Customer Privacy Notice
- GENERAL INFORMATION
- YOUR DATA PROTECTION RIGHTS
- PROCESSED DATA
- DATA PROCESSING BASED ON YOUR CONSENT
- DATA PROCESSING FOR CONTRACT EXECUTION
- USES OF PERSONAL DATA
- LAWFUL BASIS FOR USES OF PERSONAL INFORMATION
- DURATION OF DATA STORAGE IN GENERAL
- RECIPIENTS OF THE DATA
- TRANSFER TO THIRD COUNTRIES
- OBLIGATION TO PROVIDE DATA
- AUTOMATED DECISION MAKING
A. GENERAL INFORMATION
In this section, you will learn who is responsible for processing your data, who you can contact with questions and complaints about data protection, how to contact our data protection officer, how We protect your data, and how you can generally protect your data.
I. Person responsible
The Controller responsible for the collection and use of your personal data on our online platform and when using our service within the meaning of data protection laws is:
Candid Insurance Services Ltd (“the Company/We/Us/Our”) is a Company of which “Tom” is a trading style. The Company is registered at 920 Hempton Court, Aztec West, Almondsbury Bristol BS32 4SR with company registration number 7279489. We can be contacted at this address, via email at hello.uk@tom.io or via this Website.
We are a policy distributor and broker supporting people to purchase long term insurance products including life insurance, serious illness cover and income protection. We are also a broker for private medical insurance. We are authorised and regulated by the Financial Conduct Authority (FCA).
We also provide services via the wallet section of the Tom app to provide insights and suggestions upon your uploaded insurance policies (if you have agreed to this service).
If you have any questions about the collection and use of data, you can contact Us at any time.
II. Data Protection Officer
If you have any questions or suggestions regarding data protection, please feel free to contact Us directly by email at hello.uk@tom.io.
You can reach our group data protection officer directly at clark@isico.de.
III. Information security & data protection-friendly default settings
1. Information security
Tom maintains a high standard of personal data protection. We are committed to the secure and confidential processing of personal data relating to customers, Website and App users and other stakeholders.
Data we collect is:
- fair and used exclusively for legitimate purposes
- protected against unauthorised or unlawful access by internal or external parties
- not transmitted externally without legal basis
- not kept longer than necessary
To this end, We have implemented the following measures to ensure the protection of your personal data:
- We restrict access to personal data and constantly monitor it
- Our employees are trained in the implementation of personal and technical protective measures
- Within the scope of data processing by our service providers, We agree on contractual clauses that bind them as data processors to the level of data protection specified by Us.
- We take current security measures to prevent cyber attacks and data breaches.
To this end, We have implemented an internal control system to ensure that the necessary measures are appropriate and effective at all times. This control system is based on the applicable requirements of the ISO 27001 BSI standard (Information Security) and is regularly reviewed. To protect your personal data, We guarantee cybersecurity and fair data processing.
2. Data Protection-friendly default settings
This Website uses a number of cookies for different reasons. We explain these in this policy. Before We can use some – but not all – of these cookies, We need your consent. This Cookie Policy will be reviewed periodically and, in any event, if there is a change in laws and regulations.
What are cookies?
Cookies are text files containing small amounts of information which are downloaded to your device when you visit a Website. Software on your device, for example a Web browser, stores the cookies and sends them back to a Website next time you visit. Cookies allow Websites to recognise your device and preferences, and provide information to the owners of sites which can be used to improve your online experience.
To remove or clear existing cookies or similar technologies from other sites, you can – in addition to the options for consent and revocation in our consent banner for services used by Us – set privacy-friendly preferences in your browser or use certain opt-out options.
Here are some steps you can take:
- Delete cookies:
Most browsers offer the option to delete stored cookies. To do this, go to your browser’s settings and look for the privacy or data protection section. There you will normally find an option to manage and delete cookies.
- Use incognito/private mode:
Many browsers have an incognito or private mode that limits the use of cookies and other data while browsing. You can enable this mode to prevent new cookies from being saved.
- Use browser extensions:
There are various browser extensions and add-ons available to help block or control tracking by cookies and similar technologies. Find extensions compatible with your browser and install them according to the provider’s instructions.
- Use opt-out options:
We use third party software “OneTrust” that manages our Website cookies. OneTrust provides a cookie consent banner that provides detailed information on the cookies that operate on this Website. It also allows you to switch on or off the cookies that apply, giving you control over your browsing experience for this site.
The types of cookies that We use
(i) Necessary Cookies
We use necessary cookies to operate the core functions of our Website, so that you may visit and move around it, and use its features. We do not require your consent to use these cookies but you may be able to block these cookies yourself on your device/browser (see the section below “How to Manage Your Cookies” for further information). However, without these cookies, our site is unlikely to work as you would expect and certain services that you may ask for, for example, signing into your online account, cannot be provided.
Where We process ‘personal data’ using these necessary cookies, We do so on the basis of our legitimate interests to provide a Website for visitors to use and to promote our business.
(ii) Analytics Cookies
Analytics cookies are used by Us for statistical analysis purposes. This helps Us to understand how visitors use and move around our Website, and to make improvements and adaptations to our Website to best meet our visitors’ needs.
Our analytics cookies may also collect information about your browser type and settings, device type and settings, operating system and mobile network. This information is used to distinguish you from other visitors to our site, but it cannot be used to identify you as a named individual.
We will only set these types of cookies where you have provided Us with your consent to do so via the cookie consent banner. Where We process your personal information using these types of cookies, We do so on the basis of that consent. Rejecting our analytics cookies will prevent Us from collecting the data described above to improve our site for you and other visitors. The performance and functionality of our site will however not be affected.
(iii) Advertising cookies
We use cookies from those third parties’ sites on our own Website to:
- provide Us with anonymised demographics and browsing activity information of the logged-in visitors to our own Website;
- help Us to tailor our advertising on the Websites of those third parties to previous logged-in visitors to certain pages of our own site; and
- help Us measure the effectiveness of our advertising.
We will only set these types of cookies where you have provided Us with your consent to do so via the cookie consent banner. Where We process your personal information using these types of cookies, We do so on the basis of that consent.
How to manage Cookies
You can use the cookie consent banner to control the cookies that apply to this Website. Web browsers also give users control over what cookies are stored, but each works slightly differently. The links below take you to the pages for commonly used Web browsers, where you can find out how to delete and manage cookies in your browser.
Google Chrome – https://support.google.com/chrome/answer/95647?hl=en
Microsoft Edge – https://support.microsoft.com/en-gb/windows/microsoft-edge-browsing-data-and-privacy-bb8174ba-9d73-dcf2-9b4a-c582b4e640dd
Mozilla Firefox – https://support.mozilla.org/en-us/kb/third-party-cookies-firefox-tracking-protection
Safari (iPhone) – https://support.apple.com/en-gb/HT201265
Safari (Mac) – https://support.apple.com/en-gb/guide/safari/sfri11471/mac
Samsung Internet (mobile) – https://www.samsung.com/uk/support/mobile-devices/what-are-cookies-and-how-do-i-enable-or-disable-them-on-my-samsung-galaxy-device/
B. YOUR DATA PROTECTION RIGHTS
This section explains your data protection rights in relation to your data. These rights include the right to access the data stored about you, the right to rectify it and, provided the legal requirements are met, the right to have your data deleted. Whenever We ask for your consent to process your data, you also have the right to withdraw your consent at any time without giving reasons.
I. Information & Access, Art. 15 UK GDPR
According to Art. 15 UK GDPR, you have the right to request information about our processing of your personal data at any time. When providing this information, We will explain our data processing and provide you with an overview of the data stored about you.
We inform you about:
- the purpose of processing
- the categories of personal data
- the recipients or categories of recipients of personal data
- the planned duration of storage (or the criteria for determining it)
- the existence of your rights against processing
- whether We process data that We have not collected from you and where it comes from
- the existence of automated decision-making
- the transfer of your data to third countries
Data Subject Access Request
If you wish to request a copy of your data, please submit your request in writing/email to the Company, including sufficient information to enable Us to identify you and search for any appropriate data. Our contact details are set out in the first paragraph of this privacy policy.
II. Correction, Art. 16 UK GDPR
If data stored by Us is incorrect or no longer up to date, you have the right to have this data corrected in accordance with Art. 16 UK GDPR.
We will respond to your request without delay.
When making a correction, you can send Us the correct data, and We will take care of the rest.
III. Deletion, Art. 17 UK GDPR
According to Art. 17 UK GDPR, you can also request the deletion of your data if one of the following situations applies.
- The data is no longer necessary for the purpose for which it was collected
- You have withdrawn your consent to processing and there is no other legal basis
- You have objected to the processing pursuant to Art. 21 (1) or (2) UK GDPR (see below)
- Your data was processed unlawfully
- Under Union or Member State law, erasure is necessary to comply with a legal obligation
If deletion is exceptionally not possible due to other legal provisions, the data will be blocked so that it is only available for this legal purpose.
If We store data unlawfully, We will of course delete it immediately.
IV. Restriction, Art. 18 UK GDPR
You can also restrict the processing of your data in accordance with Art. 18 UK GDPR if you believe that the data We have stored is incorrect, the processing is unlawful, the personal data is no longer required for the purpose or you have lodged an objection.
While We review your aforementioned rights, you can request that processing be restricted.
V. Transfer, Art. 20 UK GDPR
Furthermore, according to Art. 20 UK GDPR, you have the right to request that We transfer the data concerning you in the form of a digital copy if you have consented to the data processing (Art. 6 I lit. a UK GDPR) or if it is based on a contract existing between Us (Art. 6 I lit. b UK GDPR).
If you request the transfer of the data you have provided to Us, We will provide it to you in a portable format.
VI. Objection, Art. 21 UK GDPR
To the extent that We process your data based on legitimate interests pursuant to Art. 6 (1) (f) UK GDPR, you have the right to object to the processing of your data pursuant to Art. 21 UK GDPR, provided there are reasons for doing so that arise from your particular situation or if the objection is directed against direct marketing. In the latter case, you have a general right of objection, which We will implement even without you providing reasons. If you object, We will check in cases outside of direct marketing whether We have compelling reasons for processing your data. If this is not the case, We will no longer process your data.
VII. Revocation, Art. 7 UK GDPR
According to Article 7 (3) (1) UK GDPR, you have the right to withdraw your consent at any time by sending a message to hello.uk@tom.io. This means that We will no longer continue the data processing based on this consent in the future. Revoking your consent does not affect the legality of the processing carried out on the basis of your consent until the revocation, Article 7 (3) (2) UK GDPR. If you withdraw your consent, We will stop the data processing based on it. If you have given your consent in the consent banner, you can also withdraw it there.
VIII. Complaints, Art. 57 UK GDPR
If you are dissatisfied with this policy, have queries about our data protection procedures or wish to lodge a complaint, please contact Us in the first instance at complaints-uk@tom.io. Independently, you have the right to submit a complaint to the Company’s Supervisory Authority, the Information Commissioner’s Office (ICO) which can be contacted via the following methods:
ICO Contact Details
Address:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow Cheshire
SK9 5AF
Website:
www.ico.org.uk
Helpline:
C. PROCESSED DATA
In order to perform our duties, We process your personal data. This includes information that allows Us to identify you personally, such as your name, telephone number, address, or email address. Statistical data that cannot be linked to you personally does not fall under the definition of personal data.
As a broker, We need to process certain information about you:
First, We need your Contact details:
- Name, address, date of birth, age
- Telephone number, e-mail address
- Bank details
You will provide Us with this information when you register.
We also process the following personal data:
- Gender
- Marital status
- Profession, status (FT, PT), address of employer and salary
- Special categories of data (e.g. health data)
- Smoking status
- Current insurance situation
- Family situation (partner, children)
- Living situation (current and planned)
- Hobbies and interests
- Pets
- Other personal/financial circumstances, care requirements
You will provide Us with this information as part of our needs, requirements and identification check.
In addition, We process your Insurance details:
- Application data (data you provide when applying for insurance)
- Contract data for a specific contract (such as insurance policy number, insured amount, term, premium, risk, investment amounts, loan amounts)
- Benefit data (insurance claims, data at the time of occurrence of the claim or benefit event)
- Other insurance policies that you upload in the wallet section of the Tom app (if you have agreed to this service), including any personal data extracted from those policies, to enable Us to provide insights and suggestions to you regarding those policies.
You share this data with Us in the course of our taking over or managing a brokerage mandate. If We take over an existing brokerage mandate, We will also receive the data from the insurers, with your consent.
We also collect your usage data:
- Interactions on the website and app or with emails (clicks, etc.)
- Visits to the Websites and apps (which ones were accessed?)
- Time spent on Websites and apps (how long did you view a page)
- Source page (ref URL)
- Time and date, e.g. of accessing our Website or emails
We collect this data when you use our Website and app.
Finally, We collect the following device, browser and location data:
- Operating system of your device (e.g. Windows, Android or iOS)
- Model of your device (e.g. iPhone, Samsung Galaxy)
- Settings of your device, e.g. screen resolution
- Browser settings e.g. language setting, time zone, installed plugins and fonts
- IP addresses
- Your location (we do not use GPS data, but only the information derived from the IP address).
We collect this data when you use our website and app.
D. DATA PROCESSING BASED ON YOUR CONSENT
I. We require your consent if We process special categories of personal data as defined in Art. 9 UK GDPR. This includes, for example, information about your health status. We need this information if We advise you on insurance products, particularly when processing claims for health and liability insurance.
Therefore, We ask for your consent if you decide to purchase a corresponding product. You can revoke your consent at any time in the future by sending a message to hello.uk@tom.io.
II. Consent for advertising and newsletters
We may also require your consent in order to send you advertising information and to personalise it. This applies in particular to the sending of newsletters to provide you with information about our products, special offers, discounts or other relevant news and events from the world of insurance that may be of interest to you. If you confirm your email address, We will store your email address, the time of registration and the IP address used for registration. We process this data in order to send you the newsletters and to be able to verify your registration. In addition, We process your usage data in order to understand your interaction with our newsletters. A corresponding unsubscribe link can be found in every newsletter.
III. Consent for tracking technologies
In addition, We require your consent for the use of tracking technologies to analyse the usage behaviour of our Websites and apps and for marketing purposes. This also involves reading and storing information on your device. Detailed information on this, in particular on the individual providers, data protection information, privacy settings and explanations of any joint responsibility, can be found in this privacy policy under section G and in our consent banner.
IV. Data processing within the framework of our partnerships
We cooperate with various partners in order to provide you with additional benefits. In doing so, certain data must be passed on so that our partners can check whether you meet the relevant requirements. In this context, upon your request – with which you give your consent – your number of insurance policies and a corresponding identifier will be sent. This allows Us to check whether you meet the requirements for the respective benefit.
V. Information on revocation
These consents are voluntary. It is also possible to use our services without giving these consents. Furthermore, you can revoke your consent at any time with effect for the future. This does not affect the lawfulness of the processing until the time of revocation.
VI. Wallet services
We also provide value-added services via the wallet section of the App (if you have agreed to this service) to provide insights and suggestions upon your uploaded UK insurance documents.
E. DATA PROCESSING FOR CONTRACT EXECUTION
In this section, We provide you with information about the processing of your data in connection with the initiation and/or execution of a contract with Us in insurance matters. In particular, you will learn which categories of data We process for the creation of your account, for carrying out needs assessments, for concluding an insurance policy and for managing your data, e.g., to service providers who provide Us with technical support, or to insurers. Finally, you will also learn how long We store your data and what determines this period. We also inform you there about data processing for sending marketing communications, insurance-related recommendations and transactional messages.
I. Data processing in the context of the account
1. Account for the provision of our services
To use our service, you need to provide your details and We store all information relevant to the use of our app and Website, including master data, contact details, payment details and profile data.
2. Identification and insurance support
Data processing is used to identify you and to allow Us to provide support in insurance matters. It is important that you identify yourself and that We know who you are, in order for Us to carry out engagement and conclusion of insurance contracts as well as assistance with administration and fulfilment, especially in the event of a claim.
II. Data processing for the conclusion of insurance contracts and customer service
1. Conclusion of insurance contracts
The core of our business is to provide you with the best possible insurance policies. That is why We also process your data (including master and contact data, insurance data, payment data and, if applicable, health data) in the context of concluding contracts with insurers, provided that you wish to purchase a specific insurance product. This data may be shared with insurers. In order to conclude such a contract, insurers request a variety of information about you and your personal details.
2. Communication
We process your data so that you can contact Us and We can respond to your enquiry. We are available to support you with your insurance queries on the days and at the times stated on our Website. In doing so, We process your contact and communication data.
3. Management of policies
As an insurance distributor, We support you in insurance matters and in the areas that you have added to your profile, that interest you or for which We have identified a need. We use your master and contact data, your profile data, your payment data and your insurance data, i.e. the details of your insurance contracts or individual insurance claims, in order to:
- provide you with secure and reliable information about your insurance policies;
- offer value added insights and suggestions relating to insurance policies uploaded within the wallet section of the App (if you have agreed to this service);
- inform you about relevant news or offer you new insurance policies that suit your needs and are appropriate for your life situation.
- Your data may also be shared with insurers, as described in Section I.
III. Data processing for notifications and personalised recommendations
A. Personalised recommendations
We use the information available to Us (in particular master and contact data, insurance data, profile data (including product interests)) to analyse your interests or needs as a customer so that We can recommend suitable products for you. We perform this task as part of our advisory duty as a broker.
To do this, We analyse the data according to certain criteria based on our experience as brokers, in particular on the basis of the information from the needs assessment.
In order to continuously improve and further automate our product and our recommendations, We also use tools and methods to determine both your insurance needs and your satisfaction with your current insurance situation. The aim of this is, on the one hand, to provide you with the best experts at your side and, on the other hand, to optimise the workload of our insurance advisors.
B. Transactional emails
Transactional emails are messages sent to you as part of our contractual relationship to enable Us to fulfil certain obligations in connection with our brokerage activities. As brokers, We have obligations and responsibilities that require Us to provide you with regular updates and relevant information. These emails serve to keep you informed about important aspects of our service and the existing contractual relationship.
In the course of our brokerage activities, the following situations, among others, may arise that require transactional communication by email:
- Updates and changes:
If, in the course of our contractual relationship, there are updates, changes or new information that are relevant to you, We will send you a transactional email to inform you. This may be the case, for example, if legal provisions change, new options or services become available, or changes are made to the terms of the contract.
- Broker obligations and communication:
As brokers, We are obliged to share certain information with you in order to fulfil our legal obligations. This may include the transmission of documents, forms or other relevant information that is important in the context of our contractual relationship.
- Regular review of your insurance situation:
As part of our activities, it is necessary to regularly review your insurance situation. This is to ensure that your insurance coverage meets your current needs and circumstances. In this context, We send you transactional emails to inform you of upcoming needs checks and, if necessary, to give you recommendations for adjustments or updates to your insurance policies. These emails contain relevant information to help you make an informed decision and keep your insurance coverage up to date.
This involves the processing of contact data, usage data and device data (including IP address). Please note that transactional emails serve to fulfil the contractual relationship and our regulatory obligations. They contain relevant information and updates that may be useful to you in order to provide you with a comprehensive and professional service.
IV. General information about our cooperation partners and data transfer
In connection with the purposes set out above, We will sometimes share Personal data with companies within the Clark Group and third parties, including:
- Insurance brokers, financial advisers and business partners who help Us arrange, manage and underwrite our products and who provide insurance services;
- Other insurers (either directly or via those acting for the insurer);
- Our insurers or reinsurers (either directly or through insurance brokers), who provide reinsurance services to Us and each other in respect of risks underwritten by the Company, or insurers who cover the Company under our group insurance policies. We can supply on request further details of the insurers and reinsurers We provide your Personal Information to and how this may be used. If you require further details, please contact Us;
- Third parties who provide you with certain services including assistance providers;
- Third parties in relation to the relevant insurance policy or claim e.g. experts and in limited circumstances, private investigators;
- Legal advisers, accountants, auditors, financial institutions and professional service firms who act on our or your behalf;
- Data analysts and providers of data services who support Us with developing our products and prices and measuring the effectiveness of marketing;
- Third parties that help Us maintain the accuracy of our data e.g. identifying individuals who are deceased, updating contact details for individuals who have moved and payment card providers who provide Us with updated payment card details;
- Financial crime detection agencies, sanctions checking providers and third parties who maintain fraud detection databases or provide assistance with investigation in cases of suspected fraud;
- Regulators who regulate how We operate, including the FCA, PRA, FOS, HMRC, ICO and the Advertising Standards Agency;
- Government agencies and regulatory bodies including the police, courts and DWP;
- Debt advisors where breathing space is requested on outstanding debts;
- Insurance industry bodies, including the Association of British Insurers;
- Service providers, including those who help operate our IT and back office systems, underwriting and claims processes and our information security controls;
- Third party payment service providers, who process card and other payments for Us.
- Medical professionals, if We need to access health records or assessments for the purposes of arranging and underwriting certain products or facilitating and handling claims;
- Clinicians, including hospitals and third party case managers from whom you and others covered under the policy receive insured treatment or who manage your care or treatment pathway;
- Research agencies and providers of market research services, including customer feedback surveys;
- Providers of marketing and advertising services, including delivering and administering marketing, ensuring you receive marketing content that’s relevant to you and in accordance with your preferences and analysing marketing campaigns. These may include media agencies, fulfilment partners, social media and other online platforms and advertising technology companies.
- Third parties in connection with any sale, transfer or disposal of our business.
The information you will be asked for will include details about your medical history, which is essential to enable a broker to provide you with an accurate life insurance quote. Tom.co.uk and any trusted third parties who wish to provide a quote to you will then need to process the personal data provided by you for administration purposes, to enable quotes to be provided to you and, if you decide to proceed with the purchase of a policy, as reasonably required to provide life insurance to you.
F. USES OF PERSONAL DATA
The main purposes for which We use Personal data are to:
- Communicate with you and other individuals;
- Make assessments and take decisions, including whether to provide you with our products and services
- Provide our products and services, including insurance administration, taking payment, making changes where requested or necessary, claims assessment, settlement and dispute resolution and the provision of our apps and other technologies e.g. Tom app
- Manage relationships with third parties, e.g. advisers and service providers;
- Prevent, detect and investigate fraud and other crime, including by carrying out fraud, sanctions and anti-money laundering checks.
- Improve our products and services, provide staff training and maintain information security, including by recording and monitoring telephone and online calls and screen sharing sessions;
- Provide marketing information and run promotions in accordance with preferences you have expressed.
- Help Us better understand our customers and improve our customer engagement, including noting your interest in our Website, understanding your customer journey, and use of profiled data (which is not actual information about you but predictions about you, e.g. assumptions about your interests based on the preferred leisure pursuits of households in your area). This allows Us to make correlations about our customers to improve and promote our products and to suggest other products, services and information which may be relevant or of interest to customers;
- Carry out data analysis, including to ensure data accuracy and quality and for insurance risk modelling and product and pricing refinement.
- Manage complaints, including to allow Us to respond to any current complaints, or challenges you or others might raise later, for internal training and monitoring purposes and to help Us to improve our complaints handling processes. We may be obliged to forward details about your complaints, including your Personal data to the appropriate authorities, e.g. Financial Ombudsman Service
- Manage feedback and queries, and handle requests to exercise data subject rights.
- Manage our business operations, including by carrying out internal audits, quality assurance and training, financial analysis and accounting, producing management information and performing administrative activities in connection with the services We provide;
- Manage commercial risk, including by taking out and maintaining appropriate insurance and reinsurance;
- Comply with applicable legal, regulatory and professional obligations, including cooperating with regulatory bodies e.g. the FCA, PRA, ICO and government authorities, to comply with law enforcement and to manage legal claims;
- Identify and support customers requiring additional support, to help Us better meet your needs and to comply with regulatory guidance about how We meet your needs. Sometimes you or a third party may tell Us that you have additional support requirements, and in other cases We may infer this from your Personal Information and our interactions with you;
- Establish, enforce and defend our legal rights or those of third parties, including enforcing our terms and conditions, pursuing available remedies and limiting our damages;
- Carry out activities that are in the public interest, e.g. We may need to use Personal data to carry out anti-money laundering checks;
- Buy, sell, transfer or dispose of any part of our business;
- Archiving, scientific or historical research or statistical purposes.
- In the wallet section of the App (if you have agreed to this service), We will provide insights and suggestions relating to insurance policies uploaded within the Wallet, following analysis through an artificial intelligence tool. For this purpose We process personal data contained in the uploaded insurance policies.
G. LAWFUL BASIS FOR USES OF PERSONAL INFORMATION
We are committed to collecting and using Personal data in accordance with applicable data protection laws. By law, We must have a legal justification, known as a lawful basis, in order to use your Personal Information for the purposes described in this Privacy Policy. Depending upon the purpose, our lawful basis will be one of the following:
- Performance of a contract – to arrange, underwrite or manage our products, or handle claims in accordance with their terms;
- Compliance with a legal obligation – to meet responsibilities We have to our regulators, tax officials, law enforcement, or other legal responsibilities;
- Legitimate interests – to operate and improve our products and services and keep people informed about our products and services or for any other purposes We identify as appropriate to our business needs, or those business needs of a third party;
- Consent – where We have obtained appropriate consents to collect or use your Personal Information for a particular purpose.
Where We rely on legitimate interests as our lawful basis, We are required to carry out a balancing test to ensure that our interests, or those of a third party, do not override the rights and freedoms that you have as an individual. The outcome of this balancing test will determine whether We can use your Personal Information for the purposes described in this Privacy Policy. Where We rely on the lawful basis of legitimate interests, the interests being relied upon will usually be:
- To further our business and commercial activities and objectives, or those of a third party, e.g., to provide our products and services and produce management information on our performance and the performance of third parties;
- To help Us better understand our customers and improve our customer engagement and marketing campaigns including by carrying out analysis and profiling, e.g. by making certain predictions and assumptions about your interests;
- To send you marketing information in accordance with your preferences, e.g. about other products and services We offer, and to administer promotions that you enter;
- To provide you with helpful information relating to your products and about useful tools for managing and engaging with your products, e.g. the Tom app. These are not marketing communications;
- To comply with our legal and regulatory obligations, guidelines, standards and codes of conduct, e.g., background checks or the prevention, detection and investigation of financial crime or fraud;
- To improve and develop our business, products and services, or those of a third party, e.g. to ensure the accuracy of customer data and to develop our pricing and risk methods and models;
- To retain your policy record for a period of time in order to ensure We have appropriate records in place in respect of any future claims that may be insured by Us;
- To safeguard our business, shareholders, employees and customers, or a third party, e.g. maintaining the security of our IT network and information, enforcing claims, including debt collection;
- To facilitate the purchase, sale, transfer or disposal of any part of our business; and
- To analyse and assess competition in the market for our products and services, e.g., by carrying out market research.
Content Delivery Networks – We have a legitimate interest in providing our online services in a secure, fast and efficient manner. For this reason, We work with service providers who store and provide our services, infrastructure and data. These may include, in particular, services such as content delivery networks (CDN).
Communication – Apart from communication within the scope of your contractual relationship, We have a legitimate interest in communicating with you and answering your questions about Us, our services or data protection. For this purpose, We process the contact details of your chosen contact channel and the communication data, including communication content.
Social Networks
– We operate company pages on the LinkedIn social network to keep you up to date about Us and our services and to communicate with customers and interested parties.
– User data is generally processed by the social network for market research and advertising purposes. This allows usage profiles to be created based on users’ interests. For this purpose, cookies and other identifiers are stored on the end devices of the persons concerned. Based on these usage profiles, advertisements are then placed within the social network, and also on third-party Websites.
– The legal basis for data processing carried out by social networks on their own responsibility can be found in the data protection information of the respective social network. The links below also provide further information on the respective data processing and the options for objection.
– As part of the operation of our company pages, We may be able to access information such as statistics on the use of our company pages provided by the social network. These statistics are aggregated and may include, in particular, usage data such as demographic information and interactions with our company pages and the posts and content distributed on them.
These may also provide information about the interests of users and which content and topics are particularly relevant to them. We may also use this information to tailor the design, activities and content of our company page and optimise it for our audience. The legal basis is our legitimate interest in effective information and communication with users of social networks.
– If you have an account with a social network, We may be able to see your publicly available information (e.g. username) and media (e.g. images and videos) when We visit your profile. In addition, the social network may allow Us to contact you. This can be done, for example, via direct messages or posted contributions.
– The content of communication via the social network and the processing of communication data is the responsibility of the social network as a messenger and platform service. For this processing, We refer to the privacy policy of the respective social network.
– As soon as We transfer your data to our own systems or process it further, We are independently responsible for it. In this case, the legal basis depends on the type of processing listed in this privacy policy.
– We would like to point out that data protection requests can be most efficiently made to the respective social network provider, as only these providers have access to the data and can take appropriate measures directly. You can, of course, also contact Us with your request. In this case, We will process your request and forward it to the social network provider.
Our Company Pages
Below We list the social networks where We operate company pages:
– LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
– Privacy policy: https://www.linkedin.com/legal/privacy-policy
– Privacy settings: https://www.linkedin.com/mypreferences/g/guestretargeting-opt-out
– Information on the joint responsibility agreement: https://www.linkedin.com/legal/l/page-joint-controller-addendum.
H. DURATION OF DATA STORAGE IN GENERAL
Information on the storage of information when using the Tom Website/app
The period of time for which We store the data We collect varies and depends on what data it is and for what purpose We use it.
Some data you can delete yourself. Some data is automatically deleted after a certain period of time or anonymised. In some cases, your data will only be deleted when your account is deleted or your contract with Us ends.
We keep records, which may include your personal data, to meet legal, regulatory, tax or accounting needs. For example, We are required to retain an accurate record of your dealings with Us, so We can respond to any complaints or challenges you or others might raise later. We’ll also retain files if We reasonably believe there is a prospect of litigation. The specific retention period for your Personal Information will depend on your relationship with Us and the reasons We hold your Personal Information, and We have carefully considered different retention periods that apply to each data category.
Our third parties are also subject to these regulations but We recommend that you check their privacy policies separately. This is to ensure that you do not inadvertently agree to authorise the use of your personal data in a manner you would not wish to have done, as your arrangements with these third parties are separate from your arrangements with Us.
To support Us in managing how long We hold your data and our record management, We maintain a data retention policy which includes clear guidelines on data retention and deletion.
If you would like more information about our data retention policy, please contact Us.
I. RECIPIENTS OF THE DATA
The data We collect is only passed on if there is a legal basis for this in a specific case. This may be via your consent, but it may also be necessary for the transmission within the framework of your contractual relationship, due to legal obligations or to protect our legitimate interests. In this section, you will find further details about recipients.
Legal basis for disclosure
Your data will only be passed on if one of the following legal bases applies:
- Your consent;
- Your contractual relationship with Us, including for the performance of the contract and for the implementation of pre-contractual measures;
- Legal obligation, including due to binding requirements, official requests, court orders and legal proceedings for legal prosecution and enforcement;
- Necessity to safeguard our legitimate interests, including to ensure secure and stable Website and app operation and to assert, exercise or defend legal claims.
- Insurers
If you apply for insurance with Us, We will forward the personal data relevant to the conclusion of the insurance policy contract to the respective insurer. This transfer is carried out in order to fulfil our obligations to the insurer. As an insurance broker, We transfer information between you and the insurers.
- Technical service providers & infrastructure providers
We use technical service providers for the operation, maintenance and further development of our digital infrastructure. These providers support Us in particular with the secure storage, processing and transmission of data, as well as with ensuring stability, performance and protection against unauthorised access. These technical service providers act exclusively on our instructions and are bound by corresponding contracts to comply with data protection regulations in accordance with Art. 28 UK GDPR. This includes services such as payments and billing, document and contract management and consulting.
- Regulatory, legal and judicial enquiries
In addition, data may be disclosed in individual cases in connection with official requests, our regulatory obligations, court orders and legal proceedings if We believe in good faith that We are legally obliged to do so.
We may also disclose data if We believe in good faith that it is necessary to detect, prevent and prosecute fraud, unauthorised use of our product, and other harmful or illegal activities. In this case, the legal basis is our legitimate interest in investigating these matters.
J. TRANSFER TO THIRD COUNTRIES
We may use services whose providers are located in so-called third countries (outside the UK) or transfer personal data to such countries, i.e. countries whose level of data protection does not correspond to that of the UK. In such cases, We implement appropriate measures to protect your data during transmission, as explained below.
We will base our exchange of data with countries within the EU on the ongoing adequacy decision by the European Commission (Art. 45 UK GDPR) regarding the UK.
We will take appropriate measures to ensure an adequate level of data protection for any data transfers.
K. OBLIGATION TO PROVIDE DATA
There is generally no obligation to provide your data. In this section, you will learn in which cases you would need to provide your data in order to make full use of our services.
If the provision of your data is necessary for the conclusion of a contract (e.g. to register an account or use services), to fulfil legal obligations (e.g. for registration forms), to establish contact or to use other services and functions (e.g. to subscribe to a newsletter), then without this data a contract cannot be concluded, the specific service cannot be provided or the function cannot be used.
Other information not marked as mandatory fields is voluntary. The entry of such data is then not necessary for the conclusion of a possible contract, for the provision of the service or for the use of the function and has no influence on the execution of the contract.
L. AUTOMATED DECISION-MAKING
When using technologies to personalise our services, automated decisions may be made about the personalised content and advertising that is displayed or sent. These decisions are then based on the usage data previously collected automatically or the data you have provided yourself, for example in form fields. We use this data to create a profile that helps Us select the appropriate content and advertising.