Charity First Insurance Services, Inc. Privacy Notice

 

Updated: 27 November 2023

 

This Privacy Notice applies to Charity First Insurance Services, Inc., and its affiliates and subsidiaries (collectively, “we,” “our,” “us,” or “Charity First”).  A full list of affiliates and subsidiaries is available here.[KC1] 

 

In this Privacy Notice, we identify the personal data that we collect about you and how we use that data. This Privacy Notice applies to any personal data you provide to Charity First and any personal data we collect from other sources, unless you are provided a more specific privacy statement at the time of data collection.  This Privacy Notice does not apply to any third-party websites, applications or portals (“Sites”) linked to Charity First’s Sites, or to any Charity First Sites that have their own privacy notices.  If you provide personal data to us about other people, you must provide them with a copy of this Privacy Notice and obtain any consent required for the processing of that person's data in accordance with this Privacy Notice.

 

If you have any questions about this Privacy Notice, please contact us using the details set out in the Contact Us section. When using our Sites, you should read this Privacy Notice alongside the Site’s Terms of Use.

 

United States of America Addendum (“Addendum”) to Charity First’s Privacy Notice

 

Updated: 1 July 2024

This United States of America Addendum (“Addendum”) supplements the terms of Charity First’s Privacy Notice and applies to individuals who are residents of the United States and who are acting in their individual or household context. For residents of California, this Addendum also applies to individuals who are acting in their commercial context.

This Addendum provides you with information about your privacy rights under applicable United States privacy laws and regulations, such as, for example the California Consumer Privacy Act (“CCPA”), the Virginia Consumer Data Protection Act (“VCDPA”), and similar state or federal laws and regulations, as enacted or amended from time-to-time. Any terms defined by the applicable privacy laws and regulations shall have the same meaning when used in this Addendum.  “Personal data” as used in this Addendum shall also mean “personal information” as defined by applicable laws and regulations.    

1)      Personal data we collect

You have a right to know the categories and types of personal data we collect about you.  We make this information available to you in the Personal Data We Collect section of our Privacy Notice. 

 

For residents of California, we collect data that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular California consumer or household (“CCPA Covered Personal Data” or “personal data”).   CCPA Covered Personal Data does not include personal data that has been de-identified or aggregated, or that is publicly available information from government records. 

 

In particular, we have collected the following categories of CCPA Covered Personal Data from consumers within the last twelve (12) months:

 

Category	Examples	Collected
A. Identifiers.	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers.	Yes
B. Personal data categories listed in the California       Customer Records statute (Cal. Civ. Code § 1798.80(e)).	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, medical information, or health insurance information. Some personal data included in this category may overlap with other categories.	Yes
C. Protected classification characteristics under California or federal law.	Age (40 years or older), race, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status.	Yes
D. Commercial information.	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	Yes
E. Biometric information.	Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.	Yes
F. Internet or other similar network activity.	Browsing history, search history, information on your interaction with a Site, application, or advertisement.	Yes
G. Geolocation data.	Physical location or movements.	No
H. Sensory data.	Audio, electronic, visual, thermal, olfactory, or similar information.	Yes
I. Professional or employment related information	Occupation, title, employer information, current or past job history or performance evaluations.	Yes
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	No
J. Inferences drawn from other  personal data.	Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	No
L. Sensitive personal data	Social security, driver’s license, state identification or passport numbers; account log-in, financial account, debit or credit card number in combination with any required security or access code, password or credentials allowing access to an account; precise geolocation data; racial or ethnic origin, religious or philosophical beliefs or union membership, content of mail, email and text messages unless business is the intended recipient; genetic data; processing of biometric information for the purposes of uniquely identifying a consumer; personal data collected and analysed concerning your health.	Yes

 

2) Categories of sources from which we collect personal data

You have the right to know the categories of sources from which we collect your personal data.  We make this information available to you in the How we Collect Your Personal Data section of our Privacy Notice. 

 

3)      Our processing of your personal data

You have the right to know how we process and use your personal data.  We make this information available to you in the How We Use Your Personal Data section of our Privacy Notice.

To the extent that we use or maintain de-identified data, we take reasonable measures to ensure that de-identified data cannot be associated with a natural person, we publicly commit to using and maintaining de-identified data without attempting to re-identify the data, and we contractually obligate any recipient of de-identified data to comply with the same obligations.

 

4)      Disclosure of personal data

 

You have the right to know if we share your personal data with any third parties and the categories of those third parties. If you reside in Delaware or Oregon, you have the right to request the specific categories of third parties with whom we have shared your personal data. We make this information available to you in the Who we Share Your Personal Data With section of our Privacy Notice.

5)      We do not sell personal data and we do not share or use personal data for cross-context behavioural advertising or targeted advertising

 

We do not sell personal data for monetary or other consideration and do not sell the personal data of consumers under 16 years of age.

We also do not share personal data for cross-context behavioural advertising or use your personal data for targeted advertising (as those terms are defined by applicable state law).  We may send you advertising in response to your request for information or feedback or based on your activities with our Sites, including your search queries and visits to our Sites.  However, we will not send you targeted advertising based on your activities across non-affiliated Sites to predict your preferences or interests.

 

6)      Your rights

 

Where we act as the controller/business of your personal data (as opposed to a processor/service provider as those terms are defined in your applicable state privacy law), you have the right to submit a request to us for the following:

Your right to access

You may have the right to know if we process your personal data and have access to such information and certain details of how we use it.

 

For California residents, you have the right to request that we disclose the categories of personal data we collected about you, the categories of sources for the personal data we collected about you, our business or commercial purpose for collecting your personal data, the categories of third parties with whom we share your personal data, and the specific pieces of personal data we collected about you.  Under California’s “Shine the Light” law (Civil Code Section § 1798.83), you also have the right to request certain information regarding our disclosure of personal data to affiliates and other third parties for their direct marketing purposes.

Your right to data portability

You may have the right to obtain a copy of your data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to a third party.

Your right to delete

You may have the right to request that we delete your personal data where we act as a controller/business. This right is subject to several exceptions and we may deny your deletion request if retaining the data is necessary for us or our processors/service providers to:

1.      Complete the transaction for which we collected the personal data and take actions reasonably anticipated within the context of our ongoing business relationship with you or our client;

2.      Detect bugs or errors in our Sites, detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities;

3.      Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us;

4.      Comply with a legal obligation; or

5.      Make other internal and lawful uses of that information as permitted by law or that are compatible with the context in which we collected it.

Your right to correct

We take reasonable steps to ensure that data we hold about you is accurate and complete. However, you have the right to request that we correct any inaccurate personal data that we have about you. 

 

Your right to non-discrimination and no retaliation

We will not discriminate or retaliate against you for exercising any of your rights, including but not limited to, by denying you goods or services, charging you different prices for goods or services, or providing you a different level or quality of goods or services.

 

Your right to restriction of processing (opt-out)

You may have the right to opt-out of processing your personal data for purposes of profiling in furtherance of any automated processing of your data that produce legal or similarly significant effects concerning you. 

 

Your right to restrict the processing of sensitive personal data  

Unless we are processing your sensitive personal data pursuant to any of the legal exemptions listed below or as otherwise allowed by law:

o    For residents of California, we do not use or disclose sensitive personal data for purposes other than those specified in section 7027, subsection (m) of the CCPA regulations and we do not collect or process sensitive personal data for purposes of inferring characteristics about you.

o    For other residents of the United States, depending on your applicable state, we will not process your sensitive personal data without first obtaining your consent or providing you with notice and an opportunity to opt out.

 

a)      Exercising your rights

You may exercise your rights to know, delete and correct as described above by submitting a verifiable request to us by either:

·                     Emailing us at GlobalPrivacyOffice@ajg.com;

·                     Completing the Privacy Rights Request Form available at  https://cloud.info.ajg.com/privacy-rights-request-form; or

·                     Calling us at 1-833-208-9359.

 

b)      Authentication or verification process

 

We will use the personal data you provide in a request only for purposes of authenticating or verifying your identity or authority to make the request.

 

We will only fulfill requests when we can authenticate or verify your identify and confirm that you have the authority to make such a request. 

 

Only you, you as the parent or legal guardian on behalf of your minor child, or your authorized agent, guardian or conservator may make a request related to personal data.   If an authorized agent, legal guardian or conservator submits the request, we may require your written permission to do so and may require additional information to authenticate or verify your identity. We may deny a request by an authorized agent, legal guardian or conservator who does not submit proof of authorization to act on your behalf.

·         For requests for access to categories of personal data, we will verify your request to a “reasonable degree of certainty.” This may include matching at least two data points that you would need to provide with data points we maintain about you and that we have determined to be reliable for the purposes of verification.

·         For requests for specific pieces of personal data (portability request), we will verify your request to a “reasonably high degree of certainty.” This may include matching at least three data points that you would need to provide with the data points we maintain about you and that we have determined to be reliable for the purposes of verification. We will also require you to submit a signed declaration under penalty of perjury that you are the individual whose personal data is the subject of the request.

·         For requests to delete, we will verify your request to a “reasonable degree” or a “reasonably high degree of certainty” depending on the sensitivity of the personal data and the risk of harm to you posed by the unauthorized deletion.

 

c)      Response timing and format

 

We will respond to a verifiable or authenticated request within forty-five (45) days of its receipt, and will notify you within those forty-five (45) days if we require more time to respond and the reasons for the additional time. 

 

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.

If we cannot comply with a request or a portion of the request, we will include the reasons in our response.  For example, in certain states, if we deny your request on the basis that it is impossible or would involve a disproportionate effort, we will explain our reasons, such as the data is not in a searchable or readily accessible format, is maintained for only legal or compliance purposes, or is not sold or used for any commercial purpose and our inability to disclose it, delete or correct it would not impact you in any material manner.  

We do not charge a fee to process or respond to your authenticated or verifiable request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.