Privacy Notice - Canopy Insurance Ltd.

Privacy Notice

PRIVACY NOTICE

CANOPY INSURANCE LIMITED (“we”, “us” or “our”) respects your privacy and is committed to protecting your personal data. We are dedicated to complying with Jamaica’s data protection laws as we aim to bolster the trust and confidence of all our stakeholders, including our team, customers, business partners, and shareholders, in our stewardship of their personal data.

This Privacy Notice aims to give you information on how we collect and process your personal data, how we look after your personal data, and to inform you about your privacy rights and how the law protects you.

It is important that you read this Privacy Notice along with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your personal data. This Privacy Notice supplements those other notices and is not intended to override them.

CANOPY INSURANCE LIMITED is a subsidiary of the GraceKennedy Financial Group and Musson Group of Companies.

  1. THE PERSONAL DATA WE COLLECTPersonal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
    • Identity Data includes first name, middle name, last name, title, date of birth, gender, TRN and employer.
    • Contact Data includes address (home, postal or other physical address), email address and telephone numbers.
    • Financial Data includes bank account and payment card details.
    • Transaction Data includes details about payments to and from you and other details of products you have purchased from us.
    • Profile Data includes, in relation to your website account, your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
    • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
    • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website.
    • Usage Data includes information about how you use our website, products and services.
  2. HOW WE COLLECT PERSONAL DATA

    Your personal data is collected in the following ways:

    • Direct interactions. You may give us your Identity, Contact and Financial Data by filling in forms, by corresponding with us by post, phone, email, via our website or otherwise, or when you enter into a contract with us for the provision of our services.
    • Automated technologies or interactions. As you interact with us online, we may automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs, and other similar technologies.
    • Third parties. We may receive your Identity, Contact and Financial Data from third party suppliers and business partners such as Brokers and Agents to assist us with our business operations to enable us to provide you with products and services.
  3. HOW WE USE PERSONAL DATA

    We only use your personal data for the purposes for which it was acquired, or where we have a lawful reason for using it. Examples of how we use your personal data are detailed below:

    • Contacting us. When you contact us with an enquiry or to request information about our products, we will use your
    • Identity and Contact Data to respond to you in accordance with our legitimate interest of maintaining our goodwill and reputation as well as ensuring good customer relations.
    • Competition entries. When you enter any competition, prize draw or promotion which we run, we will use your
    • Identity and Contact Data to contact you in respect of that competition, prize draw or promotion and to notify you if you have won as part of our performance of our contract with you and in accordance with our legitimate interests of maintaining good customer relations and developing and growing our business.
    • Website account. When you sign up for an account on our website, we will need your Identity and Contact Data so that we can identify you as an account holder. You will also be asked to create Profile Data including a username and password. Your account will also hold details of your insurance plans and claims made by you (Transaction Data), and any preferences that you set for your account (Marketing and Communications Data). This information is necessary for the performance of our contract with you and is in accordance with our legitimate interest of maintaining good customer relations and ensuring the smooth running and operation of our business.
    • Purchasing our insurance products. We will use your Identity, Contact, Financial and Transaction Data to register you as a customer and to process and deliver products to you, including the management of payments, fees and charges. This is necessary for the purpose of performing our contract with you.
    • Advertising, marketing and public relations. We may use the Identity, Contact, Technical, and/or Usage Data of our customers to form a view on what we think our customers may want or need, or what may be of interest to them and in doing so we will only send information that is deemed relevant to their use of our services. This is necessary for our legitimate interests in growing and developing our business including our products and services. Customers will receive marketing communications from us in relation to similar products to those which they have previously purchased and where they have not opted out of receiving that marketing. You may also receive such advertising, marketing and public relations communications where you have expressly opted in to receiving those communications. We will always ask for express consent before we share personal data with any third party for marketing purposes. You can instruct us to stop sending marketing communications at any time by contacting us.
    • Surveys. If you choose to complete a survey that we use for research purposes, we will retain the information that you provide in response to that survey. This is necessary for our legitimate interest in understanding our customers and developing our business and informing our marketing strategy.
    • Website Analytics. As you navigate our website, Technical and Usage Data may be collected automatically. We do this to find out things such as the number of visitors to the various parts of the website, and to help us to improve the content of the website and to customise the content or layout of the website for you, in accordance with our legitimate interests. This is necessary for our legitimate interest in defining types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy.
      Fault reporting. If you contact us to report a fault with our website, we will use the Identity and Contact Data provided for the purposes of rectifying that fault in accordance with our legitimate interests.
    • Recruitment. Personal data provided for an employment opportunity will be processed to allow us to evaluate the merits of that application in accordance with our legitimate interests.We may also use it in the following instances:
    • To deal with and/or respond to any enquiry or request made by you prior to entering into any contract or agreement with us or as a result of such contract or agreement.
    • Where we need to perform the contract we are about to enter into or have entered into with you.
    • Where we need to comply with a legal or regulatory obligation, including the prevention of crime.
    • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. On occasion, we need to hire other companies to help us to serve you better and in some of these cases we may need to share personal data that is necessary to perform tasks for us, such as courier and delivery companies or companies engaged to run promotions on our behalf.
    • Where it is necessary for the performance of our contract with you, including where you have asked us to do so or where we need to take steps to enforce any contract which may be entered into between us.
    • Where we are under a legal duty to do so in order to comply with any legal obligation.
    • In order to protect the rights, property or safety of our business, our employees and workers, customers, suppliers and others. This includes exchanging information with other companies and organisations for the purposes of fraud prevention and credit risk reduction.
    • If we, or substantially all of our assets, are acquired by a third party, in which case personal data that we hold about our customers will be one of the transferred assets and the new owner or newly controlling party will, under the terms of our Privacy Policy, be permitted to use that data only for the purposes for which it was originally collected by us.
  4. DISCLOSURE OF PERSONAL DATA

    Your personal data will only be disclosed to those of our employees or third party providers who have a need for such access for the purpose for which it was collected. Your personal data will not be disclosed to any other individuals or entities unless there is a lawful basis to do so.We require all third parties that process personal data on our behalf to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

  5. TRANSFER OF PERSONAL DATA
    It may be necessary for your personal data to be transferred to another company with the GraceKennedy Financial Group or the Musson Group of Companies, or to a third-party outside of Jamaica. Unless an exemption applies, we will only transfer your personal data out of Jamaica if:

    • Your data is being transferred to a jurisdiction that has been deemed by the supervisory authority to provide an adequate level of protection for personal data.
    • The third party to whom the data is being transferred agrees to protect your personal data in the same way we do.
  6. RETENTION & DISTRUCTION OF PERSONAL DATA

    We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for seven (7) years after they cease being customers for tax purposes.We will retain details of your policy coverage, including your personal data, for a period of seven (7) years to enable us to deal with any follow-up communications from you or to ensure that we are in possession of all relevant papers in the event of a legal claim relating to the contract between us.To determine the appropriate retention period for all other personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

  7. LAWFUL BASIS FOR PROCESSING PERSONAL DATA

    We rely on one or more of the following lawful bases for processing your data.

    • Consent. We will obtain your clear, informed and freely given consent before processing your personal data, except in circumstances where we have another lawful basis to process your data.
    • Vital Interest. To protect your life, in instances that the same cannot be reasonably achieved by a means other than processing your data.
    • Contractual Obligation. In contemplation of entering a contract with you or to fulfil our existing contractual obligations to you.
    • Legitimate Interest. We may process your personal data in the interest of our business in maintaining and enhancing its goodwill and reputation, avoiding or minimising legal claims, conducting and managing our business to enable us to provide you with the best products and services and a secure customer experience.
    • Legal Obligation. To comply with our obligations under the law.
  8. YOUR ACCESS TO AND CONTROL OVER YOUR PERSONAL DATA

    We are committed to observing your rights as an individual in respect of your personal data. The rights which you may exercise are:

    • Request access to personal data we have about you
      You have the right to access the personal information that we hold about you. This is more commonly referred to as a “data subject access request”. If we agree that we are obliged to provide personal information to you (or someone else authorised to receive it on your behalf), we will provide it to you (or them) free of charge.
    • Request a change or correction to any data we have about you
      If any of the personal information we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.
    • Request erasure of any data we have about you
      You have the right to have personal data erased. This enables you to ask us to delete or remove personal data where there is no lawful reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your personal data unlawfully or where we are required to erase your personal data to comply with the law. Please note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
    • Object to processing your data
      You may object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
    • Request restriction of processing of your personal data
      This enables you to ask us to suspend the processing of your personal data in the following scenarios:

      • if you want us to establish the data’s accuracy;
      • where our use of the data is unlawful but you do not want us to erase it;
      • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
      • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
    • Request the transfer of your personal data
      You may request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
    • Withdraw consent
      You may withdraw your consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. You can ask us to stop sending you marketing messages at any time by following the “unsubscribe” (or similar) links on any marketing message sent to you or by contacting us at any time. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a purchase, product/service experience or other transactions.
  9. HOW WE PROTECT PERSONAL DATA

    We are committed to protecting your personal data both online and offline. We (and our third-party service providers) use a variety of industry-standard security technologies and procedures, as well as organisational measures to help protect your personal data from unauthorised access, use, or disclosure, such as:

    • Vulnerability scanning
    • Malware scanning
    • Secure networks and access management
    • Encryption
    • Multi-Factor AuthenticationAdditionally, the access to and use of the personal data that we collect is restricted to our employees who need the personal data to perform a specific job role or activity. Where personal data is shared with third parties in line with this Privacy Notice, responsible measures are used to protect your personal data.
  10. DATA BREACHES

    We take data breaches very seriously. If a data breach occurs, we will endeavour to meet the deadlines stipulated by data protection laws to report data breaches to the supervisory authority. Where there is likely to be an impact on your rights because of the breach, we will endeavour to notify you without undue delay.

    • We will inform you of:
    • the nature of the data breach;
    • the measures taken or proposed to be taken to mitigate or address the possible adverse effects of the breach; and
    • the contact information of our Data Protection Officer or representative to whom you may address any concerns.We will review every breach as we become aware of it and take action to prevent future breaches.
  11. CHANGES TO PRIVACY NOTICE

    We reserve the right, in our sole discretion, to modify any part of this Privacy Notice. It is your responsibility to check this Privacy Notice periodically for changes. Continued use of our website indicates your acknowledgement that it is your responsibility to review this Privacy Notice periodically and become aware of any modifications. Changes to this notice are effective once they have been uploaded to our website. This version was last updated on May 15, 2024.

  12. CONTACT INFORMATION

    If you would like to exercise any of your rights as set out above, or you have a question or a comment about this Privacy Notice, or the way your personal information is processed, please contact us by using any of the following means:

    • By telephone at 888-4-CANOPY (888-422-6679)
    • By email at dataprivacy@canopy-insurance.com
      By post at 51 St. Lucia Avenue, Kingston 5, Jamaica. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request, if necessary.
  13. COMPLAINTS

    You have the right to make a complaint at any time to Jamaica’s supervisory authority for data protection issues – the Office of the Information Commissioner (“the OIC”). We would, however, appreciate the chance to deal with your concerns before you approach the OIC, so please contact us in the first instance.

Thank you for taking the time to read our Privacy Notice.

CANOPY INSURANCE LIMITED