Privacy Policy
Scope
This policy covers the CriticalAsset AI Portal (criticalcopilot.com), operated by CriticalAsset and InsureMEP. It applies to all users who sign in to the portal — staff, carrier partners, broker partners, inspection partners, and any other invited collaborator.
The portal is a private AI tool that answers questions over documents and customer records you choose to connect or upload. It does not collect data outside the integrations you explicitly authorize.
What we collect
When you sign in and use the portal, we collect:
- Identity: your email address and Google subject ID, via the Google Sign-In flow. We use these to authenticate every request and to scope which corpora you can read.
- Connected-source credentials: when you connect Google Drive, HubSpot, or a CriticalAsset API account, the access and refresh tokens for those integrations. These are envelope-encrypted (per-write data-encryption key, KMS-held key-encryption key) before they're written to Firestore. They are never returned in any API response and never written to logs.
- Documents you connect or upload: PDFs, DOCX, plain text, HTML, CSV, and the export of Google Docs / Sheets / Slides that you place in the connected Drive folder or upload via the Admin Content surface. Stored as objects in a Google Cloud Storage bucket within our project, encrypted with our CMEK.
- Embeddings + chunks: extracted text from your documents, chunked and embedded for retrieval. Stored in Vertex AI RAG Engine within our project.
- Conversation transcripts: the prompts you send and the responses generated, including the citations referenced. Stored so you can resume a thread on refresh, and logged for audit.
- Operational logs: HTTP request metadata (path, status code, latency), error traces, and structured event logs (sign-in, upload, retrieval, sync). Stored in Cloud Logging.
Google Drive integration
When you connect Google Drive at Settings → Google Drive, the portal requests two OAuth scopes:
- https://www.googleapis.com/auth/drive.file — lets the portal create a folder named CriticalAsset Ingestion in your Drive root and write to files the portal owns. Drive's scope semantics: per-file access, only to files this app created.
- https://www.googleapis.com/auth/drive.readonly — lets the portal read the contents of the inbox folder, including files you drop into it via Drive's web UI. Without this scope, drive.file alone cannot see user-uploaded files in an app-created folder.
Our code only ever lists files inside the specific folder ID you connected. We do not crawl, index, or retrieve files from the rest of your Drive. We do not modify or delete files in your Drive (except files we created — i.e. the inbox folder itself, if you disconnect).
Each sync compares the Drive modifiedTime of every file against our last-sync cursor and only re-ingests files that have changed. Files you remove from the inbox folder are not deleted from the portal's corpus on disconnect — that is your data, not your credentials. Use Admin → Content to remove documents from a corpus.
You may disconnect Drive at any time from Settings → Google Drive. Disconnecting wipes the encrypted Drive credentials we hold. The inbox folder we created stays in your Drive; you can delete it manually if you want.
The portal complies with Google API Services User Data Policy, including its Limited Use requirements. Specifically:
- We use Drive data only to provide and improve the user-facing features clearly described on this site (chat grounding and report QA against documents you place in the inbox folder).
- We do not transfer Drive data to third parties, except as necessary to provide the user-facing features (e.g., Google Cloud Storage and Vertex AI within our own GCP project) or as required by law.
- We do not use Drive data for advertising, training general AI models outside our project, or any purpose unrelated to the portal's stated functionality.
- We do not allow humans to read Drive data, except: (a) with your affirmative agreement for specific files, (b) for security investigations, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized.
HubSpot integration
When you connect HubSpot, the portal requests read-only scopes for contacts, companies, deals, owners, and their associated schemas. HubSpot data is pulled once a day (via Cloud Scheduler) into the account corpus tied to each company you own deals on. The portal never writes to HubSpot.
How we use the data
- To answer your questions, by retrieving the chunks of your connected documents and customer records that match the question and grounding the generated answer on those chunks.
- To produce the citation list under each answer, so you can verify every factual claim against its source.
- To run the Report QA Copilot — verifying claims in a draft report against cited evidence, returning CITED, UNSUPPORTED, or AMBIGUOUS per claim.
- To maintain the audit trail required by the property-risk and insurance domains we serve.
- To diagnose and fix bugs (operational logs only — no document content is ever read by an engineer for this purpose).
We do not use your data to train any general-purpose AI model. The Gemini model we use is Google's hosted Vertex AI service; under Google's Cloud Data Processing Addendum, your data is not used to improve Google's foundational models.
Where it's stored + encryption
- All data lives in a single Google Cloud project (us-west1 region). No replication to other regions.
- Source documents in Cloud Storage are encrypted with our customer-managed encryption key (CMEK), software-protection level, 90-day rotation. Cloud KMS holds the key; the runtime service account holds cryptoKeyEncrypter + cryptoKeyDecrypter only.
- OAuth refresh tokens (Drive, HubSpot, CriticalAsset API) are envelope-encrypted: per-write AES-256-GCM data key, wrapped by the KMS-held key-encryption key. Plaintext tokens never persist to Firestore.
- Embeddings and document chunks live in Vertex AI RAG Engine, sharded across four corpora keyed by hash. Per-corpus access control restricts which embeddings each user can retrieve from.
- Audit logs are written to Cloud Logging with our project's default retention; a logging sink to a long-term Cloud Storage bucket is configured for 7-year retention.
Retention
- Documents you connect or upload: retained until you delete them via Admin → Content or disconnect the source. A soft delete leaves a tombstone for 30 days so an accidental deletion can be undone; after that the document is hard-purged.
- Conversation transcripts: retained per session in browser localStorage; persisted in Firestore until you start a new conversation. Deleted threads are removed within 30 days.
- Audit logs: 7 years (regulatory minimum for the insurance domain).
- Operational logs: 30 days, then auto-deleted.
Third parties
The portal uses the following Google Cloud services as data sub-processors. All are governed by Google Cloud's Data Processing Addendum and remain within our project:
- Google Cloud Run — hosts the application.
- Vertex AI (Gemini, RAG Engine, Embeddings) — runs the AI generation and retrieval.
- Cloud Firestore — stores corpus metadata, conversation threads, encrypted credentials.
- Cloud Storage — stores source documents, encrypted with our CMEK.
- Cloud KMS — holds the encryption key.
- Cloud Logging — audit trail.
- Identity-Aware Proxy (IAP) — gates access to authenticated users.
External integrations you opt into: Google Drive (read your inbox folder), HubSpot (read deals/contacts when connected), CriticalAsset API (read your locations when connected). No other external services receive your data.
Your rights
- Access: download the documents you've uploaded and the conversation history you've created via the relevant surfaces (Admin → Content, Chat → Threads). Email casey@criticalasset.com for assistance with bulk export.
- Deletion: delete individual documents, threads, or connections from the portal's UI. For full account deletion (your identity record + all your uploads + all your threads), email casey@criticalasset.com; we will act on the request within 7 days.
- Disconnection: disconnect Drive, HubSpot, or CriticalAsset API at any time from Settings.
- Revocation: revoke this app's access to your Google account via Google Account → Third-party apps with account access. Revocation blocks the portal from refreshing tokens; the next request fails and the connection is marked as needing re-auth.
Contact + changes to this policy
Privacy questions, data requests, or anything else about this policy: casey@criticalasset.com. Security concerns: security@criticalasset.com.
Material changes to this policy are announced via the portal's in-app notification panel and via email to all active users at least 30 days before they take effect.