Cowork Recon
Privacy Policy
Effective: 2026-06-08 · Pilot-phase posture. Reflects
the actual controls in place, not aspirational language.
What we collect
- From signup form: name, agency name, contact email, AMS choice, agency code
- From cycle uploads: carrier commission statement CSV + AMS export CSV per cycle
- Operational: SHA-256 hash of your access key (never the raw key), Fly-Client-IP hash (per-day-rotating, never raw IP), user-agent string (first 200 chars), audit log of every action
- What we DON'T collect: social security numbers, payment card details (Stripe handles those), browser fingerprints, third-party analytics cookies
Where data lives
- Processing runs on a Fly.io machine in ord (US-Central, Chicago)
- Storage is a per-tenant directory on a 1 GB Fly volume mounted at /data
- Volume is encrypted at rest by Fly's platform (LUKS, platform-managed keys)
- TLS termination at Fly's HTTPS edge; HSTS enforced
Third-party processors
- Fly.io — hosting; sub-processors per Fly's DPA
- Cloudflare — DNS + landing CDN + email routing
- Anthropic — Claude API for PDF extraction (Phase C — not yet active). Anthropic does NOT train on API inputs per their terms.
- Resend — transactional email. PII-bearing email content stored for 7 days (paid tier) or 30 days (free tier) for delivery monitoring.
- Stripe — billing (Phase B+). Handles all payment card data per PCI scope
Retention
- Active pilot data: retained for the duration of the pilot
- After pilot termination: 30-day grace period, then purged
- Soft-deleted cycles: 30-day grace before hard purge
- Audit chain: retained for 7 years (industry-standard for financial records). The chain is tamper-evident via SHA-256 prev_hash linkage — any post-write modification of an entry invalidates the chain from that point forward and is surfaced by cowork audit verify-chain.
- Earlier purge: request at any time via info@coworkrecon.com; executed within 5 business days
Your rights
- Access: request a copy of all data we hold about your agency
- Correction: edit your agency name + contact email self-serve on the Settings page
- Deletion: email us. Self-serve deletion UI is on the roadmap
- Portability: we export your data as JSON within 5 business days
Children's data
Cowork Recon is B2B-only. We do not knowingly collect data from
anyone under 18.
Security incidents
In the event of suspected unauthorized access to your data, we
notify your primary contact within 72 hours of discovery with a
written summary of scope and remediation.
Certifications
We do not currently hold SOC 2 Type I or Type II.
SOC 2 Type I is targeted within 6 months of reaching 10 paying
customers. Agencies that require SOC 2 today should consider this a
known gap.
Changes
We update this policy when controls change. Material changes are
notified by email; minor changes are published here with the effective
date updated.
Contact
Privacy questions: info@coworkrecon.com.