
Privacy Policy

Effective Date: January 1, 2025
Last Updated: May 28, 2025
Version 1.1

1. Introduction

Spectro AI Inc. ("Spectro AI," "we," "us," or "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you use our fraud detection platform and related services (the "Services").

This Privacy Policy applies to all users of our Services, including insurance companies, claims adjusters, and other authorized enterprise users. By using our Services, you consent to the practices described in this Policy.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, phone number, organization name, and job title
  • Authentication Data: Passwords, security questions, and multi-factor authentication details
  • Billing Information: Company billing address and payment processing details (processed by third-party payment providers)
  • Communications: Content of support requests, feedback, and other communications with us

2.2 Information Processed Through Services

  • Analysis Data: Images, documents, and PDFs submitted for fraud detection analysis
  • Metadata: EXIF data, file properties, and document metadata
  • Case Information: Claim details, case notes, and investigation records
  • Results Data: Analysis results, fraud indicators, and generated reports

2.3 Automatically Collected Information

  • Usage Data: Features used, analysis performed, and interaction patterns
  • Device Information: IP address, browser type, operating system, and device identifiers
  • Log Data: Access times, pages viewed, and system performance metrics
  • Cookies and Tracking: Session cookies, analytics cookies (via PostHog), and preference settings

3. How We Use Information

3.1 Primary Purposes

  • Provide, maintain, and improve our fraud detection Services
  • Process and analyze submitted documents for fraud indicators
  • Generate analysis reports and fraud risk assessments
  • Maintain case histories and investigation records
  • Authenticate users and manage accounts
  • Process payments and maintain billing records

3.2 Additional Uses

  • Improve our fraud detection algorithms and machine learning models
  • Conduct research and development for new features
  • Provide customer support and respond to inquiries
  • Send service updates, security alerts, and administrative messages
  • Detect, prevent, and address technical issues or security threats
  • Comply with legal obligations and enforce our Terms of Service

4. Legal Basis for Processing

We process personal data based on the following legal grounds:

  • Contract Performance: Processing necessary to fulfill our contractual obligations
  • Legitimate Interests: Processing for fraud prevention, security, and service improvement
  • Legal Obligations: Processing required by law or regulatory requirements
  • Consent: Where you have provided explicit consent for specific processing activities
  • Vital Interests: Processing necessary to protect vital interests in emergency situations

5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal data. We may share information in the following circumstances:

5.1 Service Providers

We engage trusted third-party service providers who assist in operating our Services, including:

  • Cloud infrastructure providers (AWS)
  • Database and storage services (Supabase, Upstash Redis)
  • Analytics providers (PostHog)
  • Payment processors
  • Customer support tools

5.2 Legal Requirements

We may disclose information when required by law, court order, or other legal process, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of the business transaction, subject to the same privacy protections.

5.4 Aggregated Data

We may share aggregated, anonymized data that cannot identify individuals for research, marketing, or other purposes.

6. Data Security

We implement comprehensive security measures to protect your data, including:

  • Encryption of data in transit using TLS/SSL protocols
  • Encryption of sensitive data at rest using AES-256
  • Role-based access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Security incident response procedures
  • Employee training on data protection and security
  • ISO 27001 certification (in progress)

While we implement industry-standard security measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes outlined in this Policy:

  • Account Data: Retained for the duration of your account plus 90 days after closure
  • Analysis Data: Retained according to your organization's retention policy or 7 years for compliance
  • Case Records: Retained for 7 years or as required by insurance regulations
  • Billing Records: Retained for 7 years for tax and accounting purposes
  • Marketing Communications: Until you unsubscribe or request deletion
  • Legal Hold: Extended retention when required for legal proceedings

8. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal data:

8.1 Access and Portability

Request access to your personal data and receive a copy in a structured, machine-readable format.

8.2 Correction

Request correction of inaccurate or incomplete personal data.

8.3 Deletion

Request deletion of your personal data, subject to legal retention requirements.

8.4 Restriction

Request restriction of processing in certain circumstances.

8.5 Objection

Object to processing based on legitimate interests or for direct marketing.

8.6 Withdrawal of Consent

Withdraw consent for processing where consent is the legal basis.

To exercise these rights, contact us at privacy@spectrorisk.com. We will respond within 30 days or as required by law.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your country of residence. We ensure appropriate safeguards are in place for international transfers, including:

  • Standard Contractual Clauses approved by regulatory authorities
  • Adequacy decisions recognizing equivalent data protection standards
  • Binding Corporate Rules for intra-group transfers
  • Your explicit consent where required

10. Cookies and Tracking Technologies

We use cookies and similar technologies for the following purposes:

  • Essential Cookies: Required for authentication and core functionality
  • Analytics Cookies: Used by PostHog to analyze usage patterns and improve services
  • Preference Cookies: Remember your settings and preferences
  • Security Cookies: Detect authentication anomalies and prevent fraud

You can manage cookie preferences through your browser settings. Disabling certain cookies may limit functionality.

11. Children's Privacy

Our Services are intended for business use by adults. We do not knowingly collect personal data from individuals under 18 years of age. If we become aware of such collection, we will promptly delete the information.

12. California Privacy Rights

California residents have additional rights under the California Consumer Privacy Act (CCPA), including:

  • Right to know what personal information is collected, used, shared, or sold
  • Right to delete personal information held by us and our service providers
  • Right to opt-out of the sale of personal information (we do not sell personal information)
  • Right to non-discrimination for exercising privacy rights

To exercise these rights, contact us at privacy@spectrorisk.com or call 1-800-XXX-XXXX.

13. European Privacy Rights

If you are located in the European Economic Area (EEA) or United Kingdom, you have rights under the General Data Protection Regulation (GDPR), including:

  • Right to lodge a complaint with your local supervisory authority
  • Right to contact our designated representative in the EEA
  • Right to withdraw consent at any time
  • Right to object to automated decision-making and profiling

Our EU Representative can be contacted at eu-privacy@spectrorisk.com.

14. Updates to This Policy

We may update this Privacy Policy to reflect changes in our practices, technologies, legal requirements, or other factors. We will notify you of material changes by posting the updated Policy and updating the effective date. For significant changes, we may provide additional notice via email or through the Services.

15. Contact Information

For privacy-related questions, concerns, or to exercise your rights, please contact:

Spectro AI Inc.

Data Protection Officer

Email: privacy@spectrorisk.com

Email (Legal): legal@spectrorisk.com

Address: Delaware, USA

Website: spectrorisk.com

This Privacy Policy was last reviewed and updated on May 28, 2025. We are committed to protecting your privacy and handling your data with care and respect.