Privacy Policy

Last updated: March 1, 2026

MyInsureFlow (“we”, “us”, or “our”) operates the MyInsureFlow platform (the “Service”). This Privacy Policy explains how we collect, use, disclose, and protect information about you when you use our Service. We are committed to complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Canadian provincial privacy laws.

By using MyInsureFlow, you consent to the practices described in this policy.

1. Who We Are

MyInsureFlow is a customer relationship management (CRM) platform designed for independent insurance advisors licensed under the Life License Qualification Program (LLQP) in Canada. The Service is operated from British Columbia, Canada.

For privacy-related questions, contact us at: support@myinsureflow.com

2. Information We Collect

2.1 Information you provide directly

  • Account registration: your name, email address, password (hashed), and agency name
  • Client records you enter: names, contact details, policy information, notes
  • Lead records: prospect names, contact details, profession, income estimates
  • Communication templates you create
  • Any notes, tasks, or documents you upload

2.2 Information collected automatically

  • IP address and approximate location (country/region)
  • Browser type and operating system
  • Pages visited and features used (via Vercel Analytics)
  • Error logs and crash reports (via Sentry)
  • Authentication session tokens (stored in secure cookies)

2.3 Google Calendar integration (optional)

If you choose to connect your Google Calendar account, we request permission to create and update events in your primary Google Calendar (https://www.googleapis.com/auth/calendar scope). We collect and store only your Google OAuth refresh token, which allows us to create calendar events on your behalf without requiring you to re-authorize each time.

  • We do not read any existing calendar events, contacts, or other Google account data
  • We only write new events for lead follow-up dates and task due dates you set in MyInsureFlow
  • The Google Calendar integration is entirely optional — you can use MyInsureFlow without connecting Google Calendar
  • You can disconnect at any time from Settings, which immediately deletes your stored refresh token

2.4 Billing information

Payment processing is handled by Stripe. We do not store credit card numbers on our servers. Stripe's privacy policy applies to payment data: stripe.com/privacy

3. How We Use Your Information

We use the information we collect to:

  • Provide and operate the MyInsureFlow Service
  • Send daily digest emails you have configured
  • Display reminders, tasks, and follow-up notifications
  • Process subscription payments
  • Detect and fix technical errors
  • Respond to support requests
  • Send important service announcements (not marketing, unless you opt in)
  • Comply with applicable laws
  • Create and update Google Calendar events for follow-up dates and task due dates (only if you connect Google Calendar)

We do not sell, rent, or share your personal information or your clients' information with third parties for advertising or marketing purposes.

Data obtained through Google APIs is used only to provide the Google Calendar sync feature you explicitly enable. It is never used for advertising, profiling, or shared with any third party.

4. Your Clients' Data

You enter information about your clients and prospects into MyInsureFlow. You are the “data controller” of that information — you collected it from your clients, and you are responsible for having the appropriate basis (consent or legitimate interest) to store and process it.

MyInsureFlow acts as a “data processor” — we store and process this data only to provide you with the Service and will not use it for any other purpose.

You should inform your clients that their contact and policy information is stored in a CRM system, as required under PIPEDA and your provincial advisor regulations.

5. Data Storage & Security

Your data is stored on:

  • Neon (PostgreSQL) — database hosted on AWS infrastructure in the United States (us-west-2 region)
  • Vercel — application hosting, edge network

Because data is stored on US servers, cross-border transfer provisions of PIPEDA apply. Both providers maintain SOC 2 compliance and industry-standard security practices.

We protect your data by:

  • Encrypting all data in transit (TLS/HTTPS)
  • Hashing passwords using bcrypt (we never store plaintext passwords)
  • Isolating each agency's data by agency ID — no user can see another agency's data
  • Using short-lived JWT session tokens
  • Monitoring errors and anomalies via Sentry

6. Data Retention

We retain your account data for as long as your account is active. If you delete your account or your subscription lapses without renewal, we will:

  • Retain your data for 30 days so you can request an export
  • Permanently delete all data associated with your account after 30 days

Error logs and analytics data are retained for a maximum of 90 days.

7. Your Rights Under PIPEDA

You have the right to:

  • Access — request a copy of all personal information we hold about you
  • Correction — request correction of inaccurate information
  • Deletion — request deletion of your account and all associated data
  • Export — request a machine-readable export of your data (CSV)
  • Withdraw consent — close your account at any time

To exercise any of these rights, email support@myinsureflow.com. We will respond within 30 days, as required by PIPEDA.

8. Cookies & Tracking

We use:

  • Session cookies — required for authentication. Cannot be disabled without breaking the Service.
  • Vercel Analytics — privacy-friendly, no cross-site tracking, no fingerprinting
  • Sentry — error tracking only, not used for advertising

We do not use Google Analytics, Facebook Pixel, or any advertising trackers.

9. Third-Party Services

We share limited data with these providers solely to operate the Service:

| Provider | Purpose | Data shared |
|---|---|---|
| Neon / AWS | Database storage | All account and user data |
| Vercel | App hosting & CDN | Request logs, IP address |
| Resend | Transactional email | Your email address, digest content |
| Stripe | Payment processing | Email, billing address (no card data stored by us) |
| Sentry | Error tracking | Error logs, anonymized session context |
| Google (Calendar API) | Optional calendar sync (if connected) | OAuth refresh token; event title and date only |

10. Google API Services — Limited Use Disclosure

MyInsureFlow's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • What we access: We request write-only access to your primary Google Calendar to create and update all-day events for lead follow-up dates and task due dates.
  • What we do not access: We never read existing calendar events, contacts, emails, Drive files, or any other Google account data.
  • What we store: Only your OAuth refresh token, stored encrypted in our database. We do not store access tokens beyond the duration of a single sync operation.
  • How it's used: Solely to write calendar events on your behalf when you set follow-up dates or task due dates in MyInsureFlow. This data is never used for advertising, analytics, profiling, or shared with any third party.
  • Revoking access: You can disconnect Google Calendar at any time in Settings → Integrations. This immediately deletes your stored refresh token and stops all calendar sync. You can also revoke access directly at myaccount.google.com/permissions.

12. Children's Privacy

MyInsureFlow is designed for licensed insurance professionals. We do not knowingly collect information from anyone under 18 years of age.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email and by displaying a notice in the application at least 14 days before any material change takes effect. Continued use after the effective date constitutes acceptance.

14. Contact Us

For privacy questions, access requests, or complaints, contact our Privacy Officer:

MyInsureFlow Privacy Officer

Email: support@myinsureflow.com

Jurisdiction: British Columbia, Canada

If you are not satisfied with our response, you may file a complaint with the Office of the Privacy Commissioner of Canada.