Privacy Policy
Last updated: February 19, 2026
This Privacy Policy (“Policy”) describes how 42 Consulting LLC (“Company,” “we,” “us,” or “our”) collects, uses, discloses, and protects information in connection with the Deep Thought platform, our website at https://ai.42ims.com, and related services (collectively, the “Service”). This Policy applies to visitors to our website (“Visitors”), customers who subscribe to the Service (“Customers”), and individuals authorized by Customers to use the Service (“Authorized Users”).
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree with this Policy, please do not use the Service.
The Deep Thought platform is owned by Deep Thought Technologies Inc., a Delaware corporation (“Licensor”), and licensed to Company. All intellectual property rights in and to the Platform are owned exclusively by Licensor. Company is the data controller or processor (as applicable) responsible for the information practices described in this Policy.
1. Information We Collect
1.1 Information You Provide Directly
- Contact Form Submissions: When you submit a contact form on our website, we collect your full name, work email address, and the content of your message.
- Account Information: When a Customer registers for the Service, we collect business name, administrator contact information (name, email, phone), billing information, and organizational details.
- User Profile Data: Authorized Users may have profile information provisioned through their organization’s identity provider (e.g., Microsoft Entra ID), including name, email address, job title, department, and group memberships.
- Communications: When you contact us via email or other channels, we collect the content of those communications.
1.2 Customer Data Processed Through the Service
In the course of providing the Service, we process Customer Data on behalf of Customers as a data processor. Customer Data may include:
- Insurance policy data, submission data, claims data, and related records;
- Documents such as ACORD forms, loss runs, applications, bordereaux reports, and endorsements;
- Email content and attachments processed through email intelligence features;
- Data retrieved from or written to Customer’s insurance management systems (IMS);
- Data exchanged through API Connections configured by the Customer;
- Conversation content between Authorized Users and AI agents;
- Custom Skills, Automations, and configuration data created by the Customer;
- Files (Excel spreadsheets, PDFs, and other documents) processed within conversations.
Customer Data is processed solely to provide the Service and is governed by our Terms of Service and Data Processing Agreement. We do not use Customer Data for our own purposes, advertising, or AI model training.
1.3 Information Collected Automatically
- Usage Data: We collect information about how the Service is used, including features accessed, actions performed, timestamps, and session duration. This data is collected in aggregate and is used to improve the Service.
- Audit Logs: The Service maintains detailed audit logs of all actions performed by Authorized Users, including action type, timestamp, resource accessed, decision outcome, and channel. Audit logs are maintained for Customer compliance and security purposes and are accessible to Customer administrators.
- Device and Browser Information: When you visit our website, we may collect device type, operating system, browser type and version, screen resolution, and language preferences.
- IP Address: We collect IP addresses for security, fraud prevention, and to determine approximate geographic location for analytics purposes.
- AI Interaction Metadata: We collect metadata about AI interactions, including token counts, processing time, model used, and cost, for billing and service optimization purposes. We do not retain the content of AI interactions beyond the session unless stored as part of conversation history within the Service.
1.4 Information from Third Parties
- Identity Providers: When Authorized Users authenticate through Microsoft Entra ID or other OIDC-compliant identity providers, we receive user profile information as configured by the Customer’s identity provider.
- Microsoft Graph: When Customers enable email intelligence or calendar automation features, the Service may receive notifications and data from Microsoft Graph APIs as authorized by the Customer through OAuth consent.
2. How We Use Information
2.1 Service Provision
We use the information we collect to:
- Provide, operate, maintain, and improve the Service;
- Process Customer Data through AI models to generate AI Output;
- Execute Skills, Automations, and scheduled tasks as configured by Customers;
- Proxy API requests to Customer-configured Connections;
- Maintain audit logs for compliance and security;
- Authenticate and authorize Authorized Users;
- Process billing and payments.
2.2 Communication
We use contact information to:
- Respond to inquiries submitted through our contact form;
- Send transactional communications related to the Service (e.g., security alerts, service updates, billing notices);
- Provide customer support;
- Send marketing communications (only with consent and with opt-out available).
2.3 Security and Fraud Prevention
We use information to:
- Detect, prevent, and respond to security incidents;
- Monitor for violations of our Terms of Service and Acceptable Use Policy;
- Protect the rights, property, and safety of Company, our Customers, and the public.
2.4 Analytics and Improvement
We use aggregated, de-identified usage data to analyze trends, understand how the Service is used, and improve Service features and performance. We do not use Customer Data content for these purposes.
3. How We Share Information
3.1 Third-Party AI Providers
To generate AI Output, Customer Data (including conversation content and documents) is transmitted to Third-Party AI Providers. Our current AI providers include:
- Anthropic (Claude models) — San Francisco, CA, USA
- OpenAI — San Francisco, CA, USA
- Amazon Web Services (Bedrock) — various AWS regions as configured
We select AI providers that offer enterprise-grade data processing terms that prohibit the use of customer data for model training. Customer Data is transmitted securely via encrypted channels and is not retained by AI providers beyond the processing window required to generate a response.
3.2 Sub-Processors
We use third-party service providers to help operate the Service, including:
- Cloud infrastructure providers (hosting, databases, storage);
- Payment processors;
- Email delivery services (for transactional communications);
- Analytics services (using aggregated, de-identified data only).
A current list of sub-processors is available in our Data Processing Agreement.
3.3 Contact Form Data
Information submitted through our website contact form is transmitted to FormSubmit.co (operated by MillionVerifier LLC) for form processing and email delivery to our team. By submitting the contact form, you consent to this processing.
3.4 Legal and Compliance
We may disclose information if required to do so by law or if we believe in good faith that such disclosure is necessary to:
- Comply with a legal obligation, court order, or governmental request;
- Protect and defend the rights or property of Company;
- Prevent or investigate possible wrongdoing in connection with the Service;
- Protect the personal safety of users of the Service or the public.
3.5 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or other change of control, information may be transferred to the successor entity, subject to the commitments made in this Policy.
3.6 No Sale of Personal Information
We do not sell, rent, or trade personal information to third parties for their marketing purposes. We do not share personal information with third parties for cross-contextual behavioral advertising.
4. Data Retention
4.1 Customer Data
We retain Customer Data for the duration of the Customer’s subscription. Upon termination or expiration, Customer Data is available for export for thirty (30) days, after which it is deleted in accordance with our data retention schedule. Backup copies may persist for up to ninety (90) additional days before deletion from backup systems.
4.2 Audit Logs
Audit logs are retained for the duration of the Customer’s subscription plus one (1) year, or as required by applicable law, whichever is longer.
4.3 Contact Form Submissions
Contact form submissions are retained for as long as necessary to respond to the inquiry and maintain the business relationship, and thereafter as required by applicable law.
4.4 Website Analytics
Aggregated analytics data is retained for up to twenty-four (24) months.
5. Data Security
We implement commercially reasonable technical and organizational measures to protect information, including:
- Encryption at Rest: Sensitive data, including API credentials and authentication tokens, is encrypted using AES-256-GCM.
- Encryption in Transit: All data transmitted between clients, the Hub, and third-party services uses TLS 1.2 or higher.
- Access Controls: Default-deny permission engine with role-based access control. Four built-in roles (Admin, Operator, Standard, Restricted) with configurable policies for tool access, file operations, and network requests.
- Audit Logging: Comprehensive logging of all actions with 92 distinct action types, including user identity, timestamp, decision outcome, and resource details.
- Credential Isolation: API credentials provided by Customers are never exposed to AI models, returned in API responses, or included in log entries.
- Tenant Isolation: Multi-tenant data is isolated through application-level access controls and database foreign key constraints.
While we strive to use commercially reasonable means to protect information, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.
6. Your Rights and Choices
6.1 For Authorized Users (Individuals)
If you are an Authorized User, your use of the Service is governed by your organization’s (the Customer’s) agreement with us. Please contact your organization’s administrator for questions about your data within the Service.
6.2 For EEA/UK Residents (GDPR)
If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure: Request deletion of your personal data, subject to legal exceptions.
- Right to Restriction: Request restriction of processing of your personal data.
- Right to Data Portability: Request your personal data in a structured, commonly used, machine-readable format.
- Right to Object: Object to processing of your personal data for certain purposes.
- Right to Withdraw Consent: Withdraw consent where processing is based on consent.
- Right to Lodge a Complaint: Lodge a complaint with your local supervisory authority.
6.3 For California Residents (CCPA/CPRA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:
- Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
- Right to Delete: Request deletion of personal information we have collected.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out: Opt out of the sale or sharing of personal information (note: we do not sell personal information).
- Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
To exercise any of these rights, please contact us at privacy@42ims.com. We will respond to verifiable requests within the timeframes required by applicable law (generally 30 days for GDPR, 45 days for CCPA).
6.4 For All Users
- Marketing Opt-Out: You may opt out of marketing communications by following the unsubscribe instructions in any marketing email or by contacting us at privacy@42ims.com.
- Do Not Track: Our website does not currently respond to “Do Not Track” browser signals.
7. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States or other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your country.
For transfers of personal data from the European Economic Area, United Kingdom, or Switzerland, we rely on: (a) Standard Contractual Clauses approved by the European Commission; (b) adequacy decisions where applicable; or (c) other valid transfer mechanisms under applicable data protection law. Additional details are available in our Data Processing Agreement.
8. Children’s Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child under 18, we will take steps to delete such information promptly. If you believe we have collected information from a child, please contact us at privacy@42ims.com.
9. Cookies and Tracking Technologies
9.1 Website Cookies
Our website (ai.42ims.com) uses minimal cookies and tracking technologies:
- Essential Cookies: Required for basic website functionality (e.g., session management, security). These cannot be disabled.
- Analytics: We may use privacy-respecting analytics to understand website traffic in aggregate. No personal advertising profiles are created.
9.2 Service Cookies
The Platform application uses cookies and local storage for authentication tokens, session management, and user preferences. These are essential for the operation of the Service and are not used for advertising or tracking.
9.3 Third-Party Cookies
We do not use third-party advertising cookies or cross-site tracking technologies on our website or within the Service.
10. Insurance Industry Data Considerations
Given that the Service is designed for the insurance industry, Customers may process data subject to specific regulatory requirements:
- Gramm-Leach-Bliley Act (GLBA): The Service’s security measures are designed to assist Customers in meeting their obligations under GLBA and its implementing regulations. However, Customers are solely responsible for their own GLBA compliance.
- State Insurance Data Privacy Laws: Customers operating in states with specific insurance data privacy laws (e.g., New York DFS Cybersecurity Regulation 23 NYCRR 500, NAIC Insurance Data Security Model Law) are responsible for configuring the Service in a manner consistent with those requirements.
- Policyholder Information: The Service processes policyholder and claimant data on behalf of Customers. Customers are the data controllers for this data and are responsible for maintaining appropriate notices, consents, and data handling practices with respect to their policyholders and claimants.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on our website with an updated “Last updated” date and, for Customers, by providing notice through the Service or via email at least thirty (30) days before material changes take effect. Your continued use of the Service after such changes constitutes acceptance of the updated Policy.
12. Contact Us
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
42 Consulting LLC
Privacy Inquiries
Email: privacy@42ims.com
Website: https://ai.42ims.com
For data protection inquiries from the European Economic Area, you may also contact our designated data protection representative by emailing privacy@42ims.com with “GDPR” in the subject line.