Privacy

Privacy Notice

This Privacy Notice is issued on behalf of the Mosaic Insurance group of companies. When there is mention of “Mosaic,” “we,” “us,” or “our” in this notice, we are referring to the relevant company within the Mosaic group responsible for processing the information.
 
Mosaic believes strongly in protecting the confidentiality and privacy of information that you provide to us that relates to an identifiable individual (“personal information” or “personal data”) and which we collect, use, share, disclose, and retain. This notice is intended to inform you about your choices regarding the use, access, and correction of your personal information. We are committed to ensuring any personal data we receive is protected and handled in accordance with applicable data-protection laws.
 
Insurance involves the use and disclosure of your personal data by various insurance market participants such as intermediaries, brokers, insurers, and reinsurers. There could be instances, such as when you request information, when we may obtain personally identifiable information from you or about you. Such personal data may include your name, mailing address, email, telephone number, or business contact, etc. This information will not be collected without your knowledge.
 
Please read the following carefully to understand how we will treat your personal information.

Collecting your data

We collect and use relevant information to provide the insurance coverage that benefits you and to meet our legal obligations.
 
We may collect a range of personal and business information supplied by you or third parties on your behalf.
 
Specifically, we may collect the following personal information throughout the duration of your relationship with us:

  • Basic personal details such as your name, address, date of birth or age, gender, marital status, and additional information about your insurance requirements
  • Business contact details (such as email and telephone details) related to correspondents, brokers and/or other relevant connections to insurance business
  • Personal information related to your insurance requirements and details of any specific claims

We may also collect special-category data, such as race, ethnic origin, political opinions, religion, trade-union membership, genetics, biometrics, health, sex life or sexual orientation when needed to provide insurance or process claims. This information will only be used for the specific purpose for which it was provided and to carry out the agreed service. In certain instances, we may also need to collect and process special-category data relating to individuals who may benefit from the policy.
 
Where necessary, we will obtain your consent to use special-category data and may do this via an intermediary or broker.
 
We may collect, use, or disclose to third parties special categories of personal information about other individuals, such as employees, family, or members of your household. Before providing us with personal information about other individuals, you agree: (a) to notify the individual about the content of this Privacy Notice; (b) to inform the individual how and why their information will be used; and (c) if requested by us, to obtain their permission to share their personal information with us by requiring the individual to sign a consent form.

Collection of Information from Children

Our services are not directed to nor intended for children under the age of 13 and we do not knowingly collect personal information from children under the age of 13.

Other Considerations 

When you use Mosaic products, services, and applications, or post information on a Mosaic channel or use social networking services such as Facebook, LinkedIn, X, Instagram, etc., the personal information and content you share are visible to other users and can be read, collected, or used by them.

Using Your Information

We will only use your personal data when the law allows us to do so. Generally, we will use your personal data in the following circumstances:

  • Assessing your application for a product, service or quote
  • Providing and administering relevant insurance policies
    • Client care, including communicating with you
    • Payments to and from individuals
  • Verifying your identity and carrying out sanctions/anti-fraud/financial crime checks
  • Handling claims
    • Managing insurance and reinsurance claims
    • Defending or prosecuting legal claims
    • Investigating or prosecuting fraud
  • Dealing with complaints
  • General risk modelling
  • Renewals
    • Contacting the policyholder to renew your policy
    • Evaluating the risk to be covered and matching to appropriate policy/premium
    • Payment of premium
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
  • Where we need to comply with legal or regulatory obligations
  • Transferring books of business, company sales and reorganisations

Retention of Your Information

Retention periods for personal information vary. We retain personal data only for as long as it is necessary and for the purpose for which it was originally collected. We consider the following obligations when setting retention periods for personal information and the records we maintain: the need to retain information to accomplish the business purposes or contractual obligations for which it was collected; our duties to effectuate our clients’ instructions with respect to personal information we process on their behalf; our duties to comply with mandatory legal and regulatory record-keeping requirements; and to fulfil statutory and regulatory requirements, and other legal impacts such as applicable statute of limitations periods. We may also retain personal information for other purposes delineated in applicable privacy laws.
 
We will securely delete or erase your personal information if there is no valid business reason for retaining your data.

Storing Your Information

Given the nature of insurance, your information may be shared with, and used by, a number of third parties in the insurance sector—for example, insurers, agents or brokers, reinsurers, loss adjusters, premium collection, claims-validation processors and providers, sub-contractors, regulators, law enforcement agencies, fraud and crime-prevention detection agencies, as well as compulsory insurance databases. We will only disclose your personal information in connection with the insurance cover we provide and to the extent required or permitted by law.

We require all third parties to respect the security of your personal data. Parties processing data on our behalf are only permitted to process your personal information for specified purposes and in accordance with our instructions.

Transfer of your Information

From time to time, we may need to share your personal information with other insurance market participants or their affiliates, who may be based outside of your country of residence. Furthermore, we may also make other disclosures of your personal information, for example, if we receive a legal or regulatory request from a foreign law enforcement entity.

We will always take steps to ensure any international transfer of information is carefully managed to protect your rights and interests:

  • We will only transfer your personal information to countries which are recognized as providing an adequate level of legal protection or where we can be satisfied alternative arrangements are in place to protect your privacy rights
  • Where applicable, transfers of data overseas will be covered by standard contractual clauses adopted by the European Commission, which give specific contractual protections designed to ensure your personal information receives an adequate and consistent level of protection
  • Any requests for information we receive from law enforcement or regulators will be carefully checked before personal information is disclosed

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data.
 
We apply appropriate safeguards to prevent your personal data being lost, used, altered, disclosed, or accessed in an unauthorised way. In addition, we limit access to personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Confidentiality and Security

If personally identifiable information (i.e. name, address, email, telephone details) is provided to any third parties, we will require they maintain such information in strictest confidence in compliance with our Privacy Policy.
 
We take the security of your personal information seriously and take appropriate technical and organizational measures against unauthorized or unlawful processing of personal data, and against accidental loss, destruction of, or damage to, personal data.
 
The security of your personal information is important to us. Mosaic seeks to use reasonable administrative, technical, and physical safeguards to protect personal information within the organization. However, no method of data transmission or storage system can be guaranteed to be 100% secure.

Your Rights 

Under certain circumstances, you have rights under data protection laws in relation to your personal data:

  • Request access to your personal data
  • Request correction of your personal data
  • Request erasure of your personal data
  • Object to processing of your personal data
  • Request restriction of processing your personal data
  • Request transfer of your personal data
  • Right to withdraw consent of your personal data

Request access to your personal data (commonly known as a “data subject access request”). You are entitled to a confirmation whether we are processing your data; a copy of your data and information about purposes of processing; identity of those we disclose it to; whether we transfer it abroad and how we protect it; how long we retain data; what rights you have; how data was acquired; and how you can make a complaint. This enables you to receive a copy of the personal data we hold about you and to check we are lawfully processing it.

Request correction of your personal data. This enables you to have any incomplete, inaccurate, or outdated information corrected.

Request erasure of your personal data. Sometimes referred to as “the right to be forgotten,” this right entitles you to request your personal information to be deleted or removed from our systems and records. However, this right applies in certain circumstances. Examples of when this right applies to the personal data we hold (subject to exemptions) include: when we no longer need the personal information for the purpose it was collected; if you withdraw consent to our use of your information and no legal justification supports our continued use of your personal data; if you object to the way in which we use your information and we have no grounds to continue using it; if we have used your personal data unlawfully; and, if the personal information needs to be erased to comply with the law.
 
Please be advised there may be consequences if you exercise your right to erasure. If you subsequently make a claim, it may be impossible to administer your claim without your personal data.

Object to processing of your personal data. You have the right to object to our use of your personal information in certain circumstances. You can object to our use of your personal information where you have grounds relating to a particular situation and the legal justification that we rely on for using your personal information in our, or a third-party’s, legitimate interest. However, despite your objections, we may continue to use your personal information where there are legitimate grounds to do so, or we need to use your personal data in connection with legal claims.

Request restriction of processing your personal data. You have the right to request that we restrict or suspend the use of your personal information. However, this right only applies in certain circumstances. For example, you can exercise this right if: you think the personal information we hold about you is inaccurate; the processing is unlawful and you oppose the erasure of your personal information and instead request the restriction of its use; we no longer need the personal information for the purposes we have used it; or you feel it impacts your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate we have legitimate grounds to process your information which may override your objections.

Request the transfer of your personal data. You have the right under certain circumstances to data portability, which requires us to provide personal information to you or a third party in a commonly used, machine readable format, but only where the processing of that information is based upon your consent or a contract to which you are a party.

Right to withdraw consent of your personal data. Where we have relied upon your consent to process personal information, you have the right to withdraw that consent. This right only applies where we process personal information based upon your written consent.

Ability to Opt Out

When you engage us to provide insurance services, we may ask for personal information which we maintain in encrypted form on secure servers. Mosaic does not sell personal information; however, if we propose to use your personal data for any purposes, other than those described in this notice and/or in any other specific notices, you may “opt out” of having your information shared, by contacting us at [email protected]
 
We will not collect or use sensitive personal information for purposes other than those described in this notice unless we have obtained your permission.

State-Specific Privacy Laws

Many states have developed their own privacy laws that apply to individuals and businesses that live and do business in such states. Individual state laws vary; therefore, we encourage you to review your rights as they pertain to state specific consumer privacy rights. For your convenience, below is a summary of current state privacy protections which have been enacted.

California Privacy Rights (CCPA)

California Civil Code Section §1798.83 and the California Consumer Privacy Act (CCPA) permit users of our website who are California residents to request certain data regarding our disclosure of personal information to third parties for their direct marketing purposes. The CCPA also provides California residents the right ‘To Be Forgotten’ by a company.
 
To make such a request, please send us a message via email: [email protected]

Right to Know

A California resident has the right to request that we disclose what Personal Information we collect, use, disclose or sell. You may request that we disclose the following information upon receipt of a verifiable consumer request:

  1. The categories of Personal Information collected and categories of sources from which the Personal Information is collected
  2. The business or commercial purpose for collecting or selling Personal Information
  3. The categories of third parties with whom we share Personal Information
  4. The specific pieces of Personal Information we have collected about you

Right to Delete

As a California resident, you have the right to request that we delete any Personal Information about you which we have previously collected. If it is necessary for us to maintain the Personal Information for certain purposes, we are not required to comply with your deletion request. If we determine that we will not delete your Personal Information when you request us to do so, we will inform you and tell you why we are not deleting it.

Right to Opt Out of Sale of Personal Information

We do not sell Personal Information, including the Personal Information of minors under the age of 16. However, pursuant to applicable law, a California resident may request that their information not be sold in the future. To do so, please email: [email protected]

No Discrimination

You have the right not to be discriminated against because you exercised any of your rights under the CCPA. If you would like to exercise any such rights, please email: [email protected]

Colorado Privacy Act (CPA)

The Colorado Privacy Act (CPA) provides consumers with certain rights related to their personal data.

The CPA provides five main rights for the consumer:

  1. Right of access: you have the right to confirm whether a controller is processing your personal data and to have the sole right to access your personal data
  2. Right to correction: you have the right to correct inaccuracies in any personal data, taking into account the nature of the personal data and the purposes of the processing of your personal data
  3. Right to delete: you have the right to delete personal data concerning the consumer
  4. Right to data portability: you have the right to obtain your personal data in a portable and, to the extent technically feasible, readily usable format that allows you the consumer to transmit the data to another entity without hindrance
  5. Right to opt out: you have the right to opt out of the processing of your personal data for purposes of:
    • targeted advertising
    • the sale of personal data
    • profiling in furtherance of decisions that produce legal or similarly significant effects on you as the consumer
  6. Right to appeal: the CPA also provides you the right to appeal a business’ denial to take action within a reasonable time period. A business must respond to a request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline, it must notify you within the initial 45-day response period.

If you are a Colorado resident and would like to exercise any such rights, please send a request to [email protected]

Connecticut Data Privacy Act (CTDPA)

The Connecticut Data Privacy Act (CTDPA) provides consumers with certain rights related to their personal data. Under the Act, these rights:

  1. Allow consumers to opt-out of the processing of sensitive personal information
  2. Collect and process only the minimum amount of data needed for the processing purpose
  3. Provide consumers with a privacy notice
  4. Conduct data protection assessments where the processing may pose a risk

The CTDPA applies to Connecticut businesses as well as non-Connecticut businesses that interact with Connecticut consumers.

If you are a Connecticut resident and would like to exercise any such rights, please send a request to [email protected]

Montana Consumer Data Privacy Act (MTCDPA)

The Montana Consumer Data Privacy Act (MTCDPA) will go into effect October 1, 2024, and imposes transparency and disclosure obligations on a controller (i.e., an individual, or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data) who either conducts business in Montana or produces products or services that are targeted to Montana residents; and either (a) controls or processes personal data of at least 50,000 Montana consumers or (b) controls or processes personal data of at least 25,000 Montana consumers and derives over 25% of gross revenue from the sale of any personal data.

The MTCDPA grants Montana residents acting in an individual context, and not in a commercial or employment context (consumers), certain access and control rights concerning their personal data. A consumer may submit a request to a controller to:

  • Confirm whether the controller is processing the consumer’s data and provide access to the consumer’s data
  • Correct inaccurate personal data of the consumer
  • Delete personal data about the consumer
  • Obtain a copy of the consumer’s personal data (i.e., data portability)
  • Opt out of the processing of the consumer’s personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.

A controller must respond to consumer requests to exercise their rights granted by the statute within 45 days, though that time period may be extended for an additional 45 days when reasonably necessary considering the complexity and number of the consumer’s requests. In addition, MTCDPA also grants consumers the right to appeal the controller’s refusal to take action on requests to exercise their rights. Furthermore, a controller must respond to an appeal, in writing, within 60 days. If the appeal is denied, the controller must provide the consumer with a method for contacting the Montana Attorney General.

If you are a Montana resident and would like to exercise any rights noted above, please send a request to [email protected]

Oregon Consumer Data Privacy Act (OCDPA)

The Oregon Consumer Data Privacy Act (OCDPA) took effect July 1, 2024 and applies to a company that either conducts business in Oregon or provides products or services to consumers in Oregon and meets one of two thresholds: (i) controls or processes the personal data of 100,000 or more consumers or (ii) controls or processes the personal data of 20,000 or more consumers and derives 25% or more of its annual gross revenue from selling personal data.

The OCDPA, like certain other State Data Privacy Laws, contains the regulatory framework of the European Union’s GDPR, which distinguishes roles and responsibilities between controllers and processors. The OCDPA defines a “controller” as a person that, alone or jointly with others, determines the purpose and means of processing personal data, and a “processor” as an entity that processes personal data on behalf of a controller.

Controllers may only process personal data that is “adequate, relevant and reasonably necessary” for specific purposes. Controllers also are required to implement safeguards to protect the confidentiality, integrity and accessibility of personal data and to reduce reasonably foreseeable risks of harm to consumers.

The OCDPA provides a variety of individual consumer rights that align with most other State Privacy Data Laws. These rights provide consumers with a right to access, correct, delete, and obtain a copy of their personal data, and to opt-out of the selling of personal data and/or sharing of personal data for targeted advertising. In addition, included are consumer rights to data portability and to obtain a list of third parties to which their personal data was disclosed.

Under the OCDPA, a controller must respond to a consumer’s request to exercise a right within 45 days of receipt of such request. Like most other State Data Privacy Laws, if the controller denies a consumer’s request, the controller must explain the justification for the denial and include instructions for appeal that are conspicuously available and similar to the process for submitting consumer rights requests.

If you are an Oregon resident and would like to exercise any rights noted above, please send a request to [email protected]

Texas Data Privacy and Security Act (TDPSA)

The state of Texas enacted a comprehensive consumer privacy law by passing the Texas Data Privacy and Security Act (TDPSA). The law took effect July 1, 2024. The TDPSA contains many provisions that are similar to other state privacy laws; however, the TDPSA applies to a broader range of individuals and businesses (known as “controllers” under the statute) regardless of revenues or the number of individuals whose personal data is processed or sold. In addition, the TDPSA requires all controllers to recognize universal opt-outs (e.g., web browser privacy settings).

The consumer rights granted in the TDPSA are consistent with other state privacy laws and include:

  • The right to know whether a controller is processing the consumer’s personal data.
  • The right to receive a portable copy, in digital format, of the consumer’s personal data processed by the controller.
  • The right to request deletion of personal data provided by or obtained about the consumer.
  • The right to request a correction of inaccurate personal data.
  • The right to opt out of sales of personal data, targeted advertising, and profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
  • The right to appeal any refusal to take action on any of the above requests.

Furthermore, the TDPSA requires controllers to practice data minimization (only using personal data as reasonably necessary), maintain privacy policies and include a notice whether the business sells sensitive personal data. Mosaic Insurance Group of companies will never sell sensitive personal data.

If you are a Texas resident and would like to exercise any rights noted above, please send a request to [email protected]

Utah Consumer Privacy Act (UCPA)

The Utah Consumer Privacy Act (UCPA), which took effect December 31, 2023, protects consumers against excessive data processing practices and gives consumers more control over their personal data. UCPA grants consumers rights. The Act imposes obligations on “controllers” and “processors.”
 
The law describes a controller as an entity that determines the purposes for which and means by which personal data is processed. Processors are entities that process personal data on behalf of a controller. According to the Act, processors must follow many, if not all, of the same regulations governing controllers.
 
Under the UCPA framework, Utah residents are granted the following six categories of rights:

  1. Right to know: the right to verify if a data controller is processing their personal data
  2. Right of access: the right to access their personal data
  3. Right to deletion: limited right to request their personal data be deleted by the controller
  4. Right of copy: the right to obtain a copy of their personal data in a format that’s both portable and legible
  5. Right to opt out: the right to opt out of the processing of the consumer’s personal data for the purposes of targeted advertising or the sale of their personal data
  6. Right to avoid discrimination: the right to avoid discrimination for exercising their UCPA rights

In addition, UCPA requires businesses to be transparent about data practices and requires the controller to provide Utah consumers with a reasonably accessible and clear privacy notice which describes how consumers’ personal data is collected, used and shared.
 
If you are a Utah resident and would like to exercise any such rights, please send a request to: [email protected]

Virginia Consumer Data Protection Act (VCDPA)

The Virginia Consumer Data Protection Act (VCDPA) provides consumers with certain rights related to their personal data. Under the Act, these rights include:

  1. The right to know, access, and confirm personal data
  2. The right to delete personal data
  3. The right to correct inaccuracies in personal data
  4. The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company)
  5. The right to opt out of the processing of personal data for targeted advertising purposes
  6. The right to opt out of the sale of personal data
  7. The right to opt out of profiling based upon personal data
  8. The right to not be discriminated against for exercising any of the preceding rights

If you are a Virginia resident and would like to exercise any such rights, please send a request to: [email protected]

In addition to the privacy laws enacted by the various states noted above, more states have passed laws that will go into effect over the next two years. As such, beginning January 2025, five states’ consumer privacy laws will take effect to protect individuals from privacy violations. These laws create standards for how businesses collect, use and store consumer data.

Delaware, Iowa, Nebraska and New Hampshire privacy laws take effect January 1, 2025, while New Jersey’s are effective January 15, 2025. The applicability of consumer privacy laws is similar and takes into account the following key points:

Applicability:

  • Applies to companies that conduct business in the respective state, produce products or services targeted to the state’s residents, and control or process personal data
  • The state consumer privacy laws include specific thresholds, such as minimum revenue amounts, data-processing volume and/or the number of residents affected

Consumer protection: what rights do state privacy laws give to consumers?

  • Right to access: to confirm whether a business (the controller) is processing personal data and access such data
  • Right to correct: the right to correct inaccuracies in the consumer’s personal data
  • Right to delete: the right to delete personal data concerning the consumer
  • Right to data portability: the right to obtain personal data in a portable and, if feasible, readily usable format that allows the consumer to transmit data to another entity without hindrance, where processing is carried out by automated means
  • Right to obtain: the right to obtain categories of third parties to whom the consumer’s personal data was disclosed
  • Right to opt out: the right to opt out of the processing of personal data for purposes of (i) targeted advertising, (ii) sale of personal data, (iii) profiling decisions that significantly affect the consumer

The consumer privacy laws also govern businesses that control (controller) or process (processor). Such businesses are required to adhere to specific protections of consumers’ sensitive data, implement and maintain reasonable administrative and data security appropriate to the nature of the personal data to protect confidentiality, integrity, and accessibility of personal data.

In addition, businesses are required to clearly disclose to consumers if they sell personal data to third parties or process personal data for targeted advertising, and provide a clear method for consumers to opt out. Notably, similar to the California Consumer Privacy Act, sale is broadly defined as the exchange of personal data for monetary or other valuable consideration by the controller to a third party.

NOTE: The Mosaic group of companies do not sell clients’ information or personal data.

 

Changes to our Privacy Notice

We review this Privacy Notice regularly and reserve the right to make changes at any time to comply with legal requirements. We encourage you to review this page for any updates to the Privacy Notice. If there will be any significant changes made to the use of your personal information in a manner that is different from that stated at the time of collection, we will notify you by posting a notice on our website.

How to contact us

For questions or concerns relating to our Privacy Notice or data protection practices, or if you would like to exercise any of your rights as defined above, please email us at [email protected]
 
You may also contact our principal firm and Managing Agent, Asta Managing Agency at:

Data Protection Manager
5th Floor Camomile Court
23 Camomile Court
London EC3A 7LL
UK

[email protected]

Complaints

If you are not satisfied with our response or believe we are not processing your personal data in accordance with legal requirements, you can make a complaint to the relevant Data Protection Authority.