Privacy Policy

This Policy should be read together with Lorica’s Terms of Service and, where applicable, the Master Services Agreement (“MSA”) entered into between Lorica and a customer entity.

For paid or managed Services, the MSA governs data rights, processing, and controls.

In the event of any conflict between this Policy and the MSA, the MSA controls.

This Policy does not create contractual obligations beyond those set forth in the MSA.

Lorica uses information collected through the Services to: provide, operate, maintain, and support the Services; secure the Services and prevent fraud, abuse, or misuse; enable compliance, personnel management, vendor management, and analytics workflows; respond to inquiries and provide customer support; comply with applicable legal obligations; and generate aggregated, anonymized, or de-identified analytics.

Lorica does not use Customer Data or professional profile information for consumer advertising or to provide targeted advertising based on platform activity.

When users voluntarily provide contact information for newsletters, updates, or marketing communications, we may use that information to send informational or promotional content. Users may opt out at any time using the unsubscribe link in such communications.

Lorica uses automated systems, including machine learning and artificial intelligence techniques, to support and enhance platform functionality.

These systems may use Customer Data and usage information to: extract, classify, or organize credential and compliance data; improve search, analytics, risk indicators, and workflow prioritization; enhance security, anomaly detection, and platform performance; and train and refine internal models used solely to operate and improve the Services.

Lorica does not use Customer Data to train general-purpose models offered to third parties, and does not design models to recreate, infer, or disclose identifiable individual records.

Use of Customer Data for model training is limited to improving and operating the Services and is subject to the contractual controls set forth in the MSA.

Automated tools support administrative and informational workflows and do not replace customer judgment or make final legal, employment, licensing, or regulatory determinations.

Lorica may create and use aggregated, anonymized, or de-identified data derived from the Services (“Aggregated Data,” which constitutes Usage Data as defined in the MSA where applicable).

Aggregated Data: does not identify, and cannot reasonably be used to identify, any individual or customer; is combined across users, companies, or datasets; and is subject to reasonable technical and organizational safeguards to prevent re-identification.

Lorica may use Aggregated Data for internal purposes such as analytics, benchmarking, research, security, and product development, and may license or share Aggregated Data with third parties, including insurers, underwriters, researchers, or analytics partners, for independent analytical or commercial purposes. Aggregated Data does not include identifiable Customer Data or Professional Data.

Lorica does not attempt to re-identify Aggregated Data and contractually restricts recipients from doing so.

Lorica may disclose information: to service providers and subprocessors who support the operation of the Services under confidentiality and data-protection obligations; as directed or authorized by customers or users; to comply with law, regulation, or legal process; or to protect the rights, security, or integrity of Lorica, users, or the Services.

Lorica does not sell personal information as that term is commonly defined under applicable privacy laws.

For clarity, Aggregated Data is not personal information and may be shared or sold as described above.

Lorica maintains administrative, technical, and physical safeguards designed to protect information against unauthorized access, disclosure, or misuse.

These safeguards are aligned with industry-standard practices for software-as-a-service (SaaS) providers and the Trust Services Criteria applicable to SOC 2 (Security, Availability, and Confidentiality).

Data security is subject to a shared responsibility model. Lorica is responsible for securing the infrastructure, application environment, and systems under its control. Customers and users are responsible for managing user access, protecting credentials, configuring permissions appropriately, and ensuring that data submitted to the Services complies with applicable laws and internal policies.

Lorica retains information only for as long as necessary to provide the Services, comply with legal obligations, and support legitimate business purposes.

Upon termination or expiration of applicable services: Customer Data is deleted or anonymized in accordance with the MSA and Lorica’s standard retention practices, subject to legal or archival requirements. Inactive or dormant accounts may be deactivated or removed.

The Services are operated from the United States. Information collected through the Services may be processed and stored in the United States or other jurisdictions where Lorica or its service providers operate.

By using the Services, you acknowledge that information may be transferred and processed outside your country of residence, subject to applicable legal safeguards.

Lorica responds to privacy requests in accordance with applicable law and contractual obligations.

For Customer Data processed on behalf of a customer, requests to access, correct, or delete information should be directed to the relevant customer, as Lorica acts as a service provider with respect to such data.

The Services are intended for professional and commercial use only and are not directed to children. Lorica does not knowingly collect personal information from individuals under the age of 18.

Lorica may update this Policy from time to time. Changes will be effective upon posting. Continued use of the Services constitutes acknowledgment of the updated Policy.