Privacy notice updated 2 July 2020
In this privacy notice, references to "our", "us" and "we" are to Superscript. Superscript is a trading name of Enro Limited. We're registered in England and Wales under company number 09265254, and our principal place of business is 180 Borough High St, London SE1 1LB, United Kingdom.
We're registered with the Information Commissioner's Office number ZA093999.
If you have any questions about our privacy notice, please email firstname.lastname@example.org or call us on 0333 772 0759.
This privacy notice describes how and why we obtain, store and process information which can identify you directly or indirectly, such as your name, contact details, business information and location information. This privacy notice applies where we're acting as a data controller in respect of your personal data. References to the processing of information include the collection, use, storage and protection of personal data. All personal data collected by us will only be processed in accordance with this privacy notice.
We amend this privacy notice from time to time, so please review it regularly for the most up-to-date version.
How we protect information
We're committed to ensuring that the information we process is secure. In order to prevent unauthorised access, use or disclosure, we've put in place physical, electronic and organisational procedures to protect it. Anyone processing personal data in our team or on our behalf must do so in accordance with this privacy notice and on the basis that we're satisfied that they can and will adhere to our high standards for data protection and security.
Information entered on our website and email data processed by our mail servers is encrypted in transit using HTTPS over Transport Layer Security (TLS). Please note however that transmission of data over the internet is inherently insecure, so we can't guarantee the security of information sent over the internet.
If we provide you with a password to access our website or your account, it is your responsibility to keep it confidential. We won't ask you for your password, other than if and when you need it to log in to your account.
Information we collect, and how we use it
Information we collect about you
Generally, information we may collect from and process about you falls into the following categories:
- Information we collect from you – for example, your name, contact details and information about your business, or claims history. This could be on the website, on the phone or if you write to us. Generally, we refer to this as ‘Account Data’.
- Information automatically collected about you when you visit our site (“Website Data”) – Website Data may include your IP address, browser type and version, location data, source of referral, length of visit, pages you view, search queries you make and general use of our website.
- Information from third party sources – for example, claims history from the insurance database, third party insurers and underwriters, information about your use of services from analytics software, and information about your business online. This is also included as ‘Account Data’.
Why do we use your information?
Your information will be processed for a number of reasons, including:
- to follow up with you by email when you have started a quote,
- to provide our products and services,
- to assess your insurance requirements,
- to provide cover,
- to calculate your insurance premiums and policy conditions,
- to obtain and provide you with quotes for insurance,
- to arrange and manage your insurance policies, including claims, mid-term alterations, renewals and cancellations.
We may also use this information to help us improve and sell our services, and to monitor our compliance with regulatory requirements.
We may create a profile about you to help us provide services and understand your preferences to send you the most relevant information. We make automated decisions using profiling, which may not include human intervention, for example to decide what type of cover and the level, cost and terms of the cover to provide to you.
In addition, we may also use Website Data to engage with website visitors, to market and improve our services (and develop new services) and to provide information by email or otherwise which may result in a subscription to our services.
The law sets out the permitted basis for our processing of your information. We rely on the following bases to process your information:
- Legitimate interests – the processing is necessary for our, your or a third party's legitimate interests unless overridden by your personal data rights. We will do so in the interests of providing services to you, to provide insurance cover, for direct marketing, to prevent and detect fraud, for organisational reasons, to improve services, for network and information security purposes, to ensure we comply with the law and comply with your individual rights, to ensure we suppress any requests you make, to provide personalised messages, to retain evidence of our compliance and to defend Superscript against claims or fraud, for monitoring of performance, to improve use of AI, for web analytics, to host data in the cloud, to carry out limited international transfers (our service providers are across a number of countries), for the purposes of an acquisition or legal restructuring, and to update customer and prospective customer details and preferences.
- Contract – the processing is necessary for a contract (insurance policy or employment) between us, or because we are taking specific steps towards entering into a contract with or on behalf of you
- Consent – for certain activities, where we need your express consent to process your information, we will obtain it prior to using your information
- Legal Obligation – we process personal data where necessary to comply with any legal obligations which we're subject to; to establish or defend any legal claims so as to protect our or your legal rights, or the legal rights of other interested parties; or to obtain or maintain our own insurance cover, obtain professional advice or otherwise manage business risks
Please note that we record phone calls for the purpose of collecting Account Data, and for training and monitoring our team, fraud prevention and security.
We don't store payment card information on our systems so please don't send it to us.
Information we share with third parties
We share Account Data with other businesses in the insurance industry, such as underwriters and other intermediaries and business service providers, including external consultants for the purposes of calculating premiums, assessing claims, arranging and handling your insurance.
We share Account Data with our own insurers and professional advisors where necessary to obtain insurance or professional advice; establish or defend legal claims; comply with any legal obligations; protect your interests as best we can, and otherwise manage business risks.
We may share contact details including email address and name with Trustpilot for the purpose of collecting feedback to improve our services.
Payments to us may be processed by our payment service providers from time to time, which include Stripe (for credit and debit card payments), GoCardless (for direct debits) and Premium Credit (for insurance premium financing) ("PSPs"). We may share information with our PSPs to the extent necessary for the purposes of processing payments and refunds, and sending communications related to those payments and refunds. In the case of Premium Credit, we may also provide them with your personal data when introducing you to them. You should separately review the privacy policies and terms of our PSPs which are separate to this privacy notice and should be available on their respective websites.
We use third parties to enable us to provide our services, and these may store personal data. These third parties are:
- IT services: AWS, Aircall, Heroku
- Client relationship management tools: Hubspot, Trustpilot, Segment, Intercom
- Data analysis: Google
- Payment services: Stripe, GoCardless, Chargebee
- Social Media services: Facebook, Linkedin, Twitter
("Third Party Data Processors").
We enter into agreements with Third Party Data Processors, which state that personal data will not be processed for any purpose other than as stated in our respective privacy policies.
International transfers of data outside the European Economic Area
The data storage facilities of some of our Third Party Data Processors are located in the USA. We enter into standard data protection clauses approved by the European Commission, a copy of which can be found on the Third Party Data Processors' respective websites, to ensure protection of your personal data outside of Europe.
When you submit information onto our website, this is done using the internet, and we can't control the use of such information beyond our reasonable control.
Retention of personal data
Personal data that we process for any purpose won't be kept for longer than is necessary for that purpose. Subject to any overriding legal requirements, we'll store and retain your personal data as follows:
Website Data will be deleted as soon as it is not needed, and kept for no longer than 36 months; and
Account Data will be retained for 7 years from collection (for compliance and contract reasons) or longer if necessary for any relevant competent authority to monitor our compliance with the requirements under the regulations applicable to our business.
Your individual rights
As the data subject you have the right to:
- Request access to your personal information (commonly known as a data subject access request). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
- Right to withdraw consent, where it is relied upon to process your personal data.
You can exercise any rights, including modification or withdrawal of consent to send you marketing communications at any time by sending an email to email@example.com or by post addressed to The Data Protection Officer, Enro Limited, Unit 9705, PO Box 6945, London W1A 6US.
Please note that we reserve the right to charge a reasonable fee to cover the administrative cost of providing the information or refuse to respond if your request is manifestly unfounded or excessive.
You are entitled to complain to the Information Commissioner’s Office at ico.org.uk. We’re keen to make sure any concerns are dealt with, so please contact us at firstname.lastname@example.org if you have any questions or concerns about how your information is used.
Links to third party websites
Our website may contain links to other websites. However, once you've used these links to leave our website, you should note that we don't have any control over that other website. Therefore, we can't be responsible for the protection and privacy of any information you provide whilst visiting third party websites and those other websites aren't governed by this privacy notice.