01 Overview

This Privacy Policy explains how Sovra Inc. ("Sovra," "we," "us," or "our") collects, uses, shares, and protects information about you when you use our website at trustsovra.com, our voice advisory service, or any related products or services (collectively, the "Service").

Sovra is an AI-powered health insurance advisory platform. We help consumers understand and select health insurance coverage. To do this responsibly, we collect certain information about you and your situation. This policy describes what we collect and what we do with it.

The short version: We collect what we need to give you accurate health insurance recommendations. We never sell your personal information. We use a small number of carefully selected service providers to operate the Service, each bound by confidentiality and data protection obligations.

02 Information we collect

Information you provide directly

  • Contact information: Your name, email address, and phone number when you submit our intake form or contact us.
  • Insurance intake information: Your state of residence, ZIP code, household size, ages of household members, estimated annual household income, current coverage status, and reason for seeking new coverage.
  • Health and care information: The names of your doctors and medical providers, prescription medications you take, ongoing health conditions, anticipated procedures, and other information relevant to evaluating health insurance coverage. This information is provided voluntarily by you during the advisory process.
  • Voice recordings and transcripts: When you use our voice advisory feature, we record and transcribe the conversation between you and our AI advisor. This is described in more detail below.
  • Communications: Any messages you send to support@trustsovra.com or other communications with us.

Information collected automatically

  • Usage data: Information about how you interact with the Service, including pages viewed, features used, time spent, and referring URLs.
  • Device and connection data: IP address, browser type and version, operating system, device identifiers, and language preferences.
  • Cookies and similar technologies: We use a minimal set of first-party cookies to operate the Service. We do not use third-party advertising cookies. See our cookies section below.

Information from third parties

  • Plan and pricing data: We retrieve health insurance plan information from insurance carriers, federal and state marketplaces, and licensed health insurance data providers. This includes plan benefits, premiums, networks, formularies, and provider directories.
  • Provider lookups: We use public healthcare provider registries to verify the existence and specialty of doctors and medical providers you mention.

03 Voice recordings and AI processing

Our voice advisory service involves real-time conversation with an AI advisor. To provide this service:

  • Your voice is captured by your device's microphone and transmitted to our voice processing infrastructure for speech-to-text transcription and text-to-speech response generation.
  • Transcripts of the conversation are processed by our AI advisory engine to generate personalized responses.
  • Conversation transcripts are stored in our secure database to provide context within your session and to power future personalized recommendations.
  • De-identified conversation excerpts may be used to improve the Service. Identifying information (your name, contact details, exact location) is removed before any such use.

Two-party consent states: If you reside in a state requiring all-party consent for call recordings (California, Florida, Illinois, Maryland, Massachusetts, Montana, New Hampshire, Nevada, Pennsylvania, Washington), your voluntary use of the voice service constitutes your consent to recording. We disclose recording at the start of each voice session.

04 How we use your information

We use the information we collect to:

  • Deliver the Service: Generate personalized health insurance recommendations, surface plans that match your stated needs, and help you understand your options.
  • Communicate with you: Send you SMS messages with links to your personalized plan recommendations, respond to your inquiries, and notify you of important changes to the Service.
  • Improve the Service: Analyze how the Service is used so we can improve our recommendations, fix problems, and develop new features. Where this involves your conversation transcripts, identifying information is removed first.
  • Comply with legal obligations: Meet requirements imposed by federal and state insurance regulations, the Centers for Medicare & Medicaid Services (CMS), and other applicable law.
  • Prevent fraud and abuse: Detect and prevent fraudulent or abusive use of the Service.

05 How we share your information

We share information only as necessary to operate the Service or as described in this policy. We never sell your personal information.

Service providers (sub-processors)

We share information with carefully selected service providers, each bound by confidentiality and data protection obligations. These providers fall into the following categories:

  • Cloud infrastructure providers for hosting our website, storing your information, and delivering the Service securely.
  • AI and machine learning providers for natural language understanding and recommendation generation, including for our voice advisory feature.
  • Voice processing providers for speech-to-text transcription and text-to-speech synthesis where you use our voice service.
  • Health insurance data providers for retrieving plan information, pricing, networks, and formularies.
  • Communications providers for sending SMS messages and email related to your inquiry.
  • Analytics and monitoring providers for understanding aggregate usage patterns and ensuring service reliability.

We select providers that meet industry-standard security and privacy practices. We share only the information necessary for each provider to perform its function. Our service providers are contractually prohibited from using your information for their own commercial purposes. A current list of specific service providers is available upon request to consumers exercising their rights under applicable privacy law.

Insurance carriers and enrollment partners

If you choose to enroll in a health insurance plan through Sovra or our parent agency, Covered America, we share the information necessary to complete enrollment with the relevant insurance carrier and the federal or state marketplace. This typically includes your name, contact information, household composition, income, and any other information required by the carrier or marketplace.

Legal compliance and protection

We may disclose information when we believe in good faith that disclosure is necessary to: (a) comply with applicable law, regulation, legal process, or government request; (b) enforce our Terms of Service; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of Sovra, our users, or others.

Business transfers

If Sovra is involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you (typically by email) of any such transfer and any choices you may have regarding your information.

06 We do not sell your personal information

Sovra does not sell, rent, or trade your personal information for monetary or other valuable consideration. Sovra does not engage in "cross-context behavioral advertising" or "targeted advertising" as those terms are defined under California, Virginia, Colorado, Connecticut, Utah, Texas, or other state privacy laws.

Our business model is to provide a free advisory service to consumers and to earn standardized commissions from insurance carriers when consumers voluntarily enroll. These commissions are paid by the carriers, not by you, and they do not involve sharing your data outside of what is required to complete an enrollment you have chosen.

07 Cookies and tracking technologies

We use a minimal set of first-party cookies and similar technologies to operate the Service:

  • Essential cookies: Required for the Service to function (such as session identifiers, security tokens, and load-balancing). These cannot be disabled. Typical duration: session-only or up to 30 days.
  • Functional cookies: Remember your preferences (such as the admin mode flag) so you don't have to re-enter them. Typical duration: up to 12 months.
  • Performance cookies: Help us understand aggregate usage patterns so we can improve the Service. These do not identify you individually.

We do not use third-party advertising cookies, social media tracking pixels, or cross-site tracking technologies. We respect the Global Privacy Control (GPC) browser signal as a valid opt-out request where applicable. You may also disable or delete cookies through your browser settings, though doing so may affect the functionality of the Service.

Because we do not engage in cross-context behavioral tracking, we do not separately respond to the legacy "Do Not Track" (DNT) browser signal.

08 Data retention

We retain your information for as long as necessary to provide the Service and to comply with our legal obligations:

  • Intake data: Retained for 24 months from your last interaction, then deleted unless required for an active enrollment or by applicable law.
  • Voice recordings and transcripts: Retained for up to 12 months, after which raw recordings are deleted. De-identified excerpts may be retained longer for service improvement.
  • Enrollment records: Retained for at least 7 years from the policy effective date as required by federal and state insurance regulations.
  • Communications: Retained for 24 months for customer support purposes.

09 Security

We use reasonable administrative, technical, and physical safeguards designed to protect your information from unauthorized access, alteration, disclosure, or destruction. These include:

  • Encryption of data in transit (TLS 1.2 or higher) and at rest where supported by our infrastructure providers.
  • Access controls limiting personal data access to authorized personnel with a legitimate business need.
  • Regular security reviews and prompt patching of identified vulnerabilities.
  • Service-provider selection based on demonstrated security and compliance practices, with contractual confidentiality and data protection obligations.
  • Periodic deletion of information that is no longer needed for the purposes for which it was collected.

No system, however, is perfectly secure, and we cannot guarantee the absolute security of your information. You play an important role in protecting your information by keeping any access links confidential and notifying us promptly of any suspected unauthorized access.

Data breach notification. In the unlikely event of a data breach involving your personal information, we will notify you and the relevant authorities as required by applicable law, including state breach notification statutes. Notice will typically be made by email and, where required, by other means specified by law.

If you become aware of any security concern with our Service, please notify us at support@trustsovra.com.

10 Your rights and choices

Depending on where you live, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Ask us to correct inaccurate or incomplete information.
  • Deletion: Request that we delete your personal information, subject to legal retention requirements.
  • Portability: Request a copy of your information in a portable, machine-readable format.
  • Opt-out: Opt out of certain processing activities, including any sale or sharing of your information for cross-context behavioral advertising (we do not engage in either).
  • Non-discrimination: Exercise any of these rights without being denied the Service or charged a different price.

To exercise any of these rights, email us at support@trustsovra.com with the subject line "Privacy Request." We will respond within 45 days (or as required by applicable law). We may need to verify your identity before fulfilling certain requests.

11 California privacy rights

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

  • Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collecting it, and the categories of third parties with whom we share it.
  • Right to delete personal information we have collected from you, subject to certain exceptions (such as information needed to complete an active enrollment or to comply with a legal obligation).
  • Right to correct inaccurate personal information we maintain about you.
  • Right to opt out of sale or sharing of personal information. Sovra does not sell personal information and does not share personal information for cross-context behavioral advertising.
  • Right to limit use of sensitive personal information. We use sensitive personal information (such as health information, account access credentials, and precise geolocation if collected) only as reasonably necessary to provide the Service you requested or as otherwise permitted by law.
  • Right to non-discrimination for exercising your privacy rights. We will not deny, charge different prices for, or provide a different level of quality of the Service based on your exercise of these rights.

Notice at Collection. The categories of personal information we collect from California residents are described in section 02 above (Information we collect). We collect this information for the business purposes described in section 04 (How we use your information) and retain it for the periods described in section 08 (Data retention). We do not use personal information for purposes incompatible with those disclosed at collection.

Sensitive Personal Information. The categories of "Sensitive Personal Information" we may collect (as defined under California law) include: account log-in credentials and access tokens; information concerning your health (such as medications and conditions you choose to share); and information concerning your finances (such as estimated household income for subsidy calculations). We do not use Sensitive Personal Information for any purpose other than providing the Service you requested.

To exercise these rights, email support@trustsovra.com. You may also designate an authorized agent to make a request on your behalf; we may require written authorization and identity verification.

"Shine the Light" disclosure: California Civil Code Section 1798.83 permits California residents to request information regarding our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes.

12 Other state privacy rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), Delaware (DPDPA), New Hampshire (NHDPA), New Jersey (NJDPA), Maryland (MODPA), Minnesota (MCDPA), and other states with comprehensive privacy laws have substantially similar rights to those described above (access, correction, deletion, portability, opt-out, and non-discrimination).

Residents of these states may exercise their rights by contacting us at support@trustsovra.com. If we deny your request, you may have the right to appeal our decision; we will provide instructions for appeal in our response.

13 Health information and HIPAA

Sovra is not a "covered entity" or "business associate" under HIPAA. The information you share with us is not "Protected Health Information" as defined under HIPAA because we are not a healthcare provider, health plan, or healthcare clearinghouse, and we do not provide services on behalf of one.

Even though HIPAA does not apply, we treat health-related information with care. We collect health information only to the extent necessary to recommend appropriate insurance coverage, we limit access to authorized personnel, and we share it only with the service providers and enrollment partners described in this policy.

If you complete an enrollment with an insurance carrier through Sovra, the information held by that carrier is subject to HIPAA and the carrier's own privacy practices.

14 Children's privacy

The Service is intended for adults 18 years of age and older. We do not knowingly collect personal information from children under the age of 13 in violation of the Children's Online Privacy Protection Act (COPPA), and we do not knowingly market the Service to children.

While our Service is not directed to minors under 18, parents or guardians applying for family coverage may provide age and basic identifying information about minor household members for the purpose of obtaining accurate insurance recommendations. By providing such information, the parent or guardian represents that they have the legal authority to do so.

If you are a parent or guardian and believe a child under 13 has provided personal information directly to Sovra, please contact us at support@trustsovra.com and we will promptly delete it. We will also delete information about minor household members upon request from the parent or guardian who provided it.

15 International users

Sovra operates in the United States and provides the Service only to U.S. residents in states where our parent agency holds the appropriate insurance licenses. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data protection laws different from those in your country.

The Service is not directed to residents of the European Economic Area, the United Kingdom, or other jurisdictions outside the United States, and we do not specifically target users in those regions.

16 Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will update the "Last updated" date at the top of this policy and, where appropriate, notify you by email or by a prominent notice on our website before the changes take effect.

Your continued use of the Service after the effective date of any updated policy constitutes your acceptance of the updated policy.

17 Contact us

If you have questions, concerns, or requests regarding this Privacy Policy or our handling of your information, please contact us:

Sovra Inc.
Attn: Privacy
1314 E Las Olas Blvd #2371
Fort Lauderdale, FL 33301

Email: support@trustsovra.com
Parent agency: Covered America · NPN 20970762

For complaints not resolved by us, U.S. residents may also contact their state attorney general's office or, where applicable, their state insurance commissioner.