Privacy Policy.

§ I · Who we are

Castra Risk Underwriters LLC is a Delaware limited liability company acting as a managing general agent for specialty insurance carriers. The data controller for site-visitor and prospective-broker information is Castra Risk Underwriters LLC. For policyholder information collected in connection with underwriting and administering an insurance contract, the data controller is the issuing carrier; we process on their behalf as a service provider.

§ II · What we collect

We collect three kinds of information:

1. Site-visitor information. Browser type, device class, referring page, country-level location, and the pages you viewed. We use this in aggregate to operate and improve the site. We do not use it to identify you.
2. Inquiry information. When you submit an inquiry form, we collect your name, email address, organisation, role, the topic you selected, and any notes you choose to include.
3. Submission information. When a broker submits a placement, we collect the firm record and AI deployment record described in the Brokers page. This may include personal information of officers and directors of the prospective insured to the extent required for underwriting.

We do not collect special categories of data (race, religion, sexual orientation, etc.) except where the law of a placement's seat requires it for a specific underwriting decision.

§ III · Telemetry data

Castra ingests metadata describing the insured's AI deployment under the telemetry contract — specifically the action audit, classification stability signal, and dependency graph described on the Underwriting page. Castra does not ingest raw model inputs (prompts, queries, or source documents), raw model outputs (free-text responses or generated content), model weights, training data, or end-user personal information. The action audit records categorical metadata about each consequential action — timestamp, model version, input class, decision class, and downstream effect — sufficient to reconstruct a claim without reading the underlying interaction.

The telemetry contract is between Castra, the insured, and the issuing carrier; it is not governed by this Privacy Policy.

§ IV · Why we collect

We process personal information for one or more of the following purposes:

1. To respond to your inquiry or submission.
2. To evaluate, underwrite, bind, administer, and renew an insurance contract.
3. To investigate and adjust a claim under a Castra-bound policy.
4. To comply with our regulatory obligations, including responses to lawful requests from regulators and law enforcement.
5. To detect, prevent, and respond to fraud and security incidents.
6. To provide internal reporting and analytics on our book of business in aggregate.

Under GDPR, our lawful bases are contract performance (Art. 6(1)(b)), legitimate interests (Art. 6(1)(f)), and legal obligation (Art. 6(1)(c)). For insurance-specific processing the lawful basis is also Art. 9(2)(g) where special category data is involved.

§ V · Who we share with

We share personal information with the following categories of recipients, under written contract requiring confidentiality and security:

1. The issuing capacity carrier and any participating reinsurer in respect of the placement.
2. Panel counsel engaged on a Castra-bound claim or regulatory matter.
3. Independent claim adjusters and forensic firms engaged on a Castra-bound matter.
4. Our service providers (hosting, email, analytics, helpdesk) under written contracts.
5. Regulators, courts, and other governmental authorities where required by law.
6. Successors in a sale, merger, or reorganisation of the business.

We do not sell personal information. We do not share personal information for cross-context behavioural advertising as defined in the CCPA.

§ VI · International transfers

Castra is based in the United States. Where we transfer personal information from the EEA, the UK, or Switzerland into the United States, the transfer is made under the relevant Standard Contractual Clauses, the UK International Data Transfer Agreement, or a derogation under Art. 49 GDPR where it applies. Where we transfer personal information into a third country, we apply the same protections.

§ VII · How long we keep it

We keep personal information only as long as needed for the purposes for which it was collected, plus the period required by law and the period necessary to defend or pursue legal claims. As an indication: site-visitor information for 26 months; inquiry information for 36 months; submission and policy information for the policy period plus seven years; claim and regulatory-inquiry information for the longer of seven years or the limitation period at the seat.

§ VIII · Your choices and rights

Depending on where you live, you may have the following rights: to access the personal information we hold about you, to correct or update it, to delete it, to restrict or object to certain processing, to receive it in portable form, and to lodge a complaint with a supervisory authority. California residents have additional rights under the CCPA including the right to know, the right to delete, the right to correct, the right to limit the use of sensitive personal information, and the right to non-discrimination. EEA and UK residents have additional rights under GDPR / UK GDPR.

To exercise a right, contact privacy@castrarisk.ai. We will respond within 30 days. We may need to verify your identity before responding.

§ IX · Cookies and analytics

The site uses a small number of strictly-necessary cookies and one analytics service (Google Analytics 4). Analytics cookies do not capture personal information; IP addresses are truncated; we do not enable advertising features. You can opt out of GA4 by installing the Google opt-out add-on or by enabling Do Not Track in your browser; we honour the GPC signal.

§ X · Security

We hold personal information under SOC 2 Type II controls. Transport is TLS 1.2 or higher; at rest, AES-256 or equivalent. Access is role-scoped; quarterly access reviews are performed. We notify affected individuals and regulators of qualifying breaches in line with applicable law.

§ XI · Children

Our services are directed to businesses, not to children. We do not knowingly collect personal information from a person under 16. If you believe we have collected information from a child, contact privacy@castrarisk.ai and we will delete it.

§ XII · Updates

We update this Policy from time to time. Material changes are flagged at the top of the page with a new effective date. Continued use of the site after a change indicates acceptance.

§ XIII · Contact

Privacy desk: privacy@castrarisk.ai. Castra Risk Underwriters LLC, Los Angeles, California, United States. For EU / EEA inquiries: our representative will be appointed under Art. 27 GDPR in connection with the regulatory build referenced on the About page.