Open Insurance Services UK Limited - Privacy Notice

Summary

This Privacy Notice sets out in detail the purposes for which we process your personal data, how we collect it from you and other sources, who we share it with, what rights you have in relation to that personal data, and anything else we think is important for you to know.

We mainly process your personal data to provide you with the services that you’ve requested from us through one of our websites or distribution partners.

Our website and the digital insurance experiences that we make available from distribution partners’ websites are together referred to in this Privacy Notice as our “Platform”.

To use our services, we need to share your personal data with our insurance partners, distribution partners and product and service providers. The specific details of these parties, as well as other reasons for which we process your personal data, are set out below.

We are the data controller of the personal data that you provide on the Platform and/or that we collect about you. This means that we are the company responsible for deciding how your data is processed.

About Open Insurance Services UK Limited

This Privacy Notice relates to Open Insurance Services UK Limited (Company number 9365669). We use “we”, “us”, and “Open” to mean Open Insurance Services UK Limited and any of our trading names.

We are an insurance intermediary, authorised and regulated by the Financial Conduct Authority (FCA). Our registration number is 988625 and this can be confirmed at fca.org.uk/register or by calling 0800 111 6768. Our registered address is 91 Wimpole Street, London W1G 0EF.

Open provides services under trading names in the UK including:

• Huddle
• SO-SURE
• Wanda by Avios

Information we collect about you

Before and after we supply services or products, as well as collecting information directly from you, we also use external sources to find out more details about you and to check the information collected. 

We do this to offer you products and services and in the case of insurance, so that we can more effectively calculate the insurance risk and offer a price. 

We may also use this information for the purposes of conducting checks to prevent fraud and money laundering, verifying your identity, confirming the information you have provided to us, and gaining a better understanding of you as a customer. 

We collect information about you if you are:

• a potential customer and have submitted your personal information so we can provide you with a quote for our products and services; or, 
• somebody named on a quote;
• existing customer (either a policyholder or someone covered by a policy or product); or
• responsible for paying for someone else’s policy or product; or 
• acting on behalf of a customer.

The type of personal information we collect will also depend on your circumstances. For example, the information we collect if you have a policy with us is different to the information we will ask for or collect if you make a claim. 

If you give us personal information about other people, you must make sure they are aware of and agree to this Privacy Notice. You must also get their agreement before sharing any of their personal information with us.

We set out the types of information we may collect about you below.

Individual details

Your name, address, former address(es), contact details (e.g. email/telephone), gender, marital status, date of birth, length of time as a UK resident.

Employment information

Your job title and the nature of the industry you work in. 

Identification details

For example, your driving licence number. Sometimes we may ask you for further information and/or copies of documents so we can confirm your identity. This may include details about your residency, marital status, address, passport details.

Earlier and current claims

Any earlier insurance policies you’ve held, and claims made against those policies. 

Credit and anti-fraud data

Credit history and credit score may be collected before we offer the choice of monthly payments when we will run a credit check. We also collect sanctions and criminal offences, bankruptcy orders, individual voluntary arrangements or county court judgments, and information received from various anti-fraud databases. This information may include special categories of information about you such as criminal offences.

Demographic data

Lifestyle indicators such as income, education and the size of your household. 

Publicly available data including social media

This refers to data which is freely available. When necessary and proportionate to do so, this may include (but isn’t limited to) social media about you, the electoral roll, court judgments, insolvency registers, internet search engines, news articles, blog posts.

Other risk details

Details about the insured person or property to be insured, along with these special categories of information including:

• Health data such as physical or mental health information relevant to an insurance application.
• Criminal convictions: Any of which are unspent under the Rehabilitation of Offenders Act, including any motoring and non-motoring offences/alleged offences committed, or any court sentences you’re subject to.

Marketing preferences

This includes whether you’ve given your consent to receive marketing information from Open or one of our insurance or distribution partners (see section 7 for more details on how Open collects and uses your marketing preferences).

Website and app use, including cookies and use of our online service centre

During your use of our website and mobile app, we may collect information that relates to your device, device settings, browser or other identifying information, in addition to information about your use of the service. 

Payment information

Bank and payment information such as credit or debit card details. 

Other information

Other information may be captured during recordings of any telephone calls, other contact with us or if you make a complaint. This may include special categories of information you provide when talking with us.

Collecting and sharing your personal information

We only collect and share your personal information when there is good reason to do so, and in line with relevant data protection regulations. The following is the list of where we obtain personal information about you from, as well as who we share it with:

The person applying for or named on the policy, product or quote

We collect details where you’re an individual named under a quote, product, policy. We may collect or share these details:

• with you directly 
• with anyone named on the insurance policy
• anyone authorised to act on your or their behalf
• during your use of our Platform

Insurance partners

Our insurance partners also hold your personal data as Controller and use this information to underwrite your policy, provide you with insurance and claims services, to prevent fraud and to fulfil their regulatory obligations. 

Most of our insurance partners are located in the United Kingdom, although some may be in other countries. 

You can find more information about how they handle your data and where they process it on their privacy policies as follows:

• Astrenska Insurance Limited (trading as Collinson): Appendix 1 of this privacy notice
• Helvetia
• Wakam
• Axis Capital Group

Distribution partners and price comparison websites

Information is both collected from and shared with the distribution partners and price comparison websites that you may have visited prior to engaging with Open. This includes information about you, your insurance and whether or not you purchased insurance from Open.

You may also provide us with your consent to share your information with distribution partners for marketing purposes. Our distribution partners (and any other providers they work with) will be responsible for how your personal data is handled and they hold your data as a controller.

Other companies involved in the insurance application process

Service providers

We share your information with our providers who need it to supply a service to you (e.g. claims services and optional extras). These service providers (and any other providers they work with) will be responsible for how your personal data is handled and they hold your data as a controller.

Credit reference and debt collection agencies

Information is both collected from and shared with the credit reference agencies. This includes information about you and your financial history.

Providers of demographic data

We use numerous companies to find out information about you, your home and your property. This includes lifestyle indicators such as your income, education and the size of your household. It may also include information about your home , for example recent flood history.

Law enforcement agencies

We may share your details with law enforcement agencies, including the police, if requested. The information shared will be limited to what is necessary and proportionate. For example, we will pass certain details onto the police if they contact us as a result of investigating fraud.

Financial crime detection agencies and insurance industry financial crime databases

The personal information we have collected from you will be shared with fraud prevention agencies. They will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by visiting www.cifas.org.uk

Other Open Group companies

We may share information that you provide between Open Group companies.

Third party suppliers

We use these companies to help us to carry out our everyday business activities. These include our IT service and technology providers, data analytics, data science, cloud services, communications providers, payment service providers, information security suppliers and advertising and marketing agencies.

These third party suppliers act as our processor and we decide when these third parties process your personal data. We will have a contract in place with them placing a duty on them to keep your data secure and only use it for the reason we say.

Financial institutions

Finance institutions to allow us to carry out a financial transaction for your policy. For example, to process payments from your debit or credit card, we share your personal and transaction details with our payment processing provider, Stripe. Stripe collects and retains your credit card details and acts as a controller of your data under the terms of its own Privacy Notice.

Others

We may share and collect information from selected third parties in connection with any sale, transfer or disposal of our business. We may also share your data with the price comparison websites or the relevant incentive provider in cases where you’ve bought a policy using an introductory cash back offer.

What we use your personal information for and our lawful basis

We process your personal information for different purposes. We must have legal permission (this is called a ‘lawful basis’) for each purpose. We must have an extra lawful basis for the processing of special categories of information. We’ve summarised our uses of your information below.

Provide insurance, products and services to you and manage your claim

• To assess your insurance application and provide a quote (or a quote you’re named in). 
• To set up your insurance policy (or a policy you’re covered on). 
• To set up a product or service
• To set up a monthly payment plan. 
• To manage any claims you make under your insurance policy or a policy you’re covered on.

Lawful basis for processing your information

Contractual necessity, as we need this information to perform our contract with you and provide you with the service you have requested.

When we personalise your experience on our Platform we do so because it is our legitimate interest as a business to make your experience on our Platform as simple to use as possible.

Fraud Prevention

• To check your identity or carry out fraud, credit, and anti-money laundering checks for an insurance application or to provide a quote (or a quote you’re named in). 
• To prevent and investigate fraud on an ongoing basis.

Lawful basis for processing your information 

We process this information because it is necessary for our legitimate interests and because it is in the substantial public interest for us to do so, for the purpose of arranging an insurance contract. We also process this information to prevent or detect unlawful acts, such as fraud.

Communicate with you

• To communicate with you to manage queries and resolve any complaints you might have. 
• To send you marketing materials about our products and services (with your permission).

Lawful basis for processing your information

You can provide consent to receive marketing communications from us via various contact methods, including post, telephone call, email, SMS or other available instant messaging platforms.  Details of how you can opt-out of marketing messages are in Section 7 below. 

Legitimate interests, it is also in our interests to be able to deliver more personalised messages advertising to you across social media and other paid advertising platforms.

Run our business

• To follow our legal or regulatory obligations. 
• To make sure we consider any customers who may be in a vulnerable circumstance . 
• To help with risk modelling and renewal pricing of products. 
• Quality, training and security purposes (e.g. through recorded, monitored or transcribed phone calls to/from us, or customer satisfaction surveys). 
• Managing our business operations (e.g. keeping accounting records, analysing financial results, meeting audit requirements, receiving professional advice, and holding our own insurance). 
• For insurance administration purposes including trend analysis, actuarial work, pricing analysis, analysis of customer experience and transactions, planning service delivery, risk assessment, and costs and charges. 
• Monitoring the use of our website. 
• Debt collection purposes.

Lawful basis for processing your information

Contractual necessity, as we need this information to perform our contract with you and provide you with the service you have requested.

We also process your information because it is in the substantial public interest for us to do so, for the purpose of arranging an insurance contract. We also process this information to prevent or detect unlawful acts, such as fraud.

When we personalise your experience on our Platform we do so because it is our legitimate interest as a business to make your experience on our Platform as simple to use as possible.

Sending your data to other countries

Sometimes we’ll transfer the personal information we collect about you to other countries outside of the UK. When a transfer like this happens, we’ll take steps to make sure your personal information is protected. We’ll do this using a number of different methods including: 

Standard contractual clauses: When we are required to do so we put in place legally approved contractual clauses which govern the transfer of your personal data to all third party suppliers who are located in countries that require these clauses to be put in place. We do this to protect your personal data when it is transferred to those countries. Before making these transfers, we ensure that the data protection laws in those countries are sufficient to protect your data.

Adequacy: The government, with support from The Information Commissioner’s Office in the UK, have decided that certain countries provide an ‘essentially same’ level of protection for your personal data. We rely on these decisions to transfer your personal data to these jurisdictions.

Binding Corporate Rules: Data protection laws allow companies to propose a set of rules that they will apply when transferring your data to certain countries, these rules are required to be approved by the Information Commissioner’s Office if the company is based in the UK, or by other relevant regulators depending on that companies’ location. This approval will mean that the rules used will be sufficient to protect your data when transferred to companies in other countries that agreed to be subject to the rules.

Marketing

It is important that Open can market its products or services. In doing so, we must follow the various data protection regulations. These regulations mean that you always have the right to ask us to stop marketing to you, something which is called ‘opting out’. If we want to contact you electronically, we must have your consent beforehand. You may have consented to us contacting you when you visited one of our distribution partners or a price comparison site for an insurance quote. There are also other ways we may contact you:

Soft Opt-in

If you have asked for (or started to request) a quotation or price from us, either verbally or online, this expression of interest gives us permission to contact you to discuss our products – or to offer similar products and services to you, provided you haven’t opted out. 

This is called a soft opt-in. You’re free to object to receiving these messages or any other marketing material and can opt out at any time. You can do this online. If you’re not sure how to do this, please feel free to Contact us. 

Service messages

There are occasions when we will contact you for non-marketing purposes. Because these service messages do not contain any marketing, they fall outside of your marketing preferences and this means that even if you have opted-out of marketing, you will still receive them. Examples of these messages include confirmations of recent transactions and important information about your product, policy, claims, coverage or payments.

How long we keep your personal information for

We keep personal information for as long as is reasonably required to allow us to manage complaints, prevent fraud, to improve pricing, for analytical purposes and also to meet our legal, regulatory, tax or accounting obligations. Further details of this are provided earlier in this Privacy Notice. The actual retention periods for your personal information will depend on your specific circumstances (see below for more details):

Policies

If you buy a policy from us, we’ll keep all policy personal information (including any data we get from other sources) for seven years after the policy ends (or the settlement of any outstanding debt). We do this to allow us to manage complaints, claims, prevent fraud or financial crime and to meet our statutory and regulatory obligations as, in particular as required by the Financial Conduct Authority, Money Laundering regulations, the HMRC.  

Quotes

If you provide information for the purposes of getting a quote from us, either directly or through a price comparison website, we’ll keep your details for six years. This includes quotes that are abandoned, incomplete or unfinished. If a quote is bought and a new policy started, that quote and any quotes falling six years before the date the policy started, will be kept along with the policy details in line with our policy retention period of seven years. 

Claims

All active claims, those with periodic payment orders, or provisional damages awarded will be retained. Once closed, any claim records will be kept for seven years. 

Data shared with third parties  

Where your personal data is shared with a third party as a data controller (as noted in the ‘who do we share your information with, why and where do they process it’ section above), that third party will determine its own retention periods and you should check that third party’s privacy policy for more information.

Where your personal data is shared with a third party as a data processor, those third parties are required under the terms of their agreement with us to return or delete that personal data when they no longer provide us services, or when we instruct them to delete your information unless they are required to retain it to comply with any legal or regulatory requirements.

Automated processing

When deciding whether to offer an insurance policy, we use automated processing. The process considers the information you give us, as well as information from other sources, such as risk assessment tools or credit reference agencies. These are used to decide whether your application for insurance can be accepted and what the price of the policy should be. The automated decisions include: 

• The creation of pricing models and risk acceptance criteria. 
• The application of the pricing and risk models using data we hold about you, to accept or decline your request for insurance and to work out the price of your policy. 
• Assessing your ability to pay the insurance premiums. 
• Assessing the risk of fraud being committed on your policy. 

Although there are degrees of automation used in other parts of the business, these involve a person in the decision. This is why they’re not considered an automated decision and aren’t listed here. 

Your rights

Under data protection law, you have different rights relating to the personal information we hold about you. You can exercise these rights by contacting us on support@uk.beopen.com.

Depending on your request, we may ask for proof of your identity and address to ensure the security of your personal data. We won’t usually charge you in relation to a request.

Below is a summary of your data protection rights: 

• Right of Access(also called DSARs)    
• Right to Rectification
• Right to Erasure        
• Right to Restriction of Processing 
• Right to Data Portability
• Rights Related to Automated Decisions 
• Right to Object to Marketing        
• Right to Withdraw Consent
• Right to Object to Processing        
• Right to Lodge a Complaint with the ICO.

There may be some circumstances where we cannot comply with your request. For example, we wouldn’t be able to agree to your request if it meant we couldn’t comply with our own legal or regulatory requirements. In these instances, we’ll let you know why we cannot agree to your request.

How we protect your information

The protection of your personal data is especially important to us. We use technical and procedural measures to protect personal data in line with industry best practices and legal requirements. Open is aligned to the security standard ISO27001 and all of our team members are provided with regular data protection training.

Contacting us

If you want to exercise any of your rights, or if you have any questions about how we collect, store or use your personal information, our team can be reached as follows: 

• Post: Open, 91 Wimpole Street, London, W1G 0EF
• Email: support@uk.beopen.com

Your right to complain

If you have a complaint regarding how your personal data has been processed by us, then please contact us first. You also have the right to complain to the Information Commissioner’s Office, which regulates data protection compliance in the UK. You can find more information on their website www.ico.org.uk.

Updates to this Privacy Notice

We may need to update this Privacy Notice from time to time. This could be as the result of government regulation, new technologies or other developments in data protection laws or privacy generally, where our business model changes, or where we identify new sources and uses of personal information.

‍

Appendix A: Collinson Privacy Policy

‍

Data protection

How We Use the Information About You

As a data controller, we collect and process information about you so that we can provide you with the products and services you have requested. We also receive personal information from your agent on a regular basis while your policy is still live. This will include your name, address, risk details and other information which is necessary for us to:

• Meet our contractual obligations to you.
• Issue you this insurance policy.
• Deal with any claims or requests for assistance that you may have.
• Service your policy (including claims and policy administration, payments, and other transactions).
• Detect, investigate, and prevent activities which may be illegal or could result in your policy being cancelled or treated as if it never existed.
• Protect our legitimate interests.

Some of the personal information that you provide may be sensitive information. This includes details about your health or medical records. Where we need your consent to collect and process your sensitive information, this will be obtained from you at the relevant time. Please note that, in these cases, we may not be able to sell you an insurance policy or deal with a claim if you do not agree to us processing relevant sensitive information.

To administer your policy and deal with any claims, your information may be shared with trusted third parties. This will include members of The Collinson Group, third party administrators, contractors, investigators, crime prevention organisations and claims management organisations where they provide administration and management support on our behalf. Some of these companies are based outside of the European Union where different data privacy laws apply. Wherever possible, we will have strict contractual terms in place to make sure that your information remains safe and secure.

We will not share your information with anyone else unless you agree to this, or we are required to do this by our regulators (e.g., the Financial Conduct Authority) or other authorities.

The personal information we have collected from you will be shared with fraud prevention agencies and databases who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies and databases, and your data protection rights, can be found by visiting https://cifas.org.uk/fpn and https://insurancefraudbureau.org/privacy-policy.

Processing your data

Your data will generally be processed on the basis that it is:

• Necessary for the performance of the contract that you have with us.
• Is in the public or your vital interest: or
• For our legitimate business interests.

If we are not able to rely on the above, we will ask for your consent to process your data.

How we store and protect your information

All personal information collected by us is stored on secure servers which are either in the United Kingdom or European Union. We will need to keep and process your personal information during the period of insurance and after this time so that we can meet our regulatory obligations or to deal with any reasonable requests from our regulators and other authorities.

We also have security measures in place in our offices to protect the information that you have given us

How you can access your information and correct anything which is wrong.

You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please contact us by email or letter as shown below:

Email address: data.protection@collinsongroup.com

Postal Address: 3 More London Riverside, London, SE1 2AQ

This will normally be provided free of charge, but in some circumstances, we may either make a reasonable charge for this service or refuse to give you this information if your request is clearly unjustified or excessive.

We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

If you wish to make a complaint about the use of your personal information, please contact our Complaints manager using the details above. You can also complain directly to the Information Commissioner’s Office (ICO). Further information can be found at https://ico.org.uk.