate a connected ecosystem but maintain strict control over data egress.
- The “Connected Stack” (Integrations): When you utilize our platform to connect with carriers, hospitals, or third-party apps, we transfer data via API as instructed by you.
- Service Providers: We share data with trusted vendors for cloud hosting (e.g., AWS/GCP/Azure), payment processing (e.g., Stripe), customer support, and legal compliance.
- Affiliates & Subsidiaries: We may share data within our corporate family, including future subsidiaries established for specific insurance lines or technology verticals.
- Legal & Regulatory: We disclose data to insurance commissioners, health regulators, law enforcement, or in response to valid subpoenas.
- Business Transfers: In the event of a merger, acquisition, divestiture, or bankruptcy, user data is considered a transferable asset.
V.
Your Privacy Rights & Choices
A. General Rights
Regardless of your location, we strive to provide you with the ability to:
- Access and export your data.
- Update or correct inaccuracies.
- Delete your account (subject to retention laws).
B. HIPAA (United States)
If you are a patient whose data is stored in our Medical CRM by a healthcare provider (our Client):
- We act as a Business Associate. Your data is governed by the provider's Notice of Privacy Practices.
- We protect your PHI with administrative, physical, and technical safeguards in accordance with 45 CFR Parts 160 and 164 (the HIPAA Privacy and Security Rules).
C. California Privacy Rights (CCPA/CPRA)
If you are a California resident:
- Right to Know: You may request the specific pieces of personal information we have collected, the sources, and the business purpose.
- Right to Delete: You may request the deletion of your personal information.
- Right to Opt-Out of Sale/Sharing: We do not “sell” data for money. However, under the broad definition of “share” for cross-context behavioral advertising, you may opt-out of such sharing.
- Sensitive Personal Information: You have the right to limit the use of your Sensitive Personal Information (e.g., SSN, health data, precise geolocation) to that which is necessary for the Services.
- Non-Discrimination: We will not deny services or charge different rates for exercising these rights.
D. GDPR / UK GDPR (Europe & UK)
If you are in the EEA or UK:
- Data Controller vs. Processor: Open Insurance AI acts as a Data Controller for direct user accounts and a Data Processor for patient data managed by our enterprise clients.
- Legal Basis: We process data based on Contract Performance, Legal Obligation, Legitimate Interests, and Consent.
- Cross-Border Transfers: We transfer data to the US using Standard Contractual Clauses (SCCs) and supplementary measures to ensure equivalent protection.
- Rights: You have rights to object to processing, restrict processing, and data portability.
VI.
Data Retention and Security
A. Retention
We retain personal data only as long as necessary to fulfill the purposes for which it was collected, including legal, accounting, or reporting requirements.
- Medical Records: Retained for a minimum of 6-10 years, depending on applicable state law.
- Insurance Records: Retained for the life of the policy plus the statute of limitations for claims.
B. Security Architecture
We employ “Defense-in-Depth” strategies:
- Encryption: AES-256 encryption at rest; TLS 1.3 for data in transit.
- Access Control: Role-Based Access Control (RBAC) and Just-In-Time (JIT) provisioning.
- Multi-SSL/TLS Management: We utilize distinct SSL certificates for different tenant environments to prevent cross-contamination.
- Vulnerability Management: Regular penetration testing and code audits.
VII.
Cookies and Tracking Technologies
We use cookies, pixel tags, and local storage to recognize you.
- Essential Cookies: For authentication (including Google Login sessions) and security.
- Analytics Cookies: To understand how you use the Open OS canvas.
- Advertising Cookies: To show you relevant industry insights.
- Do Not Track: Our systems currently do not respond to “Do Not Track” signals, but we honor Global Privacy Control (GPC) signals where required by law.
VIII.
Contact Us
For any privacy-related inquiries, Data Subject Access Requests (DSAR), or to contact our Data Protection Officer (DPO):
Open Insurance AI
Legal & Compliance Department
3399 NW 72nd Ave, Suite 228
Miami, FL 33122, USA
Email: hello@openinsurance.ai
By using Open Insurance AI services, you agree that any dispute regarding privacy is subject to this Policy and our Terms of Service, including limitations on damages and resolution of disputes.
Last updated: January 12, 2026