In this day and age, more and more information is being uploaded and shared across the web. For you to be confident using our services we want you to trust that not only are we providing you with the best deal, we’re also committed to ensuring your privacy is protected.
Who are Brooks Braithwaite (Sussex) Ltd?
We are your data controller for the purposes of the personal data we will collect. Our details are as follows:
Brooks Braithwaite (Sussex) Ltd, a limited company registered in England with the company registration number 1416900 and registered address at Third Floor Front, Oakfield House, 35 Perrymount Road, Haywards Heath, RH16 3BW.
If you wish to contact us in relation to this notice, or data protection generally, please contact our Data Protection Officer by email on firstname.lastname@example.org or by post using the address above, marked for the attention of the Data Protection Officer.
How do we process your data?
We will collect and process your personal data under some, if not all, of the following lawful bases: contractual necessity, our legitimate interests, consent, because it’s necessary for us to comply with a legal obligation, and where the processing is necessary for reasons of substantial public interest.
Contractual necessity is where we collect your personal data because it is necessary for us to provide you with a quote or a contract of insurance. Without this data, we wouldn’t be able to provide you with a quote or arrange an insurance policy for you.
We need personal data for the following reasons to provide our service to you:
- To arrange and administer insurance on your behalf. This will include several types of correspondence either via our website including live chat, or by post, email or phone, for example: non-marketing communications about obtaining a quote and purchasing a policy, your welcome pack and policy documents, payment reminders, arrears notifications, confirmation of your cancellation, renewal documents, complaint communications, any mid-term adjustments you may make to your policy, and any communications in response to a query you have sent us.
- To enable us to introduce you to an insurer that offers insurance policies to meet your insurance needs.
Organisations can rely on “legitimate interests” to process personal data where: (a) their reason for processing personal data is a legitimate business interest (e.g. it is not illegal and it actually receives a benefit from it); (b) the processing is a proportionate way of achieving that interest; and (c) that legitimate business interest is not outweighed by the impact on the individual. We have completed that assessment and are satisfied with it for each of the purposes set out below.
You do have a choice as to whether you provide us with your personal information and you have the right to object to us using your data for our legitimate interests, please see “Section 12 – Right to object”. However, if you decline to provide us with certain personal information this may impact the services that we can offer to you.
We have a legitimate interest in each of the following:
- Targeting online advertising to you on other websites because we believe it is relevant to you. For example, we might ask Google, Facebook or Snapchat to either (a) show you adverts based on your characteristics or interests, e.g. to only show our advert to people interested in dogs; or (b) show you adverts based on your visit to our website, e.g. where you have read an article about specialist pet insurance, we might show you an advert for one of our specialist pet insurance products.
- Improving our products, services and offers by emailing you asking you to complete Feefo customer experience reviews, which enable you to leave reviews of how you found the experience of dealing with Brooks Braithwaite (Sussex) Ltd.
- Monitoring website usage, including website usage statistics and third-party hyperlink click tracking. We use google analytics to do this and we do not have access to the underlying data, only aggregated views of it (e.g. to see how many users visited our website in a certain timeframe, which pages were most popular, and which website visitors came from for instance directly, via Google, or from Facebook).
- Creating Management Information to help us with pricing decisions.
- Bringing a legal claim or defend legal claims against us.
Where we rely on consent, we will only process your personal data in that way if you have told us we can. Usually this will be by ticking a box or agreeing over the phone. You have the right to withdraw consent at any time (see the section titled “Withdrawing consent” below).
We only rely on consent to send you marketing communications.
This is where we are required by a law or regulation to process your data to fulfil our legal obligations.
We process your personal data to comply with our legal obligations where:
- We are required by our regulator to analyse customer feedback on the product to enable us to make product improvements.
- We are required to complete a sanctions check prior to selling insurance to a customer. A sanctions check is a search of an individual against government sanction databases that identify people who are prohibited from entering the financial services environment, including buying insurance products.
- We are required to confirm whether you have received and/or opened policy related emails (e.g. your policy documents when you purchase a policy from us).
What personal data do we collect?
To enable us to process your data for the reasons set out in “Section 3 – How we process your data”, we collect the following personal data:
- Personal information such as name, date of birth, email address, postal address, telephone number.
- Details of your insurance needs and interests.
- Information you submit when obtaining a quote or purchasing an insurance policy including declarations (e.g. have you ever been declined insurance).
- Policy adjustments made during the policy term, claims made during your policy term.
- Your bank details and credit card information.
- Information shared with us during a telephone call, which will be recorded.
- Current and historical policies held and your policy renewal dates.
- Personal information such as name, email address, to be able to target our Facebook ads to your timeline.
- If you purchase a policy, we may upload your email address to Facebook for the purposes of creating a lookalike audience for marketing. A lookalike audience is where Facebook use an email address to find individuals with similar characteristics who are registered with Facebook – Facebook will then show our ads to these individuals.
- If Facebook login credentials were used to register on the Brooks Braithwaite (Sussex) Ltd website, your Facebook profile. We will also have access to your Facebook ‘likes’, Facebook friends who are members of Brooks Braithwaite (Sussex) Ltd, and email address if you give us permission to access this data during the registration process.
- Your social media IDs and handles where they are linked to your account if you used social media credentials to register with our website.
- What products you have previously viewed or shown interest in.
We also collect website usage data, including:
- Your IP address.
- The browser you used to access our website.
- The website from which you came.
- The device used to access our website.
- The pages you visit on our website, and
- The hyperlinks to other websites which you click on.
- Personal information such as name, email address, so that we are able to send you a newsletter
- Personal information such as name, date of birth, email address, postal address, telephone number.
Where do we obtain your personal data from?
We obtain your personal data in the following ways:
- From you via web forms or telephone, for instance when signing up for an account or expressing an interest in a policy.
- Automatic recording, for instance the buttons you press to obtain a quote or share an offer, your location through your IP address, your internet service provider and the type of device or browser you are browsing with.
- From the social media accounts you connect to your Brooks Braithwaite (Sussex) Ltd account. Note: the personal data from social media accounts that we have access to is determined by the permissions you give us when registering with our website.
How do we share your personal data?
In general, access to your personal data will be restricted to those who have a need to access it to carry out their duties (for example our employees such as our customer service team).
However, we will also share your personal data with the following external third-parties in some circumstances:
- Fraud prevention agencies or other third parties that assist us in preventing fraud or other forms of risk (anti-money laundering agencies and credit agencies).
- Regulators such as the Financial Conduct Authority (FCA), and government authorities such as Her Majesties Revenue Commission (HMRC) or the police, if we are required to do so by law or if the regulator or authority requests it and we regard that request as reasonable.
- Our insurers, legal advisers or other third parties who need access to it in the context of managing, investigating or defending claims or complaints.
- Potential buyers of all or part of our business and/or their advisors.
- Organisations that process your data on our behalf who are not allowed to use your data for any other purpose, for instance our web hosts.
- Other companies within our group, for instance where they provide us services.
We aim to share only anonymised data or aggregated data wherever possible. We will use secure means to store and share data. We also require third-parties to sign legally binding agreements not to use any information for marketing purposes and not to share this data. This may not be possible in all circumstances, for instance where we are obliged to disclose data to a regulator.
Do we make solely automated decisions?
We use an automated insurance rating engine to evaluate insurance risk based on the information you supply us during the quote process. We use this information to automatically determine your potential risk, and whether we are able to offer you a quote and, if we are able to offer you a quote, what the value of the quote will be.
We also make solely automated decisions based on personal data in order to screen you against government sanctions databases prior to allowing you to buy a contract of insurance – we are required to do this by law. Whilst this automated decision could result in us not offering you a contract if insurance, this would only be automated where the system determines a 100% match. Most of the time there isn’t a 100% match, and one of our staff will therefore review the decision manually.
Do we transfer your data outside of the EEA?
We store your personal data in cloud servers based in the European Economic Area (EEA). In certain limited circumstances, we may export personal data outside of the European Economic Area for processing, and we may use third party service providers who do the same. We only do that if there is a good reason to do it and where either:
- There are adequate safeguards in place (such as the appropriate contractual arrangements with suppliers, or adequacy decisions, depending on the destination country); or
- We are otherwise permitted by data protection law (for instance, where you consent or such transfer is necessary to provide our service to you).
How long we keep your information for?
If you are a customer, we will keep your personal information and all telephone conversations for a period of 6 years after you cancel your policy. We need to keep your information for this amount of time as required by law (including FCA regulations) or to defend potential legal claims.
If you are a customer who has public & employers liability cover we will hold your data for a period of up to 40 years.
Your bank and card details will be deleted at the point that you cancel your policy.
Email communication that we have had with you will be deleted 6 months after you cancel your policy.
As a member of Brooks Braithwaite (Sussex) Ltd that has never bought a policy through us, we will keep your personal information until either:
- you cancel your membership, or ask us to remove your details
- you have not obtained a quote or bought a policy from us in the last two years, and you have not responded to the email we send asking whether you still want to be a member (we typically send this one month before your account is due to be deleted).
How can you opt out of receiving marketing communications?
If you do not wish to receive further marketing information about our products and services, you can contact us via any channel detailed within “Section 2 – Details”, you can manage your marketing preferences within the “My Account” or “Log in” section of our websites and we will also include unsubscribe links within all of our marketing emails.
How do you withdraw your consent for us to process your personal data?
You have the right to withdraw your consent to how we process your data in circumstances where we are using your data based on consent. The type of processing that this includes is under section 4 “The Personal Data we collect – Consent”. To withdraw your consent, you can do this on any of our newsletters that we send by using the unsubscribe link, through our website in your “My account” or “Log in” area, you can also call our customer services department on 0345 982 5499 or you can email our Data Protection Officer at DPO@brooksbraithwaite.com.
How can you object to us processing your personal data based on our legitimate interests?
You have the right to object to other processing on the basis of our legitimate interests, but we might not have to cease processing where you do so if either:
- We can demonstrate legitimate grounds for the processing which override your interests; or
- Where that legitimate interest is the establishment, exercise or defence of legal claims.
To object to legitimate interests processing, please contact our Data Protection Officer using the details in section 2 of this notice.
What are your rights concerning your personal data?
- You have the right to obtain your personal data from us except in limited circumstances. The first copy will be free of charge, but we reserve the right to charge a small fee for additional requests if they are disproportionate.
- You have the right to require us to rectify any inaccurate personal data we hold concerning you.
- Considering the purposes of the processing, you may also have the right to have incomplete personal data completed, by means of providing a supplementary statement or otherwise.
- You have the right to require us to erase your personal data on certain limited grounds (including where they are no longer necessary for the purpose for which they were collected or where we rely on consent, which you withdraw, and there is no other legal ground for the processing).
- Where we process personal data, either on the basis of consent or contractual necessity, that you provided to us, and we process that personal data by automated means, you have the right to require us to give you your data in a commonly used electronic format.
- You have the right to object to our processing of personal data which we process on the grounds of our legitimate interests, as detailed in the paragraph titled “objecting to our legitimate interest processing” above.
You have the right to require us to restrict the processing of your personal data on certain grounds, including where:
- You contest the accuracy of the personal data and want us to restrict processing of your personal data while we verify its accuracy;
- The processing is unlawful, but you request a restriction of the processing rather than erasure;
- We (as controller) no longer need the data for the purposes of the processing, but you have told us you require us to retain that personal data for you to establish, exercise or defend legal claims; or
- You have objected to us processing your personal data on grounds of legitimate interests and want us to restrict processing of your personal data while we consider your objection.
How can you make a complaint?
If we can’t remedy an issue you have, or you remain unhappy with how we are handling your data, you can lodge a complaint with the Information Commissioner’s Office (ico.org.uk).
The only cookies we use are ‘analytical cookies’. They allow us to count the number of visitors and identify which pages are being viewed, or used, with the sole purpose of analysing data about webpage traffic and to improve our website in order to tailor it to our customers’ needs. We do not store unencrypted personally identifiable information in the cookies.
How do we use Google Analytics?
We use Google Analytics to help analyse use of our website. This analytical tool collects standard internet log information and visitor behaviour information in an anonymous form. The information generated by the cookie about your use of our website (including your IP address) is transmitted to Google. This information is then used to evaluate visitors’ use of our Website and to compile statistical reports on website activity for our website. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
We will not (and will not allow any third party) to use the analytics tool to track, or to collect, any personally identifiable information of visitors to our site. We will not associate any data gathered from this site with any personally identifying information from any source as part of our use of the Google Analytics tool. Google will not associate your IP address with any other data held by Google. Neither ourselves, nor Google, will link, or seek to link, an IP address with the identity of a computer user.
What happens when you click a link to another website?
Our website contains links to third party websites, including those of the insurance companies that we partner with.