Privacy Policy

Nivel Insurance Brokerage, Inc.

Effective Date: March 22, 2026

Last Updated: March 22, 2026

1. Introduction

Nivel Insurance Brokerage, Inc. ("Nivel," "we," "us," or "our") operates the Nivel MCP Server at https://mcp.nivelrisk.com/mcp and related services (collectively, the "Service"). This Privacy Policy describes how we collect, use, store, and protect your information when you use our Service.

The Service provides commercial auto insurance tools for NYC TLC for-hire vehicle businesses through the Model Context Protocol (MCP), enabling eligibility determination, document collection, field extraction, carrier submission, quote comparison, consent capture, and policy binding.

2. Information We Collect

2.1 Account Information

When you authenticate with our Service, we collect:

  • Email address
  • Name
  • Organization name
  • Authentication identifiers (Auth0 subject ID)

2.2 Business Information

To process insurance submissions, we collect:

  • Business name, type, and classification
  • Employer Identification Number (EIN)
  • Business address and state of operation
  • TLC license numbers and driver information
  • Vehicle information (VIN, year, make, model)
  • Fleet size and operational details

2.3 Insurance Documents

When you upload documents through the Service, we collect:

  • Business licenses and permits
  • Driver's licenses and identification
  • Vehicle registrations and titles
  • Loss run reports
  • Insurance applications and declarations
  • Any other documents you provide for insurance processing

2.4 Telematics Data

If you connect telematics devices to the Service, we collect:

  • Vehicle GPS location (latitude/longitude)
  • Vehicle speed and heading
  • Driver behavior metrics
  • Device status information

2.5 Payment Data

If you make payments through the Service, our payment processor (Stripe) collects:

  • Bank account or card details (Nivel does not store full card numbers)
  • Transaction amounts and history
  • Stripe customer identifiers

2.6 Insurance Transaction Data

Through the submission and binding process, we collect:

  • Coverage selections and preferences
  • Carrier quotes and comparison data
  • Consent records and authorization details
  • Policy binding information
  • Audit trail of all actions taken

2.7 Technical Data

We automatically collect:

  • API request metadata (timestamps, tool names, request IDs)
  • Authentication tokens (for session management)
  • Error logs and diagnostic information
  • Rate limiting counters (per-organization, per-tool)

3. How We Use Your Information

We use the information we collect to:

  • Process insurance submissions — classify your business, determine eligibility, collect and validate documents, submit to carriers, and bind policies
  • Extract and validate data — use AI-powered field extraction to read uploaded documents and validate information across documents
  • Provide quotes — submit your information to insurance carriers and present competitive quotes
  • Maintain audit trails — record all actions for regulatory compliance and dispute resolution
  • Improve the Service — diagnose issues, monitor performance, and enhance our tools
  • Communicate with you — send notifications about submission status, quote availability, and policy updates
  • Comply with legal obligations — meet insurance regulatory requirements and respond to legal requests

4. How We Share Your Information

We share your information with the following categories of recipients:

4.1 Insurance Carriers

We submit your business information, documents, and coverage requests to insurance carriers you select, including Hereford, American Transit Insurance Company, and Maya Assurance. This is necessary to obtain quotes and bind policies.

4.2 Service Providers

We use the following third-party services to operate the Service:

Provider | Purpose | Data Processed
-------- | ------- | --------------
Amazon Web Services (AWS) | Cloud infrastructure, database (RDS), file storage (S3), background processing (ECS), job queues (ElastiCache Redis) | All data
Auth0 (Okta) | Authentication and identity management | Email, name, login credentials
Google Gemini 2.5 Flash | AI-powered document field extraction, OCR, and vision analysis | Uploaded documents, photos, extracted PII (names, VINs, license numbers)
Stripe | Payment processing, ACH/card collection, Connect onboarding | Bank account details, card last-4, customer IDs, payment amounts
MVRNOW | Motor vehicle record lookups for insurance underwriting (DPPA-compliant) | Driver license numbers, driving history, MVR reports
Resend | Transactional email delivery (confirmations, verification, signing invitations) | Email addresses, submission details, policy information
Bouncie | OBD-II vehicle telematics for fleet monitoring | Vehicle GPS location, speed, device status
Samsara | Enterprise fleet telematics and vehicle tracking | Vehicle GPS location, driver behavior data
Upstash Redis | Rate limiting and violation lookup caching | Request metadata, cached violation records
ClamAV | Virus and malware scanning of uploaded files | File contents (transient, in-memory only — not retained)

4.3 Motor Vehicle Records

We access motor vehicle records through MVRNOW strictly for insurance underwriting purposes, in compliance with the Driver's Privacy Protection Act (DPPA). MVR data is used only to assess driving history as part of the insurance application process.

4.4 Legal Requirements

We may disclose your information if required by law, regulation, legal process, or governmental request, or to protect the rights, property, or safety of Nivel, our users, or the public.

5. Data Storage and Security

5.1 Storage Location

All data is stored in Amazon Web Services (AWS) in the US East (Ohio) region (us-east-2). This includes:

  • Database — Amazon RDS (PostgreSQL) with encryption at rest
  • File storage — Amazon S3 with server-side encryption (AES-256)
  • Application hosting — Amazon ECS Fargate

5.2 Security Measures

We implement the following security measures:

  • All data is encrypted at rest using AES-256 encryption
  • All data in transit is encrypted using TLS 1.2 or higher
  • Authentication via OAuth 2.0 with JWT token validation
  • Organization-scoped access control (tenant isolation) — users can only access data belonging to their organization
  • Role-based permissions (Owner, Broker, Operator, Finance Approver, Auditor)
  • SHA-256 content hashing on all uploaded documents for integrity verification
  • Idempotency protection on all write operations
  • Rate limiting to prevent abuse
  • Immutable audit logging of all actions

5.3 Document Integrity

Every document uploaded to the Service is hashed using SHA-256. This hash is verified before any document is submitted to a carrier, ensuring that only stored, verified documents are used in the insurance process.

5.4 Transient Processing

Certain services process your data in memory without retaining it. Uploaded files pass through virus scanning (ClamAV) and image processing (Sharp for format conversion and metadata stripping) before being stored. These services do not retain copies of your data after processing completes.

6. Data Retention

We retain your data according to the following schedule:

  • Insurance submission data, documents, and audit trails — Minimum 7 years from the date of the last action on a submission, in compliance with insurance regulatory requirements
  • Policy records — Minimum 7 years from policy expiration
  • Account information — Retained for the duration of your account plus 7 years
  • Technical logs — 90 days
  • Rate limiting counters — 24 hours

Insurance regulations in New York and other states require retention of records for 3 to 7 years. We apply the longer retention period to ensure compliance across all applicable jurisdictions.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — Request a copy of the personal information we hold about you
  • Correction — Request correction of inaccurate personal information
  • Deletion — Request deletion of your personal information, subject to our legal retention obligations
  • Portability — Request a machine-readable copy of your data
  • Objection — Object to certain processing of your personal information

To exercise any of these rights, contact us at wilson@nivelrisk.com. We will respond within 30 days.

Note: Due to insurance regulatory requirements, we may not be able to delete certain records that must be retained for compliance purposes. We will notify you if this applies to your request.

8. Cookies and Tracking

The MCP Server does not use cookies or browser-based tracking. Authentication is handled via OAuth 2.0 Bearer tokens passed in API requests.

9. Children's Privacy

The Service is designed for business use and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last Updated" date at the top of this page. Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Nivel Insurance Brokerage, Inc.
35 Maryetta Ct.
Syosset, NY 11791
Email: wilson@nivelrisk.com