Insurance: Privacy policy

This Privacy Policy explains how we use personal information about you and the steps we take to ensure your personal information is kept secure and confidential. It should be read together with our Terms and Conditions.

If you provide us with information about another person (for example, in relation to your client if you are a financial advisor or in relation to a named party on your policy if you are an insurance policy holder), in doing so, you confirm that they have consented for you to provide the information to us for us to be able to process their personal data, including any “special categories of personal data” (for further information, see below) and that you have told them who we are and what we will use their data for, as set out in this Privacy Policy.

Certua Protect Limited

1.       Data controller

1.1              In section 1 of this Privacy Policy, “Certua”, “we”, “us” and “our” refers to Certua Protect Limited and, where the context requires, the relevant member of the “Certua Group” (which includes Certua Financial Information Services Limited, Certua Group Limited, Certua Licensing Limited, Certua Protect Limited, Certua Lending Limited, Certua Sport Limited and Certua Services Limited).

1.2              Certua Protect Limited is a company incorporated in England with company registration number 11506180 and whose registered office address is 1st Floor Healthaid House, Marlborough Hill, Harrow, United Kingdom HA1 1UD.

1.3             Certua Protect Limited is authorised and regulated by the Financial Conduct Authority (registration number 826485) to provide certain regulated insurance services.

1.4             Section 1 of this Privacy Policy applies to all insurance products and services offered by us (or offered on behalf of us) through any websites, web applications, mobile applications or similar devices, channels, platforms, service applications or other applications operated by or on behalf of us (or a member of the Certua Group) or which reference this Privacy Policy (“Applications”).

1.5             We are the data controller in relation to the processing of the personal information that you provide to us. Our contact details are as follows:

1.5.1            Address: Certua, Unit 7, 27 Corsham Street, London, N1 6DR.

1.5.2            Telephone number: +44 (0)20 3962 0003.

1.5.3           Email address: contact@certua.io (please include “Personal Data Request” in your subject heading to ensure it receives the correct attention).

1.6             Our Data Protection Officer can be contacted at: compliance@certua.io  

2.       How we collect your information

How you engage with us

2.1              The information we hold about you comes from the way you engage with us (or a member of the Certua Group, or one of our distribution, insurance, banking or financial advisor partners or other partners), for example by doing any of the following:

2.1.1             requesting or obtaining a quote for an insurance policy;

2.1.2            purchasing an insurance product or policy;

2.1.3            sharing information with us or a member of the Certua Group via Open Banking (please see section 2 for further information);

2.1.4           providing us, or one of our partners, with information in the course of registering for and/or using our Applications or services;

2.1.5            taking part in surveys, posting on our message boards or blogs and entering into any competitions or prize draws;

2.1.6            downloading information or participating in any other interactive areas that appear on our Applications;

2.1.7            interacting with us using social media; and/or

2.1.8            contacting us offline, for example by telephone, SMS, email or by post.

2.2             We may also obtain information about you from credit reference agencies and fraud prevention agencies.

What information do we collect?    

2.3             The information we collect when you engage with us for any of the purposes described above may include, for example:

2.3.1            basic personal details such as your name, date of birth or age, address, email address, telephone number, gender and marital status;

2.3.2           your national insurance number;

2.3.3           details of the internet protocol (IP) address connected to your device, browser type, Internet Service Provider (ISP), date and time stamp, referring/exit pages, and possibly the number of clicks (Technical Log Data);

2.3.4           sensitive or special categories of personal data e.g. relating to your health (for further information, see above);

2.3.5           information about your employment, including salary;

2.3.6           information about your lifestyle and insurance requirements;

2.3.7           information about your other policies, such as claims history, quotes history, payment history, claims data and additional pensions held;

2.3.8           payment information (such as bank account details);

2.3.9           details of your spending habits; and

2.3.10         your marketing preferences.

2.4            Please note that it is your responsibility to check and ensure that all information you provide on the Applications is correct and accurate and that you disclose all relevant facts.

3.       What we use your information for

3.1             We may use your information for the following purposes, based on the following legal grounds:

             Quotations and policies

3.1.1             If it is necessary for the performance of our contract or for the purposes of entering into a contract, for the purpose of:

3.1.1.1            issuing quotes and policies to you, including assessing your application for a product, service or quote, and providing you with premium and payment options;

3.1.1.2           sending a confirmation email of your quote - if you obtain a quote with us, you may automatically be sent confirmation of your quote by email or SMS so that you have a record of it and can easily retrieve your quote in the future;

3.1.1.3           administering your policy, including delivering and updating you on our services, handling claims and dealing with complaints;

3.1.1.4           carrying out automated profiling/decision making in regard to your personal data, for example, when assessing risks and offering quotations for policies to you (see further information below at paragraph 4).

3.1.2            Compliance with a legal obligation, for the purpose of:

3.1.2.1           verifying your identity in order to comply with our regulatory requirements; and

3.1.2.2           carrying out anti-fraud checks in order to prevent fraud or money laundering or to comply with any other legal or regulatory requirements.

                      Recommendations, market analysis and training purposes

3.1.3            If it is in our legitimate business interests to do so, for the purpose of:

3.1.3.1           sending annual renewal quotes (if you are subscribed to our renewal reminder service) based on information you previously provided to us when requesting a quote, when our systems indicate that your renewal is due;

3.1.3.2          sending other information to you (if you agree) about products and services which we think may be of interest to you (see further information in the “Marketing” section below);        

3.1.3.3          internal record keeping for administration and management purposes;

3.1.3.4          using our customer insight products to understand customer behaviours, analyse market trends and customer demographics, and develop the product/service which we offer to you or other individuals in the future;

3.1.3.5          research or statistical purposes, including to analyse how people use the Applications, view our products, respond to our advertising and to improve our understanding of what customers need; and

3.1.3.6          training purposes, to improve our services and their delivery, for example by recording telephone calls.

3.1.4           If it is necessary for reasons of substantial public interest (pursuant to Article 9(g) General Protection Regulation 2016/679 (GDPR) and Schedule 1, Part 2, Section 20 Data Protection Act 2018) we may use your special categories of personal data for insurance purposes, including but not limited to the purposes described at paragraphs 3.1.1 and 3.1.2 (e.g. to use medical information you provide in order to provide you with a life insurance quotation and to carry out automated profiling/decision making described at paragraph 3.1.1.4 and paragraph 4).

Consent

3.1.5           In certain circumstances (and in accordance with data protection legislation), we will only collect and process your personal information and/or special categories of personal information if you have provided consent for us/the Certua Group to do so. For example:

3.1.5.1           market analysis and emails - we will not pass your information to third parties for marketing purposes unless we have your consent to do so; and

3.1.5.2          to retrieve your information via Open Banking (please see further information at section 2 in respect of this) – where you have provided consent, your banking transaction information will be used by us to analyse your data, generate quotations, decide the amount of premium you pay and the value of your insurance cover, and make recommendations to you about insurance products on an ongoing basis. It is therefore very important that you check any documents that you receive or that are made available to you describing any insurance product that you have entered into and notify us immediately if you are aware of any errors.

If we do so, we will provide you with full details of the information that we would like and the reason we need it, so that you can carefully consider whether you wish to consent. You should be aware that it is not a condition of any contract with us that you agree to any request for consent from us.

3.2             For all other processing of your personal information (where your consent is not required), we will only do so in accordance with this Privacy Policy and data protection legislation.

4.       Automated decision making

4.1             Please note that your personal data may be subject to automated profiling and/or automated decision-making.

4.2            Our automated technology allows to us to, using the information you have provided (or that we have obtained about you), generate quotations, decide the amount of insurance cover to be provided and the amount of premium you are charged. This assists us with providing you with an efficient service and helps to keep our prices competitive. The significance and envisaged consequences of such automated profiling making include decisions as to your eligibility to take out a policy, the amount of premium you must pay and the level of sum assured you are guaranteed to receive under a policy.

4.3            You have the right to request a manual review of the accuracy of an automated decision that you are unhappy with by contacting us (our details are displayed above).

5.       Sharing your information

How we use and share information within the Certua Group

5.1             We may share and aggregate information about you with any company within the Certua Group for general administration and management purposes if it is in our legitimate interests to do so and pursuant to any purpose set out in this Privacy Policy only (e.g. customer relationship management, software and service compatibility and improvements and to provide you with any information, applications, products or services that you have requested).

         How we use and share information outside the Certua Group

5.2            If you request a quote, or purchase a product or service, your personal information may be shared with and processed by:

5.2.1            our associated companies and partners such as introducers, intermediaries, insurers, reinsurers and agents, and your broker, financial advisor or agent (including third parties providing services to them) for the purposes of providing you with online quotes or eligibility scores for the product/service requested by you, to facilitate products, services and information you have requested or for administration and underwriting of your policy;

5.2.2           regulators (such as the Financial Conduct Authority) or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;

5.2.3           credit reference and fraud prevention agencies;

5.2.4          any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example in response to a court order);

5.2.5           our own professional advisors and auditors for the purpose of seeking professional advice or to meet our audit responsibilities;

5.2.6           our service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and platform providers, payment processing providers and those organisations we engage to help us send communications to you) so that they may help us to provide you with the applications, products, services and information you have requested or which we believe may be of interest to you;

5.2.7           third parties where you have a relationship with that third party and you have consented to us sending information (for example social media sites or other third party application providers);

5.2.8           third parties for marketing purposes (with your consent), e.g. our partners and other third parties with whom we work and whose products or services we think will interest you; and

5.2.9           another organisation to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets.

5.3            We may share non-personally identifiable information about the use of our website, applications, products or services publicly or with third parties but this will not include information that can be used to identify you.

Please also refer to Section 4 of this Privacy Policy which includes further information including your rights with regards to your personal data.

Additional information (including your rights in respect of your personal data)

1.       What is personal data

1.1              For the purposes of this Privacy Policy, personal data or personal information means any information relating to a living individual who can be identified from that information (or from that information and other information in our possession). Personal data may be factual (e.g. name, address, date of birth) or it can be an opinion about that person, their action or behaviours.

1.2              There are special categories of more sensitive personal information which require a higher level of protection. These include information about a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, physical or mental health or condition or sexual orientation. For the purposes of this Privacy Policy, any information about the commission of, or proceedings for any criminal offence committed or alleged to have been committed by that person, the disposal of such proceedings or the sentence of any court in such proceedings are treated in the same way as special categories of personal data.

2.       International Transfers

It may be necessary in certain cases for us to transfer your personal information outside the UK to locations that may not provide the same level of protection as the UK.  However, we will not do so unless one of the following scenarios under the UK General Data Protection Regulation (UK GDPR) applies:  

2.1              the country or recipient is covered by UK adequacy regulations under UK GDPR Article 45;

2.2             appropriate safeguards have been put in place which meet the requirements of UK GDPR Article 46 (for example using the European Commission’s Standard Model Clauses); or

2.3             one of the derogations for specific situations under UK GDPR Article 49 is applicable to the transfer.  These include (in summary):

2.3.1            the transfer is necessary to perform, or to form, a contract to which we are a party:

2.3.1.1           with you; or

2.3.1.2           with a third party where the contract is in your interests;

2.3.2           the transfer is necessary for the establishment, exercise or defence of legal claims;

2.3.3           you have provided your explicit consent to the transfer; or

2.3.4           the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.

3.       How long will we keep your information for?

3.1             Unless we are required or permitted by law to hold on to your data for a specific retention period (for example, the Payment Services Regulations requires us to hold certain information for a period of 5 years) or where we retain data pursuant to our policy with you or for our legitimate business purposes, we will only hold your personal information on our systems for as long as is necessary to fulfil the purposes outlined in this Privacy Policy (for example, to carry out services ordered by you) or until you request it is deleted.

3.2             Where we no longer need your personal information, we will dispose of it in a secure manner.

3.3            In some circumstances you can ask us to delete your data: see your legal rights at paragraph 6 below for further information.

3.4            In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research, analytics or statistical purposes for use by us or by third parties and, in those circumstances, we may use this information indefinitely without further notice to you.

4.       Security

4.1             We keep your information protected by taking appropriate technical and organisational measures to guard against unauthorised or unlawful processing, accidental loss, destruction or damage. For example:

4.1.1             where appropriate, data is encrypted when transiting on our system or stored on our databases;

4.1.2            where appropriate, our Applications use HTTPS to help keep information about you secure;

4.1.3            we have implemented safeguards in relation to access and confidentiality in order to protect the information held within our systems; and

4.1.4           we frequently carry out risk assessments and audits to monitor and review threats and vulnerabilities to our systems to prevent fraud.

4.2            However, while we will do our best to protect your personal information, we cannot guarantee the security of your information which is transmitted to any Application via an internet or similar connection.

4.3            The registration process via any Application may include the creation of a username, password and/or other identification information. All such details should be kept confidential by you and should not be disclosed to or shared with anyone. In order to protect your account, please choose a strong password (which should include a mixture of letters and numbers) and ensure that it is kept safe. If you disclose details of your username or password information, you will be responsible for all activities undertaken on the Applications where they are used.

5.       Marketing

5.1             From time to time, we may use your information to contact you with details about our applications, products and services which we feel may be of interest to you.

5.2            You have the right at any time to stop us from contacting you for marketing purposes. If you wish to exercise these rights you can do so by selecting your contact preferences at the point where you provide us with your information on any Applications, or by sending an email to us at contact@certua.io.  

5.3            You can also unsubscribe from any electronic marketing communications at any time using the links provided in the communications we send to you.

6.       Your rights to your personal data

6.1             You have certain rights under existing data protection laws, including the right to (upon written request) access a copy of your personal data that we are processing. In accordance with UK data protection legislation:

6.1.1            you will have the following rights:

6.1.1.1            right to access: the right to request certain information about, access to and copies of the personal information about you that we are holding (please note that you are entitled to request one copy of the personal information that we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs);

6.1.1.2           right to rectification: the right to have your personal information rectified if it is inaccurate or incomplete;

6.1.2            in certain circumstances, you will also have the following rights:

6.1.2.1           right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of the data (if the processing is based on your consent) and the right to request that we delete or erase your personal information from our systems (however, this will not apply if we are required to hold on to the information for compliance with any legal obligation or if we require the information to establish or defend any legal claim);

6.1.2.2          right to restriction of use of your information: the right to stop us from using your personal information or limit the way in which we can use it;

6.1.2.3          right to data portability: the right to request that we return any information you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another company, where technically feasible; and

6.1.2.4          right to object: the right to object to our use of your personal information including where we use it for our legitimate interests or for marketing purposes.

6.2            Please note that if you withdraw your consent to the use of your personal information for purposes set out in our Privacy Policy, we may not be able to provide you with access to all or parts of our Application or services.

6.3            If you consider our use of your personal information to be unlawful, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office. Please see further information on their website: www.ico.org.uk.

7.       Changes to this Privacy Policy

We may amend this Privacy Policy from time to time, for example, to keep it up to date, to implement minor technical adjustments and improvements or to comply with legal requirements. We will always update this Privacy Policy via our Applications (the “last updated” reference tells you when we last updated our Privacy Policy).