Privacy Policy

1. Introduction

Agency Engine Inc., a New Mexico C corporation ("Agency Engine," "we," "us," or "our"), provides a customer relationship management (CRM) platform at agencyengine.app and my.agencyengine.app (collectively, the "Platform") that enables licensed insurance producers and agencies ("Agents") to manage prospects, clients, communications, and policy lifecycles.

This Privacy Policy describes how we collect, use, disclose, and protect personal information. It applies to all users of the Platform, including Agents, end users of Agent-built lead capture pages, and individuals whose information is processed through Agent workflows (collectively, "Subjects").

Two-tier data relationship: Agency Engine processes personal information in two distinct capacities. When we operate the Platform itself (account management, billing, telemetry), we act as a data controller / business. When we process prospect and client data on behalf of an Agent (CRM contacts, call recordings, message history), we act as a data processor / service provider / contractor under California Civil Code § 1798.140 and GDPR Article 4(8). The Agent is the controller of that data; we follow the Agent's documented instructions.

By using the Platform you acknowledge this Privacy Policy. If you do not agree, you may not use the Platform.

2. Definitions

• Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Subject or household, as defined under Cal. Civ. Code § 1798.140(v).
• Sensitive Personal Information includes Social Security numbers, driver's license numbers, financial account numbers, precise geolocation, race, ethnic origin, religious beliefs, union membership, contents of mail and messages, genetic data, biometric data for identification, health information, and information about sex life or sexual orientation.
• Nonpublic Personal Financial Information (NPFI) has the meaning given in NAIC Model Regulation #672 § 4 and the Gramm-Leach-Bliley Act, including any information a consumer provides to obtain an insurance product or service.
• Sale and Share have the meanings under CPRA — selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating Personal Information to a third party for monetary or other valuable consideration, or for cross-context behavioral advertising. We do not sell or share Personal Information.
• Process means any operation performed on Personal Information, whether automated or not — collection, storage, transmission, use, disclosure, deletion, or otherwise.

3. Personal Information We Collect

3.1 From Agents (Account Holders)

• Identity information: name, email, phone number, agency name, business address, time zone.
• Professional credentials: state insurance license numbers, carrier appointments, line-of-authority designations, NPN.
• Authentication information: hashed passwords, OAuth tokens for connected services (Google, Microsoft, Discord, Stripe, Twilio), MFA recovery codes.
• Billing information: tokenized payment method (held by Stripe; we never receive raw card numbers), billing address, tax ID where required.
• Usage telemetry: pages viewed, features used, error logs, device type, browser, IP address, session duration.
• Communications between Agent and Agency Engine support.

3.2 From Subjects (Prospects and Clients of Agents)

When Subjects submit information through an Agent's lead capture page, booking link, or document share, we collect on behalf of the Agent:

• Contact information: name, phone, email, mailing address, preferred contact times.
• Insurance-relevant information: date of birth, gender, height, weight, smoking status, household income range, dependents, existing coverage, health questionnaire answers, beneficiary designations.
• Communications: call recordings (where Agent has documented consent under applicable two-party / one-party state law), voicemails, text messages, emails sent through the Platform.
• Marketing attribution: IP address, user agent, referrer URL, UTM parameters, Google Click ID (gclid), session identifiers.
• Form submission timestamps, IP address, and the exact consent language displayed at the time of submission (retained as evidence of TCPA-compliant prior express written consent).

3.3 Automatically Collected

When anyone visits any page on the Platform, we collect IP address, user agent, device fingerprint (browser, screen resolution, language), pages visited, navigation timestamps, and referrer URL. We use first-party cookies for session authentication and CSRF protection. Third-party cookies appear only on Agent public pages where the Agent has integrated Google Analytics, Meta Pixel, or similar tools — those cookies are governed by the Agent's privacy policy, not ours.

4. How We Use Personal Information

We process Personal Information for the following business purposes (each is a permitted purpose under Cal. Civ. Code § 1798.140(e)):

1. Operating, maintaining, and securing the Platform.
2. Providing customer support, fulfilling service requests, and processing payments.
3. Performing CRM functions on behalf of Agents — call routing, SMS delivery, email send, calendar integration, document generation, lead scoring, AI-assisted drafting.
4. Detecting security incidents, protecting against malicious or fraudulent activity, debugging.
5. Internal product improvement, including aggregated and de-identified analytics that cannot reasonably be linked to any individual.
6. Complying with legal obligations (e.g., responding to lawful process, tax recordkeeping, audit requirements).

AI processing: Agent-initiated AI features (call summaries, draft messages, lead scoring) send relevant context to Anthropic's Claude API under a Zero Data Retention agreement — Anthropic does not log, store, or train on this data. We do not use Subject Personal Information to train any AI model, ours or anyone else's.

Insurance-specific use: Information about a Subject's health, finances, or insurance history collected through the Platform is used solely to enable the Agent to provide insurance products and services to that Subject, in accordance with NAIC Model #672 § 17 and applicable state implementations.

5. When We Disclose Personal Information

We disclose Personal Information only as follows:

• To service providers and processors bound by written contracts that restrict their use to the purpose for which we disclosed the information. Our current subprocessors are listed at agencyengine.app/subprocessors. We will provide at least 30 days' notice before engaging a new subprocessor that processes Subject Personal Information.
• To the Agent who controls a given Subject's record, in their capacity as data controller.
• For legal compliance: in response to a subpoena, court order, or other lawful process; to comply with applicable law or regulation; or to protect the rights, property, or safety of Agency Engine, our users, or others. We will challenge over-broad or facially invalid requests.
• In a corporate transaction: in connection with a merger, acquisition, financing due diligence, or sale of assets, subject to confidentiality obligations on the receiving party. Agents and Subjects will be notified of any change in controller and given an opportunity to object before their data is transferred.

We do not sell Personal Information. We do not share Personal Information for cross-context behavioral advertising. We do not disclose Personal Information to data brokers.

5A. Google API Services User Data

When an Agent connects their Google Ads, Google Calendar, or Gmail account to Agency Engine, we access information from Google APIs strictly to provide the integration features the Agent has requested. Agency Engine's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, in connection with Google API access we:

• Use Google user data only to provide or improve user-facing features that are prominent in the Agency Engine product (campaign-to-policy attribution, offline conversion upload, ad performance reporting, calendar availability, and carrier-domain email intelligence).
• Do not transfer Google user data to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the Agent's prior notice.
• Do not use Google user data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising.
• Do not allow humans to read Google user data unless we have the Agent's explicit consent for specific data, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or the data is aggregated and used for internal operations in accordance with applicable privacy and other laws.

An Agent may revoke Agency Engine's access to their Google account at any time from their Agency Engine settings or directly via Google Account permissions. Upon revocation we delete stored OAuth tokens within 24 hours and cease all further API calls on the Agent's behalf.

For full details on how the Google Ads integration is used inside Agency Engine, see our Google Ads Integration page.

6. SMS / Text Message Communications

Subjects who provide their mobile phone number to an Agent through the Platform may receive SMS messages from that Agent regarding insurance quotes, appointment reminders, policy updates, document requests, and account servicing.

• Mobile information is not shared with third parties or affiliates for marketing or promotional purposes. Mobile numbers and SMS opt-in records are disclosed only to Twilio for the strict purpose of message delivery.
• Message frequency: Typically 2 to 8 messages per month per Subject, varying by Agent and stage of the relationship.
• Message and data rates may apply. Standard charges from your mobile carrier apply.
• Opt-out: Reply STOP to any message at any time. Twilio processes STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, and QUIT keywords automatically and ceases all SMS to that number immediately and permanently.
• Help: Reply HELP to any message for support information, or contact the Agent directly.
• Consent records: When a Subject submits a Web form opt-in, we retain the timestamp, IP address, user agent, and exact consent language displayed at submission for no fewer than four years to evidence prior express written consent under 47 C.F.R. § 64.1200(f)(9).

TCPA framework: Agents are solely responsible for ensuring that every Subject they message has provided prior express written consent under the Telephone Consumer Protection Act, that messages comply with state-specific time restrictions and Do-Not-Call rules, and that all required disclosures are present. Agency Engine provides tools to help with compliance but does not audit Agent consent records.

7. Data Retention

We retain Personal Information only as long as necessary for the purposes described in this Policy, plus any period required by law:

• Active Agent accounts: for the duration of the subscription, plus 90 days after termination for export and reactivation.
• Subject CRM records: as long as the controlling Agent maintains an active subscription, plus whatever retention period the Agent designates within the Platform, subject to a minimum of seven (7) years for communications relating to insurance transactions to satisfy NAIC and state-insurance recordkeeping requirements.
• SMS consent records: at least four (4) years from the most recent message to the Subject.
• Billing and tax records: seven (7) years from the relevant transaction.
• Security logs: 90 days for verbose logs; indefinite for hashed audit trails.

On termination of an Agent subscription, the Agent has 30 days to export their data. Thereafter, Subject Personal Information is permanently deleted within 60 days, except where retention is required by law.

8. Security

We implement reasonable and appropriate administrative, technical, and physical safeguards designed to protect Personal Information against unauthorized access, alteration, disclosure, or destruction. These include:

• TLS 1.2+ encryption for all data in transit.
• AES-256-GCM encryption at rest for OAuth tokens, MFA secrets, and other sensitive credentials.
• Postgres row-level security (RLS) enforcing strict tenant isolation — one Agent's data is never accessible to another Agent.
• Principle of least privilege for staff access; access reviews quarterly.
• Continuous error monitoring and security telemetry (Sentry).
• Vendor due diligence; we contract only with subprocessors that hold SOC 2 Type II, ISO 27001, or equivalent attestations.

No system is perfectly secure. We will notify affected Agents and, where applicable, Subjects, regulators, and law enforcement of any security incident affecting Personal Information without unreasonable delay and consistent with applicable breach notification laws (including but not limited to Cal. Civ. Code § 1798.82, GDPR Art. 33–34, and 47 U.S.C. § 222).

9. Your Privacy Rights

9.1 California Residents (CCPA / CPRA)

California residents have the following rights, subject to verification and exceptions provided in Cal. Civ. Code § 1798.100 et seq.:

• Right to know the categories and specific pieces of Personal Information we hold and the sources, purposes, and recipients of disclosure.
• Right to delete Personal Information.
• Right to correct inaccurate Personal Information.
• Right to limit use of Sensitive Personal Information to permitted business purposes.
• Right to opt out of sale or sharing — not applicable, as we do neither.
• Right to non-discrimination for exercising any privacy right.
• Right to authorize an agent to make a request on your behalf.

To exercise these rights, email privacy@agencyengine.app from the email address on file or use our request form at agencyengine.app/privacy/request. We respond within 45 days (extendable to 90 days where permitted).

9.2 European and UK Residents (GDPR / UK GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation: access, rectification, erasure, restriction of processing, data portability, objection, and the right to withdraw consent for any processing based on consent. You also have the right to lodge a complaint with your supervisory authority.

Lawful bases: we rely on (a) performance of contract for account and service operation, (b) legitimate interests for security, analytics, and product improvement (subject to balancing test), (c) consent for non-essential cookies and marketing communications to Agents, and (d) legal obligations for tax, audit, and law enforcement compliance.

International transfers: Personal Information may be transferred to and processed in the United States. For transfers from the EEA, UK, or Switzerland, we rely on the EU Standard Contractual Clauses (Module 2: Controller to Processor; Module 3: Processor to Processor) adopted by Implementing Decision 2021/914, plus the UK International Data Transfer Addendum where applicable.

9.3 Other US States

Residents of Colorado (CPA), Connecticut (CTDPA), Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas (TDPSA), Utah (UCPA), and Virginia (CDPA), among others, have rights similar to those listed above. Submit requests to privacy@agencyengine.app.

9.4 Subject Requests Regarding Agent CRM Records

If you are a Subject (a prospect or client of an Agent) and wish to access, correct, or delete information held in an Agent's CRM, please contact the Agent who collected your information. Agency Engine acts as a processor for that information and will assist the Agent in responding to your request. We can provide the Agent's contact information if you tell us which Agent you interacted with.

10. Children's Privacy

The Platform is not directed to children under 13 (or under 16 in the EEA/UK). We do not knowingly collect Personal Information from children. If you believe a child has provided us with Personal Information, contact us at privacy@agencyengine.app and we will delete the information promptly. Agents must not use the Platform to target marketing to children.

11. Cookies and Similar Technologies

We use cookies and similar technologies for:

• Essential cookies — authentication, CSRF protection, session continuity. Cannot be disabled without breaking the Platform.
• Analytics cookies — first-party only; limited to aggregate usage telemetry.
• A/B test cookies — 30-day expiry; used for variant assignment on Agent-built funnel pages.

Agent-built lead capture pages may also serve cookies from third-party tools the Agent has integrated (e.g., Google Analytics, Meta Pixel). Those cookies are governed by the Agent's own privacy policy.

You can disable non-essential cookies through your browser settings. We honor browser-level Global Privacy Control (GPC) signals as opt-out of sale/share where applicable, even though we do not currently sell or share Personal Information.

12. Insurance-Specific Privacy Notice (NAIC Model #672)

For Subjects whose Personal Information is collected in connection with an insurance transaction, the following additional disclosures apply, consistent with NAIC Model Regulation #672 §§ 7–9 and applicable state implementations (including but not limited to California Insurance Information and Privacy Protection Act, Cal. Ins. Code §§ 791 et seq.):

1. What we collect: Information from your application or claim, your transactions with us or others, consumer reporting agencies, third parties, and inspections we may perform.
2. How we use it: To help your Agent quote policies, underwrite risk, process applications and claims, detect fraud, comply with regulatory requirements, and administer your account.
3. To whom we disclose: Your Agent and the carriers your Agent submits applications to; service providers under contractual confidentiality; and as required by law. We do not disclose Nonpublic Personal Financial Information to nonaffiliated third parties for marketing purposes.
4. Your rights: You may request access to and correction of recorded Personal Information about you in your insurance file by submitting a written request to your Agent or to privacy@agencyengine.app. Some information collected in connection with claim investigation may be exempt from disclosure as permitted by law.

13. Do Not Track Disclosure

The Platform does not respond to legacy "Do Not Track" browser signals because there is no industry-wide standard for compliance. We do honor Global Privacy Control (GPC) signals as required by California regulations.

14. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will (a) post the updated Policy with a new "Effective" date, (b) notify Agents by email at the address on file at least 30 days before the changes take effect, and (c) for changes that materially expand the categories of Personal Information collected or uses thereof, obtain affirmative consent before applying the change. Continued use of the Platform after the effective date of changes constitutes acceptance of the updated Policy.

15. Contact Us

For privacy questions, requests, or to exercise your rights:

• Email: privacy@agencyengine.app
• Postal: Agency Engine Inc., Attn: Privacy Officer, 1209 Mountain Road Pl NE, Ste N, Albuquerque, NM, 87110
• Data Protection Officer (for GDPR inquiries): dpo@agencyengine.app
• Subprocessor list: agencyengine.app/subprocessors
• Data Processing Agreement: agencyengine.app/dpa