
Customer Privacy Notice

TABLE OF CONTENTS

A. GENERAL INFORMATION
I. Person responsible
II. Data Protection Officer
III. Information security & data protection-friendly default settings

  1. Information security
  2. Privacy-friendly default settings

B. YOUR DATA PROTECTION RIGHTS

I. Information & Access, Art. 15 GDPR
II. Correction, Art. 16 GDPR
III. Deletion, Art. 17 GDPR
IV. Restriction, Art. 18 GDPR
V. Transfer, Art. 20 GDPR
VI. Objection, Art. 21 GDPR
VII. Revocation, Art. 7 GDPR
VIII. Complaint, Art. 57 GDPR
C. PROCESSED DATA
D. DATA PROCESSING BASED ON YOUR CONSENT
E. DATA PROCESSING FOR CONTRACT EXECUTION
General information about our cooperation partners and data transfer
F. USES OF PERSONAL DATA
G. LAWFUL BASIS FOR USES OF PERSONAL INFORMATION
H. DURATION OF DATA STORAGE IN GENERAL

A. GENERAL INFORMATION

In this section, you will learn who is responsible for processing your data, who you can contact with questions and complaints about data protection, how to contact our data protection officer, how we protect your data, and how you can generally protect your data.



I. Person responsible

The responsible body for the collection and use of your personal data on our online platform and when using our service within the meaning of data protection laws is:

Candid Insurance Services Ltd (“the Company”) of which ”TOM.co.uk” is a trading style. The Company is registered at 920 Hempton Court, Aztec West, Almondsbury Bristol BS32 4SR with company registration number 7279489. We can be contacted at this address, via email at yourdata@tom.co.uk or via this website.

We are a policy distributor and broker supporting people to purchase long term insurance products including life insurance, serious illness cover and income protection. We are also a broker for private medical insurance. We are authorised and regulated by the Financial Conduct Authority (FCA).

If you have any questions about the collection and use of data, you can contact us at any time.


II. Data Protection Officer

If you have any questions or suggestions regarding data protection, please feel free to contact us directly by email at yourdata@tom.co.uk. You can reach our group data protection officer directly at clark@isico-datenschutz.de.

III. Information security & data protection-friendly default settings

1. Information security

CLARK maintains a high standard of personal data protection. We are committed to the secure and confidential processing of personal data relating to customers, website and App users and other stakeholders.

Data we collect is:

  • fair and used exclusively for legitimate purposes
  • protected against unauthorized or unlawful access by internal or external parties
  • not transmitted externally without legal basis
  • not kept longer than necessary

We take the following measures to ensure the protection of your personal data:

  • We restrict access to personal data and constantly monitor it
  • Our employees are trained in the implementation of personal and technical protective measures
  • Within the scope of data processing by our service providers, we agree on contractual clauses that bind them as data processors to the level of data protection specified by us.
  • We take current security measures to prevent cyber attacks and data breaches.

We have implemented an internal control system to ensure that the necessary measures are appropriate and effective at all times. This control system is based on the applicable requirements of the ISO 27001 and is regularly reviewed. To protect your personal data, we guarantee cybersecurity and fair data processing.

2. Privacy-friendly default settings

This website uses a number of cookies for different reasons. We explain these in this policy. Before we can use some – but not all – of these cookies, we need your consent. This Cookie Policy will be reviewed periodically and, in any event, if there is a change in laws and regulations.

What are cookies?

Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Software on your device, for example a web browser, stores the cookies and sends them back to a website next time you visit. Cookies allow websites to recognise your device and preferences, and provide information to the owners of sites which can be used to improve your online experience.

To remove or clear existing cookies or similar technologies from other sites, you can set privacy-friendly preferences in your browser or use certain opt-out options.

Here are some steps you can take:

  1. Delete cookies: Most browsers offer the option to delete stored cookies. To do this, go to your browser’s settings and look for the privacy or data protection section. There you will normally find an option to manage and delete cookies.
  2. Use incognito/private mode: Many browsers have an incognito or private mode that limits the use of cookies and other data while browsing. You can enable this mode to prevent new cookies from being saved.
  3. Use browser extensions: There are various browser extensions and add-ons available to help block or control tracking by cookies and similar technologies. Find extensions compatible with your browser and install them according to the provider’s instructions.
  4. Use opt-out options: We use third party software “OneTrust” that manages our website cookies. OneTrust provides a cookie consent banner that provides detailed information on the cookies that operate on this website. It also allows you to switch on or off the cookies that apply, giving you control over your browsing experience for this site.

The types of cookies that we use

(i) Necessary Cookies

We use necessary cookies to operate the core functions of our website, so that you may visit and move around it, and use its features. We do not require your consent to use these cookies but you may be able to block these cookies yourself on your device/browser (see the section below “How to Manage Your Cookies” for further information). However, without these cookies, our site is unlikely to work as you would expect and certain services that you may ask for, for example, signing into your online account, cannot be provided.

Where we process ‘personal data’ using these necessary cookies, we do so on the basis of our legitimate interests to provide a website for visitors to use and to promote our business.


(ii) Analytics Cookies

Analytics cookies are used by us for statistical analysis purposes. This helps us to understand how visitors use and move around our website, and to make improvements and adaptations to our website to best meet our visitors’ needs.

Our analytics cookies may also collect information about your browser type and settings, device type and settings, operating system and mobile network. This information is used to distinguish you from other visitors to our site, but it cannot be used to identify you as a named individual.

We will only set these types of cookies where you have provided us with your consent to do so via the cookie consent banner. Where we process your personal information using these types of cookies, we do so on the basis of that consent.
Rejecting our analytics cookies will prevent us from collecting the data described above to improve our site for you and other visitors. The performance and functionality of our site will however not be affected.


(iii) Advertising cookies

We use cookies from those third parties’ sites on our own website to:
– provide us with anonymised demographics and browsing activity information of the logged-in visitors to our own website;
– help us to tailor our advertising on the websites of those third parties to previous logged-in visitors to certain pages of our own site;
– and help us measure the effectiveness of our advertising.

We will only set these types of cookies where you have provided us with your consent to do so via the cookie consent banner. Where we process your personal information using these types of cookies, we do so on the basis of that consent.


How to manage Cookies

You can use the cookie consent banner to control the cookies that apply to this website. Web browsers also give users control over what cookies are stored, but each works slightly differently. The links below cover commonly used web browsers and explain how to delete and manage cookies in each.


Google Chrome – https://support.google.com/chrome/answer/95647?hl=en


Microsoft Edge – https://support.microsoft.com/en-gb/windows/microsoft-edgebrowsing-data-and-privacy-bb8174ba-9d73-dcf2-9b4a-c582b4e640dd


Mozilla Firefox – https://support.mozilla.org/en-US/kb/third-party-cookies-firefox-tracking-protection


Safari (iPhone) – https://support.apple.com/en-gb/HT201265


Safari (Mac) – https://support.apple.com/en-gb/guide/safari/sfri11471/mac


Samsung Internet (mobile) – https://www.samsung.com/uk/support/mobiledevices/what-are-cookies-and-how-do-i-enable-or-disable-them-on-mysamsung-galaxy-device/


B. YOUR DATA PROTECTION RIGHTS

In this section you can find out what data protection rights you have. These rights include, among others, the right to information about the data stored about you, the right to rectification, and – if the legal requirements are met – the right to erasure of your data. Whenever we ask for your consent to process your data, you also have the right to withdraw your consent at any time and without giving reasons.

I. Information & Access, Art. 15 UK GDPR
According to Art. 15 GDPR, you have the right to request information about our processing of your personal data at any time. When providing this information, we will explain our data processing and provide you with an overview of the data stored about you.

We inform you about:

  • the purpose of processing
  • the categories of personal data
  • Recipients or categories of recipients of personal data
  • the planned duration of storage (or the criteria for determining it)
  • the existence of your rights against processing
  • whether we process data that we have not collected from you and where it comes from
  • the existence of automated decision-making


If you request information about your data, we will provide you with comprehensive information about how your data is processed, where it comes from and where it goes.


Data Subject Access Request

If you wish to request a copy of your data, please submit your request in writing/email to the Company, including sufficient information to enable us to identify you and search for any appropriate data. Our contact details are set out in the first paragraph of this privacy policy.


II. Correction, Art. 16 UK GDPR
If data stored by us is incorrect or no longer up to date, you have the right to have this data corrected in accordance with Art. 16 GDPR.

We will respond to your request promptly.

When making a correction, you can send us the correct data, and we will take care of the rest.

III. Deletion, Art. 17 UK GDPR

According to Art. 17 GDPR, you can also request the deletion of your data if one of the following situations applies.

  • The data is no longer necessary for the purpose for which it was collected
  • You have withdrawn your consent to processing and there is no other legal basis
  • You have objected to the processing pursuant to Art. 21 (1) or (2) GDPR (see below)
  • Your data was processed unlawfully
  • Under Union or Member State law, erasure is necessary to comply with a legal obligation

If deletion is exceptionally not possible due to other legal provisions, the data will be blocked so that it is only available for this legal purpose.

If we store data unlawfully, we will of course delete it immediately!


IV. Restriction, Art. 18 UK GDPR
You can also restrict the processing of your data in accordance with Art. 18 GDPR if you believe that the data we have stored is incorrect, the processing is unlawful, the personal data is no longer required for the purpose or you have lodged an objection.

While we review your aforementioned rights, you can request that processing be restricted.


V. Transfer, Art. 20 UK GDPR
Furthermore, according to Art. 20 GDPR, you have the right to request that we transfer the data concerning you in the form of a digital copy if you have consented to the data processing (Art. 6 I lit. a GDPR) or if it is based on a contract existing between us (Art. 6 I lit. b GDPR).

If you request the transfer of the data you have provided to us, we will provide it to you in a portable format.


VI. Objection, Art. 21 UK GDPR
To the extent that we process your data based on legitimate interests pursuant to Art. 6 (1) (f) GDPR, you have the right to object to the processing of your data pursuant to Art. 21 GDPR, provided there are reasons for doing so that arise from your particular situation or if the objection is directed against direct marketing. In the latter case, you have a general right of objection, which we will implement even without you providing reasons.
If you object, we will check whether we have compelling reasons for processing your data. If this is not the case, we will no longer process your data.


VII. Revocation, Art. 7 UK GDPR

According to Article 7 (3) (1) GDPR, you have the right to revoke your consent at any time by sending a message to yourdata@tom.co.uk. This means that we will no longer continue the data processing based on this consent in the future. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent until the revocation, Article 7 (3) (2) UK GDPR. If you withdraw your consent, we will stop the data processing based on it.


VIII. Complaint, Art. 77 UK GDPR

If you are dissatisfied with this policy, have queries about our data protection procedures or wish to lodge a complaint, please contact us in the first instance at complaints-uk@clark.io. Independently, you have the right to submit a complaint to the Company’s Supervisory Authority, the Information Commissioner’s Office (ICO), which can be contacted via the following methods:


ICO Contact Details

Address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Website:
www.ico.org.uk
Helpline:
0303 123 1113

C. PROCESSED DATA

In order to perform our duties, we process your personal data. This includes information that allows us to identify you personally, such as your name, telephone number, address, or email address. Statistical data that cannot be linked to you personally does not fall under the definition of personal data.

As a broker, we need to process certain information about you:

First, we need your Contact details:

  • Name, address, date of birth, age
  • Telephone number, e-mail address
  • Bank details

You will provide us with this information when you register.

We also process the following personal data:

  • Gender
  • Marital status
  • Profession, status (FT, PT), address of employer and salary
  • Special categories of data (e.g. health data)
  • Smoking status
  • Current insurance situation
  • Family situation (partner, children)
  • Living situation (current and planned)
  • Hobbies and interests
  • Pets
  • Other personal/financial circumstances, care requirements

You will provide us with this information as part of our needs, requirements and identification check.

In addition, we process your Insurance details:

  • Application data (data you provide when applying for insurance)
  • Contract data for a specific contract (such as insurance policy number, insured amount, term, premium, risk, investment amounts, loan amounts)
  • Benefit data (insurance claims, data at the time of occurrence of the claim or benefit event)

You share this data with us in the course of taking over or managing a brokerage mandate. If we take over an existing brokerage mandate, we will also receive the data from the insurers, with your consent.


We also collect your Usage data:

  • Interactions on the website and app or with emails (clicks, etc.)
  • Visits to the websites and apps (which ones were accessed?)
  • Time spent on websites and apps (how long did you view a page)
  • Source page (ref URL)
  • Time and date, e.g. of accessing our website or emails


We collect this data when you use our website and app.

Finally, we collect the following Device, browser and location data:

  • Operating system of your device (e.g. Windows, Android or iOS)
  • Model of your device (e.g. iPhone, Samsung Galaxy)
  • Settings of your device, e.g. screen resolution
  • Browser settings e.g. language setting, time zone, installed plugins and fonts
  • IP addresses
  • Your location (we do not use GPS data, but only the information derived from the IP address).

We collect this data when you use our website and app.

D. DATA PROCESSING BASED ON YOUR CONSENT

We require your consent if we process special categories of personal data as defined in Art. 9 UK GDPR. This includes, for example, information about your health status. We need this information if we advise you on insurance products, particularly when processing claims for health and liability insurance.

Therefore, we ask for your consent if you decide to purchase a corresponding product. You can revoke your consent at any time in the future by sending a message to yourdata@tom.co.uk.

We may also require your consent to send you marketing and/or advertising information.

This consent is voluntary. You can use our services without it. Furthermore, you can revoke your consent at any time. This will not affect the legality of the processing up to the time of revocation.


E. DATA PROCESSING FOR CONTRACT EXECUTION

In this section, we will inform you about the processing of your data in connection with the initiation and/or processing of an insurance contract with us. You will learn which data categories we process for which purposes, the legal basis under the General Data Protection Regulation (“GDPR”) on which we base this, and with whom we share your data, e.g., service providers who provide us with technical support, or broker pools and insurers. Finally, you will also learn how long we retain your data. This period is determined by the terms of use. We will also inform you there about the data processing used to send our newsletter and other marketing communications.

General information about our cooperation partners and data transfer


In connection with the purposes set out above, we will sometimes share Personal data with companies within the CLARK Group and third parties, including:

  • Insurance brokers, financial advisers and business partners who help us arrange, manage and underwrite our products and who provide insurance services;
  • Other insurers (either directly or via those acting for the insurer);
  • Our insurers or reinsurers (either directly or through insurance brokers), who provide reinsurance services to us and each other in respect of risks underwritten by the Company, or insurers who cover the Company under our group insurance policies. We can supply on request further details of the insurers and reinsurers we provide your Personal Information to and how this may be used. If you require further details, please contact us;
  • Third parties who provide you with certain services including assistance providers;
  • Third parties in relation to the relevant insurance policy or claim e.g. experts and in limited circumstances, private investigators;
  • Legal advisers, accountants, auditors, financial institutions and professional service firms who act on our or your behalf;
  • Data analysts and providers of data services who support us with developing our products and prices and measuring the effectiveness of marketing;
  • Third parties that help us maintain the accuracy of our data e.g. identifying individuals who are deceased, updating contact details for individuals who have moved and payment card providers who provide us with updated payment card details;
  • Financial crime detection agencies, sanctions checking providers and third parties who maintain fraud detection databases or provide assistance with investigation in cases of suspected fraud;
  • Regulators who regulate how we operate, including the FCA, PRA, FOS, HMRC, ICO and the Advertising Standards Agency;
  • Government agencies and regulatory bodies including the police, courts and DWP;
  • Debt advisors where breathing space is requested on outstanding debts;
  • Insurance industry bodies, including the Association of British Insurers;
  • Service providers, including those who help operate our IT and back office systems, underwriting and claims processes and our information security controls;
  • Third party payment service providers, who process card and other payments for us.
  • Medical professionals, if we need to access health records or assessments for the purposes of arranging and underwriting certain products or facilitating and handling claims;
  • Clinicians, including hospitals and third party case managers from whom you and others covered under the policy receive insured treatment or who manage your care or treatment pathway;
  • Research agencies and providers of market research services, including customer feedback surveys;
  • Providers of marketing and advertising services, including delivering and administering marketing, ensuring you receive marketing content that’s relevant to you and in accordance with your preferences and analysing marketing campaigns. These may include media agencies, fulfilment partners, social media and other online platforms and advertising technology companies.
  • Third parties in connection with any sale, transfer or disposal of our business.

The information you will be asked for will include details about your medical history, which is essential to enable a broker to provide you with an accurate life insurance quote. TOM.co.uk and any trusted third parties who wish to provide a quote to you will then need to process the personal data provided by you for administration purposes, to enable quotes to be provided to you and, if you decide to proceed with the purchase of a policy, as reasonably required to provide life insurance to you.

F. USES OF PERSONAL DATA

The main purposes for which we use Personal data are to:

  • Communicate with you and other individuals;
  • Make assessments and take decisions, including whether to provide you with our products and services
  • Provide our products and services, including insurance administration, taking payment, making changes where requested or necessary, claims assessment, settlement and dispute resolution and the provision of our apps and other technologies e.g. Polly, TOM apps
  • Manage relationships with third parties, e.g. advisers and service providers;
  • Prevent, detect and investigate fraud and other crime, including by carrying out fraud, sanctions and anti-money laundering checks.
  • Improve our products and services, provide staff training and maintain information security, including by recording and monitoring telephone and online calls and screen sharing sessions;
  • Provide marketing information and run promotions in accordance with preferences you have expressed.
  • Help us better understand our customers and improve our customer engagement, including noting your interest in our website, understanding your customer journey, and use of profiled data (which is not actual information about you but predictions about you, e.g. assumptions about your interests based on the preferred leisure pursuits of households in your area). This allows us to make correlations about our customers to improve and promote our products and to suggest other products, services and information which may be relevant or of interest to customers;
  • Carry out data analysis, including to ensure data accuracy and quality and for insurance risk modelling and product and pricing refinement.
  • Manage complaints, including to allow us to respond to any current complaints, or challenges you or others might raise later, for internal training and monitoring purposes and to help us to improve our complaints handling processes. We may be obliged to forward details about your complaints, including your Personal data to the appropriate authorities, e.g. Financial Ombudsman Service
  • Manage feedback and queries, and handle requests to exercise data subject rights.
  • Manage our business operations, including by carrying out internal audits, quality assurance and training, financial analysis and accounting, producing management information and performing administrative activities in connection with the services we provide;
  • Manage commercial risk, including by taking out and maintaining appropriate insurance and reinsurance;
  • Comply with applicable legal, regulatory and professional obligations, including cooperating with regulatory bodies e.g. the FCA, PRA, ICO and government authorities, to comply with law enforcement and to manage legal claims;
  • Identify and support customers requiring additional support, to help us better meet your needs and to comply with regulatory guidance about how we meet your needs. Sometimes you or a third party may tell us that you have additional support requirements, and in other cases we may infer this from your Personal Information and our interactions with you;
  • Establish, enforce and defend our legal rights or those of third parties, including enforcing our terms and conditions, pursuing available remedies and limiting our damages;
  • Carry out activities that are in the public interest, e.g. we may need to use Personal data to carry out anti-money laundering checks;
  • Buy, sell, transfer or dispose of any part of our business;
  • Archiving, scientific or historical research or statistical purposes.

G. LAWFUL BASIS FOR USES OF PERSONAL INFORMATION

We are committed to collecting and using Personal data in accordance with applicable data protection laws. By law, we must have a legal justification, known as a lawful basis, in order to use your Personal Information for the purposes described in this Privacy Policy. Depending upon the purpose, our lawful basis will be one of the following:

  • Performance of a contract – to arrange, underwrite or manage our products, or handle claims in accordance with their terms;
  • Compliance with a legal obligation – to meet responsibilities we have to our regulators, tax officials, law enforcement, or other legal responsibilities;
  • Legitimate interests – to operate and improve our products and services and keep people informed about our products and services or for any other purposes we identify as appropriate to our business needs, or those business needs of a third party;
  • Consent – where we have obtained appropriate consents to collect or use your Personal Information for a particular purpose.

Where we rely on legitimate interests as our lawful basis, we are required to carry out a balancing test to ensure that our interests, or those of a third party, do not override the rights and freedoms that you have as an individual. The outcome of this balancing test will determine whether we can use your Personal Information for the purposes described in this Privacy Policy. Where we rely on the lawful basis of legitimate interests, the interests being relied upon will usually be:

    • To further our business and commercial activities and objectives, or those of a third party, e.g., to provide our products and services and produce management information on our performance and the performance of third parties;
    • To help us better understand our customers and improve our customer engagement and marketing campaigns including by carrying out analysis and profiling, e.g. by making certain predictions and assumptions about your interests;
    • To send you marketing information in accordance with your preferences, e.g. about other products and services we offer, and to administer promotions that you enter;
    • To provide you with helpful information relating to your products and about useful tools for managing and engaging with your products, e.g. the Polly, TOM apps. These are not marketing communications;
    • To comply with our legal and regulatory obligations, guidelines, standards and codes of conduct, e.g., background checks or the prevention, detection and investigation of financial crime or fraud;
    • To improve and develop our business, products and services, or those of a third party, e.g. to ensure the accuracy of customer data and to develop our pricing and risk methods and models;
    • To retain your policy record for a period of time in order to ensure we have appropriate records in place in respect of any future claims that may be insured by us;
    • To safeguard our business, shareholders, employees and customers, or a third party, e.g., maintaining the security of our IT network and information, enforcing claims, including debt collection;
    • To facilitate the purchase, sale, transfer or disposal of any part of our business; and
    • To analyse and assess competition in the market for our products and services, e.g., by carrying out market research.

H. DURATION OF DATA STORAGE IN GENERAL

Information on the storage of information when using the CLARK website/app

How long we store the data we collect varies and depends on what data it is and for what purpose we use it.

Some data you can delete yourself. Some data is automatically deleted after a certain period of time or anonymised. In some cases, your data will only be deleted when your account is deleted or your contract with us ends.

We keep records, which may include your personal data – to meet legal, regulatory, tax or accounting needs. For example, we are required to retain an accurate record of your dealings with us, so we can respond to any complaints or challenges you or others might raise later. We’ll also retain files if we reasonably believe there is a prospect of litigation. The specific retention period for your Personal Information will depend on your relationship with us and the reasons we hold your Personal Information and we have carefully considered different retention periods that apply to each data category.

Our third parties are also subject to these regulations but we recommend that you check their privacy policies separately. This is to ensure that you do not inadvertently agree to authorise the use of your personal data in a manner you would not wish to have done, as your arrangements with these third parties are separate from your arrangements with us.

To support us in managing how long we hold your data and our record management, we maintain a data retention policy which includes clear guidelines on data retention and deletion.

If you would like more information about our data retention policy, please contact us.
