How Keel Technologies, Inc. collects, uses, shares, and protects information when you use our benefits enrollment platform and related services.
Keel Technologies, Inc. ("Keel," "we," "us," or "our") provides an AI-native enrollment firm platform that helps insurance brokers, employers, and the employees they serve administer voluntary, ancillary, and medical benefits programs. This Privacy Policy describes how we handle information when you visit our websites at keel.com, meetkeel.ai, and related properties (the "Sites"), when you access the Keel application at app.keel.com (the "Platform"), and when you otherwise interact with Keel.
Keel is headquartered in the United States. References to "you" in this policy include website visitors, broker users, employer administrators, and plan participants (employees and their dependents) whose information we process in connection with the Platform.
Some of the information we receive is Protected Health Information ("PHI") subject to the Health Insurance Portability and Accountability Act of 1996, as amended ("HIPAA"). When we process PHI on behalf of a broker, employer, group health plan, or carrier (each a "Covered Entity" or another Business Associate), we act as a "Business Associate" as that term is defined under HIPAA. In those cases, our handling of PHI is governed by a Business Associate Agreement ("BAA") executed with the relevant party. The terms of any executed BAA control over conflicting language in this Privacy Policy with respect to PHI.
This Privacy Policy describes our general practices and supplements (rather than replaces) the obligations we have under any BAA or other written agreement with a customer.
We collect information that you submit to us when you create an account, request a demo, sign a customer agreement, send us a communication, or otherwise interact with Keel. This includes:
When a broker or employer engages Keel, they direct us to receive information about the employees and dependents they sponsor under a benefits program. This information is typically furnished through an integration with a human resources information system ("HRIS"), a benefits administration platform, a payroll system, or by direct upload. It may include:
When we receive plan participant information from a Covered Entity, the participant's relationship with Keel is governed primarily by the privacy notices of the Covered Entity (for example, your employer's notice of privacy practices). Keel processes that information at the direction of the Covered Entity under the terms of our customer agreement and any applicable BAA.
Where a customer authorizes a connection between Keel and a third-party system, we receive information from that system on the customer's behalf. Examples include:
When you use the Sites or the Platform, we and our service providers collect information automatically. This includes:
We use information for the following purposes:
We do not use information about plan participants for advertising, do not sell information about plan participants, and do not share information about plan participants for cross-context behavioral advertising.
Keel's product surfaces include an AI counselor referred to as "Amanda" that conducts benefits conversations across phone, text, web, and video. Amanda's natural language reasoning is powered by large language models provided by Anthropic, PBC ("Claude").
We share information only in the ways described below.
We share information at the direction of our customers with the parties our customers tell us to share with, including carriers, benefits administration platforms, payroll providers, third-party administrators, broker partners, and the customer's other vendors. Examples include 834 enrollment files sent to a medical carrier, 820 premium remittance files sent to a voluntary carrier, EOI submissions sent to a life carrier, and election summaries sent to a benefits administration platform.
We engage a limited number of vendors to operate the Platform on our behalf. These vendors are bound by contracts requiring them to protect information consistent with this Privacy Policy and any applicable BAA. A current list appears in Section 7.
We may disclose information if we believe in good faith that doing so is necessary to comply with applicable law, regulation, legal process, or a lawful governmental request; to enforce our agreements; or to detect, prevent, or address fraud, security, or technical issues. Where law permits, we will give a customer notice and an opportunity to seek a protective order before responding to compulsory legal process directed at the customer's data.
If Keel is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of company assets, or transition of service to another provider, information may be transferred as part of that transaction. We will continue to ensure the confidentiality of any information held in our role as a Business Associate and will use commercially reasonable efforts to notify customers of any material change in the handling of their information.
We will share information for any other purpose disclosed to you at the time we collect the information or with your consent.
The list below identifies our principal subprocessors as of the effective date of this policy. We update this list when we add or remove subprocessors and will provide customers with at least thirty (30) days' notice before adding a new subprocessor that will process PHI, where required by a BAA.
| Subprocessor | Function | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud infrastructure, storage, encryption key management | United States |
| Anthropic, PBC | Large language model reasoning (Claude) | United States |
| Stedi, Inc. | EDI translation for 834 / 820 / 270 / 271 transactions with carriers | United States |
| Finch (Tilt 49, Inc.) | HRIS and payroll connectivity aggregation | United States |
| Twilio Inc. | Voice, SMS, and WhatsApp delivery | United States |
| SendGrid (Twilio Inc.) | Transactional email delivery | United States |
| Datadog, Inc. | Application performance monitoring and infrastructure logs | United States |
| Stripe, Inc. | Payment processing for invoiced fees | United States |
| Linear Orbit, Inc. | Internal product issue tracking (no PHI) | United States |
A more detailed and up-to-date subprocessor list is available to current customers in the Trust Center at trust.keel.com.
We retain information for as long as we have a legitimate business reason to do so and as required by law. The principal retention periods are:
On termination of a customer agreement, we return or destroy PHI in accordance with the BAA. We may retain copies necessary to comply with law, resolve disputes, or enforce our agreements.
Keel maintains an information security program designed to protect information against unauthorized access, alteration, disclosure, and destruction. Our program includes administrative, physical, and technical safeguards, and is independently assessed under SOC 2 Type II. Key practices include:
No security measure is perfect. If you believe your account or any account at Keel may have been compromised, contact [email protected] immediately.
If you are an employee or dependent whose information is processed on the Platform at the direction of an employer, broker, or carrier, you may exercise privacy rights primarily through that Covered Entity, which controls how your information is collected and used. Keel will support that Covered Entity in responding to your request. You may also contact us directly using the details in Section 14 and we will forward your request to the appropriate Covered Entity.
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), gives you the right to request that we (i) disclose categories and specific pieces of personal information we have collected about you, (ii) delete personal information we have collected, (iii) correct inaccurate personal information, and (iv) limit the use and disclosure of sensitive personal information. You also have the right not to be discriminated against for exercising these rights.
We do not sell personal information, do not share personal information for cross-context behavioral advertising, and do not knowingly process the personal information of consumers under sixteen (16) years of age.
To exercise a CCPA right, email [email protected]. We will verify your request using the information we already hold about you and may need to ask for additional information to confirm your identity. You may use an authorized agent to submit a request on your behalf; the agent must provide written authorization that we may verify.
Residents of Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, Virginia, and other states with applicable comprehensive privacy laws may have rights similar to those described above. To exercise those rights, follow the process in Section 10.2.
If you are in the EEA, the UK, or Switzerland and the General Data Protection Regulation, UK GDPR, or Swiss Federal Act on Data Protection applies to our processing of your information, you have the right to access, rectify, erase, restrict, port, or object to our processing of your personal data. You may also lodge a complaint with your local supervisory authority. Where Keel acts as a processor for an EEA, UK, or Swiss customer, please direct your request first to the customer. Where Keel acts as a controller, contact us at [email protected].
Most browsers allow you to control cookies through their settings preferences. If you block cookies, some Platform features may not function as expected. We do not respond to "Do Not Track" browser signals because no industry standard for those signals has been established.
You can opt out of marketing email by following the unsubscribe instructions in any marketing message we send, or by contacting [email protected]. We will continue to send transactional and service messages necessary to operate the Platform.
Keel is based in the United States and our infrastructure is hosted in the United States. If you access the Platform from outside the United States, your information will be transferred to, stored in, and processed in the United States. Where we transfer personal data from the EEA, the UK, or Switzerland to the United States, we rely on the European Commission's Standard Contractual Clauses, the UK Addendum, and the Swiss Addendum, as applicable, supplemented by additional safeguards described in our Trust Center.
The Platform is not directed to children under sixteen (16). We do not knowingly collect personal information directly from children under sixteen. Dependent information that is shared with us at the direction of an employer or broker (for example, to enroll a child in dependent coverage) is governed by the customer agreement and the relevant Covered Entity's notice of privacy practices.
We may update this Privacy Policy from time to time. If we make material changes, we will post the updated policy at this URL, update the "Last updated" date, and (where appropriate) notify customers in writing or through the Platform. Your continued use of the Platform after the effective date of the updated policy will constitute your acceptance of the changes.
If you have questions about this Privacy Policy or our handling of your information, contact us at:
Keel Technologies, Inc.
Attention: Privacy Officer
[email protected]
Postal mail: 548 Market Street, Suite 36107, San Francisco, CA 94104
Customers operating under a Business Associate Agreement should also direct PHI-specific inquiries to [email protected].