Data Privacy and Protection
Explanatory Notes on Personal Data:
GDPR extends the definition of personal data to include digital identifiers such as IP addresses. Identifiers in telematics systems that correlate data and drivers, including information on location, speed or driving events, may thus be personal data.
This means that fleets need a lawful basis for processing it and they face extra responsibilities to guard it and to respond to driver enquiries and concerns.
Several options are available as the basis for processing, including driver consent; the performance of a contract; compliance with a legal obligation; to fulfil a task in the public interest or to pursue legitimate interests.
If the telematics data is being used for contractual reasons, such as to record driving time because the driver is paid by the hour, then the collection of the data ought to be covered by the contract of employment.
Similarly, fleet operators can reasonably claim ‘fraud prevention, security and safety’, as a motive to collect and process telematics data.
Humn.ai is registered with the UK Information Commissioner’s Office under reference ZA504331and operates as both a Data Processor and a Data Controller of your personal information. We trade under the brand name Humn.ai Risk Services.. For the purposes of this notice personal data may include:-
- Personal data such as your name, address, date of birth and claims history;
- Special categories of data such as information about offences, criminal or motoring convictions and your medical history; and
- Information obtained from any telematics device and dashcam if fitted including vehicle, journey and driving information.
Generally, we do not have a direct contractual relationship with individual drivers; normally we have a contract with a 3rd party which is typically your employer, the insurer of the vehicle, the owner of your vehicle or the broker placing the vehicle insurance policy with the insurer (the Contracting Entity).
The Contracting Entity will also be a Data Controller under Data Protection legislation
The Contracting Entity are responsible for defining the Purpose for processing your personal information and for ensuring a Lawful Basis for that processing. Humn.ai are responsible for determining what information to collect from the telematics or dashcam device in order to fulfil the stated purpose.
It is very important that you read this Privacy Notice in full so that you understand what information we collect from you and from the Telematics device fitted to your vehicle(s) and how we then process this information.
This Privacy Notice only covers the processing performed by Humn.ai and its sub-processors; it does not cover the processing performed by the Contracting Entity.
It is therefore important that you also read the Privacy Notice provided by the Contracting Entity to obtain a full picture of the processing being undertaken.
Phrases which start with capital letters (such as “Privacy Notice”) are defined in the Definitions section at the end of this notice.
Where you have any concerns about the information collected or how your information may be used, you should discuss in the first instance with the relevant individual within your organisation or service provider, for example where you are leasing a vehicle, the leasing company or financing firm.
How do Humn.ai obtain your personal data?
We may obtain your personal data from a variety of sources including: directly from you, via the “Contracting Entity” when they register you for our service, from your telematics/dashcam device and from other third parties such as Claims Underwriting Exchange, the Motor Insurance Bureau (MIB) and Driver and Vehicle Licensing Agency (DVLA).
What will we use your data for?
We collect your information and use it in different ways depending on your relationship with us and how you have interacted with us. This can include information we share with or receive from other third parties.
We use your information for the following lawful reasons:
To enter into or perform a contract: for example, to arrange and administer your insurance including making any changes, renewing your policy, cancelling your policy answering queries and to action your requests.
This information may also include sensitive (special category) data such as any convictions (criminal and motoring) and your medical history and conditions which we can collect on grounds of substantial public interests to arrange your insurance. If you give us information about another person in doing so you are confirming that you have their permission to do so and that we may use their personal data in the same way as we will use yours.
To comply with a legal obligation: for example the rules set by our regulators the Financial Conduct Authority (FCA), and The Financial Ombudsman Service, to fulfil your data rights under data privacy laws, handle complaints about data privacy or our insurance products and services and to comply with other legal requirements.
For yours and our legitimate interests: for example to detect and prevent fraud, money laundering and other financial crimes, monitor and improve our business and our products and services, demonstrate compliance with applicable laws and regulations, handle legal claims, and responding to other types of complaint not previously mentioned,.
Where we rely on this lawful reason, we assess our business needs to ensure they are proportionate and do not affect your rights. In some instances, you also have the right to object to this kind of use. For more information, visit the “Your data rights” section of this policy.
With your consent: for example by sending you email marketing communications. when you ask us to provide you with information, when you give us your details, where we have obtained your contact details in the course of a sale, when you ask us to contact you for email marketing purposes and have not opted out of marketing messages. You can withdraw your consent at any time, for more information please visit the “Mark eting” section of this policy.
To protect vital interests: in extreme or unusual circumstances, we may need to use your information to protect your life or the lives of others.
What data do we collect from the telematics/dashcam device?
Once the telematics device has been installed and activated, it will record and analyse data relating to the vehicle to which it has been fitted.
Depending on the specific unit fitted and the instructions from the Contracting Entity, the telematics device will collect driver behaviour related information such as:
- Vehicle Data: Registration, VIN, make, model etc.
- Journey Data: GPS location, time and date, direction, speed, acceleration/deceleration rates etc.
Note: This includes Private Journey data which may be available as standard to the Contracting Entity; which may be made available under specific, agreed circumstances; or which may only be made available with the consent of the Data Subject. Please refer to the Contracting Entity to establish which is the correct scenario for your device
- Dashcam Data: images captured by the dashcam device(s)
- Diagnostic Data: vehicle fault codes, battery health status etc.
What data do we collect from your mobile device?
When you access our App (Rideshur) via a mobile device, we will process your device location and settings to enable the map display function within the App, to allow the Bluetooth features to operate and to help optimise performance.
Granting these permissions is necessary for the App to operate correctly. This data is used locally by the App and is NOT transferred from the device.
Use of Telematics and Dashcam data
Humn.ai maintains a database of all telematics and dashcam data and will keep this information in accordance with the retention periods agreed between Humn.ai and the Contracting Entity.
We use this data to provide the Service. We also use this data to maintain and improve the Service and to carry out research and development for new products and services.
Note, that Humn.ai may aggregate and anonymise location and/or driving behaviour for statistical or business purposes. All aggregated and anonymised data is the property of Humn.ai.
Use of Mobile Device Data
When using our App (Rideshur), we process the location of your device for the purposes of enabling the feature to display your current location on a map. Any such data is NOT transferred from the device at any point; the data is not stored by Humn.ai and is never passed to 3rd parties.
Profiling – Driver Behaviour Scores
Humn.ai systems including Rideshur allow Driver Behaviour Scores to be calculated based on recorded telematics data and other publicly available data such as speed limits. The calculation of Driver Behaviour Scores is a form of profiling under Data Protection Legislation.
Driver Behaviour Scores are calculated using a combination of recorded telematics data, speed limit or similar data and System Thresholds that may be defined within our systems by the Contracting Entity. These thresholds typically relate to legal speed limits (speeding events), acceleration rates (harsh acceleration events), deceleration rates (harsh breaking events) or other driving behaviours (such as harsh cornering).
Humn.ai uses the Driver Behaviour Score profiling as key metrics in automated decision making processes to calculate dynamic insurance premium prices on behalf of the Contracting Entity.
Calculated Driver Behaviour Scores are passed directly from Humn.ai to the Contracting Entity for their subsequent processing and use.
Humn.ai do not control the use of Driver Behaviour Score data by the Contracting Entity and you should contact the Contracting Entity directly for further information on their use of this data.
Who we share your data with?
We use your information only as set out in this Policy and will not sell, rent or pass your information on to others for marketing or other purposes without your express consent.
Where applicable, we share your personal information with the following types of third parties when we have a valid reason to do so:
- Insurers, underwriters and other companies for the purpose of arranging and administering your insurance and for handling claims and complaints;
- Certain telematics and dashcam data to the Contracting Entity in order to provide the Services, as agreed in our contract with the Contracting Entity;
- Where you have opted to pay your insurance by instalments with our Premium Finance Partner
- Law enforcement, government bodies, regulatory organisations, courts and public authorities, for example the Financial Conduct Authority (FCA), The Financial Ombudsman Service, The Information Commissioner’s Office (ICO), the Driver and Vehicle Licencing Agency (DVLA) and the Driver Licensing and Vehicle Agency Northern Ireland, Police and HMRC;
- Credit reference, fraud prevention and other agencies that carry out activities on our behalf for example the Motor Insurance Database and the Insurance Fraud Burea;
- Your broker/intermediary where you purchased the policy through them;
- Personal representatives appointed by you to act on your behalf;
- Media agencies and other marketing organisations that we conduct marketing activities through; andA third party where disclosure is required to comply with legal or regulatory requirements. This may include telematics and/or dashcam data.
Humn.ai may also provide aggregate statistics about our customers, sales traffic patterns and related site information to reputable third-party vendors and relevant affiliate partners. These statistics do not include personal information about an individual and cannot be used to identify you or any other driver.
Other third parties
Other third parties including claims handling and assistance service providers may share personal information that you have disclosed to them, with us for the purposes of administering your policy. If you refuse disclosure of data to a third party which prevents the insurer from providing cover, the insurer may be released from any liability for any claim.
For information on how these third parties collect and use your information, please refer to their privacy policies.
Transferring data internationally
Data protection law places restrictions on transferring personal data outside of the United Kingdom (UK) and the European Economic Area (EEA). The EEA consists of the member countries of the European Union (EU), along with Iceland, Liechtenstein, Norway and Switzerland, and who are all considered to have appropriate data protection laws to safeguard your privacy and protect your rights.
We may need to transfer information to our service suppliers in countries outside the UK and the EEA. If we do, we will ensure that your information is properly protected. If the laws of the country where our supplier is based are not considered equivalent to those in the UK or the EEA, we will ensure that the service supplier enters into a formal legal agreement that reflects the standards required.
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
We will only send you marketing information regarding our own products and services and those from trusted third parties.
You have the right to stop the use of your personal data for direct marketing activity through all channels, or selected channels.
If you do choose to stop receiving marketing communications from us, we will ensure that you do not receive such material going forward, unless you change your mind and specifically request it in the future.
Your Rights - Controlling your personal information
Data protection law gives you rights relating to your personal information. This section gives you an overview of these and how they relate to the information you give us.
The UK supervisory authority for data rights, the Information Commissioner’s Office (ICO), has also published detailed information about your rights on their website: www.ico.org.uk.
These rights apply to information held and processed by Humn.ai and not to that held and processed by the Contracting Entity.
Your right to be informed
You have the right to be informed in a clear and precise manner about the data we hold about you. Within this privacy notice we detail the nature of data we hold. The reasons we hold it, how this data is used, who we will share it with, how long we retain it for and the rights you have in relation to your data. If you require any further information, you can contact us using the details in the contact us section.
Your right to access
You have a right to request copies of the personal information we hold on you, along with meaningful information on how it is used and who we share it with. We will provide a copy within 30 days of you making this request.
This right always applies, but there are some instances where we may not be able to provide you with all the information we hold. If this is the case, we will confirm why we are unable to provide it – unless there is a valid legal reason that means we cannot let you know why.
Your right to rectification
If information we hold is inaccurate or incomplete, and this has an impact on the way we are using your data, you have the right to have any inaccuracies corrected and for any incomplete data to be completed.
If you ask us to rectify your information, we will either confirm to you that this has been done, or if there is a valid reason that this cannot be done, we will let you know why.
Your right to erasure (the right to “be forgotten”)
You have the right to request that all of the data we hold on you be erased from our systems. We may only be able to comply with this request in specific circumstances. This request would also apply to any third party whom we had shared your data with, and we would notify them accordingly if your request were valid. We will not be able to erase your data in all circumstance. For example, we would not be able to erase data that is being processed for the purposes of administering a live or lapsed insurance policy unless the policy has been lapsed for seven years or more. This is because we have a legal obligation to retain this data for the defence of legal claims should a third party make a claim against your policy.
If you ask us to erase your information, we will either confirm to you that this has been done, or if we are unable to delete it, let you know why and also inform you how long we will hold it for. For more information, see the “Retention Policy” section of this policy.
Your right to restrict processing
You have the right to restrict our processing of your data under the following circumstances: –
- If you contest the accuracy of the information we hold until such a time that we have been able to verify the accuracy of the data or correct any errors.
- You believe that the processing of tis data in unlawful.
- We no longer need the data for any purpose other than for the defence of any future insurance claims made against your policy.
- You are awaiting a decision following an objection you have raised regarding automated decisions making process.
If you ask us to restrict your information, we will either confirm to you that this has been done, or if we are unable to restrict it, we will inform you why.
Your right to object to direct marketing
You can object to receiving direct marketing from us.
If you do so, we will ensure that you do not receive such material going forward, unless you change your mind and specifically request it in the future. For more information, see the “Marketing” section of this policy.
Your right to object to automated decision-making and profiling
You have the right to request human intervention into any process involving automated decision making where this results in a legal implication to you. This right would not apply to underwriting decisions as this automated decision making is required for entering into the insurance contract.
If you do object then we, will arrange for someone to assess the automated decision and confirm the outcome of this assessment to you.
Your right to object to processing
Your right to object to the use of your information for statistical purposes
You can object to us using your information for statistical purposes in some instances.
If you do so, we will either confirm to you that the processing has stopped, or there is a valid reason for the processing to continue, we will inform you why.
Your right to challenge our legitimate interests
In cases where we are processing your personal data on the basis of our legitimate interest, you can ask us to stop for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal data. You can find more information on when we use this lawful basis in the “What we will use data for?” section of this policy.
If we decide not to action your request we will explain to you the reasons for our refusal.
Your right to data portability
You have the right to request that your information be compiled into a common, machine readable format and either provided directly to you or sent by us to a third-party you nominate.
If you request this, we will either act upon your instruction and confirm to you that we have done so, or if there is a valid reason that this cannot be done, we will tell you why.
Your right to complain
If you have a complaint about how we use your personal information, please contact us by email at firstname.lastname@example.org or by writing to:
The Data Protection Officer
12 Hammersmith Grove
London W6 7AP
If you feel that your data has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.
The Information Commissioner’s Office can be contacted via telephone on 0303 123 1113 or online at www.ico.org.uk/concerns
If you are based outside the UK, you have the right to lodge your complaint with the relevant data protection regulator in your country of residence.
You have the right to request a copy of any information about you that Humn.ai holds at any time, and also to have that information corrected if it is inaccurate.
Checking your identity
To protect the confidentiality of your information, we will ask you to verify your identity before proceeding with any request you make under this Privacy Notice.
If you have authorised a third party to submit a request on your behalf, we will ask them to prove they have your permission to act.
Making and Dealing with Requests
Any requests relating to this Service and the Personal data being processed will be handled jointly between Humn.ai and the Contracting Entity.
Requests relating to how your personal data is being used by the Contracting Entity should be directed to them – details of how to do this will be included in the relevant Privacy Notice provided by the Contracting Entity.
We will only retain data for as long is necessary for the purposes for which it is being processed and in line with our data retention policy. In most cases this will be a maximum of 7 years from the expiry of an insurance contract.
If you would like any further information regarding this privacy notice or you would like to exercise any of your data rights you can contact us by email at email@example.com or in writing to:
The Data Protection Officer
12 Hammersmith Grove