Privacy Policy

Status: September 2023

This Privacy Policy informs you how Laka NL B.V. (“Laka”, “we”, “us”) processes personal data in connection with Laka's website laka.co including the web-app on app.laka.co (hereinafter together also the “website”) and the provision of services regarding the Laka insurance platform.

We treat personal data carefully, safely and confidentially. 

1. General; contact data

We (Laka) are an authorised agent that carries out work on behalf of insurers (insurance intermediary). That might be sending quotes for, acceptances of or amendments to insurance contracts, implementing a policy administration or settling claims. For further information on data protection matters concerning the insurers we work with please see:

When carrying out our services, we, in general, are legally regarded as a Controller within the meaning of the EU General Data Protection Regulation (“GDPR”) with regard to the processing of personal data in this context. 

In addition, Laka NL B.V. complies with the Code of Conduct for Processing Personal Data by Insurers. You can download this code of conduct at www.verzekeraars.nl > Industry > Self-regulation. You can find the content of the AVG in the Official Journal of the European Union (Regulation 2016/679) and on the website of the Personal Data Authority (autoriteitpersoonsgegevens.nl).

We can be reached by:

• email: kundenservice@laka.co

• website: https://laka.co

• postal address: Raamplein 1, 1016 XK Amsterdam, Netherlands 

Our data protection officer can be reached as follows:

Data Protection Officer Laka, Mr. Ben Allen, email: dpo@laka.co, address: St Nicolas House, 31-34 High Street, Bristol, BS1 2AW 

2. Processing of personal data; legal basis for processing

We process personal data, in particular, in the following cases: 

a) If you visit our website we gather and store information automatically in so-called server logfiles, which your browser sends to us automatically. This information can include, for example: 

  • the IP address 
  • browser type and browser version
  • operating system used

This data can, in general, not be allocated to a specific person. This data will not be merged with other data sources. We use the data for the purpose of enabling the use of the website (connection establishment) and for internal system-related purposes (technical administration, system security). The legal basis for the processing of the data described above (to the extent such data is to be considered personal data) is Art. 6 (1) sentence 1 lit. f GDPR (legitimate interests). The legitimate interest in processing such data arises from the fact that without such data our website cannot be accessed safely by our customers and/or other users.

b) Our Website uses so-called cookies to a limited extent.

  • Cookies are mainly small text files that are stored in the memory of your browser.

  • In particular, we use such cookies, for example, to make navigation through our website easier for you. Our use of cookies does, in general, not enable us to establish a personal reference. In general, we use only technically essential cookies that play a functional role in order to visit our website. The legal basis for the processing of personal data by using such technically essential cookies (insofar as personal data is involved at all in individual cases) is Art. 6 (1) sentence 1 lit. f GDPR (legitimate interests; the legitimate interest follows from the fact that the respective cookies are basically indispensable to visit the website). 

  • In the event that non-essential cookies shall be used, you will always be asked to give your consent (Article 6(1) sentence 1 lit. a GDPR) beforehand via a respective cookie management tool on our website. 

  • You can configure your browser in a way that no cookies are stored or a message always appears before a new cookie is created. However, the (complete) deactivation of cookies may result in you not being able to (fully) use all the functions of our website.

c) Our website uses further third-party tools and cookies to a limited extent, namely: 

  • Google Analytics

The website uses Google Analytics, a web analytics service provided by Google. The responsible service provider in the EU is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. 

If you do not consent (Art. 6(1) sentence 1 lit. a GDPR) to the use of this tool when you (first) visit the website, no personal data about you will be processed using this tool. 

Google Analytics uses “cookies” to help analyze how you use the website. The information generated by the cookie about your use of the website will normally be transmitted to and stored by Google on servers in the United States. In case IP-anonymization is activated on the website, your IP address will be truncated within the area of member states of the European Union or within other contracting states to the Agreement on the European Economic Area (the IP-anonymization is active with regard to the website). Only in exceptional cases the whole IP address will be first transferred to a Google server in the USA and truncated there. Google will use this information on behalf of the operator of the website for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services for the website operator relating to website activity and internet usage. The IP address that your browser transfers within the scope of Google Analytics will not be associated with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. You can also opt-out from the storage by Google of the data that is created by the cookie and is related to the use of the website (including your IP address) and the processing of such data by Google by downloading and installing the Google Analytics opt-out Browser add-on available under https://tools.google.com/dlpage/gaoptout?hl=en. In case you delete your cookies, you will have to use the aforementioned link again. You can also deactivate the use of Google Analytics on our website with regard to your data in the cookie management tool contained on our website.

As described above, Google may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used (by Google) (Google can provide you with the corresponding documentation on the standard data protection clauses).

For further information on Google Analytics please refer to: http://www.google.com/analytics/terms/gb.html,  https://support.google.com/analytics/answer/6004245?hl=en, https://policies.google.com/privacy?hl=en-GB

  • Heap Analytics

The website uses Heap Analytics, a web analytics service provided by Heap Inc, 116 Natoma St, San Francisco, CA 94105, USA ("Heap Analytics"). 

Heap Analytics uses cookies to help analyze how you use our website. The respective cookies are only set if you have consented to their use in our cookie management tool beforehand. The information generated about your use of our website is usually transmitted to a server of Heap Analytics in the USA and stored there.

Heap Analytics will analyse this information and forward it to us for the purpose of evaluating your use of the website and improving its user-friendliness for everyone.

The use of Heap Analytics is based on your consent or Art. 6(1) sentence 1 lit. a GDPR (consent). You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. You can deactivate the use of Heap Analytics on our website with regard to your data in the cookie management tool contained on our website.

As described above, Heap Analytics may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Heap Inc (Heap Inc can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Heap Analytics please refer to https://heap.io/privacy.  

  • LogRocket

The website uses LogRocket, a web analytics service provided by LogRocket Inc, 87 Summer St, Boston, MA 02110, USA.

LogRocket uses cookies and JavaScript technology to analyse how users interact with our website. We use this data in order to improve the design and usability of the service. The respective cookies are only set if you have consented to their use in our cookie management tool beforehand. The information generated about your use of our website is usually transmitted to a server of LogRocket in the USA and stored there.

The use of LogRocket is based on your consent or Art. 6(1) sentence 1 lit. a GDPR (consent). You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. You can deactivate the use of LogRocket on our website with regard to your data in the cookie management tool contained on our website.

As described above, LogRocket may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by LogRocket Inc (LogRocket Inc can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding LogRocket please refer to https://logrocket.com/privacy/.  

  • Maze

The website uses Maze, a web analytics service provided by MAZE.DESIGN LIMITED, London Office 5th Floor 167-169, Great Portland Street, London W1W 5PF, UK.

Maze uses cookies and JavaScript technology to serve surveys to users. Surveys may contain questions about users’ experience with Laka or questions about their life. We use this data in order to improve the design and usability of the service. The respective cookies are only set if you have consented to their use in our cookie management tool beforehand. The information generated about your use of our website is usually transmitted to a server of Maze in the USA and stored there.

The use of Maze is based on your consent or Art. 6(1) sentence 1 lit. a GDPR (consent). You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. You can deactivate the use of Maze on our website with regard to your data in the cookie management tool contained on our website.

As described above, Maze may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Maze (Maze Inc can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Maze please refer to https://maze.co/privacy-policy/.  

  • Meta

The website uses features of Meta’s social networks Facebook and Instagram called pixel tracking and custom audiences. Meta is headquartered at Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland.

Through Meta’s technology, users who have already visited our website and have shown interest can be approached through digital ads on Facebook and Instagram. Users are typically identified through the use of cookies. The respective cookies are only set if you have consented to their use in our cookie management tool beforehand. The information generated about your visits of our website is usually transmitted to a server of Meta in the USA and stored there.

The use of Meta is based on your consent or Art. 6(1) lit. a and f GDPR (consent). You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. You can deactivate the use of Meta on our website with regard to your data in the cookie management tool contained on our website.

As described above, Meta may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Meta (Meta can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Meta please refer to https://facebook.com/privacy/policy/. You can also deactivate the custom audiences feature by logging into your Facebook account under Settings.

  • Twitter

The website uses features of Twitter called pixel tracking and custom audiences. Twitter is headquartered at Twitter, Inc., One Cumberland Place, Fenian Street, Dublin D02 AX07, Ireland.

Through Twitter’s technology, users who have already visited our website and have shown interest can be approached through digital ads on Twitter. Users are typically identified through the use of cookies. The respective cookies are only set if you have consented to their use in our cookie management tool beforehand. The information generated about your visits of our website is usually transmitted to a server of Twitter in the USA and stored there.

The use of Twitter is based on your consent or Art. 6(1) lit. a and f GDPR (consent). You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use all functions of the website. You can deactivate the use of Twitter on our website with regard to your data in the cookie management tool contained on our website.

As described above, Twitter may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Twitter Inc (Twitter Inc can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Twitter please refer to https://twitter.com/en/privacy.

  • LinkedIn

The website uses features of LinkedIn called pixel tracking and custom audiences. LinkedIn is headquartered at LinkedIn Corp, 000 West Maude Avenue Sunnyvale, CA 94085 United States.

Through LinkedIn’s technology, users who have already visited our website and have shown interest can be approached through digital ads on LinkedIn. Users are typically identified through the use of cookies. The respective cookies are only set if you have consented to their use in our cookie management tool beforehand. The information generated about your visits of our website is usually transmitted to a server of LinkedIn in the USA and stored there.

The use of LinkedIn is based on your consent or Art. 6(1) lit. a and f GDPR (consent). You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use all functions of the website. You can deactivate the use of LinkedIn on our website with regard to your data in the cookie management tool contained on our website.

As described above, LinkedIn may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by LinkedIn Corp (LinkedIn Corp can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding LinkedIn please refer to https://www.linkedin.com/legal/privacy-policy.

  • Google Ads Manager

The website uses features of Google Ads Manager called conversion tracking and remarketing. Google Ads Manager is a service of Google Ireland Ltd, Google Building Gordon House, Barrow St, Dublin 4, Ireland.

Through Google Ads Manager’s technology, users who have already visited our website and have shown interest can be approached through digital ads on Google and other third-party websites. Users that have purchased Laka products can also be identified to avoid unnecessary advertisements. Users are typically identified through the use of cookies. The respective cookies are only set if you have consented to their use in our cookie management tool beforehand. The information generated about your visits of our website is usually transmitted to a server of Google Ads Manager in the USA and stored there.

The use of Google Ads Manager is based on your consent or Art. 6(1) lit. a and f GDPR (consent). You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. You can deactivate the use of Google Ads Manager on our website with regard to your data in the cookie management tool contained on our website.

As described above, Google may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Google (Google can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Google Ads Manager please refer to https://policies.google.com/technologies/ads.

 

  • Mollie

The website uses Mollie, a payment processing service, provided by Mollie B.V., Keizersgracht 126, Amsterdam, 1015CW, NL.

When you pay with Mollie your payment details will be transferred to Mollie and the chosen payments provider (e.g. iDEAL or Bancontact). 

The use of Mollie is based on Art. 6(1) lit. b GDPR (contract). You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. 

For further information regarding Mollie please refer to https://www.mollie.com/de/privacy.

  • Stripe

The website uses Stripe, a payment processing service, provided by Stripe Inc, 185 Berry St #550, San Francisco, CA 94107, USA.

When you pay with Stripe your payment details will be transferred to Stripe and the chosen payments provider. Stripe also uses cookies to help analyze how you use our website and detect fraud. The respective cookies are essential to the operation of payments. Your payment details may be transferred to the USA and stored there.

The use of Stripe is based on Art. 6(1) lit. b GDPR (contract) or, with regard to the aforementioned measures for detecting fraud attempts, possibly also Art. 6(1) lit. f GDPR (legitimate interests; the legitimate interest arises from the aforementioned purpose). You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. 

As described above, Stripe may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Stripe Inc (Stripe Inc can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Stripe please refer to https://stripe.com/de/privacy.

  • Dixa

The website uses Dixa, a customer support management service, provided by Dixa Aps, Vimmelskaftet 41A, 1 Sal, 1161 Copenhagen, Denmark.

Dixa improves communication with you by unifying all communications via email and website chat into one profile. Dixa makes use of cookies to support this. The respective cookies are essential to communicate with you via webchat.

The use of Dixa is based on Art. 6(1) lit. b GDPR (contract). You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use all functions of the website. You will still be able to reach us through our support email address stated on our website.

For further information regarding Dixa please refer to https://www.dixa.com/legal/privacy/.

  • Customer.io

The website uses Customer.io, a communication platform, provided by Peaberry Software Inc., 9450 SW Gemini Dr., Suite 43920, Beaverton, Oregon 97008-7105.

Customer.io is used to send you communications via email and text message. These communications can be essential for the performance of the contract or for marketing purposes. Customer.io makes use of cookies to send you communications when visiting certain pages. To send you communications personal data is stored in profiles on Customer.io. 

The use of Customer.io is based on Art. 6(1) lit. b GDPR (contract) and in regards to marketing communications Art. 6(1) lit. a GDPR (consent). You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use all functions of the website. 

As described above, Customer.io may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Peaberry Software Inc (Peaberry Software Inc can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Customer.io please refer to https://customer.io/legal/privacy-policy/.

  • Webflow

The website uses Webflow, a content management system, provided by Webflow Inc, 398 11th Street, 2nd Floor, San Francisco, CA 94103, USA.

Webflow is used to manage content on the website and host interactive forms for data collection. Data collected by Webflow is provided by you and not collected automatically.

The use of Webflow is based on Art. 6(1) lit. f GDPR (legitimate interests). You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use all functions of the website. 

As described above, Webflow may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Webflow Inc (Webflow Inc can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Webflow please refer to https://webflow.com/legal/eu-privacy-policy.

  • Zapier

The website uses Zapier, a workflow automation system, provided by Zapier Inc, 548 Market St. # 62411, San Francisco, CA 94104-5401, USA.

Zapier is used to automate workflows and integrate third-party tools with each other. Data that is collected or provided by you may be transmitted via Zapier. The use of Zapier is essential to ensure efficient operations.

The use of Zapier is based on Art. 6(1) lit. f GDPR (legitimate interests). You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. 

As described above, Zapier may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Zapier Inc (Zapier Inc can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Zapier please refer to https://zapier.com/privacy.

  • Sentry

The website uses Sentry, a service to monitor and analyse technical errors, provided by Functional Software Inc, 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA.

Sentry uses cookies as well as in-browser and server-side technology to analyse how users interact with our website. We use this data to detect errors and user problems. The use of Sentry is essential to the performance of the website. The information generated about your use of our website is usually transmitted to a server of Sentry in the USA and stored there.

The use of Sentry is based on Art. 6(1) lit. f GDPR (legitimate interests; the legitimate interest arises from the aforementioned purpose). You may refuse the use of cookies by selecting the appropriate settings on your browser, however, please note that if you do this you may not be able to use all functions of the website. 

As described above, Sentry may also process personal data in the USA. Currently, there is no comprehensive decision by the EU Commission on the adequacy of the level of data protection in the USA. To ensure an adequate level of data protection, so-called standard data protection clauses in the sense of Article 46 (2) lit. c GDPR are used by Functional Software Inc (Functional Software Inc can provide you with the corresponding documentation on the standard data protection clauses).

For further information regarding Sentry please refer to https://sentry.io/privacy/.  

d) If you request information from us, we might ask you for your contact information so that we can send you said information. The legal basis for the processing of personal data in this context is Art. 6 (1) sentence 1 lit. f GDPR (legitimate interests; the legitimate interest follows from the aforementioned purposes) or if you seek to enter into an agreement (with us) Art. 6 (1) sentence 1 lit. b GDPR (contract or contract initiation).

e) If you are seeking to receive the services offered on our website or seeking to enter into a contract (via our website), we might have to process certain data about you such as, for example, your contact details (name, address, town/city, telephone number and email address). We might also ask you for your bank details in order for us to make and collect payments (with regard to respective contracts). We use this data, in particular, for the implementation and fulfilment of contracts (legal basis: Art. 6 (1) sentence 1 lit. b GDPR; contract or contract initiation). If the contract or contract initiation does not involve a natural person, but a legal entity or company (e.g. the employer of the data subject, whereby the data subject acts as the employer's contact person in the context of contract processing), the legal basis for the processing of personal data in this context is generally Art. 6(1) lit. f GDPR (legitimate interests; the legitimate interest usually follows from the fact that we need to contact individual persons for the initiation, conclusion and performance of such contracts as well as for the provision of services), in individual cases possibly alternatively Art. 6(1) lit. a GDPR (consent).

Please note that you might not be able to enter into respective contracts if you do not provide the required information.

f) For some services, additional personal data from you might be required, your car registration number for example in the case of car insurance or your profession in the case of income insurance. That data is processed to estimate the risk, establish the conditions of the services and assess any claims for damages (legal basis: Art. 6 (1) sentence 1 lit. b GDPR; contract or contract initiation; in relation to the assessment of claims Art. 6 (1) sentence 1 lit. f GDPR; legitimate interests may (also) be relevant to pursue legal claims). If the contract or contract initiation does not involve a natural person, but a legal entity or company (e.g. the employer of the data subject, whereby the data subject acts as the employer's contact person in the context of contract processing), the legal basis for the processing of personal data in this context is generally Art. 6(1) lit. f GDPR (legitimate interests; the legitimate interest usually follows from the fact that we need to contact individual persons for the initiation, conclusion and performance of such contracts as well as for the provision of services), in individual cases possibly alternatively Art. 6(1) lit. a GDPR (consent).

g) Before personal injury claims are accepted or implemented, we might need certain information about your health. In this context only the health data required for the respective purpose is processed. (legal basis: Art. 6 (1) sentence 1 lit. a GDPR, Art. 9(2) lit. a GDPR; consent) 

3. For what purposes do we process personal data?

We process personal data, in particular, for the following purposes (cf. also above under “Processing of personal data; legal basis for processing” and below under “With whom do we share personal data?”):

For the implementation, fulfilment and termination of services and/or contracts.

We use personal data so we can get in touch with you, for contract administration, in order for us to assess whether you can take out insurance or in order for us to make a change to your policy. We may also use your personal data to manage your policy and to settle your claims.

Marketing activities

We like to keep you informed about our services. We can keep you up to date on developments (comparable) and supplementary services that could be relevant for you, through emails, newsletters, our website and social media, provided you consented to receiving such information or in case we are otherwise allowed to provide you with such information under statutory law. 

Improve and innovate

We use certain data to continually improve our products and services. We do this by making reports and analyses of our services. When drawing them up, we delete where possible any personal data we don't need. We may also bundle data on a certain level of abstraction (aggregate), encrypt (give it a pseudonym) or make it anonymous.

Tracing fraud and abuse

We also process personal data when tracing fraud, abuse and improper use. When doing so, we comply with the instructions we have been given by the insurance company.

To meet statutory processing/retention obligations (such as under applicable tax law)

4. What legal grounds do we have for processing personal data?

Processing personal data is only permitted if we have a legal basis on which to do so (cf. also above under “Processing of personal data; legal basis for processing” and below under “With whom do we share personal data?”), for example:

  • The processing is necessary for the implementation, fulfilment or termination of a contract, for example, an insurance contract (Article 6(1) sentence 1 lit. b GDPR; contract or contract initiation).

  • The processing is necessary in order to comply with statutory obligations, for example under applicable tax laws (Article 6(1) sentence 1 lit. c GDPR; legal obligation).

  • The processing is necessary for the protection of a legitimate interest, for example when we are investigating a possible case of fraud. In doing so, we weigh up the importance of our legitimate interest or that of a third party and your interests (Article 6(1) sentence 1 lit. f GDPR; legitimate interest).

  • Your consent (Article 6(1) sentence 1 lit. a GDPR or Art. 9(2) lit. a GDPR). Allowing us to place non-essential cookies on our website, for example, or in some cases where we might process sensitive personal data within the meaning of Article 9(1) GDPR (such as health data; if we need, for example, data on a client's health in order to implement the insurance contract or to settle a claim for damages, we use such data only after the client has given their explicit consent). We may ask for your consent either in writing or by email. When we ask for your consent, we will also inform you of the way in which your data will be used and for what purpose. Once you have given your consent, you may revoke it at any time (in the future).

5. How long do we store personal data?

Unless a shorter storage period is indicated in this Privacy Policy, we, in general, store personal data as long (i) as required for the provision of our services, and/or (ii) as it is necessary with regard to the contractual relationship with you, and/or (iii) as it is necessary for the respective processing purpose, thereafter only if and to the extent that we are obliged to do so by mandatory statutory retention obligations. If we no longer require the respective personal data for the purposes described above, such personal data will only be stored during the respective statutory retention period and not processed for other purposes.

6. With whom do we share personal data?

We, in general, do not share personal data with third parties unless otherwise provided for in this privacy statement. We might share personal data, e.g., with the following third parties:

  • Insurance companies (that are your contractual partners under an insurance contract) in connection with the implementation, fulfilment or termination of an insurance contract (Article 6(1) sentence 1 lit. b GDPR; contract or contract initiation; especially if the (potential) policyholder is a company, Article 6(1) lit. f GDPR - cf. above) or to investigate/respond to potential fraudulent insurance claims and/or complaints (Article 6(1) sentence 1 lit. f GDPR; legitimate interest; the legitimate interest follows from the above purposes).

  • (In limited cases with) Governmental authorities, in particular, if we are legally obliged to do so (Article 6(1) sentence 1 lit. c GDPR). This might include, for example, tax authorities, the police, and data protection authorities in certain cases.

  • Your consultant, employer or third parties, insofar as that is legally permissible and necessary to the provision of services and/or for contract implementation/fulfilment/termination (Article 6(1) sentence 1 lit. b GDPR; contract or contract initiation; and depending on the situation Article 6(1) sentence 1 lit. f GDPR; legitimate interest; the legitimate interest follows from the above purposes).

  • Companies we engage to provide services for us that are related to an insurance contract. This might include, for example, collection agencies or lawyers (Article 6(1) sentence 1 lit. b GDPR; contract or contract initiation). The legitimate interests in the aforementioned cases are primarily the defense and enforcement of legal claims (with regard to lawyers) or debt collection (with regard to collection agencies).

  • We may outsource the processing of your personal data to third parties or to our affiliated companies that process such data for us and on our behalf as data processors (Data Processing, Article 28 GDPR). For example, we might use IT service providers for maintenance and support functions. In this context, with regard to a transfer of personal data, the respective affiliated companies might be situated in the United Kingdom (i.e. outside the EU/EEA). The EU Commission has issued an adequacy decision regarding the United Kingdom (i.e. the EU Commission considers the United Kingdom to have an adequate level of data protection).

  • Companies we engage to comply with local regulations and the requirements of our insurance company. This might include preventing fraud and actively managing insurance risk (Article 6(1) sentence 1 lit. b GDPR; contract or contract initiation). We can, for example, exchange information with insurers affiliated with the Central Information System Foundation (CIS) via Stichting CIS. More information about this can be found on the website of Stichting CIS.

  • Also, the tools or third-party providers mentioned under 2c act (partly) as processors on our behalf.

7. From which sources do we receive personal data?

We might receive personal data that we process from, for example:

  • consultants, employers or a legal representative of a data subject

  • the tax authorities

  • other natural persons, institutes or organisations authorised by a data subject or authorised on other grounds to provide the information

  • the Central Information System Foundation (CIS)

8. What are the data subject's rights?

As a data subject, you can request information from us at any time about your personal data stored by us. If the legal requirements are met, you also have the right to request from us access to and rectification or erasure of your personal data, or restriction of its processing, or to object to the processing of your personal data. If you request the personal data you provided us, we will share such data in a common and machine-readable format.

If you have given your consent to the use of personal data, you can revoke such consent at any time (in the future).

If you believe that the processing of your personal data by us is in breach of the applicable data protection laws, you can lodge a complaint with the (competent) supervisory authority for data protection.

9. Modifying the Privacy Policy

Privacy legislation is constantly changing. We may also have to modify this Privacy Policy in order to stay up to date. We do that if there are new developments, for example, if something changes in our company activities, in the law or in jurisdiction. We, therefore, recommend you regularly consult this Privacy Policy when you visit our websites. We might also inform you actively by email or in a news report about changes to this Privacy Policy.
