Insuritas Privacy Notice for California Residents
Effective Date: July 29, 2024
This Privacy Notice for California Residents (this “Notice”) supplements the information contained in the Insuritas US Privacy Policy (the “Policy”) and is provided on behalf of Insuritas and its subsidiaries. Please read both policies.
This Notice provides our “notice at collection” and provides certain mandated disclosures about our treatment of California residents’ information, both online and offline. We adopt this Notice to comply with the California Consumer Privacy Act of 2018 as supplemented by the California Privacy Rights Act of 2020 (collectively “CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice (unless separately defined in this Notice or Policy). This Notice applies solely to residents of the State of California as defined in the CCPA (“California Residents”) who do business with us directly and/or visit the mobile apps and websites of Insuritas and its subsidiaries (“our websites”).
Updates to this Notice and Accessibility
We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated Notice on the websites and update the Notice’s effective date. We encourage you to look for updates and changes to this Notice when you access our websites. Your continued use of our websites and mobile applications following the posting of changes constitutes your acceptance of such changes with respect to your use of the websites and mobile applications.
Accessibility
If you have special needs with regard to accessing the content of this Notice, we recommend that you or someone on your behalf, contact us by email at: privacy.compliance@hubinternational.com. Please indicate “Accessibility Request” in your subject line to help us to identify this request.
Definition and Exclusions of Personal Information and Sensitive Personal Information under the CCPA and at Insuritas
Generally, Personal Information under the CCPA and in this Notice means information that identifies (whether directly or indirectly) you, such as your name, postal address, email address, and telephone number. Due to the nature of Insuritas business, Personal Information we collect may also include:
- your name, Social Security Number, driver’s license, or other government-issued identification;
- assets and income, occupation and employment status, dependent information, and other relevant financial information;
- information relating to any of your past claims, driving history, certifications, license details, previous insurance policy details, previous accident and claims history including any driving convictions;
- information from reporting agencies and state and federal government agencies, such as state motor vehicle departments;
- information from other sources, such as medical or health care providers and other third parties with which you or we maintain a relationship including credit reference agencies, vetting and data validation agencies, advisory service providers, insurers, underwriters, reinsurers, business partners;
- your account activity and premium payment history;
- benefits information such as benefits elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits;
- information about your interest in and attendance at Insuritassponsored events, including feedback responses;
- information from social media interactions with Insuritas social media presence, feedback forms or surveys;
- credit card, bank account or other account information as may be required to facilitate your payment of insurance premium or similar amounts, which payment generally is made through systems maintained by third parties, such as insurance carriers;
- passive tracking information from our website or the Internet, including information obtained through the use of internet “cookies” as detailed in the “Cookie Notice and Notice of Other Web Technologies” of our U.S. Privacy Policy; and
- inferences drawn from other Personal Information, precise geolocation data, and sensory data such as audio or visual information.
Personal Information as defined under the CCPA does not include:
- Publicly available information from government records as defined under Civil Code Section 1798.140;
- Deidentified or aggregated consumer information;
- Health or medical information to the extent covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
- Personal information to the extent covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA) and the Driver’s Privacy Protection Act of 1994.
Certain types of Personal Information are considered “Sensitive Personal Information” under the CCPA. Specifically, Sensitive Personal Information is a specific type of Personal Information defined specifically as its own category under California law in the CCPA, as information that reveals a consumer’s:
- Social Security, driver’s license, state identification card, or passport number;
- Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
- Precise geolocation;
- Racial or ethnic origin, religious or philosophical beliefs, or union membership;
- Mail, email, and text message content, unless the business is the intended recipient of the communication;
- Genetic data; and/or
- Biometric information, which may reference certain physiological, biological, or behavioral characteristics; or DNA information; which could potentially establish an individual’s identity. Retina scans, fingerprints or voice recordings could also be considered such information.
Personal Information We Collect
The following categories of Personal Information and/or Sensitive Personal Information may have been collected from California Residents within the last twelve (12) months. Personal Information that falls under the definition of Sensitive Personal Information under the CCPA has been noted in the second column below.
| Category | California Sensitive Personal Information may be considered to be within this Category (YES or NO) | Examples of Personal Information | Collected |
| A. Identifiers. | YES | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80I). | YES | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories. | YES |
| C. Protected classification characteristics under California or federal law. | YES | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES |
| D. Commercial information. | NO | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | YES | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | NO | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| G. Precise geolocation data. | YES | Physical location or movements within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet. | YES |
| H. Sensory data. | YES | Audio, electronic, visual, thermal, or similar information. | YES |
| I. Professional or employment-related information. | NO | Current or past job history. | YES |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | YES | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | YES |
| K. Inferences drawn from other Personal Information. | YES | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | YES |
Sources of Personal Information We Collect
We may obtain the categories of Personal Information listed above from the following categories of sources:
- Directly from you – for example, from insurance applications or in connection with your other communications with us.
- From third parties – for example, from insurance carriers and other industry service providers, and other third parties with which you maintain a relationship, such as an employer, financial service or medical or health providers, or any industry provider from which we purchase or acquire industry assets or operations. This may occasionally include referral sources.
- Indirectly from you – for example, from observing your actions on our websites, including through the use of “cookies” as described on our websites, as permitted, or described in those other third-party sites’ own Privacy Policies, or as may otherwise be developed over time based on your interactions with us.
Use of Personal Information
We may from time to time use your Personal Information for the following reasons:
- to fulfill or meet the reason you provided the information and for our everyday business purposes, such as to obtain quotations for insurance or other insurance or financial industry services (including those procured proactively and/or in connection with the movement of a book of business from one provider to another) on your behalf; to obtain insurance (or similar products) on your behalf or to facilitate the performance of related services by other industry service providers; to maintain or service your account or insurance, including by reporting claims of loss to other industry service providers, such as insurance carriers and adjusters; to evaluate our performance or offerings; to allow risk management or actuarial evaluation of prospective or existing placements; to confer with medical professionals if necessary regarding a relevant claim; and to make reports to credit bureaus. We may also save your information to facilitate new quotations or placements.
- for legal reasons, such as to make required or advisable reports to insurance regulatory, law enforcement or other similarly situated authorities including government authorities; to respond to and comply with court orders, applicable law, and other legal requirements; and to defend ourselves against claims and to enforce our rights or protect our employees or property.
- for our own marketing purposes so that we may offer you our products and services, including through the use of targeted or similar advertising on the internet.
- for joint marketing purposes so that we and any third-party product or service provider may together offer you products and services;
- for our affiliates’ everyday business purposes, such as to process or service transactions or to provide or receive shared organizational services.
- for our affiliates’ marketing purposes so that they may offer you their products and services.
- for our and our affiliates’ fraud prevention purposes where necessary to prevent and detect fraud.
- for non-affiliated third parties whenever you consent to such sharing, when the information cannot reasonably identify you, when business partners or third-party companies play a related or expected role in an insurance transaction, or as needed for Insuritas to participate in insurance support organizations.
- for our internal and external auditors, where necessary for company audits, complaint investigation or investigation of a security threat.
- for other purposes as may be permitted by law, as described to you when collecting your Personal Information or as otherwise set forth in the CCPA.
- to evaluate, negotiate or effect a business transaction (e.g., a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets) in which Personal Information held by us about our consumers or website users is among the assets evaluated or transferred.
Sharing of Personal Information under the CCPA
Under the CCPA, the Sharing of Personal Information means sharing, disclosing, disseminating, making available or otherwise communicating a consumer’s Personal Information to a third party for uses such as targeted advertising for the benefit of the business.
California residents have certain rights under the CCPA around limiting the Sharing of their Personal Information.
The CCPA addresses two distinct categories of information disclosure by businesses, differentiating the Sharing of Personal Information for a Commercial Purposes from the Disclosure of Personal Information for a Business Purpose, as described below.
Sharing of Personal Information for a Commercial Purpose
The CCPA defines the Sharing of Personal Information for a Commercial Purpose as including the sale or sharing of a customer’s Personal Information for monetary or other consideration paid to the sharing business.
In accordance with that definition, in the preceding twelve (12) months, Insuritas has Shared Personal Information for a Commercial Purpose as disclosed within the U.S. Privacy Policy, including specifically as described in our Cookie Notice and Notice of Other Web Technologies in relation to sharing personal information for cross-contextual behavioral advertising or targeted advertising.
As provided by the CCPA, California consumers have the right to opt-out of the “sale” of personal information to third parties. To opt-out of the “sale” or “sharing” of personal information related to targeted advertising, interest based advertising and cross context behavioral advertising, take the following steps:
- Turn off Social Media, Targeting and Advertising cookies by using the cookie consent mechanism available on our websites or by enabling the Global Privacy Control (“GPC”) signal on your browser; and
- Complete and submit a request using the HUB Consumer Privacy Request Portal
Your cookie selections are specific to the particular device, browser, and website you use. If you use another device or browser, you will need to opt out on each device and browser. Blocking or deleting cookies from your browser may remove your opt-out settings, requiring you to opt-out again.
Disclosure of Personal Information for a Business Purpose
The CCPA excludes from the definition of Sharing Personal Information any use of Personal Information which was requested by you (the customer), including the expected and typical use of that information by a third party for the reasonably necessary purposes to achieve the requested service. Such an information transfer is considered the Disclosure of Personal Information for a Business Purpose under the CCPA.
In the preceding twelve (12) months, we may have Disclosed the following categories of Personal Information for a Business Purpose:
Category A: Identifiers
Category B: California Customer Records Personal Information categories
Category C: Protected classification characteristics under California or federal law
Category D: Commercial information
Category F: Internet or other similar network activity
Category H: Sensory Data
Category I: Professional or employment-related information
Category J: Non-public education information
Category K: Inferences drawn from other Personal Information
We may Disclose to the following categories of third parties your Personal Information for a Business Purpose to perform services on your behalf and to provide you with the insurance products and services you expect from us:
- Service providers.
- Insurance carriers and other industry service providers.
- Other third parties with which you or we maintain a relationship regarding your insurance.
Sales of Personal Information
In the preceding twelve (12) months, we have sold or shared Personal Information as defined by the CCPA, as described herein and in our Cookie Notice and Notice of Other Web Technologies in our Policy in relation to sharing personal information for cross-contextual behavioral advertising or targeted advertising.
Global Privacy Control (GPC) Signal
You have the right to opt out of the use of your personal information for targeted advertising purposes. You may download one of the supported browsers or extensions to send the Global Privacy Control (“GPC”) signal, which will transmit your request to opt-out of targeted advertising automatically. A list of GPC enabled available browsers or extensions is available here: https://globalprivacycontrol.org/#download.
Your computers or devices also have tools within their browser settings that allow you to manage your acceptance of cookies. These can include the ability to disable or block cookies, remove cookies, automatically accept cookies or to notify you when a cookie is received. Generally disabling or rejecting cookies can impact your user experience; Certain features of our website may not be available if all cookies are disabled, and therefore, disabling, particularly of strictly necessary cookies, may not be available.
| Category | California Sensitive Personal Information may be considered to be within this Category (YES or NO) | Examples of Personal Information | Collected |
| Additional personal details, contact details and identifiers. | YES | Additional personal details for recruitment/employment purposes, such as national identification number, Social Security number, insurance information, your National Producer Number, marital/civil partnership status, domestic partners, dependents, emergency contact information, and military history; professional/personal calendar availability/scheduling information for meeting/communication purposes. | YES |
| Education information and professional or employment-related information. | NO | Information about your education and professional or employment-related information, such as your employment history. | YES |
| Sensitive data for recruitment purposes. | YES | Certain types of sensitive information when permitted by local law or with your consent, such as health/medical information (including disability status), trade union membership information, religion, race or ethnicity, minority flag, and information on criminal convictions and offences. We collect this information for specific purposes, such as health/medical information in order to accommodate a disability or illness (subject to legal limits on the timing of collection of such information and other applicable limitations) and to provide benefits; background checks and diversity-related Personal Information (such as race or ethnicity) in order to comply with legal obligations and internal policies relating to diversity and anti-discrimination. | YES |
| Documentation required under immigration laws. | YES | Data on citizenship, passport data, and details of residency or work permit (a physical copy and/or an electronic copy). | YES, as to employees, some job candidates, and contractors of. |
| Financial information for payroll/benefits purposes. | YES | Your banking and other relevant financial details we need for payroll/benefits purposes. | YES |
| Talent management information. | YES | Information necessary to complete a background check, details on performance decisions and outcomes, performance feedback and warnings, e-learning/training programs, performance, and development reviews (including information you provide when asking for/providing feedback, creating priorities, updating your input in relevant tools), driver’s license and car ownership information, and information used to populate biographies. | YES |
| Requested recruitment information. | NO | Information requested to provide during the recruitment process, to the extent allowed by applicable law. | YES |
| Recruitment information you submit. | NO | Information that you submit in résumés / CVs, letters, writing samples, or other written materials (including photographs). | YES |
| Information generated by us during recruitment. | NO | Information generated by interviewers and recruiters related to you, based on their interactions with you or basic Internet searches where allowed under applicable law. | YES |
| Recruitment information received from third parties. | NO | Information related to you provided by third-party placement firms, recruiters, or job-search websites, where applicable. | YES |
| Audiovisual information processed during recruitment. | YES | Photograph, and images/audio/footage captured on CCTV or other video systems when visiting our office or captured in the course of recruitment events or video recruitment interviews. | YES |
| Recommendations. | NO | Recommendations provided on your behalf by others. | YES |
| Employment history and background checks. | YES | Information about your prior employment, education, and where applicable and allowed by applicable law, credit history, criminal records or other information revealed during background screenings. | YES |
| Diversity related information. | YES | Information about race / ethnicity / religion / disability / gender and self-identified LGBT status, for purposes of government reporting where required by law, as well as to understand the diversity characteristics of our workforce, subject to legal limits. | YES |
| Assessment information. | YES | Information generated by your participation in psychological, technical, or behavioral assessments. You will receive more information about the nature of such assessments before your participation in any of them. | YES |
Information Specific to Employment Data of Insuritas
In addition, for recruitment and/or employment purposes, in the past twelve (12) months we have collected or may have collected and retained the following categories of Personal Information as necessary from California residents. Personal Information that falls under the definition of Sensitive Personal Information under the CCPA has been noted in the second column below:
Retention of Your Information
Insuritas retains certain records of your Personal Information as necessary to operate our business and comply with our legal and regulatory obligations. Such records are retained for legally defined retention periods that may extend beyond the period for which we provide the Services to you. We have implemented appropriate measures to confirm that Personal Information is securely disposed when no longer required.
Your Rights and Choices
The CCPA at Section 7011 (e)(2) provides California Residents with specific rights regarding their Personal Information:
(A) Access. The right to know what Personal Information the business has collected about the consumer, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom the business discloses Personal Information, and the specific pieces of Personal Information the business has collected about the consumer;
(B) Deletion. The right to delete Personal Information that the business has collected from the consumer, subject to certain exceptions;
(C) Correction. The right to correct inaccurate Personal Information that a business maintains about a consumer;
(D) Opt-out of Sale or Sharing. If the business sells or shares Personal Information, the right to opt-out of the sale or sharing of their Personal Information by the business;
(E) Limitation on the Use of Sensitive Personal Information. If the business uses or discloses sensitive Personal Information for reasons other than those set forth in section 7027, subsection (m), the right to limit the use or disclosure of sensitive Personal Information by the business; and
(F) Non-discriminatory Treatment. The right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights.
The following sections describe these CCPA rights in further detail and explain how to exercise those rights.
Access to Specific Information and Data Portability Rights
You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request for Access rights, (see “Exercising Access, Data Portability and Deletion Rights”), we will disclose to you to the extent reasonably available, and to the extent that we can continue to protect your data while providing such disclosure:
- The categories of Personal Information we collected about you.
- The categories of sources for the Personal Information we collected about you.
- Our business or commercial purpose for collecting or selling that Personal Information.
- The categories of third parties with whom we share that Personal Information.
- The categories of Personal Information shared for a business purpose for each category of recipients.
- The specific pieces of Personal Information we collected about you (also called a data portability request).
In addition to the rights listed above, you may request limitations on the use of your Sensitive Personal Information consistent with the terms and limitations described in the CCPA, and pursuant to Civil Code Section 1798.120 et.seq. Limited use of Sensitive Information may continue to include those uses which the average consumer would reasonably expect in context, and for uses which are reasonably necessary and proportionate for our business.
Deletion Request Rights
You have the right to request that we delete any of your Personal Information that we collected from you and retained. Once we receive and confirm your verifiable consumer request (refer to “Exercising Access, Data Portability and Deletion Rights”), we will delete your Personal Information from our records, unless an exception applies.
We may deny your deletion request in whole or in part for other reasons and exceptions described in the CCPA.
Exercising Access, Data Portability and Deletion Rights
To exercise the access, data portability and deletion rights described above, please submit a verifiable consumer request to us by:
- Visiting the: HUB Consumer Privacy Request Portal
- Email: privacy.compliance@hubinternational.com
- Calling us at: 866-415-2207
To protect your information and privacy, only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. Please indicate in your subject line “California Privacy Rights Request” so that we can better respond to you. Designated agents making any request will be required to provide signed permission for the agent to submit a request. In addition, when an authorized agent submits a request, we may also require that you verify your own identity directly to us or confirm with us that you have requested that the agent to submit the request. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:
- Provide sufficient information as we may request that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative of such person, which may include personal and/or commercial identifiers, such as an insurance policy number. Depending on the sensitivity of the information you are requesting, we may ask for additional information to verify your identity.
- Describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.
We cannot provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.
Response Timing and Format
We will acknowledge receipt of your request within ten (10) days. We will endeavor to respond in substance to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the extension period which may not exceed an additional forty-five (45) days beyond the original forty-five (45) day period.
Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily usable and should allow you to transmit the information from one entity to another entity without significant hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
Other California Privacy Rights
California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our website who are California Residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please write us at the mailing address shown beneath the heading “Contact Information for Requests under this Notice.”
Contact Information for Requests under this Notice
If you have any questions or comments about this Notice, the ways in which we collect and use your Personal Information described herein and, in the Policy, your choices, and rights regarding such use, or wish to exercise your rights under California law, please contact us at:
Postal Address:
Chief Legal Officer
Hub International Limited
150 N Riverside Plaza, 17th Floor
Chicago, IL 60606
Or by:
Privacy Portal: Visit the HUB Consumer Privacy Request Portal
Email: privacy.compliance@hubinternational.com
Calling us at: 866-415-2207
Please indicate the purpose of your Email in the subject line, for instance “California Privacy Rights Request,” so that we can identify your Email properly.
Situations Where Rights Cannot Be Granted
There may be situations where we cannot grant a particular request — for example, if you ask us to delete your transaction data but we are legally obligated to keep a record of that transaction to comply with law, or if we are unable to verify your identity through standard and reasonable requirements. We may also decline to grant a request where doing so would undermine our legitimate use of data for antifraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied could be that granting the request would jeopardize the privacy of others; that the request is substantively frivolous or vexatious; or that granting the request would be highly impractical in the context of our legitimate business purposes.
