IBNR.net logoIBNR.net

Data Privacy Policy

Last updated: March 14, 2026

1. Introduction

IBNR.net (“we”, “us”, or “our”) is committed to protecting your personal information and respecting your privacy rights. This Data Privacy Policy describes how we collect, use, disclose, and safeguard information when you access or use our Service.

2. Information We Collect

We may collect the following categories of information:

  • Account Information: Your name and email address when you register for an account.
  • Billing Information: Payment method details processed securely through our third-party payment provider (Stripe). We do not store full card numbers on our servers.
  • Uploaded Data: Actuarial triangle data and other files you upload to the Service for analysis purposes.
  • Communications: Messages you send us via support channels or email.
  • Newsletter Subscriptions: Email addresses collected when you subscribe to our newsletter. These are stored separately from your account information.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service.
  • Process transactions and send related information.
  • Send administrative information such as account confirmations, updates to our terms, and security alerts.
  • Respond to inquiries and offer customer support.
  • Monitor and analyze usage trends to improve the Service.
  • Detect, prevent, and address technical issues or fraudulent activity.
  • Comply with legal obligations.

We do not sell your personal information or uploaded data to third parties.

4. Uploaded Data

You retain ownership of all data you upload to IBNR.net. We process uploaded data solely as necessary to provide claims reserving and related computational features. Uploaded data is stored securely in Google Cloud Storage. We do not use your uploaded data to train models, and we do not disclose it to third parties except as described in this Policy.

When you upload columnar data, it may be scanned by Google Cloud Data Loss Prevention (DLP) to detect the presence of personally identifiable information (PII) or protected health information (PHI). This scanning is performed to help you identify and remove sensitive data before analysis. Google Cloud DLP processes the data on our behalf and is contractually prohibited from using it for any other purpose. DLP scanning is only a supplemental safeguard and may not detect every sensitive field. Detection accuracy can vary depending on how your organization structures, labels, and formats its data. If you choose to remove data, that process may alter the structure of your uploaded data, which can affect downstream analysis. You remain responsible for reviewing your data and confirming that sensitive information has been handled appropriately before use.

You are responsible for ensuring that any data you upload complies with applicable privacy laws and does not contain unnecessary PII or PHI.

5. Health Data and Protected Health Information (PHI)

Although IBNR.net works with healthcare-related data, its primary function is to analyze actuarial loss triangles, which summarize claims by incurred and paid periods. This data is typically aggregated and does not contain individually identifiable health information. As a result, standard triangle data is generally not considered Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

However, IBNR.net also supports columnar-to-triangle data transformation, which allows users to upload raw columnar data files. These files may contain PHI depending on how they are prepared.

For columnar data files, we recommend the following:

  • Avoid uploading PHI when not necessary. Before uploading a column-based file, consider whether individual-level identifiers are needed for your analysis. In most cases, IBNR calculations can be performed without PHI fields. We recommend stripping any PHI before uploading.
  • Use Google Cloud DLP to handle PHI in your data. When you upload a columnar file, IBNR.net integrates with Google Cloud Data Loss Prevention (DLP) to automatically scan your data and identify columns that may contain PHI before saving any data to our systems. Once flagged, you can choose to delete those columns entirely or de-identify the values before proceeding with analysis. However, DLP does not guarantee complete detection of PHI, and it may miss fields depending on how your organization's data is structured, labeled, or formatted. De-identification or other alterations may also change the data in ways that reduce fidelity or affect analysis results, so you should review the output carefully before relying on it.

If you are a HIPAA Covered Entity or Business Associate, you must have a signed Business Associate Agreement (BAA) with IBNR.net before storing any PHI on our platform. Please contact us at support@ibnr.net to execute a BAA prior to use. Uploading PHI without a signed BAA in place is a violation of our Terms and Conditions.

IBNR.net has signed a HIPAA Business Associate Agreement (BAA) with Google Cloud, covering the services used for data storage. Uploaded files are therefore handled in a HIPAA-eligible environment. However, compliance ultimately depends on your organization's own obligations and how you prepare and upload your data. You are responsible for ensuring your use of the Service complies with all applicable HIPAA requirements.

AI-assisted features on this platform use Google Cloud Vertex AI, which is covered under our existing Google Cloud Business Associate Agreement (BAA). Vertex AI processes data within a HIPAA-eligible environment and does not use your data to train models. Nevertheless, we recommend avoiding the submission of PHI to AI features unless necessary, and ensuring that any such data has been de-identified where possible.

IBNR.net shall not be held responsible for any unauthorized disclosure or misuse of PHI arising from your failure to comply with applicable HIPAA obligations, improper preparation or upload of data, or use of the Service in a manner inconsistent with this Policy.

6. Group and Team Access

Collaborative workspaces are available to users on the Team and Enterprise plans, allowing multiple users to share data and collaborate on actuarial triangles and related analyses. When you add other users to a group, those individuals are granted access to all actuarial triangles and associated analyses within that group. Although IBNR.net implements multiple safeguards to help prevent inadvertent addition of users to groups, it remains your responsibility to ensure that you only grant access to individuals who are properly authorized to view or manage your data. IBNR.net will not be held accountable for unauthorized access or misuse of data resulting from group membership decisions made by you or your organization.

7. California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it.
  • Right to Delete: You may request the deletion of your personal information, subject to certain exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information. As such, we do not offer an opt-out of sale mechanism.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To submit a CCPA request, please contact us at support@ibnr.net. We may need to verify your identity before fulfilling your request.

8. International Users

IBNR.net is operated from the United States. All data is stored and processed exclusively within the United States. If you are accessing the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal information on the following legal bases: (a) performance of a contract, when processing is necessary to provide the Service you requested; (b) legitimate interests, such as improving our Service and detecting fraud; and (c) your consent, where applicable. You may withdraw consent at any time by contacting us.

By using the Service, you consent to the transfer of your information to the United States as described in this Policy. If you do not agree with this transfer, you should not use the Service.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Service and store certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, some portions of the Service may not function properly.

We use the following types of cookies:

  • Essential cookies: Required for the Service to function, including authentication session management.
  • Analytics cookies: Help us understand how visitors interact with the Service so we can improve it.

10. Data Storage and Retention

All data processed and stored by IBNR.net is retained exclusively within the United States. We do not transfer your data to servers or infrastructure located outside the United States.

We retain your personal information for as long as your account is active or as needed to provide the Service. Uploaded data is retained until you delete it or close your account. Upon account deletion, your data is removed from active systems promptly. Residual copies may remain in backup or disaster recovery systems for up to 180 days, after which they are permanently deleted in accordance with Google Cloud's data deletion commitments.

11. Data Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS) and at rest, access controls, and regular security reviews.

12. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal information, please contact us and we will take steps to delete such information.

13. Changes to This Policy

We may update this Data Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the “Last updated” date. Your continued use of the Service after such changes constitutes acceptance of the updated policy.

14. Contact Us

If you have any questions or concerns about this Data Privacy Policy, please contact us at:

IBNR.net
support@ibnr.net