You have arrived at a website that is owned and/or operated by Arch Capital Group Ltd., whose office is at Waterloo House, Ground Floor, 100 Pitts Bay Road, Pembroke HM 08, Bermuda, and its subsidiaries, details of which can be found at the Website’s Terms and Conditions of Use (collectively, “Arch” or “we,” “our” or “us”).
The purpose of this Privacy and Data Protection Policy (this “Policy”) is to explain how, when and why we collect and use Personal Data (otherwise known as Personal Information), including:
Particularly in the reinsurance context, we may possess personal information about you that we did not collect from you. For example, if you have purchased an insurance policy from an insurance company which reinsures the policy with us, we may come into receipt of your Personal Data. In these instances, we encourage you also to check the privacy policies of those third parties.
It is also important that you show this privacy policy to any other person who is insured under your insurance policy.
This Policy is not intended to override the terms of any insurance policy or contract you have with us, nor rights you are afforded under applicable privacy and data protection laws.
Arch is a group of companies which writes insurance, reinsurance and mortgage insurance on a worldwide basis through its principal operations in Bermuda, the United States, Canada, Europe, Australia and Hong Kong. The Arch company which was originally responsible for collecting information about you will be principally responsible for your personal data (“data controller”). For example, if you have an insurance policy with us, this will be the Arch company named on that policy.
In addition, please review the Website’s Terms and Conditions of Use, which governs your use of the Website.
We encourage you to read the entire Policy.
When we use the term Personal Data, we mean any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal Data is sometimes referred to as Personal Information, depending on the applicable law. Under the California Consumer Privacy Act, Personal Information is information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Both Personal Data and Personal Information, which we use interchangeably, are broad definitions, and include pieces of information like your name, address, telephone number, or email address.
Certain pieces of information that are not Personal Data include publicly available information, de-identified information or aggregate information. By “aggregate information” or “de-identified information,” we mean information that does not allow us to identify or contact a specific individual. For example, the number of users of our website is aggregate information which does not reveal who those users are.
In order to provide insurance quotes and policies and administer your insurance, we need to collect and process personal data about you. If you do not provide the information we need, we may not be able to offer you a quote or provide our services to you. We also may have to cancel our services with you but in that case we will notify you and provide an explanation.
The types of personal data may include:
Category | Types of Data Collected |
Individual details | Name, address, gender, marital status, date of birth, nationality, marketing preferences, bank account details or payment card details, vehicle details, relevant criminal convictions and offenses, penalty points, employer, job title and family details, including their relationship to you. |
Identification details | Identification numbers issued by government bodies or agencies, including your driving license number. |
Credit and anti-fraud data | Credit and anti-fraud data such as credit history, credit score, sanctions and criminal offenses and convictions, and information from various anti-fraud databases related to you. |
Special categories of personal data and criminal convictions data | In the EEA/UK, certain categories of personal data may have additional protection under applicable data protection laws. These categories include data concerning your health and criminal offenses and convictions. |
Risk details | Information about you which we need to collect in order to assess the risk to be insured and provide a quote. This may include data relating to your health, relevant criminal offenses and convictions, or other special categories of personal data. |
In order to deal with any claims, we need to collect and process personal data about you. If you do not provide the information we need, we may not be able to handle the claim.
The types of personal data may include:
Category | Types of Data Collected |
Individual details | Name, address, bank account details, and vehicle details. |
Identification details | Identification numbers issued by government bodies or agencies, including your driving license number. |
Credit and anti-fraud data | Credit and anti-fraud data such as credit history, credit score, sanctions, criminal offenses and convictions, and information from various anti-fraud databases related to you. |
Special categories of personal data and criminal convictions data | In the EEA/UK, certain categories of personal data may have additional protection under applicable data protection laws. These categories include data concerning your health and criminal offenses and convictions. |
Claims information | Information about previous and current claims (including other unrelated insurances), which may include data concerning your health (e.g., injuries and relevant pre-existing conditions), relevant criminal offenses and convictions, or other special categories of personal data. |
We will collect your personal data: (1) directly from you when you apply for an insurance policy; (2) from third parties, such as an intermediary (e.g., an insurance broker), or other third party insurance companies (e.g., if you are a policyholder with an insurance company which has a reinsurance arrangement with an Arch company) or your employer where, for example, they apply for an insurance policy under which you will be a beneficiary; and (3) from other sources (e.g., credit reference agencies and government agencies) and other public sources where necessary to, for example, comply with applicable sanctions and anti-money laundering laws.
We will collect your personal data: (1) when you or a third party (e.g., your employer or attorney) notify us of a claim either directly or through an intermediary (e.g., an insurance broker) or other third party insurance companies (e.g., if you are a policyholder with an insurance company which has reinsurance with an Arch company); and (2) from other sources (e.g., credit reference agencies and government agencies) and other public sources where necessary, for example, to validate the claim or comply with applicable anti-money laundering laws and sanctions.
We will collect your personal data: (1) where you or your employer provides your contact or other information to us in the course of working with us, either directly as a business partner or as a representative of your company; (2) where you attend meetings, events or conferences that we organize or sponsor; and (3) where you visit and/or contact us through the Website or one of our online portals. For more information on how we collect technical data about your device and browsing activities, see our Cookie Policy.
In order to provide insurance quotes and policies and administer your insurance we may use your personal data for the following purposes:
Additional information concerning the legal basis for processing personal data of individuals in the EEA/UK is provided in Section 9.
In order to deal with any claims, we may process your personal data for the following purposes:
Additional information concerning the legal basis for processing personal data of individuals in the EEA/UK is provided in Section 9.
As part of our business activities, we may process your personal data for the following purposes:
In addition, we may share with third parties the information we have collected about you, including personal data, to provide our services and comply with legal obligations. We do not share your personal data with third parties for their marketing purposes unless you have consented to such sharing.
These third parties may include:
Transfers amongst Arch entities are covered by intra-organizational agreements which provide specific requirements designed to ensure your personal information receives adequate protection whenever it is transferred within Arch. Transfers to our third party intermediaries and service providers are protected by contractual agreements that require an adequate level of data protection. If you are located in the EEA/UK, please also see Section 9(v)’s discussion of transfers of personal data outside of the EEA/UK.
In accordance with our Cookie Policy, data about your online activity may be collected on our Website for use in providing advertising tailored to your individual interests. This process also helps us track the effectiveness of our marketing efforts. We may also use tracking technologies, such as our own cookies, to provide you with further information about your interests. The information collected may include information about your visits to our Website, such as the pages you have viewed. These third-party tracking technologies may be set to, among other things: (1) help deliver advertisements to you that you might be interested in; (2) prevent you from seeing the same advertisements too many times; and (3) understand the usefulness to you of the advertisements that have been delivered to you. Note that any images (or any other parts of content) served by third parties in association with third-party ads or other content may act as web beacons, which enable third parties to carry out the previously described activities.
Our Cookie Policy provides additional details and explains how you can limit the collection of this information.
Various third parties are developing or have developed signals or other mechanisms for the expression of consumer choice regarding the collection of information about an individual consumer’s online activities over time and across third-party websites or online services (e.g., browser do not track signals). Currently, we do not monitor or take any action with respect to these signals or other mechanisms.
The Website may contain content that is supplied by a third party, and those third parties may collect usage information and your device identifier when webpages from the Website are served to you. The Website may contain links to third parties. We are not responsible for the data collection and privacy practices employed by any of these third parties on their websites. We encourage you to review their privacy policies.
We will only use your Personal Data for the purposes for which we collect such Personal Data as outlined below and in Section 3, unless we need to use it at a later date for another purpose that is compatible with the original purpose. If we need to further process your Personal Data for a purpose that is not compatible with the original purpose for collection, we will notify you and provide an explanation of the legal basis which allows us to do so.
Purpose(s) for Processing | Legal Basis for Processing |
To consider an application for an insurance policy, assess and evaluate risk, and where applicable, provide you with insurance cover | • The processing of your personal data is necessary to perform a contract or enter into a contract with you (e.g., the insurance policy) |
To manage and administer contracts including insurance policies (including dealing with your queries) with you or your employer | |
For claims processing, including assessing and evaluating the merits of a claim and, where relevant, to pay a settlement | |
For reinsurance purposes | • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights* |
For statistical analyses | |
To improve our insurance products and services, to carry out market research, to perform data analytics, for general risk modelling purposes, for transferring books of business, company sales and reorganizations, and for statistical analyses | |
Direct marketing | • We will seek your consent to the processing of your personal data for direct marketing – which you may withdraw at any time |
For the prevention and detection of fraud, money laundering or other crimes | • The processing of your personal data is necessary for us to comply with legal and regulatory obligations or as authorized by applicable law |
To manage our relationship with you | • The processing of your personal data is necessary to perform a contract or enter into a contract with you |
Purpose(s) for Processing | Legal Basis for Processing |
To improve the Website or our services, to customize your experience on the Website, or to serve you specific content that is relevant to you | • The processing is necessary to support our legitimate interests in managing our business (or those of a third party) provided such interests are not overridden by your interests and rights* |
To contact you with regard to your use of the Website and, in our discretion, changes to the Website or the Website policies | |
For internal business purposes, including to help us understand how our Website is navigated and used | |
Evaluate your application and qualifications where you submit personal data in connection with a career opening or by submitting a resume through this Website | |
Direct marketing | • Where you have given consent to the processing of your personal data for direct marketing – which you may withdraw at any time |
If you are located in the EEA/UK, you have several rights in relation to your personal data under applicable privacy and data protection law, which may be subject to certain limitations and restrictions. We aim to respond to any valid requests within one month unless it is particularly complicated or you have made repeated requests in which case we aim to respond within three months. We will inform you of any such extension within one month of receipt of your request, together with the reasons for the delay. You will not be charged a fee to exercise any of your rights unless your request is clearly unfounded, repetitive or excessive, in which case we will charge a reasonable fee in the circumstances or refuse to act on the request. If you wish to exercise any of these rights, please contact us using the contact details set out in Section 15 below. We may request proof of identification to verify your request.
Your Right | What this Means |
Right to withdraw consent | If we are processing your personal data on the legal basis of consent, you are entitled to withdraw your consent at any time. Please see our contact details in Section 15 below. However, the withdrawal of your consent would not invalidate any processing we carried out prior to your withdrawal and based on your consent. |
Right of Access | You can ask us to confirm whether we are processing your personal data and request a copy of that personal data. You can also ask that we provide additional information, including: |
Right to Rectification | You have the right to request that we correct any inaccuracies in the personal data we hold about you and complete any personal data where this is incomplete. |
Right to Erasure (‘Right to be Forgotten’) | You have the right to request that your personal data be deleted in certain circumstances including: |
Right to Restriction of Processing | You can ask that we restrict the processing of your personal data (i.e., keep but not use) where: |
Right to Data Portability | Where you have provided personal data to us, you have a right to receive such personal data back in a structured, commonly-used and machine-readable format, and to have those data transmitted to a third-party data controller without hindrance but in each case only where: |
Right to Object* | You have a right to object where we are processing your personal data: |
Automated Decision-Making | You have a right not to be subject to decisions based solely on automated processing (including profiling) which produce legal effects concerning you or similarly significantly affect you other than where the decision is: |
Right to Complain | If you are not satisfied with our use of your personal data or our response to any request made by you to exercise any of your rights, you have the right to lodge a complaint with the local data protection supervisory authority at any time. |
If you are located in the EEA/UK, the personal data we collect from you may be transferred to, and stored at a destination outside of the EEA/UK (including Bermuda, Switzerland and the United States) for the purposes described above. The recipients may be located in countries which do not provide a similar or adequate level of protection to that provided by countries in the EEA/UK.
Transfers within the Arch group will be covered by data transfer agreements designed to ensure the protection of your personal data when it is transferred outside of the EEA/UK, in accordance with Article 46(2)(c) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) (“Model Clauses”).
Transfers to service providers and other third parties will comply with applicable data protection laws (e.g., under Model Clauses or the EU/Swiss-U.S. Privacy Shield in accordance with Article 45 of the GDPR).
The Website is hosted in the US.
You may withdraw your consent at any time.
We may also transfer your personal data outside of the EEA/UK when required by law (e.g., if we receive a request from a foreign judicial, regulatory or law enforcement body). Such transfers will be made in accordance with applicable data protection laws.
If you would like further information about the safeguards we have implemented please contact us using the contact details set out in Section 15 below.
The personal data about you that we collect includes personal information within the categories of data in the table below. These categories also represent the categories of personal information that we have collected over the past 12 months. Note that the categories listed below are defined by California state law. Inclusion of a category in the list below indicates only that, depending on the services and products we provide you, we may collect or disclose some information within that category. It does not necessarily mean that we collect or disclose all information listed in a particular category for all our customers.
We do not sell personal information about you, as defined under California state law, nor do we intend to do so. We also have not done so for the last 12 months.
Category | Source | Purpose of processing | Disclosed for a Business Purpose in last 12 months? | Types of Third Parties Shared With |
Identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers. | This information is collected directly from you, your agent, or our service providers. | This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. In addition, this data is also used for marketing purposes, including offering you products that may interest you through both direct and partner advertising. | Yes | Affiliates, service providers, and intermediaries. |
Information that identifies, relates to, describes, or is capable of being associated with, a particular individual, including, but not limited to, your name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. | This information is collected directly from you, your agent, consumer reporting agencies, our service providers, or public records. | This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. In addition, this data is used for marketing purposes, including offering you products that may interest you through both direct and partner advertising. | Yes | Affiliates, service providers, and intermediaries. |
Characteristics of classes protected under federal or California law, including: familial status, disability, sex, national origin, religion, color, race, sexual orientation, gender identity and gender expression, marital status, veteran status, medical condition, ancestry, source of income, age, or genetic information. | This information is collected directly from you, your agent, consumer reporting agencies, or our service providers. | This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. This data is also used for marketing purposes, including offering you products that may interest you through both direct and partner advertising. | Yes | Affiliates, service providers, and intermediaries. |
Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | This information is collected directly from you, your agent, consumer reporting agencies, our service providers, or public records. | This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. This data, as well as information regarding your purchasing tendencies obtained from our business partners, is also used for marketing purposes, including offering you products that may interest you through both direct and partner advertising. | Yes | Affiliates, service providers, and intermediaries. |
Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement. | This information is collected directly from you, or from our service providers, via cookies or similar technologies. | This data is used for marketing purposes, including offering you products that may interest you through both direct and partner advertising. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. | Yes | Affiliates, service providers, and intermediaries. |
Geolocation data | This information is collected directly from you, or from our service providers, via cookies or similar technologies. | This data is processed for marketing purposes, including offering you products that may interest you through both direct and partner advertising. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for compliance management. | Yes | Affiliates, service providers, and intermediaries. |
Audio, electronic, visual, thermal, olfactory, or similar information | This information is collected directly from you, your agent, or our service providers. | This data (e.g. voice signatures for e-applications as well as recordings of customer service calls) is processed in connection with a number of our operational functions to provide you with services, including policy issuance and to administer claims. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for compliance management. | Yes | Affiliates, service providers, and intermediaries. |
Professional or employment-related information | Professional or employment-related information | This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, and for compliance management. | Yes | Affiliates, service providers, and intermediaries. |
Inferences drawn from any of the above categories of information to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. | This information is collected from consumer reporting agencies, our partners, or our service providers. | This data is processed in connection with a number of our operational functions to provide you with services, including to assess and evaluate risk, to issue policies and to administer claims. It is also processed in order to help manage and administer your account, as well as to detect security incidents, protect against malicious, deceptive, fraudulent or illegal activity, for compliance management, data analytics and technological development of our systems. | Yes | Affiliates, service providers, and intermediaries. |
Privacy Rights under the California Consumer Privacy Act
For residents of California, you may have the rights described below with respect to personal information about you. We may also provide you with rights even if we are not required to do so.
Subject to certain conditions and limitations, you may have the following rights with respect to personal information about you:
Right of access – You may be entitled to request that we disclose to you personal information we have collected about you, the categories of sources from which the information was collected, the purposes of collecting the information, the categories of third parties we have shared the information with, and the categories of personal information that have been shared with third parties for a business purpose. Data solely retained for data backup purposes is generally excluded.
Right of data portability – In some instances, you may have the right to receive the information about you in a portable and readily usable format. Before providing this information, we must be able to verify your identity. Data solely retained for data backup purposes is generally excluded.
Right to have personal data erased – Subject to certain conditions, you may be entitled to request that we delete personal information about you. We will not delete personal information about you when the information is required to fulfill a legal obligation, is necessary to exercise or defend legal claims, or where we are required or permitted to retain the information by law. For example, we cannot delete information about you while continuing to provide you with insurance products or where required to be retained for regulatory purposes. Data solely retained for data backup purposes is generally excluded.
If you choose to exercise any of these rights, to the extent that they apply, U.S. state law prohibits us from discriminating against you on the basis of choosing to exercise your privacy rights. We may, however, charge a different rate or provide a different level of service to the extent permitted by law.
Before providing information you request in accordance with your rights, we must be able to verify your identity. In order to verify your identity, you will need to submit information about yourself, including, to the extent applicable, providing your account login credentials or other account information, answers to security questions, your name, government identification number we already have on file, date of birth, contact information, or other personal identifying information. We will match this information against information we have previously collected about you to verify your identity and your request. To the extent you maintain an account with us, we will require you to login to that account as part of submitting your request. If we are unable to verify your identity as part of your request, we will not be able to satisfy your request. We are not obligated to collect additional information in order to enable you to verify your identity, but we may offer you the ability to provide additional information for verification purposes. For deletion requests, you will be required to submit a verifiable request for deletion and then to confirm separately that you want personal information about you deleted.
If you would like to appoint an authorized agent to make a request on your behalf, and that agent is not already authorized to access your account in your profile, please submit a notarized special power of attorney or a letter from your attorney.
To request that we access or delete personal information, please contact us, or submit an online request by clicking HERE or call us at: 877-800-6249 (toll free in the U.S.).
Gramm-Leach-Bliley Act and Fair Credit Reporting Act Information
Note that to the extent we receive, obtain, or generate information about you in connection with providing a financial service or product to you in your personal capacity within the United States, your rights with respect to that information are generally governed by the Gramm-Leach-Bliley Act (GLBA). Those Arch entities that have privacy policies under GLBA are:
• https://www.roamright.com/aigi-privacy-notice/
However, while we may receive this kind of information, individuals in their individual capacity, as opposed to their capacity as a representative of a company, are not our consumer or customer as those terms are defined in the GLBA.
Nonetheless, as required by GLBA, we protect that information to keep it confidential and secure, and we do not share or use this kind of information other than as necessary for providing the financial product or service. If you have questions about how information about you is collected and used in connection with a financial product for you, your family or your household, please contact your financial institution.
In connection with providing financial services or products, we may also receive or obtain information about your creditworthiness or insurability subject to the Fair Credit Reporting Act. We need to handle and share this personal information to run our everyday business. We may use and share this information:
• for our everyday business purposes—such as to process transactions, maintain accounts, respond to court orders and legal investigations, or report to credit bureaus
You cannot limit the use or sharing of FCRA data for these purposes. Federal law gives you the right to limit only:
• sharing for affiliates’ everyday business purposes—information about your creditworthiness or insurability
• affiliates from using your information to market to you
• sharing for non-affiliates to market to you
We do not share information for these purposes. Should we share information for these purposes in the future, we will notify you before doing so and you will have the right to opt-out of that sharing.
The Website is not targeted at children, as defined by local law, and we do not knowingly collect any personal data from children. We will delete any personal data we determine to have been collected from a child or user under the applicable age of consent. If you are a parent or guardian of a child under the relevant digital age of consent and believe he or she has disclosed personal data to us, please contact us at ArchDPO@archcapservices.com.
We implement appropriate and reasonable security and technical and organizational measures against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Although we take measures to protect the security of the information communicated through the Website, no Internet-connected computer system can be made absolutely secure from intrusion. We, therefore, cannot and do not guarantee that information communicated by you to us via the Website will be received or that it will not be altered before or after its transmission to us. If you elect to use the Website to communicate with us or provide us with information, you do so at your own risk.
We retain your personal data only for as long as necessary in accordance with our document retention policy and in accordance with legal, regulatory, tax or accounting requirements, or for dealing with complaints, legal challenges or prospective litigation.
For example, where you purchase our insurance product, information will be held for the duration of your insurance cover and a period of several years after the end of our relationship. We keep information after our relationship ends in order to comply with applicable laws and regulations and for use in connection with any legal claims brought under or in connection with your policy.
Once your personal data is no longer required, it will be securely deleted.
We reserve the right to change, update and/or modify this Policy at any time without notice to you. Any changes will be effective immediately upon the posting of the revised Policy. However, if we make material changes to this Policy we will notify you by means of a prominent notice on the Website prior to the change becoming effective, or in other ways as required by law. Please review the Policy whenever you access or use this Website.
To the extent any provision of this Policy is found by a competent tribunal to be invalid, illegal or unenforceable, such provision shall be deemed to be severed to the extent necessary, but the remainder shall be valid and enforceable.
If you have any questions about our Policy or practices described in it, you should contact us in the following ways:
• Postal Mail: Arch Group Data Protection Officer, Arch Capital Services Inc., 360 Hamilton Avenue, Suite 600, White Plains, New York 10601
• By e-mail: ArchDPO@archcapservices.com
• By phone: 877-800-6249 (toll free in the U.S.) or +1 914-872-3609