Examples of the types of information we collect include:

• General information such as your name, address, contact details, date of birth, and gender;
• Identification information such as social security number, passport number, or driver’s license number;
• Information about your job including job title, your status as a director or partner, employment history, education history and professional accreditations;
• Information which is relevant to your insurance policy, including details of previous insurance policies and claims history;
• Information relevant to any claim or complaint you may make. For example, if you make a claim following a theft, we may use personal information which relates to the location of that theft;
• Financial information, such as your bank and payment details;
• Information (including photographs) obtained as a result of carrying out checks of publicly available sources, such newspapers and social media sites;
• Information such as IP address and browsing history obtained through our use of cookies;
• Information relating to criminal convictions (including offenses and alleged offenses and any court sentence or unspent criminal conviction);
• If relevant, details of your current or former physical or mental health condition. This may take the form of medical reports or underlying medical data such as x-rays or blood tests; and
• Your marketing preferences and details of your customer experience with us.

We will collect information directly from you and the following third parties, which may contain information related to you:

• The named policyholder (where you are a beneficiary);
• Third parties involved in the relevant insurance policy or claim (such as our business partners and representatives, brokers or other insurers, claimants, defendants or witnesses to an claim);
• Third parties who provide a service in relation to the relevant insurance policy or claim (such as loss adjusters, claims handlers, attorneys, and medical experts);<
• Publicly available sources, such as internet search engines, news articles and social media sites;
• Other companies within the Hiscox Group;
• Credit reference agencies;
• Financial crime detection agencies and databases;
• Third parties who provide sanctions-checking services;
• Third parties who provide us with details of individuals who have expressed an interest in hearing about insurance products;
• In limited circumstances, private investigators;
• Third-party data suppliers;
• Third-party administrators and suppliers we use to help us carry out our everyday business activities, including IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisers, and applicable governmental entities;
• Our own websites;
• Selected third parties in connection with any sale, transfer or disposal of our business; and
• Automated technologies or interactions. As you interact with our website, we may automatically collect data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. We may also receive technical about you if you visit other websites employing our cookies. Please see our Cookie Policy for further details.

We may use your information for different business purposes, such as when:

• We need to use your personal information to enter into or perform a contract that we hold with you. For example, we need to use your personal information to provide you with a quote or to provide you with insurance policy and other associated products. We will rely on this for activities such as assessing your application, managing your insurance policy, handling claims and providing other products to you;
• We have a legal or regulatory obligation to use such personal information. For example, our regulators require us to hold certain records of our dealings with you;
• We have a business need to use your personal information. We will rely on this for activities such as maintaining our business records, security, training and quality assurance, and developing and improving our products and services;
• We need to use your personal information to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or when we are investigating a legal claim that a third party brings against you;
• We need to use personal information to prevent or detect crime. This might happen when we are investigating allegations of insurance fraud; and
• Selected third parties in connection with any sale, transfer, disposal or restructure of our business.

We may share your personal information with the other companies in the Hiscox Group or with third parties. We will keep your personal information confidential and only share it with the third parties listed below for the purposes set out above.

If you would like further information regarding the disclosures of your personal information, please contact us using the details set out in Section 6 below.

Where relevant, we will share your personal with:

• Other companies in the Hiscox Group, including where:
  • one of our Group companies is placing your insurance policy with another Group company;
  • one of our Group companies is unable to provide you with an insurance policy but another might be able to assist you;
  • we are arranging our own insurance;
  • necessary for our business administration purposes;
  • we are using information for the prevention or detection of fraud or other crime; or
  • we need to report information within our Group of companies.
• Our insurance and reinsurance partners such as brokers, other (re)insurers or other companies who act as (re)insurance distributors;
• Other third parties who assist in the administration of your insurance policy or claim, such as loss adjusters, claims handlers, accountants, auditors, banks, lawyers and other experts including medical experts;
• Our regulators;
• Other insurers;
• Fraud detection agencies and other third parties who operate and maintain fraud detection registers or undertake investigations in cases of suspected insurance fraud;
• The police and other third parties (such as banks or other insurance companies);
• Other insurers who provide our own insurance;
• Credit referencing agencies and third parties who carry out sanctions checks on our behalf;
• Our third-party services providers, such as IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers and tax advisers;
• Third parties who handle our direct marketing on our behalf (this includes, for example, sending marketing communications and analysis of responses to our marketing communications);
• Social media sites (such as Facebook) to carry out marketing;
• Selected third parties in connection with any sale, transfer or disposal of our business.

Hiscox collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“Personal Information”). In particular, Hiscox has collected (or not collected, if indicated below) the following categories of personal information from its consumers in the past twelve (12) months:

Category	Examples	Collected
A. Identifiers	A real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.	YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))	A name, signature, address, telephone number, education, employment, employment history, credit card number, debit card number, or any other methods of payment for our products, or medical information. Some personal information included in this category may overlap with other categories.	YES
C. Protected classification characteristics under California or federal law	Age (40 years or older), medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), veteran or military status.	YES
D. Commercial information	Records of products or services purchased, obtained, or considered.	YES
E. Biometric information	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	NO
F. Internet or other similar network activity	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	YES
G. Geolocation data	Physical location or movements.	NO
H. Sensory data	Audio, electronic, visual, thermal, olfactory, or similar information. We record our customer interactions with our call centers.	YES
I. Professional or employment-related information	Current or past job history or performance evaluations.	YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	NO
K. Inferences drawn from other personal information	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	NO

Hiscox obtains Personal Information from categories of sources as set forth in the “How will we collect your personal information” subsection above. Hiscox will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you with additional notice.

Hiscox may disclose your Personal Information to a third party for a business purpose. When we disclose personal information for a business purpose, we require that the recipient both keep that Personal Information confidential and not use it for any purpose except performing the contract.

In the preceding twelve (12) months, Hiscox has disclosed the following categories of Personal Information for a business purpose:

• Category A: Identifiers
• Category B: California Customer Records personal information categories
• Category D: Commercial information
• Category F: Internet or other similar network activity
• Category I: Professional or employment-related information

In the preceding twelve (12) months, Company has not disclosed the following categories of personal information for a business:

• Category C: Protected classification characteristics under California or federal law
• Category E: Biometric information
• Category G: Geolocation data
• Category H: Sensory data
• Category J: Non-public education information
• Category K: Inferences drawn from other personal information

We share your Personal Information with categories of third parties set forth in the who will we share your personal information with.

In the preceding twelve (12) months, Hiscox has not sold any categories of Personal Information. Hiscox does not sell Personal Information to third parties.

The CCPA provides California residents with specific rights regarding their Personal Information. This subsection describes your CCPA rights and explains how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that Hiscox disclose certain information to you about our collection and use of your Personal Information over the past 12 months.  Once we receive and confirm your verifiable consumer request, we will disclose to you:

• The categories of Personal Information we collected about you
• The categories of sources for the Personal Information we collected about you
• Our business or commercial purpose for collecting that Personal Information
• The categories of third parties with whom we share that Personal Information
• The specific pieces of Personal Information we collected about you (also called a “data portability” request).
• If we disclosed your Personal Information for a business purpose, the Personal Information categories that each category of recipient obtained.

Deletion Request Rights

You have the right to request that Hiscox delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

• Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you
• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities
• Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
• Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
• Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us
• Comply with a legal obligation
• Make other internal and lawful uses of that information that are compatible with the context in which you provided it

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable request to us by either:

Calling us at: 1-866-283-7545

Visiting us here.

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative
• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.  If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights.