1. Introduction & Scope
PHINS Insurance Company and its subsidiaries and affiliates (collectively, "PHINS," "we," "us," or "our") are committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard information when you interact with our platform, products, and services, including our insurance, investment, health services, and AI-powered tools.
This Policy applies to all users worldwide, including customers, applicants, suppliers, beneficiaries, agents, brokers, and visitors to our website, portals, mobile applications, and application programming interfaces (APIs). It covers all services provided through the PHINS platform, including:
- Insurance underwriting, quotation, policy administration, and claims processing
- Investment advisory, portfolio management, and capital markets services
- Health and wellness services, telemedicine, and medical data processing
- AI-powered risk assessment, fraud detection, and automated decision-making
- Community foundation management and charitable programs
- Supplier marketplace and partner ecosystem services
Our Commitment: PHINS operates as a global platform serving clients across multiple jurisdictions. We comply with all applicable data protection and privacy laws, including but not limited to the EU General Data Protection Regulation (GDPR), the EU AI Act, the U.S. Health Insurance Portability and Accountability Act (HIPAA), the California Consumer Privacy Act (CCPA/CPRA), Brazil's Lei Geral de Proteção de Dados (LGPD), South Africa's Protection of Personal Information Act (POPIA), Canada's PIPEDA, India's Digital Personal Data Protection Act (DPDPA), the UK Data Protection Act 2018, and other regional regulations.
2. Key Definitions
| Term | Definition |
| --- | --- |
| Personal Data | Any information relating to an identified or identifiable natural person, including name, identification numbers, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. |
| Protected Health Information (PHI) | Individually identifiable health information transmitted or maintained in any form, as defined under HIPAA and applicable health data laws. |
| Sensitive Personal Data | Data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, sex life, sexual orientation, or criminal records. |
| Processing | Any operation performed on personal data, whether automated or manual, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction. |
| AI System | A machine-based system designed to operate with varying levels of autonomy that generates outputs such as predictions, recommendations, decisions, or content that can influence environments. |
| Automated Decision-Making | A decision made solely by automated means, including profiling, without meaningful human involvement. |
| Data Controller / Operator | PHINS, as the entity that determines the purposes and means of processing personal data. |
| Data Processor / Sub-processor | An entity that processes personal data on behalf of PHINS pursuant to written instructions. |
3. Information We Collect
3.1 Information You Provide Directly
- Identity Data: Full name, date of birth, gender, nationality, government-issued identification numbers (passport, national ID, social security number, tax identification number)
- Contact Data: Email address, postal address, telephone number, emergency contact details
- Financial Data: Bank account details, payment card information, income and employment details, credit history, investment preferences, net worth declarations
- Insurance Data: Prior coverage history, claims history, property details, vehicle information, travel plans, beneficiary designations
- Health Data: Medical history, current health conditions, prescription medications, physician information, diagnostic results, treatment records, disability status, lifestyle factors (smoking, alcohol consumption, exercise habits)
- Employment Data: Employer name, occupation, professional certifications, business registration details (for suppliers)
- Account Data: Username, password (stored in hashed form), security questions, two-factor authentication preferences
- Communication Data: Correspondence, support tickets, feedback, survey responses, claims narratives
3.2 Information Collected Automatically
- Device Data: IP address, browser type and version, operating system, device identifiers, screen resolution
- Usage Data: Pages visited, features used, time spent on pages, click patterns, navigation paths, search queries within the platform
- Session Data: Login timestamps, session duration, authentication events, security events
- Location Data: Approximate geographic location derived from IP address (we do not collect precise GPS location without explicit consent)
3.3 Information from Third Parties
- Identity Verification Services: Identity confirmation, watchlist screening, politically exposed persons (PEP) status
- Credit Bureaus: Credit scores, credit reports (with your consent where required)
- Medical Providers: Medical examination reports, attending physician statements (with your authorization)
- Insurance Databases: Prior claims history, loss records, motor vehicle records
- Public Records: Court records, property registrations, corporate filings
- Reinsurance Partners: Risk assessment data shared under treaty or facultative arrangements
4. AI & Automated Decision-Making
EU AI Act Classification: Certain PHINS AI systems used in insurance underwriting, health risk assessment, and investment suitability analysis are classified as high-risk AI systems under the EU AI Act (Regulation (EU) 2024/1689). We maintain full compliance with applicable high-risk requirements, including risk management, data governance, transparency, human oversight, and technical documentation.
4.1 How We Use AI
PHINS deploys AI and machine-learning technologies across several areas of our operations:
- Underwriting & Risk Assessment: AI models analyze application data to assess risk profiles, calculate premiums, and support underwriting decisions. These models are trained on historical actuarial data and are subject to regular bias auditing and validation.
- Claims Processing: AI assists in claims triage, damage estimation, fraud pattern detection, and settlement recommendations. Human claims adjusters review AI recommendations before final determinations.
- Investment Suitability: AI-driven tools assess your risk tolerance, financial goals, and market conditions to provide personalized investment recommendations.
- Health Risk Scoring: With your explicit consent, AI models process health-related data to provide wellness scores, risk stratification, and preventive care recommendations.
- Fraud Detection: AI systems monitor transactions and claim patterns to identify potentially fraudulent activity, protecting both PHINS and its customers.
- Customer Service: AI chatbots and virtual assistants handle routine inquiries, route complex requests to human agents, and provide 24/7 support.
4.2 Human Oversight
We are committed to maintaining meaningful human oversight over AI-assisted decisions that significantly affect your rights or interests:
- No insurance application is denied solely by an AI system; every denial receives human review.
- Claims above established thresholds require human adjuster approval regardless of AI recommendation.
- Investment recommendations generated by AI are reviewed by licensed financial advisors before execution of trades above defined limits.
- Health-related AI outputs are presented as decision-support tools and do not replace professional medical judgment.
4.3 Your Rights Regarding AI Decisions
You have the right to:
- Be informed when an AI system has been used in making a decision that affects you
- Obtain an explanation of the logic, significance, and envisaged consequences of any automated decision
- Request human review of any decision made or substantially supported by an AI system
- Contest an AI-assisted decision and express your point of view
- Opt out of solely automated decision-making where legally required
4.4 AI Model Governance
PHINS maintains a comprehensive AI governance framework, including:
- Documented risk assessments for all AI systems before deployment
- Regular bias and fairness audits to prevent discriminatory outcomes across protected characteristics
- Model performance monitoring with defined accuracy, precision, and recall thresholds
- Data quality controls ensuring training and input data accuracy, completeness, and representativeness
- Incident reporting procedures for AI-related errors or adverse outcomes
- Technical documentation and logging of AI system outputs as required under the EU AI Act
5. How We Use Your Information
We process your personal data for the following purposes:
5.1 Service Delivery
- Provide and administer insurance policies, including underwriting, premium calculation, policy issuance, renewals, endorsements, and cancellations
- Process and adjudicate insurance claims
- Provide investment advisory and portfolio management services
- Deliver health and wellness services, including telemedicine referrals and preventive care programs
- Manage your account, authenticate your identity, and maintain session security
- Process payments, billing, and financial transactions
5.2 Legal and Regulatory Compliance
- Comply with applicable insurance, financial services, and health care regulations
- Fulfill anti-money laundering (AML), know-your-customer (KYC), and sanctions screening obligations
- Report to regulatory authorities and respond to lawful requests from law enforcement or courts
- Maintain records as required by statutory retention periods
5.3 Legitimate Business Interests
- Detect and prevent fraud, financial crime, and misrepresentation
- Improve our products, services, and platform functionality
- Conduct actuarial analysis, risk modeling, and statistical research (using anonymized or aggregated data where possible)
- Train and validate AI models (using de-identified or synthetic data where feasible)
- Ensure information security and protect the integrity of our systems
- Administer supplier relationships and marketplace operations
5.4 With Your Consent
- Send marketing communications about products or services that may interest you
- Process sensitive health data for wellness scoring and preventive care recommendations
- Share your data with third-party partners for ancillary services you request
- Conduct satisfaction surveys and research studies
6. Legal Bases for Processing
| Legal Basis | Examples |
| --- | --- |
| Contract Performance | Underwriting and issuing policies, processing claims, managing investments, payment processing |
| Legal Obligation | AML/KYC checks, regulatory reporting, tax reporting, HIPAA compliance, insurance solvency requirements |
| Legitimate Interest | Fraud detection, platform security, service improvement, actuarial analysis, AI model validation |
| Consent | Marketing communications, health data processing for wellness services, optional analytics, sharing with third-party partners |
| Vital Interests | Emergency medical situations, imminent threat to life |
| Public Interest / Substantial Public Interest | Insurance claim processing involving special category data where permitted by national law |
7. Sharing & Disclosure
We may share your personal data with the following categories of recipients, subject to appropriate safeguards:
- Reinsurers and Co-insurers: To manage risk, underwrite policies, and settle claims under reinsurance or co-insurance arrangements
- Regulators and Government Authorities: When required by law, regulation, or lawful government request
- Service Providers: Including cloud hosting providers, payment processors, identity verification services, communication platforms, and professional advisors, all bound by data processing agreements
- Healthcare Providers: When necessary for claims adjudication or with your authorization for health services
- Financial Institutions: Banks, custodians, and clearing houses as needed for investment and payment operations
- Marketplace Suppliers: When you engage with supplier services through our marketplace platform, limited to the data necessary for service delivery
- Legal and Professional Advisors: Lawyers, auditors, and consultants under professional privilege and confidentiality obligations
- Law Enforcement: When required by valid legal process (warrant, subpoena, court order), and when necessary to protect the rights, safety, or property of PHINS, our users, or the public
- Corporate Transactions: In connection with a merger, acquisition, reorganization, or sale of assets, with prior notice to affected users where required
We do not sell your personal data. We do not share your data for third-party advertising purposes without your explicit consent.
8. International Data Transfers
As a global platform, PHINS may transfer your personal data across international borders. When we do so, we ensure adequate protection through:
- Adequacy Decisions: Transferring data to countries recognized by the European Commission, UK, or other relevant authorities as providing adequate data protection
- Standard Contractual Clauses (SCCs): Using EU-approved or locally required standard contractual clauses with our international processors and partners
- Binding Corporate Rules: Intra-group transfers governed by binding corporate rules approved by supervisory authorities
- Supplementary Measures: Implementing technical measures such as encryption in transit and at rest, pseudonymization, and access controls to supplement contractual safeguards
- Data Localization: Where required by local law (e.g., Russia, China, certain Middle Eastern and African jurisdictions), we store and process data locally
You may obtain a copy of the safeguards we use for international transfers by contacting our Data Protection Officer.
9. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. General retention periods include:
| Data Category | Retention Period | Basis |
| --- | --- | --- |
| Active policy data | Life of the policy + 7 years | Contractual obligation, regulatory requirements |
| Claims records | 10 years after final settlement | Statute of limitations, regulatory requirements |
| Health/medical data | As required by applicable health records laws (typically 6–10 years) | HIPAA, national health data laws |
| Investment records | 7 years after account closure | Financial services regulations |
| AML/KYC records | 5–7 years after relationship ends | Anti-money laundering regulations |
| Marketing consent records | Duration of consent + 3 years | Accountability and audit |
| Session/audit logs | 2 years | Security and compliance |
| AI model training data | De-identified upon model validation or 5 years, whichever is shorter | Model governance policy |
Upon expiration of the retention period, data is securely deleted or irreversibly anonymized. Anonymized and aggregated data used for actuarial and statistical purposes may be retained indefinitely as it no longer constitutes personal data.
10. Your Rights
Depending on your jurisdiction, you may exercise the following rights with respect to your personal data:
- Right of Access: Request a copy of the personal data we hold about you and information about how it is processed.
- Right to Rectification: Request correction of inaccurate or incomplete personal data.
- Right to Erasure ("Right to Be Forgotten"): Request deletion of your personal data, subject to our legal retention obligations.
- Right to Restriction: Request that we restrict processing of your data in certain circumstances.
- Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
- Right to Object: Object to processing based on legitimate interests, including profiling and direct marketing.
- Right to Withdraw Consent: Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Right Not to Be Subject to Automated Decisions: Not be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects, except where authorized by law or based on explicit consent.
- Right to Non-Discrimination: Not be discriminated against for exercising your privacy rights (CCPA/CPRA).
- Right to Appeal: Appeal a decision regarding your data rights request.
To exercise any of these rights, please contact our Data Protection Officer using the details in Section 19. We will respond within the timeframes required by applicable law (typically 30 days for GDPR, 45 days for CCPA/CPRA).
11. Health & Medical Data (HIPAA)
Where PHINS acts as a covered entity or business associate under HIPAA, the following additional protections apply to Protected Health Information (PHI):
- PHI is processed under the minimum necessary standard — only the information required for the stated purpose is accessed or disclosed.
- Business Associate Agreements (BAAs) are in place with all vendors and sub-processors that handle PHI.
- AI systems processing PHI operate within HIPAA-compliant infrastructure with encryption at rest (AES-256) and in transit (TLS 1.2+).
- You have the right to request an accounting of disclosures of your PHI made by PHINS in the preceding six years.
- You may request restrictions on how your PHI is used or disclosed for treatment, payment, and health care operations.
- Breach notification will be provided within 60 days of discovery for any unauthorized acquisition, access, use, or disclosure of unsecured PHI, in accordance with the HIPAA Breach Notification Rule.
Where there is a conflict between this Privacy Policy and the PHINS Notice of Privacy Practices required under HIPAA, the Notice of Privacy Practices shall control with respect to PHI.
12. Financial & Investment Data
PHINS processes financial and investment data in accordance with applicable financial services regulations, including:
- Payment Card Industry Data Security Standard (PCI DSS) for payment card transactions
- Securities regulations governing investment advisory and portfolio management activities
- Anti-money laundering (AML) and counter-terrorism financing (CTF) requirements
- Solvency and capital adequacy reporting obligations
Financial data is encrypted both in transit and at rest, and access is restricted to authorized personnel on a need-to-know basis. We do not store complete payment card numbers on our platform; card processing is handled by PCI DSS-certified payment processors.
13. Cookies & Tracking Technologies
PHINS uses the following categories of cookies and similar technologies:
| Category | Purpose | Duration |
| --- | --- | --- |
| Strictly Necessary | Session management, authentication, security (CSRF protection), load balancing | Session / up to 24 hours |
| Functional | Language preferences, accessibility settings, remembered login choices | Up to 12 months |
| Analytics | Platform usage patterns, performance monitoring, error tracking (anonymized) | Up to 24 months |
We do not use third-party advertising or behavioral targeting cookies. You may manage cookie preferences through your browser settings. Disabling strictly necessary cookies may impair platform functionality.
14. Children's Privacy
PHINS services are not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. Parents or guardians who become aware that a child has provided personal data to PHINS should contact us immediately. If we discover that we have collected personal data from a child without parental consent, we will delete such data promptly.
In limited circumstances, we may process a minor's data where they are a named beneficiary or dependent on an insurance policy, in which case the data is collected from and managed by the policyholder (parent or legal guardian).
15. Data Security
PHINS implements comprehensive technical and organizational security measures, including:
- Encryption: AES-256 encryption at rest, TLS 1.2+ encryption in transit
- Access Controls: Role-based access control (RBAC), multi-factor authentication for administrative access, principle of least privilege
- Network Security: Firewalls, intrusion detection and prevention systems, DDoS mitigation
- Application Security: Input validation, output encoding, CSRF protection, Content Security Policy headers, rate limiting
- Monitoring: Continuous security monitoring, audit logging, automated anomaly detection
- Physical Security: Data centers with SOC 2 Type II certification, restricted physical access, environmental controls
- Personnel: Background checks, confidentiality agreements, regular security awareness training
- Testing: Regular penetration testing, vulnerability scanning, and code security reviews
16. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, PHINS will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR) or as required by applicable law
- Notify affected individuals without undue delay when the breach is likely to result in a high risk to their rights and freedoms
- For HIPAA-covered PHI, notify affected individuals within 60 days of discovery, the U.S. Department of Health and Human Services, and, where applicable, prominent media outlets
- Document all breaches, including their effects and the remedial actions taken, in our internal breach register
17. Regional & Jurisdictional Disclosures
17.1 European Economic Area, United Kingdom & Switzerland (GDPR / UK GDPR / FADP)
If you are in the EEA, UK, or Switzerland, PHINS processes your data as described in this Policy. Our legal bases for processing are detailed in Section 6. You have the right to lodge a complaint with your local data protection supervisory authority.
17.2 United States — California (CCPA / CPRA)
California residents have additional rights under the CCPA/CPRA, including the right to know what personal information is collected, the right to delete, the right to correct, the right to opt out of "sale" or "sharing" of personal information, and the right to limit the use of sensitive personal information. PHINS does not sell personal information as defined by the CCPA/CPRA. To exercise your rights, contact us using the details in Section 19 or use our "Do Not Sell or Share My Personal Information" page where applicable.
17.3 United States — Other States
Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and other states with comprehensive privacy laws have similar rights. We honor all applicable state privacy laws.
17.4 Brazil (LGPD)
Brazilian data subjects have rights under the LGPD, including access, correction, anonymization, portability, deletion, information about sharing, and the right to revoke consent. Our Data Protection Officer serves as the LGPD-required "encarregado."
17.5 South Africa (POPIA)
South African data subjects have the right to be notified of data collection, to access and correct personal information, and to object to processing. Complaints may be directed to the Information Regulator.
17.6 Canada (PIPEDA)
Canadian users have rights under PIPEDA, including the right to access personal information, challenge its accuracy, and withdraw consent (subject to legal or contractual restrictions). Complaints may be directed to the Office of the Privacy Commissioner of Canada.
17.7 India (DPDPA)
Indian data principals have rights under the Digital Personal Data Protection Act, including the right to access, correct, erase, and nominate. Processing of personal data is based on consent or legitimate uses as defined under the DPDPA.
17.8 Other Jurisdictions
PHINS respects and complies with applicable privacy and data protection laws in all jurisdictions where we operate. If your jurisdiction is not specifically listed above, please contact our Data Protection Officer for information about your specific rights.
18. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make material changes, we will:
- Post the updated Policy on our website with a revised "Last Updated" date
- Notify you via email or platform notification for material changes that significantly affect how we process your data
- Where required by law, obtain your renewed consent before processing your data under materially different terms
We encourage you to review this Privacy Policy periodically.
19. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact:
Data Protection Officer
PHINS Insurance Company
123 Insurance Boulevard, Financial District
New York, NY 10004, United States
Email: privacy@phins.com
Phone: 1-800-PHINS-01 (1-800-744-6701)
EU/EEA Representative
PHINS Insurance Company (EU)
Email: eu-privacy@phins.com
UK Representative
PHINS Insurance Company (UK)
Email: uk-privacy@phins.com
You also have the right to lodge a complaint with the supervisory authority in your jurisdiction if you believe your data protection rights have been violated.