Privacy Policy

Last updated: 10 May 2026

Summary: Validera processes booking data and insurance claim information solely to verify that bookings comply with claim requirements. We do not sell your data, do not use it for advertising, and retain it only as long as needed for audit compliance. We act as a data processor on behalf of our customer (the insurer), who remains the data controller.

1. Who we are and our role

Validera is operated by Agentic Labs Group Pty Ltd (ACN 692 724 584), based in Sydney NSW Australia. In this policy, "we", "us", and "our" refer to Agentic Labs Group Pty Ltd.

For most personal data we process (claim ticket content, agent identifiers, booking transaction details), Validera acts as a data processor within the meaning of Article 4(8) of the EU GDPR and as a service provider under the Australian Privacy Act 1988. The data controller is the insurer or other organisation that has procured Validera. We process this data only on the documented instructions of the controller, set out in the customer agreement and the Data Processing Agreement (DPA) we sign with each customer.

For a limited set of data (information you give us directly through validera.io, such as enquiry emails to support@validera.io), Validera acts as the data controller.

Contact: privacy@validera.io

2. What data we collect

2.1 Data processed by the Chrome extension

When an agent uses the Validera browser extension, we process:

Insurance claim data -- claim reference numbers, claimant names, policy details, budget limits, stay dates, accommodation requirements, and accessibility needs as entered in the connected ticket management system (e.g. Zammad).
Booking transaction data -- property details, pricing, dates, and listing information scraped from supported booking platforms (e.g. Airbnb, Booking.com) during the agent's active booking session.
Verdict and override data -- the result of our verification checks, any warnings or blocks issued, and the reason text entered by agents when overriding a verdict.
Agent identity -- the authenticated agent's email address, display name, and organisational affiliation.

2.2 Data we do NOT collect

Browsing history or activity outside of supported ticket and booking platforms
Passwords, payment card numbers, or financial account details
Personal data of claimants beyond what appears in the claim ticket
Screen recordings, keystrokes, or clipboard contents
Location data, device identifiers, or advertising IDs

3. How we use your data

We process data for the following purposes only:

Verification -- extracting structured information from claim tickets and comparing it against booking details to identify mismatches (price, dates, location, accessibility).
Audit logging -- recording extraction events, verdicts, and overrides to maintain a compliance trail for our customers' internal audit requirements.
Service improvement -- aggregated, anonymised metrics (e.g. extraction accuracy rates, override frequency) to improve our verification models. We do not use customer data to train AI models.

4. Legal basis for processing (GDPR)

Where the GDPR applies, we rely on the following lawful bases under Article 6:

Performance of a contract (Art 6(1)(b)) for processing carried out to deliver Validera under the customer agreement and DPA.
Legitimate interests (Art 6(1)(f)) for security monitoring, abuse prevention, rate limiting, and aggregated service-improvement analytics. The legitimate interests are operating a secure, reliable verification service; we have assessed that these do not override the rights and freedoms of data subjects.
Compliance with a legal obligation (Art 6(1)(c)) for retaining audit logs where law or regulation requires it.

We do not rely on consent as a legal basis for the core verification processing, because that processing is necessary to deliver the service the customer has procured. Marketing communications, where applicable, do rely on consent and can be withdrawn at any time.

5. Sub-processors and third-party services

We use the following sub-processors to deliver Validera. The current, dated list is published at validera.io/subprocessors. We commit to giving customers thirty days notice via email before adding a new sub-processor.

Vercel -- hosts our API services and the admin dashboard. Operational data in transit. Functions execute on Vercel's edge network, region nearest the user.
Supabase -- hosts the audit-log PostgreSQL database. All operational data at rest. Sydney (ap-southeast-2) region.
Anthropic -- Claude API for ticket extraction and verdict semantic checks. Ticket text and intent objects are sent for processing under Anthropic's commercial API terms, which prohibit training on inputs. United States.
Google -- Chrome identity API for agent sign-in. Agent email address only. Global.

6. International data transfers

Some of our sub-processors are located outside the European Economic Area (EEA), the United Kingdom, and Australia — specifically, Anthropic processes data in the United States, and Vercel functions may execute in any of its global edge regions.

For transfers from the EEA or UK, we rely on the European Commission's Standard Contractual Clauses (SCCs) as the transfer mechanism, supplemented where necessary by additional safeguards (encryption in transit and at rest; minimisation of data sent to sub-processors; contractual restrictions on use). Copies of the relevant SCCs are available to customers under our DPA.

For transfers from Australia, our sub-processor contracts include the equivalent commitments required under Australian Privacy Principle 8.

7. Data retention

Audit logs -- retained for 7 years to meet insurance industry compliance requirements, unless a shorter period is agreed with your organisation.
Session data -- booking and claim data held in the browser extension's session storage is cleared when the browser is closed or the extension is reloaded.
Account data -- retained for the duration of the customer relationship, plus 30 days after account closure.

8. Data security

All data in transit is encrypted via TLS 1.2+.
All data at rest in our database is encrypted (AES-256, provided by Supabase's underlying storage).
API endpoints are authenticated with bearer tokens resolved per-tenant. The Chrome extension communicates only with Validera's own backend services.
We do not store Anthropic API keys in the browser extension. All LLM calls are made server-side.
Per-tenant data isolation is enforced at the application layer: every query is scoped to the authenticated tenant, with no cross-tenant access path.

For a fuller engineering description of our security posture, see validera.io/security.

9. Data breach notification

If we become aware of a personal data breach affecting customer data, we will notify the affected customer (the controller) without undue delay and, where feasible, within 72 hours of becoming aware, in line with GDPR Article 33. Customers can use that notification to meet their own controller-side reporting obligations to data protection authorities and to data subjects.

For Australian customers, where a breach is likely to result in serious harm to individuals, we will support the customer's compliance with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988.

Our notification will include: the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address it.

10. Your rights

Under the Australian Privacy Act 1988 and, where applicable, the EU General Data Protection Regulation (GDPR), you have the right to:

Access the personal data we hold about you
Request correction of inaccurate data
Request deletion of your data (subject to legal retention requirements)
Object to or restrict processing
Data portability (receive your data in a structured format)
Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) or your local data protection authority

To exercise any of these rights, contact privacy@validera.io. Where we act as a processor on behalf of a customer, we will route the request to that customer (the controller) and assist them in responding within the statutory time limits.

11. Cookies

The Validera Chrome extension does not use cookies. Our web applications (app.validera.io) use only essential session cookies required for authentication. We do not use tracking cookies, analytics cookies, or advertising cookies.

12. Children's privacy

Validera is a business-to-business product designed for use by professional insurance claim handlers. We do not knowingly collect data from anyone under 18 years of age.

13. Changes to this policy

We may update this policy from time to time. Material changes will be communicated to customers via email and posted on this page. The "last updated" date at the top reflects the most recent revision.

14. Contact

For privacy-related enquiries:

Email: privacy@validera.io
Post: Agentic Labs Group Pty Ltd, Sydney NSW Australia