Skip to content

Last Updated: June 24, 2026

This Privacy Policy explains how Sorted. (“Sorted,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you use the Sorted application and services (the “Service”). Because you entrust us with sensitive financial and property information, privacy is a foundational priority.

This Policy should be read together with our Terms of Service. Capitalized terms not defined here have the meanings given in the Terms.

1. Who This Policy Covers

The Service is used by two kinds of customers:

  • Consumer Users — individuals who organize and document their own property and insurance information.
  • Commercial Providers — businesses (such as insurance brokers, agents, or adjusters) that subscribe to the Service and may be granted limited access to a Consumer User's account, or that sponsor or provision access for their own clients.

In all cases, the Consumer User owns and controls their own Vault Data. Where a Commercial Provider sponsors or provisions access, the individual Consumer User still controls what that Provider can see, as described in Section 5 (the Commercial Gate). This Policy applies to both customer types; sections specific to one are labeled.

2. Information We Collect

  • Account Information: Email address and authentication credentials (required). You may also provide optional profile information — such as contact details, household demographics, and financial profile data — that we use to personalize and improve the insights we offer you. For Commercial Providers, we also collect business account and billing contact details.
  • Vault Data: Content you actively add to the Service — including property and asset details, photos of spaces and belongings, insurance documents (such as policies and declaration pages), purchase receipts, and any other records you choose to store. The categories of Vault Data may expand as new features are added.
  • Generated Data: outputs produced by artificial intelligence (AI) processing of your Vault Data — such as identified items with valuation estimates, structural and condition assessments, confidence scores, and policy data extracted from insurance documents (such as coverage types, limits, and deductibles). The types of Generated Data may expand as new AI features are introduced.
  • Usage and Technical Data: service activity logs (including AI feature usage), device and browser information, and general interaction patterns within the Service, used to operate, secure, and improve it.
  • Communications: information you provide when you contact support.

We do not require you to provide the prohibited data described in our Terms (such as faces, medical records, or unredacted government IDs), and you agree not to upload it.

2a. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to operate and improve the Service and to measure the effectiveness of our advertising.

  • Strictly Necessary Cookies: Session and authentication cookies set by Supabase are required to keep you logged in and cannot be disabled.
  • Functional Cookies: We set a small number of first-party cookies to remember session state and preferences (for example, authorized support-staff impersonation sessions).
  • Advertising Conversion Tracking: We use Google Ads conversion tracking. This technology sends limited event data to Google to measure when visitors take an action on our site after seeing a Sorted advertisement. Under California law, this may constitute “sharing” of personal information for cross-context behavioral advertising purposes.
  • Live Chat: We use Tawk.to to provide live chat support. When you are logged in, your email address is transmitted to Tawk.to so our support team can identify your account. Tawk.to may set its own cookies in connection with the chat widget.
  • Bot Protection: We use Cloudflare Turnstile to protect account creation and login from automated abuse. Cloudflare may set cookies and collect technical signals (such as browser characteristics) to distinguish humans from bots.

Your Choices: You may opt out of Google's advertising tracking at adssettings.google.com. You may avoid Tawk.to data collection by not using the chat widget. Most browsers allow you to control or block cookies through their settings; note that disabling strictly necessary cookies will impair the Service.

California Residents: See Section 10 for your right to opt out of the sharing described above.

3. How We Use Information

We use information to:

  • provide, maintain, and secure the Service and your account;
  • analyze and enrich your Vault Data using AI and third-party data services — such as computer vision for item identification, market price research, address validation, flood zone classification, and historical weather data — to generate the outputs you request;
  • generate automated insights and recommendations based on your vaulted data, such as potential coverage gaps or inventory completeness;
  • communicate with you about your account and the Service;
  • detect, prevent, and address fraud, abuse, and security issues;
  • comply with legal obligations; and
  • improve the Service through aggregate analysis, feature development, and service operations — but not by training internal AI or machine-learning models on your individualized Vault Data without your explicit opt-in consent, as described in Section 4.

We do not sell your personal information. We share limited Usage and Technical Data with Google for advertising conversion tracking, which may constitute “sharing” for cross-context behavioral advertising under California law. See Section 2a for details and your opt-out choices.

4. AI Processing and Third-Party Providers

Summary: We use external AI to read your documents and photos. We don't use your individual files to train our own models unless you opt in.

To deliver AI processing and data enrichment features, we transmit relevant portions of your Vault Data to third-party service providers via secure APIs. Our current primary providers include: Google (Gemini) for AI image and document analysis; SerpApi for market price research (Google Shopping data); Google Maps for address validation; Visual Crossing for historical weather data; FEMA public services for flood zone classification; and web content services for generating market reference materials. Each provider processes data solely to generate the outputs you request and under contractual confidentiality and security obligations. We maintain a current list of our principal sub-processors available upon request at info@mail.gettingsorted.app, and will provide reasonable advance notice of material changes to that list.

Internal Training: We do not use your Vault Data to train our internal machine-learning models without your explicit, opt-in consent.

5. The Commercial Gate (Data Partition)

Summary: A connected Commercial Provider sees only high-level summaries — never your photos or itemized values — unless you specifically choose to share more during a claim.

A Consumer User may connect their account to, or be provisioned by, a Commercial Provider. Whenever a Commercial Provider has access, this strict data partition applies:

  • What is Shared: high-level portfolio summaries, total aggregated Valuation Estimates, and formal Vault Documents (such as Declaration Pages).
  • What is Walled Off: individual Asset Photos, itemized receipts, granular space-level data, and specific item valuations are hidden from the Commercial Provider.

The Consumer User controls this connection and may disconnect a Commercial Provider at any time.

6. How We Share Information

We share information only as follows:

  • Service Providers: with vendors that process data on our behalf under appropriate confidentiality and security obligations — including providers of cloud hosting and infrastructure, AI and data enrichment (as described in Section 4), payment processing and billing (Stripe), email delivery (Resend), live chat support (Tawk.to), bot protection (Cloudflare Turnstile), advertising conversion tracking (Google), and mapping, geospatial, and weather data services (Google Maps, Visual Crossing, FEMA).
  • Commercial Providers: only as permitted by the Commercial Gate in Section 5 and as authorized by the Consumer User.
  • Legal and Safety: when required by law, legal process, or to protect the rights, safety, and security of users, the public, or Sorted.
  • Business Transfers: in connection with a merger, acquisition, or sale of assets, subject to this Policy.

We do not otherwise disclose your Vault Data to third parties without your consent.

7. Data Security

We implement encryption and other safeguards to protect Vault Data. However, no electronic transmission or storage system is completely secure, and we cannot guarantee absolute security. You use the Service at your own risk and are responsible for safeguarding your credentials.

You may also voluntarily grant our support team temporary, time-limited access to your account to assist with troubleshooting; this access expires automatically and can be revoked at any time from Account Settings.

Breach Notification. In the event of a security incident affecting your personal information that triggers notification obligations under applicable law, we will notify you by email to your account address (or by in-app notice if email is not feasible). Our notification will describe the nature of the incident, the categories of information involved, and steps you can take to protect yourself.

8. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements. When you delete your account, we delete or de-identify your Vault Data within 90 days, except where: (a) retention is required by law; (b) data has been transmitted to a third party (in which case we request deletion from that party where required); or (c) earlier deletion is not technically feasible due to backup systems, in which case the data is isolated from active processing and purged in the ordinary course of backup rotation.

9. Geographic Scope

The Service is intended for use by residents of the United States. We do not knowingly offer the Service to users outside the United States. If you access the Service from outside the United States, you do so at your own risk and are responsible for compliance with local laws.

10. Your Privacy Rights

Depending on your state — such as California (CCPA/CPRA) — you may have the right to access, correct, port, restrict, or delete the personal data we hold about you, to object to certain processing, and to withdraw consent. Many of these controls are available in Account Settings — note that active paid subscriptions must be cancelled before account deletion can be completed. For data portability requests (copies of your Vault Data), no automated self-service export is currently available; please contact us at info@mail.gettingsorted.app. You may also submit a rights request through an authorized agent by providing written proof of the agent's authority; we may verify your identity directly before processing. We will not discriminate against you for exercising these rights, and you may appeal a denied request by contacting info@mail.gettingsorted.app with a description of the request and the basis for your appeal.

Data responsibilities: For data a Consumer User uploads about themselves, Sorted is responsible for how that data is processed under this Policy. Where a Commercial Provider directs processing of personal data through the Service, additional data-processing terms may apply between Sorted and that Commercial Provider.

California Residents — Additional Disclosures (CCPA/CPRA). The following table identifies the categories of personal information we collect, their purposes, and with whom they are shared:

CategoryExamplesBusiness PurposeDisclosed To
IdentifiersEmail, account IDAuth, service deliverySupabase, Resend, Google (OAuth)
Personal RecordsContact details, household dataPersonalizationSupabase
Commercial InformationBilling and subscription recordsPayment processingStripe
Internet / Electronic ActivityService logs, feature usage, site visit eventsSecurity, improvement, ad measurementSupabase, Google (conversion tracking)
InferencesCoverage gap estimates, portfolio summariesService deliveryStored in your Vault only
Audio / VisualAsset photos, property imagesAI valuation processingAI sub-processors (see Section 4)
DocumentsInsurance policies, receiptsAI OCR and analysisAI sub-processors (see Section 4)
Technical / Device DataBrowser type, IP address, interaction signalsBot protection, securityCloudflare Turnstile, Tawk.to

Retention: Each category is retained while your account is active, plus up to 90 days following deletion (except where law requires longer retention or earlier deletion is not feasible due to backup rotation).

Do Not Sell / Do Not Share: We do not sell your personal information. We do share Internet/Electronic Activity data with Google for advertising conversion tracking, which may constitute “sharing” for cross-context behavioral advertising under CPRA. To opt out, visit adssettings.google.com or contact us at info@mail.gettingsorted.app.

Authorized Agents: California residents may submit a rights request through an authorized agent by providing written proof of the agent's authority (such as a signed authorization letter). We may verify your identity directly before processing the request.

No Discrimination. We will not discriminate against you for exercising your CCPA/CPRA rights.

11. Children's Privacy

The Service is not directed to children under 18, and we do not knowingly collect personal information from them. If we learn we have done so, we will delete it.

12. Changes to This Policy

We may update this Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or in-app notice). The “Last Updated” date reflects the most recent revision.

13. Contact Us

Questions about this Policy or your data can be directed to info@mail.gettingsorted.app.

Privacy Policy — Sorted