PRIVACY AND DATA PROTECTION POLICY

Effective Date: This Privacy and Data Protection Policy was last revised on January 1, 2020.


You have arrived at a website that is owned and/or operated by Arch Capital Group Ltd., whose office is at Waterloo House, Ground Floor, 100 Pitts Bay Road, Pembroke HM 08, Bermuda, and its subsidiaries, details of which can be found in the Website’s Terms and Conditions of Use (collectively, “Arch” or “we,” “our” or “us”).

The purpose of this Privacy and Data Protection Policy (this “Policy”) is to explain how, when and why we collect and use Personal Data (otherwise known as Personal Information), including:

  • When you access our website (the “Website”) regardless of how you access or use the Website, whether via personal computers, mobile devices or otherwise;
  • When you, as a representative of a company, purchase an insurance policy underwritten by us;
  • When you, in an individual capacity, purchase an insurance policy underwritten by us (e.g. when you purchase travel insurance from RoamRight); or
  • When you purchase an insurance policy from a third party insurance company that enters into a reinsurance arrangement with us, which is referred to as “reinsurance”.

Particularly in the reinsurance context, we may possess personal information about you that we did not collect from you. For example, if you have purchased an insurance policy from an insurance company which reinsures the policy with us, we may come into receipt of your Personal Data. In these instances, we encourage you also to check the privacy policies of those third parties.

It is also important that you show this privacy policy to any other person who is insured under your insurance policy.

This Policy is not intended to override the terms of any insurance policy or contract you have with us, nor rights you are afforded under applicable privacy and data protection laws.

  • If you are located in the European Economic Area (“EEA”)/United Kingdom (“UK”), it is important you read, in particular, Section 9 of this Policy.
  • If you are a California resident or “consumer,” it is particularly important that you read Section 10 of this Policy.

Arch is a group of companies which writes insurance, reinsurance and mortgage insurance on a worldwide basis through its principal operations in Bermuda, the United States, Canada, Europe, Australia and Hong Kong. The Arch company which was originally responsible for collecting information about you will be principally responsible for your personal data (“data controller”). For example, if you have an insurance policy with us, this will be the Arch company named on that policy.

In addition, please review the Website’s Terms and Conditions of Use, which govern your use of the Website.

We encourage you to read the entire Policy. Please click on the headings in the table of contents to go directly to the full explanation of a specific issue or point.


Table of Contents

  1. What Personal Data do we Collect?
    1. Prospective Insureds and Insureds
    2. Claimants
    3. Business Partners and Website Users
  2. When do we Collect your Personal Data?
    1. Prospective Insureds and Insureds
    2. Claimants
    3. Business Partners and Website Users
  3. How Do We Use the Personal Data Collected?
    1. Prospective Insureds and Insureds
    2. Claimants
    3. Business Partners and Website Users
  4. How and When Do We Disclose Personal Data to Third Parties?
  5. Ads and Information About You
  6. Do Not Track Disclosures
  7. Does the Site include Third Party Content and Links to Third Party Websites?
  8. How Do I Change My Information and Communications Preferences?
  9. Additional information regarding individuals in the EEA/UK
    1. Legal basis for processing personal data of individuals in the EEA/UK.
    2. Legal basis for processing personal data (including usage information) relating to Website users in the EEA/UK.
    3. Criminal Convictions and Offenses Data and Special Categories of Personal Data of Individuals in the EEA/UK.
    4. What additional rights do you have if you are in the EEA/UK?
    5. Transfers of Personal Data out of the EEA/UK.
  10. Additional information regarding California Residents
  11. Children’s Privacy
  12. Security of Personal Data
  13. How Long Do We Retain Your Personal Data?
  14. Changes to Our Privacy Policy
  15. Contact Us

 


 

  1. What Personal Data do we Collect?

    When we use the term Personal Data, we mean any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

    Personal Data is sometimes referred to as Personal Information, depending on the applicable law. Under the California Consumer Privacy Act, Personal Information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

    Both Personal Data and Personal Information, which we use interchangeably, are broad definitions, and include pieces of information like your name, address, telephone number, or email address.

    Certain pieces of information that are not Personal Data include publicly available information, de-identified information or aggregate information. By “aggregate information” or “de-identified information,” we mean information that does not allow us to identify or contact a specific individual. For example, the number of users of our website is aggregate information which does not reveal who those users are.

    1. Prospective Insureds and Insureds

      In order to provide insurance quotes and policies and administer your insurance, we need to collect and process personal data about you. If you do not provide the information we need, we may not be able to offer you a quote or provide our services to you. We also may have to cancel our services with you but in that case we will notify you and provide an explanation.

      The types of personal data may include:

      Category: Types of Data Collected

      • Individual details: Name, address, gender, marital status, date of birth, nationality, marketing preferences, bank account details or payment card details, vehicle details, relevant criminal convictions and offenses, penalty points, employer, job title and family details, including their relationship to you.
      • Identification details: Identification numbers issued by government bodies or agencies, including your driving license number.
      • Credit and anti-fraud data: Credit and anti-fraud data such as credit history, credit score, sanctions and criminal offenses and convictions, and information from various anti-fraud databases related to you.
      • Special categories of personal data and criminal convictions data: In the EEA/UK, certain categories of personal data may have additional protection under applicable data protection laws. These categories include data concerning your health and criminal offenses and convictions.
      • Risk details: Information about you which we need to collect in order to assess the risk to be insured and provide a quote. This may include data relating to your health, relevant criminal offenses and convictions, or other special categories of personal data.


    2. Claimants

      In order to deal with any claims, we need to collect and process personal data about you. If you do not provide the information we need, we may not be able to handle the claim.

      The types of personal data may include:

      Category: Types of Data Collected

      • Individual details: Name, address, bank account details, and vehicle details.
      • Identification details: Identification numbers issued by government bodies or agencies, including your driving license number.
      • Credit and anti-fraud data: Credit and anti-fraud data such as credit history, credit score, sanctions, criminal offenses and convictions, and information from various anti-fraud databases related to you.
      • Special categories of personal data and criminal convictions data: In the EEA/UK, certain categories of personal data may have additional protection under applicable data protection laws. These categories include data concerning your health and criminal offenses and convictions.
      • Claims information: Information about previous and current claims (including other unrelated insurances), which may include data concerning your health (e.g., injuries and relevant pre-existing conditions), relevant criminal offenses and convictions, or other special categories of personal data.


    3. Business Partners and Website Users
      1. Business Partners: If you are a business partner, we will collect your business contact details. We may also collect information about your professional expertise and experience.
      2. Website Users: If you are a Website user:
        • You may voluntarily provide us with personal data (e.g., to contact us). You can visit the Website without revealing who you are or providing any personal data about yourself. However, there will be times, such as when you request information or a publication from us through the Website, when we will need to obtain personal data from you or about you. We may collect this personal data through various forms and in various places on the Website, including application forms, contact us forms or when you otherwise interact with the Website. Additionally, we may also make certain online services available, such as an online portal that permits our customer account holders to access their business accounts.
        • We and our third-party service providers may use a variety of technologies that automatically (or passively) store or collect certain information whenever you visit or interact with the Website based on your use of the Website (“usage information”). This usage information may be stored or accessed using a variety of technologies that may be downloaded to your personal computer, browser, laptop, tablet, mobile phone or other device whenever you visit or interact with our Website. You may have other options regarding tracking and/or targeting. Please see our Cookie Policy for further information.
        • We may, from time to time, supplement the information we collect directly from you on the Website with outside records from third parties for various purposes, including to enhance our ability to serve you, to tailor our content to you and to offer you opportunities that may be of interest to you. We will apply this Policy to such supplemental information and where such supplemental information amounts to personal data (and/or the combined information amounts to personal data), it will be treated as personal data.

  2. When do we Collect your Personal Data?
    1. Prospective Insureds and Insureds

      We will collect your personal data: (1) directly from you when you apply for an insurance policy; (2) from third parties, such as an intermediary (e.g., an insurance broker), or other third party insurance companies (e.g., if you are a policyholder with an insurance company which has a reinsurance arrangement with an Arch company) or your employer where, for example, they apply for an insurance policy under which you will be a beneficiary; and (3) from other sources (e.g., credit reference agencies and government agencies) and other public sources where necessary to, for example, comply with applicable sanctions and anti-money laundering laws.

    2. Claimants

      We will collect your personal data: (1) when you or a third party (e.g., your employer or attorney) notify us of a claim either directly or through an intermediary (e.g., an insurance broker) or other third party insurance companies (e.g., if you are a policyholder with an insurance company which has reinsurance with an Arch company); and (2) from other sources (e.g., credit reference agencies and government agencies) and other public sources where necessary, for example, to validate the claim or comply with applicable anti-money laundering laws and sanctions.

    3. Business Partners and Website Users

      We will collect your personal data: (1) where you or your employer provides your contact or other information to us in the course of working with us, either directly as a business partner or as a representative of your company; (2) where you attend meetings, events or conferences that we organize or sponsor; and (3) where you visit and/or contact us through the Website or one of our online portals. For more information on how we collect technical data about your device and browsing activities, see our Cookie Policy.

  3. How Do We Use the Personal Data Collected?
    1. Prospective Insureds and Insureds

      In order to provide insurance quotes and policies and administer your insurance we may use your personal data for the following purposes:

      1. To consider an application for an insurance policy, assess and evaluate risk, and where applicable, provide you with insurance cover;
      2. To manage and administer insurance policies (including dealing with your queries) with you or your employer;
      3. For reinsurance purposes;
      4. For direct marketing;
      5. To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, company sales and reorganizations, and for statistical analyses; and
      6. For the prevention and detection of fraud, money laundering or other crimes.

      Additional information concerning the legal basis for processing personal data of individuals in the EEA/UK is provided in Section 9.

    2. Claimants

      In order to deal with any claims, we may process your personal data for the following purposes:

      1. For claims processing including assessing and evaluating the merits of a claim and to pay a settlement;
      2. For statistical analyses; and
      3. For the prevention and detection of fraud, money laundering or other crimes.

      Additional information concerning the legal basis for processing personal data of individuals in the EEA/UK is provided in Section 9.

    3. Business Partners and Website Users

      Business Partners:

      As part of our business activities, we may process your personal data for the following purposes:

      1. To manage our relationship with you and to, for example, invite you to events; and
      2. To administer our contract with you or your employer.

      Website Users:

      As part of our business activities, we may process your personal data for the following purposes:

      1. To improve the Website or our services, to customize your experience on the Website, or to serve you specific content that is relevant to you;
      2. To contact you with regard to your use of the Website and, in our discretion, changes to the Website or the Website policies;
      3. For internal business purposes, including to help us understand how our Website is navigated and used;
      4. For direct marketing; and
      5. Where you submit personal data in connection with a career opening or by submitting a resume through the Website, we will use that information in accordance with our Applicant Data Protection Notice on the Careers section of the Website and only for the purpose of evaluating your application.

  4. How and When Do We Disclose Personal Data to Third Parties?

    In addition, we may share with third parties the information we have collected about you, including personal data, to provide our services and comply with legal obligations. We do not share your personal data with third parties for their marketing purposes unless you have consented to such sharing.

    These third parties may include:

    • Other Companies. We may share your personal data with other companies in the Arch group of companies located in and outside of the EEA/UK to assist in the delivery of services to you. We also reserve the right to disclose and transfer such information: (1) to a subsequent owner, co-owner or operator of the Website; or (2) in connection with a merger, consolidation, restructuring, the sale of substantially all of our interests and/or assets or other corporate change, including, during the course of any due diligence process.
    • Third Party Intermediaries. We may disclose your personal data to intermediaries (e.g., brokers, managing general agents, third party administrators) and other (re)insurers in and outside of the EEA/UK to assist us in managing our business.
    • Third Parties Providing Services on our Behalf. We may use third party vendors to perform certain services on our behalf, such as technical support and back-office services, loss adjustors and claims experts, hosting services and Website activity tracking and analytics. We may also disclose your personal data to our advisors (e.g., attorneys and other professional services firms) in and outside of the EEA/UK.

      Transfers amongst Arch entities are covered by intra-organizational agreements which provide specific requirements designed to ensure your personal information receives adequate protection whenever it is transferred within Arch. Transfers to our third party intermediaries and service providers are protected by contractual agreements that require an adequate level of data protection. If you are located in the EEA/UK, please also see Section 9(v)’s discussion of transfers of personal data outside of the EEA/UK.

    • Judicial, Regulatory and Law Enforcement Bodies. We may disclose your personal data to judicial, regulatory and law enforcement bodies, including, but not limited to, in order to: (1) satisfy any applicable law, regulation, subpoenas, governmental requests or legal process if in our good faith opinion such disclosure is required or permitted by law; (2) protect and/or defend our rights, property and/or interests (including the Website’s Terms and Conditions of Use or other policies applicable to the Website) and investigation of potential violations thereof; (3) protect the safety, rights, property or security of Arch or any third party where we are legally required or advised to do so; and (4) detect, prevent or otherwise address fraud, security or technical issues. Further, we may use usage information or device identifiers to identify users, on our own or in cooperation with third parties and/or law enforcement agencies, including disclosing such information to third parties, all in our discretion and subject to applicable law. Such disclosures may be carried out without notice to you.

  5. Ads and Information About You

    In accordance with our Cookie Policy, data about your online activity may be collected on our Website for use in providing advertising tailored to your individual interests. This process also helps us track the effectiveness of our marketing efforts. We may also use tracking technologies, such as our own cookies, to provide you with further information about your interests. The information collected may include information about your visits to our Website, such as the pages you have viewed. These third-party tracking technologies may be set to, among other things: (1) help deliver advertisements to you that you might be interested in; (2) prevent you from seeing the same advertisements too many times; and (3) understand the usefulness to you of the advertisements that have been delivered to you. Note that any images (or any other parts of content) served by third parties in association with third-party ads or other content may act as web beacons, which enable third parties to carry out the previously described activities.

    Our Cookie Policy provides additional details and explains how you can limit the collection of this information.

  6. Do Not Track Disclosures

    Various third parties are developing or have developed signals or other mechanisms for the expression of consumer choice regarding the collection of information about an individual consumer’s online activities over time and across third-party websites or online services (e.g., browser do not track signals). Currently, we do not monitor or take any action with respect to these signals or other mechanisms.

  7. Does the Website include Third Party Content and Links to Third Party Websites?

    The Website may contain content that is supplied by a third party, and those third parties may collect usage information and your device identifier when webpages from the Website are served to you. The Website may contain links to third parties. We are not responsible for the data collection and privacy practices employed by any of these third parties on their websites. We encourage you to review their privacy policies.

  8. How Do I Change My Information and Communications Preferences?
    1. If you wish to update or correct your Personal Data, please email: ArchDPO@archcapservices.com.
    2. You may cancel or modify the email marketing communications you receive from us by following the instructions contained in our promotional emails or in some cases by logging into your Website account and changing your communication preferences. This will not affect subsequent subscriptions and you may limit your opt-out to certain types of emails.
    3. Please note that we reserve the right to send you certain communications relating to your account or use of the Website, such as administrative and services announcements and you will continue to receive these transactional communications if you opt-out from receiving marketing communications.

  9. Additional information regarding individuals in the EEA/UK
    1. Legal basis for processing personal data of individuals in the EEA/UK.

      We will only use your Personal Data for the purposes for which we collect such Personal Data as outlined below and in Section 3, unless we need to use it at a later date for another purpose that is compatible with the original purpose. If we need to further process your Personal Data for a purpose that is not compatible with the original purpose for collection, we will notify you and provide an explanation of the legal basis which allows us to do so.

      Purpose(s) for Processing | Legal Basis for Processing

      To consider an application for an insurance policy, assess and evaluate risk, and where applicable, provide you with insurance cover

      • The processing of your personal data is necessary to perform a contract or enter into a contract with you (e.g., the insurance policy)

      • The processing of your personal data is necessary for us to comply with legal and regulatory obligations

      • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights*

      To manage and administer contracts including insurance policies (including dealing with your queries) with you or your employer
      For claims processing, including assessing and evaluating the merits of a claim and, where relevant, to pay a settlement
      For reinsurance purposes

      • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights*

      For statistical analyses
      To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, company sales and reorganizations, and for statistical analyses
      Direct marketing

      • We will seek your consent to the processing of your personal data for direct marketing – which you may withdraw at any time

      For the prevention and detection of fraud, money laundering or other crimes

      • The processing of your personal data is necessary for us to comply with legal and regulatory obligations or as authorized by applicable law

      To manage our relationship with you

      • The processing of your personal data is necessary to perform a contract or enter into a contract with you

      • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights*


    2. Legal basis for processing personal data (including usage information) relating to Website users in the EEA/UK.

      Purpose(s) for Processing | Legal Basis for Processing

      To improve the Website or our services, to customize your experience on the Website, or to serve you specific content that is relevant to you

      • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights*

      To contact you with regard to your use of the Website and, in our discretion, changes to the Website or the Website policies
      For internal business purposes, including to help us understand how our Website is navigated and used
      Evaluate your application and qualifications where you submit personal data in connection with a career opening or by submitting a resume through this Website
      Direct marketing

      • Where you have given consent to the processing of your personal data for direct marketing – which you may withdraw at any time


    3. Criminal Offenses and Convictions Data and Special Categories of Personal Data of Individuals in the EEA/UK.
        • Criminal Offenses and Convictions Data: We will only process personal data relating to criminal offenses and convictions for the following purposes: (i) in order to underwrite risk appropriately, calculate a quote or policy renewal and in the context of motor insurance, to risk assess any person who will be driving the insured vehicle (e.g., a risk assessment), (ii) for fraud detection or prevention or (iii) where required for claims handling. We will only carry out such processing where it is authorized by applicable law.
        • Special Categories of Personal Data: Where we process your special categories of personal data (e.g., health data) for any of the above purposes, we will only do so where: (1) you have given explicit consent to the processing of your special categories of personal data for these purposes – which you may withdraw at any time; (2) the processing is necessary to protect your vital interests (or those of a third party); (3) you have manifestly made your special categories of personal data public; (4) the processing is necessary for the establishment, exercise or defense of legal claims; or (5) the processing is necessary for reasons of substantial public interest on the basis of applicable law.

    4. What additional rights do you have if you are in the EEA/UK?

        If you are located in the EEA/UK, you have several rights in relation to your personal data under applicable privacy and data protection law, which may be subject to certain limitations and restrictions. We aim to respond to any valid requests within one month unless it is particularly complicated or you have made repeated requests in which case we aim to respond within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request. If you wish to exercise any of these rights, please contact us using the contact details set out in Section 15 below. We may request proof of identification to verify your request.

        Your Right
        What this Means
        Right to withdraw consent

        If we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time. Please see our contact details in Section 15 below. However, the withdrawal of your consent would not invalidate any processing we carried out prior to your withdrawal and based on your consent.

        Right of Access

        You can ask us to confirm whether we are processing your personal data and request a copy of that personal data. You can also ask that we provide additional information, including:
        • Description of the personal data we hold about you;
        • Why we have your personal data;
        • Identify any third parties to whom we disclose your personal data;
        • Transfers of your personal data to locations outside the EEA/UK;
        • How long we keep your personal data;
        • More details about your rights related to your personal data and how you can make a complaint to the supervisory authority;
        • Where we obtained your personal data; and
        • Whether we have carried out any automated decision-making (see Automated Decision-Making below)

        Right to Rectification

        You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete.

        Right to Erasure (‘Right to be Forgotten’)

        You have the right to request that your personal data be deleted in certain circumstances including:
        • The personal data are no longer needed for the purpose for which they were collected;
        • You withdraw your consent (where the processing was based on consent);
        • You object to the processing and there are no overriding legitimate grounds justifying the processing of your personal data (see Right to Object below);
        • The personal data have been unlawfully processed; or
        • To comply with a legal obligation.

        However, this right does not apply where, for example, the processing is necessary:
        • To comply with a legal obligation; or
        • For the establishment, exercise or defense of legal claims.

        Right to Restriction of Processing

        You can ask that we restrict the processing of your personal data (i.e., keep but not use) where:
        • The accuracy of the personal data is contested;
        • The processing is unlawful but you do not want it erased;
        • We no longer need the personal data but you require it for the establishment, exercise or defense of legal claims; or
        • You have objected to the processing and verification as to our overriding legitimate grounds is pending.

        We can continue to use your personal data:
        • Where we have your consent to do so;
        • For the establishment, exercise or defense of legal claims;
        • To protect the rights of another; or
        • For reasons of important public interest.

        Right to Data Portability

        Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly-used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where:
        • The processing is carried out by automated means; and
        • The processing is based on your consent or on the performance of a contract with you.

        Right to Object*

        You have a right to object where we are processing your personal data:
        • In reliance on our legitimate interests. In such a case we must stop processing your personal data unless we demonstrate compelling legitimate interests that override your interests. You also have a right to request information on the balancing test we use to make this determination; and
        • For direct marketing purposes.

        Automated Decision-Making

        You have a right not to be subject to decisions based solely on automated processing (including profiling) which produce legal effects concerning you or similarly significantly affect you, other than where the decision is:
        • Necessary for entering into a contract, or for performing a contract with you (e.g., your insurance policy);
        • Based on your explicit consent – which you may withdraw at any time; or
        • Authorized by applicable law.

        Where we base a decision solely on automated decision-making, you will always be entitled to have a person review the decision so that you can contest it and put your point of view and circumstances forward.

        Right to Complain

        If you are not satisfied with our use of your personal data or our response to any request made by you to exercise any of your rights, you have the right to lodge a complaint with the local data protection supervisory authority at any time.


      4. Transfers of Personal Data out of the EEA/UK

        If you are located in the EEA/UK, the personal data we collect from you may be transferred to, and stored at, a destination outside of the EEA/UK (including Bermuda, Switzerland and the United States) for the purposes described above. The recipients may be located in countries which do not provide a similar or adequate level of protection to that provided by countries in the EEA/UK.

        Transfers within the Arch group will be covered by data transfer agreements designed to ensure the protection of your personal data when it is transferred outside of the EEA/UK, in accordance with Article 46(2)(c) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) (“Model Clauses”).

        Transfers to service providers and other third parties will comply with applicable data protection laws (e.g., under Model Clauses or the EU/Swiss-U.S. Privacy Shield in accordance with Article 45 of the GDPR).

        The Website is hosted in the US.

        You may withdraw your consent at any time.

        We may also transfer your personal data outside of the EEA/UK when required by law (e.g., if we receive a request from a foreign judicial, regulatory or law enforcement body). Such transfers will be made in accordance with applicable data protection laws.

        If you would like further information about the safeguards we have implemented please contact us using the contact details set out in Section 15 below.

    2. California Residents

      The personal data about you that we collect includes personal information within the categories of data in the table below. These categories also represent the categories of personal information that we have collected over the past 12 months. Note that the categories listed below are defined by California state law. Inclusion of a category in the list below indicates only that, depending on the services and products we provide you, we may collect or disclose some information within that category. It does not necessarily mean that we collect or disclose all information listed in a particular category for all our customers.

      We do not sell personal information about you, as defined under California state law, nor do we intend to do so. We also have not done so for the last 12 months.

      Category | Source | Purpose of processing | Disclosed for a Business Purpose in last 12 months? | Types of Third Parties Shared With

      Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.


      This information is collected directly from you, your agent, or our service providers.

      This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims.

      It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems.

      In addition, this data is also used for marketing purposes, including offering you products that may interest you through both direct and partner advertising.

      Yes

      Affiliates, service providers, and intermediaries.

      Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, your name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.

      This information is collected directly from you, your agent, consumer reporting agencies, our service providers, or public records.

      This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims.

      It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems.

      In addition, this data is used for marketing purposes, including offering you products that may interest you through both direct and partner advertising.

      Yes

      Affiliates, service providers, and intermediaries.

      Characteristics of classes protected under federal or California law, including: familial status, disability, sex, national origin, religion, color, race, sexual orientation, gender identity and gender expression, marital status, veteran status, medical condition, ancestry, source of income, age, or genetic information.

      This information is collected directly from you, your agent, consumer reporting agencies, or our service providers.

      This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims.

      It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems.

      This data is also used for marketing purposes, including offering you products that may interest you through both direct and partner advertising.

      Yes

      Affiliates, service providers, and intermediaries.

      Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.

      This information is collected directly from you, your agent, consumer reporting agencies, our service providers, or public records.

      This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims.

      It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems.

      This data, as well as information regarding your purchasing tendencies obtained from our business partners, is also used for marketing purposes, including offering you products that may interest you through both direct and partner advertising.

      Yes

      Affiliates, service providers, and intermediaries.

      Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.

      This information is collected directly from you, or from our service providers, via cookies or similar technologies.

      This data is used for marketing purposes, including offering you products that may interest you through both direct and partner advertising.

      It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems.

      Yes

      Affiliates, service providers, and intermediaries.

      Geolocation data

      This information is collected directly from you, or from our service providers, via cookies or similar technologies.

      This data is processed for marketing purposes, including offering you products that may interest you through both direct and partner advertising. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for compliance management.

      Yes

      Affiliates, service providers, and intermediaries.

      Audio, electronic, visual, thermal, olfactory, or similar information

      This information is collected directly from you, your agent, or our service providers.

      This data (e.g. voice signatures for e-applications as well as recordings of customer service calls) is processed in connection with a number of our operational functions to provide you with services, including policy issuance and to administer claims.

      It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for compliance management.

      Yes

      Affiliates, service providers, and intermediaries.

      Professional or employment-related information

      This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims.

      It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for compliance management.

      Yes

      Affiliates, service providers, and intermediaries.

      Inferences drawn from any of the above categories of information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

      This information is collected from consumer reporting agencies, our partners, or our service providers.

      This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims.

      It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems.

      Yes

      Affiliates, service providers, and intermediaries.


      Privacy Rights under the California Consumer Privacy Act

      For residents of California, you may have the rights described below with respect to personal information about you. We may also provide you with rights even if we are not required to do so.

      Subject to certain conditions and limitations, you may have the following rights with respect to personal information about you:

      Right of access – You may be entitled to request that we disclose to you personal information we have collected about you, the categories of sources from which the information was collected, the purposes of collecting the information, the categories of third parties we have shared the information with, and the categories of personal information that have been shared with third parties for a business purpose. Data solely retained for data backup purposes is generally excluded.

      Right of data portability – In some instances, you may have the right to receive the information about you in a portable and readily usable format. Before providing this information, we must be able to verify your identity. Data solely retained for data backup purposes is generally excluded.

      Right to have personal data erased – Subject to certain conditions, you may be entitled to request that we delete personal information about you. We will not delete personal information about you when the information is required to fulfill a legal obligation, is necessary to exercise or defend legal claims, or where we are required or permitted to retain the information by law. For example, we cannot delete information about you while continuing to provide you with insurance products or where required to be retained for regulatory purposes. Data solely retained for data backup purposes is generally excluded.

      If you choose to exercise any of these rights, to the extent that they apply, U.S. state law prohibits us from discriminating against you on the basis of choosing to exercise your privacy rights. We may, however, charge a different rate or provide a different level of service to the extent permitted by law.

      Before providing information you request in accordance with your rights, we must be able to verify your identity. In order to verify your identity, you will need to submit information about yourself, including, to the extent applicable, providing your account login credentials or other account information, answers to security questions, your name, government identification number we already have on file, date of birth, contact information, or other personal identifying information. We will match this information against information we have previously collected about you to verify your identity and your request. To the extent you maintain an account with us, we will require you to log in to that account as part of submitting your request. If we are unable to verify your identity as part of your request, we will not be able to satisfy your request. We are not obligated to collect additional information in order to enable you to verify your identity, but we may offer you the ability to provide additional information for verification purposes. For deletion requests, you will be required to submit a verifiable request for deletion and then to confirm separately that you want personal information about you deleted.

      If you would like to appoint an authorized agent to make a request on your behalf, and that agent is not already authorized to access your account in your profile, please submit a notarized special power of attorney or a letter from your attorney.

      To request that we access or delete personal information, please contact us, or submit an online request by clicking HERE or call us at: 877-800-6249 (toll free in the U.S.).

      Gramm-Leach-Bliley Act and Fair Credit Reporting Act Information

      Note that to the extent we receive, obtain, or generate information about you in connection with providing a financial service or product to you in your personal capacity within the United States, your rights with respect to that information are generally governed by the Gramm-Leach-Bliley Act (GLBA). Those Arch entities that have privacy policies under GLBA are:

      •  https://www.roamright.com/aigi-privacy-notice/

      However, while we may receive this kind of information, individuals in their individual capacity, as opposed to their capacity as a representative of a company, are not our consumer or customer as those terms are defined in the GLBA.

      Nonetheless, as required by GLBA, we protect that information to keep it confidential and secure, and we do not share or use this kind of information other than as necessary for providing the financial product or service. If you have questions about how information about you is collected and used in connection with a financial product for you, your family or your household, please contact your financial institution.

      In connection with providing financial services or products, we may also receive or obtain information about your creditworthiness or insurability subject to the Fair Credit Reporting Act. We need to handle and share this personal information to run our everyday business. We may use and share this information:

      •  for our everyday business purposes, such as to process transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus

      You cannot limit the use or sharing of FCRA data for these purposes. Federal law gives you the right to limit only:

      •  sharing for affiliates’ everyday business purposes—information about your creditworthiness or insurability
      •  affiliates from using your information to market to you
      •  sharing for non-affiliates to market to you

      We do not share information for these purposes. Should we share information for these purposes in the future, we will notify you before doing so and you will have the right to opt-out of that sharing.

    3. Children’s Privacy

      The Website is not targeted at children, as defined by local law, and we do not knowingly collect any personal data from children. We will delete any personal data we determine to have been collected from a child or user under the applicable age of consent. If you are a parent or guardian of a child under the relevant digital age of consent and believe he or she has disclosed personal data to us, please contact us at ArchDPO@archcapservices.com

    4. Security of Personal Data

      We implement appropriate and reasonable security and technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

      Although we take measures to protect the security of the information communicated through the Website, no Internet-connected computer system can be made absolutely secure from intrusion. We, therefore, cannot and do not guarantee that information communicated by you to us via the Website will be received or that it will not be altered before or after its transmission to us. If you elect to use the Website to communicate with us or provide us with information, you do so at your own risk.

    5. How Long Do We Retain Your Personal Data?

      We retain your personal data only for as long as necessary in accordance with our document retention policy and in accordance with legal, regulatory, tax or accounting requirements, or for dealing with complaints, legal challenges or prospective litigation.

      For example, where you purchase our insurance product, information will be held for the duration of your insurance cover and a period of several years after the end of our relationship. We keep information after our relationship ends in order to comply with applicable laws and regulations and for use in connection with any legal claims brought under or in connection with your policy.

      Once your personal data is no longer required, it will be securely deleted.

    6. Changes to Our Privacy Policy

      We reserve the right to change, update and/or modify this Policy at any time without notice to you. Any changes will be effective immediately upon the posting of the revised Policy. However, if we make material changes to this Policy we will notify you by means of a prominent notice on the Website prior to the change becoming effective, or in other ways as required by law. Please review the Policy whenever you access or use this Website.

      To the extent any provision of this Policy is found by a competent tribunal to be invalid, illegal or unenforceable, such provision shall be deemed to be severed to the extent necessary, but the remainder shall be valid and enforceable.

    7. Contact Us

      If you have any questions about our Policy or practices described in it, you should contact us in the following ways:

      •  Postal Mail: Arch Group Data Protection Officer, Arch Capital Services Inc., 360 Hamilton Avenue, Suite 600, White Plains, New York 10601
      •  By e-mail: ArchDPO@archcapservices.com
      •  By phone: 877-800-6249 (toll free in the U.S.) or +1 914-872-3609