Draft for attorney review

This document is a working draft created as a starting point. It has not been reviewed by an attorney licensed to practice in your jurisdiction and should not be relied upon as legal advice or as a final, binding agreement until counsel approves it. Replace this banner with a clean header before launch.

Effective date: June 15, 2026

Privacy Policy

This Privacy Policy explains how QuotFlo, an operating name of Garden State Benefits LLC (“QuotFlo,” “we,” “us,” or “our”), collects, uses, and shares information when you access or use our software platform and related services (the “Services”).

1. Who this policy covers

This policy applies to two distinct groups of people whose information may flow through the Services:

  • Agent users — the licensed insurance producers and agency staff who hold QuotFlo accounts and use the Services to prepare quotes for their clients.
  • Client recipients — the prospective insurance customers whose information an Agent enters into the Services and to whom Agents send branded quote links.

2. What we collect

2.1 From Agent users

  • Account details such as name, agency name, business email, password (stored as a salted hash by our auth provider), business phone, title, optional headshot, optional National Producer Number (NPN), and state license numbers;
  • Billing details such as Stripe customer and subscription identifiers — but not your payment card number, which is collected directly by Stripe;
  • Authentication metadata such as IP address, user agent, sign-in timestamps, and (if you enable it) TOTP factor metadata;
  • Communications you send us, including support requests.

2.2 From or about Client recipients

  • Name, email address, and optional phone number that the Agent enters when creating a contact record so the Agent can send the quote link and follow up;
  • Quote content the Agent builds, including carrier names, plan names, premiums, and coverage details (general product data, not personal health information);
  • When the Client opens a shared quote link: the IP address, approximate timestamp, and user agent of the device used to view the quote, used solely to notify the Agent that the quote was viewed.

2.3 What we deliberately do not collect

We have designed the Services to minimize sensitive personal data. We do not collect or store:

  • Dates of birth, ages, or other demographic identifiers;
  • Information about dependents — including names, relationships, or dates of birth;
  • Social Security numbers, government identification numbers, or driver's license numbers;
  • Financial account information from clients;
  • Medical history, diagnoses, prescriptions, claim information, or any other clinical data;
  • Plan selections linked to client identifiers on the publicly shared quote page itself.

Agents are contractually prohibited from entering this information into the Services. The shared quote page that a Client receives does not display the Client's name; the Client identifies the quote as their own because the link was sent directly to them.

3. How we use information

  • To operate, maintain, and improve the Services;
  • To authenticate users and protect against fraud, abuse, and unauthorized access;
  • To process subscription payments and send transactional emails such as quote-viewed notifications, password resets, and account confirmations;
  • To provide AI-assisted plan extraction from carrier PDFs that Agents upload (see section 6 for details);
  • To respond to support requests and communicate about the Services;
  • To comply with legal obligations, including responding to lawful requests from government authorities.

4. How we share information

We do not sell personal information. We share information with third-party service providers who help us operate the Services, and only as needed for them to perform their function. Current providers include:

  • Supabase — database hosting, authentication, and file storage;
  • Resend — transactional email delivery;
  • Stripe — payment processing and subscription management;
  • Google (Gemini) — AI extraction of plan details from PDFs that Agents upload;
  • DigitalOcean — virtual server hosting;
  • DuckDuckGo — carrier favicon lookup (for logos rendered on quote pages).

We may also disclose information when we have a good-faith belief that disclosure is required by law, to enforce our Terms, to protect against fraud, or to protect the rights, property, or safety of QuotFlo, our users, or the public.

5. Agents and HIPAA

Insurance brokerage activities may involve protected health information (“PHI”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). QuotFlo is designed to be used as a non-clinical quoting workflow tool and is not a HIPAA Business Associate by default. Agents are responsible for assessing whether their use of the Services requires a Business Associate Agreement (“BAA”) and for not entering information into the Services that would require one. If your professional obligations require a BAA, contact us at support@quotflo.com to discuss our BAA-eligible plan.

6. AI plan extraction

When an Agent uploads a carrier brochure or rate sheet, we forward the file to Google's Gemini API in order to extract structured plan details for the form. We instruct Gemini to treat the document strictly as data, and we sanitize the response before applying it to the form. Agents are instructed to upload only carrier-provided materials and not to upload documents containing client personally identifiable health information. On free Google AI plans, Google may use uploaded content to improve its models; if this is a concern for your workflow, do not use the extraction feature or contact us about BAA-eligible alternatives.

7. Security

We use industry-standard administrative, technical, and physical safeguards designed to protect personal information. These include encryption in transit and at rest, row-level access policies in the database, rate limiting, magic-byte file checks, restricted server access, automatic dependency monitoring, and optional two-factor authentication for Agent accounts. No system is perfectly secure, and we cannot guarantee absolute security.

8. Retention

We retain Customer Data for as long as an Agent's account is active and for a reasonable period afterward to comply with our legal obligations, resolve disputes, and enforce our agreements. Agents can request deletion of their account and associated data by contacting support@quotflo.com.

9. Your rights

Depending on your location, you may have rights to access, correct, delete, or restrict our use of your personal information, and to opt out of certain disclosures. To exercise these rights, contact us at support@quotflo.com. We will respond within the time required by applicable law.

10. Cookies and similar technologies

We use cookies and similar technologies that are strictly necessary to operate the Services, including session authentication. We do not use third-party advertising cookies. The public client quote page sets no analytics cookies; it only records a server-side view event with the visitor's IP address and user agent so the Agent can be notified that the quote was opened.

11. Children's privacy

The Services are intended for licensed insurance professionals and are not directed to children. We do not knowingly collect personal information from anyone under the age of 18 other than dependent information that an Agent enters as part of a household quote.

12. International users

The Services are operated from the United States and intended for users in the United States. If you access the Services from outside the United States, you understand that information about you will be transferred to and processed in the United States, where data protection laws may differ from those of your country.

13. Changes to this policy

We may update this Privacy Policy from time to time. If we make a material change, we will provide notice through the Services or by email. The effective date at the top of this page indicates when the policy was last revised.

14. Contact

Questions about this Privacy Policy or about how we handle personal information can be sent to support@quotflo.com or to QuotFlo, Garden State Benefits LLC, Burlington County, New Jersey.