Underflow

Privacy Policy

Last updated March 26, 2026

Introduction

We at Underflow, Inc. ("Underflow", "we" or "us") are committed to respecting your privacy and keeping secure any information you share with us. This privacy policy explains how we collect, use, disclose, and process your personal data when you use our software, platform, and related services at useunderflow.com.

Underflow is submission management software that connects to your email inbox (Outlook or Gmail), reads submission emails and attachments, extracts data, identifies what's missing, and handles follow-ups. This policy describes how we handle the data involved in that process.

By accessing or using our Service, you acknowledge you have been informed of and consent to our practices with regard to your personal information and data.

This Privacy Policy does not apply where Underflow acts as a data processor on behalf of commercial customers. Our use of that data is governed by our customer agreements.

1. Data we collect

Data you provide directly

  • Account Information: Your name and email address when you sign up.
  • Payment Information: Payment details if you access paid services.
  • Communications: Your name, contact information, and message contents when you contact us.

Data from your connected email

When you connect your email inbox to Underflow, we access and process:

  • Email content and metadata: Subject lines, body text, sender/recipient information, timestamps.
  • Attachments: Documents attached to emails, including ACORD forms, loss runs, schedules of values, supplemental applications, and other insurance documents.
  • Thread history: Conversation threads related to submissions you process through the Service.

Data we collect automatically

  • Device Information: Device type, browser, operating system.
  • Log Information: IP address, browser settings, error logs.
  • Usage Data: How you use the Service, features used, actions taken.
  • Cookies and similar technologies: See Section 12 ("Cookies and tracking technologies") for details.

Sensitive data

Underflow may process insurance documents that contain sensitive personal information such as Social Security numbers, driver's license numbers, financial account numbers, or other government-issued identifiers embedded in policyholder records. We process this data solely to provide the Service on behalf of our customers and apply strict access controls, encryption, and retention limits to protect it. We do not use sensitive data for any purpose other than delivering the Service.

We do not knowingly collect sensitive personal information such as health, biometric, genetic, or religious data (collectively "Special Categories of Personal Data" under GDPR). We do not direct our Service to children under 18. If you are a customer, you agree not to use our Service to process Special Categories of Personal Data.

2. Email integration

Underflow connects to your email inbox to read and process insurance submissions. We support integration with Microsoft Outlook and Google Gmail.

Microsoft (Outlook)

Underflow's use and transfer of information received from Microsoft APIs will adhere to Microsoft's API Terms of Use and applicable policies.

Google (Gmail)

Underflow's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

What we do with your email data

  • Read incoming submission emails and attachments
  • Extract data from insurance documents (ACORD forms, loss runs, schedules of values)
  • Identify missing information and gaps in submissions
  • Draft follow-up emails requesting missing information
  • Route email threads into folders based on submission status
  • Track submission progress until quote-ready

3. How we use your data

We use your data to:

  • Provide, maintain, and improve the Service
  • Process insurance submissions, quotes, binders, endorsements, and renewals from your connected email inbox
  • Extract data from ACORD forms, loss runs, schedules of values, and other insurance documents
  • Identify gaps and missing information in submissions
  • Generate follow-up emails and track responses
  • Create structured submission records and gap lists
  • Create and manage your account
  • Communicate with you about the Service
  • Prevent fraud and ensure security
  • Comply with legal obligations

AI and machine learning

Underflow uses artificial intelligence to read documents, extract data, identify gaps, and draft follow-ups. All AI-driven data processing is performed with strict access controls, encryption, and regular audits to protect your information.

We do not use customer data to train external models or for any purpose beyond the agreed-upon scope of our services.

We may use anonymized and aggregated data to improve our models and Service, but only in a way that cannot identify you or your customers.

4. How we share your data

We may share your data with:

  • Service Providers: Third parties who help us operate the Service, including cloud hosting, AI model providers, payment processors, and analytics services. These parties process data only as necessary to perform services on our behalf.
  • Business Transfers: In connection with a merger, acquisition, restructuring, or sale of assets, your data may be transferred as part of that transaction.
  • With Your Consent: When you give us permission to share, including through features designed to share information with other users or third parties.

5. Compelled disclosure

We may disclose your data if required:

  • Under applicable law or to respond to a legal process, such as a search warrant, court order, or subpoena
  • To protect our safety, your safety, or the safety of others, or in the legitimate interest of any party in the context of national security, law enforcement, litigation, or criminal investigation
  • If required in connection with legal proceedings brought against Underflow, its officers, employees, affiliates, customers, or vendors
  • To establish, exercise, protect, defend, and enforce our legal rights

6. Do Not Sell or Share My Personal Information

Underflow does not sell your personal information. We do not sell, rent, or trade personal data to third parties for monetary or other valuable consideration.

Underflow does not share your personal information for cross-context behavioral advertising. We do not share personal data with third parties for targeted advertising purposes.

Because we do not sell or share personal information, there is no need to opt out. However, if you believe your data has been sold or shared in error, or if you wish to exercise your right to opt out, please contact us at legal@useunderflow.com.

Underflow honors Global Privacy Control (GPC) signals. If your browser or device sends a GPC signal, we will treat it as a valid opt-out request under applicable state privacy laws.

7. International transfers

Underflow is based in the United States. When you use our Service, your data may be transferred to and processed in the United States or other countries where our service providers operate.

If you are located in the European Economic Area (EEA) or UK, we will ensure appropriate safeguards are in place for any transfer of your data outside these regions, including Standard Contractual Clauses or other legally valid transfer mechanisms.

Your rights and protections will not be diminished by any international transfer of your data.

8. Retention

We retain your data only as long as necessary to operate the Service and meet our legal obligations. The specific retention periods depend on the category of data:

Data categoryRetention period
Account information (name, email)Duration of your account plus 30 days after deletion
Email content and attachmentsDuration of your account; deleted within 30 days of account termination
Extracted submission dataDuration of your account; deleted within 30 days of account termination
Payment informationAs required by tax and financial regulations (typically 7 years)
Server logs (IP address, error logs)90 days
Analytics data26 months (aggregated; not tied to identifiable individuals)
Communications (support emails)2 years after last contact, unless needed for legal purposes
CookiesSee Section 12 for cookie-specific retention

When you terminate your use of the Service, we delete all data provided or collected by you from our servers within 30 days, unless legally required to retain it.

When data is no longer needed, we delete, de-identify, or anonymize it in compliance with applicable laws.

9. Security

We implement industry-standard technical and organizational measures to protect your data from unauthorized access, loss, or disclosure.

  • Access Control: Access to personal data is granted only to authorized personnel on a need-to-know basis, and access is logged and monitored.
  • Encryption: Data is encrypted in transit (TLS) and at rest (AES-256).
  • Network Security: We employ secure network architecture, including firewalls and intrusion detection systems.
  • Regular Audits: We conduct regular security audits to identify and address vulnerabilities.
  • Incident Response: We have established protocols for managing and responding to security incidents.

10. Your rights

Depending on where you live, you may have certain rights regarding your personal data. The rights below apply to residents of all applicable jurisdictions, including under the California Consumer Privacy Act (CCPA/CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and other U.S. state privacy laws.

  • Right to Know / Access: You have the right to know what personal data we collect, use, and disclose about you, and to request a copy of that data.
  • Right to Correction: Request we correct inaccurate personal data.
  • Right to Deletion: Request we delete your personal data, subject to certain legal exceptions.
  • Right to Portability: Request your data in a structured, commonly used, machine-readable format.
  • Right to Opt Out of Sale or Sharing: You have the right to opt out of the sale of your personal information or the sharing of your personal information for cross-context behavioral advertising. As stated in Section 6, Underflow does not sell or share your personal information.
  • Right to Limit Use of Sensitive Data: You have the right to limit the use and disclosure of your sensitive personal information. Underflow only uses sensitive data as necessary to provide the Service.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
  • Right to Objection: Object to certain types of processing, including direct marketing.
  • Right to Restriction: Request we temporarily or permanently stop processing some or all of your data.
  • Right to Withdraw Consent: Withdraw consent where processing is based on consent.
  • Right Against Automated Decisions: You have a right not to be subject to decisions based solely on automated processing that significantly affect you.

How to exercise your rights

To exercise any of these rights, you may:

  • Email us at legal@useunderflow.com
  • Mail us at Underflow, Inc., 1 Brady Street, A614, San Francisco, CA 94103

We will verify your identity before processing your request. We may ask you to confirm details associated with your account. You may also designate an authorized agent to make a request on your behalf; we may require the agent to provide proof of authorization.

We will respond to your request within 45 days. If we need more time, we will notify you of the extension and the reason (up to an additional 45 days).

Right to appeal

If we decline your request, we will inform you of the reason. You may appeal our decision by contacting us at legal@useunderflow.com with the subject line "Privacy Rights Appeal." We will respond to your appeal within 60 days.

If you believe we have not adequately addressed your concerns, you may lodge a complaint with your state attorney general or local data protection authority.

11. Policy changes

We may update this Privacy Policy from time to time. When we do, we will publish an updated version and effective date at the top of this page. If you are a customer or user, we will notify you of material changes by email or through the Service. Your continued use of the Service after any change constitutes acceptance of the updated policy.

12. Cookies and tracking technologies

We use cookies and similar technologies to operate our website and understand how visitors interact with it.

What are cookies?

Cookies are small text files stored on your browser or device when you visit a website. They help the site remember your preferences and understand usage patterns.

Cookies we use

Cookie typePurposeExamplesRetention
Strictly necessaryRequired for the website to function (e.g., session management, security)Session cookies, CSRF tokensSession or up to 24 hours
AnalyticsHelp us understand how visitors use our site so we can improve itGoogle Analytics (_ga, _ga_*)Up to 26 months

What we do not use

We do not use advertising cookies, retargeting pixels, or any third-party cookies for targeted advertising purposes. We do not build behavioral profiles for cross-site tracking.

Google Analytics

We use Google Analytics to collect aggregated, anonymized usage data such as pages visited, time on site, and referral sources. Google Analytics uses first-party cookies to distinguish unique visitors. We have configured Google Analytics with IP anonymization enabled. Google's use of this data is governed by Google's Privacy Policy.

Managing cookies

You can control cookies through your browser settings. Most browsers allow you to block or delete cookies. Please note that blocking strictly necessary cookies may affect the functionality of our website.

You may also send a Global Privacy Control (GPC) signal through your browser, which we honor as a valid opt-out request under applicable state privacy laws.

13. Contact us

If you have any questions about this Privacy Policy, contact us at legal@useunderflow.com.