Menu
Close
Qdos Broker and Underwriting Services Limited (“Qdos”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy (“Policy”) will inform you as to how we look after your personal data when you visit our website or otherwise engage with our products and services (collectively “Services”) and tell you about your privacy rights and how the law protects you.
Qdos is a wholly owned subsidiary of HCC International Insurance Company plc, a member of the Tokio Marine HCC Group of Companies. Please see here for further information on the Group of Companies and here for a better understanding of our Global Privacy Policy.
It is important that you read this Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This Policy supplements the other notices and is not intended to override them.
This version was last updated in April 2024. This Policy may change from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business, so please check it periodically.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
This website may include links to third-party websites, plug-ins and applications for your convenience and interest. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. Where visit any linked websites or social media tools not owned or controlled by Qdos, we encourage you to review their privacy notices/policies.
Our company is Qdos Broker and Underwriting Services Limited. Our registered office is The Grange, Grange Avenue, Rearsby, Leicester, LE7 4FY and our registered number is 06012716.
We are the Controller and responsible for your personal data, whether this is provided to us or we collect it directly from you, and we process it for the purposes described in this Policy.
We have appointed a Data Privacy Manager who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact us using the details set out in the “Contact Us” section below.
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We collect personal data that you provide to us when you sign up for our Services. We may also collect information based on how you interact with our Services and/or other Internet or network activity (e.g., your online browsing history or mobile device information).
More specifically, we may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows (it may vary according to the circumstances):
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy.
We do not generally collect any Special Categories of Data about you nor do we collect any information about criminal convictions and offences. However, should we need to collect such data, you will be informed of the reasons why it is required at the time we request it.
We use different methods to collect personal data from and about you including through:
Direct interactions
You may give us your Identity, Contact and Financial Data and Previous and current claims by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
The personal data you are being asked to provide, and the reasons why you are asked to provide it, will be made clear in this Policy or at the point at which we ask for such information.
PLEASE NOTE: if you call our telephone numbers, your call will be recorded for training, quality and compliance purposes, in accordance with our legal obligations, for our legitimate interest, public interest or on the basis of your consent, where applicable. Automated transcripts of the content of the conversation might be extracted on the same basis.
As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns with your prior consent. In the UK, this information may be considered personal data. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy (https://www.qdoscontractor.com/cookie-policy) for further details.
From time to time, we may receive your personal data from third party sources but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal data to us. These third parties and public sources may include:
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
Generally, we do not rely on consent as a legal basis for processing your personal data. However, if we do you will always be specifically informed of this when your consent is collected. You have the right to withdraw consent at any time by contacting us.
Please refer to the Glossary to find out more about the types of lawful basis that we will rely on to process your personal data.
Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with Services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you have questions about, or need further information concerning, the legal basis on which we collect and use your personal data, using the details set out in in the “Contact Us” section below.
Purpose/Activity | Type of data (it might vary according to the circumstances) |
Lawful basis for processing |
Quotation | ||
To register you as a new customer |
(a) Identity (b) Contact (c) Previous and current claims |
Performance of a contract with you |
Evaluating the risks to be covered and matching to appropriate policy and premium |
(a) Identity (b) Contact (c) Previous and current claims (d) Transaction |
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to determine |
Customer Administration | ||
To process and deliver your order including: (a) Manage payments, fees and charges (b) Collect and recover money owed to us |
(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications |
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts |
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or (b) Asking you to leave a review or take a survey (c) General client care, including communicating |
(a) Identity (b) Contact (c) Profile (d) Marketing and Communications (e) Usage |
(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our |
Claims Processing | ||
Managing insurance claims, which will include defending or prosecuting claims |
(a) Identity (b) Contact (c) Profile (d) Transaction (e) Previous and current claims |
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to assist our |
Renewals | ||
Contacting customers in order to arrange the renewal of the insurance policy |
(a) Identity (b) Contact (c) Profile (d) Transaction (e) Previous and current claims |
(a) Performance of a contract with you |
Consultancy Services | ||
To provide consultancy services, to include providing |
(a) Identity (b) Contact (c) Profile (d) Transaction |
(a) Performance of a contract with you |
Website and marketing activities | ||
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) |
(a) Identity (b) Contact (c) Technical |
(a) Necessary for our legitimate interests (for running (b) Necessary to comply with a legal obligation |
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve you |
(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical |
Necessary for our legitimate interests (to study how customers use our Services, to develop them, to grow our business and to inform our marketing strategy) |
To use data analytics to improve our website, Services, marketing, customer relationships and experiences |
(a) Technical (b) Usage |
Necessary for our legitimate interests (to define types of customers for our Services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
To make suggestions and recommendations to you about Services that may be of interest to you |
(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile |
Necessary for our legitimate interests (to develop our Services and grow our business) |
Legal and Regulatory | ||
Complying with our legal or regulatory obligations |
(a) Identity (b) Contact (c) Financial (d) Transaction (e) Profile (f) Usage (g) Marketing and Communications (h) Telephone Calls Data |
(a) Necessary to comply with a legal obligation (b) Necessary for our legitimate interests (to take (c) Public interest |
In some instances, our use of your personal data may result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.
Automated decision-making is the process of making a decision by automated means without any human involvement on the basis of a computer determination (using software algorithms). For example, in certain instances we may use automated decisions to establish whether we will offer insurance coverage to a prospective insured. We have implemented measures to safeguard the rights and interests of individuals whose personal data is subject to automated decision-making.
We will only use automated decisions-making when it is necessary for the entry into or performance of the contract; or is authorised by law; or is based on your explicit consent.
When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision.
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.
We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which Services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or purchased Services from us and you have not opted out of receiving that marketing.
We will obtain your express opt-in consent before we share your personal data with any company outside our corporate group for marketing purposes.
You can ask us or third parties to stop sending you marketing messages at any time by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time.
Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product /service purchase, warranty registration, product /service experience or other transactions. As your insurance broker we have a duty to act in your best interests. Where you opt out of receiving marketing messages, we will continue to communicate with you via telephone, email and post where we need to:
Where relevant and necessary for the purpose of the processing activity, we may disclose your personal data to other appropriate organisations who have a need to know (so-called ‘third party recipients’), based on our legitimate interest.
With the purpose of helping us understand more about your experience using our Services, we may for example share your personal data with Feefo Holdings Ltd, an independent market research company, who will enable you to provide us with feedback and reviews of our Services.
Feefo shall only be permitted to contact you once in relation to each order you place with us, for the sole purpose of inviting you to submit a review of your experience of our Services. Your details will not be used by Feefo for any other purpose. Further information regarding Feefo can be found at https://www.feefo.com/business /gb_en/about /b2c-customers.
When you are contacting us through the live chat widget, be aware that our third party service provider may have access to your personal data for providing the Service.
Please do not share any kind of any Special Categories of Data about you in the message field.
When we share your personal data externally as described above, it will be subject to strict data processing agreements whereby Qdos remains the Controller and the third party acts as Processor. The access and transfer of your personal data shall be restricted to trusted third party recipients who demonstrate an adequate level of data protection. Moreover, these third-party recipients will be required to delete or return all the personal data to Qdos after the end of the provision of services relating to the processing and delete existing copies, unless the law requires storage of the personal data.
You may object at any time to the processing of your personal data by Qdos or any third-party recipient for this purpose, where such processing is carried out based on our legitimate interests.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Our websites and applications are not directed to children under 16, and we do not knowingly collect any personal data directly from children under 16. If you believe that we are processing personal data pertaining to a child inappropriately, we ask you to contact us using the data provided under the “Contact Us” section below.
We may have to share your personal data with the parties set out below for the purposes set out in the table in the section above.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We do not sell (or transfer) your personal data or information for monetary compensation.
Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country. Specifically, the servers of Qdos’ parent company, HCC Insurance Holdings Inc., are located in the United States. However other TMHCC group companies are registered elsewhere, including in the EEA and operate around the world. This means that when we collect your information we may process it in any of these countries.
Furthermore, cookies and other technologies embedded into this website could determine the transfer of your personal data to third countries. For more information, please refer to our Cookie Policy, which can be found here.
When transferring personal data to other countries we will protect your personal data in accordance with this Policy, or as otherwise disclosed to you.
We have implemented Standard Contractual Clauses for transfers of personal data between our group companies, which require all group companies to protect personal data they process from the UK, EEA, and Switzerland in accordance with UK, EU and Swiss data protection laws (our Standard Contractual Clauses can be provided on request).
We may also transfer personal data to countries for which adequacy decisions have been issued, use contractual protections for the transfer of personal data to third party service providers and partners, such as the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the European Commission’s standard contractual or rely on other data transfer mechanisms relevant to your jurisdiction.
You may contact us as specified in the “Contact Us” section below to obtain a copy of the safeguards we use to transfer personal data outside of your jurisdiction.
Qdos places great importance on the security of all personal data associated with our customers. We have security measures in place designed to protect against the unauthorized access, acquisition, loss, misuse and alteration of personal data under our control, our security policies are periodically reviewed and enhanced as necessary.
While we cannot ensure or guarantee that our physical, technical and administrative security measures can prevent the unauthorized access, acquisition loss, misuse or alteration of your data will ever occur, we will use reasonable and appropriate measures to prevent this. If you have any concerns that your Qdos account or personal data has been put at risk, please contact us.
We will keep your personal data or information on our records for as long as we have an ongoing legislative or legitimate business need to do so. This includes providing you with a Service you have requested from us or to comply with applicable legal, tax or accounting requirements. It also includes keeping your data for so long as there is any possibility that you or we may wish to bring a legal claim under your insurance contract, or where we are required to keep your data for legal or regulatory reasons.
If you wish to receive further information regarding our record retention policy and procedures, please contact us using the data provided under the “Contact Us" section below.
Under certain circumstances, you may have rights or choices listed below under data protection laws in relation to your personal data:
Please refer also to the Glossary to better understand Your Legal Rights.
We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws. If you wish to exercise the rights described above and are entitled to do so, we may ask you to verify your identity. We will not charge to reply to your request, but we may charge a reasonable fee or refuse your request if it is excessive or where additional copies are requested.
We will verify your identity in connection with any of the above requests and take steps to ensure that only you or your authorised representative can exercise your rights with respect to your information. There may be situations where we will be unable to grant or completely fulfil your request. If we are unable to grant your request, we shall provide a written explanation to explain the rationale for our decision and action.
Although the right of access always applies, there are some exemptions, which means you may not always receive all the information we process.
If you have any questions about this Policy or want to exercise your rights in relation to your personal data, you can contact our Data Privacy Manager using the following details:
Email: [email protected]
Postal address: Data Privacy Manager, Qdos Broker & Underwriting Services Limited, The Grange, Grange Avenue, Rearsby, Leicester, LE7 4FY.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
Controller means a natural or legal person which determines the means and purposes of processing of personal data.
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Personal data means any information that relates to an identified or identifiable individual.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
Process/Processing/Processed means any and all actions we take with respect to your personal data, including (without limitation) managing, viewing, holding, storing, deleting, changing, using and saving.
Special Categories of Data means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership.
External Third Parties include:
You have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer (portability) of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine- readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain Services to you. We will advise you if this is the case at the time you withdraw your consent.
Lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance, although you have a right to contact the ICO at any time. The ICO’s contact details are:
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel.: 0303 123 1113 E-Mail: [email protected]
Website: https://ico.org.uk
Ask away! One of our team will get back to you!