1. Introduction

Strala Group Inc. ("Strala," "we," "us," or "our") respects your privacy. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you visit our website, interact with us, or use our services. It also describes your choices and rights regarding your personal information.

This Policy applies to two contexts: (a) our website and general business operations (visitors, prospects, vendors, job applicants) and (b) claims processing services we provide as a third-party administrator for Property & Casualty insurance customers. Where we process data on behalf of a customer under a separate agreement, that agreement controls to the extent it conflicts with this Policy.

2. Information We Collect

Information You Provide to Us

Contact and identity information such as your name, email address, phone number, employer, and job title. Communications you send us through forms, email, chat, or phone. If you apply for a position, your resume, application materials, and interview-related information.

Information We Collect Automatically

When you visit our website, we automatically collect certain technical information, including your IP address, browser type and version, operating system, device identifiers, pages visited, referring URLs, and interaction data. We collect this information through cookies, log files, and similar technologies.

Information We Process on Behalf of Customers

When providing claims processing services, we process data under the direction of our insurance customers. This may include policy and claim information, claimant and insured identity and contact details, financial and payment data, medical or incident-related records where applicable, call recordings and transcripts, digital documents and images, and system and operational logs. Our processing of this data is governed by our agreements with those customers.

3. How We Use Your Information

We use the information we collect for the following purposes:

To operate, maintain, and improve our website and services. To respond to your inquiries, requests, and support needs. To communicate with you about our services, including with your consent for marketing purposes. To process and evaluate job applications. To perform claims administration services on behalf of our customers, including intake, investigation, adjudication, payment, quality assurance, and dispute resolution. To support AI-assisted workflows such as document processing, classification, summarization, and decision support, subject to human oversight for consequential decisions. To detect, prevent, and respond to fraud, security incidents, and other harmful activity. To comply with legal obligations, enforce our agreements, and protect our rights and the rights of others.

4. Legal Bases for Processing

For website visitors and business contacts, we process personal information based on legitimate interests (operating and improving our services, security, fraud prevention), consent (where required, such as for certain marketing communications), contractual necessity (to fulfill requests or agreements), and legal obligations.

For claims processing services, we act as a service provider or processor on behalf of our customers. We process personal information only as instructed by the customer and as permitted under our agreements and applicable law.

5. How We Share Your Information

We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.

We may share personal information with the following categories of recipients:

Service providers and subprocessors who perform functions on our behalf, such as cloud hosting, communications infrastructure, document processing, and analytics. These parties are bound by contractual obligations to use personal information only for the purposes we specify and to maintain appropriate security. Our insurance customers and their designees, as necessary to perform claims processing services. Professional advisors, including legal counsel and auditors, under obligations of confidentiality. Law enforcement or government authorities when required by law, legal process, or to protect the rights, safety, or property of Strala, our customers, or others. Parties involved in a corporate transaction such as a merger, acquisition, or sale of assets, with appropriate safeguards.

We maintain a list of material subprocessors and provide notice of changes as required by our customer agreements. Contact us to request the current list.

6. Data Retention

We retain personal information only as long as necessary for the purposes described in this Policy, to comply with legal and regulatory requirements, to resolve disputes, and to enforce our agreements. General retention periods include:

Website analytics and cookie data are retained for up to 13 months. Support and inquiry records are retained for 3 years after the last interaction. Recruiting data is retained for 2 years unless you request earlier deletion or local law requires otherwise. Claims files and related records processed on behalf of customers are retained for 7 years after claim closure or as required by applicable regulations or the customer agreement. Payment and financial records are retained for 7 years for tax and audit purposes. System and security logs are retained on a 12-month rolling basis. AI inference logs are retained for 90 days for safety and quality purposes, then deleted or de-identified.

When we process data on behalf of a customer, we return or delete data at the end of the engagement as directed by the customer agreement, subject to any legally required retention.

7. Cookies and Tracking Technologies

We use cookies and similar technologies on our website. Strictly necessary cookies are used to enable core site functionality. Analytics cookies help us understand how visitors use our site. We do not use cookies for cross-context behavioral advertising. You can manage cookie preferences through our cookie banner or your browser settings. Disabling certain cookies may affect site functionality.

8. Data Security

We maintain a comprehensive information security program designed to protect personal information from unauthorized access, use, disclosure, alteration, and destruction. Our security measures include access controls with multi-factor authentication and role-based permissions, encryption of data in transit and at rest, network security monitoring, vulnerability management, and penetration testing, secure development practices and change management, vendor risk assessment and subprocessor oversight, audit logging, incident detection, and response procedures, and employee training and background checks where appropriate. Additional security details are available to customers and partners under NDA.

9. International Data Transfers

By default, we store and process data in the United States. If you are located outside the United States, please be aware that your information may be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. Where applicable, we implement appropriate safeguards for cross-border transfers in accordance with applicable law, including standard contractual clauses or other approved mechanisms.

10. Your Privacy Rights

Depending on your location and applicable law, you may have the following rights regarding your personal information:

The right to access and obtain a copy of your personal information. The right to correct inaccurate or incomplete personal information. The right to request deletion of your personal information. The right to data portability. The right to opt out of the sale of personal information (we do not sell personal information). The right to opt out of sharing for cross-context behavioral advertising (we do not engage in this). The right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. The right to non-discrimination for exercising your privacy rights.

To exercise your rights, contact us at info@strala.ai. We will verify your identity and respond within the timeframes required by applicable law. If you are an authorized agent submitting a request on behalf of another individual, please provide appropriate proof of authorization.

If we process your personal information on behalf of one of our customers, please direct your request to that customer. We will assist our customers in responding to such requests as required by our agreements and applicable law.

11. AI Use and Automated Processing

Our services incorporate AI and machine learning technologies to assist with claims processing workflows, including document ingestion, classification, extraction, summarization, and decision support.

We do not use customer data to train or fine-tune Strala-owned models unless expressly authorized in a signed agreement. Our third-party AI vendors are contractually prohibited from using customer data for their own model training or product improvement.

We do not make automated decisions that produce legal or similarly significant effects without human oversight. Qualified personnel retain authority over consequential determinations such as coverage decisions and payment approvals. We maintain audit trails for AI-assisted steps, recording inputs, outputs, reviewer identity, and decision outcomes where feasible.

We may use de-identified or aggregated data for quality assurance, safety evaluation, and service improvement, with safeguards against re-identification.

12. Children's Privacy

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us.

13. Do Not Track Signals

Some browsers transmit "Do Not Track" signals. Because there is no industry consensus on how to respond to these signals, our website does not currently alter its practices upon receiving a Do Not Track signal.

14. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

15. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date at the top of this page and, where required by law, provide you with additional notice. We encourage you to review this Policy periodically.