Simple. Personal. Transparent. These values don’t just apply to our product and services; we keep these values in mind for everything we do. For you to be confident using our services we want you to know and trust that we’re committed to ensuring your privacy is protected.
We realise insurance can be complicated, and there’s a lot of information we need to provide to you, so we’ve provided a table of contents with links to the relevant sections and please do contact us firstname.lastname@example.org with any questions.
We are Wrisk Transfer Limited (‘WTL’), authorised and regulated by the Financial Conduct Authority (reference # 788062), incorporated in England (company # 10657213), registered office 45 Gresham Street, London EC2V 7BG.
We always seek to comply with the data protection laws applicable to our processing of personal data (‘DP Laws’).
For example, the EU General Data Protection Regulation 2016/679 (‘EU GDPR’) may apply and, as a UK company, the UK Data Protection Act 2018 (‘UK DPA’), the UK e-Privacy Regulations (‘PECR’), and the UK-adopted version of the EU GDPR (‘UK GDPR’) apply directly to all our processing. We’ll use ‘GDPR’ to refer to either the EU or UK version as they’re almost identical.
‘Personal data’ is a defined term in EU and UK law. We also use it here to cover ‘personally identifiable information’ as defined in US law, and other similar legal definitions. Essentially ‘personal data’ means any information relating to an identified or identifiable natural person, namely one who can be identified, directly or indirectly from that information alone or in conjunction with other information.
As data protection law and practice are constantly developing, we’ll need to update this policy from time to time, which we’ll do by posting a new policy on the Website that takes effect from the date stated. It is your responsibility to return to the Website from time to time and check for changes.
You clearly do not have to provide personal data to us. However, if you would like us, for example, to respond to a query, provide a quotation, issue an insurance policy or manage a claim, we may not be able to do so without personal data from you and failing to provide certain personal data, for example for a quotation, may invalidate any resulting policy.
You’ll see we’ve identified the legal basis for our processing throughout this Policy. The legal bases we rely on are:
‘Special categories of personal data’ is defined by GDPR to include personal data revealing racial or ethnic origin, religious or philosophical beliefs or trade union membership, genetic data or data concerning health. We may need to ask for some special categories of personal data, in particular health data.
We may also need to ask for personal data relating to criminal convictions and offences, for the same reasons.
Without this information we may not be able to provide Services to you. For example, we may not be able to give you a quote or issue an insurance policy and it may affect the outcome of any claims you make.
The legal basis for any processing by us of special categories of personal data or personal data relating to criminal convictions and offences is the Insurance basis in paragraphs 20 and/or 36 and 37 of Part 2 of Schedule 1 to the UK DPA.
We collect or are provided your personal data in the normal course of our business, including:
We will process your personal data for expected purposes related to the business of marketing, administering and managing insurance. We have set out details of these purposes below, together with information on the data processed, the appropriate legal basis, whether it is shared and how long it is retained.
We will collect and process your personal data to provide you with a quotation, before you become a customer and for anniversary.
In this process, we will also perform industry-standard checks and share the results with insurers and other necessary parties as set out below.
As part of the quotation process, and ongoing administration of any insurance policy, we will perform certain checks to inform the risk of providing you with insurance.
Once we’ve provided you with a quotation and the risk checks are passed, you may decide to take out your insurance policy with us (that may be through a partner-branded offering but the insurance contract will still be with us). We will have collected most of the information in the quotation process, but we will ask you to confirm it.
In this process, we will also perform industry-standard checks as follows in Purpose 2 and share it with insurers and other necessary parties as set out in Purpose 3.
You may contact us with queries from time to time and we will always respond as quickly and helpfully as possible.
Should you have a claim under your policy with us, we will need to process personal data necessary to administer that claim. We will have some of that data from the quotation and contracting processes.
From time to time, we will send you service messages, which are generally transactional in nature and related to the Services you have with us. These messages may be a reminder of the expiry of a quotation, the timing of your renewal, invoices and payments, and about any changes to your policy.
From time to time, we would like to send you marketing messages, which are related to the Services you have with us. These messages may be about relevant news, updates and promotions related to Wrisk. This section applies to customers of Wrisk branded products only.
We may collect statistics to help us improve the features and performance of our Website and online Services.
We may record telephone calls between you and Wrisk for the purposes of training our staff and ensuring a high quality of customer service.
We may need to record telephone calls between you and Wrisk to comply with a legal obligation, such as compliance monitoring or fraud detection and prevention. This is a separate purpose to recording for training and quality assurance purposes.
Under the laws relevant to insurance, including the FCA Rules relevant to us, we have to share certain of your personal data with:
You will appreciate that, because we are authorised by the FCA, we are subject to FCA rules on retention of certain personal data, for the period(s) set out in the FCA rules. We may also be subject to other legal obligations as an administrator and manager of insurance, which may require us to retain personal data for a set period.
We need to ensure that our Services, and the underlying network, infrastructure and systems we use to provide those Services, are secure, resilient and free from fraudulent and other illegal activity.
We may anonymise your personal data, and may aggregate it with other anonymised data, so that we can analyse it, for example to improve our question sets and pricing models for the benefit of all our customers.
We use automated decision-making, including profiling, to prepare your quotation and for quoting for in-policy changes and any anniversary.
As you’ve already seen, we may share personal data in the limited circumstances necessary for operating our business and issuing quotations and insurance policies both under our name and partner brands. Here is more detail on those third parties, who may be separate controllers given their own regulatory obligations.
As above, under applicable insurance regulations, we have to share certain personal data with our regulator, the FCA, and the UK Motor Insurance Bureau.
Given the nature of insurance and the typical context of claims, we may receive requests or legal orders from the Police and other UK authorities to disclose your personal data to them (‘Legal Request’). If we receive a Legal Request, we will review it to ensure that it complies with the applicable law: if it does not, we will inform the issuing party and we will not comply with it; if it does, we will disclose your personal data only to the extent necessary to comply with the Legal Request, and the legal basis for our compliance will be Legal Obligation. Unless the Legal Request and applicable law prevents us doing so, we will notify you about any such disclosure.
We do not collect or process any bank or debit or credit card data ourselves. Any such data is collected and processed by our payment processors, to process the relevant payments. Our payment processors generally act as independent controllers, given their own regulatory requirements, although they may act as our processors in terms of when payments are taken and reporting information to us. We will at all times comply, and choose payment providers who comply, with the applicable industry codes and laws regarding security and retention of such data, for example the Payment Card Industry Data Security Standard.
Our payment processors are:
We have worked with LV= to create our BMW Flex, BMW DriveAway, MINI Flex, MINI DriveAway, Volvo Car Insurance, Volvo Free Driveaway Insurance, Jaguar Insurance, Land Rover Insurance, RAC Pay by Mile, heycar motor insurance, Wrisk Car Insurance and Wrisk Driveaway products and they act as insurer on the policies that we issue to our customers.
We have worked with KGM to create our Wrisk Driveaway Insurance product and they act as insurer on the policies that we issue to our customers.
We will share your information with other insurance companies and intermediaries in the distribution chain to enable us to arrange and administer a policy for you and to enable their Services.
For example, if you are introduced to us by a placing broker, your personal information (e.g. policy details, contact details, claims and any other data you share with us) will be shared between us and them as part of your relationship with us.
For provision of the Services, and for our own disaster recovery and business continuity purposes, we may store or transmit personal data to or through third party providers, such as with our contractors and advisors to help us operate, secure and analyse our business. The lawful basis will be Legitimate Interests or Contract.
We may be obliged to disclose your personal data to comply with a law, order or request of a court, government authority, other competent legal or regulatory authority or any applicable code of practice or guideline. The lawful basis will be Legal Obligation.
In each case, we share the minimum personal data necessary and we have written contracts in place incorporating relevant wording to safeguard that personal data and comply with applicable laws, and we will only share such data as is necessary for the purpose in question.
Our starting position is always to keep personal data within the UK or European Economic Area (‘EEA’) where the UK GDPR or EU GDPR applies respectively. However, in order to carry out the above purposes, we may use third parties and their facilities outside the EEA. In all such cases we will ensure that appropriate security measures are in place to protect your personal data and a valid legal basis for the transfer applies.
If no retention period is specified above, our default position is to only retain personal data for any statutory retention period, then a reasonable period (if any) necessary for the above purposes. This is subject, for example, to any valid opt-out or withdrawal of consent where processing is based on consent, or other valid exercise of your data subject rights.
The security of data is very important to our business. In accordance with our legal obligations, we take appropriate technical and organisational measures to protect your personal data and keep those measures under review. However, we can only be responsible for systems that we control and we would note that the internet itself is not inherently a secure environment.
Under the UK and EU GDPRs, you have the following rights (some of which may be subject to conditions set out in the relevant GDPR):
You have the right, at any time, to object to the processing of your personal data for direct marketing.
Where processing is based on Consent, you may withdraw consent at any time.
You have the right to notify a complaint to any regulator such as the UK Information Commissioner. We always welcome the opportunity to discuss and resolve any complaint with you first.
The Website does not use technologies that respond to ‘Do-Not-Track’ signals communicated by your internet browser.