Legal

Privacy Policy

Last updated: May 2026

1. Introduction

Capturra Ltd ("Capturra", "we", "us", or "our") is committed to protecting the privacy of our users and clients. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website, request a demo, or use our platform and services.

Capturra provides an AI-powered pre-bind intelligence platform for specialty and commercial insurance brokers. In doing so, we process data both as a data controller (for account information, website analytics, and marketing) and as a data processor (for Client Data uploaded or created within the platform on behalf of our clients). Where we act as a data processor, we process Client Data strictly in accordance with our clients' instructions and applicable Data Processing Agreements.

2. Information We Collect

Account Information

When you create an account, request a demo, or contact us, we collect your name, email address, company name, job title, phone number, and other contact details you provide.

Usage Data

We automatically collect information about how you interact with our platform and website, including pages visited, features used, session duration, IP address, browser type, operating system, and referring URLs.

Client Data

In the course of providing our services, you may upload or input insurance-related data including placement details, policy documents, market sheets, bordereaux, claims information, emails, attachments, and other business data ("Client Data"). You retain full ownership of your Client Data at all times. We process Client Data solely to provide and improve our services to you.

3. Legal Basis for Processing

Where the UK General Data Protection Regulation (UK GDPR) or EU General Data Protection Regulation (EU GDPR) applies, we rely on the following legal bases:

  • Contractual necessity — to provide our platform and services, manage your account, and fulfil our obligations under your subscription agreement
  • Legitimate interests — to improve our platform, ensure security, prevent fraud, and communicate service updates, where these interests are not overridden by your rights
  • Consent — for optional marketing communications and non-essential cookies, which you may withdraw at any time
  • Legal obligation — where we are required to process data to comply with applicable laws or regulations

4. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our platform and services
  • Process and respond to your enquiries and demo requests
  • Run AI-powered document extraction and analysis on Client Data you upload (see Section 5)
  • Send service-related communications (e.g. updates, security alerts, product changes)
  • Analyse usage patterns to improve user experience and platform performance
  • Enforce multi-tenant data isolation and ensure platform security
  • Comply with legal obligations and respond to lawful requests

5. AI and Automated Processing

Capturra uses artificial intelligence and machine learning to extract, structure, and analyse information from documents and emails you upload to the platform. This includes, but is not limited to, extracting placement details, identifying market terms, parsing bordereaux, and generating analytical insights.

How AI processing works:

  • Documents and data you upload may be sent to third-party AI service providers (including large language model providers) for processing. These providers act as sub-processors under contractual terms that prohibit using your data to train or improve their models.
  • Your Client Data is not used to train AI models. AI providers we use may retain API inputs and outputs for a limited period (typically no longer than 30 days) solely for abuse monitoring and platform safety, after which the data is deleted.
  • AI-generated outputs (extracted fields, suggestions, analytics) are stored within your tenant environment and are subject to the same access controls and isolation as all other Client Data.
  • No automated decisions with legal or similarly significant effects are made solely by AI without human oversight.

6. Cookies and Tracking

We use the following categories of cookies:

  • Essential cookies — required for authentication, session management, and platform security. These cannot be disabled.
  • Analytics cookies — help us understand how our website and platform are used, so we can improve the experience. These are only set with your consent.

We do not use advertising or third-party tracking cookies. You can manage your cookie preferences through your browser settings. Disabling essential cookies may prevent you from using the platform.

7. Third-Party Services and Sub-processors

We use select third-party services to operate our platform. Key categories of sub-processors include:

  • Cloud infrastructure and database — for hosting, data storage, and authentication
  • AI service providers — for document extraction and natural language processing
  • Email and communication — for transactional emails and platform notifications
  • Analytics — for website and product usage analytics

All sub-processors are bound by Data Processing Agreements that require them to protect your data to a standard consistent with this policy and applicable law. A current list of sub-processors is available upon request.

8. Data Sharing

We do not sell, rent, or trade your personal information or Client Data. We may share your information only in the following circumstances:

  • With your consent or at your direction
  • With sub-processors who assist in operating our platform, as described in Section 7
  • To comply with legal obligations, court orders, or regulatory requests from competent authorities
  • To protect the rights, safety, or property of Capturra, our users, or the public
  • In connection with a merger, acquisition, or sale of assets, in which case you will be notified of any change in data controller

Multi-tenant isolation: Client Data is strictly isolated between tenants at the database level. No client can access another client's data under any circumstances.

9. Data Retention

We retain your data according to the following principles:

  • Account information — retained for as long as your account is active, plus a reasonable period for legal and audit purposes (typically 12 months after account closure)
  • Client Data — retained for the duration of your subscription. We do not delete Client Data while your account is active. Upon offboarding, Client Data is made available for export and securely deleted within a reasonable period unless a longer retention period is required by law or agreed in your subscription terms
  • Usage data — aggregated and anonymised usage data may be retained indefinitely for analytics purposes
  • Contact form and demo requests — retained for up to 24 months from submission

When data is no longer required, we securely delete or irreversibly anonymise it using industry-standard methods.

10. Data Security

We implement robust security measures to protect your data, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Multi-factor authentication supported for platform access
  • Role-based access controls with principle of least privilege
  • Strict multi-tenant data isolation enforced at the database level via row-level security
  • Continuous automated vulnerability scanning of dependencies and code, peer code review on production changes, and periodic security reviews
  • Access logging and audit trails

No system is completely secure. If you discover a potential security vulnerability, please report it to us responsibly at security@capturra.com.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by applicable data protection law. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, providing details of the breach and the measures taken in response.

12. Your Rights

Under the UK GDPR, EU GDPR, and other applicable data protection laws, you may have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your personal data ("right to be forgotten")
  • Restriction — request that we limit how we process your data
  • Portability — request your data in a structured, commonly used, machine-readable format
  • Objection — object to processing based on legitimate interests or for direct marketing
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
  • Automated decision-making — not be subject to decisions based solely on automated processing that produce legal or similarly significant effects

To exercise any of these rights, please contact us using the details in Section 16. We will respond to your request within one month, or inform you if an extension is needed. You also have the right to lodge a complaint with a supervisory authority, including the UK Information Commissioner's Office (ICO).

13. International Data Transfers

Your data may be processed in countries other than your own, including countries outside the UK and European Economic Area. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including:

  • Transfers to countries with an adequacy decision from the UK Secretary of State or the European Commission
  • Standard Contractual Clauses (SCCs) approved by the European Commission or the UK International Data Transfer Agreement / Addendum
  • Additional technical and organisational measures where required by the circumstances of the transfer

14. Children's Data

Our platform and services are designed for business use and are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us and we will promptly delete it.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will notify you of material changes by posting the updated policy on our website, updating the "Last updated" date above, and where appropriate, notifying you directly via email. We encourage you to review this page periodically.

16. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, request our current list of sub-processors, or report a privacy concern, you can contact us using the details below. We aim to respond to all privacy enquiries within one month.

Registered office: 133 Whitechapel High Street, London, England, E1 7QA
Company number: 16587015
ICO registration reference: ZC025748

Privacy enquiries: privacy@capturra.com
Security concerns or vulnerability reports: security@capturra.com

We have not appointed a Data Protection Officer (DPO), as one is not required for our processing activities under UK GDPR Article 37. Privacy queries are handled by Capturra Ltd at the address and email above.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk, or with another supervisory authority in your jurisdiction.