Privacy and Cookies Policy

Data Protection Notice

Last updated August 2022

The protection of your personal data is important to the Pinnacle Pet Group ("Group") and we have adopted strong principles in relation to data protection for our Group.

This Data Protection Notice provides you with transparent and detailed information relating to the protection of your personal data by the following Group companies, acting as Data Controller:

Pinnacle Pet Group Limited

• Pinnacle Insurance plc (trading as helpucover and Everypaw)
• Pinnacle Insurance Management Services plc

("we", "us", "our")

The above companies are part of the Pinnacle Pet Group (all "Group companies"). Registered Address: Pinnacle House, A1 Barnet Way, Borehamwood, Hertfordshire, WD6 2XX

We are responsible, as a Data Controller, through the above legal entities for collecting and processing your personal data, in relation to our activities. The purpose of this Data Protection Notice is to tell you which types of personal data we collect and process about you, the reasons why, who we share your data with and why, how long we keep it, what your rights are and how you can exercise them.

Where necessary, further information may be provided to you when you apply for, purchase, renew or make a claim in relation to a specific insurance product or service.

1. Which personal data do we collect and use?

Depending on the types of data that we require from you in relation to the type of insurance product or service we provide to you and to enable us to provide a high standard of personalised products and improve our services, we may collect any of the following types of personal data about you including, but not limited to, any of the following types:

• identification information (e.g. full name, address, date of birth, gender and photograph);
• contact information (e.g. postal addresses (including country, city and postcode) and email addresses, telephone numbers);
• household information (e.g. marital status, number of occupiers, number of pets, other types of pet products you have purchased);
• financial and tax information (e.g. bank account and payment card details);
• education and employment information (e.g. level of education, type of employment, employer's name);
• data relating to your insurance contract(s) (e.g. policy number, methods of payment, duration, premium amounts, payment history, discounts, claim history and payments, complaint history, professional and expert reports including medical history, third party claimant information);
• data necessary to assess your risk (e.g. your and your insured asset's geographic location, information relating to your pet, loan, card account, vehicle, electronic device, purchases and travel);
• data relating to your lifestyle and the use of your insured assets (e.g. hobbies, interests, sports, occupation);
• data relating to your interactions with us (e.g. our websites, our mobile applications ("apps"), our social media pages and social media apps, connection and tracking data such as cookies, use of portals, IP address, personal meetings, telephone and video calls, interviews, written and digital correspondence, SMS, web chats, replies to surveys and customer service feedback);
• CCTV (e.g. where you visit our premises);
• information about your device (IP address, technical specifications and unique identifying data);
• log-in credentials used to connect to our websites, apps and portals;
• data relating to your participation in competition and promotional activities (e.g. date of participation, your answers, your pictures and the type of prizes);
• data necessary to prevent insurance fraud, money laundering and terrorist financing.

Where necessary and subject to your explicit consent, we may collect the following special categories of data for the reasons stated below:

• biometric data: (e.g. voice recognition);
• health data: data that is required to underwrite your insurance cover or to process your claim.

We do not collect or process any data relating to your racial or ethnic origin, political beliefs, religious or philosophical beliefs, trade union membership, your genetic data or sexual orientation, unless we have a legal obligation to do so.

2. Who is affected by this notice and from whom do we collect personal data?

We collect data directly from you as a potential customer or policyholder, a client party or supplier. We also collect data about other individuals directly and indirectly during our interactions with you who may have no direct relationship with us but who are connected to you or to the insurance product, for example:

• The policyholder and/or other family members where you or another person is a beneficiary of an insurance policy or are required to contact us in relation to the policy;
• Co-insured, co-borrower or co-account holder;
• Third party claimants or defendants in relation to a claim;
• Representatives for you including lawyers, family members, executors, trustees, persons with power of attorney, insolvency practitioners and creditors (in cases of arrears or debt);
• Ultimate beneficial owners and shareholders of legal entities.

Where you provide us with another person's personal data, please direct the individual to our Data Protection Notice. We will also provide them with the Data Protection information directly, where we have their contact details.

We also collect data about you from the previous insurer of your insurance product and/or your chosen brand provider where we become your new insurer for your continuing insurance product and where your chosen brand provider enters into a new client relationship with us.

We may also obtain personal data about you from the following sources for the purposes of verifying or enriching our data:

• official public records (e.g. census data, electoral roll);
• our service providers, commercial partners, co-insurers, corporate insurers and re-insurers;
• your loan, card or mortgage provider;
• your employers;
• third parties such as fraud prevention agencies (including the Police service and other insurance providers) or data brokers (in accordance with data protection legislation);
• websites and social media containing publicly available information;
• data bases and information made public by you or third parties.

3. Why do we use your personal data and what for?

In this section, we describe how and why we use your personal data and draw your attention to some types of data processing activities that we consider could have a greater impact on you and, in certain cases, may require your consent.

a. To comply with our legal and regulatory obligations

We use your personal data to comply with our various legal and regulatory obligations, which include:

• monitoring transactions to identify those which do not meet normal routines or patterns;
• detecting, managing and preventing insurance fraud;
• monitoring and reporting risks (financial, credit, legal, compliance or reputational risks, etc.) that we could incur;
• detecting and preventing money laundering including the financing of terrorism and complying with regulations relating to the imposition of sanctions and embargoes through our Know Your Customer ("KYC") and Know Your Intermediary ("KYI") processes (to identify you, verify your identity, screen your details against sanctions lists and determine your profile);
• detecting and managing suspicious sales and transactions;
• carrying out an assessment of the suitability of the proposed insurance products in compliance with regulatory requirements;
• preventing, where possible, tax fraud, and fulfilment of taxation and tax notification obligations;
• recording transactions for accounting purposes;
• detecting, managing and reporting risks related to our Corporate Social Responsibilities and our Environmental Social Governance development principles, including our Modern Slavery commitments;
• detecting and preventing bribery;
• exchanging and reporting different operations, transactions, quotes or sales, and replying to risk monitoring and reporting;
• responding to official requests from national or foreign financial, tax, administrative, criminal, public, regulatory or judicial authorities, legal representatives (including arbitrators and mediators), law enforcement, state agencies or public bodies.

b. To perform a contract with you or to take steps at your request before entering into a contract

We use your personal data to enter into and perform our contracts as well as to manage our relationship with you, which includes:

• evaluating if we can offer you a product or service, or enter into a contract with you, and under which conditions including price;
• defining and evaluating the details of your insurance risk including the assessment of the applicable price, your premium or renewal premium (including evaluation of your expected claims frequency, claim cost and expected loyalty) and the terms on which we will offer our insurance product or service, including any discount;
• providing you with information and answering your requests for information about your insurance contract; responding to requests to update your personal data when your circumstances change and making consequential changes to your insurance contract;
• handling your claims including collecting information from and sharing your personal data with your pet healthcare providers;
• handling your complaints;
• managing the payment of outstanding debts (including the identification and exclusion of customers with outstanding debts or fraudulent claims);
• to provide you or our corporate clients with products or services.

The above processes may include the making of automated decisions at all stages, for the entering into or the performance of the contract including, but not limited to, generating a quote and the assessment of certain types of claims made in relation to the insurance contract.

c. To fulfil our legitimate interests

We use your personal data in order to offer, develop and promote our insurance products and services, to improve our insurance risk management and to defend our legal rights for the following reasons:

• to prove your purchase and premium payments (including your transaction data and to follow-up rejected payments);
• detection, management and prevention of fraud which may include sharing data with other fraud prevention agencies, other insurance companies and their related parties, and parties who maintain databases of fraudulent claims;
• monitoring transactions to identify those which do not meet normal routines or patterns;
• debt collection;
• to defend or pursue legal claims;
• for IT management purposes, including business continuity and IT security;
• to create and develop individual statistical models and analysis for research and development purposes, allowing us to improve our risk management, create new and alternative products and services, offer more competitive pricing or offer more personalised products and services;
• recording telephone and video calls, on-line chat messages, emails, etc. notwithstanding other contact methods described elsewhere in this notice for the purposes of staff training and monitoring, administering your policy, handling complaints, detecting or preventing fraud and other crimes and to improve the quality of our services;
• to provide customer advisory services relevant to your quote and insurance product (e.g. pet healthcare advice and products, quote reminders, anniversaries and renewals);
• to personalise our product and service offers to you to:

• improve the quality of our products and services (e.g. customer satisfaction surveys);
• advertise products and services that match, or which may be of interest to you, according to your status and profile;
• determine your preferences, demands and needs, in order to provide you with a personalised offer

We achieve this personalisation by:

• segmenting our prospects, clients, potential customers and policyholders;
• analysing your habits and preferences in the use of our various communication channels (e.g. our website, portals and digital online chat assistant ("chatbot"), our social media apps, emails, newsletters and other communication messages, visits to our website, etc);
• combining data about your existing insurance products and services or those for which you have obtained a quote with other data held by us, in particular to speed up your on-boarding process with us;
• matching the products and services that you already hold with us or use with other data that we hold about you (e.g. where we may identify that you have a pet but do not have pet insurance); and
• organising prize competitions and promotional campaigns;

• to ensure our products and services are promoted to other individuals who are likely to be interested in them.

We achieve this by:

• considering commonalities between current clients and policyholders to identify similar individuals with the same characteristics in order to target promotional activities; and
• providing certain personal data you have provided to us (for example, your identification information and contact information) to our advertising partners such as social media providers who will hash that information and, if you have an account with them, use it to identify individuals who are similar to you and who might be interested in our products and services, in order to target those other individuals with advertising;

• Research & Development ("R&D") which includes establishing statistics and models to:

• optimise and automate our operational processes (e.g. creating a "Frequently Asked Questions" ("FAQ") or by using a digital online chat assistant ("chatbot"));
• offer products and services that will best meet your demands and needs;
• adapt products and services distribution, content and pricing in accordance with your profile;
• create new offers;
• prevent potential security failures, improve customer authentication and access rights management;
• improve security management;
• improve risk and compliance management;
• improve the management, prevention and detection of fraud;
• improve measures to counter money laundering and the financing of terrorism.

• IT Security and IT systems performance, including:

• Management of IT, including infrastructure management (e.g. shared platforms and portal access), business continuity and security (e.g. user authentication);
• prevent personal injury and damage to people and property (e.g. video surveillance).

• More generally:

• informing you about our products and services;
• carrying out financial operations such as debt portfolio sales, books of business sales, securitisations, financing or refinancing of our Group companies;
• organising contests and games, prize competitions, lotteries or any other promotional operations;
• performing client satisfaction and opinion surveys;
• improving process efficiency (training of our staff by recording phone calls in our call centres and improving our telephone call scenarios);
• implementing process automation such as application testing, automatic completion of customer information, complaints handling, etc.

In each case, our legitimate interests remain proportionate and, where we are required to do so, we verify these according to a balancing test so that your interests and fundamental rights are preserved. Should you wish to obtain more information about the balancing test, please contact us using the contact details provided in Section 9 below "How to contact us".

The carrying out of the above processes may include the making of automated decisions at any stage.

d. Respecting your choices where we requested your consent

In certain cases, we require your consent to process your data. Please note that you may withdraw your consent to these types of processing at any time. For example:

• where we send you communications for direct marketing purposes (e.g. emails, newsletters, SMS, telephone calls, pop-up messages etc), unless you tell us you want to opt out of receiving any further communications by contacting us using the details set out in Section 9 below or by unsubscribing. If you do not exercise this right, you may continue to receive certain types of communications from us whether you hold an insurance product with us or not;
• for certain interactions on social media platforms and in order to promote and administer competitions or similar marketing activities;
• unless we can rely on another legal ground or where the above purposes lead to the making of an automated decision, which produces legal effects or which significantly affects you. At that point, we will inform you separately about the reasons for the process involved, as well as the significance and the envisaged consequences of such processing;
• where we need to process your health data for the purposes of administering your claim - we will ask you to confirm your consent when completing your claim form.

If we need to carry out further processing for purposes other than those listed above in Section 3, we will inform you and, where necessary, obtain your consent.

4. Who do we share your personal data with?

a. Sharing of information within our Group

(i) We share your personal data within our Group for commercial and efficiency requirements such as:

• our legal and regulatory obligations including:

• sharing data collected for Anti-Money Laundering / Anti-Terrorism financing purposes, sanctions screening, embargoes, asset freezing and for our KYC and KYI procedures;
• risk management including credit, insurance and operational risks;
• management, prevention and detection of fraud;
• R&D activities in particular for compliance, risk, communication and marketing purposes;/li>
• a global overview of our clients;

• within our Group and their staff for the purposes of providing our services to you;
• within our Group to offer the full range of products and services of the Group to enable you to benefit from them, including:

• personalisation of the content and pricing of products and services.

(ii) We share your personal data outside our Group with the following:

• independent agents, intermediaries, introducers, brokers, affiliates and similar entities that promote our products and services (e.g. price comparison websites), including alongside their own products and services;
• co-insurers, re-insurers and our corporate insurers;
• any party that has a legitimate interest in your insurance contract (e.g. your next of kin, a beneficiary or a third party claimant, a person with power of attorney, an executor or trustee, your previous insurer (where your chosen brand provider enters into a new commercial relationship with us) and any representatives for these parties);
• social security agencies when they are involved in insurance claims or where we provide benefits complementary to social security benefits;
• service providers that perform services on our behalf (e.g. IT services, logistics, printing services, data analysis, customer surveys, customer review sites, telecommunication, debt collection, legal, advisory and consulting, and distribution and marketing);
• our advertising, social media and marketing partners and service providers, for example Facebook;
• banking and commercial partners, financial institutions, counterparties, trade repositories with whom we have a relationship if such transmission is required to allow us to provide you with the services and products or execute our contractual obligations or transaction (e.g. banks, correspondent banks, depositaries, custodians, issuers of securities, paying agents, insurance companies, payment system operators, issuers or payment card intermediaries);
• credit reference agencies;
• local or foreign financial, tax, administrative, criminal, banking, commercial partners and brokers;
• financial and judicial authorities, arbitrators and mediators, law enforcement, state agencies or public bodies, where we are required to disclose requested information pursuant to and to the extent permitted by law (e.g. Information Commissioner's Office, Financial Ombudsman Service, Financial Services Compensation Scheme, HM Revenue & Customs, Financial Conduct Authority, the Competition and Markets Authority);
• defending or responding to a matter, action or proceeding;
• complying with regulation or guidance from a regulatory authority applying to us;
• certain regulated professionals such as human and pet healthcare professionals, lawyers, notaries, administrators and trustees, rating agencies and internal and external auditors where required under specific circumstances (e.g. a claim, dispute or litigation, audits, investigations) as well as to an actual or proposed purchaser of the companies or businesses of our Group or our insurers;

and where we:

• defend or respond to a matter, action or proceeding;
• comply with regulation or guidance from a regulatory authority applying to us.

• Other parties with whom we act as a Joint Controller: Awin (promotion of our products and services) and BNP Paribas SA (sanction screening);
• (Where applicable) other insurance companies where your chosen brand provider enters into a new commercial relationship with a new insurer in relation to your continuing insurance product;

b. Sharing aggregated or anonymised information

We share aggregated or anonymized information with partners such as research groups, universities or advertisers, service providers or data analysis providers. The recipients will be unable to identify you from the data sets we provide.

Your data may be included in aggregated or anonymised data and statistics that that may be offered to professional clients to assist them in developing their business. In this case, your personal data will never be disclosed and the recipients of the aggregated or anonymised data and statistics will be unable to identify you from the data sets we provide. These clients and service providers may include:

• national and international debt collecting and credit reference agencies;
• national and international fraud prevention agencies.

5. Transfers of personal data

IIn cases of international data transfers originating from the UK or the European Economic Area (EEA) to a non-EEA country, the transfer of your personal data may take place. Where the Information Commissioner's Office or the European Commission has recognised that non-EEA country as providing an adequate level of data protection, your personal data may be transferred on this basis without your specific authorisation.

In cases of international data transfers originating from the UK to non-EEA countries where the level of protection has not been recognised as adequate by the Information Commissioner's Office or the European Commission, we will either rely on an exemption from a rule or law that is applicable to the specific situation (e.g. if the transfer is necessary to perform our contract with you) or use one of the following safeguards to ensure the protection of your personal data:

• Standard contractual clauses approved by the Information Commissioner's Office; or
• Binding corporate rules (for inter-group transfers), where applicable.

To obtain a copy of these safeguards or details on where they are available, you can send us a written request as set out in Section 7.

6. Retention of your personal data

We retain your personal data for a minimum period from the date of the data collection or the date of our last contact with you so that we can comply with applicable laws and regulations and our operational requirements, such as appropriate account maintenance, facilitating client relationship management, being able to respond to legal claims or regulatory complaints or requests.

If you are a prospective client / prospective policyholder:

We retain your data in digital format for 2 years following the date of the data collection or the date of our last contact with you. As we need to comply with our legal and regulatory obligations and to defend complaints and claims against us, your data is retained for this period so that we can answer your claims or to present evidence in the event of a dispute (e.g. in relation to a decision not to enter into an insurance contract with you).

If you are a client / policyholder:

We retain your data in digital and, only if required, paper format, in the majority of cases for the duration of the contractual relationship and thereafter, for the statutory limitation period for claims and complaints relevant to the contract, unless law or regulation imposes a shorter or longer retention period. Where we retain a digital format of your data for the required retention period, we will destroy any corresponding documents that we collect in paper format, in the majority of cases, within 1 year after the date of collection.

All data subjects:

Bank account details for the payment of direct debits are retained indefinitely. We do not record or retain any payment card details.

We retain indefinitely telephone recordings that we make to improve the quality of delivered services and for the training of our employees.

Information relating to the validation of your identity and provided by you (or your nominated representative) in relation to the exercise of your data subject rights, as set out in Section 7, is retained indefinitely following the date of exercise of that right by you and depending on the type of right exercised by you.

7. What are your rights and how can you exercise them?

In accordance with applicable regulations and where applicable, you have the following rights:

• to access: you can obtain information relating to the processing of your personal data and a copy of the personal data held.
• to rectify: where you consider that your personal data are inaccurate or incomplete, you can request that such personal data is updated.
• to erase: you can require the deletion of your personal data, to the extent permitted by law.
• to restrict: you can request the restriction of the processing of your personal data.
• to object: you can object to the processing of your personal data, on grounds relating to your particular situation. You have the absolute right to object to the processing of your personal data for direct marketing purposes, which includes profiling related to such direct marketing.
• to withdraw your consent: where you have given your consent for the processing of your personal data, you have the right to withdraw your consent at any time.
• to data portability: where legally applicable, you have the right to have the personal data you have provided to us be returned to you or, where technically possible, transferred to a third party.

If you wish to exercise the rights listed above, please contact us using the following address details in Section 9 below.

You may be required to verify your identity in certain cases when you exercise your rights.

In accordance with data protection legislation, in addition to your rights above, you are also entitled to make a complaint to:

The Information Commissioner's Office

Head Office:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: https://ico.org.uk/concerns

Email: casework@ico.org.uk Tel: 0303 123 1113

Wales:

2nd Floor, Churchill House, Churchill Way, Cardiff, CF10 2HH

Email: wales@ico.org.uk Tel: 0330 414 6421

Scotland:

Queen Elizabeth House, Sibbald Walk, Edinburgh, EH8 8FT

Email: scotland@ico.org.uk Tel: 0303 123 1115

Northern Ireland:

3rd Floor, 14 Cromac Place, Belfast, BT7 2JB

Email: ni@ico.org.uk Tel: 0303 123 1114

8. Future changes to this data protection notice

In the context of constant technological evolution, we will update this Data Protection Notice from time to time. Please check the latest version of this Data Protection Notice on our website.

9. Contacting us

To exercise your rights or if you have any questions regarding our use of your personal data please contact us at:

Data Protection Correspondent

Pinnacle House, A1 Barnet Way, Borehamwood, Hertfordshire, WD6 2XX

Email: dataprotection@pinnaclepetgroup.com

So that we can answer your query or request as quickly as possible, please indicate the right(s) you wish to exercise. We will acknowledge receipt of your communication.

We are required to answer all requests within one month but we are permitted to extend this period by one further month depending on the complexity of the request. We will contact you in writing if we are unable to reply to your request within one month.

If you wish to learn more about cookies and security, please read our Cookie Policy below.

Cookie Policy

We are committed to delivering the best possible service to you while maintaining the confidence that you place in us. As part of this, we have adopted strong principles across our Group to ensure the protection of your personal data.

We set out below information about how we place, use and store cookies on your device when you use our website and/or our mobile application (the "Website" and/or "Application") and you select the option to manage and delete cookies.

1. What is a cookie?

Cookies are small text, image or software files that are placed on your device when you access our Website. The word "device", when used in this Cookies Policy, refers notably to computers, smartphones, tablets and all other devices used for accessing the internet.

Cookies may be either: (i) session specific, meaning that they are deleted from your device once the session and browser are closed; or (ii) persistent meaning that they will remain on your device until they are removed.

Cookies perform a number of useful functions, such as to:

• Authenticate and identify you on our Website and/or Application in order to provide you with services that you have requested;
• Enhance the security of the Website and/or Application, including to prevent fraudulent use of login credentials and protect user data from access by unauthorised parties;
• Send you personalised advertising based on your browsing history and your preferences on line;
• Monitor your use of our Website and/or Application in order to improve them;
• Enhance your user experience by adapting and tailoring the content on the Website and/or Application to your interests and providing more relevant ads and content to you on other applications;
• Remember information that you provided to us (e.g. to automatically populate forms with information that you have previously provided to us so that you can log on more quickly);
• Keep track of your preferences and settings in your use of our Website (e.g. time zone).

2. What kind of information can be stored in a cookie?

The information stored by the cookies on your device may relate to the following, subject to its retention period:

• the webpages you have visited on that device;
• the advertisements you have clicked on;
• the type of browser you use;
• your IP address;
• and any other information that you have provided on our Website.

Cookies may contain personal data. Our Data Protection Notice above covers where we use cookies that collect your personal data.

3. What kinds of cookies do we use and for what purpose?

Cookies used on our Websites are classified into different categories:

3.1 Strictly necessary cookies (mandatory)

These cookies are necessary for the Website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

3.2 Functional cookies

These cookies enable the Website to provide enhanced functionality and personalisation. They may be set by us or by third party providers whose services we have added to our pages. If you do not allow these cookies then some or all of these services may not function properly.

3.3 Performance cookies

Performance cookies collect information about how you use our Website. For example, which pages you visit and if you experience any errors. These cookies are essential to us being able to operate and maintain our Website.

3.4 Targeting cookies

These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

4. Who places the cookies on your device?

When you select which types of cookies you allow on your device, the cookies may be deposited directly by us or by one of our partners.

This means that when you authorise the installation of certain so-called "third-party" cookies on your device, our partners will also be able to access the information they contain (such as, for example, your browsing statistics when you allow third-party analysis cookies) within the limits of our Data Protection Notice and those of our partners.

See below for the full list and categories of the cookies that we currently use on our Website:

5. How can you manage cookies?

To see the different categories of cookies that we use on the Site and/or Application and configure your choices, you can consult the cookie management module accessible here. You can modify at any time your preferences, withdraw or re-provide your consent at any time.

Please note that the use of strictly necessary cookies for the proper functioning of the Site does not require your consent. This is why the option "strictly necessary cookies" is pre-checked in our cookie management tool and is not optional.

By refusing certain types of cookies (preference cookies for example), we will not be able to optimize your user experience on our Website and some parts may not function properly.

By default, we save your cookie choices on a device for a maximum of 6 months. If you change your mind about the preferences you have expressed regarding cookies, you can update your choices at any time, by following the below link. We will ask you to repeat your choice every 12 months.