Privacy Policy

Effective Date: March 25, 2026 | Last Updated: March 31, 2026

1. Introduction

ES Rating, LLC ("ES Rating," "we," "our," or "us") operates the esrating.com website and the ES Rating platform (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, share, and protect information when you use our Service.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are using the Service on behalf of an organization, you represent that you have the authority to bind that organization to this Privacy Policy.

2. Information We Collect

2.1 Account Information

When you create an account, we collect your name, email address, company/organization name, and password. We use Firebase Authentication to securely manage your login credentials. If you enable multi-factor authentication (MFA), we store your TOTP enrollment data and/or phone number for SMS verification.

2.2 Insurance Program Data

We store the insurance programs, rating tables, forms, schemas, workflow configurations, and document templates you create through our platform. When your deployed portals are used, we also store insured information, policy data, quotes, binders, issued policies, endorsements, cancellations, renewal records, and related documents submitted or generated through your programs.

2.3 Payment Information

We use Stripe to process all payments. We do not store credit card numbers, bank account numbers, or other sensitive payment credentials on our servers. Stripe handles payment data in accordance with PCI DSS Level 1 requirements. We store Stripe customer IDs, subscription IDs, and transaction metadata (amounts, dates, descriptions) for billing records.

2.4 Usage Data

We automatically collect information about how you interact with the Service, including: IP addresses, browser type and version, device information, pages viewed, features used, actions taken, timestamps, API request metadata, and performance metrics. This data is used to operate, improve, and secure the Service.

2.5 AI Processing Data

When you use our AI features (program building, document extraction, mapping, or portal assistance), the content you provide (text prompts, uploaded documents, schema data) is sent to our AI service providers (Anthropic and/or OpenAI) for processing. AI providers process this data in accordance with their respective enterprise data processing agreements, which prohibit the use of your data for model training. We do not use your insurance program data, insured information, or policy data to train any AI models.

2.6 Documents and Files

Files you upload (PDF forms, ACORD documents, carrier forms, rate manuals, logos, and submission packets) are stored in Google Cloud Storage. Documents processed through our Document AI feature are temporarily held during extraction (maximum 30 minutes) and then deleted from the extraction pipeline. Extracted data is stored as structured metadata in your account.

3. How We Use Your Information

  • To provide, operate, and maintain the Service, including program building, rating, portal deployment, and document generation
  • To process your insurance programs and generate quotes, binders, policies, endorsements, cancellations, renewal notices, and related documents
  • To process payments, manage subscriptions, track usage, and maintain billing records
  • To send transactional emails, including account verification, password resets, policy notifications, account notifications, low-balance alerts, and billing-related communications
  • To detect, prevent, and respond to fraud, abuse, security incidents, and unauthorized access
  • To maintain audit trails for security and compliance purposes, including logging all data access, modifications, and administrative actions
  • To improve, optimize, and develop new features for the Service based on aggregated usage patterns
  • To provide technical support and respond to your inquiries
  • To comply with applicable legal and regulatory obligations

4. Data Storage and Security

Your data is stored on Google Cloud Platform (GCP) infrastructure in the United States (us-central1 region). We employ the following security measures:

  • Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher
  • Encryption at rest: All stored data is encrypted using AES-256 via Google Cloud's default encryption
  • Tenant isolation: Each organization's data is logically isolated at the database level with row-level security policies
  • Credential management: API keys, integration credentials, and secrets are stored in Google Cloud Secret Manager with encrypted, versioned access
  • Authentication: Firebase Authentication with optional multi-factor authentication (TOTP and SMS)
  • Network security: Cloudflare WAF and DDoS protection, Cloud Run IAM-based service authentication, and origin verification headers
  • Access controls: Role-based access controls, API key management with SHA-256 hashing, and audit logging of all administrative actions
  • Compliance: Our infrastructure and processes are designed to meet SOC 2 Type II requirements; certification is in progress.

5. Third-Party Services

We share data with the following third-party service providers only as necessary to operate the Service. Each provider processes data under contractual obligations that restrict their use of your information:

  • Google Cloud Platform: Infrastructure hosting, database (Cloud SQL), file storage (Cloud Storage), secret management (Secret Manager), and serverless compute (Cloud Run)
  • Firebase: Authentication services and Firestore real-time database for AI project state
  • Stripe: Payment processing, subscription management, and Connect platform for MGA payouts
  • SendGrid: Transactional email delivery (account notifications, policy communications, billing alerts)
  • SignWell: Electronic signature services for policy binding
  • Anthropic: AI-powered program generation, document analysis, and chat assistance (Claude models)
  • OpenAI: Document AI extraction and field mapping (GPT models)
  • Cloudflare: CDN, DNS, DDoS protection, and request routing
  • Google Maps Platform: Address validation, autocomplete, and geocoding

We do not sell, rent, or trade your personal information or insurance data to third parties. We do not use your data for advertising purposes.

6. Your Third-Party Integrations

When you use the API Integration Builder to connect third-party services (such as CoreLogic, ePayPolicy, IPFS, or other REST APIs), you provide your own API credentials. These credentials are encrypted and stored in our credential vault. Data exchanged between your portal and your connected third-party services flows through our servers as a pass-through: we do not inspect, store, or use the content of those API responses beyond what is necessary to deliver the integration functionality you configured.

7. Data Retention

  • Account data: Retained for as long as your account is active. Upon account deletion, personal information is removed within 30 days, except where retention is required by law
  • Insurance program data: Programs, policies, quotes, and related documents are retained for 7 years after policy expiration to comply with insurance regulatory requirements and statute of limitations periods
  • Audit logs: Retained for 7 years for compliance and regulatory requirements
  • Usage and billing data: Retained for 7 years for tax and accounting compliance
  • Document AI processing: Uploaded files are deleted from the extraction pipeline within 30 minutes of processing. Extracted metadata is retained as part of your account data
  • AI conversation history: Program builder conversations are stored in Firestore as part of your project state and retained as long as the program exists

8. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request that we correct inaccurate or incomplete personal data
  • Deletion: Request deletion of your personal data, subject to legal and regulatory retention requirements
  • Portability: Request an export of your data in a machine-readable format
  • Restriction: Request that we restrict processing of your personal data in certain circumstances
  • Opt-out: Opt out of marketing communications at any time via unsubscribe links or account settings

California residents (CCPA/CPRA): You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact support@esrating.com.

EU/EEA residents (GDPR): Our legal basis for processing is contract performance (providing the Service), legitimate interest (security, fraud prevention, Service improvement), and consent (where applicable). You may lodge a complaint with your local data protection authority.

9. Cookies and Tracking

We use essential cookies and local storage for authentication session management and user preference persistence (e.g., sidebar state, onboarding completion). We do not use third-party tracking cookies, advertising pixels, or behavioral analytics tools. We do not participate in cross-site tracking or ad networks.

10. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take steps to delete it promptly.

11. International Data Transfers

The Service is hosted in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer. We rely on standard contractual clauses and other appropriate safeguards for international data transfers where required.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service or sending an email to your account address at least 30 days before changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy.

13. Contact Us

For privacy-related questions, data access requests, or concerns, contact us at:

ES Rating, LLC

Spokane, WA

Email: support@esrating.com

Website: esrating.com

We will respond to all privacy requests within 30 days.