Viewing the United States version.See Canadian version →

Privacy Policy

United States — Effective 2026-05-08 — Last updated 2026-05-08

1. Scope and applicability

This Privacy Policy describes how Override Tech LLC, doing business as Override Agency (“Override Agency,” “we,” “us,” or “our”), collects, uses, discloses, and safeguards personal information in connection with the software-as-a-service platform made available at platform.overrideagency.com (the “Platform”) when accessed by licensed life-insurance agents in the United States.

This policy applies only to the Platform. It does not apply to overrideagency.com, which is a separate U.S.-market lead-delivery service operated by Override Tech LLC under a distinct privacy notice.

The Platform is offered to licensed life-insurance agents in the United States and Canada. By creating an account or using the Platform, you confirm that you have read and understood this policy. Canadian agents should refer to the Canadian Privacy Policy.

2. United States privacy framework

The United States does not have a single, comprehensive federal consumer-privacy law. Instead, personal information processed through the Platform is governed by a combination of federal sector-specific laws (such as the Gramm-Leach-Bliley Act for financial information and the Children’s Online Privacy Protection Act for minors) and a growing patchwork of state comprehensive privacy laws (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Tennessee, Iowa, Indiana, Delaware, New Jersey, New Hampshire, and Maryland, among others).

Sections 11, 12, and 13 below describe the specific rights available to residents of states that have enacted comprehensive privacy laws. Section 14 addresses HIPAA. Section 15 addresses the Gramm-Leach-Bliley Act. Section 16 addresses children’s privacy.

3. Information we collect

3.1 Information you provide

When you create an account or use the Platform, we collect:

Identifiers and profile data: full name, business name, email address, phone number, mailing address, profile photo.
Licensing data: state insurance license number(s), state(s) of licensure, National Producer Number (NPN), license status, and lines of authority.
Authentication credentials: email and password (passwords are hashed by our authentication provider; we never see your plaintext password). If you enable multi-factor authentication, we store the related TOTP enrollment metadata.
Carrier portal connection metadata: identifiers that link your Platform account to a remote browser session held by our automation provider. We do not see, store, or have access to your underlying carrier portal usernames or passwords (see Section 7).
Third-party OAuth tokens: encrypted refresh and access tokens for Zoom, DocuSign, and Google Workspace (Calendar, Drive) when you connect those integrations.
Lead and client records you enter: name, phone, email, date of birth, address, smoker status, health-questionnaire responses, beneficiary information, financial situation, coverage needs, and notes.
Documents you upload: insurance applications, proof-of-income, government-issued ID documents, and other files attached to a lead, client, or application.
Meeting data: Zoom meeting recordings and transcripts captured via Zoom Realtime Media Streaming, plus structured fields automatically extracted from those transcripts.
Billing data: Stripe customer ID, subscription tier, payment-method identifier (token), billing email. We do not store full payment-card numbers.
Communications: emails and support requests you send to us.

3.2 Information collected automatically

When you use the Platform we automatically collect limited operational and security telemetry:

Page views and feature-usage events within the Platform.
IP address, user-agent, device type, and approximate location (derived from IP) for security, fraud prevention, and audit logging.
Application error logs and performance traces necessary to operate and debug the Platform.
Essential session cookies that keep you signed in and protect against cross-site request forgery.

We do not deploy third-party analytics, advertising, or marketing trackers on the Platform. There are no Google Analytics, Meta Pixel, or similar tags.

3.3 Information from third parties

When you connect an integration, the third-party service shares information with us under your authorization:

Zoom: your Zoom user identifier, meeting metadata, recording streams, and live transcript data.
DocuSign: envelope status, signer events, and completed-document references for envelopes you send through the Platform.
Google Workspace: Calendar events (read/write) and Drive file references when you enable those features.
Stripe: payment-method tokens, subscription status, invoice events.

4. How we use your information

We use the information described above to:

Operate, maintain, and secure the Platform.
Authenticate you, enforce role-based access control, and support multi-factor authentication.
Drive carrier portal sessions on your behalf to submit insurance applications you have prepared.
Record and transcribe meetings you choose to capture, and run automated extraction to pre-populate draft applications.
Send transactional email (account confirmations, billing receipts, security alerts) via our email provider.
Process payments, issue invoices, and manage subscriptions.
Detect, investigate, and prevent fraud, abuse, and security incidents.
Comply with our legal, regulatory, tax, and accounting obligations.
Respond to your support requests and feedback.
Improve the Platform, including by aggregating de-identified usage patterns. We do not use your client data or meeting transcripts to train general-purpose AI models.

We do notsell or share your personal information for cross-context behavioural advertising, and we do not use it for ad targeting. See Section 11 for how we treat the “Do Not Sell or Share My Personal Information” right under California law and Global Privacy Control signals.

5. How we share your information

5.1 Service providers

We share personal information with vetted service providers (sometimes called “processors” or, under California law, “service providers” and “contractors”) strictly as necessary to deliver the Platform. Each provider is bound by contract to handle data only on our instructions and to apply appropriate safeguards.

Provider	Purpose
Stripe, Inc.	Subscription billing, payment-method storage, invoice generation. We never receive raw card numbers.
Supabase, Inc.	Postgres database, authentication, file storage, row-level security. Hosted in Supabase’s North American region.
Browserbase, Inc.	Remote-Chromium-as-a-service used to drive carrier advisor portals. Holds encrypted browser-context cookies on your behalf.
Zoom Video Communications, Inc.	Meeting hosting and Realtime Media Streaming used for recording and transcription.
DocuSign, Inc.	Envelope generation and e-signature for carrier applications. Authorized per agent via OAuth.
Google LLC (Vertex AI)	Gemini 2.5 Flash model used to extract structured fields from meeting transcripts. Inputs are not used to train Google’s foundation models under our Vertex AI terms.
Google LLC (Workspace APIs)	Calendar synchronization and Drive document mirroring when you enable those integrations.
Resend, Inc.	Transactional email delivery (verification, receipts, security alerts).
Railway Corp.	Application hosting and deployment.

5.2 Legal and regulatory disclosures

We may disclose personal information when we reasonably believe disclosure is required to: (a) comply with applicable law, court orders, subpoenas, or lawful requests by public authorities; (b) enforce our Terms of Service; (c) protect the rights, safety, or property of Override Tech LLC, our customers, or others; (d) detect and prevent fraud or security incidents; or (e) respond to inquiries from your state Department of Insurance or other regulator with jurisdiction over your insurance practice.

5.3 Business transfers

If Override Tech LLC is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or part of its assets, personal information may be transferred to the successor entity. We will require the successor to honor the commitments made in this policy or notify you and provide a meaningful opportunity to object.

6. Data location and international transfers

Override Tech LLC is a limited-liability company headquartered at 26 Van Riepen Ave, Jersey City, NJ 07306, United States. Personal information you submit to the Platform is processed and stored in the United States. Several of our service providers (including Stripe, Browserbase, Zoom, DocuSign, Google, Resend, and Railway) operate global infrastructure and may, in the course of providing their services, transfer or replicate data internationally consistent with their own published terms and data-processing agreements.

We use contractual safeguards (data-processing agreements with each provider listed in Section 5.1, including standard contractual clauses or other transfer mechanisms where applicable) and technical safeguards (encryption in transit and at rest, role-based access, audit logging) to protect your information.

7. Carrier portal credentials

The Platform connects to carrier advisor portals using a model that is intentionally designed to keep your credentials away from our servers. (Note: the Beneva integration is currently available only to Canadian agents; U.S. carrier integrations are added on a rolling basis.)

When you initiate a carrier connection, we open a remote Chromium browser hosted by Browserbase. You sign in to the carrier portal inside that remote browser session, just as you would on your own computer.
The session cookies issued by the carrier are stored server-side, encrypted, inside Browserbase’s context vault. Override Agency never receives, processes, or stores your carrier username or password.
When you later submit an insurance application, the Platform re-attaches the same Browserbase context to drive the carrier’s submission form on your behalf, using only the encrypted cookies already held by Browserbase.
You can revoke a carrier connection at any time from your dashboard, which instructs Browserbase to release the stored context.

Because Override Agency is acting as your authorized service provider when operating the carrier portal, you remain responsible for compliance with the carrier’s own terms of service and for the accuracy of any application submitted.

8. Meeting transcripts, recordings, and state wiretap laws

When you record a Zoom meeting through the Platform, the recording and live transcript are streamed to our backend, stored in our database and storage layer, and processed by an LLM to extract structured fields for the underlying application.

You are responsible for obtaining valid consent from every meeting attendee before recording or transcribing the meeting, in accordance with applicable federal and state law. Federal law generally permits recording with the consent of one party (18 U.S.C. § 2511), but several states require the consent of all partiesto a communication (commonly called “two-party” or “all-party” consent states), including:

California
Connecticut
Florida
Illinois
Maryland
Massachusetts
Michigan
Montana
Nevada
New Hampshire
Oregon (for in-person communications)
Pennsylvania
Washington

Where any meeting attendee is located in an all-party consent state, you must obtain the express, informed consent of every attendee before recording begins. You must also disclose, before recording begins, that an automated transcription service is being used, that structured fields may be extracted by an AI model on behalf of Override Agency, and that the call may be monitored for training and coaching purposes (including live listen-in by your upline or downline through Command Center).

We provide the technical means to record and transcribe; you provide the legal basis for the underlying capture. Override Agency does not provide legal verification of compliance with state wiretap laws and does not assume responsibility for your obligation to obtain consent.

9. End-client and lead data

Information about your end clients (the leads, prospects, and policyholders you enter into the Platform) is provided by you. You are the controller (or, under California law, the business) of that data. Override Agency acts as your processor or service provider: we process end-client data only on your documented instructions and as necessary to deliver the Platform features.

By entering end-client data into the Platform, you represent that:

You have a lawful basis (such as the consumer’s consent or a legitimate business purpose recognized under applicable law) to collect, use, and import that data.
You have provided any required disclosures — including any GLBA initial or annual privacy notice, where applicable — to the individual before collection.
You will respond to any access, correction, deletion, or opt-out requests your clients direct to you, and will instruct Override Agency to assist where reasonably required.
You will retain or dispose of end-client records consistent with your obligations to your state Department of Insurance and other applicable regulators.

10. Data retention

We retain personal information only for as long as necessary to provide the Platform, comply with law, resolve disputes, and enforce our agreements. Indicative retention periods are summarized below.

Data category	Retention period
Active account profile and credentials	Until account deletion.
Lead and client records	Until you delete them or close your account; soft-deleted records remain recoverable for 30 days, then are permanently purged.
Meeting recordings and transcripts	Until you delete the meeting or close your account; soft-delete grace period of 30 days.
Uploaded application documents	Up to 7 years after submission to support carrier and regulatory recordkeeping, then purged unless legal hold applies.
OAuth refresh tokens	Until you disconnect the integration or delete the account.
Browserbase carrier-context references	Until you revoke the connection or delete the account.
Billing records and invoices	7 years after the close of the relevant tax year, as required by U.S. tax and accounting law.
Security and audit logs	Up to 24 months.
Backups	Encrypted point-in-time backups retained up to 35 days.

11. California residents (CCPA / CPRA)

This Section applies to California residents and supplements the rest of this policy. Defined terms (“personal information,” “sensitive personal information,” “business,” “service provider,” “sale,” “share,”) have the meanings given them by the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (collectively, the “CCPA”).

11.1 Categories of personal information

In the 12 months preceding the effective date of this policy, we have collected the following categories of personal information about Platform users:

Identifiers (name, email, phone, address, IP address, account ID).
Customer-records information (Cal. Civ. Code § 1798.80(e)) and financial information related to subscription billing.
Commercial information (subscription tier, transaction history).
Internet activity (Platform usage telemetry, error logs).
Geolocation data (approximate, derived from IP address).
Audio and electronic information (Zoom meeting recordings and transcripts, where you choose to record).
Professional information (state insurance license details, NPN).
Inferences derived from the above (such as feature-usage patterns and account-health signals).

11.2 Sensitive personal information

Categories that may qualify as “sensitive personal information” under the CCPA include account login credentials (in combination with a password) and the contents of meeting recordings or transcripts. We use sensitive personal information only for the purposes of providing the Platform you have requested, preventing fraud and security incidents, and complying with law. We do not use sensitive personal information to infer characteristics about you, and we do not use it for any purpose that would require the “right to limit” under Cal. Civ. Code § 1798.121.

11.3 Sources of collection

We collect personal information directly from you, automatically through your use of the Platform, and from the third-party integrations you connect (Section 3.3).

11.4 Business or commercial purposes

We use personal information for the purposes described in Section 4 and disclose it to the service providers listed in Section 5.1 for those same purposes.

11.5 Sale and sharing

We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA. We have not done so in the 12 months preceding the effective date of this policy. To reflect this position, we treat any signal broadcast by your browser using the Global Privacy Control (GPC) as an opt-out of sale and sharing within the meaning of the CCPA.

11.6 California consumer rights

Subject to verification of your identity and the limitations in the CCPA, California residents have the right to:

Know the categories and specific pieces of personal information we have collected, the sources, the business or commercial purposes, and the categories of third parties with whom we share it.
Delete personal information we have collected, subject to certain exceptions.
Correct inaccurate personal information we maintain about you.
Opt out of the sale or sharing of personal information (we do not sell or share, but you may still exercise this right).
Limit the use of sensitive personal information (we do not use sensitive personal information beyond what is permitted under Cal. Civ. Code § 1798.121, but you may still exercise this right).
Non-discrimination for exercising your CCPA rights.

You may exercise these rights yourself, or through an authorized agent who provides written authorization. To submit a request, email [email protected], or use the “Do Not Sell or Share My Personal Information” link available in the Platform footer. We may ask you to verify your identity by confirming information already associated with your account. We will respond within 45 days, with one 45-day extension if reasonably necessary, as permitted by the CCPA.

12. Other state privacy laws

If you are a resident of a U.S. state with a comprehensive consumer privacy law — including, as of the effective date of this policy, Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Tennessee (TIPA), Iowa (ICDPA), Indiana (INCDPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (NHDPA), and Maryland (MODPA), among others — you may have rights similar to those described in Section 11, including:

The right to know whether we process your personal information.
The right to access a copy of your personal information.
The right to correct inaccurate personal information.
The right to delete personal information.
The right to data portability.
The right to opt out of the sale of personal information, of targeted advertising, and of certain profiling that produces legal or similarly significant effects.
The right to appeal a decision we make on your request.

We do not sell personal information, do not engage in targeted advertising, and do not engage in profiling that produces legal or similarly significant effects about you. To exercise any other right available under your state’s law, email [email protected] with the subject line “State Privacy Request” and tell us your state of residence. We will respond within the timeframe required by your state’s law (generally 45 days). If we deny your request, you may appeal by replying to our denial; we will respond to the appeal within 60 days, or the period required by your state’s law.

13. “Do Not Track” and Global Privacy Control

Some browsers transmit “Do Not Track” (DNT) signals. There is no industry consensus on how to interpret DNT signals, and the Platform does not currently respond to them. However, we honor the Global Privacy Control (GPC) signal as an opt-out of sale and sharing of personal information within the meaning of the CCPA and analogous state privacy laws. Because we do not sell or share personal information, the practical effect of a GPC signal on the Platform is limited, but we record and respect it.

14. HIPAA and protected health information

Override Agency is not a HIPAA covered entity and does not act as a HIPAA business associate. The Platform is designed for non-PHI insurance application data collected by licensed life-insurance agents from prospective applicants in the ordinary course of an insurance sale. Information such as smoker status, height/weight, and routine medical questions on a life-insurance application is collected by you in your capacity as a licensed agent under your relationship with the carrier and the applicant, not as a healthcare provider or health plan.

You are solely responsible for determining whether any specific information you collect is subject to HIPAA, the HITECH Act, or analogous state health-privacy law (such as California’s Confidentiality of Medical Information Act). If you have HIPAA obligations, you are responsible for complying with them; the Platform does not provide a Business Associate Agreement and is not intended to receive, process, or transmit Protected Health Information as defined under 45 C.F.R. § 160.103.

15. Gramm-Leach-Bliley Act (GLBA)

Insurance agents are generally “financial institutions” under the Gramm-Leach-Bliley Act (15 U.S.C. §§ 6801–6809) and the Federal Trade Commission’s Privacy Rule (16 C.F.R. Part 313) and Safeguards Rule (16 C.F.R. Part 314), or under analogous state insurance privacy regulations adopted from the NAIC Privacy of Consumer Financial and Health Information Regulation (Model 672).

With respect to nonpublic personal information you collect about your end clients and process through the Platform, Override Agency acts as your service provider: we receive that information from you to perform services on your behalf and we use it solely for that purpose, consistent with the GLBA and applicable state insurance privacy rules. You remain responsible for delivering all required initial and annual GLBA privacy notices to your consumers and for compliance with the Safeguards Rule for systems under your control.

16. Children’s privacy (COPPA)

The Platform is intended exclusively for licensed life-insurance agents who are at least 18 years of age. We do not knowingly collect personal information from individuals under 18, and we do not direct the Platform to children under 13 within the meaning of the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, and 16 C.F.R. Part 312. If you believe a minor has provided us with personal information, please contact [email protected] and we will delete it.

17. Data security

We maintain administrative, technical, and physical safeguards designed to protect personal information against loss, theft, and unauthorized access, disclosure, copying, use, or modification. These include:

TLS encryption for all traffic in transit.
Encryption at rest provided by Supabase (database and storage), Browserbase (browser contexts), and Stripe (billing data).
Postgres row-level security policies that enforce per-agent data isolation on every table containing customer data.
OAuth refresh tokens stored encrypted via pgcrypto using SECURITY DEFINER stored procedures so that application code cannot read raw token material directly.
Multi-factor authentication available to every account, and required for administrative and elevated-privilege roles.
Continuous deployment with code review, automated testing, and dependency scanning.
Audit logging of authentication events, sensitive data access, and administrative actions.

No method of transmission or storage is perfectly secure. If we become aware of a security incident affecting your personal information, we will notify you and applicable regulators consistent with U.S. state data-breach notification laws and any other applicable legal requirements.

18. Cookies and similar technologies

The Platform uses only essential cookies required to keep you authenticated, maintain session state, protect against cross-site request forgery, and remember basic UI preferences. We do not deploy advertising cookies, marketing pixels, or third-party analytics tags on the Platform.

You can clear cookies through your browser settings, but doing so will sign you out of the Platform.

19. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you at least 30 days in advance by email and via an in-Platform banner. The updated policy takes effect on the date stated at the top of this page. Your continued use of the Platform after the effective date constitutes acceptance of the revised policy.

20. Contact us

For questions, requests, or complaints about this Privacy Policy or our handling of your personal information, contact:

Override Tech LLC (d/b/a Override Agency)
26 Van Riepen Ave, Jersey City, NJ 07306, United States
Email: [email protected]
Phone: (973) 519-2861

See also our Terms of Service (United States).