Privacy Policy

1. Overview

CostCast Inc. (“CostCast,” “we,” “us,” or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, share, and safeguard personal information when you visit our website, interact with our team, or use our services. It also describes your choices regarding that information.

This Policy covers two contexts: (a) our website and general business operations (visitors, prospective customers, vendors, and applicants) and (b) claims analytics and reserve prediction services we provide on behalf of our customers. Where a separate customer agreement governs data processing, that agreement takes precedence to the extent of any conflict.

2. Information We Collect

Information You Provide

Contact details such as your name, email address, phone number, company, and role. Communications you send through forms, email, or phone. If you apply for a position, your resume and related materials.

Information Collected Automatically

When you visit our website, we may automatically collect technical data, including IP address, browser type, operating system, device identifiers, pages viewed, referring URLs, and interaction data. We collect this information through cookies, server logs, and similar technologies.

Information Processed on Behalf of Customers

When delivering claims analytics services, we process data under the direction of our customers. This may include claims and policy information, claimant identity and contact details, financial and reserve data, medical or incident records where applicable, documents and supporting files, and system logs. Our handling of this data is governed by our agreements with those customers.

3. How We Use Information

We use collected information to:

• Operate, maintain, and improve our website and services.
• Respond to inquiries and provide support.
• Communicate about our services, including marketing where you have consented.
• Evaluate job applications.
• Perform claims analytics and reserve prediction services on behalf of customers, including data ingestion, modeling, quality assurance, and reporting.
• Support AI-assisted workflows such as data processing, classification, and predictive modeling, subject to appropriate human oversight.
• Detect, prevent, and respond to fraud, security incidents, and misuse.
• Comply with legal obligations and enforce our agreements.

4. Legal Bases for Processing

For website visitors and business contacts, we process personal information based on legitimate interests (operating and improving our services, security, fraud prevention), consent (where required, such as for marketing), contractual necessity (to fulfill requests or agreements), and legal obligations.

For customer-directed services, we act as a service provider or processor. We process personal information only as instructed by the customer and as permitted under our agreements and applicable law.

5. How We Share Information

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising. We may share personal information with:

• Service providers who perform functions on our behalf (hosting, infrastructure, analytics), bound by contractual obligations to use data only for specified purposes.
• Our customers and their designees, as necessary to deliver services.
• Professional advisors, including legal counsel and auditors, under confidentiality obligations.
• Law enforcement or government authorities when required by law or to protect rights, safety, or property.
• Parties involved in a corporate transaction such as a merger or acquisition, with appropriate safeguards.

6. Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy, to comply with legal and regulatory requirements, to resolve disputes, and to enforce our agreements. Typical retention periods include:

• Website analytics and cookie data: up to 13 months.
• Support and inquiry records: 3 years after the last interaction.
• Recruiting data: 2 years unless you request earlier deletion or local law requires otherwise.
• Customer data and claims records: 7 years after engagement ends or as required by regulation or customer agreement.
• Financial records: 7 years for tax and audit purposes.
• System and security logs: 12-month rolling basis.
• AI inference logs: 90 days for safety and quality purposes, then deleted or de-identified.

When processing data on behalf of a customer, we return or delete data at the end of the engagement as directed by the customer agreement, subject to legally required retention.

7. Cookies and Tracking

We use cookies and similar technologies on our website. Strictly necessary cookies enable core functionality. Analytics cookies help us understand how visitors use our site. We do not use cookies for cross-context behavioral advertising. You can manage preferences through your browser settings. Disabling certain cookies may affect functionality.

8. Security

We maintain a security program designed to protect personal information from unauthorized access, use, disclosure, alteration, and destruction. Measures include access controls with role-based permissions, encryption of data in transit and at rest, network monitoring and vulnerability management, secure development practices, vendor risk assessment, audit logging and incident response procedures, and employee training.

9. International Transfers

We store and process data in the United States. If you are located outside the United States, your information may be transferred to and processed here, where data protection laws may differ. Where applicable, we implement appropriate safeguards for cross-border transfers in accordance with applicable law.

10. Your Rights

Depending on your location and applicable law, you may have the right to:

• Access and obtain a copy of your personal information.
• Correct inaccurate or incomplete information.
• Request deletion of your personal information.
• Data portability.
• Opt out of the sale of personal information (we do not sell personal information).
• Non-discrimination for exercising your privacy rights.

To exercise your rights, contact us at founders@costcast.ai. If we process your information on behalf of a customer, please direct your request to that customer.

11. AI and Automated Processing

Our services use AI and machine learning to assist with claims analytics, including data ingestion, feature extraction, predictive modeling, and reserve recommendations.

We do not use customer data to train CostCast-owned models unless expressly authorized in a signed agreement. Third-party AI vendors are contractually prohibited from using customer data for their own training or improvement.

We do not make automated decisions producing legal or similarly significant effects without human oversight. We maintain audit trails for AI-assisted outputs where feasible.

12. Children’s Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn that we have, we will promptly delete it.

13. Third-Party Links

Our website may link to third-party websites. We are not responsible for their privacy practices and encourage you to review their policies.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be reflected by an updated date at the top of this page. We encourage you to review this Policy periodically.