PRIVACY POLICY

Hiscox USA (“Hiscox”) is committed to protecting your privacy. This privacy policy (“Policy”) sets out details of the information that we may collect from you and how we may use that information. Please take your time to read this notice carefully. When using the Hiscox USA website, this Policy should be read alongside the website terms and conditions. Except where otherwise stated in this Privacy Policy, this Policy applies only to information collected through Hiscox-owned platforms that reference this Policy, including over the phone or in person, third-parties, and the following websites (“Site”):

Updates. We are continually improving and adding to the features and functionality of the services we offer. As a result of these changes, or changes in the law, we may need to update or revise this Policy. Accordingly, we reserve the right to update or modify this Policy at any time, without prior notice.

International Transfers. Our online environments are designed for, and targeted to, United States audiences and are governed by and operated in accordance with the laws of the United States. While users from countries other than the United States may access our online environments, we make no representation that such environments are operated in accordance with the laws or regulations of, or governed by, other nations. Please be aware that by accessing our online environments, or providing us with information, you understand and agree that:

Information collected from you may be transferred to and stored on servers located outside your jurisdiction;
To the extent you are a resident of a country other than the United States, you consent to the transfer of such information to the United States for our use in accordance with this Policy; and
This Policy, and the collection and use of information pursuant to this Policy, shall be governed by and construed in accordance with the laws of the United States, without giving effect to any principles of conflicts of law.

Providing us with information or continuing to use our online environments indicates that you are agreeing to the collection, use, disclosure, management, and storage of information collected from you as described in this Policy.

Children's Information. We do not knowingly collect or use any information from children (we define “children” as minors younger than 13) on our online environments. We do not knowingly allow children to order our products or services, communicate with us, or use any of our online environments. If you are a parent and become aware that your child has provided us with information, please contact us using one of the methods specified below, and we will work with you to address this issue.

CALIFORNIA RESIDENTS: The California Privacy Supplement, attached to and a part of this Privacy Policy, provides additional information to California residents about how we collect, use, a nd share your personal information and your rights under California law with respect to your personal information. The California Privacy Supplement applies to all personal information collected by Hiscox, including through Hiscox-owned platforms, through other channels (such as over the phone or in person), and from third parties.

TABLE OF CONTENTS

PRIVACY POLICY

link to section

What personal information do we collect and use?

link to section

What personal information do we collect?

link to section

How will we collect your personal information?

link to section

What will we use your personal information for?

link to section

Who will we share your personal information with?

link to section

What marketing activities do we carry out?

link to section

How long do we keep personal information for?

link to section

How do we protect your information?

link to section

Contacting us

link to section

California Privacy Supplement

link to section

Information We Collect

link to section

Sources of Personal Information

link to section

Business or Commercial Purposes for Collecting Personal Information

link to section

Disclosures of Personal Information to Third Parties

link to section

Your Rights and Choices

link to section

Right to Receive Information on Privacy Practices

link to section

Access to Specific Information and Data Portability Rights

link to section

Deletion Request Rights

link to section

Right to Correction

link to section

Right to Opt-Out of the Sale and Sharing of Your Personal Information

link to section

Right to Limit the Use of Your Sensitive Personal Information

link to section

Right to Non-Discrimination

link to section

Exercising Your CCPA Rights

link to section

Response Timing and Format

link to section

Appeal

link to section

What personal information do we collect and use?

Hiscox is an international insurance business. In the US, we offer insurance to companies and other insurers. We do this both by providing insurance ourselves and by placing insurance with other insurers. We also offer insurance to other insurers (known as “reinsurance”). For the purposes of this notice, references to insurance also mean reinsurance.

For us to provide you with a quote and then insurance, and to deal with any claims or complaints that might arise, we need to collect and process data about you.

If you provide personal information to us about other individuals (for example, members of your family or your employees) you will inform them about the contents of this Policy and obtain any required consent in accordance with this Policy.

What personal information do we collect?

How will we collect your personal information?

What will we use your personal information for?

Who will we share your personal information with?

We may share your personal information with the other companies in the Hiscox Group or with third parties. We will keep your personal information confidential and only share it with the third parties listed below for the purposes set out above.

If you would like further information regarding the disclosures of your personal information, please contact us using the details set out in Section 6 below.

If you would like further information regarding the disclosures of your personal information, please contact us using the details set out in the Contacting Us section below.

Where relevant, we will share your personal with:

Other companies in the Hiscox Group, including where:
- one of our Group companies is placing your insurance policy with another Group company;
- one of our Group companies is unable to provide you with an insurance policy but another might be able to assist you;
- we are arranging our own insurance;
- necessary for our business administration purposes;
- we are using information for the prevention or detection of fraud or other crime; or
- we need to report information within our Group of companies.
Our insurance and reinsurance partners, such as brokers, and other (re)insurers or other companies who act as (re)insurance distributors;
Other third parties who assist in the administration of your insurance policy or claim, such as agents, loss adjusters, claims handlers, accountants, auditors, banks, lawyers, and other experts including medical experts;
Our regulators;
Other insurers;
Fraud detection agencies and other third parties who operate and maintain fraud detection registers or undertake investigations in cases of suspected insurance fraud;
The police and other third parties (such as banks or other insurance companies);
Other insurers who provide our own insurance;
Credit referencing agencies and third parties who carry out sanctions checks on our behalf;
Our third-party services providers, such as IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, and tax advisers;
Third parties who handle our direct marketing on our behalf (this includes, for example, sending marketing communications and analysis of responses to our marketing communications);
Social media sites (such as Facebook) to carry out marketing;
Selected third parties in connection with any sale, transfer, or disposal of our business.

table of contents

What marketing activities do we carry out?

We may use your personal information to provide you with information about products or services that may be of interest to you when you are an existing customer or when you have provided your consent for us to do so. We may do this by mail or email.

We are committed to only sending you marketing communications that you have clearly expressed an interest in receiving. If you wish to opt out of marketing, you may do so by clicking on the “unsubscribe” link that appears in all emails or telling us when we call you. Otherwise you can always contact us using the details set out in the Contacting Us section below to update your contact preferences.

Please note that, even if you opt out of receiving marketing messages, we may still send you service- related communications where necessary.

How long do we keep personal information for?

We will only keep your personal information for the minimum periods required to fulfill the relevant purposes set out in this Policy.

We are also required to keep certain information to comply with our legal and regulatory obligations.

The exact time period will depend on your relationship with us and the type of personal information we hold. For example, if you take out an insurance policy with us, we will keep your personal information for longer than if you obtain a quote from us but do not purchase a policy./p>

If you would like further information regarding the periods for which your personal information will be stored, please contact us using the details set out in the Contacting Us section below.

How do we protect your information?

We maintain reasonable administrative, physical, and technological measures to protect the confidentiality and security of personal information you submit to us. We use a range of organizational and technical security measures to protect your information, including:

physical security measures such as on-site security and CCTV;
network security measures such as intrusion detection systems;
access controls such as password protection and user logging; and
virus and malware controls on our systems.

We review our security measures periodically. We also ensure that our employees receive appropriate data security training.

Contacting us

If you would like further information about any of the matters in this Privacy Policy or have any other questions about how we collect, store or use your personal information, you may contact us by telephone at 1-866-446-4082 or by emailing us at [email protected].

If you are a California resident, you may also exercise your privacy rights under the California Consumer Privacy Act (California Residents only)

. See the California Privacy Supplement below for additional information.

California Privacy Supplement

This California Privacy Supplement (“Supplement”) supplements the information otherwise contained in this Privacy Policy and applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this Supplement to comply with the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, and its implementing regulations (collectively, the “CCPA”), and any terms defined in the CCPA have the same meaning when used in this Supplement.

This California Privacy Supplement applies to all personal information collected by Hiscox about consumers who reside in the State of California, including through Hiscox-owned platforms, through other channels (such as over the phone or in person), and from third parties.

We collect personal information from and about policyholders and insurance applicants; parties associated with an insurance claim, such as employees, claimants, and beneficiaries; our broker and agent partners; our vendors and other service providers; website visitors and users of our online environments; and Hiscox employees and applicants. Note that employee data and practices are detailed separately in our Employee Privacy Notice.

Information We Collect

Hiscox collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“Personal Information”). In particular, Hiscox has collected (or not collected, if indicated below) the following categories of personal information from its consumers in the past twelve (12) months:

Category		Examples	Collected
A	Identifiers	A real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.	YES
B	Personal information categories	A name, signature, address, telephone number, education, employment, employment history, passport number, driver’s license or state identification card number, credit card number, debit card number, or any other methods of payment for our products, medical or health insurance information, trade union membership, or political affiliations. Some personal information included in this category may overlap with other categories.	YES
C	Protected classification characteristics under California or federal law	Age (40 years or older), medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), veteran or military status.	YES
D	Commercial information	Records of products or services purchased, obtained, or considered and family, lifestyle, and social circumstances.	YES
E	Biometric information	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	NO
F	Internet or other similar network activity	Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.	YES
G	Geolocation data	Physical location or movements.	YES
H	Sensory data	Audio, electronic, visual, thermal, olfactory, or similar information. We record our customer interactions with our call centers.	YES
I	Professional or employment-related information	Current or past job history or performance evaluations.	YES
J	Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	YES
K	Inferences drawn from other personal information	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	YES

In addition, Hiscox has collected (or not collected, if indicated below) the following categories of sensitive personal information from its consumers in the past twelve (12) months:

Category		Collected
L	Sensitive identification numbers (such as Social security, driver’s license, state identification card, or passport number)	YES
M	Account access information (including account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account)	YES
N	Precise geolocation	NO
O	Racial or ethnic origin, religious or philosophical beliefs, or union membership	YES
P	Contents of a consumer’s mail, email, and text messages unless the business is the intended recipient of the communication	YES
Q	Genetic data	NO
R	Biometric information processed for the purpose of uniquely identifying a consumer	NO
S	Health (or medical) information	YES
T	Information concerning sex life or sexual orientation	NO

Sources of Personal Information

Business or Commercial Purposes for Collecting Personal Information

Disclosures of Personal Information to Third Parties

Hiscox may disclose your Personal Information to a third party for a business purpose. When we disclose personal information for a business purpose, we require that the recipient both keep that Personal Information confidential and not use it for any purpose except performing the contract.

For purposes of the CCPA, a “Sale” is the disclosure of Personal Information to a Third Party for monetary or other valuable consideration, and a “Share” is the disclosure of Personal Information to a Third Party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration.

In the preceding twelve (12) months, Hiscox has disclosed the following categories of Personal Information to third parties for a business purpose:

Category of Personal Information Disclosed to Third Parties	Categories of Third Party Recipients
Category A: Identifiers	Advertising companies (like ad servers, advertising agencies, technology vendors, providers of sponsored content, and others) Joint marketing partners Insurance brokers and agents Operating systems and platforms Social media networks Internet service providers Data analytics providers Employers and other policyholders Other (re)insurers or other companies who act as (re)insurance distributors Parties involved in insurance claims, such as healthcare providers, employers, claimants, witnesses, and affected parties Fraud detection vendors Insurance rate advisory organizations, guaranty funds or agencies, or similar insurance entities Government entities, regulators, courts, and law enforcement agencies Consumer reporting agencies Our affiliates Potential purchasers of our assets or business
Category B: California Customer Records personal information categories	Advertising companies (like ad servers, advertising agencies, technology vendors, providers of sponsored content, and others) Joint marketing partners Insurance brokers and agents Operating systems and platforms Social media networks Internet service providers Data analytics providers Employers and other policyholders Other (re)insurers or other companies who act as (re)insurance distributors Parties involved in insurance claims, such as healthcare providers, employers, claimants, witnesses, and affected parties Fraud detection vendors Insurance rate advisory organizations, guaranty funds or agencies, or similar insurance entities Government entities, regulators, courts, and law enforcement agencies Consumer reporting agencies Our affiliates Potential purchasers of our assets or business
Category D: Commercial information	Advertising companies (like ad servers, advertising agencies, technology vendors, providers of sponsored content, and others) Joint marketing partners Insurance brokers and agents Operating systems and platforms Social media networks Internet service providers Data analytics providers Employers and other policyholders Other (re)insurers or other companies who act as (re)insurance distributors Parties involved in insurance claims, such as healthcare providers, employers, claimants, witnesses, and affected parties Fraud detection vendors Insurance rate advisory organizations, guaranty funds or agencies, or similar insurance entities Government entities, regulators, courts, and law enforcement agencies Consumer reporting agencies Our affiliates Potential purchasers of our assets or business
Category F: Internet or other similar network activity	Advertising companies (like ad servers, advertising agencies, technology vendors, providers of sponsored content, and others) Data analytics providers Social media networks
Category G: Geolocation data	Advertising companies (like ad servers, advertising agencies, technology vendors, providers of sponsored content, and others) Joint marketing partners Data analytics providers Social media networks
Category I: Professional or employment-related information	Operating systems and platforms Consumer reporting agencies Government entities, regulators, courts, and law enforcement agencies

In the preceding twelve (12) months, Hiscox has not disclosed the following categories of personal information to third parties for a business purpose:

Category C: Protected classification characteristics under California or federal law
Category E: Biometric information
Category H: Sensory data
Category J: Non-public education information

We disclose the categories of personal information to the categories of third parties identified above for the following business or commercial purposes:

Our business operational purposes, including to underwrite insurance, process payments, process claims, administer benefits (including utilization review activities), and maintaining accounts;
Assert and defend legal claims;
Conduct research, analytics, and data analysis;
Provide advertising or marketing services;
Detect and prevent fraud, and secure our systems and facilities;
Authenticate your identity and verify your access permissions;
Perform accounting, audit, and other internal functions, such as internal investigations; and to comply with law, legal process, and internal policies.

We do not have actual knowledge that we sell or share personal information of California Consumers under 16 years of age.

We sell or share the categories of personal information identified above for the following business or commercial purposes:

Conduct research, analytics, and data analysis;
Provide advertising or marketing services, including to provide you with targeted ads;
Monitor and improve our online environment functionality and personalize your website experience.

Your Rights and Choices

The CCPA provides California residents with specific rights regarding their Personal Information. This subsection describes your CCPA rights and explains how to exercise those rights.

Right to Receive Information on Privacy Practices

You have the right to receive the following information at or before the point of collection:

The categories of personal information to be collected;
The purposes for which the categories of personal information are collected or used;
Whether or not that personal information is sold or shared;
If the business collects sensitive personal information, the categories of sensitive personal information to be collected, the purposes for which it is collected or used, and whether that information is sold or shared; and
The length of time the business intends to retain each category of personal information, or if that is not possible, the criteria used to determine that period.

Access to Specific Information and Data Portability Rights

You have the right to request that Hiscox disclose certain information to you about our collection and use of your Personal Information over the past 12 months, including the following:

The categories of Personal Information we collected about you;
The categories of sources for the Personal Information we collected about you;
Our business or commercial purpose for collecting, selling, or sharing that Personal Information;
The categories of third parties with whom we disclosed that Personal Information; and
The specific pieces of Personal Information we collected about you (also called a “data portability” request).

You may also request that we disclose to you:

The categories of Personal Information that we have sold or shared about you and the categories of third parties to whom the personal information was sold or shared; and
The categories of personal information we have disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.

Deletion Request Rights

You have the right to request that Hiscox delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
Help to ensure security and integrity to the extent the use of the consumer’s personal information is reasonably necessary and proportionate for those purposes.
Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.)/li>
Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us.
Comply with a legal obligation.

Right to Correction

You may request that we correct any inaccurate Personal Information we maintain about you.

Right to Opt-Out of the Sale and Sharing of Your Personal Information

You have the right to opt-out of the Sale and Sharing of your Personal Information. We have Sold or Shared the categories of Personal Information identified under the Sale or Sharing of Personal Information section above. To submit an opt-out request, please access the below link. We will process your request(s) in accordance with applicable law.

Do Not Sell or Share My Personal Information

Right to Limit the Use of Your Sensitive Personal Information

You have the right to limit the use of your Sensitive Personal Information to the purposes authorized by the CCPA. We do not use Sensitive Personal Information for purposes beyond those authorized by the CCPA.

Right to Non-Discrimination

You have the right not to be discriminated against for exercising your CCPA consumer rights. We will not discriminate against you for exercising your consumer rights.

Exercising Your CCPA Rights

To exercise your CCPA rights described above, please submit a verifiable request to us by either: Calling us at: 1-866-283-7545

Visiting us here

Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative
Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response electronically, unless you indicate preference to receive a response by mail.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Appeal

Should you wish to challenge a determination surrounding the outcome of your consumer rights request, you may do so by emailing [email protected]

table of contents

Information Security

Information security is extremely important to us. If you believe you have discovered a security vulnerability on a Hiscox website, please contact us via email: [email protected].