Privacy Policy

Last updated January 8, 2026

Introduction

We at Underflow, Inc. ("Underflow", "we" or "us") are committed to respecting your privacy and keeping secure any information you share with us. This privacy policy explains how we collect, use, disclose, and process your personal data when you use our software, platform, and related services at useunderflow.com.

Underflow is submission management software that connects to your email inbox (Outlook or Gmail), reads submission emails and attachments, extracts data, identifies what's missing, and handles follow-ups. This policy describes how we handle the data involved in that process.

By accessing or using our Service, you acknowledge you have been informed of and consent to our practices with regard to your personal information and data.

This Privacy Policy does not apply where Underflow acts as a data processor on behalf of commercial customers. Our use of that data is governed by our customer agreements.

1. Data we collect

Data you provide directly

  • Account Information: Your name and email address when you sign up.
  • Payment Information: Payment details if you access paid services.
  • Communications: Your name, contact information, and message contents when you contact us.

Data from your connected email

When you connect your email inbox to Underflow, we access and process:

  • Email content and metadata: Subject lines, body text, sender/recipient information, timestamps.
  • Attachments: Documents attached to emails, including ACORD forms, loss runs, schedules of values, supplemental applications, and other insurance documents.
  • Thread history: Conversation threads related to submissions you process through the Service.

Data we collect automatically

  • Device Information: Device type, browser, operating system.
  • Log Information: IP address, browser settings, error logs.
  • Usage Data: How you use the Service, features used, actions taken.
  • Cookies: We use cookies to operate and improve the Service.

Data we do not collect

We do not knowingly collect sensitive personal information such as health, biometric, genetic, or religious data (collectively "Special Categories of Personal Data" under GDPR). We do not direct our Service to children under 18. If you are a customer, you agree not to use our Service to process Special Categories of Personal Data.

2. Email integration

Underflow connects to your email inbox to read and process insurance submissions. We support integration with Microsoft Outlook and Google Gmail.

Microsoft (Outlook)

Underflow's use and transfer of information received from Microsoft APIs will adhere to Microsoft's API Terms of Use and applicable policies.

Google (Gmail)

Underflow's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we do with your email data

  • Read incoming submission emails and attachments
  • Extract data from insurance documents (ACORD forms, loss runs, schedules of values)
  • Identify missing information and gaps in submissions
  • Draft follow-up emails requesting missing information
  • Route email threads into folders based on submission status
  • Track submission progress until quote-ready

3. How we use your data

We use your data to:

  • Provide, maintain, and improve the Service
  • Process insurance submissions, quotes, binders, endorsements, and renewals from your connected email inbox
  • Extract data from ACORD forms, loss runs, schedules of values, and other insurance documents
  • Identify gaps and missing information in submissions
  • Generate follow-up emails and track responses
  • Create structured submission records and gap lists
  • Create and manage your account
  • Communicate with you about the Service
  • Prevent fraud and ensure security
  • Comply with legal obligations

AI and machine learning

Underflow uses artificial intelligence to read documents, extract data, identify gaps, and draft follow-ups. All AI-driven data processing is performed with strict access controls, encryption, and regular audits to protect your information.

We do not use customer data to train external models or for any purpose beyond the agreed-upon scope of our services.

We may use anonymized and aggregated data to improve our models and Service, but only in a way that cannot identify you or your customers.

4. How we share your data

We may share your data with:

  • Service Providers: Third parties who help us operate the Service, including cloud hosting, AI model providers, payment processors, and analytics services. These parties process data only as necessary to perform services on our behalf.
  • Business Transfers: In connection with a merger, acquisition, restructuring, or sale of assets, your data may be transferred as part of that transaction.
  • With Your Consent: When you give us permission to share, including through features designed to share information with other users or third parties.

5. Compelled disclosure

We may disclose your data if required:

  • Under applicable law or to respond to a legal process, such as a search warrant, court order, or subpoena
  • To protect our safety, your safety, or the safety of others, or in the legitimate interest of any party in the context of national security, law enforcement, litigation, or criminal investigation
  • If required in connection with legal proceedings brought against Underflow, its officers, employees, affiliates, customers, or vendors
  • To establish, exercise, protect, defend, and enforce our legal rights

6. International transfers

Underflow is based in the United States. When you use our Service, your data may be transferred to and processed in the United States or other countries where our service providers operate.

If you are located in the European Economic Area (EEA) or UK, we will ensure appropriate safeguards are in place for any transfer of your data outside these regions, including Standard Contractual Clauses or other legally valid transfer mechanisms.

Your rights and protections will not be diminished by any international transfer of your data.

7. Retention

We retain your data only as long as necessary to operate the Service and meet our legal obligations. The retention period depends on the type of data, its sensitivity, and applicable legal requirements.

When you terminate your use of the Service, we may delete all data provided or collected by you from our servers, unless legally required to retain it.

When data is no longer needed, we delete, de-identify, or anonymize it in compliance with applicable laws.

8. Security

We implement industry-standard technical and organizational measures to protect your data from unauthorized access, loss, or disclosure.

  • Access Control: Access to personal data is granted only to authorized personnel on a need-to-know basis, and access is logged and monitored.
  • Encryption: Data is encrypted in transit (TLS) and at rest (AES-256).
  • Network Security: We employ secure network architecture, including firewalls and intrusion detection systems.
  • Regular Audits: We conduct regular security audits to identify and address vulnerabilities.
  • Incident Response: We have established protocols for managing and responding to security incidents.

9. Your rights

Depending on where you live, you may have certain rights regarding your personal data:

  • Right to Be Informed: You have a right to know how your data is collected and used.
  • Access: Request a copy of your data.
  • Correction: Request we correct inaccurate data.
  • Deletion: Request we delete your data.
  • Portability: Request your data in a portable format.
  • Objection: Object to certain types of processing, including direct marketing.
  • Restriction: Request we temporarily or permanently stop processing some or all of your data.
  • Withdrawal: Withdraw consent where processing is based on consent.
  • No Automated Decisions: You have a right not to be subject to decisions based solely on automated processing that significantly affect you.

To exercise these rights, contact us at legal@useunderflow.com. We may request information to verify your identity before processing your request.

If you believe we have not adequately addressed your concerns, you may lodge a complaint with your local data protection authority.

10. Policy changes

We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date at the top of this page. If you are a customer or user, we will notify you of material changes by email or through the Service. Your continued use of the Service after any change constitutes acceptance of the updated policy.

11. Contact us

If you have any questions about this Privacy Policy, contact us at legal@useunderflow.com.