Viewing the Canadian version.See United States version →

Privacy Policy

Canada · Effective 2026-05-08 · Last updated 2026-05-08

1. Scope and applicability

This Privacy Policy describes how Override Tech LLC, doing business as Override Agency (“Override Agency,” “we,” “us,” or “our”), collects, uses, discloses, and safeguards personal information in connection with the software-as-a-service platform made available at platform.overrideagency.com (the “Platform”).

This policy applies only to the Platform. It does not apply to overrideagency.com, which is a separate U.S.-market lead-delivery service operated by Override Tech LLC under a distinct privacy notice.

The Platform is available to licensed life-insurance agents in Canada and the United States. This policy is the version that applies to agents whose principal place of business is in Canada. Agents in the United States should refer to the United States Privacy Policy. By creating an account or using the Platform, you confirm that you have read and understood the policy that applies to you.

2. Information we collect

2.1 Information you provide

When you create an account or use the Platform, we collect:

Identifiers and profile data: full name, business name, email address, phone number, mailing address, profile photo.
Licensing data: provincial insurance license number, province of licensure, regulator (FSRA, AMF, or other), license status.
Authentication credentials: email and password (passwords are hashed by our authentication provider; we never see your plaintext password). If you enable multi-factor authentication, we store the related TOTP enrollment metadata.
Carrier portal connection metadata: identifiers that link your Platform account to a remote browser session held by our automation provider. We do not see, store, or have access to your underlying carrier portal usernames or passwords (see Section 6).
Third-party OAuth tokens: encrypted refresh and access tokens for Zoom, DocuSign, and Google Workspace (Calendar, Drive) when you connect those integrations.
Lead and client records you enter: name, phone, email, date of birth, address, smoker status, health-questionnaire responses, beneficiary information, financial situation, coverage needs, and notes.
Documents you upload: insurance applications, proof-of-income, government-issued ID documents, and other files attached to a lead, client, or application.
Meeting data: Zoom meeting recordings and transcripts captured via Zoom Realtime Media Streaming, plus structured fields automatically extracted from those transcripts.
Billing data: Stripe customer ID, subscription tier, payment-method identifier (token), billing email. We do not store full payment-card numbers.
Communications: emails and support requests you send to us.

2.2 Information collected automatically

When you use the Platform we automatically collect limited operational and security telemetry:

Page views and feature-usage events within the Platform.
IP address, user-agent, device type, and approximate location (derived from IP) for security, fraud prevention, and audit logging.
Application error logs and performance traces necessary to operate and debug the Platform.
Essential session cookies that keep you signed in and protect against cross-site request forgery.

We do not deploy third-party analytics, advertising, or marketing trackers on the Platform. There are no Google Analytics, Meta Pixel, or similar tags.

2.3 Information from third parties

When you connect an integration, the third-party service shares information with us under your authorization:

Zoom: your Zoom user identifier, meeting metadata, recording streams, and live transcript data.
DocuSign: envelope status, signer events, and completed-document references for envelopes you send through the Platform.
Google Workspace: Calendar events (read/write) and Drive file references when you enable those features.
Stripe: payment-method tokens, subscription status, invoice events.

3. How we use your information

We use the information described above to:

Operate, maintain, and secure the Platform.
Authenticate you, enforce role-based access control, and support multi-factor authentication.
Drive carrier portal sessions on your behalf to submit insurance applications you have prepared.
Record and transcribe meetings you choose to capture, and run automated extraction to pre-populate draft applications.
Send transactional email (account confirmations, billing receipts, security alerts) via our email provider.
Process payments, issue invoices, and manage subscriptions.
Detect, investigate, and prevent fraud, abuse, and security incidents.
Comply with our legal, regulatory, tax, and accounting obligations.
Respond to your support requests and feedback.
Improve the Platform, including by aggregating de-identified usage patterns. We do not use your client data or meeting transcripts to train general-purpose AI models.

We do not sell your personal information, and we do not use it for cross-context behavioural advertising or ad targeting.

4. How we share your information

4.1 Service providers

We share personal information with vetted service providers strictly as necessary to deliver the Platform. Each provider is bound by contract to handle data only on our instructions and to apply appropriate safeguards.

Provider	Purpose
Stripe, Inc.	Subscription billing, payment-method storage, invoice generation. We never receive raw card numbers.
Supabase, Inc.	Postgres database, authentication, file storage, row-level security. Hosted in Supabase’s North American region.
Browserbase, Inc.	Remote-Chromium-as-a-service used to drive carrier advisor portals. Holds encrypted browser-context cookies on your behalf.
Zoom Video Communications, Inc.	Meeting hosting and Realtime Media Streaming used for recording and transcription.
DocuSign, Inc.	Envelope generation and e-signature for carrier applications. Authorized per agent via OAuth.
Google LLC (Vertex AI)	Gemini 2.5 Flash model used to extract structured fields from meeting transcripts. Inputs are not used to train Google’s foundation models under our Vertex AI terms.
Google LLC (Workspace APIs)	Calendar synchronization and Drive document mirroring when you enable those integrations.
Resend, Inc.	Transactional email delivery (verification, receipts, security alerts).
Railway Corp.	Application hosting and deployment.

4.2 Legal and regulatory disclosures

We may disclose personal information when we reasonably believe disclosure is required to: (a) comply with applicable law, court orders, or lawful requests by public authorities; (b) enforce our Terms of Service; (c) protect the rights, safety, or property of Override Tech LLC, our customers, or others; or (d) detect and prevent fraud or security incidents.

4.3 Business transfers

If Override Tech LLC is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, personal information may be transferred to the successor entity. We will require the successor to honour the commitments made in this policy or notify you and provide a meaningful opportunity to object.

5. Cross-border data transfers

Override Tech LLC is a Delaware-style limited-liability company headquartered at 26 Van Riepen Ave, Jersey City, NJ 07306, United States. Several of our service providers (including Stripe, Browserbase, Zoom, DocuSign, Google, Resend, and Railway) are also established in the United States. As a result, personal information you submit to the Platform will be processed and stored outside Canada, including in the United States.

While stored or processed in another jurisdiction, your personal information is subject to the laws of that jurisdiction and may be accessible to courts, law enforcement, and national-security authorities under those laws. We use contractual safeguards (including data-processing agreements with each provider listed in Section 4.1) and technical safeguards (encryption in transit and at rest, role-based access, audit logging) to protect your information consistent with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy legislation.

6. Carrier portal credentials

The Platform connects to carrier advisor portals (currently Beneva and Experior) using a model that is intentionally designed to keep your credentials away from our servers.

When you initiate a carrier connection, we open a remote Chromium browser hosted by Browserbase. You sign in to the carrier portal inside that remote browser session, just as you would on your own computer.
The session cookies issued by the carrier are stored server-side, encrypted, inside Browserbase’s context vault. Override Agency never receives, processes, or stores your carrier username or password.
When you later submit an insurance application, the Platform re-attaches the same Browserbase context to drive the carrier’s submission form on your behalf, using only the encrypted cookies already held by Browserbase.
You can revoke a carrier connection at any time from your dashboard, which instructs Browserbase to release the stored context.

Because Override Agency is acting as your authorized agent when operating the carrier portal, you remain responsible for compliance with the carrier’s own terms of service and for the accuracy of any application submitted.

7. Meeting transcripts and recordings

When you record a Zoom meeting through the Platform, the recording and live transcript are streamed to our backend, stored in our database and storage layer, and processed by an LLM to extract structured fields for the underlying application.

You are responsible for obtaining valid consent from every meeting attendee before recording or transcribing the meeting, in accordance with applicable law. In Canada, this includes:

PIPEDA’s requirements for meaningful consent before collecting, using, or disclosing personal information.
For meetings involving Quebec residents, the express-consent and transparency requirements of Quebec’s Act respecting the protection of personal information in the private sector (commonly known as Law 25 or Bill 64).
Provincial private-sector privacy statutes in Alberta and British Columbia (PIPA).
Federal one-party-consent rules under section 184 of the Criminal Code, where applicable.

We provide the technical means to record and transcribe; you provide the legal basis for the underlying capture.

When monitoring features are enabled — including Command Center live listen-in by your upline or downline — you must also disclose to attendees, before recording begins, that the call may be monitored for training and coaching purposes.

8. End-client and lead data

Information about your end clients (the leads, prospects, and policyholders you enter into the Platform) is provided by you. You are the controllerof that data — or, depending on the applicable legal regime, the entity legally accountable for collecting and processing it. Override Agency acts as your processor or service provider: we process end-client data only on your documented instructions and as necessary to deliver the Platform features.

By entering end-client data into the Platform, you represent that:

You have a lawful basis (such as consent or legitimate business purpose recognized under applicable law) to collect, use, and import that data.
You have provided any required disclosures to the individual before collection.
You will respond to any access, correction, or deletion requests your clients direct to you, and will instruct Override Agency to assist where reasonably required.
You will retain or dispose of end-client records consistent with your obligations to your provincial regulator (FSRA, AMF, or other).

9. Data retention

We retain personal information only for as long as necessary to provide the Platform, comply with law, resolve disputes, and enforce our agreements. Indicative retention periods are summarized below.

Data category	Retention period
Active account profile and credentials	Until account deletion.
Lead and client records	Until you delete them or close your account; soft-deleted records remain recoverable for 30 days, then are permanently purged.
Meeting recordings and transcripts	Until you delete the meeting or close your account; soft-delete grace period of 30 days.
Uploaded application documents	Up to 7 years after submission to support carrier and regulatory recordkeeping, then purged unless legal hold applies.
OAuth refresh tokens	Until you disconnect the integration or delete the account.
Browserbase carrier-context references	Until you revoke the connection or delete the account.
Billing records and invoices	7 years after the close of the relevant tax year, as required by tax and accounting law.
Security and audit logs	Up to 24 months.
Backups	Encrypted point-in-time backups retained up to 35 days.

10. Data security

We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, disclosure, copying, use, or modification. These include:

TLS encryption for all traffic in transit.
Encryption at rest provided by Supabase (database and storage), Browserbase (browser contexts), and Stripe (billing data).
Postgres row-level security policies that enforce per-agent data isolation on every table containing customer data.
OAuth refresh tokens stored encrypted via pgcrypto using SECURITY DEFINER stored procedures so that application code cannot read raw token material directly.
Multi-factor authentication available to every account, and required for administrative and elevated-privilege roles.
Continuous deployment with code review, automated testing, and dependency scanning.
Audit logging of authentication events, sensitive data access, and administrative actions.

No method of transmission or storage is perfectly secure. If we become aware of a security incident that creates a real risk of significant harm to you, we will notify you and, where required, the Office of the Privacy Commissioner of Canada and provincial regulators (including the Commission d’accès à l’information du Québec) without undue delay.

11. Your rights and choices

Subject to applicable law and reasonable verification of your identity, you have the right to:

Access the personal information we hold about you.
Correct personal information that is inaccurate, incomplete, or out of date.
Withdraw consent for collection, use, or disclosure of your personal information, subject to legal or contractual restrictions and reasonable notice. Withdrawing consent may mean we can no longer provide some or all of the Platform.
Export your lead, client, meeting, and application data in a structured, commonly used format from your account at any time.
Delete your account and associated data, subject to retention obligations described in Section 9.
Complain to the Office of the Privacy Commissioner of Canada (priv.gc.ca) or to your provincial privacy regulator.

Quebec residents additionally have the right to data portability (to receive their personal information in a structured, commonly used technological format) and to request de-indexing or ceasing-dissemination of certain personal information under Law 25.

To exercise any of these rights, contact [email protected]. We will respond within 30 days, or such shorter period required by law.

12. Quebec residents (Law 25)

Override Tech LLC has designated a person responsible for the protection of personal information (the “privacy officer”), who can be reached at [email protected]. The privacy officer is accountable for our compliance with Quebec’s Act respecting the protection of personal information in the private sector (Law 25 / former Bill 64).

If you reside in Quebec, you have the right to:

Be informed of any automated decision based exclusively on processing of your personal information that produces legal effects or similarly significant effects, and to obtain the principal factors and parameters that led to the decision.
Receive your personal information in a structured, commonly used technological format (data portability).
Request that your personal information cease to be disseminated or be de-indexed where the conditions of Law 25 are met.
File a complaint with the Commission d’accès à l’information du Québec (cai.gouv.qc.ca) if you believe your rights under Quebec privacy law have been infringed.

13. Children’s privacy

The Platform is intended exclusively for licensed life-insurance agents who are at least 18 years of age. We do not knowingly collect personal information from individuals under 18. If you believe a minor has provided us with personal information, please contact [email protected] and we will delete it.

14. Cookies and similar technologies

The Platform uses only essential cookies required to keep you authenticated, maintain session state, protect against cross-site request forgery, and remember basic UI preferences. We do not deploy advertising cookies, marketing pixels, or third-party analytics tags on the Platform.

You can clear cookies through your browser settings, but doing so will sign you out of the Platform.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you at least 30 days in advance by email and via an in-Platform banner. The updated policy takes effect on the date stated at the top of this page. Your continued use of the Platform after the effective date constitutes acceptance of the revised policy.

16. Contact us

For questions, requests, or complaints about this Privacy Policy or our handling of your personal information, contact:

Override Tech LLC (d/b/a Override Agency)
26 Van Riepen Ave, Jersey City, NJ 07306, United States
Email: [email protected]
Phone: (973) 519-2861