Last updated: 13 November 2020
During our interactions, you share personal data with us.
This notice tells you what to expect when we collect and use your data. You should read it with our Terms. We may need to update this notice occasionally, but we will inform you when we do.
If you have any questions, please contact us at [email protected].
1. What personal data we collect
We collect data that helps us provide our services and communicate with you.
- Your name, registration number and contact details.
- Your representatives’ name and contact details.
- Your users’ login credentials (users are those people or entities who you give access to the Root Insurance Platform).
- Your end users’ login credentials (end users are people who use your applications and add-ons on the Root Insurance Platform).
- The personal data of your policyholders.
2. How we use your data
Here we explain how we use personal data. We are also required to tell you on what grounds we are allowed to use your data – this is called a ‘legal basis for processing’.
|How we use personal data||Our legal basis for processing|
We process this data to meet our contractual obligations with you.
When you ask us to send you updates and news about our services. You can unsubscribe at any time by following the unsubscribe link at the bottom of the email, or by contacting us.
We process this personal data with your consent.
When we process payments, we have to process certain data to comply with tax and accounting regulations.
We process this data as a legal requirement.
3. To deliver our services to you, we share data with others we trust
We only use service providers we trust, and who have agreed to keep your data secure and confidential and to only use it for the purpose for which we shared it with them.
Some of our service providers may be located in other countries. We provide for appropriate safeguards through contracts between our foreign and local service providers and us.
We use service providers to help us:
- Communicate with you.
- Communicate with your policyholders on your instruction.
- Process payments.
- Securely host your data.
- Deploy and manage applications.
Sometimes we need to disclose your data to a third party, including:
- If we believe that disclosure is reasonably necessary to comply with the law, legal process, or a government request.
- To enforce our contracts and policies.
- To protect ourselves, clients, and the public from illegal activity.
- To respond to an emergency which we believe in good faith requires that we disclose personal data.
If there is a change in our company structure or ownership, we may share your data as part of the assets transferred or the due diligence for the transaction.
4. We have taken reasonable steps to minimise the impact of a breach
We emphasise privacy and security throughout all system design processes and implement security measures based on the sensitivity of the data we hold. These measures are in place to protect the data from being disclosed, from loss, misuse, and unauthorised access, and from being altered or destroyed.
We proactively monitor our systems for bugs, possible vulnerabilities and attacks. Our team is on call 24/7 to address and report incidents. Still, no system is perfect, and we cannot guarantee that we will never experience a breach of any of our physical, technical, or managerial safeguards. If something should happen, we have taken steps to minimise the threat to your privacy. We will let you know of any incidents that affect your personal data, and we will inform you how you can help minimise the impact.
You also have a role to play in keeping your and your clients’ data secure. For example, you should never share your login credentials with anyone. If you suspect that we (or you) have had a security breach, please let us know immediately by sending an email to [email protected].
5. We delete your data on the root insurance platform after 60 days
If you or we terminate our services agreement, we will delete all data of your policyholders, users and end users from the Root Insurance Platform and our servers. We will notify you in advance, and we will assist you to extract the data before the 60 days expire.
We retain your other data for business reasons and to comply with legal obligations. We will not keep it for longer than is necessary.
6. You have the right to know what data we have, and what we do with that data
You have these rights in terms of the EU GDPR and the Protection of Personal Information Act in South Africa:
- The right to be informed about the collection and use of your personal data.
- The right to access your personal data. You may make such a request from us by contacting [email protected]. We may take one month to respond to your request and may charge a fee in some circumstances. We will let you know if this is the case.
- You have a right to have inaccurate personal data corrected or completed if it is incomplete. You may make such a request from us by contacting [email protected]. We may take one month to respond to your request and may refuse in certain circumstances.
- You have the right to have your personal data erased, also known as the ‘right to be forgotten’. You may make such a request from us by contacting [email protected]. We may take one month to respond to your request and may refuse in certain circumstances.
- You have the right to request that we restrict or suppress your personal data. You may make such a request from us by contacting [email protected]. We may take one month to respond to your request and may refuse in certain circumstances.
- You have the right to reuse your personal data for your own purposes across different services, also known as the right to data portability.
- You have the right to object to us processing your personal data in certain circumstances. You may make your objection by contacting [email protected]. We may take one month to respond to your request. There are legitimate reasons why we may refuse your objection, which depend on why we are processing it.
- If you are in the European Union, you have the right to complain to a supervisory authority in the Member State where you live or work, or where the infringement took place. If you are in South Africa, you have the right to complain to the Information Regulator.
- You have the right to object to automated decision-making and profiling.
- You may ask that a human review any automated decisions that we make about you, express your point of view about it, and obtain an explanation of the decision. You may challenge any automated decision made about you by contacting [email protected]. We may take one month to respond to your request.