Privacy Policy
Last updated April 29, 2026
This Privacy Policy describes how Magna & Magna, Inc. (“docInsured”, “we”, “us”) collects, uses, and shares information when you use the docInsured platform at app.docinsured.com (the “Service”). It applies to Certificate Holders, Insureds, and Brokers using the Service.
Initial release. Material updates to this policy are announced at least 30 days in advance via email to all account holders.
1. Information We Collect
1.1. Account Information
When you sign up, our authentication provider (Clerk) collects your email address, name, and optionally a profile photo. We store a docInsured-side record linking your Clerk identity to the organization you create or join.
1.2. Organization & Vendor Data
Certificate Holders enter information about their vendors, including name, contact email, and insurance requirements. This data is scoped to the holder organization that created it.
1.3. Certificate Documents
When an Insured fulfills a Certificate of Insurance request, the uploaded document and the structured coverage data extracted from it are stored against the request. Document files are stored in private Vercel Blob storage; structured data is stored in a Postgres database operated by Neon.
1.4. Communications
We send transactional emails (request notifications, fulfillment confirmations, expiry warnings) through Resend. We do not send marketing emails without your consent.
1.5. Usage Data
Our hosting provider (Vercel) and observability provider (Sentry) log standard request metadata: IP address, user agent, response codes, and error traces. We use this data only for diagnostics and security.
2. How We Use Information
- To operate the Service: route Certificate of Insurance requests, render compliance status, and store fulfilled documents.
- To send transactional notifications related to actions you or your counterparties take.
- To diagnose errors and security incidents.
- To enforce abuse controls (rate limits on the public fulfillment endpoint).
3. Third-Party Services We Share Data With
We share data only with vendors necessary to operate the Service. Each is bound by their own privacy policies and data-protection commitments:
- Clerk — user authentication.
- Neon — Postgres database hosting.
- Vercel — web hosting + private file storage (Blob).
- Resend — transactional email delivery.
- Anthropic — AI-assisted extraction of structured data from uploaded certificates. Document content is sent to Anthropic only at the moment of extraction; Anthropic does not retain the document for training.
- Sentry — error monitoring (request metadata + stack traces, not document contents).
- Stripe (when subscriptions ship) — payment processing.
- Upstash — rate-limit counters (no personally-identifiable data; only request fingerprints).
For the canonical, versioned list with the full role and jurisdiction of each vendor, see our sub-processor page. B2B customers under an executed DPA receive at least 30 days' advance notice of any change.
4. Your Rights
Depending on your jurisdiction (including under GDPR for EU residents and CCPA for California residents), you may have the right to access, correct, export, or delete the personal information we hold about you. Contact us at support@docinsured.com to exercise these rights.
5. Data Retention
Account information: retained for the lifetime of your account. You may request deletion at any time by contacting support@docinsured.com.
Certificate of Insurance documents: retained for seven (7) years after the latest coverage expiration date on the certificate. After that, certificates are automatically soft-deleted; thirty (30) days later, the underlying file is permanently purged from our storage. The seven-year horizon aligns with insurance industry standards (NAIC) and most state statutes of limitations on construction defect and tort claims.
Legal hold: a certificate holder may flag any individual certificate as "on legal hold," which exempts it from the auto-delete cycle for as long as the flag remains set. Use this when you are subject to litigation, regulatory audit, or any other obligation to retain records past the default.
Audit trail: deletion of a certificate is recorded in the holder's audit log; metadata such as "a certificate existed for this vendor on this date and was deleted under retention policy on this later date" persists indefinitely so the holder can defend against future claims that they failed to verify insurance.
Earlier deletion on request: consistent with CCPA, CPRA, GDPR, and similar laws, you may request earlier deletion of personal information by contacting support@docinsured.com. We will honor verifiable requests within thirty (30) days unless the records are subject to legal hold or another statutory retention requirement.
6. Security
Communications with the Service are encrypted in transit via HTTPS. Files are stored in private buckets and accessible only via authenticated proxies. Passwords are managed by Clerk and never stored on docInsured systems.
7. Children's Privacy
The Service is intended for business use and is not directed to children under 13.
8. Changes to This Policy
We will update this Privacy Policy as the Service evolves. Material changes will be communicated by updating the “Last updated” date and, where appropriate, by direct notice to account holders.
9. Contact
Questions or requests: support@docinsured.com.