Last updated: April 25, 2026
ClearQuote Subprocessors
Last updated: April 25, 2026
ClearQuote uses the following third-party service providers ("subprocessors") to process data on behalf of our Customers as part of delivering the Service. Each subprocessor is authorized to process data only for the purposes described below.
Notification Commitment
We will notify Customers by email at least 30 days before engaging any new subprocessor or making material changes to an existing subprocessor's data processing role. To object to a new subprocessor, you may terminate your account in accordance with the Terms of Service before the effective date of the change.
Current Subprocessors
| Subprocessor | Service | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, authentication, and file storage | All customer and client data: agency profiles, proposals, carrier quotes, tracking events, and uploaded logos | US (AWS us-east-1) |
| Vercel | Application hosting and edge computing | HTTP request metadata; runtime logs may contain user identifiers on error paths | US |
| Stripe | Payment processing and billing management | Payment method (card), billing address, email address, customer name | US |
| Resend | Transactional email delivery (client proposals and operator notifications) | Proposal delivery to insurance clients — recipient email, proposal subject, email body content (including client-facing proposal text); Operator notification emails — operator email address, HTML notification content including AI-generated triage summaries (derived from inbound email, XSS-escaped), and operational metadata (GitHub PR URLs, Gmail message IDs, alert/gate counts) | US |
| Anthropic | AI content generation, text extraction, automated email triage, and autonomous code fix generation | Carrier quote content (NPI), proposal draft text, and PDF-extracted text from uploaded carrier quote documents (Claude models); sanitized inbound email content (subject and up to 1000 characters of body text, with sender metadata excluded) sent to claude-haiku-4-5 for bug/security/noise classification; autonomous code fix generation — AI-generated fix prompts (containing triage summary and reproduction steps derived from the prior triage step) sent to Anthropic via the Claude Code CLI subprocess (Sonnet model) to generate code changes for qualifying bug reports. Note: fix prompts do not contain raw email content. | US |
| Google (Gmail API) | Inbound email access for feedback agent | OAuth credentials for authentication; search query strings (to-addresses, date filters, subject-based approval searches); email content is returned from Google to the agent (not sent to Google beyond the authentication and query parameters) | US |
| GitHub | Code review and version control for autonomous bug fixes | Branch name, pull request title (containing AI-generated issue summary), pull request body (classification, severity, modified file list), and code changes. Note: PR content is AI-derived from inbound email triage, not raw email content. | US |
| Upstash | Rate limiting (Redis) | User identifiers (user_id or IP address), request counts, sliding-window timestamps | US |
| PostHog | Product analytics, event capture, and feature flag evaluation (reverse-proxied through /ph/* → same-origin) | Pseudonymous visitor events and funnel metrics (page URLs, click targets, referrer, UTM parameters, Supabase user ID post-login). Excludes client names, agency names, license numbers, premium amounts, proposal content, and all carrier-quote NPI. | US (AWS us-east-1) |
Notes
DPA Coverage: Each subprocessor maintains their own data processing agreements and security practices. Links to subprocessor security and privacy policies are available upon request.
PostHog Reverse Proxy: PostHog is reverse-proxied through /ph/* on the ClearQuote domain so that all analytics traffic is same-origin and no third-party cookies are set on clearquoteapp.com. PostHog's DPA is available at https://posthog.com/dpa.
Carrier Quote Data (NPI): Quote content submitted to Anthropic for AI processing may include Nonpublic Personal Information (NPI) as defined under the GLBA. Anthropic processes this data solely to generate proposal content and does not retain it for model training under its commercial API terms.
Inbound Email Triage Data: Sanitized inbound support and security email content (subject and up to 1000 characters of body text, with sender metadata excluded) is submitted to Anthropic's claude-haiku-4-5 model for bug/security/noise classification by the autonomous feedback agent. Anthropic does not retain this data beyond processing the API request, consistent with its commercial API terms.
Contact
Questions about our subprocessors or data processing practices? Email support@clearquoteapp.com.
For security matters: security@clearquoteapp.com.