Updates. We are continually improving and adding to the features and functionality of the services we offer. As a result of these changes, or changes in the law, we may need to update or revise this Policy. Accordingly, we reserve the right to update or modify this Policy at any time, without prior notice.
International Transfers. Our online environments are designed for and targeted to United States audiences and are governed by and operated in accordance with the laws of the United States. While users from countries other than the United States may access our online environments, we make no representation that such environments are operated in accordance with the laws or regulations of, or governed by, other nations. Please be aware that by accessing our online environments, or providing us with information, you understand and agree that:
- Information collected from you may be transferred to and stored on servers located outside your jurisdiction;
- To the extent you are a resident of a country other than the United States, you consent to the transfer of such information to the United States for our use in accordance with this Policy; and
- This Policy, and the collection and use of information pursuant to this Policy, shall be governed by and construed in accordance with the laws of the United States, without giving effect to any principles of conflicts of law.
Providing us with information or continuing to use our online environments indicates that you are agreeing to the collection, use, disclosure, management and storage of information collected from you as described in this Policy.
Children's Information. We do not knowingly collect or use any information from children (we define “children” as minors younger than 13) on our online environments. We do not knowingly allow children to order our products or services, communicate with us or use any of our online environments. If you are a parent and become aware that your child has provided us with information, please contact us using one of the methods specified below, and we will work with you to address this issue.
1. What personal information do we collect and use?
2. What marketing activities do we carry out?
3. How long do we keep personal information for?
4. How do we protect your information?
5. California Residents' rights
6. Contacting us
What personal information do we collect and use?
Hiscox is an international insurance business. We offer insurance to individuals, companies and other insurers. We do this both by providing insurance ourselves and by placing insurance with other insurers. We also offer insurance to other insurers (known as “reinsurance”). For the purposes of this notice, references to insurance also mean reinsurance.
For us to provide you with a quote and then insurance, and deal with any claims or complaints that might arise, we need to collect and process data about you.
If you provide personal information to us about other individuals (for example, members of your family) you will inform them about the contents of this notice and obtain any required consent in accordance with this Policy.
What personal information do we collect?
Examples of the types of information we collect include:
- General information such as your name, address, contact details, date of birth, and gender;
- Identification information such as social security number, passport number, or driver’s license number;
- Information about your job including job title, your status as a director or partner, employment history, education history and professional accreditations;
- Information which is relevant to your insurance policy, including details of previous insurance policies and claims history;
- Information relevant to any claim or complaint you may make. For example, if you make a claim following a theft, we may use personal information which relates to the location of that theft;
- Financial information, such as your bank and payment details;
- Information (including photographs) obtained as a result of carrying out checks of publicly available sources, such as newspapers and social media sites;
- Information relating to criminal convictions (including offenses and alleged offenses and any court sentence or unspent criminal conviction);
- If relevant, details of your current or former physical or mental health condition. This may take the form of medical reports or underlying medical data such as x-rays or blood tests; and
- Your marketing preferences and details of your customer experience with us.
How will we collect your personal information?
We will collect information directly from you and the following third parties, which may contain information related to you:
- The named policyholder (where you are a beneficiary);
- Third parties involved in the relevant insurance policy or claim (such as our business partners and representatives, brokers or other insurers, claimants, defendants or witnesses to a claim);
- Third parties who provide a service in relation to the relevant insurance policy or claim (such as loss adjusters, claims handlers, attorneys, and medical experts);
- Publicly available sources, such as internet search engines, news articles and social media sites;
- Other companies within the Hiscox Group;
- Credit reference agencies;
- Financial crime detection agencies and databases;
- Third parties who provide sanctions-checking services;
- Third parties who provide us with details of individuals who have expressed an interest in hearing about insurance products;
- In limited circumstances, private investigators;
- Third-party data suppliers;
- Third-party administrators and suppliers we use to help us carry out our everyday business activities, including IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisers, and applicable governmental entities;
- Our own websites;
- Selected third parties in connection with any sale, transfer or disposal of our business; and
What will we use your personal information for?
We may use your information for different business purposes, such as when:
- We need to use your personal information to enter into or perform a contract that we hold with you. For example, we need to use your personal information to provide you with a quote or to provide you with an insurance policy and other associated products. We will rely on this for activities such as assessing your application, managing your insurance policy, handling claims and providing other products to you;
- We have a legal or regulatory obligation to use such personal information. For example, our regulators require us to hold certain records of our dealings with you;
- We have a business need to use your personal information. We will rely on this for activities such as maintaining our business records, security, training and quality assurance, and developing and improving our products and services;
- We need to use your personal information to establish, exercise or defend legal rights. This might happen when we are faced with legal proceedings or want to bring legal proceedings ourselves or when we are investigating a legal claim that a third party brings against you;
- We need to use personal information to prevent or detect crime. This might happen when we are investigating allegations of insurance fraud; and
- Selected third parties in connection with any sale, transfer, disposal or restructure of our business.
Who will we share your personal information with?
We may share your personal information with the other companies in the Hiscox Group or with third parties. We will keep your personal information confidential and only share it with the third parties listed below for the purposes set out above.
If you would like further information regarding the disclosures of your personal information, please contact us using the details set out in Section 6 below.
Where relevant, we will share your personal information with:
- Other companies in the Hiscox Group, including where:
  - one of our Group companies is placing your insurance policy with another Group company;
  - one of our Group companies is unable to provide you with an insurance policy but another might be able to assist you;
  - we are arranging our own insurance;
  - necessary for our business administration purposes;
  - we are using information for the prevention or detection of fraud or other crime; or
  - we need to report information within our Group of companies.
- Our insurance and reinsurance partners such as brokers, other (re)insurers or other companies who act as (re)insurance distributors;
- Other third parties who assist in the administration of your insurance policy or claim, such as loss adjusters, claims handlers, accountants, auditors, banks, lawyers and other experts including medical experts;
- Our regulators;
- Other insurers;
- Fraud detection agencies and other third parties who operate and maintain fraud detection registers or undertake investigations in cases of suspected insurance fraud;
- The police and other third parties (such as banks or other insurance companies);
- Other insurers who provide our own insurance;
- Credit referencing agencies and third parties who carry out sanctions checks on our behalf;
- Our third-party services providers, such as IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers and tax advisers;
- Third parties who handle our direct marketing on our behalf (this includes, for example, sending marketing communications and analysis of responses to our marketing communications);
- Social media sites (such as Facebook) to carry out marketing;
- Selected third parties in connection with any sale, transfer or disposal of our business.
What marketing activities do we carry out?
We may use your personal information to provide you with information about products or services that may be of interest to you when you are an existing customer or when you have provided your consent for us to do so. We may do this by mail or email.
We are committed to only sending you marketing communications that you have clearly expressed an interest in receiving. If you wish to opt out of marketing, you may do so by clicking on the “unsubscribe” link that appears in all emails or telling us when we call you. Otherwise you can always contact us using the details set out in section 6 to update your contact preferences.
Please note that, even if you opt out of receiving marketing messages, we may still send you service-related communications where necessary.
How long do we keep personal information for?
We will only keep your personal information for the minimum periods required to fulfill the relevant purposes set out in this Policy.
We are also required to keep certain information to comply with our legal and regulatory obligations.
The exact time period will depend on your relationship with us and the type of personal information we hold. For example, if you take out an insurance policy with us, we will keep your personal information for longer than if you obtain a quote from us but do not take out a policy.
If you would like further information regarding the periods for which your personal information will be stored, please contact us using the details set out in section 6.
How do we protect your information?
We maintain reasonable administrative, physical, and technological measures to protect the confidentiality and security of personal information you submit to us. We use a range of organizational and technical security measures to protect your information, including:
- physical security measures such as on-site security and CCTV;
- network security measures such as intrusion detection systems;
- access controls such as password protection and user logging; and
- virus and malware controls on our systems.
We review our security measures periodically. We also ensure that our employees receive appropriate data security training.
California Privacy Supplement
Information We Collect
Hiscox collects information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“Personal Information”). In particular, Hiscox has collected (or not collected, if indicated below) the following categories of personal information from its consumers in the past twelve (12) months:
|A. Identifiers||A real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, or other similar identifiers.||YES|
|B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e))||A name, signature, address, telephone number, education, employment, employment history, credit card number, debit card number, or any other methods of payment for our products, or medical information. Some personal information included in this category may overlap with other categories.|
|C. Protected classification characteristics under California or federal law||Age (40 years or older), medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), veteran or military status.||YES|
|D. Commercial information||Records of products or services purchased, obtained, or considered.||YES|
|E. Biometric information||Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.||NO|
|F. Internet or other similar network activity||Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.||YES|
|G. Geolocation data||Physical location or movements.||NO|
|H. Sensory data||Audio, electronic, visual, thermal, olfactory, or similar information. We record our customer interactions with our call centers.||YES|
|I. Professional or employment-related information||Current or past job history or performance evaluations.||YES|
|J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99))||Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.||NO|
|K. Inferences drawn from other personal information||Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.||NO|
Hiscox obtains Personal Information from categories of sources as set forth in the “How will we collect your personal information” subsection above. Hiscox will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you with additional notice.
Sharing Personal Information
Hiscox may disclose your Personal Information to a third party for a business purpose. When we disclose personal information for a business purpose, we require that the recipient both keep that Personal Information confidential and not use it for any purpose except performing the contract.
In the preceding twelve (12) months, Hiscox has disclosed the following categories of Personal Information for a business purpose:
- Category A: Identifiers
- Category B: California Customer Records personal information categories
- Category D: Commercial information
- Category F: Internet or other similar network activity
- Category I: Professional or employment-related information
In the preceding twelve (12) months, Company has not disclosed the following categories of personal information for a business purpose:
- Category C: Protected classification characteristics under California or federal law
- Category E: Biometric information
- Category G: Geolocation data
- Category H: Sensory data
- Category J: Non-public education information
- Category K: Inferences drawn from other personal information
We share your Personal Information with the categories of third parties set forth in the “Who will we share your personal information with?” subsection above.
Sale of Personal Information
In the preceding twelve (12) months, Hiscox has not sold any categories of Personal Information. Hiscox does not sell Personal Information to third parties.
Your Rights and Choices
The CCPA provides California residents with specific rights regarding their Personal Information. This subsection describes your CCPA rights and explains how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that Hiscox disclose certain information to you about our collection and use of your Personal Information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:
- The categories of Personal Information we collected about you
- The categories of sources for the Personal Information we collected about you
- Our business or commercial purpose for collecting that Personal Information
- The categories of third parties with whom we share that Personal Information
- The specific pieces of Personal Information we collected about you (also called a “data portability” request).
- If we disclosed your Personal Information for a business purpose, the Personal Information categories that each category of recipient obtained.
Deletion Request Rights
You have the right to request that Hiscox delete any of your Personal Information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Information from our records, unless an exception applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us
- Comply with a legal obligation
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it
Exercising Access, Data Portability, and Deletion Rights
To exercise the access, data portability, and deletion rights described above, please submit a verifiable request to us by either:
- Calling us at: 1-866-283-7545
- Visiting us here.
Only you, or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.
We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
We will not discriminate against you for exercising any of your CCPA rights.
If you would like further information about any of the matters in this notice or have any other questions about how we collect, store or use your personal information, or to exercise your rights under the California Consumer Privacy Act (California Residents only), you may contact us by telephone at 866-446-4082 or by emailing us at [email protected].