Your privacy is important and we go to great lengths to protect it. This privacy notice tells you about the personal data we hold about you and explains how we collect, use and share your details. It also tells you about your rights under data protection laws.
Some of the personal information we collect is for vehicle insurance only, so you won’t be asked for all of the information detailed here if you’re applying for home insurance.
Here at Hastings Group Holdings plc, we'll always treat your personal data with respect and our products and services are designed with your privacy in mind.
Hastings Group Holdings plc consists of the data controllers Hastings Insurance Services Ltd and Advantage Insurance Company Ltd. You can find Advantage's privacy notice here.
We are Hastings Insurance Services Limited (also referred to as 'Hastings Direct', 'we', 'us' or 'our') and our registered office is at Conquest House, Collington Avenue, Bexhill-on-Sea, East Sussex, TN39 3LW.
Our ICO registration number is Z7677970.
This is information relating to you as an individual that's linked to your name or any other way you can be identified, such as your driving licence number or your insurance policy number.
Certain types of personal information are considered to be special categories of information, due to their more sensitive nature. Sometimes we'll ask for (or obtain) special categories of information because it's relevant to your insurance policy or claim. For example, to assess risk correctly, we'll ask you about previous motoring convictions. This privacy notice highlights where we're likely to obtain special categories of information and the grounds on which we process this data. We'll only process special categories of information (e.g. information about your health and criminal convictions) if they're relevant.
The personal information we collect will depend on our relationship with you. We've included a number of sections below – simply read those which most apply to your relationship with us.
- Use of our website
What personal information we'll collect and where we'll collect it from
We use various software (including cookies) to improve your digital journey and to identify and prevent fraud. We collect and store information about how you access and use our website, app and MyAccount (including the website you visited before coming to ours). We automatically receive the IP address of your computer, mobile device or the proxy server you use to access the internet and this may include information to identify your browser or device to analyse web traffic.
Fraud prevention cookies collect information about certain features of your device, such as your IP address, device type, browser type, screen resolution and operating system. This is to prevent and detect devices associated with fraudulent or other malicious activity and allows us to authenticate your account.
What we'll use your personal information for
We may process your personal information for a number of different purposes. We must have a legal ground for each purpose and we'll rely on the following ground:
- We have a legitimate interest to use your personal information (e.g. maintaining our business records, monitoring usage of our website, marketing our services, and improving our business model and services). When using your personal information in this way, we have considered your rights and ensured our business need doesn't cause you harm.
Here's how we use your personal information and the legal grounds we rely on:
|Type of processing||Grounds for using personal information||Grounds for special categories|
|Communicating with you and responding to any enquiries you have||We have a legitimate interest (to communicate with you or to respond to any enquiries)||We won't process your special categories of information for this purpose.|
|Monitoring usage of our website||We have a legitimate interest (to assess usage of our website)||We won't process your special categories of information for this purpose.|
Sometimes we'll transfer the personal information we collect about you to countries outside of the European Economic Area ('EEA').
When a transfer happens we'll take steps to make sure your personal information is protected. We'll do this using a number of different methods including:
- Only transferring data to countries that have been deemed by the EU as having adequate privacy legislation, so transferring data to them is considered equivalent to processing within the EU. You can find out more about adequacy status at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.
- Establishing appropriate contracts. We'll use a set of contract wording known as the 'standard contractual clauses' which has been approved by the data protection authorities.
- Transferring personal data only to those companies in the United States who are certified under the 'Privacy Shield'. The Privacy Shield is a scheme under which companies certify they provide an adequate level of data protection. You can find out more about the Privacy Shield at: https://www.privacyshield.gov/Individuals-in-Europe.
You may also give your permission for us to contact you when you visit a price comparison site for an insurance quote. This would be because our product featured in the top few providers with the most competitive price and you wanted us to contact you.
You're free to object to receiving any marketing material and can edit your marketing preferences at any time. To opt out of marketing communications please click 'unsubscribe' on any marketing message we send you or change your preferences in MyAccount. You can also call us.
We have a legitimate interest to be able to contact you to discuss how your policy (or your claim) is being administered. This form of contact falls outside of your marketing preferences and must continue so we can provide you with a policy effectively. This will never include marketing material and all information will be strictly related to your policy or claim.
We'll keep your personal information for as long as reasonably necessary to fulfil the purposes set out in section three above and to comply with our legal and regulatory obligations. We have a detailed retention policy in place which governs how long we'll hold different types of information for. The exact time period will depend on the purpose for which we collect that information, for example:
|Policies, including driving data:||Seven years after a policy expires and no further action on the policy is required.|
|Claims:||Seven years after a claim has been closed unless there are extenuating circumstances requiring the claim to be held for longer.|
In some circumstances, depending on the nature of your policy and any claims made under it, data may be kept for a further period. These circumstances could be:
- Where children are involved in a claim.
- Where there is a claim on your policy over a set amount - we use such personal data to inform our pricing models after the claim is finally determined.
In the circumstances of the prevention or detection of crime and the apprehension or prosecution of offenders, Hastings Insurance Services Limited and agencies can hold your personal data for different periods of time and, if you're considered to pose a fraud or money laundering risk, your data can be held for up to six years.
If a human is involved in the decision at any point it is not considered an automated decision. When deciding whether to offer an insurance policy, we use automated processing. The process considers the information you provide us, as well as information from other sources such as search tools. These are used to determine whether your application for insurance can be accepted and what the price of the policy should be. The automated decisions include:
- The creation of pricing models and risk acceptance criteria.
- The application of the pricing and risk models using data we hold about you, to accept or decline your request for insurance and to calculate the price of your policy.
- Assessing your ability to pay the insurance premiums and/or credit.
- Assessing the risk of fraud being committed on your policy.
This means we may automatically decide you pose a fraud or money laundering risk. We do this if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.
If we, or a fraud prevention agency, determine you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or we may stop providing existing services to you. A record of any fraud or money laundering risk will be kept by the fraud prevention agencies and may result in others refusing to provide services, financing or employment to you.
Under data protection law you have a number of rights in relation to the personal information we hold about you. You can exercise these rights by contacting us. We won't usually charge you in relation to a request.
|The right to access your personal information||You're entitled to a copy of the personal information we hold about you and certain details of how we use it. We'll usually provide your personal information to you in an email unless you request otherwise.|
|The right to rectification||We take reasonable steps to make sure the information we hold about you is accurate and, where necessary, up-to-date and complete. If you believe there are any inaccuracies, discrepancies or gaps in the information we hold about you, you can contact us and ask us to update or amend it.|
|The right to erasure||This is sometimes known as the 'right to be forgotten'. It entitles you, in certain circumstances, to request your personal information be deleted. For example, where we no longer need your personal information for the original purpose we collected it for or where you have exercised your right to withdraw consent. While we will assess every request, there are other factors that will need to be taken into consideration. For example, we may not be able to erase your information as you've requested because we have a regulatory obligation to keep it.|
|The right to restriction of processing||In certain circumstances, you're entitled to ask us to stop using your personal information, for example where you think the personal information we hold about you may be inaccurate or where you think we no longer need to use your personal information.|
|The right to data portability||In certain circumstances, you can request we transfer personal information you've provided to us to a third party.|
|The right to object to marketing||You have control over the extent to which we market to you and the right to request we stop sending you marketing messages at any time. You can do this either by clicking on the 'unsubscribe' link or button in any email we send you or by contacting us using the details set out in section 10. Even if you exercise this right because you do not want to receive marketing messages, we may still send you service related communications where necessary.|
|The right to object to processing||In addition to the right to object to marketing, in certain circumstances you'll also have the right to object to us processing your personal information. This will be when we're relying on there being a legitimate interest to process your personal information. In some circumstances, we will not be able to cease processing your information, but we'll let you know if this is the case.|
|Rights relating to automated decisions||If you've been subject to an automated decision and don't agree with the outcome, you can ask us to review it.|
|The right to withdraw consent||Where we rely on your consent in order to process your personal information, you have the right to withdraw such consent to the further use of your personal information. We'll advise you of this at the point of collection of your data.|
|The right to lodge a complaint with the ICO||You have a right to complain to the Information Commissioner's Office if you believe that any use of your personal information by us is in breach of applicable data protection laws and/or regulations. More information can be found on the Information Commissioner's Office website. This will not affect any other legal rights or remedies that you have.|
There may be some circumstances where we cannot comply with your request. For example, we would not be able to agree to your request if it would mean we couldn't comply with our own legal or regulatory requirements. In these instances, we'll let you know why we cannot agree to your request.
The protection of your personal data is very important to us. We take a number of technical and procedural measures to protect personal data. For example:
- Where we capture your personal information through our website, we'll do this over a secure link using recognised industry standard technology (SSL) which encrypts data that's transmitted over the internet. Most browsers will indicate this by displaying a padlock symbol on the screen.
- We prevent unauthorised electronic access to our servers by use of suitable firewalls and network security measures. We use strong internal antivirus and malware monitoring tools and conduct regular vulnerability scans to protect our internal infrastructure and also to protect communications we may send you electronically. Our servers are located in secure datacentres that are operated to recognised industry standards. Only authorised people are allowed entry and this is only in certain situations.
- When you pay for a product by credit card, your card details are protected in accordance with the industry standard security practice called PCI DSS which includes the encryption of cardholder data if transmitted over the internet.
- We make sure only authorised people within our business have access to your data. We do regular checks to validate that only the correct people have access. We promote responsible access to data and segregate who can see what data within the organisation.
- Internally we have password policies in place which ensure passwords are strong and complex and are changed regularly.
- We use secure email exchange where necessary for sensitive data and have security monitoring on all email we send and receive.
- We schedule periodic checks of all security measures to ensure they continue to be efficient and effective, taking into account technological developments.
You can contact our Data Protection Officer if you want to exercise the rights set out above or if you have any questions about how we collect, store or use your personal information.
Please write to: The Data Protection Team, Hastings Insurance Services Limited, Conquest House, Collington Avenue, Bexhill-on-Sea TN39 3LW
Call Hastings Direct Insurance on 0333 321 9801.