Claim Compass CRM Privacy Policy
Last updated: June 17, 2025
1. Who We Are
Claim Compass LLC ("Claim Compass CRM", "we", "our", or "us") provides a web-based claims-management platform that helps independent public adjusters organise claims, email threads and site-inspection schedules.
2. Scope of This Policy
This Privacy Policy explains how we collect, use, disclose and safeguard information when you use claimcompass.io (the "Service"), including information obtained from Google APIs and other third-party integrations.
3. Information We Collect
| Category | Examples | Source |
|---|---|---|
| Account Data | Name, email address, password hash | You, during sign-up |
| Google Data | Gmail message content & metadata (scopes gmail.readonly, gmail.send, gmail.labels); Calendar events & calendar list (scopes calendar.events, calendar.calendarlist.readonly) | Google APIs, after your explicit consent |
| Usage Data | Log files, device/browser type, IP address, pages visited, time spent | Automatic |
| Payment Data | Last 4 digits of card, billing address (handled by Stripe) | Payment processor |

We do not intentionally collect data from anyone under 18.
4. How We Use Google Data (Limited-Use Compliance)
We access Google user data only to provide or improve user-facing features that are prominent in the interface, in line with Google's API Services User Data Policy — Limited-Use requirements. Specifically:
- Display email threads inside the dashboard so you can view claim-related conversations.
- Send replies/new emails you compose from the dashboard.
- Apply or remove Gmail labels that mark claim status.
- Create, update or delete Calendar events (including Meet links) related to inspections.
- Show your calendar list so you can choose where to save an event.
We never use Google data for advertising, profiling or credit decisions, and do not transfer it except as listed in §7.
5. Legal Bases (EEA/UK)
We process personal data only when we have a lawful basis, including Contract (to provide the Service), Legitimate Interests (service security and improvement), and Consent (Google scopes, marketing emails).
6. Security Measures
- All data is encrypted in transit (TLS 1.2+) and at rest with AES-256 on Supabase managed storage.
- OAuth access & refresh tokens are stored encrypted and protected by Postgres Row-Level Security so that only the token owner can access their row.
- Application-level CSRF tokens protect form submissions and are stored in HttpOnly, Secure cookies.
- Servers run on ISO 27001-certified infrastructure.
7. Sharing & Disclosure
We share data only:
- With service providers under contract (e.g., Supabase hosting, Stripe payments) who process it on our instructions;
- To comply with law or defend legal claims;
- To investigate abuse, security incidents or fraud;
- Following a merger, acquisition or asset sale (with user notice);
- Never for advertising or to data brokers.
8. Data Retention & Deletion
- Refresh tokens are deleted immediately when you disconnect Google in Settings → Integrations.
- Account-level data is retained for 30 days after account deletion, then purged from backups within 30 additional days.
- Log files are kept for 90 days for security auditing.
9. Your Choices & Rights
- Disconnect Google at any time (Settings → Integrations).
- Access / download a copy of your data (Settings → Account → Export).
- Delete account (Settings → Account → Delete), which removes all personal data within the timelines above.
- Opt out of non-transactional emails via the unsubscribe link.
- EU/UK users: Right to object, restrict, erase, complain to a supervisory authority.
10. International Transfers
Your data may be processed in the United States and other countries where we or our service providers operate. We rely on standard contractual clauses or equivalent safeguards for such transfers.
11. Children's Privacy
The Service is not directed to children under 18. If we learn we have collected personal data from a child, we will delete it promptly.
12. Changes to This Policy
We may update this Policy from time to time. Material changes will be announced via email and in-app banner at least 30 days before they take effect.
13. Contact Us
Questions? Email benjamin@baseclaims.com or write to:
Base Claims Public Adjusters
2400 Atlantic Shores Blvd
Hallandale Beach, FL 33009
United States