Privacy Policy
Nexture AI, Inc.
Effective Date: February 15, 2026
This document was last reviewed and updated on the effective date above.
This Privacy Policy describes how Nexture AI, Inc. ("Nexture AI," "we," "us," or "our") collects, uses, processes, stores, and discloses your personal information when you use our platform and related services (the "Service"). Your privacy is important to us, and we are committed to protecting your personal information.
By accessing or using the Service, you agree to the collection, use, and disclosure of your information in accordance with this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
1. Introduction & Our Commitment to Privacy
Nexture AI is dedicated to providing an innovative platform for insurance brokers and buyers while maintaining high standards for privacy and data security. This Privacy Policy explains our practices concerning the information we collect and process, particularly Nonpublic Personal Information (NPI) as defined by the Gramm-Leach-Bliley Act (GLBA) and personal information under various U.S. state privacy laws.
Important Note
Nexture AI's Service is designed exclusively for Property & Casualty (P&C) insurance documents. We do not collect, process, or store Protected Health Information (PHI) subject to the Health Insurance Portability and Accountability Act (HIPAA).
GLBA Compliance: As a service provider to financial institutions (insurance brokers), Nexture AI maintains an information security program and privacy practices consistent with GLBA requirements, including:
- Limiting the collection and use of NPI to what is necessary to provide and improve the Service.
- Not disclosing NPI to nonaffiliated third parties except as permitted under GLBA (e.g., to service providers under contract, as required by law, or with your consent).
- Maintaining administrative, technical, and physical safeguards to protect NPI as described in our Security Statement.
- Providing this privacy notice at account opening and annually thereafter for the duration of the customer relationship, as required by Regulation P.
2. Your Role as Data Controller/Processor
2.1. For Insureds: When you, as an individual insured, upload your own documents and use the Service for your personal insurance management, Nexture AI acts as the "Controller" of your personal information, determining the purposes and means of processing your data.
2.2. For Brokers: When you, as an insurance broker or firm ("Broker User"), upload documents containing your clients' information, Nexture AI acts as a "Service Provider" or "Processor" for your clients' Nonpublic Personal Information (NPI). In this context, the Broker User is the "Financial Institution" or "Controller," and you retain primary responsibility for your clients' NPI. Our processing of such NPI is governed by our Terms of Service and any applicable Data Processing Addendum/GLBA Addendum.
3. Information We Collect
We collect various types of information, including personal information, to provide and improve our Service.
3.1. Information You Provide Directly:
- User Profile Data: When you register for an account, we collect your name, email address, physical address, phone number, company name (for Broker Users), job title (for Broker Users), and login credentials.
- Communications: Records of your correspondence with us, such as customer support inquiries or feedback.
3.2. Information from User-Uploaded Documents: When you upload insurance documents (e.g., policies, binders, endorsements, quotes) to the Platform, our Service processes the content of these documents. This includes, but is not limited to, extracting and storing:
- Insurance Policy Data (P&C Only): Policy numbers, coverage limits, deductibles, premiums, effective dates, types of coverage, insured property addresses, vehicle identification numbers (VINs), driver information (including names, dates of birth, driver's license numbers), loss history, and other details contained within P&C insurance documents.
- No SSNs: As stated in our Terms of Service, we expressly prohibit the upload of Social Security Numbers (SSNs) and do not intentionally collect or store them. Nexture AI disclaims all liability for SSNs uploaded in violation of our Terms.
Prohibited Data: Users must not upload documents containing Social Security Numbers. See our Terms of Service for full details on prohibited content.
3.3. Information Collected Automatically: When you access or use the Service, we may automatically collect certain information about your device, browsing actions, and patterns, including:
- Usage Data: Details of your access to and use of the Service, including traffic data, location data, logs, other communication data, and the resources that you access and use on the Service. This includes interactions with AI tools (e.g., chatbot queries, summaries generated).
- Device Information: Information about your computer and internet connection, including your IP address, operating system, browser type, and unique device identifiers.
- Cookies: We use the following categories of cookies on the Service:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential / Session | Authentication, security, and core platform functionality | Session (cleared on browser close) or up to 24 hours |
| Preference | Remembering your settings (e.g., layout preferences, theme) | Up to 1 year |
| Analytics | Understanding usage patterns, page views, and feature adoption to improve the Service | Up to 12 months |
We do not use cookies for third-party advertising or cross-site behavioral tracking. You can control the use of non-essential cookies at the individual browser level. Disabling certain cookies may limit your ability to use some features of the Service.
Do Not Track (DNT) Signals: Some browsers transmit "Do Not Track" signals to websites. Because there is no common industry standard for interpreting DNT signals, we do not currently alter our data collection and use practices based on DNT signals. We will update this policy if a uniform standard is established.
4. How We Use Your Information
We use the information we collect for various purposes, primarily to provide, maintain, and improve our Service, and for legitimate business operations.
4.1. To Provide the Service:
- To operate and maintain the Platform, including storing your documents and account information.
- To enable AI functionality such as smart sorting, document summarization, policy comparison, and chatbot responses.
- To process payments for your subscription (via our third-party payment processor).
- To communicate with you about your account and provide customer support.
4.2. To Improve the Platform & AI Models:
- AI Fine-Tuning: To enhance the capabilities and accuracy of our platform's AI tools (such as document summarization, comparison, and chatbot responses), we use the content of user-uploaded documents and interactions within the platform. This data is rigorously anonymized or pseudonymized before being used for internal model fine-tuning and improvement. This process helps us deliver more precise and relevant services and improve the overall functionality of our AI without identifying specific individuals or entities.
- Analytics: To analyze usage patterns and improve the user experience, functionality, and performance of the Service.
4.3. For Security & Compliance:
- To monitor, detect, and prevent security incidents, fraud, and other malicious or illegal activities.
- To comply with our legal obligations, including under the Gramm-Leach-Bliley Act (GLBA) and various U.S. state data privacy and breach notification laws.
- To enforce our Terms of Service.
5. How We Share Your Information
Nexture AI does not sell your personal information or share it with third parties for their independent marketing or cross-context behavioral advertising purposes. We only share your information in the following limited circumstances:
5.1. With Service Providers (Our Sub-processors): We engage trusted third-party service providers to perform functions on our behalf and help us operate and improve the Service. These providers are contractually obligated to protect your information and use it only for the purposes for which it was disclosed. They include categories such as:
- Infrastructure & Hosting: Render (PaaS hosting), Amazon Web Services (S3, KMS, SES, Cognito, Secrets Manager — primary region us-east-1), MongoDB Atlas (primary database), and Redis Cloud (queue + cache).
- Large Language Model (LLM) Providers: OpenAI, Anthropic, Google AI (Gemini + Geocoding), and Mistral AI. All operate under enterprise/API agreements that prohibit them from using your input data to train or improve their general models.
- Document Processing: LLMWhisperer (OCR / PDF-to-text).
- Billing: Stripe — receives only billing details; no policy or insured data.
- Operational Telemetry: Sentry — error and performance monitoring with PII scrubbed before transmission.
- Conditional / Opt-In: Microsoft Graph (Outlook/OneDrive/SharePoint), Box, and web-research providers (Tavily, Jina Reader, Firecrawl) are only invoked when the corresponding feature is explicitly enabled by your broker.
A complete, current list of sub-processors — including each provider's role, data class, region, and contractual basis — is maintained at nextureai.com/legal/sub-processors. We provide 30 days' advance notice via email and an in-app banner before adding any new sub-processor that handles tenant data.
5.2. As Required by Law: We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court order, subpoena, or government agency request).
5.3. To Protect Our Rights: We may disclose your information when we believe it is necessary to protect the rights, property, or safety of Nexture AI, our users, or others.
5.4. Business Transfers: In the event of a merger, acquisition, sale of assets, or other corporate change, your personal information may be transferred to the acquiring entity, subject to their commitment to similar privacy protections. We will notify you via email and/or a prominent notice on the Service of any such change in ownership or control of your personal information.
6. AI & Your Data (Transparency & Your Control)
AI-Generated Outputs: The Service uses artificial intelligence to generate document summaries, policy comparisons, data extractions, and chatbot responses. All AI-generated outputs are presented as aids and should be reviewed by qualified professionals before reliance. We clearly identify AI-generated content within the platform where applicable.
No Automated Decision-Making: Nexture AI does not use automated decision-making or profiling that produces legal or similarly significant effects on you. All AI outputs are informational tools intended to assist human decision-making, not replace it.
AI Fine-Tuning: As explained in Section 4.2, we use anonymized or pseudonymized User Content and interactions to improve and fine-tune our internal AI models.
Opt-Out Right for AI Fine-Tuning: You have the right to opt out of the use of your anonymized or pseudonymized data for our internal AI model fine-tuning.
- How to Opt-Out: To exercise this right, please contact us at privacy@nextureai.com.
- Effect of Opt-Out: Upon opting out, your new data and interactions will not be used for future fine-tuning. However, due to the technical complexities of AI model training, we cannot guarantee the complete removal of your previously contributed anonymized/pseudonymized data from historical, already-trained models.
7. Data Retention & Deletion
We retain your personal information for as long as necessary to fulfill the purposes for which it was collected, to provide the Service, to comply with our legal obligations (including GLBA and state record-keeping requirements), resolve disputes, and enforce our agreements. Specific retention periods are as follows:
| Data Category | Retention Period |
|---|---|
| Account profile data | Duration of account + 3 years post-termination |
| Uploaded documents & extracted policy data — Trash | Held indefinitely until you choose to permanently delete or restore |
| Uploaded documents & extracted policy data — Permanently deleted | Purged from active systems within minutes; aged out of backups on the next rotation cycle (typically within 90 days) |
| AI interaction logs (chatbot queries, summaries) | 12 months, then anonymized |
| Usage and analytics data | 24 months, then aggregated/anonymized |
| Payment and billing records | 7 years (tax and regulatory compliance) |
| Security and audit logs | 12 months |
| Backup copies | 90 days after deletion from active systems |
- Trash (soft delete): Moving a document to Trash hides it from your active library and from every list, search, deliverable, calendar event, and notification that references it. Trashed items do not auto-expire — they remain available for restore until you choose to permanently delete them.
- Permanent Deletion (Delete Forever): When you choose Delete Forever, our cascade-deletion routine removes the Document and every associated record from our active systems within minutes. This covers the Document record, all extraction tables, the canonical policy snapshot, the encrypted PDF and OCR transcript in S3, page-image artifacts, indexed vector-store chunks, shares + share-conversation history, review-session snapshots, workspace and view memberships, calendar events, notifications, and deliverable edit-request audit trails. See our Security Statement § 4.5 for the full cascade detail.
- Backups: MongoDB Atlas point-in-time backups and S3 versioned object copies are governed by their respective retention policies (typically 30–90 days). Permanently-deleted data ages out of these backups on the next rotation cycle. The customer-controlled key revocation feature described in Security Statement § 3.1.1 will, once shipped, enable cryptographic destruction of data including backups.
- Account Deletion: If you close your account entirely, we will retain limited account metadata (email, account creation/closure timestamps) for up to three (3) years to comply with legal obligations, prevent fraud, and resolve disputes, after which it will be securely deleted or anonymized.
- Legal Compliance: We may retain specific records for longer periods if required by law (e.g., GLBA, state insurance regulations) or for legitimate business interests such as auditing or maintaining business records (e.g., payment records held for 7 years).
- AI Fine-Tuning Data: Anonymized/pseudonymized data already incorporated into our AI fine-tuning datasets at the time of your deletion request may persist there subject to your opt-out rights under Section 6.
8. Your Privacy Rights (U.S. State-Specific)
Depending on your state of residency, you may have specific rights regarding your personal information under laws such as the California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA), Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), Utah Consumer Privacy Act (UCPA), Connecticut Data Privacy Act (CTDPA), and other applicable state laws.
These rights may include:
- The Right to Know: To request information about the categories and specific pieces of personal information we have collected about you, the sources from which it is collected, the purposes for collecting/selling/sharing it, and the categories of third parties to whom we disclose it.
- The Right to Delete: To request the deletion of your personal information, subject to certain exceptions (e.g., to complete transactions, for security purposes, to comply with legal obligations).
- The Right to Correct/Rectify: To request the correction of inaccurate personal information.
- The Right to Data Portability: To receive a copy of your personal information in a structured, commonly used, machine-readable format.
- The Right to Opt-Out of Sale/Sharing: Nexture AI does not sell or share your personal information with third parties for their independent marketing or cross-context behavioral advertising purposes. Therefore, an opt-out mechanism for "sale/sharing" is not generally required as we do not engage in these activities.
- The Right to Limit Use and Disclosure of Sensitive Personal Information: While P&C insurance data is sensitive, its processing for the provision of our core service is generally exempt from the "right to limit" under CCPA/CPRA, as it is necessary for the transaction.
- The Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
How to Exercise Your Rights: To exercise any of these rights, please contact us at privacy@nextureai.com. We may need to verify your identity before processing your request.
Response Timeframe: We will acknowledge receipt of your request within 10 business days. We will respond to verified requests within 45 calendar days from receipt. If we require additional time (up to an additional 45 days), we will inform you of the reason and extension in writing.
Authorized Agents: You may designate an authorized agent to submit a privacy rights request on your behalf. To do so, you must provide the authorized agent with written permission and we may require you to verify your identity directly with us. An authorized agent may also submit a request with a valid power of attorney.
Appeal Process: If we deny your privacy rights request in whole or in part, you have the right to appeal our decision. To appeal, please contact us at privacy@nextureai.com with the subject line "Privacy Rights Appeal" within 60 days of receiving our decision. We will respond to your appeal within 60 days. If the appeal is denied, we will provide you with instructions on how to contact your state's Attorney General to submit a complaint.
California "Shine the Light" (Civil Code § 1798.83): California residents may request information about whether we have disclosed personal information to third parties for their direct marketing purposes. As stated above, Nexture AI does not share personal information with third parties for their direct marketing purposes.
9. Data Security
We implement robust technical and organizational measures to protect your personal information from unauthorized access, use, alteration, or disclosure. For a detailed description of our security practices, please refer to our Security Statement.
What is encrypted at rest: Your uploaded documents and the structured policy data we extract from them are encrypted at rest using AES-256-GCM with per-tenant keys managed in AWS Key Management Service (KMS). This includes coverage details, limits, premiums, agent reasoning, audit history, deliverable content, communications bodies, client contact details, and the cross-tenant audit log.
What is plaintext at the database level: A small number of identifiers necessary for product functionality — insured name on a policy, carrier name, policy number, document filename, client legal name, and your account email — are stored as plaintext so that search, filtering, and navigation work efficiently across your library. These identifiers are protected by per-tenant access scoping, multi-factor employee authentication, audit logging, and TLS encryption in transit. We disclose this transparently; the alternative (encrypting these fields) is on our roadmap (Security Statement § 3.1.1) as a customer-controlled key-revocation feature.
What we can see while you are an active customer: Our extraction pipeline and AI agents must process your documents in plaintext to do their work (OCR, language-model extraction, SOIFA responses, deliverable generation). Employees with production code-deploy access therefore have the technical capability to access in-flight data while your account is active; that access is constrained by access controls, audit logging, and the contractual obligations described in our Security Statement. We do not claim that our employees cannot read your data while you use the Service; we claim they are constrained from doing so without authorization.
10. Data Breach Notification
In the event of a security breach that results in the unauthorized access, acquisition, or disclosure of your personal information, Nexture AI will:
- Investigate promptly: We will immediately investigate the scope and nature of the breach and take steps to contain and remediate it.
- Notify affected individuals: We will notify affected users without unreasonable delay, and no later than 60 days after discovery of the breach (or sooner where required by applicable state law). Notification will be provided via email to the address associated with your account.
- Notify regulators: We will notify applicable state attorneys general and regulatory authorities as required by law.
- Notification content: Breach notifications will include a description of the incident, the types of information involved, the steps we are taking in response, and steps you can take to protect yourself.
- Broker notification: For Broker Users, we will also notify you of any breach affecting your clients' NPI so that you can fulfill your own notification obligations as the data controller.
11. International Data Transfers
Nexture AI is based in the United States and primarily stores and processes data within the United States (AWS us-east-1, N. Virginia). Our Service is primarily designed for users located in the United States. However, some of our sub-processors, including LLM providers, may process data in other regions as part of their service delivery. In all cases:
- We ensure that sub-processors are bound by contractual obligations to protect your data consistent with this Privacy Policy.
- Data transfers are limited to what is necessary for the specific processing purpose.
- If you are located outside the United States and choose to use our Service, you understand and consent to your data being transferred to, stored, and processed in the United States, which may have different data protection standards than your jurisdiction.
If you are located in the European Economic Area (EEA), United Kingdom, or other jurisdiction with data protection laws that may differ from U.S. law, please note that we may not offer the full range of protections required under your local law, such as the General Data Protection Regulation (GDPR). We are committed to working with users and organizations to address cross-border data protection concerns. If you have questions about international data use, please contact us at privacy@nextureai.com.
12. Children's Privacy
Our Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete that information as quickly as possible.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. For material changes, we will also provide notice via email or a prominent in-app notification at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically.
14. Contact Information
If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us at:
Nexture AI, Inc.
Attn: Privacy Officer
1521 Alton Rd. PMB 106, Miami Beach, FL 33139, United States
Privacy inquiries: privacy@nextureai.com
General inquiries: admin@nextureai.com