Privacy Policy

Version 4.0

13 October 2022

Simple. Personal. Transparent. These values don’t just apply to our product and services; we keep these values in mind for everything we do. For you to be confident using our services we want you to know and trust that we’re committed to ensuring your privacy is protected.

We realise insurance can be complicated, and there’s a lot of information we need to provide to you, so we’ve provided a table of contents with links to the relevant sections and please do contact us customercare@wrisk.co with any questions.

Who we are
About this policy
Providing personal data
Legal basis
Special Categories & Criminal Convictions and Offences
How we collect your personal data
Why we process your personal data
Automated Decision-Making
Sharing Data & International Transfers
Cookies
Retention
Security
Third Party Services
Your rights
‘Do Not Track’
Contact Us

Who we are

We are Wrisk Transfer Limited (‘WTL’), authorised and regulated by the Financial Conduct Authority (reference # 788062), incorporated in England (company # 10657213), registered office 45 Gresham Street, London EC2V 7BG.

About this policy

Please do read this Privacy Policy as, together with our Cookie Policy, it explains how we process your personal data, for example when you visit wrisk.co or any other website (‘Website’) owned or provided by us, or when you use or buy our insurance services and other products (‘Services’).

We always seek to comply with the data protection laws applicable to our processing of personal data (‘DP Laws’).

For example, the EU General Data Protection Regulation 2016/679 (‘EU GDPR’) may apply and, as a UK company, the UK Data Protection Act 2018 (‘UK DPA’), the UK e-Privacy Regulations (‘PECR’), and the UK-adopted version of the EU GDPR (‘UK GDPR’) apply directly to all our processing. We’ll use ‘GDPR’ to refer to either the EU or UK version as they’re almost identical.

‘Personal data’ is a defined term in EU and UK law. We also use it here to cover ‘personally identifiable information’ as defined in US law, and other similar legal definitions. Essentially ‘personal data’ means any information relating to an identified or identifiable natural person, namely one who can be identified, directly or indirectly from that information alone or in conjunction with other information.

As data protection law and practice are constantly developing, we’ll need to update this policy from time to time, which we’ll do by posting a new policy on the Website that takes effect from the date stated. It is your responsibility to return to the Website from time to time and check for changes.

Providing personal data

You clearly do not have to provide personal data to us. However, if you would like us, for example, to respond to a query, provide a quotation, issue an insurance policy or manage a claim, we may not be able to do so without personal data from you and failing to provide certain personal data, for example for a quotation, may invalidate any resulting policy.

Legal basis

You’ll see we’ve identified the legal basis for our processing throughout this Policy. The legal bases we rely on are:

‘Legal Obligation’ - where the processing is necessary for us to comply with our legal obligations (for example the FCA rules),
‘Contract’ - where the processing is necessary under a contract we have with you (for example an insurance policy) or to take pre-contract steps at your request (for example providing you with an insurance quotation),
‘Legitimate Interests’ - where the processing is necessary for our legitimate interests in carrying out our business (for example to improve or market our Services), provided those interests are not outweighed by your rights and interests, and
‘Consent’ - where you’ve given us your freely given, specific, informed and unambiguous consent to process your personal data. When we rely on consent, we will ask for your consent before any processing and provide you with relevant information to make the processing fair and transparent.

Special Categories & Convictions and Offences

‘Special categories of personal data’ is defined by GDPR to include personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health. We may need to ask for some special categories of personal data, in particular health data.

We may also need to ask for personal data relating to criminal convictions and offences, for the same reasons.

Without this information we may not be able to provide Services to you. For example, we may not be able to give you a quote or issue an insurance policy and it may affect the outcome of any claims you make.

The legal basis for any processing by us of special categories of personal data or personal data relating to criminal convictions and offences is the Insurance basis in paragraphs 20 and/or 36 and 37 of Part 2 of Schedule 1 to the UK DPA.

How we collect your personal data

We collect or are provided your personal data in the normal course of our business, including:

when you visit our Website, we may collect information such as your IP address and the pages you visit,
when you interact with us through phone, email, chat or otherwise to ask about our services and we may otherwise lawfully obtain contact details of potential customers for our Services for our marketing purposes, for example from your business website,
when you provide information in order to receive an insurance quotation, which may be on our Website or on the website of one of our partners for whom we administer and manage insurance quotations and policies,
from our third party suppliers who provide us with information or services related to anti-money laundering, know-your-client, credit risk and fraud risk and similar purposes related to providing you with a quotation or insurance,
from you, or from one of our partners for whom we administer and manage insurance, when we enter into an insurance contract with you,
from you or others when we administer and manage your insurance with you, including providing support, handling claims, anniversary, and changes such as additional insurance cover for other vehicles or drivers,
when you use our Services, as to how you’ve used our Services, including page view times, response times, machine to machine data and logging data, and
you may provide us with your CV and other personal data when you apply for a position with us.

Why we process your personal data

We will process your personal data for expected purposes related to the business of marketing, administering and managing insurance. We have set out details of these purposes below, together with information on the data processed, the appropriate legal basis, whether it is shared and how long it is retained.

Providing you with quotations, including in-policy changes and anniversary

We will collect and process your personal data to provide you with a quotation, before you become a customer and for anniversary.

We will collect most of this information from you directly or, when you have asked for a quotation on a partner website, from that partner. The information will depend on the insurance you are asking for but will include, for each driver to be covered: their name, email and postal addresses, age, insurance history, driving history (including accidents), and driving licence details.
The primary legal bases are Contract and Legal Obligation, though some may be based on Legitimate Interests.
We may also need to process special categories of personal data such as health data and personal data relating to criminal convictions and offences, for which the legal basis is under the UK DPA as above.
We will keep this data for 3 years after a quotation or for the duration of your policy and for 7 years after termination of the contract, whichever is longer.

In this process, we will also perform industry-standard checks and share the results with insurers and other necessary parties as set out below.

Performing credit, fraud, anti money laundering and KYC checks

As part of the quotation process, and ongoing administration of any insurance policy, we will perform certain checks to inform the risk of providing you with insurance.

We will perform ‘know your client’ or KYC and anti money laundering checks, credit checks, fraud checks and sanction list clearance using third party providers (more on them below). We will share certain personal data about you (mostly information from the quotation process) as necessary with those providers.
We will then receive personal data about you from these providers in return, which we use to inform our decision on whether to offer you a quotation and how to administer your policy.
The primary legal basis is Legal Obligation (under FCA rules and other legal obligations related to the administration and management of insurance contract), though some may be based on Contract (in order to be able to provide the quotation to you and administer your policy) or Legitimate Interests (to better inform the risk in providing the insurance or other service requested).
We may also need to process special categories of personal data such as health data and personal data relating to criminal convictions and offences, for which the legal basis is under the UK DPA as above.
We will keep this data for the duration of your policy and for 7 years after termination of the contract.

Entering into an insurance contract with you, including in-policy changes and anniversary

Once we’ve provided you with a quotation and the risk checks are passed, you may decide to take out your insurance policy with us (that may be through a partner-branded offering but the insurance contract will still be with us). We will have collected most of the information in the quotation process, but we will ask you to confirm it.

We will also need to collect billing information, including to confirm your billing address if different from the address you have already provided to us, though we do not collect or retain your financial information (such as card or bank account details), which is handled by our payment providers. More on them below.
Our payment providers generally act as separate controllers, given their own regulatory obligations. We have listed our current providers below and you will usually also be made aware of the identity of the provider when you make the payment.
The legal basis is Contract.
We will keep this data for the duration of your policy and for 7 years after termination of the contract.

In this process, we will also perform industry-standard checks as follows in Purpose 2 and share it with insurers and other necessary parties as set out in Purpose 3.

Answering your queries

You may contact us with queries from time to time and we will always respond as quickly and helpfully as possible.

We will use your contact data (such as your email, phone, postal address) and the relevant information such as the information in your query and your quotation or policy information.
The primary legal basis is Legitimate Interests, though it may sometimes be Contract.
We will keep this data for the duration of your policy and for 7 years after termination of the contract.

Administering any claim

Should you have a claim under your policy with us, we will need to process personal data necessary to administer that claim. We will have some of that data from the quotation and contracting processes.

We will need to collect relevant details of any reported and actual claims including, but not limited to, details of any accident, people involved, cause and value of the loss.
We will need to share some personal data as necessary with certain third party providers such as claims management specialists and loss adjusters.
The majority of this processing will rely on the legal bases of Legal Obligation and Contract, though some may be processed on Legitimate Interests.
We may also need to process special categories of personal data such as health data and personal data relating to criminal convictions and offences, for which the legal basis is under the UK DPA as above.
We will keep this data for the duration of your policy and for 7 years after termination of the contract or until we no longer require it for claims purposes.

Sending you service messages

From time to time, we will send you service messages, which are generally transactional in nature and related to the Services you have with us. These messages may be a reminder of the expiry of a quotation, the timing of your renewal, invoices and payments, and about any changes to your policy.

We will use your contact data (such as your email, phone, postal address) and the relevant information such as your quotation or policy information.
The primary legal basis is Contract, though some messages may be based on Legal Obligation or Legitimate Interest.
We may also need to process special categories of personal data such as health data and personal data relating to criminal convictions and offences, for which the legal basis is under the UK DPA as above.
We will keep this data for the duration of your policy and for 7 years after termination of the contract.

Sending you marketing messages

From time to time, we would like to send you marketing messages, which are related to the Services you have with us. These messages may be about relevant news, updates and promotions related to Wrisk. This section applies to customers of Wrisk branded products only.

We will use your contact data (such as your email, phone, postal address) and the relevant information such as your quotation or policy information, other information from the quotation process, or information you provided when you subscribed for a newsletter. We may also obtain such information from sources such as your business website.
The primary legal basis is Consent for emails, SMS and other electronic messaging to individual consumers and Legitimate Interest for other marketing.
Where the processing is based on consent, you can withdraw that consent at any time by contacting us customercare@wrisk.co or using the link provided in the message.
Where the processing is not based on consent, you can opt out of such messaging at any time by contacting us customercare@wrisk.co or using the link provided in the message.
We will keep this data until you exercise your right to be forgotten or until we no longer need the information for this purpose, whichever comes first.

Improving our Website and online Services

We may collect statistics to help us improve the features and performance of our Website and online Services.

We may collect information on web pages visited, browser type and settings, cookies, and similar tracking information, and wifi/cellular access.
We collect this information through the use of cookies and similar technologies.
As set out by the DP laws, in particular UK PECR, we will only drop essential cookies (such as for load balancing, security, and shopping trolley) without your consent. The legal basis there is Legitimate Interests (to collect and process those statistics) and some pay be Legal Obligation (to comply, and prove we complied with the law).
Any ‘non-essential cookie’ (such as advertising cookies) will only be dropped after you have consented. The legal basis will therefore be Consent for these non-essential cookies.
We will keep this data for as long as required by the legal obligation or the earlier of 12 months or your withdrawing your consent.

Recording telephone calls - training and quality assurance

We may record telephone calls between you and Wrisk for the purposes of training our staff and ensuring a high quality of customer service.

We will not record for these purposes without your prior consent. The legal basis here will always be Consent.
We will not share these recordings unless we are subject to a binding legal order or decision to do so.
We may also need to collect special categories of personal data such as health data and personal data relating to criminal convictions and offences, for which the legal basis is under the UK DPA as above.
We will keep this data for until you exercise your right to be forgotten or until we no longer need the information for this purpose, whichever comes first.

Recording telephone calls - regulatory requirement

We may need to record telephone calls between you and Wrisk to comply with a legal obligation, such as compliance monitoring or fraud detection and prevention. This is a separate purpose to recording for training and quality assurance purposes.

We may or may not be allowed by the legal obligation we are under, to notify you in advance of recording a particular call.
The legal basis is Legal Obligation.
We will not share these recordings unless we are subject to a binding legal order or decision to do so.
We may also need to collect special categories of personal data such as health data and personal data relating to criminal convictions and offences, for which the legal basis is under the UK DPA as above.
We will keep this data for the duration of your policy and for 7 years after termination of the contract. This period is 3 years where a quotation has been requested and is not linked to a policy.

Sharing data to comply with laws and regulations

Under the laws relevant to insurance, including the FCA Rules relevant to us, we have to share certain of your personal data with:

the UK Financial Conduct Authority (FCA) for the monitoring of our regulated business and other regulatory purposes. They are a separate controller, please see their Privacy Policy for more information and their contact details.
the UK Motor Insurance Bureau, which operates the Motor Insurance Database for the UK government. They are a separate controller, please see their Privacy Policy for more information and their contact details.

Retaining data to comply with laws and regulations

You will appreciate that, because we are authorised by the FCA, we are subject to FCA rules on retention of certain personal data, for the period(s) set out in the FCA rules. We may also be subject to other legal obligations as an administrator and manager of insurance, which may require us to retain personal data for a set period.

Where we retain personal data purely because of a legal obligation to do so, we will not process that personal data for any other purpose.
The legal basis is Legal Obligation.
We may also need to collect special categories of personal data such as health data and personal data relating to criminal convictions and offences, for which the legal basis is under the UK DPA as above.
We will keep this data for the period required by the legal obligation.

Securing our services and preventing fraud

We need to ensure that our Services, and the underlying network, infrastructure and systems we use to provide those Services, are secure, resilient and free from fraudulent and other illegal activity.

We may therefore process some of your personal data to the limited extent necessary for this purpose. Such personal data may include, for example, that multiple applications have been made with different information, and may be limited to so-called metadata and machine to machine information processed in monitoring and logging procedures unless we identify a related issue, in which case we will limit such processing to the personal data necessary to complete any respective investigation.
The legal bases will be Legitimate Interests and Legal Obligation.
We will keep the data only for the duration needed for this purpose which is for the duration of your policy and for 7 years after termination of the contract. This period is 3 years where a quotation has been requested and is not linked to policy.

Creating anonymised data

We may anonymise your personal data, and may aggregate it with other anonymised data, so that we can analyse it, for example to improve our question sets and pricing models for the benefit of all our customers.

Any anonymisation would be carried out in accordance with applicable law as well as relevant guidelines from regulators such as the UK Information Commissioner (‘UK ICO’).
The legal basis is Legitimate Interests.
Because anonymised data is no longer personal data under GDPR, neither the DP Laws nor this Privacy Policy will apply to such anonymised data.

Automated Decision-Making

We use automated decision-making, including profiling, to prepare your quotation and for quoting for in-policy changes and any anniversary.

As part of the quotation process, the information you provide to us is automatically combined with information identified above including our KYC and anti money laundering check, information from national databases, from our insurers, and from fraud and credit checks.
This information creates a risk profile that we use to decide whether to offer a quotation to you and the terms of that quotation. This decision is automated and may result in your not being offered an insurance quotation based on the results of those checks or, for example, if a driver is too young, has too many convictions, we do not cover your postcode, etc.
We will always inform you of the reasons why we are unable to provide you with a quotation, and you are able to request that a person reviews the decision.

As you’ve already seen, we may share personal data in the limited circumstances necessary for operating our business and issuing quotations and insurance policies both under our name and partner brands. Here is more detail on those third parties, who may be separate controllers given their own regulatory obligations.

Regulatory Recipients

As above, under applicable insurance regulations, we have to share certain personal data with our regulator, the FCA, and the UK Motor Insurance Bureau.

Compliance with Legal Requests & Orders

Given the nature of insurance and the typical context of claims, we may receive requests or legal orders from the Police and other UK authorities to disclose your personal data to them (‘Legal Request’). If we receive a Legal Request, we will review it to ensure that it complies with the applicable law: if it does not, we will inform the issuing party and we will not comply with it; if it does, we will disclose your personal data only to the extent necessary to comply with the Legal Request, and the legal basis for our compliance will be Legal Obligation. Unless the Legal Request and applicable law prevents us doing so, we will notify you about any such disclosure.

Commercial Partners

BMW

Wrisk partners with BMW Financial Services (GB) Limited (BMW) in the UK to power the BMW Flex insurance product. Wrisk and BMW are separate controllers. You may direct your questions and exercise your rights directly with the relevant party. Our contact details are privacy@wrisk.co and BMW’s are in their Privacy Policy.

RAC Financial Services Limited (RAC)

Wrisk partners with RAC in the UK to power the RAC Pay by Mile insurance product. Wrisk and RAC are separate controllers. You may direct your questions and exercise your rights directly with the relevant party. Our contact details are privacy@wrisk.co and RAC’s are in their Privacy Policy.

Mobility Trader UK Ltd, trading as heycar (heycar)

Wrisk partners with heycar in the UK to power the heycar motor insurance product. Wrisk and heycar are separate controllers. You may direct your questions and exercise your rights directly with the relevant party. Our contact details are privacy@wrisk.co and heycar’s are in their Privacy Policy.

Payment processors

We do not collect or process any bank or debit or credit card data ourselves. Any such data is collected and processed by our payment processors, to process the relevant payments. Our payment processors generally act as independent controllers, given their own regulatory requirements, although they may act as our processors in terms of when payments are taken and reporting information to us. We will at all times comply, and choose payment providers who comply, with the applicable industry codes and laws regarding security and retention of such data, for example the Payment Card Industry Data Security Standard.

Our payment processors are:

Stripe, Inc. - Stripe will process your card payments. They are a separate controller for most of their processing and you can see full details, including their contact details, in their Privacy Policy.‍
GoCardless Ltd - GoCardless process direct debits and similar payments for us. Again, they are a separate controller for most of their processing and you can see full details, including their contact details, in their Privacy Policy.

Insurers

LV=

LV= is the main insurer with whom we work to create our products and act as insurer on the policies we issue to our customers.

LV= and Liverpool Victoria are registered trademarks of Liverpool Victoria Financial Services Limited and LV= and LV= Liverpool Victoria are trading styles of the Liverpool Victoria General Insurance Group of companies.
Insurance from LV= is underwritten by Highway Insurance Company Limited. Highway Insurance Company Limited, registered in England and Wales number 3730662 is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority, register number 202972.
The registered address for Liverpool Victoria Financial Services Limited and Highway Insurance Company Limited is 57 ladymead, Guildford GU1 1DB and their Privacy Policy can be viewed here.

ARC Legal Assistance (ARC)

Where you have selected Legal Expenses insurance, that will be provided by ARC, and we will share your personal data with them as necessary for that purpose, Their registered address is; The Gatehouse, Lodge Park, Lodge Lane, Colchester CO4 5NE. They are a separate controller and their Privacy Policy, including their contact details, is available here.

Brokers and other parties

We will share your information with other insurance companies and intermediaries in the distribution chain to enable us to arrange and administer a policy for you and to enable their Services.

For example, if you are introduced to us by a placing broker, your personal information (e.g. policy details, contact details, claims and any other data you share with us) will be shared between us and them as part of your relationship with us.

Credit Agencies

TransUnion

We share and obtain data from TransUnion who are a credit reference agency, for the purposes set out above. They are a separate controller and their Privacy Policy, including their contact details, is available here.

Fraud protection and prevention

Synetics Solutions

We share and obtain data from Synetics Solutions for the purposes set out above. They are a separate controller and their Privacy Policy, including their contact details, is available here.

Other recipients

For provision of the Services, and for our own disaster recovery and business continuity purposes, we may store or transmit personal data to or through third party providers, such as with our contractors and advisors to help us operate, secure and analyse our business. The lawful basis will be Legitimate Interests or Contract.

We may be obliged to disclose your personal data to comply with a law, order or request of a court, government authority, other competent legal or regulatory authority or any applicable code of practice or guideline. The lawful basis will be Legal Obligation.

If we enter negotiations with a third party for the sale or purchase of all or part of our business, we will only disclose personal data to that third party to the extent it relates to that business and only under conditions of confidentiality requiring the third party to be bound by the privacy policy that applies to that data. The lawful basis will be Legitimate Interests.

In each case, we share the minimum personal data necessary and we have written contracts in place incorporating relevant wording to safeguard that personal data and comply with applicable laws, and we will only share such data as is necessary for the purpose in question.

Our starting position is always to keep personal data within the UK or European Economic Area (‘EEA’) where the UK GDPR or EU GDPR applies respectively. However, in order to carry out the above purposes, we may use third parties and their facilities outside the EEA. In all such cases we will ensure that appropriate security measures are in place to protect your personal data and a valid legal basis for the transfer applies.

Cookies

Our Website uses cookies and/or similar technologies. Please review our Cookie Policy for more information, including on how to refuse or selectively accept cookies and/or similar technologies and update your preferences.

Retention

If no retention period is specified above, our default position is to only retain personal data for any statutory retention period, then a reasonable period (if any) necessary for the above purposes. This is subject, for example, to any valid opt-out or withdrawal of consent where processing is based on consent, or other valid exercise of your data subject rights.

Security

The security of data is very important to our business. In accordance with our legal obligations, we take appropriate technical and organisational measures to protect your personal data and keep those measures under review. However, we can only be responsible for systems that we control and we would note that the internet itself is not inherently a secure environment.

Third Party Services

If you access the services of another provider through our websites or services, for example through a link on the Website, your use of those services is entirely at your risk and governed by the terms and privacy policy of that third party provider. If we resell a service delivered or provided by a third party (‘Third Party Service’), including any software that is delivered or owned by a third party (‘Third Party Software’), it is that third party’s separate privacy policy that will apply to your personal data and your use of the Third Party Service and Third Party Software. Your use of a Third Party Service is not covered by this Privacy Policy. Please therefore review the privacy policy for any Third Party Service and Third Party Software before using it.

Your rights

Under the UK and EU GDPRs, you have the following rights (some of which may be subject to conditions set out in the relevant GDPR):

to know if we process any personal data about you and, if we do, with certain limitations, to a copy of that personal data,
to ask us to remove or correct any of that personal data that is inaccurate,
to object to certain processing,
to ask us to restrict processing certain of your personal data,
to ask us to erase your personal data, and
to ‘port’ certain of your personal data to you or another provider, provided in each case that we have such data and certain conditions are met.

You have the right, at any time, to object to the processing of your personal data for direct marketing.

Where processing is based on Consent, you may withdraw consent at any time.

You have the right to notify a complaint to any regulator such as the UK Information Commissioner. We always welcome the opportunity to discuss and resolve any complaint with you first.

‘Do Not Track’

The Website does not use technologies that respond to ‘Do-Not-Track’ signals communicated by your internet browser.

Contact Us

If you’ve any question you can always contact us at the address above or by email to privacy@wrisk.co. You can also always contact our Data Protection Officer at dpo@wrisk.co.

‍