Privacy and Data Protection Policy

When we refer to Personal Data or Personal Information, we generally mean any information that pertains to you or can identify you, which is protected by applicable law. Different pieces of information, when combined, can lead to the identification of a specific person, and thus constitute Personal Data.

Importantly, de-identified/anonymized information or aggregate information does not fall under the definition of Personal Data or Personal Information if the de-identification/anonymization cannot be reversed (for example, the total number of users of our website is considered aggregate information that does not disclose the identities of those users is not Personal Data if that aggregation cannot be reversed to identify individual users).

i. Prospective Insureds and Insureds

To provide insurance quotes and policies and manage other (re)insurance products and services offered by the Arch companies we need to collect and process Personal Data about you. If you do not provide the required information, we may be unable to offer you a quote or deliver other products or services. In certain cases, this could lead to cancellation of your insurance or other services, but we will notify you and provide an explanation.

The types of Personal Data may include:

Category	Types of Data collected
Individual details	Name, address, gender, marital status, date of birth, nationality, citizenship, immigration status, marketing preferences, bank account details or payment card details, vehicle details, relevant criminal convictions and offenses, penalty points, education, employer, job title and family details, including their relationship to you.
Identification details	Identification numbers issued by government bodies or agencies, including your driving license number.
Credit and anti-fraud data	Credit and anti-fraud data such as credit history, credit score, sanctions and criminal offenses and convictions, and information from various anti-fraud databases related to you.
Special categories of Personal Data and criminal convictions data	Certain categories of Personal Data may have additional protection under applicable data protection laws (e.g., EU and UK laws).  Depending on the applicable law (including those applicable in the EEA and the UK), these categories include data concerning your health and criminal offenses and convictions.
Risk details	Information about you which we need to collect in order to assess the risk being insured and provide a quote. This may include special categories of personal data such as data relating to your health, or data relating to relevant criminal offenses and convictions.

ii. Claimants

In order to address any claims, we need to collect and process your Personal Data.  If you do not cooperate and provide the required information, we may not be able to effectively handle the claim.

The types of Personal Data may include:

Category	Types of Data collected
Individual details	Name, address, bank account details, and vehicle details.
Identification details	Identification numbers issued by government bodies or agencies, including your driving license number.
Claims history reports and anti-fraud data	Claims history reports and anti-fraud data such as sanctions, criminal offenses and convictions, and information from various anti-fraud databases related to you.
Special categories of Personal Data and criminal convictions data	Certain categories of Personal Data may have additional protection under applicable data protection laws (e.g., EU and UK laws).  Depending on the applicable law (including those applicable in the EEA and the UK), these categories include data concerning your health and criminal offenses and convictions.
Claims information	Information about previous and current claims, (including other unrelated insurances), which may include special categories of personal such as data concerning your health (e.g., injuries and relevant pre-existing conditions), or data relating to relevant criminal offenses and convictions.

iii. Business Partners, Investors and Website Users

• Business Partners: If you are a business partner, we will collect your business contact details. We may also collect information about your professional expertise and experience.
• Investors: If you are a shareholder or investor, we will collect your contact details to provide you with shareholder information and notices.
• Website Users: If you are a Website user:
  • You may choose to share with us your Personal Data (e.g., if you contact us).   Depending on your preference on cookies (see below), you can browse the Website without revealing your identity or providing any Personal Data (except such Personal Data as may be collected by cookies which you choose to accept or strictly necessary cookies).  However, there will be times, such as when you request information or a publication from us through the Website, when we will need to obtain your Personal Data.  We may collect this Personal Data through various forms and in various places on the Website, including application forms, contact us forms, via chatbots (RoamRight.com only), or other interactions.  Additionally, we may offer certain online services, such as an online portal that permits our customer account holders to access their business accounts.  
  • We and our third-party service providers may use cookies or other tracking technologies that automatically (or passively) store or collect certain information whenever you visit or interact with the Website based on your usage (“usage information”), unless you decline certain cookies. A cookie is a text file created by a web server and stored on your device which can retain information. This usage information may be stored or accessed using various technologies that may be downloaded to your personal computer, browser, laptop, tablet, mobile phone or other devices whenever you visit or interact with our Website.   You have options regarding analytical, tracking and/or targeting cookies.  Please see our Cookie Policy and Consent Manager for further information.
  • From time to time, we enhance the information we collect directly from you on the Website with outside records from third parties for various purposes, including improving our services, or marketing (e.g., tailoring content to your preferences, and offering relevant opportunities).  We will apply this Policy to any supplemental information and if that supplemental information amounts to Personal Data (and/or the combined information amounts to Personal Data), it will be treated as Personal Data. 

i. Prospective Insureds and Insureds

We collect your Personal Data: (1) directly from you when you apply to purchase an insurance policy or other products or services, including information about others that you provide during this process; (2) from third parties, such as intermediaries (e.g., an insurance broker), or other insurance companies (e.g., if you are a policyholder with an insurance company which has a reinsurance arrangement with an Arch company) or your employer if they apply for an insurance policy where you are named a beneficiary; and (3) from other sources (e.g., credit reference agencies, government agencies and other public sources) as needed to comply with applicable sanctions and anti-money laundering laws.

ii. Claimants

We collect your Personal Data: (1) when you or a third party (such as your employer or attorney) notify us of a (potential) claim either directly or through an intermediary (e.g., an insurance broker) or other insurance companies or claims managers (e.g., if you are a policyholder with an insurance company which has reinsurance with an Arch company); and (2) from other sources (e.g., claim report providers, government agencies and other public sources) as needed to validate the notice of (potential) claim or comply with applicable anti-money laundering laws and sanctions.

iii. Business Partners, Investors and Website/Portal Users

We  collect your Personal Data: (1) where you or your employer share your contact details or other information with us during the course of your collaboration  with us, either  as a business partner or  a company representative; (2) when  you participate in meetings, events or conferences that we organize or sponsor; or (3) where you become a shareholder or investor in Arch and your contact information are made available to us or a third party such as our stock transfer agent. We may also collect your Personal Data when you visit or contact us through the Website or online portals using cookies, which you can choose to decline at any time. Please see our Cookie Policy and Consent Manager for further information.

i. Prospective Insureds and Insureds

• To provide insurance quotes, policies and provide insurance related services, we may use your Personal Data for the following purposes:
  • To evaluate applications for insurance policies, assess risks, and if applicable, offer insurance coverage;
  • To manage and administer insurance policies (including addressing your queries) with you or your employer;
• For reinsurance purposes;
• For direct marketing purposes;
• To enhance our insurance products and service offerings, conduct market research, perform data analytics, engage in general risk modelling, for transfer of business portfolios, support company sales and reorganizations, and for statistical analyses; and
• For the prevention and detection of fraud, money laundering or other criminal activity.

Additional information concerning the legal bases for processing Personal Data of individuals in the EEA/UK is provided in Section 9.

ii. Claimants

• To manage any (potential) claims or (potential) claim notices, we may process Personal Data for the following purposes:
  • For claims processing including assessing and evaluating the merits of a claim and to pay a settlement;
• For statistical analyses; and
• For the prevention and detection of fraud, money laundering or other criminal activity.

iii. Business Partners, Investors and Website Users

Business Partners and Investors:

As part of our business activities, we may process your Personal Data for the following purposes:

• To manage our relationship with you;
• To provide you with information about our company; and
• To oversee our contractual obligations with you or your employer.

Website Users:

As part of our business activities, we may process your Personal Data for these purposes:

• To enhance the Website or our services, tailor your experience, or publish content that is relevant to you;
• To contact you regarding your use of the Website and any changes to Website policies; 
• For internal purposes, including analyzing how our Website is navigated and used; and
• For direct marketing purposes.

We may share information we collect about you, including Personal Data, with third parties to provide our products and services and fulfill our legal obligations. We do not share Personal Data with third parties for their direct marketing purposes.

The third parties we may share Personal Data with include:

• Affiliates. We may share your Personal Data with other companies in the Arch group of companies located in and outside of the EEA/UK to assist in the delivery of products and services to you. We also reserve the right to disclose and transfer such information: (1) to a subsequent owner, co-owner or operator of the Website; or (2) in connection with a merger, consolidation, restructuring, the sale of substantially all of our interests and/or assets, investment or other corporate change, including, during the course of any due diligence process.
• Third Party Intermediaries. We may disclose your Personal Data to intermediaries (e.g., brokers, managing general agents, third party administrators) and other (re)insurers in and outside of the EEA/UK to assist us in managing our business.
• Third Parties. We may use third party vendors in and outside of the EEA/UK to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose your Personal Data to our advisors (e.g., attorneys and other professional services firms) in and outside of the EEA/UK.
  
  Transfers of Personal Data amongst Arch entities are covered by intra organizational agreements which provide specific requirements designed to ensure your Personal Data receives adequate protection whenever it is transferred within Arch. Transfers of Personal Data to our third-party intermediaries and service providers are protected by contractual agreements that require an adequate level of data protection. If you are located in the EEA/UK, please also see Section 9(v)’s discussion of transfers of Personal Data outside of the EEA/UK.
• Judicial, Regulatory and Law Enforcement Bodies. We may disclose your Personal Data to judicial, regulatory and law enforcement bodies, including, but not limited to: (1) satisfy any applicable law, regulation, subpoenas, governmental requests or legal process if in our good faith opinion such disclosure is required or permitted by law; (2) protect and/or defend our rights, property and/or interests (including, the Website’s Terms and Conditions of Use or other policies applicable to the Website) and investigation of potential violations thereof; (3)  protect the safety, rights, property or security of Arch or any third party where we are legally required or advised to do so; and (4) detect, prevent or otherwise address fraud, security or technical issues.  Further, we may use information or device identifiers to identify users, on our own or in cooperation with third parties and/or law enforcement agencies, including disclosing such information to third parties, all in our discretion and subject to applicable law. Such disclosures may be carried out without notice to you.

In accordance with our Cookie Policy, data about your online activity may be collected on our Website to, among other things: (1) help deliver advertisements to you that you might be interested in; (2) prevent you from seeing the same advertisements too many times; and (3) understand the usefulness to you of the advertisements that have been delivered to you. Note that any images (or any other parts of content) served by third parties in association with third-party ads or other content may act as web beacons, which are tracking technologies enabling third parties to carry out the previously described activities.

Website users are able to reject any or all of the advertising and other non-essential cookies and other tracking technologies utilized on our Website at any time by visiting our Cookie Consent Manager.

Our Cookie Policy provides additional details and explains how you can set and manage your and limit the collection of this information. Website users can learn about all the cookies and other tracking technologies utilized on our Website without first providing their Personal Data.

We do not track information about an individual consumer’s online activities over time and across third-party website or online services (i.e. cross-contextual behavioral advertising) except with your specific, opt-in consent. Accordingly, we do not monitor or take any action with respect to these browser Do Not Track signals (including the Global Privacy Control signal).

The Website may contain content that is supplied by a third party, and those third parties may collect usage information and your device identifier when webpages from the Website are served to you.  The Website may contain links to third parties’ websites.  We are not responsible for the data collection and privacy practices employed by any of these third parties on their websites.    We encourage you to review their privacy policies and our Terms and Conditions of Use.

• If you wish to update or correct your Personal Data held by us, please email our Data Protection Officer at: [email protected].
• You may cancel/unsubscribe from the email marketing communications you receive from us or modify your marketing communication preferences by following the instructions contained in our promotional emails or in some cases by logging into your Website account and changing your communication preferences.  This will not affect subsequent subscriptions, and you may limit your opt-out to certain types of emails.
• Please note that we reserve the right to send you certain communications relating to your account or use of the Website, such as administrative and service-related announcements, and you will continue to receive these transactional communications if you opt-out from receiving marketing communications. 

i. Legal Basis for Processing Personal Data of Individuals in the EEA/UK

We will only use your Personal Data for the purposes for which we collect such Personal Data as outlined below and in Section 3 above, unless we need to use it at a later date for another purpose that is compatible with the original purpose. If we need to further process your Personal Data for a purpose that is not compatible with the original purpose for collection, we will notify you and provide an explanation of the legal basis which allows us to do so.   

Purpose(s) for Processing	Legal Basis for Processing
To consider an application for an insurance policy, assess and evaluate risk, and where applicable, provide you with insurance cover To manage and administer contracts including insurance policies (including dealing with your queries) with you or your employer For claims processing including, assessing and evaluating the merits of a claim and, where relevant to pay a settlement For reinsurance purposes To manage our relationship with you	The processing of your Personal Data is necessary to perform a contract or enter into a contract with you (e.g., the insurance policy). Additional basis for the processing of Personal Data relating to criminal offenses and convictions and special categories of Personal Data (e.g., health data): The processing is necessary for the provision of providing insurance and is in the substantial public interest.
For statistical analyses To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, company sales and reorganizations, and for statistical analyses	The processing of your Personal Data is necessary to support our legitimate interests in managing and improving our business (or those of a third party) provided such interests are not overridden by your interests and rights.
Direct marketing	We will seek your consent to the processing of your Personal Data for direct marketing – which you may withdraw at any time.
For the prevention and detection of fraud, money laundering or other crimes	The processing of your Personal Data is necessary for us to comply with legal and regulatory obligations or as authorized by applicable law.

ii. Legal Basis for processing personal datLegal
basis for processing Personal Data (including usage information) relating to
Website users in the EEA/UK

Purpose(s) for Processing	Legal Basis for Processing
To improve the Website or our services, to customize your experience on the Website, or to serve you specific content that is relevant to you To contact you with regard to your use of the Website and, in our discretion, changes to the Website or the Website policies For internal business purposes, including to help us understand how our Website is navigated and used	The processing of your Personal Data is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights.
Direct marketing	Where you have given consent to the processing of your Personal Data for direct marketing – which you may withdraw at any time.

Learn how Personal Data is used within the London Insurance Market within which we participate in connection with our (re)insurance products through our Lloyd’s Syndicates and other insurance placed in the London Insurance Market (link to external PDF opens in a new window).

iii. Criminal Offenses and Convictions Data and Special Categories of Personal Data of Individuals in the EEA/UK

• Criminal Offenses and Convictions Data: We will only process Personal Data relating to criminal offenses and convictions for the following purposes: (i) in order to underwrite risk appropriately, calculate a quote or policy renewal and in the context of motor insurance, to risk assess any person who will be driving the insured vehicle (e.g., a risk assessment), (ii) for fraud detection or prevention or (iii) where required for claims handling. We will only carry out such processing where it is authorized by applicable law.
• Special Categories of Personal Data: Where we process special categories of Personal Data (e.g., health data) for any of the above purposes, we will only do so where: (1) you have given explicit consent to the processing of your special categories of Personal Data for these purposes – which you may withdraw at any time; (2) the processing is necessary to protect your vital interests (or those of a third party); (3) you have manifestly made your special categories of Personal Data public; (4) the processing is necessary for the establishment, exercise or defense of legal claims; or (5) the processing is necessary for reasons of substantial public interest on the basis of applicable law.

iv. What Additional Rights Do You Have if You are in the EEA/UK?

If you are located in the EEA/UK, you have several rights in relation to your Personal Data under applicable privacy and data protection law, which may be subject to certain limitations and restrictions. We aim to respond to any valid requests to exercise data protection rights within one month unless it is particularly complicated, or you have made repeated requests in which case we aim to respond within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request. If you wish to exercise any of these rights, please contact us using the contact details set out in Section 17 below. We may request proof of identification to verify your request.

Your Right	What this Means
Right of Access	You can ask us to confirm whether we are processing your Personal Data and request a copy of that Personal Data. You can also ask that we provide additional information, including: Description of the Personal Data we hold about you; Why we have your Personal Data; Identify any third parties to whom we disclose your Personal Data; Transfers of your Personal Data to locations outside the EEA/UK; How long we keep your Personal Data; More details about your rights related to your Personal Data and how you can make a complaint to the supervisory authority; Where we obtained your Personal Data; or Whether we have carried out any automated decision-making (see Automated Decision-Making below).
Right to Erasure (‘Right to be Forgotten’)	You have the right to request that your Personal Data be deleted in certain circumstances, including: The Personal Data are no longer needed for the purpose for which they were collected. You withdraw your consent (where the processing was based on consent). You object to the processing and there are no overriding legitimate grounds justifying the processing of your Personal Data (see Right to Object below). The Personal Data have been unlawfully processed. To comply with a legal obligation. However, this right does not apply where, for example, the processing is necessary: To comply with a legal obligation. For the establishment, exercise or defense of legal claims.
Right to Withdraw Consent	If we are processing your Personal Data on the legal basis of consent, you are entitled to withdraw your consent at any time. Please see our contact details in Section 17 below. However, the withdrawal of your consent would not invalidate any processing we carried out prior to your withdrawal and based on your consent.
Right to Object	You have a right to object where we are processing your Personal Data: In reliance on our legitimate interests. In such a case we must stop processing your Personal Data unless we demonstrate compelling legitimate interests that override your interests.    You also have a right to request information on the balancing test we use to make this determination. For direct marketing purposes.
Right to Rectification	You have the right to request that we correct any inaccuracies in the Personal Data we hold about you and complete any Personal Data where this is incomplete.
Right to Data Portability	Where you have provided Personal Data to us, you have a right to receive such Personal Data back in a structured, commonly used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where: The processing is carried out by automated means. The processing is based on your consent or on the performance of a contract with you.
Right to Restriction of Processing	You can ask that we restrict the processing of your Personal Data (i.e., keep but not use) where: The accuracy of the Personal Data is contested. The processing is unlawful, but you do not want it erased. We no longer need the Personal Data, but you require it for the establishment, exercise or defense of legal claims. You have objected to the processing and verification as to our overriding legitimate grounds is pending. We can continue to use your Personal Data: Where we have your consent to do so. For the establishment, exercise or defense of legal claims. To protect the rights of another. For reasons of important public interest.
Automated Decision-Making	You have a right not to be subject to decisions based solely on automated processing (including profiling) which produce legal effects concerning you or similarly significantly affects you other than where the decision is: Necessary for entering into a contract, or for performing a contract with you (e.g., your insurance policy). Based on your explicit consent, which you may withdraw at any time. Is authorized by applicable law. Where we base a decision solely on automated decision-making, you will always be entitled to have a person review the decision so that you can contest it and put your point of view and circumstances forward.
Right to Complain	If you are not satisfied with our use of your Personal Data or our response to any request made by you to exercise any of your rights, you have the right to lodge a complaint with the local data protection supervisory authority at any time.

v. Transfers of Personal Data Out of the EEA/UK

If you are located in the EEA/UK, the Personal Data we collect from you may be transferred to and stored at a destination outside of the EEA/UK (including, Bermuda, Switzerland and the United States) for the purposes described above. The recipients may be located in countries which do not provide a similar or adequate level of protection to that provided by countries in the EEA/UK.

Transfers within the Arch group will be covered by data transfer agreements designed to ensure the protection of your Personal Data when it is transferred outside of the EEA/UK.

Transfers to service providers and other third parties will comply with applicable data protection laws (e.g., under standard data protection clauses approved by competent authorities in the relevant jurisdiction, such as the EU Standard Contractual Clauses approved by the EU Commission (“EU SCCs”) for transfers of data outside the EEA, or the UK International Data Transfer Agreement or the UK Addendum to the EU SCCs issued by the UK Information Commissioner for transfers of data outside the UK).

We may also transfer your Personal Data outside of the EEA/UK when required by law (e.g., if we receive a request from a foreign judicial, regulatory or law enforcement body), as necessary to comply with a contract, or with your explicit consent.

All international transfers of your Personal Data will be made in accordance with applicable data protection laws.

If you would like further information about the safeguards, we have implemented please contact us using the contact details set out in Section 17 below.

This Section provides additional information for California residents/households pursuant to the CCPA, as amended, and applies to Personal Information, whether collected online or offline.  

The tables below set out generally the categories of Personal Information about California residents/households that we have collected in the last twelve (12) months and have disclosed to others for a business purpose.  Note that the categories listed below are defined by California state law. Inclusion of a category in the list below indicates only that, depending on the services and products we provide you, we may collect or disclose some information within that category. It does not necessarily mean that we collect or disclose all information listed in a particular category for all our customers, nor does it necessarily mean that the CCPA and other U.S. state law applies to that data.  For example, Personal Information which is governed by the federal Gramm- Leach-Bliley Act (GLBA) or Fair Credit Reporting Act (FCRA) is exempted from the CCPA.

i. How We Collect Your Personal Information

For the categories of Personal Information specified below, we collect the information directly from you, through our service providers, third party vendors, publicly available sources, consumer reporting agencies, government agencies or other businesses. For the category indicated “INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION,” we collect that information through automated means.

ii. Use and Disclosure of Your Personal Information

We do not sell Personal Information or share Personal Information for cross-context behavioral advertising purposes as such terms are defined under California law.  We also have not done so for the last 12 months.

Category	Purposes	Categories of Parties to Whom Personal Information is Disclosed
IDENTIFIERS:  such as a real name, alias, postal address, unique personal identifier, online identifier internet protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers.	We collect all or a subset of all of the Personal Information: For operational functions, including to provide you with services, insurance quotes, issue policies, assess and evaluate risk, administer claims and generally manage and administer insurance policies. For reinsurance purposes. To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, for company sales, and for statistical analyses. To manage and process any claims and to pay claims. For the prevention and detection of fraud, money laundering or other crimes. To manage our relationship with our business partners, policyholders, shareholders and other business associates. To improve our Website or our services, to help us understand how our Website is navigated and used. To comply with legal and regulatory requirements.	Affiliates: We may share your Personal Information with other companies in the Arch group of companies for the purposes listed above. Third Party Intermediaries:We may share your Personal Information to intermediaries (e.g., brokers, managing general agents, third party administrators) and other (re)insurers. Third Parties:We may disclose some of your Personal Information to third party vendors we use to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose some of your Personal Information to our professional advisors. Judicial, Regulatory and Law Enforcement Bodies: We may disclose your Personal Information to judicial, regulatory and law enforcement bodies to comply with applicable laws, regulations or other legal or statutory requests.
PERSONAL INFORMATION categories listed in the California Civil Code Section 1798.80(e): Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, your name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.	We collect all or a subset of all of the Personal Information: For operational functions, including to provide you with services, insurance quotes, issue policies, assess and evaluate risk, administer claims and generally manage and administer insurance policies. For reinsurance purposes. To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, for company sales, and for statistical analyses. To manage and process any claims and to pay claims. For the prevention and detection of fraud, money laundering or other crimes. To manage our relationship with our business partners, policyholders, shareholders and other business associates. To improve our Website or our services, to help us understand how our Website is navigated and used. To comply with legal and regulatory requirements.	Affiliates: We may share your Personal Information with other companies in the Arch group of companies for the purposes listed above. Third Party Intermediaries: We may share your Personal Information to intermediaries (e.g., brokers, managing general agents, third party administrators) and other (re)insurers. Third Parties: We may disclose some of your Personal Information to third party vendors we use to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose some of your Personal Information to our professional advisors. Judicial, Regulatory and Law Enforcement Bodies: We may disclose your Personal Information to judicial, regulatory and law enforcement bodies to comply with applicable laws, regulations or other legal or statutory requests.
CHARACTERISTICS OF PROTECTED CLASSIFICATIONS UNDER CALIFORNIA OR FEDERAL LAW:  Includes race, ancestry, national origin, religion, age, mental and physical disability, sex, sexual orientation, gender identity and other protected classes.	We collect all or a subset of all of the Personal Information: Operational functions to provide you with services, insurance quotes, issue policies, assess and evaluate risk, administer claims and generally manage and administer insurance policies. To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, for company sales, and for statistical analyses. To manage and process any claims and to pay claims. For the prevention and detection of fraud, money laundering or other crimes. To comply with legal and regulatory requirements.	Affiliates: We may share your Personal Information with other companies in the Arch group of companies for the purposes listed above. Third Parties: We may disclose some of your Personal Information to third party vendors we use to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose some of your Personal Information to our professional advisors. Judicial, Regulatory and Law Enforcement Bodies: We may disclose your Personal Information to judicial, regulatory and law enforcement bodies to comply with applicable laws, regulations or other legal or statutory requests.
COMMERCIAL INFORMATION: Includes records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	We collect all or a subset of all of the Personal Information: For operational functions, including to provide you with services, insurance quotes, issue policies, assess and evaluate risk, administer claims and generally manage and administer insurance policies. For reinsurance purposes. To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, for company sales, and for statistical analyses. To manage and process any claims and to pay claims. For the prevention and detection of fraud, money laundering or other crimes. To comply with legal and regulatory requirements.	Affiliates: We may share your Personal Information with other companies in the Arch group of companies for the purposes listed above. Third Party Intermediaries: We may share your Personal Information to intermediaries (e.g., brokers, managing general agents, third party administrators) and other (re)insurers. Third Parties: We may disclose some of your Personal Information to third party vendors we use to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose some of your Personal Information to our professional advisors. Judicial, Regulatory and Law Enforcement Bodies: We may disclose your Personal Information to judicial, regulatory and law enforcement bodies to comply with applicable laws, regulations or other legal or statutory requests.
INTERNET OR OTHER ELECTRONIC NETWORK ACTIVITY INFORMATION: Includes, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.	We collect all or a subset of all of the Personal Information: To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, for company sales, and for statistical analyses. For targeted advertising. To improve our Website or our services, to help us understand how our Website is navigated and used.	Affiliates: We may share your Personal Information with other companies in the Arch group of companies for the purposes listed above. Third Parties:  We may disclose some of your Personal Information to third party vendors we use to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose some of your Personal Information to our professional advisors. Judicial, Regulatory and Law Enforcement Bodies:  We may disclose your Personal Information to judicial, regulatory and law enforcement bodies to comply with applicable laws, regulations or other legal or statutory requests.
AUDIO, ELECTRONIC, VISUAL, THERMAL, OLFACTORY OR SIMILAR INFORMATION	We collect all or a subset of all of the Personal Information: For operational functions, including to provide you with services, insurance quotes, issue policies, assess and evaluate risk, administer claims and generally manage and administer insurance policies. To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, for company sales, and for statistical analyses. To manage and process any claims and to pay claims. For the prevention and detection of fraud, money laundering or other crimes. To comply with legal and regulatory requirements.	Affiliates:  We may share your Personal Information with other companies in the Arch group of companies for the purposes listed above. Third Parties:  We may disclose some of your Personal Information to third party vendors we use to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose some of your Personal Information to our professional advisors Judicial, Regulatory and Law Enforcement Bodies:  We may disclose your Personal Information to judicial, regulatory and law enforcement bodies to comply with applicable laws, regulations or other legal or statutory requests.
PROFESSIONAL OR EMPLOYMENT-RELATED DATA	We collect all or a subset of all of the Personal Information: For operational functions, including to provide you with services, insurance quotes, issue policies, assess and evaluate risk, administer claims and generally manage and administer insurance policies. To manage and process any claims and to pay claims.	Affiliates:  We may share your Personal Information with other companies in the Arch group of companies for the purposes listed above. Third Parties:  We may disclose some of your Personal Information to third party vendors we use to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose some of your Personal Information to our professional advisors. Judicial, Regulatory and Law Enforcement Bodies:  We may disclose your Personal Information to judicial, regulatory and law enforcement bodies to comply with applicable laws, regulations or other legal or statutory requests.

In addition to the categories of personal information above, we collect the following categories of sensitive personal information, none of which we share with third parties or to personalize marketing:

Category of Personal Information Collected	Purposes	Categories of  Parties to Whom Personal Information is Disclosed
Social security, driver’s license, state identification card, or passport number	We collect all or a subset of all of the Personal Information: For operational functions, including to provide you with services, insurance quotes, issue policies, assess and evaluate risk, administer claims and generally manage and administer insurance policies. To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, for company sales, and for statistical analyses. To manage and process any claims and to pay claims. For the prevention and detection of fraud, money laundering or other crimes; and To comply with legal and regulatory requirements.	Affiliates:  We may share your Personal Information with other companies in the Arch group of companies for the purposes listed above. Third Party Intermediaries:  We may share your Personal Information to intermediaries (e.g., brokers, managing general agents, third party administrators) and other (re)insurers. Third Parties:  We may disclose some of your Personal Information to third party vendors we use to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose some of your Personal Information to our professional advisors. Judicial, Regulatory and Law Enforcement Bodies:  We may disclose your Personal Information to judicial, regulatory and law enforcement bodies to comply with applicable laws, regulations or other legal or statutory requests.
Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account	We collect all or a subset of all of the Personal Information: For operational functions, including to provide you with services, insurance quotes, issue policies, assess and evaluate risk, administer claims and generally manage and administer insurance policies. To manage and process any claims and to pay claims. For the prevention and detection of fraud, money laundering or other crimes. To comply with legal and regulatory requirements.	Affiliates:  We may share your Personal Information with other companies in the Arch group of companies for the purposes listed above. Third Party Intermediaries:  We may share your Personal Information to intermediaries (e.g., brokers, managing general agents, third party administrators) and other (re)insurers. Third Parties:  We may disclose some of your Personal Information to third party vendors we use to perform certain services on our behalf, such as technical support and back-office services, loss adjustors, medical service providers, fraud detection agencies, other debt collection agencies, motor bureaus and other insurance reference bureaus and claims experts, hosting services and Website activity tracking and analytics. We may also disclose some of your Personal Information to our professional advisors. Judicial, Regulatory and Law Enforcement Bodies:  We may disclose your Personal Information to judicial, regulatory and law enforcement bodies to comply with applicable laws, regulations or other legal or statutory requests.

We do not process sensitive personal information beyond what is reasonably necessary to provide our products and services and the purposes described above. We may rely on service providers to assist us with these efforts.

Privacy Rights under the California Consumer Privacy Act

If you reside in California, you may have the following rights concerning your Personal Information.  We may also provide you with rights even if not mandated.

Subject to certain conditions and limitations, you may have the following rights regarding your personal information:

• Access.  You may request disclosure of the personal information we have collected, the categories of sources from which we collected the information, the purposes for its collection, the categories of third parties with whom we have shared the information, and categories of personal information that we have shared with third parties for a business purpose.
• Portable data.  You may have the right to receive your personal information in a portable format, to the extent feasible, that allows for easy transfer to another entity.
• Correct.  You may have the right to notify us through the methods identified in the “Exercising Your Rights” section below to correct any mistakes in your personal information.  We may not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect; data solely retained for data backup purposes is generally excluded.
• Delete.  You may request deletion of your personal information, subject to certain exceptions. 
• Limit use and disclosure of sensitive personal information.  California law allows you to restrict the use and sharing of sensitive personal information to only what is necessary for our services; we process sensitive personal information for only service-related purposes. 
• Opt-out of the sharing or selling of information. We do not sell any personal information or share it for cross contextual behavioral advertising.
• Non-discrimination.  We will not discriminate against anyone exercising these rights. However, we may charge a different rate or provide different levels of service as permitted by law.

Before providing any requested information, we must verify your identity. In order to verify your identity, you will need to submit information about yourself, including, to the extent applicable, providing your account login credentials or other account information, answers to security questions, your name, government identification number we already have on file, date of birth, contact information, or other personal identifying information. We will match this information against information we have previously collected about you to verify your identity and your request.

To the extent you maintain an account with us, we will require you to login to that account as part of submitting your request. If we are unable to verify your identity as part of your request, we will not be able to satisfy your request. We are not obligated to collect additional information identity verification, but we may offer you the ability to provide additional information for verification purposes.

If you wish to appoint an authorized agent to make a request on your behalf, you must provide the agent with written, signed, and notarized permission to submit privacy right requests on your behalf. The agent must provide this authorization at the time of request. For requests to disclose or delete your personal information, we will also require you to verify your identity directly with us, unless the agent has been provided with valid power of attorney. To request that we access or delete personal information, please submit an online request or call us at: +1 877 800 6249 (toll free in the U.S.).

Note that to the extent we receive, obtain, or generate information about you in connection with providing a financial service or product to you in your personal capacity within the United States, your rights with respect to that information are generally governed by the Gramm-Leach-Bliley Act (GLBA).  Those Arch entities that have privacy policies under GLBA are:

https://www.roamright.com/aigi-privacy-notice/

However, while we may receive this kind of information, individuals acting in their personal capacity- as opposed to their capacity as a representative of a company—are not our consumer or customer as those terms are defined in the GLBA. 

Nonetheless, as required by GLBA, we protect that information to keep it confidential and secure, and we do not share or use this kind of information other than as necessary for the financial product or service. If you have questions about how information about you is collected and used in connection with a financial product or service, please contact your financial institution. 

In connection with providing financial services or products, we may also receive or obtain information about your creditworthiness or insurability subject to the Fair Credit Reporting Act (FCRA). We need to handle and share this personal information to run our everyday business. We may use and share this information:

• For our everyday business purposes — such as to process transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus.

You cannot limit the use or sharing of FCRA data for these purposes. Federal law gives you the right to limit only:

• Sharing for affiliates’ everyday business purposes — information about your creditworthiness or insurability.
• Affiliates from using your information to market to you.
• Sharing for non-affiliates to market to you.

We do not share information for these purposes. Should we share information for these purposes in the future, we will notify you beforehand and you will have the right to opt-out.

i.  What personal information is used

Please refer to Section 1.

ii.  Purposes for which personal information is used

Please refer to Section 3. We will only use your personal information where it is necessary and in accordance with one or more of the below conditions:

• You have provided your consent for the use;
• It is necessary for taking steps at your request with a view to entering into a contract;
• It is necessary for the performance of a contract with us; or
• It is pursuant to a provision of law that authorises or requires its use.

iii.  The identity and types of individuals or organizations to whom personal information might be disclosed

Please refer to Section 4.

iv. The identity and location of the organization, including information on how to contact it about its handling of personal information

The Arch entities are based at Waterloo House, First Floor, 100 Pitts Bay Rd, Pembroke, HM08, BM including the following:

Arch Capital Group Ltd.
Arch Credit Risk Services
Arch Fund Management Ltd.
Arch Group Reinsurance Ltd.
Arch Investment Management Ltd.
Arch Reinsurance Ltd.
Arch Underwriters Ltd.

These entities can be contacted via the Privacy Officer’s contact details below.

v. The privacy officer

The Privacy Officer for our Bermudian entities can be contacted at [email protected].

vi. What additional rights do you have if you are in Bermuda

Your Right	What This Means
Right of Access	You can ask us to confirm whether we are using your personal informationand request a copy of that personal information. You can also ask that we provide additional information, including: the purposes for which the personal information has been and is being used by the organization. the names of the persons or types of persons to whom and circumstances in which the personal information has been and is being disclosed.
Right to Erasure	You have the right to request that your personal information be deleted where that personal information is no longer relevant for the purposes of its use (see Section 12(iv)).   There are circumstances in which we can refuse to comply with this right and we will inform you of such grounds if they are applicable.
Right to Object	You have a right to object where we are using your personal information if the use of such information is causing or is likely to cause substantial damage or distress to you or another individual.
Right to Rectification	You have the right to request that we correct any inaccuracies in the personal informationwe hold about you and complete any Personal informationwhere this is incomplete.
Right to request review with Regulator	You may ask the Privacy Commissioner of Bermuda to review a decision, action or failure or act that we have made.

The Website is not targeted at children, as defined by local law, and we do not knowingly collect any Personal Data from children.  We will delete any Personal Data of children under the relevant digital age of consent where we determine this has been collected.  If you are a parent or guardian of a child under the relevant digital age of consent and believe he or she has disclosed Personal Data to us, please contact the Arch Data Protection Officer at [email protected].

We implement appropriate and reasonable security and technical and organizational measures against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data. 

Although we take measures to protect the security of the information communicated through the Website, no Internet-connected computer system can be made absolutely secure from intrusion.  We, therefore, cannot and do not guarantee that information communicated by you to us via the Website will be received or that it will not be altered before or after its transmission to us.  If you elect to use the Website to communicate with us or provide us with information, you do so at your own risk.

We retain your Personal Data only as long as necessary in accordance with our company record retention policy and in line with legal, regulatory, tax or accounting requirements, as well as addressing complaints, legal challenges or potential litigation.

We consider the following criteria when determining how long a particular record will be retained, including any personal information contained in that record:

• How long the record is needed to provide you with the products and services you request.
• How long the record is needed to support and enhance our operational processes.
• How long the record is needed to protect our rights and legal interests.
• How long the record must be retained to comply with applicable laws and regulations.

The same personal information about you may be included in more than one record and used for more than one purpose, each of which may be subject to different retention periods based on the factors listed above.

For example, where you purchase our insurance product, information will be held for the duration of your insurance cover and a period of several years after the end of our relationship. We keep information after our relationship ends in order to comply with applicable laws and regulations and for use in connection any legal claims brought under or in connection with your policy.

Once your Personal Data is no longer required, it will be securely deleted.

We reserve the right to change, update and/or modify this Policy at any time without notice to you.  Any changes will be effective immediately upon the posting of the revised Policy.  However, if we make material changes to this Policy, we will notify you by means of a prominent notice on the Website prior to such changes becoming effective, or in other ways as required by law. Please review the Policy whenever you access or use this Website.

To the extent any provision of this Policy is found by a competent tribunal to be invalid, illegal or unenforceable, such provision shall be deemed to be severed to the extent necessary, but the remainder shall be valid and enforceable.

If you have any questions about our Policy or practices described in it, you should contact us in the following ways (and if you are a California resident/household looking to exercise CCPA rights, see an additional method above):

• Postal Mail: Arch Group Data Protection Officer, Arch Capital Services LLC, 360 Hamilton Avenue, Suite 600, White Plains, New York  10601.
• By e-mail: [email protected].
• By e-mail for UK residents: [email protected].
• By e-mail for Bermuda residents: [email protected].
• By phone: 1-877-800-6249 (toll free in the U.S.) or +1 914 872 3609.