Legal

Privacy Policy.

Version 2026.04 · Effective April 17, 2026

This policy explains what information AskFlorence collects, why we collect it, how we use it, and the choices you have. We wrote it in plain language on purpose. If anything is unclear, email us at hello@askflorence.health.

AskFlorence is a service of AskFlorence Health, Inc. (“AskFlorence Health,” “AskFlorence,” “we,” or “us”). This policy covers our website at askflorence.health and any connected tools or pages we link to from the site.

What we collect

We only collect what we need to run the service. Here is the full list:

Information you give us

  • Contact information. Your name, email address, and phone number when you join the waitlist, contact support, or sign up for updates.
  • Quote inputs. ZIP code, household size, ages, estimated income, and tobacco use when you use our plan calculator. We use this to return subsidy estimates and plan options. We do not ask for a Social Security number.
  • Agent survey responses. If you apply to the agent platform, we collect your responses to our discovery survey, your National Producer Number (NPN), state licenses, carrier appointments, and other information you choose to share about your practice.
  • Consumer survey responses. If you fill out a survey about your insurance experience, we collect your answers.
  • Communications. Emails, text messages, and support tickets you send us.

Information we collect automatically

  • Audit metadata. IP address, user agent (browser and device), and timestamp when you submit a form or consent to a policy. We keep this so we can prove what version of this policy you agreed to and when.
  • Usage analytics. Pages visited, clicks, time on page, and referring URL. We use privacy-respecting analytics and do not sell this data.
  • Cookies and local storage. Small files in your browser that keep you logged in and remember your preferences. You can clear or block these in your browser settings. Some features may not work without them.

Information we expect to collect later

When we launch enrollment, we will collect the information required to enroll you in a health plan, including date of birth, Social Security number, immigration status where relevant, household composition, income documentation, and photo identification. We will verify your photo ID through an automated identity verification service so we can confirm you are who you say you are before we submit an application on your behalf.

We will also use an automated identity verification service to confirm the identity of licensed agents on our platform before we give them access to any member enrollment data (including Social Security numbers and other sensitive enrollment inputs). This is in addition to the NPN and license verification we do at agent onboarding.

We will update this policy before we start collecting any of that, and we will ask for your consent at the point of collection.

How we use your information

  • To run the service. Calculate quotes, match you with appropriate agents (for the agent platform), answer your questions, and send you what you asked for.
  • To communicate with you. Service updates, launch notifications, and responses to your messages. Marketing emails only if you opt in, and you can unsubscribe any time.
  • To comply with the law. Audit logs, identity verification, licensing checks (for agents), and records required by insurance regulators and by CMS.
  • To improve the product. Understand what works, fix what does not, and build what you actually need. Research uses aggregated or de-identified data by default. We ask for explicit consent before using identifiable data for research.
  • To prevent fraud. Detect abuse, protect accounts, and keep the platform safe.

We do not use your information to train public AI models. We do not sell your personal information. We will never sell your personal information, and we will not share it with advertisers for their own purposes.

Who we share it with

Today, we share your information only in these limited cases:

  • Service providers. Vendors that host our infrastructure, send our emails, and process payments. They only get what they need to do their job, and they are contractually bound to protect it.
  • Legal requirements. If we are required by law, court order, or regulator to disclose information, we will. We will push back on overbroad requests.
  • Business changes. If AskFlorence Health is acquired or reorganized, your information may transfer to the new entity. The new entity will be bound by this policy or one at least as protective.

When we launch enrollment, we will share the information necessary to complete a health insurance application with the carrier you select and with CMS (for federal marketplace states) or the applicable state-based exchange. We will also share enrollment data with licensed agents you are matched with, with your consent, and with CRM or communication tools we use to support agents, also with your consent.

Your rights and choices

Wherever you live, you have the following rights over your information:

  • Access. Get a copy of what we have about you.
  • Correction. Fix anything that is wrong.
  • Deletion. Ask us to delete your information. We may keep records we are legally required to retain (see Retention below).
  • Portability. Get your data in a common machine-readable format.
  • Opt out of marketing. Unsubscribe from any email, reply STOP to any text, or email us.
  • Withdraw consent. For anything we do based on your consent (like research use of identifiable data), you can withdraw that consent at any time.

To exercise any of these rights, email hello@askflorence.health. We will respond within 30 days.

California residents.Under the California Consumer Privacy Act (CCPA), you have the rights above plus the right to know what categories of personal information we collected, used, disclosed, and sold or shared in the past 12 months. We do not sell your personal information. We do not “share” it for cross-context behavioral advertising as that term is defined in the CCPA.

EU, UK, and EEA residents. We process your information under the GDPR or UK GDPR. Our legal bases are your consent, the performance of a contract with you, our legitimate interest in operating the service, and compliance with legal obligations. You have the right to lodge a complaint with your local data protection authority.

How long we keep it

  • Audit and consent records. 10 years, which matches HIPAA and Enhanced Direct Enrollment (EDE) retention requirements. This includes the IP, user agent, timestamp, and policy version tied to each consent.
  • Enrollment records (when we launch). 10 years after the end of the plan year, per CMS requirements.
  • Quote inputs. Kept as long as your account is active, then deleted within 90 days of account closure unless legally required otherwise.
  • Marketing data. Until you opt out or go inactive for 24 months, whichever comes first.
  • Support messages. 3 years after the last interaction.
  • Analytics data. 25 months in aggregate, de-identified form.

How we protect it

  • Encryption. All traffic to the site is encrypted in transit with TLS. Data at rest is encrypted in our database.
  • Access controls. Least-privilege access. Only the people who need a given piece of data can see it. All internal access is logged.
  • Audit logging. Every access to personal information leaves a record we can review.
  • Vendor review. We evaluate the security of every vendor that touches your data before we integrate them.
  • Compliance roadmap. We are building toward SOC 2 Type II and, for the enrollment product, the CMS EDE privacy and security audit against NIST 800-53 controls.

No system is perfect. If we ever have a breach that affects you, we will notify you and the appropriate authorities within the timeframes required by law.

Children

AskFlorence is not designed for children under 13, and we do not knowingly collect information from them. When a parent or guardian gives us information about a minor dependent for the purpose of getting a health insurance quote or coverage, we use that information only for that purpose. If you believe a child has given us information without a parent’s permission, email us and we will delete it.

International data transfers

We are based in the United States and we process data here. If you are outside the US, your information will be transferred to and processed in the US. Where required, we use Standard Contractual Clauses or another lawful transfer mechanism.

Changes to this policy

We will update this policy when our practices change. Every version has a version number and an effective date at the top. Old versions stay accessible at /privacy?v=followed by the version number (for example, /privacy?v=2026.04), so you can always see the exact text you agreed to. For material changes, we will notify you by email or through the site before the change takes effect.

Contact us

Questions, requests, or complaints about privacy:

AskFlorence Health, Inc.
Attn: Privacy
hello@askflorence.health