This addendum supplements the information contained in the Privacy Notice and applies to all customers, visitors of this website, and others who reside in the State of California and sets out how (1) CFC Underwriting Ltd and (2) CFC USA Inc, collect, use and disclose personal information subject to the CCPA (as defined below). This addendum also describes the privacy rights of California consumers and how they can exercise those rights.
We have adopted this addendum to comply with the California Consumer Privacy Act 2018, as amended by the California Privacy Rights Act 2020 and its implementing regulations (collectively the “CCPA”) and any terms defined in the CCPA have the same meaning when used in this Addendum.
The CCPA does not apply to certain types of information, such as information subject to the Gramm Leach-Bliley Act (“GLBA”) or the Fair Credit Reporting Act (“FCRA”). This means that this Addendum may not apply to personal information that we collect about individuals who seek, apply for, or obtain insurance products or services for personal, family, or household purposes. The CCPA also has limited application to personal information we collect in connection with providing a product or service to a business.
Personal information we collect
We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device ("Personal Information").
Personal Information does not include:
-
Publicly available information from government records.
-
Deidentified or aggregated consumer information.
In particular, we have and within the last 12 months have collected the following categories of Personal Information: (1) directly from customers, (2) from our affiliates and third parties. Some of this personal information may be subject to GLBA, HIPAA, CMIA or FCRA:
| Category | Examples may include |
|
A. Identifiers. |
A name, alias, user ID, username, account number, email address, phone number, postal address, IP address, email address or other similar identifiers. |
|
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). |
Personal information categories listed in the California Customers Records Statute (i.e. name, corporate address and telephone number). |
|
C. Protected classification characteristics under California or federal law. |
Protected information, such as race, religion, sexual orientation, gender, age or marital status. |
|
D. Commercial information. |
Such as records of personal property and insurance products or services purchased or obtained, purchasing or consuming histories, or transaction or account information. |
|
F. Internet or other similar network activity. |
Browsing history, search history, and information on a consumer's interaction with a website, application, or advertisement. |
|
I. Professional or employment-related information. |
Current or past job history or performance evaluations. |
|
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). |
Education information, such as school or date of graduation. grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. |
We may also draw inferences from the personal information we collect directly from you or from our affiliates and third parties.
How we use personal information
The purposes for which we use personal information depend on our relationship or interaction with a specific California consumer. We may use, and in the past 12 months have used, personal information to underwrite your insurance policy and evaluate claims under your policy; to operate and manage our business; to provide and maintain our insurance products and services; to verify your identity; to detect and prevent fraud; for vendor management purposes; to operate, manage, and maintain our business, such as developing and marketing our products and services; to conduct research and data analysis; to comply with applicable laws; to respond to civil, criminal, or regulatory lawsuits or investigations; to exercise our rights or defend against legal claims; to resolve complaints and disputes; to perform compliance activities; and to perform institutional risk control.
For more information on where we source Personal Information and how we have used Personal Information in the past 12 months, please see paragraph 2 of the Privacy Notice.
Personal information we disclose
We disclose, and in the past 12 months have disclosed, the categories of personal information described in “Personal Information We Collect” for the purposes described in “How We Use Personal Information” to the following categories of third parties:
-
Affiliates,
-
Agents,
-
Brokers,
-
Service providers, such as loss adjusters, fraud prevention services, and software providers,
-
Regulatory and law enforcement agencies,
-
Attorney, auditors and other business partners.
For more information on the Personal Information we have disclosed in the last 12 months, please see paragraph 6 of the Privacy Notice.
Sale of personal information
In the preceding twelve (12) months, we have not sold any categories of Personal Information. We do not sell Personal Information to third parties.
Your rights
You may have certain rights under the CCPA. These rights are subject to certain conditions and exceptions. Your rights under the CCPA may include:
Right to Request to Know. You have the right to request to know the following information about our practices over the past 12 months: (i) the categories of Personal Information we collected about you; (ii) the categories of sources from which we collected the Personal Information about you; (iii) the categories of third parties with whom we shared Personal Information, (iv) the categories of Personal Information we disclosed about you and the categories of third parties to whom we sold or disclosed that particular category of Personal Information; (v) our business or commercial purpose for collecting or disclosing your Personal Information; and (vi) the specific pieces of Personal Information we collected about you.
You may exercise your right to request to know twice a year, free of charge. If we are unable to fulfil your request to know, we will let you know the reason why. Please note, in response to a request to know, we are prohibited from disclosing your Social Security number; driver’s license number or other government-issued identification number; financial account number; any health insurance or medical identification number; an account password, security questions, or answers; and unique biometric data generated from measurements or technical analysis of human characteristics.
Right to Request to Delete. You have the right to request that we delete the Personal Information that we have collected from you. We may deny your request under certain circumstances, such as if we need to retain your Personal Information to comply with our legal obligations or if retaining the information is necessary to complete a transaction for which your Personal Information was collected. If we deny your request to delete, we will let you know the reason why.
Right to access and portability – You have the right to request a categorised list of the Personal Information we have collected, in a portable and readily usable format.
Right to Request correction. You have the right to request that we correct the Personal Information we maintain about you.
Right to Non-Discrimination. If you choose to exercise any of these rights, we will not discriminate against you in any way.
If you, or your authorized agent, would like to make a request to know or request to delete, you can do so by clicking here.
Verification
We will take steps to verify your identity before processing your request to know or request to delete. We will not fulfil your request unless you have provided sufficient information for us to reasonably verify that you are the individual about whom we collected Personal Information. We may request additional information about you so that we can verify your identity. We will only use the additional Personal Information you provide to verify your identity and to process your request.
You may use an authorized agent to submit a request to know or a request to delete. When we verify your agent’s request, we may verify both your and your agent’s identity and request a signed document from you that authorizes your agent to make the request on your behalf. To protect your Personal Information, we reserve the right to deny a request from an agent that does not submit proof that they have been authorized by you to act on your behalf.
Response timing and format
We endeavour to substantively respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.
We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
Retention periods
For more information on how long we retain your Personal Information see section 8 of the Notice.
Updates to addendum
We may change or update this CCPA Addendum from time to time. When we make changes to this Addendum, we will post the updated notice on the website and update the notice’s effective date. Your continued use of our website following the posting of changes constitutes your acceptance of such changes.
Contacting us
If you have any questions or concerns about this CCPA Addendum including exercising your data rights or would like to learn more about how we protect your privacy or need to access this Addendum in an alternative format due to having a disability, please contact us by:
-
emailing dataprotection@cfc.com; or
-
submit your query through our website here.
Effective Date: 01 August 2024