Privacy Policy

Last updated: May 2026

This Privacy Policy describes how Tidalpeak Labs Private Limited ("Tidalpeak Labs," "Raph," "we," "us," or "our"), a company incorporated under the laws of India in the state of Karnataka, collects, uses, stores, and protects information when you use the Raph platform and services available at tryraph.com. Our registered office is located at Collab Space, Near Babai Tiffins, 19th Main Rd, 4th Sector, HSR Layout, Bengaluru, Karnataka 560102, India.

Important Notice Regarding Claim Data

Tidalpeak Labs Private Limited, operating under the brand name Raph, collects, processes, and stores claim-related data on behalf of its customers (P&C insurance carriers, MGAs, TPAs, and self-insured organisations). This includes but is not limited to FNOL documents and ACORD forms, policy and endorsement data, claimant and insured personally identifiable information (PII), protected health information (PHI) in workers' compensation and other coverage lines that touch medical records, call recordings and transcripts, and related claim file information necessary for providing claims operations services.

1. Introduction

Raph is an AI copilot platform for P&C insurance claims operations. We are committed to protecting the privacy and security of the data entrusted to us by our customers, their insureds, claimants, and witnesses.

By accessing or using the Raph platform, you consent to the collection, processing, and storage of information as described in this Privacy Policy. If you do not agree with this policy, please do not use our services.

This policy applies to all users of the Raph platform, including customer adjusters and supervisors, customer authorised representatives, and individuals (insureds, claimants, witnesses) whose information passes through Raph in the course of claims handling on behalf of our customer.

2. Information We Collect

We collect the following categories of information in order to provide our services:

2.1. Customer (Business) Information. Carrier or organisation name, NAIC code (where applicable), registered address, lines of business, claim volume tier, and authorised representative contact details.

2.2. Claim Data from Integrated Systems. FNOL documents, ACORD forms (1/2/3/4), DWC-1 and state FROIs, policy declarations and endorsements, claim notes, reserve records, payment records, and related data ingested from your claims platform (Guidewire ClaimCenter, Duck Creek, Sapiens, Origami, Majesco, Insurity, or your in-house system) or via document upload, email, fax, or other channels you configure.

2.3. PII of Insureds, Claimants, and Witnesses. Name, address, date of birth, government identifiers (where applicable), contact details (phone, email), employer information (in workers' comp), vehicle and policy details, and other personal data necessary to handle the claim on behalf of the customer.

2.4. Protected Health Information (PHI). In workers' compensation, auto bodily injury, and other claims involving medical records, Raph processes PHI as defined under HIPAA, including treatment records, medical chronologies, prescription records, and provider correspondence.

2.5. Communications. Call recordings and transcripts of three-point contact attempts (initiated on behalf of the customer with appropriate consent and call-recording notices where required), email correspondence with insureds, claimants, and witnesses, and related communication metadata.

2.6. Website Analytics Data. Information collected via PostHog when you visit tryraph.com, including page views, session data, device information, and browsing behaviour.

2.7. Cookies. We currently use essential cookies necessary for the functioning of our website. We may introduce marketing and retargeting cookies in the future, at which point this policy will be updated accordingly.

3. How We Collect Information

3.1. Direct Collection. When you request a demo, create an account, or communicate with our team, we collect the information you provide directly.

3.2. Integrations. When you connect your claims platform, policy administration system, document repository, telephony, or email systems to Raph, we collect claim-related data through these integrations with your authorisation as the data controller.

3.3. Document Channels. Raph ingests FNOLs and supporting documents from the channels you configure: inbound calls, email, web portal submissions, fax, EDI feeds, and broker email submissions.

3.4. Website. We collect analytics data automatically when you visit tryraph.com through PostHog and essential cookies.

3.5. Outbound Communications. When Raph initiates three-point contact on behalf of the customer, communication metadata, transcripts, and recordings are collected and made available to the customer in the claim file.

4. How We Use Your Information

We use the information we collect for the following purposes:

4.1. Service Delivery. To provide claims intake automation, coverage verification, reserve setting support, external data enrichment, three-point contact, medical record processing, and related claims operations services.

4.2. Claim Lifecycle Operations. To monitor open claims for updates, surface new information to adjusters, and maintain a current view of the claim file inside your claims platform.

4.3. Communications. To contact authorised customer representatives regarding service updates, account matters, and support; and to conduct outbound contact attempts on behalf of the customer with insureds, claimants, and witnesses.

4.4. Platform Improvement. To analyse website usage patterns and improve the Raph platform. Where Raph improves its models, only customer-controlled, opted-in, de-identified data is used (see Section 6).

4.5. Legal Compliance. To comply with applicable laws, regulations, and legal processes.

5. Data Storage and Security

5.1. Server Location. All customer data is stored on Amazon Web Services (AWS) infrastructure in US regions, in accordance with the data residency commitments made to our customers.

5.2. Encryption. All data is encrypted both at rest (AES-256) and in transit (TLS 1.2+) using industry-standard encryption protocols.

5.3. Per-Customer Data Isolation. Customer data is logically isolated on a per-customer basis. No customer's data is accessible to or shared with any other customer.

5.4. Security Measures. We implement appropriate technical, physical, and administrative safeguards to protect your data, aligned with SOC 2 Type II controls and HIPAA Security Rule requirements.

5.5. Incident Response. We maintain an incident response programme and will notify affected customers in accordance with HIPAA breach-notification rules, applicable state breach-notification laws, and the terms of the relevant Business Associate Agreement or data processing addendum.

6. AI and Data Processing

6.1. No AI Training on Customer Data. Raph does not use customer data, PHI, or claim records to train any AI models. Your data is used solely for the purpose of delivering the services you have contracted for.

6.2. Data Minimisation for Model Calls. Before any data is processed through external AI model providers, PII/PHI minimisation and access-scoped controls are applied to limit identifiable data exposure.

6.3. On-Infrastructure Processing. All data processing, including AI-assisted processing, happens on Raph's controlled infrastructure. Customer data is not retained by external AI model providers in identifiable form.

7. Cookies and Analytics

7.1. Essential Cookies. We use essential cookies that are necessary for the proper functioning of our website. These cookies do not track you for advertising purposes.

7.2. PostHog Analytics. We use PostHog to collect website analytics data, including page views, session information, and general usage patterns.

7.3. Future Cookies. We may introduce marketing and retargeting cookies in the future. If and when we do, this Privacy Policy will be updated, and you will be notified of any changes. Appropriate consent mechanisms will be implemented before any such cookies are deployed.

8. Third-Party Services

We use the following third-party services in the operation of our platform:

8.1. Amazon Web Services (AWS). We use AWS for data storage and compute infrastructure in US regions. AWS is subject to its own privacy and security policies and serves as a Business Associate under HIPAA where applicable.

8.2. PostHog. We use PostHog for website analytics to understand how visitors interact with our website.

8.3. AI Model Providers. We use AI model providers for inference. Strict guardrails are in place: PII/PHI minimisation, access scoping, and contractual restrictions ensuring no customer data is retained by providers for training or other purposes.

8.4. Telephony and Communication Providers. To support outbound three-point contact, Raph integrates with telephony and SMS providers. These providers process call routing, recording, and transcription on Raph's behalf under appropriate data processing agreements.

9. Data Sharing

9.1. No Third-Party Sale or Sharing. Raph does not sell, rent, or share customer data with third parties for their own purposes.

9.2. Service Providers. Data stored on AWS, processed by AI providers, or routed through telephony providers is subject to those providers' security and privacy practices. Raph maintains contractual control over how providers may use customer data, and providers act as data processors or sub-processors under our direction.

9.3. Legal Requirements. We may disclose information if required to do so by law, regulation, legal process, subpoena, or governmental request.

9.4. On Behalf of the Customer. Where Raph initiates contact with insureds, claimants, or witnesses on the customer's behalf, the relevant claim and contact information is shared with those individuals only to the extent necessary to handle the claim.

10. Data Retention

10.1. Active Customers. For active customers, data is retained for the duration of the service engagement.

10.2. After Termination. Following termination of services, customers have a period of thirty (30) days to export their data from the Raph platform. After this 30-day window, all customer data is permanently deleted from our servers, subject to Section 10.3.

10.3. Regulatory Retention. Certain claim records, particularly those subject to state insurance retention requirements (typically 3 to 10 years depending on jurisdiction and claim type), may be retained beyond termination where required by law or by the terms of your service agreement.

10.4. Special Requests. For any special requirements related to data retention or deletion, please contact us at vivek@tryraph.com.

11. Your Rights

As a user of the Raph platform (or, in the case of individual data subjects, the relevant insured / claimant / witness), you have the following rights regarding your data:

11.1. Right to Access. You may request access to the personal data we hold about you.

11.2. Right to Correction. You may request correction of any inaccurate or incomplete data.

11.3. Right to Data Export. Customers may request an export of their data at any time during the active engagement with Raph.

11.4. Right to Deletion. You may request deletion of personal data, subject to any legal obligations that may require us to retain certain records (including insurance retention requirements and active litigation holds).

11.5. Right to Withdraw Consent. Where processing is based on consent, you have the right to withdraw your consent at any time.

To exercise any of these rights, please contact us at vivek@tryraph.com. For data subject requests relating to claims data, please contact your insurer (our customer) in the first instance. Raph processes such data on behalf of the customer as a service provider or processor.

12. Insured, Claimant, and Witness Data

12.1. Role of Raph. Raph acts as a service provider or data processor on behalf of our customer (the carrier, MGA, TPA, or self-insured organisation). The customer remains the data controller for the underlying claim data, including PII and PHI of insureds, claimants, and witnesses.

12.2. Individual Inquiries. Insureds, claimants, and witnesses who have questions about how their data is processed should contact the insurer (our customer) in the first instance. They may also reach out to us at vivek@tryraph.com.

12.3. HIPAA Business Associate Status. Where the customer is a HIPAA Covered Entity and Raph processes PHI on its behalf, Raph operates as a Business Associate under HIPAA pursuant to a Business Associate Agreement (BAA) executed between the customer and Tidalpeak Labs.

13. Children's Privacy

Raph's services are designed for use by P&C carriers and related insurance organisations and are not intended for use by individuals under the age of 18. We do not knowingly collect personal data from individuals under 18 years of age, except where minors are claimants or insureds and their data is processed on behalf of our customer in the course of claims handling. In such cases, processing occurs under the customer's direction as data controller.

14. Marketing Communications

14.1. Consent-Based Communication. Raph only sends marketing communications to individuals who have requested a demo or otherwise provided explicit consent to receive such communications.

14.2. No Unsolicited Marketing. We do not send unsolicited marketing emails or messages. You will only receive marketing communications from us if you have voluntarily opted in by requesting a demo or subscribing to our communications.

15. Compliance with Applicable Law

15.1. US Insurance and Health-Data Frameworks. Raph processes claim data, including PII and PHI, in alignment with the Health Insurance Portability and Accountability Act (HIPAA) where applicable, the Gramm-Leach-Bliley Act (GLBA), state insurance data security laws (including the NAIC Insurance Data Security Model Law adopted in many states), and state privacy laws (including, where applicable to data subjects, the California Consumer Privacy Act / California Privacy Rights Act).

15.2. Indian Data Protection. Tidalpeak Labs Private Limited is incorporated in India and is actively working towards compliance with India's Digital Personal Data Protection Act, 2023 (DPDP Act). This Privacy Policy will be updated as compliance measures are implemented and as the regulatory framework evolves.

15.3. Information Technology Act, 2000. As an Indian entity, we also comply with the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, as applicable to the collection, storage, and processing of personal data.

15.4. Governing Law. This Privacy Policy is governed by the laws of India. Any disputes arising from this policy shall be subject to the exclusive jurisdiction of the courts in Bengaluru, Karnataka, India, as further set forth in our Terms of Use.

16. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or applicable laws. Material changes will be communicated to active customers via email or through the platform.

We encourage you to review this policy periodically. The "Last updated" date at the top of this page indicates when the policy was most recently revised.

17. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have any privacy-related concerns, please contact us:

Tidalpeak Labs Private Limited
Operating under the brand name "Raph"
Collab Space, Near Babai Tiffins, 19th Main Rd, 4th Sector, HSR Layout, Bengaluru, Karnataka 560102, India
CIN: U62099KA2024PTC186394
Email: vivek@tryraph.com / info@tidalpeaklabs.com
Website: tryraph.com

Grievance Officer
The Grievance Officer for Raph can be reached at vivek@tryraph.com. Grievances will be acknowledged within 30 days and resolved within 30 days of acknowledgment.