Personal Data Privacy Policy for Customers

Attachment to Order 1/2566

Personal Data Privacy Policy for Customers, Prospects, and Website Users

insurverse Public Company Limited

————————————————

insurverse Public Company Limited (the “Company”) is aware of the importance of privacy and its responsibilities relating to the collection, use, and disclosure of (“processing” or “to process”) your personal data.  The Company, therefore, issues this Personal Data Privacy Policy (the “Policy”) to describe the details of the processing of your personal data, as well as details of the retention period of personal data, the disclosure of personal data, the rights of data subjects with respect to their personal data, and the contact channels of the Company as prescribed in the Personal Data Protection Act B.E. 2562 (2019) (the “Personal Data Protection Act”) as follows.

1.  Scope of Application

    This Policy applies to the customers, prospects, and website users.

2.  Definitions

“personal data” means any information that can be used to identify a natural person,  directly or indirectly, but shall not include, in particular, any information about deceased persons.

“sensitive personal data” means the personal data as specified in Section 26
of the Personal Data Protection Act, and other applicable laws and regulations, as well as personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, trade union information, genetic data, biometric data, or any other data that may affect the data subject in the same manner, as prescribed and notified by the Personal Data Protection Committee.

“Personal Data Protection Act” means the Personal Data Protection Act B.E. 2562 (2019), including any notifications, rules, regulations, or secondary legislation issued by virtue of the Personal Data Protection Act, and any amendments thereto from time to time.  

“Committee” means the Personal Data Protection Committee.

3.  What type of personal data is collected?

The type of personal data that the Company collects varies, depending on the scope of products and/or services relating to the insurance of the Company, and this consists of personal data and sensitive personal data.

The personal data that the Company processes may consist of the following:

3.1 General personal data:

(1)  Data of personal nature that is generally related to you; for example, names, surnames, titles, identification numbers, date of birth, age, occupation, gender, marital status, photographs, telephone numbers, registered address, mailing address, passport number, email address, and other  contact information;

(2)  Data that is related to your work; for example, position, office address, work experience, and this may include the name and address of your employers;

(3) Financial data, for example; income, sources of income, bank account numbers, credit card numbers, bank account names, credit card issue date, credit card expiry date, etc.;

(4) Details of the insurance products and/or insurance-related services, for example; product information, insurance application forms and/or the services or products of the Company or other insurers that you purchased or in which you were interested , for example; the insurance types and coverages, policy information and numbers, sums insured, any change or transactions in consequence of or relating to policies, methods or payment of insurance premiums, records of payments of insurance premiums or records of loans, beneficiaries, claims, as well as any exercise of rights under policies or other products or services of the Company or other insurers;

(5)         Data that is related to your status, i.e., the status concerning anti-money laundering and counter-terrorism financing, the status regarding bankruptcy, the status in relation to the US Foreign Account Tax Compliance Act (FACTA);

(6)  Data related to the use of electronic platforms or the use of the Internet, for example; technical data and personal activities, your preference when using our website and applications, and this may include the use of online social network platforms of other service providers, for example; specific names of clients used on online social network platforms,  IP addresses, types and versions of browsers, time zone setting, types of plug-in browsers, operating systems and platforms, user profiles, information of equipment, including information on mobile equipment, wireless networks information and general network information, data collected from cookies (For more details, please refer to “Use of Cookies”);

Any audio or video recording, recording by electronic means of correspondence records and communications between you and the Company, this may include various accessible formats or methods, for example: telephone, emails, conversations, and communications via social media are the personal data that the Company is required to collect and process for consideration and underwriting, entering into contracts of insurance, performance of contracts of insurance and related services, consideration for payment of claims, as well as arrangements for related reinsurance so as to provide coverage for your contract of insurance or to comply with the law.  If you do not give your consent or do not give your personal data, the Company will be unable to enter into or perform such contracts or to take any act as required by law.

3.2 Sensitive personal data  

The Company collects sensitive personal data to the extent it is necessary and shall advise the data subjects of details only after it has requested and obtained express consent from the data subjects, unless it is otherwise exclusively provided by law:  

1. Record of lawsuits: For example; criminal records, records of lawsuits, whether civil or other cases, including relevant police reports and court orders;
2. Health data: For example; medical records, consultation records, medical examination records, medical investigation records, nursing records,  prescription records, treatment records, details of medical services received, medical reports, autopsy reports, and details of medical expenses, and also questions relating to health and any data presented in documents, reports, books, diagrams, maps, drawings, photographs, films, audio or video recordings, recordings by electronic equipment or other equipment which can display the recorded data relating to personal health data that can be identified to a person, as well as other data as prescribed and notified by the competent authority for the protection and management of personal health data.

(3)  Religious data: In the case that you wish to purchase specific insurance products in order to comply with the religious principles of the insured or underwriting principles.

The personal data stated above in each case is necessary for the entering into contracts with the Company and the performance of contracts by the Company.  If you do not provide the Company with this personal data, the Company will not be able to consider your personal data and enter into contracts with you.  In the case that such data is necessary for complying with the law and you do not provide the Company with your personal data, the Company will not be able to take any act in relation to those matters or comply with the provisions of law.    

Your sensitive personal data that the Company processes is the personal data that the Company is required to collect and process for the consideration and underwriting, entering into contracts of insurance, performance of contracts of insurance and related services, consideration for payment of claims, as well as arrangements for related reinsurance so as to provide coverage for your contracts of insurance or to comply with the law.  If you do not give your consent or do not give your personal data, the Company will be unable to enter into or perform such contracts or to take any act as required by law.

4.  How is personal data collected?

  We collect your personal data in the following cases:

1. When you express your intention to buy products, apply for insurance, agree to be insured, jointly receive benefits or coverage of other products and services of the Company, or when you access or use our website, applications, or banners, or other on-line services on mobile equipment, computers, tablets, or via telephone (call center) or any other services of the Company (collectively "our products and services");

(2)        When you send an insurance application forms or express your intention in any way or by any method to ask for information, purchase or use, or whenever you give information when considering purchasing or using our products or services. This may be through the Company’s agents or representatives, permitted brokers and banks, and business partners of the Company;

(3)        When you communicate with us through different communication channels, for example; in writing, verbally, or electronically, SMSs, or any other methods of communications or transmitting information that is made possible, regardless of whether you or the Company first made contact;

(4)        When you make a request to the Company to change or improve our products and services or any other requests relating to our products and services, and also include the sending of forms or documents relating to your applying for our products and services;

(5)        When you contact our staff members, customer service officers, employees or representatives, permitted brokers and banks, and business partners or other relevant persons or agencies of the Company (collectively the “staff members and suppliers of the Company”) using any method, for example: our website, applications, on-line social media, telephone, call center, email, face-to-face communication, interview, SMSs, facsimile, post or any other method where communication is made possible;

(6)        When we are introduced to you or when we receive personal data from staff members and suppliers of the Company;

(7)        When you send personal data to us for participating in marketing activities, contests, prize draws, events, or competitions, that are organized by the Company or on our behalf or by our staff members or suppliers.  These activities may be organized in many different channels where communication is made possible in all cases;

(8)        When we receive from third parties your personal data, including without limitation, from public sources, private sources, commercial sources, websites, on-line social media sources, data providers, medical data sources, public health establishments, hospitals, physicians, other public health professionals, other insurance business operators, business associations or federations relating to the products or services that you have purchased or used, insurance application forms for our products and services, risk insurance for the products that you have purchased, lodging complaints relating to our products or services that you have purchased or used (the “third-party data sources”);

(9)        When we receive your personal data for the purposes of complying with the law and for the purposes of other supervision and other lawful purposes, for example: the Company may receive your personal data from the Office of the Insurance Commission (OIC.) or other regulatory authorities;

(10) When you visit our website, access our applications, or other on-line media.

Important Notice:  When you disclose any personal data concerning third parties to us (the term “third parties” shall include but is not limited to the insured, family members, persons who make payments under insurance policies, employers, or beneficiaries), the Company regards that this data is accurate and the acquisition of this data is in compliance with the Personal Data Protection Act and other applicable laws.  You represent and warrant that those persons have given their express consent and have agreed to it being given to the Company and that you have informed them in full of the purpose for the disclosure to the Company and the details of this Policy.

5.  Purposes of the Processing of Personal Data

Your personal data will be collected, used, and disclosed for the following purposes:

Personal Data Processing Basis	Personal Data Processing Activities
It is necessary to comply with the request of the data subject before entering into a contract or performing a contract.	Offering, selling, providing, managing, taking any act, and complying with procedures, and administering our products and/or services to you. Complying with procedures, administrating, completing our products or provision of services and introducing appropriate products and services to you, complying with procedures for insurance application forms for products, administering  the products that you purchase, collecting insurance premiums and outstanding amounts from you, investigating, analyzing, processing the surrender of insurance policies and making payments of claims /policy benefits under your insurance policies, and renewing, updating and revising, cancelling your insurance policies, as well as exercising any rights under your insurance policies, including the right of subrogation and the right so subrogated (if applicable). Administering the insurance of the Company, i.e., our insurance product designs, and/or new services, or adding or enhancing our current products and/or services, and any act of reinsurance for our products and/or services to you. Providing services on electronic communication channels, for example: so that you may access contents on our website, applications, or online social media platforms, or any exclusive  services whereby we may process your use of the website, applications, or online social media platforms for the following purposes: analyzing your behaviors in using the website, applications, or online social media platforms and understand your preferences; arranging for the website, applications, and online social media platforms to respond to your particular needs; evaluating, operating, and improving the website, applications, and online social media platforms or our products and/or services; solving problems, introducing related products and/or services; posting advertisements on the website, applications, and other channels according to the target groups. Providing services on the website or applications of the Company.
It is necessary for the legitimate interests of the Company or the related parties.	Communicating with you, including disseminating information on administration and other information on any products or accounts you may have with us, providing technical support on our website and applications or advising any amendment to this Personal Data Privacy Policy in the future. Promoting sales and giving information on products and services that are suitable for you as customers of the Company, this may include giving advice and information on various matters, including insurance-related matters and sales promotion activities for our products and services, for example: customer loyalty programs that give rewards, benefits, or privileges, charitable activities/not-for-profit activities, and marketing activities, events and other activities that the Company feels may be to your benefit. Analyzing for statistical purposes, e.g., market research, advanced data analysis, and statistical or actuary research, reporting or evaluating the financial results of the Company, its group of companies, staff members and suppliers or the relevant regulatory authorities. Anti-corruption, e.g., investigation or prevention of fraud, concealment of facts, and other wrongful acts, whether actual or threatening, in particular in communicating with other companies in the financial service and insurance sectors, as well as communicating with the relevant regulatory authorities. Restructuring the Company to restructure the organization and to enter into transactions of the Company, as well as buying or selling any part of the business of the Company (if applicable). Auditing the business of the Company, either internal audit or external audit. Operating and managing the business of the Company.   Complying with the Company’s internal policies on its business operations. Management of information, e.g., for the purpose of managing, storing, recording, backing up, or destroying personal data. Developing products and services, and reviewing and enhancing the qualities and training in the recording of communications. The Company will record images of people entering the Company’s premises for security reasons. The Company collects personal data via our website or applications to allow you to access the information and use our website efficiently, as well as to facilitate information exchange and communication between your web browser and server. The Company collects your personal data via our website or applications in order to: Evaluate the performance of our website and applications by analyzing the traffic and the number and characteristics of particular user groups.  This information will be used to analyze user behavior so that the Company will understand web browsing behaviors and improve the website performance to be more efficient and appropriate. Remember the options that you have selected or the preferences that you have set when using our website.  In order to ease your use of our website, the information that has been recorded will be used again when you revisit our website and the options or preferences will be shown so that you are not required to choose or set any option or preference again, for example: your preferred language, information for log-in or information that has been completed in product forms.
It is necessary to comply with the law.	To comply with the provisions of the applicable laws, rules, regulations, agreements, or policies of the official regulatory authorities, law enforcement agencies, government agencies, dispute resolution agencies or the insurance regulatory authority. For the purpose of law enforcement or assistance or cooperation in any investigation, carried out by us or on our behalf, by the police or other government agencies or regulatory authorities in the country, and performing duties in reporting and complying with the provisions of the laws or as agreed with other government agencies or regulatory authorities in other countries or administrative areas or taking any act with the lawful order of the competent officer or government agencies. To take any act in accordance with the Personal Data Protection Act, including any investigation in complying with the rights of data subjects. To comply with any order of the court or any other judiciary organizations.
It is necessary to create and take any act in relation to the rights of claim of the Company.	The Company may be required to process your personal data to create, comply, dispute, defend or take any act on its rights of claim.
Consent (for personal data)	In the case that you are a prospect: The Company may process your personal data for  sales promotions, as well as giving appropriate product and service information, this may include giving advice and information on various matters, including insurance-related matters, and sales promotion activities for our products and services, for example: customer loyalty programs that give rewards, benefits, or privileges, charitable activities/not-for-profit activities, and marketing activities, events and other activities in which you choose to participate. In this case, the Company will only be able to do so after you have given your consent, and you have the right to withdraw your consent on the processing of your personal data for sales promotion activities at all times by contacting us at the contact channels provided in this Policy, or click on the “unsubscribe” or “opt-out” button on various communications, for example: SMSs or emails that you receive. Collection of personal data on the website: The Company collects your personal data via our website or applications, and other on-line social media networks, for example: Facebook if you access our website via those networks.  For advertising purposes, the Company may use cookies and information from the use of cookies to analyze your interest or requirement for insurance products and offer you the appropriate products, services, and promotion.
Consent (for sensitive personal data)	Processing personal data on health for offering, selling, providing, managing, taking any act, complying with procedures, and administering our products and/or services to you, e.g., underwriting, reinsurance, payments of claims, and any other act according to the types of insurance policies you have purchased. Processing criminal record data for preventing fraud, e.g. investigation or prevention of any fraudulent act, concealment of facts, and other wrongful acts, including disclosure of sensitive personal data to government agencies, law courts, other judiciary organizations, and business associations.  In this regard, the Company shall disclose such personal data only to the extent necessary.

In addition, the Company may process your personal data to take any other necessary acts in relation to the purposes stated above.

Unless otherwise permissible by the applicable laws and regulations, as well as the Personal Data Protection Act, if we wish to use your personal data for any purpose other than as specified in this Personal Data Privacy Policy or other than the purpose that are directly related to this Personal Data Privacy Policy, we will inform you and ask for your consent.  

6.  Who will receive your personal data?

The Company keeps your personal data confidential.  But if it is permissible under the applicable law or such disclosure is necessary to achieve the processing of personal data of the Company, the Company may disclose personal data to the following persons:

(1)  Any person who is allowed to act as a staff member or supplier of the Company, to invite, persuade, direct, arrange, offer for sale, sell, distribute or provide services for our products and services or the products and services of the companies in the group to you, and deliver the products and services that have been offered/sold to you, for example: reinsurers, investment management companies, credit rating agencies, companies that provide investigation services or other suppliers;

(2) Policy holders, in the case of group insurance products;

(3)  Any person who has been employed or has been contracted to work for the staff members and suppliers of the Company, to invite, persuade, direct, arrange, offer for sale, sell, distribute or provide our products and services of the products and services of the companies in the group to you;

(4)  Any of our staff members and suppliers who provide services on managing various matters, provide data processing services, provide  services on the making of payments, debt collection or settlement of securities accounts, telecommunications services, technological services, cloud services, outsourcing services, call center service, storage services, documentation service, data recording service, document scanning service, mailing services, printing service, parcel delivery services or pick-up and delivery service by messenger, data analysis, marketing service, research, emergency service, legal service, or other services related to the operation of the Company or provision of the management, operations, or compliance with steps or administration in relation to our products or services to you;

(5)  Other insurance business operators, including associations in the insurance business sector;

(6)  Third-party sources of data (as detailed above);

(7)  Law enforcement agencies, committees established under the law, government agencies or regulatory authorities, dispute resolution agencies, or any other persons in the countries to which the Company or companies in the group disclose data:

(a)         in accordance with its duty under the law and/or its duty to comply with the regulations in Thailand, which may include government agencies in the countries in which its group companies are located;or  

(b)         in accordance with the agreement or policies among the companies in the group and the government, regulatory authorities, or other relevant persons;

(8)         Any companies in our group;

(9)         Professional advisors of the Company, for example: lawyers, physicians, auditors, or advisors;  

(10) Any persons or agencies to whom you have given your consent to disclose your personal data;

(11) Any person who enters or will enter into transactions with the Company and your personal data may be a part of any purchase or sale or a part of any offer to purchase or offer to sell of the business of the Company (if applicable);

(12) Any other persons or agencies permitted under the applicable law.

7. Use of Cookies

7.1 What are cookies?

Cookies are small text files of information, created from downloading that may be stored in your web browsers or other equipment connected to the Internet, these record data and set preferences for example, internet domain names and IP addresses from the point that you access websites, the date and time of accessing websites, addresses of other websites that link you to our website, the webpages that you use, as well as the contents on the webpages that you visit, and the times of your visits.

7.2 Categories of use

The categories of cookies used by the Company and details are as follows:

(1)        Necessary cookies: The Company uses this category of cookies to allow you to access information and to use our website efficiently, and to assist in the exchange of information and communication between your web browser and server.

(2)        Analytical and performance cookies:  The Company uses this category of cookies to evaluate the performance by analyzing the website traffic and the number and characteristics of particular user groups.  The information will be used in analyzing the pattern of user behaviors so that the Company will understand web browsing behaviors and will improve the website performance to be more efficient and appropriate.

(3)        Functionality cookies: The Company uses this category of cookies to remember the options that you have selected or the preferences that you have set when using our website.  In order to facilitate your use of our website, the information that has been recorded will be used again when you revisit our website and the options or preferences will be reflected so you are not required to choose or set any option or preference again, for example: your preferred language, information for log-in, or information that has been filled in product forms.  

(4)        Advertising cookies: The Company may use cookies and information from cookies to analyze your interests or needs in insurance products and thus  offer you appropriate products, services, and promotions.

(5)        Other cookies:  The Company uses other cookies from third parties who cooperate with the Company to enable them to analyze data, for example: website traffic, website user behavior, types of browsers and electronic devices, pixel file data or other data relating to your behavior (for example, your location).  Cookies collect and process data of visitors to our website, their behavior, usage preferences, and interest in products.  This category of cookies allows advertisements and marketing offers to be displayed and data relating to your interest in promotions to be analyzed.    

In the case that cookies are used for various purposes which require consent as explained in this clause, for example: for offering products or services, the Company will use such cookies only after it has been given your consent.  In this case, you can withdraw or cancel your consent for such purposes at all times.  

Most web browsers are automatically set to accept cookies to ensure that the use of the website is facilitated, and that the contents are properly displayed.  Cookies may be managed by adjusting values at web browsers at all times.  However, setting certain cookie values may prevent our website from properly functioning and certain operating systems may not function in whole or in part, for example: information for log-in is displayed or information is readily available in product forms.  

8.  Links to other websites

In the case that your use of our website directs you to a link to another website, the Company has no obligation of responsibility to you for any use of other websites.  If you use other websites, you are advised to review and familiarize the conditions and terms of use of those websites, in particular, the details relating to personal data protection.

9.  Cross-border personal data transfer

Your personal data may be transferred, retained, or processed by the Company or may be transmitted to any person or agency as stated above, who may have their establishments in Thailand or abroad, provided that your personal data shall be transferred to other establishments in accordance with the personal data protection provision in the Personal Data Protection Act.  In the case of transfer of your personal data within our group of companies, we shall comply with our corporate personal data privacy policies (Binding Corporate Rules) which have been approved by the Committee (if applicable).

10.  Retention of personal data

We shall retain your personal data to the extent it is necessary to achieve the purpose of its process, but it shall be no longer than a period of 10 years from the end of your relationship or the last  contact with the Company.  The Company may retain your personal data for a longer period as specified if it is permissible by law or if it is a duty of the Company.

The Company will take reasonable steps to erase or destroy or anonymize your personal data so that it is no longer identifiable for the retention period of personal data above.

11.  Your rights relating to your personal data and channels for exercising the rights

You have rights in respect of your personal data under the Personal Data Protection Act as follows:

(1)  Right to access: You have the right to check whether or not the Company has any data relating to you, and the right to access or obtain a copy of your personal data that is under the responsibility of the Company, and to request the disclosure of the source of your personal data in the case that the personal data has been collected from other sources.

(2) Right to rectification: You have the right to request the Company to rectify any personal data pertaining to you.

(3) Right to erase or destroy: You have the right to request the Company to have your personal data erased, destroyed or anonymized so that it can no longer be identifiable.  The procedures for erasure, destruction, or anonymizing personal data so that it can no longer be identifiable shall be specified by the Company and will be in compliance with the law.

(4) Right to object to processing: You have the right to object to the Company’s processing your personal data in the case that the Company’s processing of your personal data was without your consent, or in the case of direct marketing.

(5) Right to restrict processing: You have the right to restrict the processing of personal data pending the Company’s consideration of any act according to your right, or if you wish to restrict the processing of personal data instead of erasing or destroying it.

(6) Right to data portability: You have the right to request the Company to transfer your personal data, in a format that is readable or commonly used by way of automatic equipment, to other controllers, and to receive such data (in the case that the Company has made the personal data available in such format).

(7) Right to file complaints: You have the right to file complaints to the Office of the Personal Data Protection Committee with respect to the processing of personal data by the Company in following the procedures in accordance with the law.

The Company reserves the right to decline any request to exercise the right by data subjects as it deems appropriate and in accordance with the law.

In the case that it is permissible under the law, you may be subject to payment of reasonable expenses incurred in connection with the Company’s taking any act on your request to exercise of a data subject, provided that the Company shall inform you prior to undertaking any act which incurs expenses.  

12.  Amendment to this Policy

The Company reserves the right to make any amendment, addition, change, improvement, or adjustment to the Policy, to the extent permissible under the law.  In the case of any material change to this Policy, the Company shall inform you of any such amendment, addition , change, improvement, or adjustment and/or may obtain your consent (if such consent is required by law).  Please refer to the effective date of this Policy or the latest revision date of this Policy.

13.  Contact Channels

If you have any question relating to any part of this Personal Data Privacy Policy or require additional information relating to the Company’s guidelines in protecting your personal data, or if you would like to exercise the right as data subject, please contact us at:

Details of the Company

Name:                        insurverse Public Company Limited

Address:                    1115, Rama 3 Road, Chong Nonsi, Yannawa, Bangkok 10120.

Telephone No.:         02-118-4750

Details of the Data Protection Officer (DPO)

Data Protection Officer of insurverse Public Company Limited

Address:                       1115, Rama 3 Road, Chong Nonsi, Yannawa, Bangkok 10120.

Contact Channel:        [email protected]