Effective Date: [20/09/2022]
Insurely [with the registered name of “The Great Collective AB”, org. no. 559103-5646, a
company registered in Sweden at the registered address Sveavägen 9, 111 57, Stockholm,
Sweden] (“Insurely”, “we”, or “us”), cares about your privacy and wants you to be familiar
explains how we process your personal data when you wish to help us test our
infrastructure for insurtech products and services and how you can exercise your data
protection rights. This Policy, therefore, applies to testers or prospective testers of our
products and services (collectively called “Services”). Please note that the processing of
your personal data taking place in relation to the provision of our regular Services is subject
Insurely is the controller of your personal data, and we are responsible for and committed
to processing your personal data in accordance with applicable data protection laws.
We, therefore, encourage you to read this Policy in full to ensure that you fully understand
how we will process your personal data.
2. What personal data we process and how we collect it
In order to become a tester or to fulfil your contractual obligations as a tester we collect
and further process information about you that constitutes personal data, i.e., information
that alone or in combination with other information identifies you or can reasonably lead to your identification. The personal data categories that we will process are:
- Contact data, which includes your first and last name, your personal email address,
and your phone number.
- Authentication data, which includes personal data depending on the
authentication method implemented in your country. For countries where logging
in is supported by an electronic identification system (such as BankID for Sweden,
MitID for Denmark, or any other electronic identification system applicable in your
country), we will process your personal identity number. If a password-based
authentication method is implemented, we will process your login credentials
(email and password), while if a multi-factor authentication method is
implemented, we will process your login credentials and your phone number.
- Insurance data, which includes any information relating to your insurance, such as
the insurance name, insurance company, insurance number, insurance premium,
start and end date of insurance policy, insurance amount payment method, or any
information about the insured item or persons. Note that the latter will vary
depending on the type of your insurance, e.g., home, pet or car insurance. As such,
this category may include special categories of personal data, data of a sensitive
nature, or data that concern a member of your household. You can read more
about this processing in Section 4 of this Policy.
- Financial data, which includes information about the invoice such as the amount of compensation, VAT ID, Tax ID, invoice ID, invoice date, task name, task duration, and bank account details such as bank name, country of the bank, IBAN, SWIFT/BIC.
- Communication data, which includes the content of our communication, such as
emails that we may exchange or by use of another appointed communication
We will collect the abovementioned personal data directly from you and not from any
other third party.
3. How, why, and on what basis we process your personal data
The GDPR requires that we establish that a legal ground (or otherwise called “legal basis”)
exists, allowing us to use your personal data. In this section, we explain the different
purposes for which we will process your personal data, how we will process it, our legal
basis, and how long we will store it.
3.1 When you express interest in becoming a tester
We will process personal data about you when you express your interest to become a
tester, by submitting the interest form on our website. For this purpose, we will process the
following personal data:
- Contact data
- Certain Insurance data such as the name of your insurance company and the type
of your insurance
In case your application is successful, we will contact you to schedule a call and discuss your
application further. We will process your personal data described above on the basis that it
is necessary to enter into an agreement with us. In case your application does not go
through, we will delete your personal data 6 months after the submission of your
3.2 Once you become a tester
Once your application moves forward and you become a tester by signing the tester agreement, we will process your personal data to test the quality of our Services, in accordance with the tester agreement. We will access your insurance accounts by you authenticating yourself according to the authentication method used in your country. For example, in Sweden and Denmark, you can authenticate yourself by an electronic identification system (BankID and MitID respectively), while in other countries you can authenticate through a password-based or multi-factor authentication method.
We will process the following personal data:
- Contact data
- Authentication data
- Insurance data
We will process your personal data described above on the basis that it is necessary to fulfil the tester agreement. According to our tester agreement, you will be giving us access to your insurance account for one year upon signing the tester agreement. After every access to your Insurance data, we will store it, together with your Contact and Authentication data, for 30 days and then delete it or anonymise it. We will, however, store your Contact data to fulfil other purposes as described in section 3. Please note that we will only access your
insurance account for the times that you have given us access by authenticating yourself.
Our processing activities, in relation to your Insurance data, will be limited to accessing,
storing and anonymising it. Note that we will not alter or in any way modify your Insurance
By accessing your insurance account, we will also access certain Contact and Insurance data
of other individuals that are covered by your insurance policy. As the tester agreement is
not between us and the other person(s) that are covered by your insurance policy, we will
process the co-insureds’ Insurance data based on our legitimate interest to get an overview
of your insurance policy and store it in the same way as your Insurance data (30 days after
each access to your insurance account).
3.3 To compensate you
In accordance with the tester agreement, we will compensate you for testing our Services. To do that, we will process the following personal data:
- Contact data
- Financial data
We will process your personal data described above on the basis that it is necessary to fulfil the tester agreement. We will store financial data for as long as required by applicable tax or accounting requirements and therefore for this processing, our legal basis is to comply with our legal obligations. As this period may change from time to time through an amendment of applicable law, for more information about the retention of your personal data for this purpose, contact us at firstname.lastname@example.org.
3.4 To provide you with support and manage our communication
For as long as you are a tester, we will need to contact you from time to time to provide
you with the access link or to ask you about your experience with testing our Services, as
per our tester agreement. It may also be the case that you will need to contact us to report
any issues that you may have experienced. To do that we will process the following
- Contact data
- Communication data
We will process your personal data described above on the basis that it is necessary to fulfil the tester agreement. We will store the personal data for as long as you are a tester in accordance with the tester agreement (1 year upon signing or as otherwise stated in the tester agreement).
3.5 To establish, exercise, or defend against legal claims
In certain cases, we may need to store the personal data to establish, exercise or defend ourselves against legal claims and we will need to store your personal data to deal with litigation or regulatory matters. The legal basis for this processing is our legitimate interest to establish, exercise or defend against legal claims. The categories of personal data that we will process, and the retention time, may vary depending on the specific case at hand. In any case, contact us at email@example.com for more information.
4. Sensitive data
When you become a tester, we will access all relevant data relating to your insurance, which may also include personal data classified as special categories of personal data according to the GDPR or otherwise called “sensitive data”. In order to process such data, we request your explicit consent according to Article 9.1 (a) of the GDPR. You can withdraw your consent at any given time. If you withdraw your consent, we no longer have a legal basis to process the data and will then delete your data without delay.
5. How long we store your personal data
We retain the personal data we collect from you where we have an ongoing legitimate business need to do so (for example, to provide you with a Service you have requested or to comply with applicable legal, tax, or accounting requirements or to exercise or defend legal claims). See section 3 for information on the particular retention periods we apply for the specific purposes described above.
When we have no ongoing legitimate business need or legal reason to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.
6. Recipients of personal data, and transfer of personal data
We will disclose your personal data to the following recipients:
(i) Courts and similar judicial entities and/or authorities, if required to do so by
(ii) Service providers upon which we rely for our core operational activities.
We normally store and process your personal data within the EU/EEA. However, upon change of our current service providers, your personal data may be transferred to, and processed in, countries outside the EU/EEA. If we transfer data outside the EU/EEA, we will ensure adequate safeguards are in place to ensure that your personal data is protected in accordance with this Policy through one of the following measures:
(a) The country of destination is on the European Commission’s list of countries with an adequate level of protection; or
(b) The transfer is made by otherwise ensuring an adequate level of protection through standard contractual clauses.
If a standard contract is deemed ineffective due to national law, Insurely will take additional measures to ensure an adequate level of protection when transferring personal data to countries covered by paragraph (b) above.
You can find out more information about the transfers of your personal data and the
safeguards we implement by contacting us at firstname.lastname@example.org.
7. Your rights
You have the right to have inaccurate personal data rectified and, depending on the purpose of the processing, have incomplete personal data completed. You may contact Insurely at any time to request correction or completion.
7.1 Right to access
You have the right to access and receive a copy of your personal data that we process, as
well as other supplementary information.
7.2 Right to rectification
You have the right to have inaccurate personal data rectified and, depending on the
purpose of the processing, have incomplete personal data completed.
7.3 Right to erasure
In certain cases, you have the right to request the erasure of your personal data, such as in
cases where the personal data is no longer needed for the purpose for which it was
collected, or if we no longer have a legal basis to continue processing it.
7.4 Right to restriction of processing
In certain cases, such as when you have contested the accuracy of your personal data, you
have the right to request that we restrict the processing of your personal data. In such a
case, we will only store your personal data or further process it if permitted to do so by law.
7.5 Right to data portability
You have the right to data portability, which means that in certain cases you can receive the
personal data you have shared with us in a structured, commonly used and machine-readable
format and that you have the right to request that we transfer these data to other
data controllers where this is technically possible.
7.6 Right to object
You have the right to object to the processing of personal data based on our legitimate
7.7 Right to withdraw consent
In case we process your personal data based on your consent, then you have the right to withdraw such consent at any given time. Note that withdrawal of your consent will not affect the lawfulness of the processing we carried out prior to such withdrawal.
7.8 Post-mortem right to privacy (applicable if you live in France)
During your lifetime, you may choose to designate someone to carry out your specific or
general instructions on how to retain, delete or disclose your personal data after your
death. If the instructions relate only to the personal data we process, you may choose to
contact us directly at email@example.com.
8. Notice of policy changes
9. Contact information for complaints
If you have any comments or complaints regarding Insurely’s processing of your personal data, please contact firstname.lastname@example.org.
You have the right to contact and lodge a complaint with your national Data Protection Authority. You can find the contact details of your supervisory authority here.
You also have the right to contact and lodge a complaint with the Swedish Authority for Data Protection Authority (“IMY”), which is the lead supervisory authority for the processing of personal data, since Insurely has its main establishment in Sweden. IMY can be reached at:
Box 8114, 104 20 Stockholm, Sweden
Phone number: +46 (0) 8-657 61 00
IMY’s website: www.imy.se
Note that certain data protection authorities may require that you exhaust our own internal
complaints process before looking into your complaint.