- What information do we collect from you?
- Why do we collect this information?
- Automated Decisions Making
- How long do we keep hold of your information?
- Who might we share your information with?
- How is your data stored and kept secure?
- International transfers
- What are your rights?
- Changes to this Policy
- Contact Us
What information do we collect from you?
We will collect and process the following data about you:
- Information you give us. This is information about you that you give us by filling in forms on our site or by corresponding with us by phone, email or otherwise. The information you give us may include your name, address, email address and phone number and financial information. We will ask you for further information depending on which insurance you are interested in.
- Information we collect from your use of our site. With regard to each of your visits to our site we will automatically collect the following information:
- technical information, such as the Internet protocol (IP) address used to connect your device to the Internet, whereabouts you connected to our service, your internet service provider (ISP), and what type of device you are using to access our service;
- Information we collect when you call us. If you call us we will automatically collect the phone number used to call. Some of our partner brokers, claims administrators or similar business partners may record calls as part of their FCA compliance requirement. The relevant business partner will be the data controller for that information, so please address any queries directly to the appropriate broker.
We review a selection of the business partner calls set out above in our legitimate interests in order to check they are providing a quality service.
- Information we receive from other sources. We are working closely with other organisations who may provide us with information relating to you, including:
- Property information from surveyors;
- In certain cases, convictions information from sources such as the DVLA;
- Claims information, from claims organisations;
- App providers, where you choose to allow the app to share data with us.
Why do we collect this information?
We process your personal information for the following reasons:
- Pursuant to a contract in order to:
- Process information at your request to take steps to enter into an insurance policy;
- Provide you with our products and services;
- Process payments and assess your eligibility for payment plans;
- Handle claims;
- Maintain business and service continuity; and
- Send service communications so that you receive a full and functional service and so we can perform our obligations to you. These will be sent by email wherever possible but in some circumstances we may need to contact you by post or by phone. These will include notifications about changes to our service.
- On the basis of your consent:
- Where we rely on your consent for processing this will be brought to your attention when the information is collected from you or will otherwise be clear from the context of you providing the information;
- We will contact you with direct marketing communications if you consent to us doing so and you have the right to withdraw consent at any time.
See the What are your rights? section below for more information.
- In our legitimate interests of providing the best service and improving and growing our business we will process information in order to:
- Provide you with a personalised service;
- Promote our products and services;
- Improve our products and services;
- Keep our site and systems safe and secure;
- Understand our customer base and purchasing trends;
- Defend against, establish or exercise legal claims and investigate complaints; and
- Understand the effectiveness of our marketing.
We will carry out analytics to improve our products and services as set out above
You have the right to object to processing carried out for our legitimate interests.
See the What are your rights? section below for more information.
- To comply with legal requirements relating to:
- The provision of products and services;
- Anti-money laundering;
- Fraud investigations;
- Data protection;
- Assisting law enforcement; and
- Any other legal obligations placed on us from time to time.
Special Category Personal Data and Offences
In some circumstances we need to process special category personal data or criminal convictions and offences data which are required in order for us to make decisions in relation to providing you with a policy or assessing a claim. For example, in order to provide you with a motor insurance policy we will need to understand whether you have any motoring offences, or for a travel insurance policy we will need information on any existing medical conditions.
We process this information because it is required in order for us to enter into or to perform a contract with you. We also process this information because it is necessary for the purposes of substantial public interest permitted by law.
Automated Decision Making and Profiling
We use automated systems which means that some decisions are made automatically. We offer our insurance policies based on the information we have about our customers. Some information may identify a high risk to us in providing insurance, for example if an applicant for motor insurance has committed certain driving offences. Our systems are designed to identify particularly high risk factors and, in some circumstances, to automatically decline an application. It may also affect the price at which we offer you our products and services. Decisions are therefore made based on your particular risk profile.
The types of decision which are automated include initial decisions about whether to offer you insurance, which product to offer and at which price, based on the information you have provided us with.
You have the right to request that we review the automated decision manually and you are entitled to express your view on the automated decision when you request a review. You can exercise this right by contacting our DPO at email@example.com.
How long do we keep hold of your information?
We will keep your information only for as long as is necessary for the purposes for which it was collected. The periods of retention are different depending on which insurance policy is involved. We will retain information for a number of years after the end of our relationship with you using the criteria below, unless obligations to our regulators require otherwise or we are required to remove such data from our records.
Our retention periods are determined by reference to:
- Legal requirements – as a regulated financial services provider we are bound by specific rules on retention of information;
- Statutory limitation periods – these determine the periods for which legal claims can be brought;
- Insurance industry standards; and
- Operational requirements – set by how long we need to keep information for operational purposes for example to operate your insurance policy, handle insurance claims or deal with legal claims.
Who might we share your information with?
For the purposes set out in the ‘Why do we collect this information?’ section above, we will share your personal information with:
- the following categories of third parties, some of whom we appoint to provide services, including:
- Distribution partners (or other insurance intermediaries), suppliers and sub-contractors for the performance of any contract we enter into with you, including our IT service providers;
- Analytics and search engine providers that assist us in the improvement and optimisation of our site;
- Customer survey providers in order to receive feedback and improve our services.
- Any member of our group, which includes our subsidiaries.
Additionally, we will disclose your personal information to the relevant third party:
- In the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of such business or assets if appropriate.
- If we are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets.
- Anti-fraud and anti-money laundering groups or organisations;
- Credit reference agencies;
- Debt recovery providers;
- Law enforcement and legal professionals;
- Our insurers or auditors.
How is your data stored and kept secure?
At Archipelago, we take your safety and security very seriously and we are committed to protecting your personal and financial information. All information kept by us is stored on our secure servers. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our service, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
All transaction payments are handled by SmartDebit. SmartDebit are a Bacs approved bureau and Facilities managed provider. SmartDebit are ISO 27001:2013 certified, authorised and regulated by the Financial Conduct Authority.
Your personal information is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the information confidential. In addition, all credit information you supply is encrypted via Secure Socket Layer (SSL) technology. We have a number of further security measures in place, including regular Malware scanning.
We may transfer your data outside the European Economic Area ("EEA"). For travel insurance, we may need to transfer information internationally if there is a medical emergency or incident. We will only transfer your information if adequate protection measures are in place or if the transfer is otherwise permitted in compliance with data protection legislation. Our systems are all hosted within the EEA. More information is available by contacting us.
What are your rights?
Where processing of your personal data is based on consent, you can withdraw that consent at any time.
You have the following rights. You can exercise these rights at any time by contacting us at firstname.lastname@example.org. You have the right:
- To ask us not to process your personal data for marketing purposes. We will inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes;
- To ask us not to process your personal data where it is processed on the basis of legitimate interests provided that there are no compelling reasons for that processing;
- To ask us not to process your personal data for scientific or historical research purposes, where relevant, unless the processing is necessary in the public interest.
- To request from us access to personal information held about you;
- To ask for the information we hold about you to be rectified if it is inaccurate or incomplete;
- To ask for data to be erased provided that the personal data is no longer necessary for the purposes for which it was collected, you withdraw consent (if the legal basis for processing is consent), you exercise your right to object, set out below, and there are no overriding legitimate grounds for processing, the data is unlawfully processed, the data needs to be erased to comply with a legal obligation or the data is children’s data and was collected in relation to an offer of information society services;
- To ask for the processing of that information to be restricted if the accuracy of that data is contested, the processing is unlawful, the personal data is no longer necessary for the purposes for which it was collected or you exercise your right to object (pending verification of whether there are legitimate grounds for processing);
- To request that we review an automated decision manually (see Automated Decision Making above);
- To ask for data portability if the processing is carried out by automated means and the legal basis for processing is consent or contract.
Should you have any issues, concerns or problems in relation to your data, or wish to notify us of data which is inaccurate, please let us know by contacting us using the contact details below. In the event that you are not satisfied with our processing of your personal data, you have the right to lodge a complaint with the relevant supervisory authority, which is the Information Commissioner’s Office (ICO) in the UK, at any time. The ICO’s contact details are available here: https://ico.org.uk/concerns/.
If you have any queries, complaints or requests please contact our data protection officer (“DPO”) at email@example.com.
For the purpose of data protection legislation, the data controller is Archipelago Risk Services Limited a company registered in England and Wales under registered No. 11346631 and whose registered office is at 5th Floor, Plantation Place South, 60 Great Tower Street, London, EC3R 5AZ.
Archipelago products are underwritten by various insurers including Arch Insurance Company (Europe) ltd whose privacy notices can be found on their websites.