Privacy Policy

POP Technology Group Privacy Statement

30 September 2021

We take our responsibility to protect your privacy very seriously. We apply strict security and privacy controls to the way we handle your personal information.

1a. About this Privacy Statement

We take your privacy very seriously and are committed to ensuring the protection of your personal information, no matter where you are located. Each member of the POP Technology Group collects and handles your personal information in accordance with its legal obligations, including those under the Privacy Act 1988 (Cth).

POP Technology Holdings Pty Ltd (previously POPai Holdings Pty Ltd) and its subsidiaries (the POP Technology Group) provides an online marketplace platform (Product) and a range of insurance, underwriting, and other products or services (io.insure Services).

This Statement describes how your personal information and confidential information is collected and handled by the following members of the POP Technology Group:

• POPio Pty Ltd (previously io.insure Pty Ltd), trading as io.insure
• POPai Pty Ltd.

If you are located in the European Union or the United Kingdom, or if you are a customer of our Singapore branches, you may have additional rights. See Additional Rights at the end of this statement for more information.

If you live in Europe, information on how we process any personal data you provide us that’s covered by the European Union’s General Data Protection Regulation (GDPR) and your rights under the GDPR described in the Schedule of our Privacy Statement.

1b. Authority to disclose information

We collect your personal information directly from you most of the time, however on occasion, we may also collect information about you from other people and organisations such as someone acting on your behalf, such as an authorised representative, professional advisor, under power of attorney or an authorised operator of your account with io.insure.

If you give us information about others (such as a joint applicant or as an organisation, its officers or beneficial owners), you must have their authority and tell them what’s in this Privacy Statement.

2. Collection, use and sharing

2a. What information do we collect?

We collect personal information when you:

• enquire about, apply for, or use our products or services
• contact us to make an enquiry or give us feedback
• visit our website or use our digital services
• participate in other activities we offer, such as surveys
• talk to us or do business with us.

While we are required to collect some types of personal information to meet our legal obligations, we do attempt to keep our collection of your personal information to what is necessary to offer you the products and services you require. Depending on those products and services, or your interactions with the members of the POP Technology Group, we may collect the following types of personal information:

Types of personal information	Examples of person information that may be involved
Personal and contact details	This may include your name, address, email address, phone number, and date of birth.
Australian Business and Company identifiers and identity documents	These may include your: Australian Company Number Australian Business Number Business Names
Foreign Business and Company identifiers and identity documents	These may include your: Company Numbers Business registration numbers Business Names
Financial information and you or your business	This may include: Employment details, income, assets, financial liabilities copies of accounts and financial statements, audits or reports information from third parties about your business and insurance claims history.
Transaction information	This includes information about the transaction that you are involved in using our products and services. For example: Term Sheet Information Memorandum Offer documents Sale and Purchase Agreement or transaction documents.
Data Room and Due Diligence information	This includes all the information in a data room or contained in due diligence reports relating to the transaction.
Third Party Information	This may include information relating to your professional advisors or other parties involved in the transaction including their name, contact details and scope of works.
Interaction information	This includes details of your interactions with us, such as when you visit our website, call us, use our online services (such as the Product or io.insure Services), make an enquiry, provide feedback, or make a complaint.
Digital information	We collect information from you electronically when you use our online Product or io.insure Services. This includes information such as: location information (if enabled on your device) IP address details of the device used to access our digital services (including mobile and tablet) details of the wi-fi network or mobile network used by your device type of authentication used (for example touch ID or face ID. Importantly, we do not link this information to you unless we need to access these details for fraud or security reasons. Find out more about the types of cookies we use and why in our Cookies policy located on our website.
Behavioural information	This includes information that we generate about how you use our products and services. For example, if you use our Product, or access io.insure Services, we may generate information about your transaction history so we can improve and deliver more to you.
Call recordings	On occasion, we monitor and record our calls with you. We will let you know if we are doing this.
Sensitive information	On occasion, we collect and handle sensitive information. This may include: financial information (where this is relevant to an insurance policy, or claim) race or ethnicity (for example we may ask you what language you speak if you request a translator to communicate with us) criminal history and political affiliation, where it is relevant for our regulatory obligations.
Publicly available information	On occasion, we may collect and handle information that is in the public domain, such as from: online forums, websites, Facebook, Twitter, YouTube or other social media (for example, if you use social media to make a complaint) public registers (for example, those kept by the Australian Securities and Investments Commission).

See ‘Who do we share your information with?’ (Collection, use & sharing, Section 2c) for details of third parties we may share information with.

2b. How do we use your information?

We’re careful about how we use your information to deliver our products and services. We also use your information for other reasons, such as to better understand you, your needs, and to let you know about other products and services you might be interested in.

Here is a list of the ways we may use your personal information. 

Purpose	How we use your personal information
Serving you as a customer	We use your information to deliver our products and services including to: assess and process your applications for products and services administer and manage existing products or services you have with us manage our relationship with you or your business improve our service to you and your experience with us design, price, provide, manage and improve our products, services, and digital features assist our business partners with designing, pricing, providing, managing and improving their products and services communicate with you or your representatives about our products and services let you know about other products and services that may be of interest to you.
Improving our business	We use your information to improve the products and services we provide through activities such as: reviewing customer feedback and assessing how you use our products and services testing and validating the effectiveness of products, services and system enhancements monitoring and reviewing call recordings, online chats and other business activity for quality assurance, training and compliance purposes.
Manage our operations	We use your information to manage our operations including to: deliver our products and services make and manage customer payments and transactions manage fees, charges and taxes due on your products and services collect and recover money that is owed to us respond to complaints and seek to resolve them manage our insurer bordereaux, audits and records.
Managing security, risk and crime prevention	We use your information to: prevent, detect and investigate suspicious or fraudulent activities support the management of our information security and network controls to prevent cyber-attacks, unauthorised access and other criminal or malicious activities.
To comply with our legal obligations	Where required, we use your personal information to comply with the law, including our regulatory obligations, including to: confirm your identity share relevant information with law enforcement agencies, tax authorities and other regulatory bodies screen applications and monitor account holder activity to identify criminal activity such as fraud, terrorist financing, bribery, corruption and money laundering.
Managing our business	We use your information to run our business in an efficient and proper way. This includes managing our financial position, business capability and planning, testing systems and processes, as well as managing communications, corporate governance, and audit.
Performing analytics activities	Sometimes we may combine information we have about you and our other customers, for example deal size, or claims information, with data from other sources, such as third party websites or the Australian Bureau of Statistics. We use this information to: help us understand trends in customer behaviour including how products and services are used improve the products and services we offer improve the quality of our data develop products and services that better meet our customers’ needs and behaviours understand and manage our risks better.
De-identifying information	Sometimes we may de-identify your personal information and use this to: provide insights and analytics services to other organisations (see below for examples) share de-identified information with other organisations (see below for examples). Examples of other organisations include our insurers, forensic accountants for claims analytics, or professional advisors involved in the products and services that we provide.
Sales or acquisitions by us	We may also use your personal information to support any changes to the ownership of products or services or the make-up of the POP Technology Group. For example, we may: sell, transfer, or merge parts of our business, or our assets, including products or services bring other businesses into the POP Technology Group stop providing a particular product or service. When we do this, we may share your personal information with other members of the POP Technology Group or other parties involved, where appropriate.
Determine your eligibility for insurance	We use the information you provide us, including your personal information, to conduct underwriting, our rating and assessment of your risk.

We may also collect, use and share your information for other reasons where the law allows or requires us to.

Direct marketing

From time to time, we may also use your personal information to tell you about products and services we think may be of interest and value to you, but we will stop if you tell us to.

We may contact you by various means, including by mail, telephone, email, SMS or other electronic means, such as through social media or targeted advertising through the io.insure website.

If you do not want to receive direct marketing offers from us, you can opt-out by contacting us using the details in Contact us, Section 5a. We may first require you to log into your io.insure account or otherwise identify yourself.

2c. Who do we share your information with

We may share your information with third parties for the reasons mentioned in How do we use your information? (Collection, use & sharing, Section 2b), or where the law otherwise allows or requires us to.

The types of third parties are listed below. 

Type of third party	Description
Other members of the POP Technology Group	We may share your information between members of the POP Technology Group. This helps us offer you a high-quality customer experience. You can read about how POP Technology Group members may use your information in How do we use your information? (Collection, use & sharing, Section 2b).
Authorised third parties	We may share information with third parties where you have authorised us to do so, or where we are legally required. They include: third parties that you have authorised to act for you (such as accountants, financial counsellors, legal representatives, agents, mortgage brokers, financial advisors, or a person with Power of Attorney) your legal guardian guarantors and other security providers.
Third parties that can verify your information	This includes organisations that can verify information that you have supplied when applying for a product or service, or making a claim, including commercially available third party databases.
Our service partners	We may share your information with our service partners, external service providers and other organisations that help us to supply products and services. These include: organisations that we partner with to supply products and services, for example, insurance agencies, insurers, insurance brokers, legal and financial advisors, banks, and our product distributors external service providers that we engage to do some of our work for us, for example debt recovery agencies, legal service providers and information technology and cloud service providers people who help us process applications and claims (like forensic accountants and lawyers) organisations involved in our funding arrangements (like investors, advisers, brokers and rating agencies) auditors, insurers and re-insurers organisations that assist us to identify, investigate or prevent fraud or with risk management.
Other financial services organisation	We may collect and share your information with insurance agencies (eg MGAs), insurers, third party payment providers, and financial services providers to provide you services, for example to conduct underwriting, issue policies, facilitate renewals, endorsements or cancellations and provide refunds.

Sending information overseas

Sometimes, we may send your information overseas, including to:

• POP Technology Group partners that are located in China, India, Hong Kong, Singapore, Japan, Korea, the United Kingdom, Europe, Brazil and the United States of America
• service providers or third parties who store data or operate outside Australia
• complete international transactions, such as currency exchanges
• organisations we partner with to provide products and services such as insurance agencies (eg MGAs), insurers, brokers or professional services partners
• comply with laws and help government or law enforcement agencies.

If we do this, we make sure there are appropriate privacy, data handling and security arrangements in place to protect your information.

3. Securing your information

Our staff are trained in how to keep your information safe and secure. We use secure systems to hold your information.

We store your electronic records in secure systems or using trusted third parties. We use a range of physical, electronic and other security measures to protect the security, confidentiality and integrity of the personal information we hold about you.

We aim to keep personal information only for as long as we need it – for example for business or legal reasons. When we no longer need information, we take reasonable steps to destroy or de-identify it.

4. Accessing, updating and correcting your information

You can contact us and ask to view your information. For more detailed information, we may ask you to fill out a request form. If your information isn’t correct or needs updating, let us know straight away.

How can I access my information?

You can ask us for a copy of your information, like your policy wording or claims history, by contacting us by writing to us (see Contact us, Section 5a).

How will we handle you request?

There is no fee to ask for your information, but sometimes we might charge a fee to cover the time we spend gathering the information you want. If there’s a fee, we’ll let you know how much it is likely to be, so you can choose if you want to go ahead.

We try to make your information available within 30 days after you ask us for it.

In some cases, we can refuse access or only give you access to certain information. For example, we might not let you see information that involves other people. If we do this, we will write to you explaining our decision.

5a. Contact us

If you need more information, want to access or update your personal information or if you have a privacy concern – please contact us by writing to us.

Attention: The Privacy Officer, POP Technology Holdings Pty Ltd

By Mail: Level 29, Chifley Tower. 2 Chifley Square, Sydney NSW 2000, Australia

By Email: [email protected]

5b. Making a privacy complaint

If you have a concern or complaint about how we have handled your personal information, let us know and we’ll try to fix it. We try to get things right the first time – but if we don’t, we’ll do our best to sort it out. If you’re not satisfied with how we respond to your complaint about how we’ve handled your personal information, there are other things you can do.

How can you make a complaint?

To make a complaint, contact one of our staff or customer service teams (see Contact us, Section 5a). We’ll look into the issue and try to fix it straight away.

What else can you do?

If you’re not satisfied with our response after you’ve been through our internal complaints process, you can lodge a dispute through the Australian Financial Complaints Authority (AFCA), our external dispute resolution provider.

AFCA provides consumers and small businesses with fair, free and independent dispute resolution for financial complaints.

Australian Financial Complaints Authority

Visit: www.afca.org.au
Email: [email protected]
Phone: +61 1800 931 678 (free call)
Mail: Australian Financial Complaints Authority, GPO Box 3, Melbourne VIC 3001, Australia

Secure data management

The data collected via the io.insure website is hosted on the Google Cloud platform, whose infrastructure guarantees the following data security:

• All data is stored and encrypted at rest with 256-bit encryption
• File level encryption with information rights management policies to track, expire and prevent printing of documents
• Virtual elimination of risks from Trojan viruses, worms, and application vulnerabilities
• All data uploaded into the data room is encrypted through HTTPS/SSL
• The io.insure platform is multi-tenant guaranteeing data segregation that ensures privacy
• 99.98% system availability

Google Cloud has the following information security certifications to ensure information stored by io.insure is fully secure.

• SOC 1/SSAE 3402
• SOC2
• SOC 3
• FISMA, DIACAP, FedRAMP
• PCI DSS Level 1
• ISO 27001
• ITAR
• FIPS 140-2

In addition, io.insure supports single sign on and multi-factor authentication.

.

Privacy Statement – Schedule

1. Additional rights in Asia – Customers of our Singapore Business

Additional rights for customers of our Singapore Business are set out in the Singapore Privacy Notice. You may request a copy of this Notice, or further information relating to your rights, by contacting our Privacy Officer (see Contact us, Section 5a).

2. Additional rights for individuals located in the European Union and United Kingdom

This Schedule shall apply where POP Technology Group processes personal data of data subjects that are located in the European Economic Area or where POP Technology Group processes personal data your behalf where you are established in the European Economic Area and shall take priority over any other provision of the Terms and Conditions of Use to the extent of any conflict or inconsistency between this Schedule and any other provision of the Privacy Statement or customer agreement.

The European Union (EU) General Data Protection Regulation (GDPR) and local data protection laws, such as the United Kingdom General Data Protection Regulation, give more rights to individuals located in the EU and the UK and more obligations to organisations holding their personal information. In this Schedule, “personal information” means any information relating to an identified or identifiable natural person (the meaning given to the term “personal data” in the GDPR).

Personal information must be processed in a lawful, fair and transparent manner. As such, if you are located in the EU, GDPR requires us to provide you with more information about how we collect, use, share and store your personal information as well as advising you of your rights as a ‘data subject’.

If you are located in the EU and have an enquiry relating to your rights under the GDPR, please contact us at [email protected]

3. Relationship of the parties to this Schedule agreement

Each Party shall comply with its obligations under this Schedule and under European Data Protection Law with respect to the types of personal data it processes and according to its responsibilities as a controller or processor (as appropriate) for the relevant personal data.

4. Controller obligations

4.1 The Parties agree that:

(a) POP Technology Group shall be a controller with respect to the processing of CRM Data and User Data; and

(b) you shall be the controller of and POP Technology Group shall be a processor of Content Data (unless you are acting as a processor of content data on behalf of a third party, in which case you shall be a processor and POP Technology Group shall be sub-processor of the content data, but for the purposes of this Schedule you shall be treated as a controller and POP Technology Group shall be treated as a processor).

4.2 Whenever you are acting in a capacity as a controller in relation to personal data, you agree to comply in all respects with European Data Protection Law including:

(a) by processing such data fairly and lawfully;

(b) by implementing appropriate technical and organisational measures to protect such personal data against data security Incidents;

(c) by obtaining any consents required for its processing of personal data, particularly where sensitive personal data or special categories of personal data are processed; and

(d) by complying with its obligations with respect to data subject rights.

4.3 As the controller with respect to content data, you accept full responsibility for obtaining all consents necessary for, and otherwise for having lawfully grounds to process, content data that is processed in connection with POP Technology Group’s performance of the io.insure Services.

5. Personal information

5.1 What personal information do we collect?

Please refer to Section 3 (Securing your information) above for details of the personal information we collect.

5.2 Special categories of personal information 

The GDPR provides additional protection for personal information about your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data (for example your fingerprints), or data concerning your health, sex life or sexual orientation. We will only process this type of personal information with your consent or where otherwise lawfully permitted.

You agree that it is the controller’s responsibility to determine if any further details of POP Technology Group’s processing of such personal data need to be recorded in the Privacy Statement to comply with European Data Protection Law and POP Technology Group shall act in good faith to cooperate with any reasonable request to do so.

5.3 How long we keep your personal information

We will keep your personal information while you are an account holder of POP Technology Group. We aim to keep your personal information for only as long as we need it. We will generally keep your personal information for up to 7 years after you stop being a User but we may keep your personal information for longer:

• To fulfil legal or regulatory obligations
• For internal research and analytics 
• To respond to a question or complaint

5.4 How we use your personal information

We can only collect and use your personal information if we have a valid lawful reason to do so. For the POP Technology Group, these reasons are:

• Contract: We need to process your personal information in order to fulfil a contract you have with us, or because you have asked us to take specific steps before entering into a contract such as underwriting steps.
• Legal obligations: We need to process your personal information for us to comply with the law (not including contractual obligations).
• Consent: You have given clear consent for us to process your personal information for a specific purpose. The use of the io.insure website, the Product and io.insure Services is clear consent for us to process your personal information and confidential information for the specific purpose of use.
• Legitimate interests: We need to process your personal information for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal information which overrides these legitimate interests.

How we use your personal information	Our reasons	Our legitimate interests
To confirm your identity	We have your consent To fulfil contracts To meet our legal duty We have legitimate interests	Complying with guidance of regulators and law Managing risk
To assess your application for a product or service	We have your consent To fulfil contracts To meet our legal duty We have legitimate interests	Identifying and rating risks prior to entering into an insurance policy contract Complying with guidance of regulators and law Managing risk
To manage our relationship with you	We have your consent To fulfil contracts To meet our legal duty We have legitimate interests	Complying with guidance of regulators and law Managing risk
To minimise risks and identify or investigate fraud and other illegal activities	To fulfil contracts To meet our legal duty We have legitimate interests	Preventing fraud Ensuring network and information security Preventing and reporting potential criminal activity Complying with guidance of regulators Managing risk
To contact you, for example, when we need to tell you something important	We have your consent To fulfil contracts To meet our legal duty We have legitimate interests	Preventing fraud Complying with guidance of regulators Managing risk
To improve our service to you and your experience with us	We have your consent To fulfil contracts To meet our legal duty We have legitimate interests	Preventing potential criminal activity Complying with guidance of regulators Managing risk
To comply with laws, and assist government or law enforcement agencies	To fulfil contracts To meet our legal duty We have legitimate interests	Preventing fraud Ensuring network and information security Preventing and reporting potential criminal activity Complying with guidance of regulators and law Managing risk
To manage our business	We have your consent To fulfil contracts To meet our legal duty We have legitimate interests	Complying with guidance of regulators and law Preventing and reporting potential criminal activity Managing risk

We may use your information for direct marketing purposes.  We will only do this with your consent.

6. Confidentiality of processing

POP Technology Group shall ensure that any person that it authorises to process the personal data (including POP Technology Group’s staff, agents and subcontractors) (each an “Authorised Person”) shall be under an obligation (whether under contract or statute) to keep the personal data confidential.

7. Security

POP Technology Group shall implement appropriate technical and organisational measures to protect the personal data from data security incidents. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

8. Sub processing

POP Technology Group shall be authorised to engage third parties to process personal data on behalf of the controller, and this is notified by you under this agreement (each, an “Authorised Sub-processor”). POP Technology Group will ensure that there is in place a written contract between POP Technology Group and the authorised sub-processor that specifies the authorised Sub-Processor’s processing activities and imposes on the Authorised Sub-Processor equivalent terms as those imposed on POP Technology Group in this agreement. Where POP Technology Group is instructed by you to grant access to personal data to a third party who is contracted to you (a “Contracted Third Party”), the contracted third party shall not be a sub-processor of POP Technology Group for the purposes of this clause and you shall have sole responsibility for putting in place an appropriate data processing agreement with the contracted third party that complies with European Data Protection Law.

9. Data Security Incidents

(a) Upon becoming aware of a Data Security Incident, POP Technology Group shall inform you without undue delay and shall provide such timely information and assistance as you may reasonably require in order to fulfil your data breach reporting obligations under European Data Protection Law and to mitigate the effects of the Data Security Incident.

(b) You understand and accept that the performance by POP Technology Group of the Product and certain io.insure Services may carry a risk to you of loss or corruption of data. You understand and accept that, save to the extent of any obligations detailed in this Privacy Statement or the Terms and Conditions of Use, you shall bear full responsibility for the loss or corruption of data that may result from a data security incident.

10. Your rights as a data subject

(a) The right to be informed how personal information is processed

• You have the right to be informed how your personal information is being collected and used. If we require your consent to process your personal information you can withdraw consent at any time. If you withdraw consent, we may not be able to provide certain products or services to you. The right to withdraw only applies when the lawful basis of processing is consent.

(b) The right of access to personal information

• You can access your personal information that we hold by emailing: [email protected]

(c) The right to rectification

• You have the right to question any personal information we have about you that is inaccurate or incomplete. If you do, we will take reasonable steps to check the accuracy and correct it.

(d) The right to erasure

• You have the right to ask us to delete your personal information if there is no need for us to keep it. You can make the request verbally or in writing. There may be legal or other reasons why we need to keep your personal information and if so we will tell you what these are.

(e) The right to restrict processing

• You have the right to ask us to restrict our use of your personal information in some circumstances. We may be able to restrict the use of your personal information. In this situation, we would not use or share your personal information while it is restricted. This is not an absolute right and only applies in certain circumstances.

(f) The right to data portability

• In some circumstances, you have the right to request we provide you with a copy of the personal information you have provided to us in a format that can be easily reused.

(g) The right to object

• In some circumstances, you have the right to object to us processing your personal information.  

(h) Rights in relation to automated decision making and profiling

• We sometimes use systems to make automated decisions (including profiling) based on personal information we have collected from you or obtained from other sources such as public registries. These automated decisions can affect the products or services we offer you. You can ask that we not make decisions based on automated score alone or object to an automated decision and ask that a person review.  

(i) The right to lodge a complaint with a supervisory authority

• You have the right to complain to the regulator if you are not happy with the outcome of a complaint.  See the ‘Regulator Contact Details’ section below for more information. The individual regulator websites will tell you how to report a concern. 

UK Regulator contact details

The UK data protection authority is:

Information Commissioner’s Office
Wycliffe House
Wilmslow
Cheshire SK9 5AF
UK
Visit: ico.org.uk

For European jurisdictions please refer to the European Commission website for details of the relevant data protection authorities.

11. International transfers

POP Technology Group is located in a territory outside of the EEA that is not an Adequate Territory. The Parties agree that the appropriate form of the Model Clauses will be incorporated into this agreement by reference and will apply to the processing of any personal data that is transferred from you to POP Technology Group as follows:

(a) you will be the data exporter and will be deemed to have entered into the Model Clauses in its own name and on its own behalf in relation to the personal data disclosed to POP Technology Group;

(b) POP Technology Group will be deemed to have entered into the Model Clauses in its own name and on its own behalf in relation to the personal data disclosed to it by you and shall also be deemed to have entered into the Model Clauses on behalf of any related entities in its corporate group that are also located in a territory outside of the European Economic Area that is not an adequate territory;

(c) the descriptions of the categories of personal data that are transferred in this agreement shall be incorporated based on the definitions in these agreement (that is, CRM data, User Data and Content Data, as appropriate);

(d) the optional illustrative indemnification clause will be deemed to have been deleted; and

(e) where and to the extent that the Model Clauses apply pursuant to this clause 9, if there is any conflict between this agreement and the Model Clauses, the Model Clauses will prevail.

12. Security & compliance

While a lot of data that passes through our products does not fall under the scope of GDPR, it is of course confidential information, and therefore handled in accordance to our robust security standards. We are applying the same rigorous standards to the privacy of the personal information we process. We continue to invest and improve our processes and security.

13. Definitions

In this Schedule:

“Adequate Territory” means a territory outside of the European Economic Area that has been designated by the European Commission as ensuring an adequate level of protection pursuant to EU Privacy Law.

“Applicable Law” means applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements of any regulatory body, delegated or subordinate legislation or notice of any regulatory body.

“Content Data” means the content (comprising any speech, music, sounds, visual images or data of any description) created, provided, posted, hosted, uploaded, stored, communicated or displayed when using the io.insure Services.

“CRM Data” means any personal data of staff or representatives of a Party which is processed by the other Party for the purposes of managing the Product and io.insure Services, administering a Services Agreement or marketing products or services to that Party.

“Data Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Effective Date” has the meaning given at the top of this Privacy Statement.

“European Data Protection Law” means:

(a) the GDPR; and

(b) Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.

“European Economic Area” means the Member States of the European Economic Area as it is made up from time to time, comprising the Member States of European Union and such other countries that are party to the Agreement on the European Economic Area that entered into force on 1 January 1994, including the United Kingdom.

“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Model Clauses” means model clauses for the transfer of personal data to Controllers or Processors (as appropriate) established in third countries approved by the European Commission from time to time (available online at http://ec.europa.eu/justice/data-protection/document/international-transfers/transfer/index_en.htm), as such model clauses may be amended or superseded by the European Commission from time to time.

“User” means any end user or administrator of the Product or io.insure Services.

“User Data” means personal data regarding Users which is not Content Data or CRM Data. Such personal data include user IDs, passwords, authenticators, addresses (including MAC addresses, IP addresses and email addresses) and telephone numbers.