Legal
Pelorus Signal LLC · Effective April 2026 · Version 1.0 · Questions: privacy@pelorusai.com
This Privacy Policy describes how Pelorus Signal LLC collects, uses, processes, and protects information in connection with the Pelorus AI-powered submission triage platform.
When a Customer uses the Services, we receive and process the following categories of information:
We collect standard technical data to operate and secure the Services, including IP addresses, browser type and version, session identifiers, and error logs. This data is used solely for security, troubleshooting, and platform reliability purposes.
We do not collect personal information from insurance applicants, insureds, or brokers whose information may appear within Submission documents. We do not operate a consumer-facing platform and do not collect consumer personal data directly.
We use Customer Data exclusively for the following purposes:
We do not use Customer Data for marketing, profiling, analytics beyond service delivery, or any purpose not listed above without Customer's prior written consent.
Pelorus does not use Customer Data — including Carrier Guidelines, Submission documents, Output, or any derivative thereof — for the purpose of training, fine-tuning, benchmarking, or improving any AI or machine learning model. This prohibition is absolute and survives termination of the Agreement.
Any future engagement of Customer Data for model improvement purposes would require Customer's express prior written consent and would be governed by a separate data processing addendum.
Pelorus does not sell, rent, or trade Customer Data to any third party under any circumstances.
To deliver the Services, Pelorus engages third-party subprocessors, which may include AI model API providers and cloud infrastructure providers. All subprocessors are bound by data protection agreements requiring protections substantially equivalent to those in this Policy.
Pelorus maintains a current list of material subprocessors available to Customers upon written request. We will provide thirty (30) days' advance notice before adding any new subprocessor that will have access to Customer Data.
We may disclose Customer Data to comply with applicable law, a valid court order, regulatory requirement, or lawful government request. Where permitted, we will notify Customer prior to any such disclosure and cooperate with Customer's reasonable efforts to limit the scope of disclosure.
In the event of a merger, acquisition, or sale of substantially all of Pelorus's assets, Customer Data may be transferred to the acquiring entity, subject to the same protections as this Policy. We will notify affected Customers in advance of any such transfer.
Customer Data is processed and stored within the United States. Pelorus does not transfer Customer Data outside the United States without Customer's prior written consent.
If a Customer requires specific data residency commitments — such as state-level data segregation or compliance with New York DFS cybersecurity regulations — those requirements should be addressed in the applicable Order Form or a separate Data Processing Addendum.
Pelorus retains Customer Data for the duration of the applicable Agreement and for a period not to exceed ninety (90) days following termination or expiration, after which Customer Data is securely deleted or returned as directed by Customer.
Pelorus may retain Customer Data in secure, encrypted backup archives for up to thirty (30) additional days beyond the standard deletion window, solely for disaster recovery purposes. Data in backup archives remains subject to all confidentiality and no-training obligations.
Customers may request deletion of their Customer Data at any time by written notice. Pelorus will complete the deletion within thirty (30) days of receipt, subject to any obligations to retain data under applicable law.
Customers may retain Output for their own legitimate internal business, compliance, and regulatory purposes. Retained Output may not be used to reverse engineer, replicate, or develop a competing service that incorporates Pelorus's analytical methodology, scoring framework, or prompt architecture.
Pelorus implements and maintains commercially reasonable administrative, technical, and physical safeguards to protect Customer Data. Our measures include:
Pelorus will provide Customers with reasonable information about its security practices upon written request and will cooperate with Customer's vendor security assessment process.
In the event of a confirmed security breach involving Customer Data, Pelorus will notify the affected Customer without undue delay, and in no event later than five (5) business days after becoming aware of the confirmed breach. Notification will describe the nature of the breach, the categories of data affected, and Pelorus's response and remediation steps.
For Submission documents containing personal information of insurance applicants, insureds, or other individuals, Customer acts as the data controller. Customer is solely responsible for:
Pelorus processes personal information within Submission documents solely as a data processor acting on Customer's instructions, and solely for the purpose of delivering the Services.
The Pelorus platform uses session cookies and similar technologies solely for authentication and platform functionality. We do not use advertising cookies, behavioral tracking, or third-party analytics cookies. No Customer Data or Submission content is shared with advertising or analytics platforms.
We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or the Services. We will notify Customers of material changes at least thirty (30) days in advance by email or platform notification. Continued use of the Services after the effective date of an updated Policy constitutes acceptance of the updated terms.
Customers operating under a signed Agreement that contains specific data processing terms should note that those contractual terms control over this Policy to the extent of any conflict.
For questions about this Privacy Policy, data handling practices, subprocessor requests, or to submit a data deletion request: