Insurance & claims · Policyholder & health data

Claims and policyholder data don't belong in an AI prompt.

Underwriters, claims handlers and brokers are already pasting claim narratives, policyholder details and medical reports into ChatGPT, Claude and Copilot to draft a letter or summarise a file. Every paste can carry personal data and health data straight out of your control. Tracehold catches it on the device, before it leaves the browser — and maps what it finds to GDPR, NIS2, ISO 27001 and SOC 2.

Illustration: claims assistant, caught on paste (REC-INS-07 · on-paste scan · block)

A claims handler is about to send this to an AI tool. The paste contains policyholder PII (name, address, policy and national ID number) and health data from the claim (diagnosis, injury detail, medical report). Action: Block. The paste is stopped before it leaves the tab; the handler gets a clear heads-up and the prompt stays put.

On the device · where detection runs
Tracehold checks claim text at the moment a handler is about to send it to an AI tool, on the machine itself, before anything leaves it.

Claim data stays put · what leaves the browser
By default the prompt never leaves the browser. In managed deployments, only metadata (type of finding, severity, timestamp) reaches the backend.

1,600+ detection patterns
Across 2,200+ known AI tools and sites, including policyholder PII and health data written in free form, with no fixed shape.

EU · built and hosted in Europe
Built and hosted in the EU (France), with EU data residency.

[ The risk in insurance · observe ]

A claim file is some of the most sensitive data you hold

Insurance runs on exactly the data regulators care about most: identity, finances and health. AI tools make the work faster — and make it far too easy to send that data somewhere it should never go. Here is where the exposure shows up.

Claims narratives

Handlers paste whole claim notes into AI to draft a response or summarise a file — carrying the claimant's circumstances, injuries and account of events straight into a third-party tool.

Policyholder PII

Names, addresses, dates of birth, policy and national ID numbers and bank details end up in prompts when staff ask AI to reformat a quote, a letter or a renewal.

Health & special-category data

Life, health and personal-injury claims are full of medical reports and diagnoses. Under GDPR that is special-category data (Article 9), and a careless paste into a third-party tool is a personal data breach that you may have to notify to your supervisory authority within 72 hours (Article 33).

The honest version: blocking AI tools outright doesn't work — people just switch to a personal device or an unapproved app, and you lose all visibility. The realistic answer is to let teams use AI while catching the sensitive data before it leaves. That's what Tracehold does.

[ See · decide · protect · record ]

Caught on the device, before it reaches the AI

A single check on the device decides everything. The network only ever carries the result, never the content of the claim.

See

The moment a handler is about to send claim text to an AI tool, Tracehold sees it — right at the source, before it leaves the machine.

Decide

Detection recognises policyholder PII, financial details and health data — even names and conditions that don't follow a fixed format — and your policy decides what happens.

Protect

The sensitive part is redacted so the rest of the request can still go through, or the whole paste is blocked — and the handler gets a clear, in-context explanation.

Record

Your compliance team gets an audit trail with just the essentials — type, severity, when. The claim text itself stays where it started.

Policy actions: Allow · Observe · Redact · Block

Our number-one design rule: the prompt never leaves the browser by default. In managed deployments, only metadata (type of finding, severity, timestamp) reaches the backend.
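The four steps above, as an added example that is not Tracehold's code: a minimal on-paste scanner in JavaScript that runs in the page, recognises a few structured identifiers and a small free-form health vocabulary (See), applies a per-type policy of allow, observe, redact or block (Decide), redacts or withholds the paste (Protect), and emits only metadata, type, severity, action and timestamp, for the backend (Record). The POL-nnnnnnn policy-number format, the 9-digit national-ID shape, the health vocabulary, the policy table and the sample claim text are all constructed assumptions for illustration; real detection needs far more patterns than this.

```javascript
// Added example, not Tracehold's code: an on-paste scan that runs entirely in
// the page, decides allow/observe/redact/block per policy, and emits only
// metadata. The pattern shapes, vocabulary and policy table are assumptions.
const DETECTORS = [
  // Structured identifiers. The POL-nnnnnnn policy-number format is hypothetical.
  { type: "policy_number", severity: "medium", re: /\bPOL-\d{7}\b/g },
  // IBAN: two-letter country code, two check digits, 11-30 alphanumerics.
  { type: "iban", severity: "high", re: /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g },
  // Placeholder 9-digit national-ID shape; real formats vary by country.
  { type: "national_id", severity: "high", re: /\b\d{9}\b/g },
  // Free-form health data: a small constructed vocabulary, case-insensitive.
  { type: "health_data", severity: "critical",
    re: /\b(?:diagnos(?:is|ed)|fracture|cancer|diabetes|MRI|prescribed|surgery)\b/gi },
];

// Per-type policy; the most restrictive action among the findings decides the paste.
const POLICY = { policy_number: "observe", iban: "redact", national_id: "redact", health_data: "block" };
// Observe-only rollout: same detection, every action downgraded to "observe".
const OBSERVE_ONLY = Object.fromEntries(Object.keys(POLICY).map(k => [k, "observe"]));
const RANK = { allow: 0, observe: 1, redact: 2, block: 3 };

// See: find every match with its offsets. Offsets stay inside the page.
function scan(text) {
  const findings = [];
  for (const d of DETECTORS) {
    for (const m of text.matchAll(d.re)) {
      findings.push({ type: d.type, severity: d.severity, start: m.index, end: m.index + m[0].length });
    }
  }
  return findings;
}

// Decide: the worst action any finding's policy asks for.
function decide(findings, policy) {
  return findings.reduce((worst, f) => {
    const a = policy[f.type] ?? "allow";
    return RANK[a] > RANK[worst] ? a : worst;
  }, "allow");
}

// Protect: replace only the findings whose policy is "redact", working from the
// end of the text so earlier offsets stay valid; overlapping matches are skipped.
function redact(text, findings, policy) {
  const toRedact = findings.filter(f => policy[f.type] === "redact").sort((a, b) => b.start - a.start);
  let out = text, lastStart = Infinity;
  for (const f of toRedact) {
    if (f.end > lastStart) continue;
    out = out.slice(0, f.start) + `[${f.type.toUpperCase()}]` + out.slice(f.end);
    lastStart = f.start;
  }
  return out;
}

// Runs on the paste event. Returns what may be sent on (null when blocked) and,
// for Record, a metadata-only event list: type, severity, action, timestamp.
// No matched text, no offsets and no prompt content are included.
function onPaste(text, policy = POLICY, now = () => new Date().toISOString()) {
  const findings = scan(text);
  const action = decide(findings, policy);
  const outgoing = action === "block" ? null : action === "redact" ? redact(text, findings, policy) : text;
  const events = findings.map(f => ({ type: f.type, severity: f.severity, action, ts: now() }));
  return { action, outgoing, events };
}

// Constructed sample claim text (fictional person, numbers and diagnosis).
const SAMPLE_CLAIM = "Claimant Jane Doe, policy POL-0012345, national ID 123456789, " +
  "diagnosed with a femur fracture after a fall; MRI on 3 March. " +
  "Refund to FR7630006000011234567890189.";

const result = onPaste(SAMPLE_CLAIM);
console.log(result.action, result.events);              // "block" and six metadata events
console.log(onPaste(SAMPLE_CLAIM, OBSERVE_ONLY).action); // "observe": nothing changes for the user
```

The point to check in any such design is the shape of `events`: it must be safe to ship to a SIEM, so it carries no match text and no offsets, only what the page calls type, severity and timestamp. Swapping `POLICY` for `OBSERVE_ONLY` is the observe-only rollout described later on this page: detection and the audit trail are unchanged, but no paste is altered or stopped.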
[ Surfaces · everywhere your people work ]

Across the browser, the desktop and Outlook

Claims and underwriting work doesn't only happen on AI websites. Tracehold covers 2,200+ known AI tools and sites with 1,600+ detection patterns, across every surface your teams use.

Free browser extension

Catches sensitive claim and policyholder data the moment it's pasted into an AI tool in the browser — the surface where most of it happens.

Desktop & developer agents

Extends the same on-device detection to desktop apps and to the developer and terminal tools your technical teams rely on.

Outlook add-in

Checks email before it's sent, so a claim file or medical report doesn't leave in an attachment or a forwarded thread.

Claim files already on disk

The desktop agent also scans PDF, Word and Excel files already on the device, and checks documents at the moment they're uploaded into an AI tool — so a scanned claim form or medical report doesn't slip through as a file instead of pasted text.

Detection runs on the device

The check happens right where your team works. By default the prompt — the claim text, the policyholder details, the medical note — never leaves the browser. There's no proxy in the middle and no copy of the claim sent off for analysis.

In managed deployments, only metadata reaches the backend: the type of finding, its severity and a timestamp — never the claim content itself by default. See how we protect your data →

[ Compliance for insurers · GDPR · NIS2 · ISO 27001 · SOC 2 ]

Live compliance mapping, for the rules you answer to

Tracehold maps AI risk to GDPR, NIS2, ISO 27001 and SOC 2 as live compliance mapping — so you can see where you stand and prove it to your DPO, your board and your supervisor.

GDPR

Policyholder PII and health data are exactly what GDPR protects, and health data is special-category under Article 9. Tracehold catches it on the device before it leaves the browser, and gives you the metadata audit trail to show it.

ISO 27001

Tracehold's reporting is mapped to ISO 27001 controls, so your information-security programme can point to real, current evidence of how AI-related data risk is managed.

SOC 2

The same reporting is mapped to SOC 2 trust-services criteria, giving your assessors and clients evidence of ongoing control over AI-related data risk.

NIS2

NIS2 raises the bar on security and incident handling. The metadata trail (type, severity, timestamp) gives you the evidence to demonstrate control and report cleanly. One caveat for EU insurers: insurance and reinsurance undertakings fall under DORA, the sector-specific ICT-risk regime that takes precedence over NIS2 where both apply, so check which regime your supervisor expects you to report under; the same trail serves either.

Compliance mapping you can show the board. Beyond protecting your data, Tracehold maps AI risk to GDPR, NIS2, ISO 27001 and SOC 2 as a clear, always-current view — so you can see where you stand and prove it. See compliance in depth →

On certifications, to be precise: Tracehold is built and hosted in the EU (France) with EU data residency. Our ISO 27001 certification is in progress (not yet certified). We are aligned with / mapped to ENS, PCI-DSS and SOC 2, but not certified against them. We won't claim a certification we don't hold.

[ Deployment · live in 2–4 weeks ]

Rolled out in weeks, with the tools you already run

No proxy, no network surgery, no year-long programme. Tracehold is a browser extension and a set of agents you push with your normal device management — and it plugs into the identity, alerting and SIEM stack your security team already uses.

Single sign-on

Log your people in with Microsoft Entra ID or Okta, tied to your verified domain and scoped to the right team.

SIEM & alerting

Send detection metadata to Splunk or Microsoft Sentinel, and route alerts to Slack or Microsoft Teams.

Push it with MDM

Deploy across the fleet with Microsoft Intune or any standard MDM — and add the Outlook add-in for email.

Start in observe-only mode

Begin by simply watching: see exactly what claim and policyholder data your teams are sending to AI tools today, mapped to GDPR, NIS2, ISO 27001 and SOC 2 — with zero disruption to your people. Turn on redaction and blocking when you're ready.

Most teams go from first call to protected in 2–4 weeks. Built and hosted in the EU (France), with EU data residency.

[ Plans · published pricing ]

Honest, published pricing

Start free on the device with no account and no backend. Move up when you need central visibility, compliance mapping and governance.

Free — €0 forever

Runs on the device with no account and no backend: the browser extension catching sensitive data on-device, for individuals and small teams getting started.

See what's included

Insight — €40/user·mo

Central visibility and reporting: adds a managed backend, the compliance mapping & reports, SSO, SIEM and alerting integrations — so security and compliance can see and act on AI risk.

Compare plans

Governance — €60/user·mo

Full control and governance: everything in Insight plus deeper policy, governance and audit controls for regulated insurers that need the most oversight.

Talk to our team

[ FAQ · what insurers ask ]

What insurers ask us

Does the claim text or medical report leave our environment?
No, not by default. Detection runs on the device, in the browser, and the prompt — the claim narrative, the policyholder details, the medical report — never leaves the tab to be checked. In managed deployments only metadata reaches the backend: the type of finding, its severity and a timestamp. The claim content itself stays put.
Can Tracehold detect health and special-category data?
Yes. Tracehold uses 1,600+ detection patterns across 2,200+ known AI tools and sites, and recognises personal data, financial details and health data, including names, conditions and addresses that don't follow a fixed format. Under GDPR, health data is special-category, so it's exactly the kind of thing the product is built to catch before it leaves the browser. Detection of free-form text is necessarily heuristic, so start in observe-only mode to see what it finds (and what it flags wrongly) in your own claim files before you turn on redaction or blocking.
Which regulations does the compliance mapping cover?
Tracehold's compliance mapping maps your AI use to GDPR, NIS2, ISO 27001 and SOC 2, and turns it into a clear, always-current view you can show your DPO, your board and your supervisor — with the metadata audit trail to back it up.
Are you certified to ISO 27001, SOC 2 or PCI-DSS?
To be precise: our ISO 27001 certification is in progress — we are not yet certified. We are aligned with and mapped to ENS, PCI-DSS and SOC 2, but not certified against them. We won't claim a certification we don't hold. Tracehold is built and hosted in the EU (France), with EU data residency.
Won't this just push staff to use AI on personal devices?
That's exactly why Tracehold doesn't simply ban AI. It lets your teams keep using the AI tools that make claims and underwriting faster, while catching sensitive data before it leaves. You get the productivity and the control — instead of driving the behaviour into the shadows where you can't see it.
How fast can we be up and running?
Weeks, not months. It's a browser extension and agents you push with your normal device management — no proxy, no network changes. It plugs into Microsoft Entra ID or Okta for SSO, Splunk or Microsoft Sentinel for SIEM, and Slack or Microsoft Teams for alerts. Most teams go from first call to protected in 2–4 weeks.

See what your teams are sending to AI today

Book a demo and start in observe-only mode — see exactly what claim, policyholder and health data is going into AI tools across your business, mapped to GDPR, NIS2, ISO 27001 and SOC 2, with zero disruption to your people.