Inshura Privacy Notice Addendum for California Residents

Effective Date: May 1, 2022

This Privacy Notice Addendum for California Residents (the “California Privacy Addendum”) supplements the information in Inshura’s Privacy Notice (the “Privacy Notice”) and describes our collection and use of Personal Information. This California Privacy Addendum applies solely to all visitors, users, and others who reside in the State of California (“consumers” or “you”). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this notice.

Note that this California Privacy Addendum does not apply to employment-related personal information collected by a company or other organization about its employees, job applicants, contractors, or similar individuals used to administer those individuals’ (or their dependents’) benefits. Please contact your local human resources department if you are a California employee and would like additional information about how we process your Personal Information.

Where noted, this California Privacy Addendum also does not apply to personal information reflecting a written or verbal business-to-business communication (“B2B Personal Information”) between you and Inshura, which includes the personal information of applicable insurance agents. Unless otherwise noted, this exemption will expire on January 1, 2021.

Information We Will Collect
Our Website collects information that identifies, relates to, describes, references, can be associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). Inshura’s Website collects, and over the prior twelve (12) months have collected, these categories of personal information from our consumers:

Category Applicable Pieces of Personal Information Collected
A. Identifiers. A real name, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, employee number (when applicable), or other similar identifiers.
B. Personal information categories in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).

A name, signature, Social Security number, physical characteristics or description, address, telephone number, insurance policy number, employment, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

Some personal information in this category may overlap with other categories.

C. Protected classification characteristics under California or federal law.

We may collect your age, medical condition, physical or mental disability, and sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions) as necessary to request an insurance quote or enroll in insurance.

You may also voluntarily disclose your race, color, ancestry, national origin, citizenship, religion or creed, marital status, veteran or military status, genetic information (including familial genetic information), and sexual orientation.

D. Commercial information. Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
F. Internet or other similar network activity. Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
I. Professional or employment-related information. Current or past job history or performance evaluations.

Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA’s scope, like:
  • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;
  • personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Use of Personal Information
We may use, “sell” for monetary or other valuable consideration, or disclose the personal information we collect and, over the prior twelve (12) months, have used, “sold” for monetary or other valuable consideration, or disclosed the personal information we have collected, for one or more of the business or commercial purposes described in our Privacy Notice.

Inshura will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sources of Personal Information
Inshura obtains the categories of personal information listed above from the categories of sources described in our Privacy Notice.

Sharing Personal Information
Inshura may disclose your personal information to a third party for a business purpose or “sell” your personal information, subject to your right to opt-out of those sales (see Opt-Out and Opt-In Rights). When we disclose personal information for a business purpose, we enter a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except performing the contract. The CCPA prohibits third parties who purchase the personal information we hold from reselling it unless you have received explicit notice and an opportunity to opt-out of further sales.

Disclosures of Personal Information for a Business Purpose
In the preceding twelve (12) months, Inshura has disclosed these categories of personal information for a business purpose to the listed categories of third parties:

  1. Identifiers:
    1. Categories of Third Parties: Service providers; employers (when applicable); insurance companies and agents; affiliates, parents, and subsidiary organizations of Inshura; and CMS and other government entities.
  2. California Customer Records personal information categories:
    1. Categories of Third Parties: Service providers; employers (when applicable); insurance companies and agents; affiliates, parents, and subsidiary organizations of Inshura; and CMS and other government entities.
  3. Protected classification characteristics under California or federal law:
    1. Categories of Third Parties: Service providers; employers (when applicable); insurance companies and agents; affiliates, parents, and subsidiary organizations of Inshura; and CMS and other government entities.
  4. Commercial information:
    1. Categories of Third Parties: Service providers; employers (when applicable); insurance companies and agents; affiliates, parents, and subsidiary organizations of Inshura; and CMS and other government entities.
  5. Internet or other similar network activity:
    1. Categories of Third Parties: social media companies, Internet cookie information recipients, such as analytics and behavioral advertising services.
    2. Professional or employment-related information:
    3. Categories of Third Parties: Service providers; employers (when applicable); insurance companies and agents; affiliates, parents, and subsidiary organizations of Inshura; and CMS and other government entities.

Sales of Personal Information
In our general Privacy Notice, we do not sell your personal information as the term “sell” is commonly understood to require an exchange for money. However, the California State Attorney General may issue guidance on whether the use of advertising and analytics cookies on our Website may be considered a “sale” of Personal Information as the term “sale” is broadly defined in the CCPA to include both monetary and other valuable considerations. Until such guidance has been issued, we continue to consider it a “sale” (subject to the below exceptions) to be transparent with users of our Website and will comply with the restrictions of the “sale” of this information to the extent technologically feasible. [This “sale” would be limited to our use of third-party advertising and analytics cookies and their use in providing you behavioral advertising and their use in understanding how people use and interact with our Website(s).]

However, the CCPA does not consider disclosure to a third party when you use or direct us to intentionally disclose personal information or to interact with the third party as a “sale” of personal information, provided that the third party does not further “sell” your personal information. We consider no information that you provide to us to disclose it to insurance companies and agents to receive a quote or enroll in their insurance programs as a “sale” and will not be subject to the obligations below.

In the preceding twelve (12) months, Inshura has “sold” these categories of personal information to these categories of third parties for monetary or other valuable consideration:

  • Internet or other similar network activity:
  • Categories of Third Parties: Advertisers and advertising networks, Social media companies, Internet cookie information recipients, such as analytics and behavioral advertising services.

Your Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding their personal information. This section describes your CCPA rights and explains how to exercise those rights. You may exercise these rights yourself or through your authorized agent.

Access to Specific Information and Data Portability Rights
You may request that Inshura disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will disclose to you.

The categories of personal information we collected about you:

  • Our business or commercial purpose for collecting or selling that personal information.
  • The categories of sources for the personal information we collected about you.
  • The categories of third parties with whom we share that personal information.
  • The specific pieces of personal information we collected about you (also called a data portability request). We will not disclose your social security number, financial account number, health insurance or medical identification number, or your account password or security question or answers. We will also not provide specific pieces of personal information if the disclosure would create a substantial, articulable, and unreasonable risk to your personal information, your account with Inshura, or the security of our systems or networks.
    • If we sold or disclosed your personal information for a business purpose, two lists disclosing:
    • sales, identifying the personal information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the personal information categories that each category of recipient obtained.
  • We do not provide these access and data portability rights for B2B personal information.
  • Deletion Request Rights
  • You may request that Inshura delete any of your personal information we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Data Portability, and Deletion Rights), we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies.
  • We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
    • Complete the transaction for which we collected the personal information, provide a good or service you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you.
    • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
    • Debug products to identify and repair errors on our Website that impair existing intended functionality.
    • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.
    • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
    • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you provided informed consent.
    • Enable solely internal uses reasonably aligned with your expectations based on your relationship with us.
    • Comply with a legal obligation.
    • Make other internal and lawful uses of that information compatible with the context in which you provided it.
  • We do not delete rights B2B personal information.
  • Exercising Access, Data Portability, and Deletion Rights
  • To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:
    • Calling us at [provide number]
    • Emailing us at [Support@Inshura.com

    If you (or your authorized agent) submit a request to delete your information online, we will use a two-step process to confirm that you want your personal information deleted. This process may include verifying your request through your email address on record, calling you on your phone number on record (which may include the use of an automated dialer), sending you a text message and requesting that you text us a confirmation, or sending you a confirmation through US mail.

    If you fail to make your submission under the ways described above, we may either treat your request as if it had been submitted with our methods described above, or provide you with information on how to submit the request or remedy any deficiencies with your request.

    Only you, or your agent you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child, where applicable. To designate an authorized agent, see Authorized Agents below. We may request additional information so we may confirm a request to delete your personal information.

    You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

    • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. This may include:
      • We will verify you against confidential information we have on file.
    • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

    We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

    For instructions on exercising sale opt-out rights, see Opt-Out and Opt-In Rights.

    Authorized Agents
    You may authorize your agent to exercise your rights under the CCPA on your behalf by registering your agent with the California Secretary of State. You may also provide your authorized agent with power of attorney to exercise your rights. If you authorize an agent, we may require that your agent provide proof they have been authorized to exercise your rights on your behalf. We may request that your authorized agent submit proof of identity We may deny a request from your agent to exercise your rights on your behalf if they fail to submit adequate proof of identity or adequate proof they have the authority to exercise your rights.

    Response Timing and Format
    We will respond to a verifiable consumer request within ten (10) days of its receipt. We will generally process these requests within forty-five (45) days of its receipt. If we require more time (up to 45 days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option.

    Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information readily usable and should allow you to transmit the information from one entity to another entity without hindrance.

    We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

    Opt-Out (meaning “Do Not Sell My Personal Information”) and Opt-In Rights Regarding the “Sale” of Your Personal Information
    If you are 16 years of age or older, you may direct us to not sell your personal information at any time (the “right to opt-out”). We do not sell the personal information of consumers we actually know are less than 16 years of age, unless we receive affirmative authorization (the “right to opt-in”) from either the consumer who is between 13 and 16 years of age, or the parent or guardian of a consumer less than 13 years of age. Consumers who opt-in to personal information sales may opt-out of future sales.

    To exercise the right to opt-out, you (or your authorized representative) may click here, or you may adjust your cookie preferences by setting your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. However, if you do not consent to our use of cookies or select this setting you may not access certain parts of our Website or other websites. You can find more information about cookies at http://www.allaboutcookies.org and http://youronlinechoices.eu.

    Non-Discrimination
    We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

    • Deny you goods or services.
    • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
    • Provide you a different level or quality of goods or services.
    • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

    Changes to This California Privacy Addendum
    Inshura reserves the right to amend this California Privacy Addendum as described in our Privacy Notice. Your continued use of our Website following posting changes constitutes your acceptance of such changes.

    Contact Information
    If you have any questions about this California Privacy Addendum, how Inshura collects and uses your information described above and in the Privacy Notice, your choices and rights regarding such use, please contact us through the contact information provided in the Privacy Notice.