SafetyWing Customer Privacy Policy

1. Introduction

At SafetyWing, we take the safe and confidential handling of your personal data seriously, and we want you to understand how we are doing this and make you fully aware of your rights.

We have drafted our Privacy Policy to be simple, clear, and concise, so that we accurately describe how we are collecting and using the personal data we collect.

Building a global social safety net is a lot of work, and requires us to collect some personal data from our customers. Through our Data Privacy controls, we take good care of all the personal data we collect.

While we have put care and attention into making this policy as clear as possible, it's ok to have questions and we are here to help. Feel free to reach out to our customer support team or Data Protection Officer (dpo@safetywing.com) and they will be more than happy to help.

2. Why do we need your data anyway? (Purpose of processing)

That's a good question. Well, for a few reasons actually.

We want to provide you with the best service possible, answer all your questions in a specific and useful way, make sure that our products and services are suitable for you, and ultimately to enter into a contract with you to provide that service. To do all this, we need your personal data.

3. TL;DR (The short version)

Privacy Policies are not always easy or fun to read, and we get that. So, here's a brief summary of what you want to know:

• We only collect the Personal Data that we need to provide you with products and services.
• In most cases, we process your data based on a valid reason (“lawful basis”), contractual or legal obligations and therefore we do not need your consent.
• Personal Data is collected either directly from customers or from related third parties.
• Sensitive data (special categories of Personal Data) might be collected in specific situations, and will be handled with extra care.
• We usually keep the Personal Data of customers for 7 years following the expiration of their policies.
• There are international transfers of personal data, as you would expect from a global company like SafetyWing.
• You have rights!

4. A few definitions to make the reading easier

• Personal Data: Any information that can identify a natural person (i.e. human)
• (Personal Data) Processing: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data.
• Data Controller: An organization that decides how the personal data it collects and holds is used and dictates how other companies or individuals (“data processors”) should process personal data.
• Data Processor: A person (natural or legal) that processes personal data of which it has no ownership according to the instructions provided by the Data Controller.
• Special Categories of Personal Data: Personal data revealing sensitive information including but not limited to genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.
• Lawful basis: A valid, legitimate reason to process Personal Data.

5. Let's start with the what, why, and where

What data do we collect, why do we collect it, and where do we get it from?

We want to make sure that we know our customers well so that we can help them get the best experience with SafetyWing. To do this, we need to collect a few details about them, as presented below.

We get this data either directly from you or through third parties in cases where someone else adds you as a dependent or member of a policy that you do not own.

More precisely, we will obtain data directly from you via:

• Registration & Purchase
  • When you sign up for the first time and make your first purchase. That's when we initially collect most of your personal data.
  • When you update your personal data online or you request that we make changes. We process your personal data by updating them to be accurate.
• Phone communications
  • When you speak to us on the phone, we may record the call for training and quality purposes.
• Website and application use
  • When using our websites, and any digital or mobile app we may offer now or in the future.
• Written communication
  • When you reach out to us through our customer support chat services, the conversation is stored in our records. When you send us emails, we store those in our records as well.
  • When we use information that you've made public, such as social media content or when you interact with our social media profiles.
• Data collected from third parties

  There are also times when personal data will come from a third party. For example:

  • If you are signing up as a joint account with someone else, and you are not the main policy holder, we will collect your personal data when the policy holder signs you up.
  • When a nominated representative signs you up. Since the signup will be about you, we will collect your personal data.

6. You may be wondering on what grounds we are collecting Personal Data (“Lawfulness of processing”)

We collect your data for a few reasons, and most of them do not require us to get consent from you. This means that a) we do not need to bother you with giving us consent and b) we really need this data to provide our Products and Services.

According to data privacy frameworks, personal data can only be collected where there are valid reasons. In the absence of any other legal reason (lawful basis), we need to obtain your consent to process your data. These are the grounds on which we are collecting data from you (“lawful bases”):

7. Does SafetyWing need sensitive personal data? (“Processing of Special Categories of Personal Data”)

At SafetyWing, sensitive data usually means health data such as medical history, claims information, vaccination history, and any other information relevant to your coverage, policy or claim. If we need to collect or process any sensitive data, you can rest assured that we will let you know about this in advance. Not only will you know, but you will also be asked whether you approve of SafetyWing processing any personal data (“explicit consent”).

In the event that you submit information to us which involves any sensitive data, thereby granting us access to sensitive data, we will ask for your consent to process the data, and will also handle them with additional security, as this is what the laws require us to do.

8 What about personal data regarding children?

Although we don't offer products directly to children, we may happen to become recipients of such data when you inquire about a family policy and you wish for your children to be covered. When we do collect this information, we will only ask for the minimal amount of data to enable an accurate quotation for coverage. Any data, like all the information we store, will be protected and kept secure, and the only people able to access it will be those who strictly need to in order to help with your request.

9. What's SafetyWing's role when processing my personal data?

SafetyWing will always be the Data Controller for any personal data collected from customers. This means that we will be responsible for how your data is processed, including cases where we need to transfer your data to third parties.

In other words, even when your data is transferred to third parties, we are still responsible for it.

10. Why does SafetyWing give my Personal Data to third parties?! (“transfers to third parties & international transfers”)

As the saying goes, it takes a village, and this is very true in building a global social safety net. In order to provide our Products and Services, we sometimes need to share your data with third parties, and this sometimes involves international transfers of data. Let's address two important questions:

• Where does your personal data travel to?
• How do we protect your data through this process?

Personal data is shared with the companies we use to provide, promote and protect our products, and our insurance partners who, in some cases, are the ones that enable us to provide innovative new products.

In both cases, personal data might be shared internationally, as our vendors might have data hosted in different locations.

Some examples of where we share your data to:

• Our insurance partners
• The company we are using to perform compliance checks against sanctions
• The vendors we use to securely store all data, including personal data

• First and most importantly, by ensuring that we only work with vendors and partners that treat data securely.
• We review our vendors and partners each year to ensure they maintain strong security standards.
• We only transfer personal data to countries that we have assessed and concluded that they have sufficient data protection frameworks.
• We put the necessary standard contractual clauses (as per Data Privacy regulations) in our contracts with third parties to ensure that they will do what the data protection law requires to provide us with adequate data privacy and security levels.

11. How does SafetyWing make sure my personal data is secure?

We treat your data like ours. And for this reason we take the security of personal data seriously and have the necessary measures in place:

• We keep all of our data including your personal data collected on secure cloud locations (Google Cloud Platform).
• We ensure that only a limited number of people have access to your personal data, on a need-to-know basis.
• We review our data privacy and security infrastructure frequently, using independent audits to ensure that we are keeping up with global regulatory requirements and best practices.
• We have procedures in place in case of a data breach, which include notifying the affected users where relevant.

12. Do I have any rights on the processing of my data (“Data Subjects rights”)?

Of course you do, and we explain everything below.

You can exercise your rights by sending an email to dpo@safetywing.com or reaching out to our Customer Care team through our website.

We always try to address your request within 1 month of receiving them, and in the event we will need more time, we will let you know.

When you submit a Subject Access Request, we will tell you what personal data we have about you, whether these are transferred to third parties, the duration we intend to keep the data in our records, whether we use your data to perform automated profiling, and other details explicitly related to you.

Just keep in mind that we cannot execute a request that does not have reasonable grounds, or one that is regarding a person other than you.

Do you believe that personal data we have related to you is not correct? Just let us know and we will explain the process to update everything to be correct.

You can request that we delete some or all of your data, and we will gladly comply, to the best of our abilities.

While you have the right to request for your data to be deleted, we also have a legal obligation to keep the data for a certain period of time (“retention schedule”). When we receive such a request from you, we will let you know what data we can delete now, and what data we will need to wait to delete.

If you would like us to stop processing your personal data any further (excluding the storing of your data, as this is still required), you can request this. We will review your request and if our legal obligations allow us to execute your request, we will happily do so.

According to this right, you can ask that we send any of your personal data we keep in a structured, commonly used and machine-readable format to another Data Controller.

In cases where your personal data are used to make automated decisions, you have the right to object to it and the process will stop, unless there are other pressing reasons, which will be communicated to you.

As mentioned above, you can exercise your rights or ask more information about them by sending an email to dpo@safetywing.com or contacting us through our 24/7 customer care chat through our website.

13. How long do you keep my data for (“Retention schedule”)?

Only for as long as we need to, and not a day more.

We keep data as long as laws and regulations require us to. Some of the factors we take into account to decide on how long to hold your data (“retention period”) are:

• Customer expectations, the nature of your relationship with us, your membership status and the types of accounts, products and services you have with us.
• The maximum or minimum retention periods identified by legal or regulatory guidance.
• Our contractual rights and obligations.
• Forensic requirements, for example, the need to access data no longer actively used in order to manage or respond to a complaint or dispute.
• The risks involved in retention, deletion and removal and cost of maintaining, storing, archiving and retrieving data.

You can see below a more detailed presentation of how long we keep different types of data:

14. Phew, that’s it!

So, that was our Privacy Policy. Thank you for reading through all of it!

We really hope that we have answered any questions you might have had, and have given you enough information to understand both what we do with your personal data as well as how we do it.

If you still have questions or concerns, please reach out to our Data Protection Officer by email on dpo@safetywing.com or contact us via our 24/7 live chat.