Privacy Policy
Owl processes some of the most sensitive records that exist: the medical, financial and personal files behind insurance claims. This policy explains what we collect, how we use it, and the commitments that are not negotiable. The short version: claimant data is processed on our customers’ behalf, in single-tenant isolation, and is never used to train shared models.
Who this policy covers
This Privacy Policy describes how Owl Technologies, Inc. (“Owl,” “we,” “us”) handles personal information across three distinct relationships, each governed by different rules:
- a.Claimant data. The records inside the claim files our customers send us. Here Owl acts as a data processor (or “service provider” / “business associate”): the carrier or program is the controller, and their agreement with us governs.
- b.Customer users. The examiners, adjudicators and administrators who log in to Owl. We act as controller for their account data.
- c.Website visitors. People who browse owl.co or contact us. We act as controller for the limited data described below.
Information we collect
The categories of information we handle depend on the relationship above.
- a.Claim file contents processed on a customer’s behalf: medical records, statements, correspondence, imaging reports, financial documents, and any personal or health information they contain. We do not decide what is in these files; our customers do.
- b.Account & usage data for customer users: name, work email, role, organization, authentication metadata, and audit logs of actions taken in the product.
- c.Website data: IP address, device and browser metadata, pages viewed, and anything you submit through a contact or demo form.
We do not use third-party advertising trackers, sell personal information, or build cross-site advertising profiles.
How we use information
Claimant data is used only to provide the contracted service to the customer that submitted it: reading, summarizing, citing and flagging the file so a human adjudicator can decide faster and more fairly. We use account and website data to operate, secure and improve the product, to communicate with customers, and to meet our legal obligations.
We never use claimant data for our own purposes, for advertising, or to make adverse claim decisions automatically. Adverse determinations always require a licensed human reviewer.
Training and machine learning
This is the commitment we are asked about most, so we state it plainly: customer claim files are never used to train shared or foundation models. Files are processed in single-tenant, customer-isolated environments. Model improvements that benefit from production data happen only within a customer’s own tenant, under their agreement, and only when they opt in.
Data retention
Claimant data is retained only for the period defined in the customer’s agreement, and is returned or irreversibly destroyed on offboarding. Account data is kept for the life of the account plus the period required for legal and audit purposes. Website analytics data is retained for up to 14 months.
Security
We maintain a security program independently assessed against SOC 2 Type II, HIPAA, and ISO 27001. Data is encrypted in transit and at rest, access is least-privilege and logged, and claim files are processed in isolated single-tenant VPCs. The full posture is described on our Security page.
Your rights and choices
For claimant data, rights requests are directed to the carrier or program that controls the file; we support our customers in fulfilling them. For account and website data, depending on your jurisdiction you may have the right to access, correct, delete, port, or restrict processing of your personal information, and to object or withdraw consent.
To exercise any right, write to privacy@owl.co. We will respond within the timeframe required by applicable law.
International data transfers
Owl operates in Canada, the United States and the United Kingdom. Where personal information crosses borders, we rely on appropriate safeguards: Standard Contractual Clauses, the UK Addendum, and customer-elected data residency where contracted. Customers may require that claimant data remain within a specified region.
Children’s privacy
Owl’s services are not directed to children and we do not knowingly collect personal information from anyone under 16 outside of a claim file submitted by a customer in the course of adjudicating a claim.
Changes to this policy
We may update this policy as our practices, products or the law evolve. Material changes are announced to customers in advance through the product or by email, and the “last updated” date above always reflects the current version. Prior versions are available on request.
Contact us
Owl’s Data Protection Officer can be reached at privacy@owl.co. For EU/UK matters, our Article 27 representative details are available on request.
Owl Technologies, Inc. 1 East Pender St, Vancouver, BC. 110 Greene St, New York, NY.