Insuraim
Legal Documents

Privacy Policy

Last Updated: December 2024

This Privacy Policy applies to visitors, trial users, formal client representatives, and potential client contacts accessing Insuraim's official website, related online services, and our SaaS platform. For end-client personal data stored and processed by Brokerages/Advisory Teams within the Insuraim platform, we generally act as a technical service provider (Data Processor) and will make further arrangements in contracts and Data Processing Agreements signed with the institution.

1. Who We Are

Insuraim is owned and operated by Insuraim Platform Operations Company ('the Company', 'we', 'us'). The Company is incorporated in the Hong Kong Special Administrative Region.

We respect personal data privacy and are committed to complying with the Personal Data (Privacy) Ordinance (Cap. 486) ('PDPO') and its six Data Protection Principles ('DPPs').

2. Scope of this Policy

This Privacy Policy explains:

  • What categories of personal data we collect from website visitors or form submitters
  • What data we collect from institutional representatives and contacts for trials or subscriptions
  • What data we collect from institutional users (e.g., brokerage staff, advisors) using the Insuraim platform
  • How we use, store, and protect this personal data
  • Our role and responsibilities when processing end-client data on behalf of institutions
  • Key rights of data subjects under the Ordinance and how to exercise them

If this Policy is inconsistent with the terms of a contract or Data Processing Agreement (DPA) signed for specific services, the contract/DPA shall prevail.

3. Definition of Personal Data

In this Policy, 'Personal Data' means any data relating to a living individual who can be identified, directly or indirectly, from that data.

4. Categories of Data Collected

Depending on your interaction with us, we may collect:

4.1 Website Visitors & General Inquiries

  • Basic Contact Info: Name, Company Name, Job Title, Phone, Email
  • Inquiry Content: Text information voluntarily provided in forms or communications
  • Technical & Usage Data: IP address, browser type, visit time, pages visited, etc. (usually aggregated or anonymized for analysis)

4.2 Trial & Subscriber Users (Institutional Reps / Advisors)

  • Account Data: Name, Company Name/Address, Job Title, Work Email, Username (if applicable)
  • Auth & Security Data: Passwords (stored irreversibly encrypted), MFA info (if enabled)
  • Platform Usage Data: Login times, operation logs, preference settings, etc.

4.3 End-Client Data Entered by Institutions

When your institution uses Insuraim to enter end-client, policy, and related data, it may include:

  • Personal data of end clients and family members (e.g., Name, Contact, DOB)
  • Policy data (e.g., Policy Number, Insurer, Product Type, Sum Assured, Premium, Payment Records)
  • Info related to financial status, family structure, risk tolerance (as entered by the institution)
  • Service records and communication notes

For the above end-client data, generally, your institution is the 'Data User' under the Ordinance, and we act as the 'Data Processor' or similar role per contract; this policy primarily explains how we assist the institution in fulfilling its PDPO responsibilities.

4.4 Cookies & Similar Technologies

We may use Cookies to collect usage data for:

  • Maintaining session login status
  • Remembering preferences (e.g., language)
  • Statistical analysis of site usage

You can restrict Cookies via browser settings, though some functions may be affected.

5. Purposes & Legal Basis of Collection

Per PDPO principles, we collect personal data only for lawful purposes directly related to our functions or activities. Main purposes include:

  • Processing your inquiries, demo bookings, or information requests
  • Assessing needs and providing recommendations, quotes, or draft contracts
  • Establishing and managing user accounts, providing, maintaining, and improving the Insuraim platform
  • Assisting institutions in creating, maintaining, and analyzing client/policy data
  • Providing customer support and troubleshooting
  • Security and anti-abuse purposes (monitoring abnormal logins, investigating fraud)
  • Internal stats and analysis to improve product design (using de-identified/aggregated data where possible)
  • Complying with applicable laws, regulations, or legal requirements
  • Direct marketing (with appropriate consent or compliance with the Ordinance)

6. Use and Disclosure

6.1 Internal Use

We may disclose relevant data to internal employees on a 'need-to-know' basis to fulfill the above purposes. Employees are bound by confidentiality obligations.

6.2 Disclosure to Third-Party Service Providers

We may disclose personal data to the following third parties where necessary and consistent with the above purposes:

  • Cloud infrastructure, hosting, backup, and security providers
  • System development, maintenance, and technical support providers
  • Email/SMS delivery or analysis service providers
  • Auditors, legal counsel, and compliance consultants
  • Potential or actual counterparties in M&A or asset transfer transactions (subject to legal requirements)

We require these third parties via contract to observe appropriate confidentiality and security standards.

6.3 Legal & Regulatory Disclosures

We may disclose data if required by law, court order, regulatory requirement, or law enforcement agency.

6.4 Direct Marketing (If Applicable)

If we intend to use your contact info for sending Insuraim-related updates or promotions:

  • We will inform you of this purpose before use
  • We will obtain your consent or provide an opportunity to opt-out/object as required by law
  • We will provide a simple 'Unsubscribe' mechanism in every marketing message

You may opt out of direct marketing at any time, free of charge, by contacting us per Section 14.

7. Cross-Border Data Transfer

Depending on our cloud provider locations, your data may be transferred outside Hong Kong. We take reasonable steps to ensure data receives protection comparable to Hong Kong standards, including:

  • Selecting reputable providers with security certifications
  • Contractually requiring confidentiality and security measures
  • Limiting transfer scope and access

We continuously assess cross-border arrangements per PDPO and PCPD guidance.

8. Accuracy & Retention

We take reasonable steps to ensure held personal data is accurate and up-to-date.

We retain personal data only as long as necessary for the purpose, deleting or anonymizing it afterwards, unless:

  • Required by law or regulation to retain longer
  • Reasonably necessary for potential claims or disputes

Institutions (Data Users) determine the retention period for client/policy data in Insuraim based on their own policies; we assist in execution.

9. Data Security

We take reasonable technical and organizational measures to protect data from unauthorized access, processing, loss, or use, including:

  • TLS/HTTPS for data in transit
  • Encryption for data at rest where applicable
  • Multi-tenant isolation limiting cross-institution access
  • RBAC and least privilege principle
  • Audit logs for key operations
  • Regular backups and drills
  • Internal security training

No internet transmission is 100% secure. We continuously improve measures and will handle breaches per regulations and contracts.

10. Rights of Data Subjects (Access & Correction)

Under PDPO, data subjects have rights to:

  • Access: Check if we hold your data and request a copy
  • Correction: Request correction of inaccurate data
  • Direct Marketing: Request us to stop using data for direct marketing

To exercise these rights, contact us per Section 14 with:

  • Information to identify you
  • The data category you wish to access/correct
  • Proof of relationship to the data (if applicable)

We respond within a reasonable time and may charge a reasonable fee for access requests (usually free for corrections).

For end-client data entered by institutions, please submit requests through the relevant institution (your broker/advisor) first; we assist them per agreement.

11. Children's Data

Insuraim is B2B oriented and not intended for persons under 18. If we inadvertently collect a minor's data without consent, we will delete it or rectify it with the institution.

12. Relation to PICS

PDPO requires Data Users to state policies (PPS) and provide a Personal Information Collection Statement (PICS) upon collection.

This document is our Privacy Policy (PPS). In specific collection scenarios (e.g., forms), a specific PICS may be shown. If inconsistent, the specific PICS prevails.

13. Updates

We may update this policy. Significant changes will be posted on the website with a 'Last Updated' date; major changes may be notified via email.

Continued use implies agreement to the revised policy.

14. Contact Us

For questions or to exercise access/correction rights, contact our Data Privacy Contact:

Email: [email protected]

Mailing Address: Hong Kong (Attn: Data Privacy Contact)

We may verify your identity before processing requests.

⚠️ Important: This Policy is for general information and does not constitute legal advice. Refer to the formal agreement between Insuraim and your institution.