How Keystone Systems LLC collects, uses, stores, shares, and protects personal information when you use INSPEKTiT.
Keystone Systems LLC ("Company," "we," "us") operates a suite of cloud-based software products for the property insurance claims industry, including INSPEKTiT and InspektiV (collectively, the "Platform"). This Privacy Policy describes how we collect, use, store, share, and protect personal information when you use any of our products through your Inspekt Account.
This policy applies to all users, including independent insurance adjusters ("Adjusters"), independent adjusting firms ("Firms"), and insurance carriers ("Carriers"). If you do not agree to this Privacy Policy, you may not use the Platform.
Keystone Systems processes different categories of data in different capacities:
Data Controller: For your account data (name, email, subscription information, usage analytics), Keystone Systems LLC is the data controller — we determine how this data is collected and used.
Data Processor: For claim data (policyholder names, property addresses, claim numbers, inspection photos and notes) and roster data (adjuster personal information entered by a Firm), Keystone Systems LLC is the data processor — you (or the Firm or Carrier you represent) are the data controller. We process this data solely to provide the Platform's services on your behalf.
NIPR Data: For license verification data obtained through the NIPR PDB API, Keystone Systems LLC acts as a licensed data recipient subject to NIPR's terms of use. This data is used exclusively for credential verification within InspektiV.
When you create an Inspekt Account, we collect:
| Data Category | Details |
|---|---|
| Identity | Full name, email address, phone number, password (hashed) |
| Professional Info | NPN (National Producer Number), license states, certifications, designations, firm affiliations, role (Adjuster/Firm/Carrier) |
| Business Info (Firms) | Company name, EIN, primary contact name, business address |
| Business Info (Carriers) | Company name, NAIC Company Code, primary contact name |
| Billing | Billing address, payment method (processed by Stripe — we do not store card numbers, bank account numbers, or full payment credentials) |

| Data Category | Details |
|---|---|
| Usage Data | Features used, inspection count, file submissions, storage usage, login history, session duration |
| Device Info | Browser type, operating system, IP address, device identifiers, screen resolution, camera and GPS permission status |
| Log Data | Server logs, error reports, performance metrics, API call records |

| Data Category | Details |
|---|---|
| Policyholder Info | Policyholder name, contact information, policy number |
| Property Info | Property address, property type, construction details, square footage |
| Claim Info | Claim number, loss date, loss type, carrier name, adjuster assignment details, claim status |
| Inspection Docs | Photographs, field notes, measurements, annotations, damage descriptions, scope of loss |
| Location Data | GPS coordinates embedded in photographs (if device permissions allow), inspection timestamps, geolocation of inspection site |
| Reports | Generated inspection reports, general loss reports (GLRs), exported documents |
When a Firm manages adjusters through the platform, the following data may be entered:
| Data Category | Details |
|---|---|
| Adjuster Identity | Name, email, phone number, NPN, license states, certifications |
| Deployment Data | Assignment history, geographic deployment, availability status, performance metrics |
| Credential Data | License expiration dates, certification status, compliance flags |
The Firm is responsible for ensuring it has obtained any necessary consents from adjusters before entering their personal information into the platform.
When an Adjuster creates an InspektiV profile and provides their NPN, Keystone Systems LLC queries the NIPR Producer Database (PDB) API to verify and retrieve:
This data is retrieved under Keystone Systems LLC's approved access to the NIPR PDB API and is subject to NIPR's terms of use. NIPR data is used solely for credential verification and display within InspektiV and is not sold, shared, or used for any other purpose.
To operate the Platform: Manage your account, authenticate sessions, process subscription payments, deliver product functionality.
To communicate: Send account notifications, service updates, billing confirmations, and product announcements. We do not send unsolicited marketing emails.
To improve the Platform: Analyze usage patterns in aggregate (not individual claim data), diagnose technical issues, inform product development, and optimize performance.
To ensure security: Detect and prevent fraud, unauthorized access, abuse, and security threats.
To comply with law: Respond to legal process, enforce our Terms of Service, and protect the rights and safety of our users and the public.
To provide Platform services: Store, organize, index, and display your inspection documentation within your account and, where applicable, within your Firm's account.
To generate reports: Format your inspection data into exportable reports and GLRs.
To enable photo management: Process, store, organize, and label photographs you capture or upload.
To enable search and retrieval: Allow you to find and access past inspections within your account.
To facilitate firm workflows: Transmit inspection data from INSPEKTiT to the Firm's account when an adjuster's account is linked to a Firm.
Roster data entered by Firms into the platform is used solely to provide the Firm's operations functionality — roster management, credential tracking, adjuster deployment, and compliance reporting. Keystone Systems LLC does not use roster data for any purpose outside the Firm's account.
NIPR data is used solely to verify and display adjuster credential status within InspektiV profiles. NIPR data is refreshed periodically to maintain accuracy. Keystone Systems LLC does not use NIPR data for marketing, profiling, scoring, or any purpose other than credential verification.
With your Firm (if applicable): If your INSPEKTiT account is linked to a Firm's account, your inspection data for assignments dispatched through that Firm will be visible to authorized users within the Firm's account. This mirrors the existing industry workflow.
By your action: When you export, download, email, or share a report, you are choosing to transmit data outside the Platform. We are not responsible for data once it leaves the Platform through your action.
Legal requirements: We may disclose claim data if required by law, subpoena, court order, or government request. We will notify you of such requests where legally permitted.
Roster data is visible only to authorized users within the Firm's account. Adjusters who are rostered may see limited information about their own assignments through their Inspekt Account. Roster data is never shared with other Firms, Carriers, or third parties unless the Firm explicitly authorizes such sharing.
By creating an InspektiV profile, you understand that your verified credential information (name, license states, certifications, NPN verification status, availability) will be visible to Firms with active InspektiV subscriptions. This is the core purpose of InspektiV — to be discovered by Firms seeking qualified adjusters. You control the information in your profile beyond the NIPR-verified fields.
We use the following categories of third-party service providers to operate the Platform. All providers are contractually bound to protect your data, process it only on our behalf, and delete it upon termination of their service agreement:
| Category | Provider | Data Accessed |
|---|---|---|
| Cloud Hosting & Database | Supabase | All platform data including claim data, roster data, photos, and account information. Encrypted at rest (AES-256) and in transit. |
| Frontend Hosting | Vercel | Application code and static assets. No user data stored on Vercel. |
| Payment Processing | Stripe | Billing address, payment method, transaction history. Stripe is PCI DSS Level 1 certified. No claim or inspection data is shared with Stripe. |
| Email | SendGrid (Twilio) | Email address, name, notification content. SOC 2 Type II certified. No claim data is transmitted through email. |
| License Verification | NIPR PDB API | NPN submitted for verification. License data returned. Subject to NIPR terms of use. |
| Monitoring | Better Stack | Uptime monitoring, health checks, performance metrics. No user data or claim data shared. |
Given the sensitive nature of claim data and policyholder information, we implement the following security measures:
Encryption in transit: All data transmitted between your device and our servers is encrypted via TLS 1.2 or higher.
Encryption at rest: Claim data, photographs, and roster data are encrypted in storage using AES-256 encryption.
Access controls: Row-Level Security (RLS) is enforced at the database level, ensuring users can only access data they are authorized to see. Keystone Systems LLC employees do not have routine access to claim data.
Authentication: All accounts are protected by password-based authentication. Multi-factor authentication (MFA) is available and recommended.
Audit logging: Access to claim data and administrative actions are logged for security monitoring and incident response.
Infrastructure security: Our cloud infrastructure is hosted in SOC 2 Type II certified data centers with automated backups, redundancy, and disaster recovery capabilities.
No system is 100% secure. While we implement industry-standard protections and continuously evaluate our security posture, we cannot guarantee absolute security against all threats. You are responsible for maintaining the security of your account credentials and your device.
Account data: Retained as long as your account is active. Deleted within 30 days of account closure, except where retention is required by law.
Claim data (INSPEKTiT): Retained as long as your account is active. Upon account termination, you have 30 days to export your data. After the export period, claim data including photographs, notes, and reports is permanently deleted.
Roster data (Firms): Retained as long as the Firm's subscription is active. Upon subscription termination, the Firm has 30 days to export all roster and operational data. After the export period, roster data is permanently deleted.
InspektiV profile data: Retained as long as the Adjuster's profile is active. Adjusters may delete their profile at any time, which removes their information from the searchable network within 48 hours.
NIPR data: Cached locally within InspektiV for the duration of the Adjuster's active profile. Refreshed periodically per NIPR PDB API terms. Deleted when the Adjuster's profile is deleted.
Usage and log data: Retained for up to 12 months for security, analytics, and troubleshooting purposes, then automatically purged.
Backups: Encrypted backups may retain data for up to 90 days after deletion for disaster recovery purposes, after which they are purged from backup systems.
Access: View and export all of your data through your Inspekt Account at any time.
Correction: Update your account information, profile data, and inspection records at any time through the Platform.
Deletion: Request deletion of your account and all associated data through any of the following methods, each of which initiates the same deletion workflow: (a) in the INSPEKTiT mobile application, by navigating to Settings → Account and selecting “Delete Account”; (b) on the web platform, by signing in at inspektit.io, opening account settings, and selecting “Delete Account”; or (c) by emailing support@keystonestack.com from the email address associated with your Inspekt Account. Account deletion requests are processed within thirty (30) days of receipt, subject to the retention exceptions described in Section 7 and any applicable legal-hold obligations.
Export: Download your complete data archive at any time through the Platform's export features.
Objection: Object to specific uses of your data by contacting us. We will accommodate reasonable requests unless the use is required to provide the Platform's core services.
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
Right to Know: Request the categories and specific pieces of personal information we have collected about you.
Right to Delete: Request deletion of your personal information, subject to legal exceptions and the 30-day export period.
Right to Correct: Request correction of inaccurate personal information.
Right to Opt-Out of Sale or Sharing: We do not sell or share personal information. If this ever changes, we will provide a clear opt-out mechanism.
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.
To exercise these rights, contact us at legal@keystonestack.com. We will verify your identity and respond within 45 days.
If a policyholder contacts Keystone Systems LLC requesting access to or deletion of their personal data stored in an Adjuster's or Firm's inspection files, we will direct them to the appropriate data controller (the Adjuster, Firm, or Carrier that controls the claim). As a data processor, Keystone Systems LLC will cooperate with the data controller to fulfill such requests in accordance with applicable law.
The INSPEKTiT mobile application requests access to specific device hardware and operating system features in order to capture inspection documentation and deliver operational alerts. The table below describes each permission requested, the data accessed, the purpose of access, and the impact of declining or revoking the permission. The user may grant or revoke each permission individually through the device's operating system settings at any time.
| Permission | Data Accessed | Purpose | If Declined or Revoked |
|---|---|---|---|
| Camera | Live camera feed and captured photographs. Photographs are saved to the inspection record. | To capture inspection photographs of property exterior, interior, damage areas, and serial-tag or data-plate detail as required by the carrier inspection workflow. | The user cannot capture new inspection photographs through the application. The user may still upload existing photographs from the device's photo library if that permission has been granted. |
| Photo Library | Photographs the user explicitly selects for upload, and their EXIF metadata. | To allow the user to attach existing photographs (such as previously captured images of the loss) to an inspection record. | The user cannot upload existing photographs from the device. Camera-captured photographs remain available if camera permission is granted. |
| Location (While Using App) | Approximate or precise GPS coordinates of the device while the application is open. Coordinates may be embedded in photograph EXIF metadata and attached to inspection records. | To verify inspection locations, attach GPS-stamped timestamps to photographs for carrier compliance, plot inspection locations on the in-app map, and calculate route distances between assignments. | Photographs captured through the application will not include embedded GPS coordinates. Map and routing features will be limited or unavailable. Certain carrier requirements that depend on geographic verification may not be satisfied. |
| Push Notifications | The device's push-notification token (a non-personal device identifier issued by Apple or Google). | To deliver operational alerts including new claim assignments, dispatch acceptances, report completions, contact-attempt reminders, and billing notices. We do not send marketing or promotional push notifications. | The user will not receive real-time alerts through the device. Equivalent information remains available inside the application and via email. |
Background Activity. The mobile application does not collect location, camera, microphone, or any other sensor data while the application is closed or running in the background. Location collection occurs only while the application is open and only while the user is actively engaged with a workflow step that requires it.
EXIF Metadata in Photographs. Photographs captured through the application may include embedded GPS coordinates, capture timestamp, and device model in the file's EXIF metadata. This metadata is preserved when photographs are stored in the inspection record and is treated as Claim Data subject to the access controls, encryption, retention, and deletion policies described elsewhere in this Privacy Policy.
No Microphone, Contacts, Calendar, or Health Access. The INSPEKTiT mobile application does not request, access, transmit, or store data from the device's microphone, address book, contacts, calendar, health data, Bluetooth peripherals, or any other sensor or data source not listed in the permissions table above.
Tracking Disclosure (iOS App Tracking Transparency). The mobile application does not track the user across other applications or websites. The application does not request permission under the App Tracking Transparency framework because it has no need to do so.
Revoking Permissions. On iOS, permissions can be reviewed and revoked at Settings → Privacy & Security → (Permission Category) → INSPEKTiT. On Android, permissions can be reviewed and revoked at Settings → Apps → INSPEKTiT → Permissions. Revoking a previously granted permission takes effect immediately and does not require re-installing the application.
Essential cookies: We use cookies that are strictly necessary for authentication, session management, and security. These cannot be disabled without breaking Platform functionality.
No advertising cookies: We do not use advertising cookies, third-party tracking pixels, or retargeting technologies.
No cross-site tracking: We do not track your activity across other websites or applications.
If we implement analytics cookies in the future, we will update this Privacy Policy and provide opt-out controls before any non-essential cookies are deployed.
The Platform is designed for licensed insurance professionals and is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly.
The Platform is operated from the United States. If you access the Platform from outside the United States, you understand and consent to the transfer of your personal information to the United States, where data protection laws may differ from those in your jurisdiction. Keystone Systems LLC will protect your information in accordance with this Privacy Policy regardless of where it is processed.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. Material changes will be communicated via email to the address associated with your Inspekt Account and/or through a notice within the Platform at least 30 days before the changes take effect. Your continued use of the Platform after the effective date of any changes constitutes acceptance of the updated Privacy Policy.
If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is handled, contact us at: