Last updated: August 2023
This Privacy and Cookie Policy is designed to assist you with understanding how Trium U.S. Services, Inc., Trium Cyber UK Services, Ltd. and Trium Cyber syndicate 1322 (collectively, “Trium Cyber”, “we”, “us” or “our”) collect, use, share and secure your personal information and non-personal confidential information when we provide our services as an insurance and reinsurance business. By using our services or accessing our website, you signify your acceptance of this Privacy and Cookie Policy and to our processing and use of your information in accordance with this Privacy and Cookie Policy.
This website is not intended for children and we do not knowingly collect data relating to children.
What Information Do We Collect?
We may collect information from you or your representative, including agents and brokers, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with you. We may share this information with Third Party Suppliers for a legal business purpose. The type of personal information we collect depends on the context in which your information is collected. In particular, we may collect some or all of the following categories of personal information:
- Identifiers (PII) such as name, email address, phone, address, financial information / bank account, corporate title, insurance policy information.
- Commercial information, including records of products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.
- Technical information, including internet or other electronic network activity regarding your interaction with our Web site or applications (including IP address).
- Miscellaneous information, including inferences drawn from any of the information identified above.
Special categories of personal data
We may collect or process any types of sensitive data.
Special categories of personal information (sometimes referred to as “sensitive personal information”) include:
- information about your personal characteristics and circumstances of a sensitive nature such as your racial or ethnic origin;
- your membership of a professional association or trade union; and
- your health records (such as your medical history and information, prescription history, death certificate and reports on medical diagnoses, tests and treatment, Medicare / Medicaid eligibility).
Sources of information we collect
We collect information from a variety of sources:
- From you directly;
- From other insurance / reinsurance companies that we work with;
- From third party claims handlers who are involved in a claim or assist us in investigating or processing claims, including external claims data collectors and verifiers, and counsel retained by us;
- From our business partners with whom we work to provide insurance products;
- From public sources, such as public databases (where permitted by law);
- From cover-holders, insurance brokers or other intermediaries; and
- From third party evidence providers.
How we use your personal information and the basis on which we use it
We will only use your personal data when the law allows us to. Most commonly we use the information you provide:
- to provide our services and fulfil our contractual obligations to you and other third parties;
- to review, process and manage claims;
- to conduct data analysis, which helps us assess risks, price our products appropriately and improve our services;
- to operate our business activities;
- to perform administrative activities in connection with our services; and
- to audit our business.
Please note that where it is necessary for us to process your personal data for the performance of a contract, or to take steps prior to entering into a contract, your failure to provide data when reasonably requested of you could prevent us from being able to enter into a contract with you, or from being able subsequently to perform our obligations under an existing contract that is in place.
We must have a legal basis to process your personal information. In most cases the legal basis will be one of the following:
a) to complete necessary contractual checks to ensure that we can assess your suitability for our insurance products;
b) to fulfil our contractual obligations to you, and to ensure that invoices are paid correctly. Failure to provide this information may prevent or delay the fulfilment of these contractual obligations;
c) to comply with our obligations, such as due diligence and reporting obligations, and responding to binding requests from regulators, law enforcement authorities or other government authorities; or
d) to meet our legitimate interests, for example to improve our services, to ensure we price our products appropriately, to manage risk, to manage our business efficiently, to perform audits, and to maintain accurate records. When we process personal information to meet our legitimate interests, we always balance these against your fundamental rights and freedoms and put in place robust safeguards to ensure that your privacy is protected.
We may obtain your explicit consent to collect and use certain types of personal information when we are required to do so by law (for example, in relation to our direct marketing activities, cookies and tracking technologies). If we ask for your consent to process your personal information, you may withdraw your consent at any time by contacting us using the details at the end of this Privacy and Cookie Policy.
How and where we will store or transfer your personal information
Trium Cyber will never sell your personal information.
We may disclose your personal information to third parties in the following circumstances:
- where you expressly provide us with your explicit consent to do so;
- to professional service providers, such as lawyers, for the purpose of receiving advice;
- where we are required to disclose such information because of contractual, legal or regulatory requirements; and
- to third parties we engage to provide services and business functions.
If we share any of your personal information with a third party, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s legal obligations.
Trium Cyber is headquartered in the United States with service providers that operate in the United States and other countries. We may transfer your personal information to the United States and other countries which may not have the same data protection laws as your home country or territory, and where such laws will apply to your personal information while it is located there, but we will protect your personal information in accordance with applicable law in the country in which you reside and this Privacy and Cookie Policy, or as otherwise disclosed to you. The law of the United States or other countries to which we may transfer your data may require disclosure of your personal information to authorities in the United States or other country or territory. If you would like further details about how your personal information would be protected if transferred outside of the country where you reside, please contact Trium Cyber as indicated below.
Information Security and Storage
We have implemented technical and operational security measures to ensure a level of security appropriate to the risk to the personal information we process. These measures are aimed at ensuring the on-going integrity and confidentiality of personal information. We evaluate these measures on a regular basis to ensure the security of the processing.
We retain your personal information for as long as we have a relationship with you, and for a period thereafter, in line with internal policies.
To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.
If you would like further details about how long we retain your personal information, please contact Trium Cyber as indicated below.
Protection of Personal Information
Trium Cyber does not collect any data through our website. Trium Cyber does not use cookies. You agree to not hold Trium Cyber liable for any loss or damage of any sort incurred as a result of use of information provided through our website.
Your Rights Under Data Privacy Regulations
Trium Cyber adheres to all relevant Data Privacy regulations in the jurisdictions in which we operate. In accordance with applicable law relevant to your location, you may have certain rights over your personal information, including, under certain circumstances:
- a right to access the personal information we hold about you;
- to seek rectification or erasure of such personal information;
- to restrict or object to our processing of such personal information;
- to withdraw consent from our processing of your personal information;
- to opt out of the sale or transfer of your data;
- a right to request transfer of your data;
- a right against automated decision making; or
- to lodge a complaint with an applicable supervisory authority (e.g. ICO in the UK).
If you wish to exercise any applicable rights, or have any other inquiries or complaints in relation to data collected, please refer to the “Contact Us” section below. We aim to respond to requests, or provide a reason for delay or decline where legally permitted, within one month of receipt. Unless unreasonable, unduly burdensome or otherwise legally allowed, requests will generally be handled free of charge.
Automated decisions & Artificial Intelligence
We do not make any decisions about you using automated means (without human review) or artificial intelligence. If this position changes, we will update our Privacy and Cookie Policy, and ensure that any use complies with applicable laws and regulations.
Website Use Information & Cookies
We do not use cookies on our site to track website usage.
Hyperlinks and Third-Party Sites
This website may contain links to other third-party websites that may collect personal information about you, including through cookies or other technologies. If you follow a link from this website to another website, you will leave this website and this Privacy and Cookie Policy will not apply to your use of and activity on those other websites.
Changes to our Privacy and Cookie Policy
Any revisions to this Privacy and Cookie Policy will be posted on the home page of our website. It is your obligation to periodically visit our website to review any changes that may be made to this Privacy and Cookie Policy.
Contact Us
If you have any questions about this Privacy and Cookie Policy, please contact us at dpo@triumcyber.com.
EU / EEA Residents
Transferring Your Data Outside Of The EU
The personal data that we collect about you may be transferred to, and stored at, one or more countries outside the EEA or outside the jurisdiction in which you reside. It may also be processed by staff operating outside the EEA (or outside the jurisdiction in which you reside) who work for Trium Cyber or for our Third Party Suppliers. In such cases, Trium Cyber will take appropriate steps to ensure an adequate level of data protection in the country of the recipient as required under the GDPR (or as required under local laws in your jurisdiction) and as described in this Notice.
If Trium Cyber cannot ensure such an adequate level of data protection, your personal data will only be transferred outside the EEA (or outside the jurisdiction in which you reside) if you have given your prior consent to such transfer and any local law requirements for the transfer have been satisfied. Your personal data is currently processed in Trium Cyber’s operating jurisdictions (including the UK and US) and India.
UK Residents
Transferring your data outside of the UK
The personal data that we collect about you may be transferred to, or stored at, one or more of Trium Cyber’s locations outside of the UK.
Transfers of your personal data to the EEA
Following the UK’s departure from the EU, the EU authorities have made an adequacy decision in respect of the UK. This means that the UK is deemed to provide an essentially equivalent level of protection for personal data to that which exists within the EU. In turn, the UK Government has made an adequacy decision in respect of the EU. On that basis, data can flow freely between the two areas.
Please note that the UK’s adequacy status has been limited to a period of 4 years from 1 January 2021.
Transfers of your personal data to jurisdictions outside of the UK and EEA
We may transfer your personal data outside the UK to the United States. There is no adequacy decision in respect of the United States. This means that the United States is not deemed to provide an adequate level of protection for your personal information.
However, to ensure that your personal information does receive an adequate level of protection if we transfer it to third parties, we have put in place the following appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects UK law on data protection:
- specific contractual protections approved for use by the UK Information Commissioner’s Office to ensure that your data is adequately protected.
Any other transfers outside the UK or EEA will be made subject to safeguards similar to those above.
UK / EU / EEA Data Subject Requests
If you wish to invoke any of your rights under relevant Privacy regulations or to make a general enquiry regarding Trium Cyber’s approach to securing your data, please refer to the “Contact Us” section above.
Please note that only you or someone that you authorize to act on your behalf may submit these requests.
In response to such a request, we may ask you to verify your identity or to provide additional information that helps us to understand your request better. Once we have the necessary information from you regarding proof of identity, or in the case of an agent, proof of authorization, and your request is valid, we will respond to you as soon as possible but no later than within 30 days unless the number and complexity of the requests may be deemed excessively high, in which case we may extend this time by a maximum of a further two months. We will inform you if we need to make use of this additional time and why we need to do so as soon as is practicably possible.
Legal basis for processing your personal information:
More information on the most common legal bases that we may rely on is set out in the table below.
Purpose | Type of Data | Legal Basis for Processing |
---|---|---|
To administer our website and for internal operations (including troubleshooting, data analysis, system maintenance, support and testing) | Technical information, PII | Processing is necessary for the purposes of our legitimate interests (provision of administration and IT services, network security) |
To operate our business activities | PII, Commercial information, Technical information, Miscellaneous information | Processing is necessary: (a) For performance of a contract with you; (b) To comply with a legal obligation; (c) For our legitimate interests (for running our business) |
To make suggestions and recommendations about our products and services that may be of interest to you | PII, Commercial information, Technical information, Miscellaneous information | Processing is necessary for the purposes of our legitimate interests (for growing our business) |
To manage our relationship with you. This may include: | PII, Commercial information, Technical information, Miscellaneous information | Processing is necessary: (a) For performance of a contract with you; (b) To comply with a legal obligation; (c) For our legitimate interests (to keep our records updated and consider how our customers use our products/ services) |
To provide our services and fulfil our contractual obligations to you and other third parties | PII, Commercial information, Miscellaneous information | Processing is necessary: (a) For performance of a contract with you; (b) For our legitimate interests; (c) To comply with a legal obligation. For special category personal data, processing is necessary for (a) for reasons of substantial public interest, on the basis of applicable law (b) the establishment, exercise or defence of legal claims or (c) is with your explicit consent |
To review, process and manage claims. | PII, Commercial information, Miscellaneous information | Processing is necessary for (a) Performance of a contract with you; (b) Necessary for our legitimate interests; (c) Necessary to comply with a legal obligation. For special category personal data, processing is necessary for (a) for reasons of substantial public interest, on the basis of applicable law (b) the establishment, exercise or defence of legal claims or (c) is with your explicit consent |
To conduct data analysis, which helps us assess risks, price our products appropriately and improve our services | PII, Commercial information, Miscellaneous information | Processing is necessary for the purposes of our legitimate interests (for developing our products and services) |
Special Note On Consent For Policyholders, Beneficiaries And Claimants
Under the UK GDPR, we do not need your explicit consent if we use your PII (including Special Category Data) to carry out insurance processing activities or to meet our legal obligations in the field of insurance law. In very limited circumstances, and where applicable, we may approach you for your written consent to allow us to process Special Category Data. Please see the references above to our reliance on your explicit consent for processing for further details.
Australian Residents
We will only collect your personal information if it is reasonably necessary for, or directly related to, one of our functions or activities. We will seek your consent before collecting any sensitive information about you. We may use or disclose the personal information we collect about you for one or more of the purposes described in this Notice, or for any related purpose if we believe you would reasonably expect us to use or disclose your personal information for that purpose. We may also use and disclose your personal information with your consent, or where we are otherwise required or permitted by Australian law to do so.
For any queries regarding our services in Australia please refer to the “Contact Us” section.
Canada Residents
PIPEDA does not apply to business contact information (https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_brief/#_h2)