SafetyWing Customer Privacy Policy

1. Introduction

At SafetyWing, we take the safe and confidential handling of your personal data seriously, and we want you to understand how we are doing this and make you fully aware of your rights.

We have drafted our Privacy Policy to be simple, clear, and concise, so that we accurately describe how we are collecting and using the personal data we collect.

Building a global social safety net is a lot of work, and requires us to collect some personal data from our customers. Through our Data Privacy controls, we take good care of all the personal data we collect.

While we have put care and attention into making this policy as clear as possible, it's ok to have questions and we are here to help. Feel free to reach out to our customer support team or Data Protection Officer (dpo@safetywing.com) and they will be more than happy to help.

2. Why do we need your data anyway? (Purpose of processing)

That's a good question. Well, for a few reasons actually.

We want to provide you with the best service possible, answer all your questions in a specific and useful way, make sure that our products and services are suitable for you, and ultimately to enter into a contract with you to provide that service. To do all this, we need your personal data.

3. TL;DR (The short version)

Here's a brief, plain-language summary of what you want to know:

• We only collect the Personal Data that we need to provide you with products and services.
• In most cases, we process your data based on a valid reason ("lawful basis"), contractual or legal obligations for which we do not need your consent.
• Personal Data is collected either directly from customers or from related third parties.
• Sensitive data (special categories of Personal Data) might be collected in specific situations and will be handled with extra care.
• We usually keep the Personal Data of customers for 7 years following the expiration of their policies.
• There are international transfers of personal data, as you would expect from a global company like SafetyWing.
• You have rights!

4. A few definitions to make the reading easier

• Personal Data: Any information that can identify a natural person (i.e., human)
• (Personal Data) Processing: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
• Data Controller: An organization that decides how the personal data it collects and holds is used and dictates how other companies or individuals (“data processors”) should process personal data.
• Data Processor: A person (natural or legal) that processes personal data of which it has no ownership according to the instructions provided by the Data Controller.
• Special Categories of Personal Data: Personal data revealing sensitive information including, but not limited to, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
• Lawful basis: A valid, legitimate reason to process Personal Data.

5. Let's start with the what, why, and where

What data do we collect, why do we collect it, and where do we get it from?

We want to make sure that we know our customers well so that we can help them get the best experience with SafetyWing. To do this, we need to collect a few details about them, as presented below.

We get this data either directly from you or through third parties in cases where someone else adds you as a dependent or member of a policy that you do not own.

More precisely, we will obtain data directly from you via:

• Registration & Purchase
  • When you sign up for the first time and make your first purchase. That's when we initially collect most of your personal data.
  • When you update your personal data online or you request that we make changes. We process your personal data by updating them to be accurate.
• Phone communications
  • When you speak to us on the phone, we may record the call for training and quality purposes.
• Website and application use
  • When using our websites, and any digital or mobile app we may offer now or in the future.
• Written communication
  • When you reach out to us through our customer support chat services, the conversation is stored in our records. When you send us emails, we store those in our records as well.
  • When we use information that you've made public, such as social media content or when you interact with our social media profiles.
• Data collected from third parties

  There are also times when personal data will come from a third party. For example:

  • If you are signing up as a joint account with someone else, and you are not the main policy holder, we will collect your personal data when the policy holder signs you up.
  • When a nominated representative signs you up. Since the signup will be about you, we will collect your personal data.

6. You may be wondering on what grounds we are collecting Personal Data (“Lawfulness of processing”)

We collect your data for a few reasons, and most of them do not require us to get consent from you. This means that a) we do not need to bother you with giving us consent, and b) we really need this data to provide our Products and Services.

According to data privacy frameworks, Personal Data can only be collected where there are valid reasons. In the absence of any other legal reason (lawful basis), we need to obtain your consent to process your data.

These are the grounds on which we are collecting data from you ("lawful bases"):

7. Does SafetyWing need sensitive personal data? (“Processing of Special Categories of Personal Data”)

At SafetyWing, sensitive data usually means health data such as medical history, claims information, vaccination history, and any other information relevant to your coverage, policy, or claim. If we need to collect or process any sensitive data, you can rest assured that we will let you know about this in advance. Not only will you know, but you will also be asked whether you approve of SafetyWing processing any Personal Data ("explicit consent").

In the event that you submit information to us that involves any sensitive data, thereby granting us access to that sensitive data, we will ask for your consent to process the data, and will also handle it with additional security, as this is what the laws require us to do.

We understand and appreciate that providing sensitive data is sometimes difficult. So please know that at SafetyWing, access to sensitive data is limited to a need-to-know basis.

8. What about Personal Data regarding children?

Although we don't offer products directly to children, we may happen to become recipients of such data when you inquire about a family policy and you wish for your children to be covered. When we do collect this information, we will only ask for the minimal amount of data to enable an accurate quotation for coverage. Any data, like all the information we store, will be protected and kept secure, and the only people able to access it will be those who strictly need to in order to help with your request.

9. What's SafetyWing's role when processing my Personal Data?

SafetyWing will always be the Data Controller for any Personal Data collected from customers. This means that we will be responsible for how your data is processed, including cases where we need to transfer your data to third parties.

In other words, even when your data is transferred to third parties, we are still responsible for it.

10. Why does SafetyWing give my Personal Data to third parties?! ("Transfers to third parties and international transfers")

As the saying goes, it takes a village, and this is very true in building a global social safety net. In order to provide our Products and Services, we sometimes need to share your data with third parties, and this sometimes involves international transfers of data. Let's address two important questions:

• Where does your personal data travel to?
• How do we protect your data through this process?

Personal data is shared with the companies we use to provide, promote and protect our products, and our (re)insurance partners who, in some cases, are the ones that enable us to provide innovative new products.

In both cases, Personal Data might be shared internationally, as our vendors might have data hosted in different locations.

Some examples of where we share your data to:

• Our insurance partners
• Providers we are using to perform compliance, security and identity checks according to what insurance regulations require us to do
• Cloud service providers we use to securely store all data, including Personal Data
• Communication service providers to be able to provide you with real time and immediate communication with our customer care team
• Payment service providers
• Global assistance providers companies
• Government agencies, in certain cases where it is necessary to provide you with the service or product you have requested.

• First and most importantly, by ensuring that we only work with vendors and partners that treat data securely.
• We review our vendors and partners each year to ensure they maintain strong security standards.
• We only transfer personal data to countries that we have assessed and concluded that they have sufficient data protection frameworks.
• We put the necessary standard contractual clauses (as per Data Privacy regulations) in our contracts with third parties to ensure that they will do what the data protection law requires to provide us with adequate data privacy and security levels.

11. What categories of Personal Data do we collect from third parties?

12. How does SafetyWing make sure my Personal Data is secure?

We treat your data like ours. And for this reason, we take the security of Personal Data seriously and have the necessary measures in place:

• We keep all of our data, including your Personal Data, collected on secure cloud locations (Google Cloud Platform).
• We ensure that only a limited number of people have access to your Personal Data, on a need-to-know basis.
• We review our data privacy and security infrastructure each year, using independent audits to ensure that we are keeping up with global regulatory requirements and best practices.
• We have procedures in place in case of a data breach, which include notifying the affected users where relevant.

12.1. Where does SafetyWing store my data?

SafetyWing stores your data, using reliable cloud services providers, on servers located in the European Union.

13. Do I have any rights on the processing of my data ("Data Subject's rights")?

Of course you do, and we explain everything below.

You can exercise your rights by sending an email to dpo@safetywing.com or reaching out to our Customer Care team through our website.

We always try to address your request within 1 month of receiving it, and in the event we will need more time, we will let you know.

When you submit a Subject Access Request, we will tell you what Personal Data we have about you, whether it is transferred to third parties, the duration we intend to keep the data in our records, whether we use your data to perform automated profiling, and other details explicitly related to you.

Just keep in mind that we cannot execute a request that does not have reasonable grounds, or one that is regarding a person other than you.

Do you believe that Personal Data we have related to you is not correct? Just let us know and we will explain the process to update everything to be correct.

You can request that we delete some or all of your data, and we will gladly comply, to the best of our abilities.

While you have the right to request that your data be deleted, we also have a legal obligation to keep the data for a certain period of time ("retention schedule"). When we receive such a request from you, we will let you know what data we can delete now and what data we will need to wait to delete.

If you would like us to stop processing your Personal Data any further (excluding the storing of your data, as this is still required), you can request this. We will review your request and if our legal obligations allow us to execute your request, we will happily do so.

According to this right, you can ask that we send any of your Personal Data we keep in a structured, commonly used, and machine-readable format to another Data Controller.

In cases where your Personal Data is used to make automated decisions, you have the right to object to it and the process will stop, unless there are other pressing reasons, which will be communicated to you.

You have the right to withdraw your consent at any time. This won't affect the lawfulness of processing done before you withdrew your consent.

Please keep in mind that exercising your right to withdraw consent will only affect the processing of Personal Data for which the lawful basis has been the consent. Processing of Personal Data performed using other lawful bases is not affected by the withdrawal of consent.

As mentioned above, you can exercise your rights or ask for more information about them by sending an email to dpo@safetywing.com or contacting us through our 24/7 customer care chat on our website.

14. Compliance with data protection laws

Our privacy policy primarily complies with the General Data Protection Regulation (GDPR) as the guiding framework for our data protection practices. We strive to align with the principles and requirements set out by the GDPR to ensure your data is handled securely, transparently, and in line with your rights, while we also comply with other global data protection frameworks.

If you have any questions about how we comply with data protection laws or would like further information on your rights under GDPR, feel free to contact us.

15. Right to lodge a complaint

If you believe your data privacy rights have been violated, you have the right to lodge a complaint.

If you're not happy with anything related to the Privacy Policy, we are here to help. Here's what you can do depending on what the issue is:

• You can reach out to us and express your concerns or complaints by sending an email to feedback@safetywing.com
• You can contact our Data Protection Officer by sending an email to dpo@safetywing.com

Alternatively, you can file a complaint with a supervisory authority by sending an email to commissioner@dataprotection.gov.cy.

15.1. SafetyWing's EU representative

SafetyWing (Managing General Agent) Ltd (Reg. No. TC.050364, Turks and Caicos Islands) has appointed an EU Representative established in Cyprus, in accordance with art. 27 of the General Data Protection Regulation (EU) 2016/679 (GDPR). If you are located in the European Union, you may contact our EU Representative with any questions about the processing of your Personal Data by SafetyWing (Managing General Agent) Ltd including requests to exercise your rights under GDPR, using the following contact details:

16. How long do you keep my data for? ("Retention schedule")

Only for as long as we need to, and not a day more.

We keep data as long as laws and regulations require us to. Some of the factors we take into account to decide on how long to hold your data (“retention period”) are:

• Customer expectations, the nature of your relationship with us, your membership status and the types of accounts, products and services you have with us.
• The maximum or minimum retention periods identified by legal or regulatory guidance.
• Our contractual rights and obligations.
• Forensic requirements, for example, the need to access data no longer actively used in order to manage or respond to a complaint or dispute.
• The risks involved in retention, deletion and removal and cost of maintaining, storing, archiving and retrieving data.

You can see below a more detailed presentation of how long we keep different types of data:

17. What happens after the Retention schedule? ("Disposal of Personal Data")

As we pointed out earlier, we are very careful about how we deal with your Personal Data, including how long we will keep it for. So when we no longer need to keep your Personal Data, we will politely and gently show them the door as they will no longer be welcome at SafetyWing's servers.

To be more precise, once the retention period is up, we will make sure that:

• All Personal Data associated with your name is deleted or anonymised from our servers. When we say anonymise, we mean that there will be no way for anyone, not even Superman, to know who the data used to belong to. The anonymisation will be completely irreversible, so that we are in line with what the Data Privacy frameworks dictate.
• Your Personal Data will be deleted from third-party vendors we are using, excluding any information that they are legally required to retain, so that they won't get into trouble.
• You will not hear from us, unless you explicitly tell us otherwise (which we hope you will!)
• We will reach out to you and let you know that we will be deleting your information shortly, so that you can either accept deletion or advise otherwise.

This might be the end of our friendship, but we will always hope that you will come back and visit every now and then!

18. Can we sign a Data Processing Agreement with SafetyWing?

Most certainly, just reach out to our Customer Care team, or send an email to dpo@safetywing.com and we will take care of the rest.

19. Phew, that's it!

So, that was our Privacy Policy. Thank you for reading through all of it!

We really hope that we have answered any questions you might have had, and have given you enough information to understand both what we do with your personal data as well as how we do it.

If you still have questions or concerns, please reach out to our Data Protection Officer by email on dpo@safetywing.com or contact us via our 24/7 live chat.