Privacy Policy

Last updated June 14, 2026

Introduction

We at Underflow, Inc. ("Underflow", "we" or "us"), dba Qualified Intelligence, are committed to respecting your privacy and keeping secure any information you share with us. This privacy policy explains how we collect, use, disclose, and process personal data when you visit qualifiedintelligence.com, contact us, apply for roles, or participate in our AI correction cost insurance program.

Qualified Intelligence is a service operated by Underflow, Inc. that underwrites organizations for insurance covering documented costs of correcting AI mistakes. We assess information such as AI usage, business context, workflow criticality, controls, and prior incidents; we do not certify that a model is fair, correct, or suitable for any particular use. This policy describes how we handle information in connection with that program and our website.

This Privacy Policy describes how we handle your information. It does not constitute a contract or create consent-based obligations beyond what is required by applicable law.

Where Underflow processes data on behalf of commercial customers (for example, underwriting submissions, policy records, or correspondence related to coverage), that processing is governed by our customer agreements and, where applicable, a Data Processing Agreement (DPA). This Privacy Policy does not apply to data we process solely on behalf of our customers under those agreements.

1. Data we collect

Data you provide directly

  • Account Information: Your name and email address when you sign up.
  • Payment Information: Payment details if you access paid services.
  • Communications: Your name, contact information, and message contents when you contact us.

Program and underwriting data you provide

When you engage with Qualified Intelligence as a customer, carrier partner, broker, or applicant, we may access and process:

  • Underwriting submissions: AI usage records, control documentation, incident history, workflow descriptions, and other records you provide for assessment.
  • Risk assessments: Findings, recommendations, renewal correspondence, and related underwriting decisions.
  • Policy and program records: Coverage terms, endorsements, claims correspondence, and billing information related to the insurance program.
  • Communications: Messages and related context you provide when using the Service or contacting us.

Data we collect automatically

  • Device Information: Device type, browser, operating system.
  • Log Information: IP address, browser settings, error logs.
  • Usage Data: How you use the Service, features used, actions taken.
  • Cookies and similar technologies: See Section 12 ("Cookies and tracking technologies") for details.

Sensitive data

Qualified Intelligence may process sensitive personal information contained in underwriting submissions, AI usage records, incident documentation, or supporting documents you provide to the Service. Depending on your AI use case, this may include financial information, employment records, customer records, health-related information, government identifiers, or other regulated data connected to workflows where AI is used. We process this data solely to provide the Service on behalf of our customers and apply access controls, encryption, and retention limits to protect it. We do not use sensitive data for advertising or for any purpose outside the agreed scope of the Service.

We do not direct the Service to children under 18. If you are a customer, you are responsible for ensuring you have the rights and permissions necessary to provide any personal information, sensitive personal information, or regulated data to the Service.

2. Program materials and integrations

Qualified Intelligence may receive data from vendors, brokers, carriers, and other parties involved in the insurance program. Depending on your relationship with us, this may include:

  • AI usage and control materials: AI usage records, model or provider information, workflow descriptions, control documentation, incident records, and documentation of how AI-related issues are identified or corrected.
  • Underwriting files: Questionnaires, declarations, correspondence, and supporting evidence submitted for assessment or renewal.
  • Program metadata: Configuration settings, integration logs, event logs, and security records needed to operate the Service.

3. How we use your data

We use your data to:

  • Provide, maintain, and improve the Service
  • Evaluate AI usage risk and underwrite participation in the insurance program
  • Issue, administer, renew, and service coverage for qualified insureds
  • Communicate about assessments, remediation, renewals, claims, and program updates
  • Manage accounts, authentication, permissions, and support requests
  • Monitor, secure, and troubleshoot the Service
  • Communicate with you about the Service
  • Comply with legal obligations

AI and machine learning

Qualified Intelligence may use artificial intelligence to assist with document review, classification of underwriting materials, and preparation of internal assessment artifacts. AI-assisted processing is performed with access controls, encryption, and audit logging appropriate to the sensitivity of the data.

Underflow will not use customer Content to train, or allow any third party to train, general-purpose AI models unless you have explicitly agreed to such use.

We may use anonymized and aggregated data to improve the Service, but only in a way that cannot identify you, your customers, consumers, employees, or other individuals.

4. How we share your data

We may share your data with:

  • Service Providers: Third parties who help us operate the Service, including cloud hosting, AI model providers, payment processors, and analytics services. These parties process data only as necessary to perform services on our behalf.
  • Business Transfers: In connection with a merger, acquisition, restructuring, or sale of assets, your data may be transferred as part of that transaction.
  • With Your Consent: When you give us permission to share, including through features designed to share information with other users or third parties.

5. Compelled disclosure

We may disclose your data if required:

  • Under applicable law or to respond to a legal process, such as a search warrant, court order, or subpoena
  • To protect our safety, your safety, or the safety of others, or in the legitimate interest of any party in the context of national security, law enforcement, litigation, or criminal investigation
  • If required in connection with legal proceedings brought against Underflow, its officers, employees, affiliates, customers, or vendors
  • To establish, exercise, protect, defend, and enforce our legal rights

6. Do Not Sell or Share My Personal Information

Underflow does not sell your personal information. We do not sell, rent, or trade personal data to third parties for monetary or other valuable consideration.

Underflow does not share your personal information for cross-context behavioral advertising. We do not share personal data with third parties for targeted advertising purposes.

Because we do not sell or share personal information, there is no need to opt out. However, if you believe your data has been sold or shared in error, or if you wish to exercise your right to opt out, please contact us at legal@useunderflow.com.

Underflow honors Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal, we will treat it as a valid opt-out request under applicable state privacy laws.

7. International transfers

Underflow is based in the United States. When you use our Service, your data may be transferred to and processed in the United States or other countries where our service providers operate.

If you are located in the European Economic Area (EEA) or UK, we will ensure appropriate safeguards are in place for any transfer of your data outside these regions, including Standard Contractual Clauses or other legally valid transfer mechanisms.

Your rights and protections will not be diminished by any international transfer of your data.

8. Retention

We retain your data only as long as necessary to operate the Service and meet our legal obligations. The specific retention periods depend on the category of data:

Data categoryRetention period
Account information (name, email)Duration of your account plus 30 days after deletion
Underwriting, incident, and claims recordsRetained according to customer-configured retention periods or customer agreement. Deleted within 30 days of account termination unless a longer period is agreed or legally required.
Policy and program recordsRetained according to customer-configured retention periods, policy terms, or legal requirements for insurance records.
Payment informationAs required by tax and financial regulations (typically 7 years)
Server logs (IP address, error logs)90 days
Analytics data26 months (aggregated; not tied to identifiable individuals)
Communications (support emails)2 years after last contact, unless needed for legal purposes
CookiesSee Section 12 for cookie-specific retention

When you terminate your use of the Service, we delete data from our servers within 30 days, unless a longer retention period is specified in your customer agreement or required by law. Customers requiring multi-year retention for regulatory or audit purposes should specify retention terms in their agreement.

When data is no longer needed, we delete, de-identify, or anonymize it in compliance with applicable laws.

9. Security

We use technical and organizational measures designed to protect your data from unauthorized access, loss, or disclosure.

  • Access Control: Access to personal data is granted only to authorized personnel on a need-to-know basis, and access is logged and monitored.
  • Encryption: Data is encrypted in transit (TLS) and at rest (AES-256).
  • Network Security: We use network security controls to help protect the Service.
  • Security Reviews: We review security risks and address vulnerabilities based on severity.
  • Incident Response: We have established protocols for managing and responding to security incidents.

10. Your rights

Depending on where you live, you may have certain rights regarding your personal data. The rights below apply to residents of all applicable jurisdictions, including under the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and other U.S. state privacy laws.

  • Right to Know / Access: You have the right to know what personal data we collect, use, and disclose about you, and to request a copy of that data.
  • Right to Correction: Request we correct inaccurate personal data.
  • Right to Deletion: Request we delete your personal data, subject to certain legal exceptions.
  • Right to Portability: Request your data in a structured, commonly used, machine-readable format.
  • Right to Opt Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. As stated in Section 6, Qualified Intelligence does not sell or share your personal information.
  • Right to Limit Use of Sensitive Data: You have the right to limit the use and disclosure of your sensitive personal information. Underflow only uses sensitive data as necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
  • Right to Objection: Object to certain types of processing, including direct marketing.
  • Right to Restriction: Request we temporarily or permanently stop processing some or all of your data.
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent.
  • Rights Related to Automated Decisions: Depending on your jurisdiction, you may have rights to access information about automated decision-making, opt out of automated processing, or appeal automated decisions. See the applicable ADMT, CCPA, or other local regulations for details.

How to exercise your rights

To exercise any of these rights, you may:

  • Email us at legal@useunderflow.com
  • Mail us at Underflow, Inc., 1 Brady Street, A614, San Francisco, CA 94103

We will verify your identity before processing your request. We may ask you to confirm details associated with your account. You may also designate an authorized agent to make a request on your behalf; we may require the agent to provide proof of authorization.

We will respond to your request within 45 days. If we need more time, we will notify you of the extension and the reason (up to an additional 45 days).

Right to appeal

If we decline your request, we will inform you of the reason. You may appeal our decision by contacting us at legal@useunderflow.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within 60 days.

If you believe we have not adequately addressed your concerns, you may lodge a complaint with your state attorney general or local data protection authority.

11. Policy changes

We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date at the top of this page. If you are a customer or user, we will notify you of material changes by email or through the Service. Your continued use of the Service after any change constitutes acceptance of the updated policy.

12. Cookies and tracking technologies

We use cookies and similar technologies to operate our website and understand how visitors interact with it.

What are cookies?

Cookies are small text files stored on your browser or device when you visit a website. They help the site remember your preferences and understand usage patterns.

Cookies we use

Cookie typePurposeExamplesRetention
Strictly necessaryRequired for the website to function (e.g., session management, security)Session cookies, CSRF tokensSession or up to 24 hours
AnalyticsHelp us understand how visitors use our site so we can improve itGoogle Analytics (_ga, _ga_*)Up to 26 months

What we do not use

We do not use advertising cookies, retargeting pixels, or any third-party cookies for targeted advertising purposes. We do not build behavioral profiles for cross-site tracking.

Google Analytics

We use Google Analytics to collect aggregated usage data such as pages visited, time on site, and referral sources. Google Analytics uses first-party cookies to distinguish unique visitors. We have configured Google Analytics to reduce collection of identifying information where available. Google's use of this data is governed by Google's Privacy Policy.

Managing cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking strictly necessary cookies may affect the functionality of our website.

You may also send a Global Privacy Control (GPC) signal through your browser, which we honor as a valid opt-out request under applicable state privacy laws.

13. Contact us

If you have any questions about this Privacy Policy, contact us at legal@useunderflow.com.