Privacy Policy

  1. Purpose of this Notice

This privacy notice explains our approach to any personal information that you might supply to us (or that might be collected from you) in connection with your use of Zoe and sets out your rights in respect of Zoe’s processing of your personal information.

This privacy notice will inform you how you can verify which of your personal information is collected by us through the Zoe Website and how you can request that we delete, update or transfer it.

This privacy notice is intended to assist you in making informed decisions when using the Zoe Website. Please take a moment to read and understand it. Please note that it should be read in conjunction with our Terms and Conditions.

Please also note that this privacy notice only applies to the use of personal information collected by us from your use of the Zoe Website or during your communications with us. It does not apply to personal information collected during your communications with third parties.

  1. Who are we and what do we do?

This website, https://www.zoe-ai.com/ (the “Website”), is owned and operated by Zoe AI Limited. Zoe is the trading name of ZOE AI Limited, incorporated in England & Wales, with Company No 11025645, having its registered office at 24 Park Road South, Havant, Hampshire, PO9 1HB.

Zoe is the data controller responsible for your personal information. Zoe is registered at the UK Information Commissioner’s Office with registration number ZA332279.

Zoe’s principal business activities include providing insurance concierge services to consumers through which Zoe may market insurance products of third parties in addition to managing the consumer’s insurance portfolio.

For the purposes of Data Protection Legislation (as defined below) Zoe AI Limited is the data controller. References to “Zoe”, “we”, “us” or “our” are references to Zoe AI Limited.

We take the privacy of your information seriously.

This privacy policy explains how we collect and use your personal information in connection with the provision of services including:

  • through your use of our Website (as defined below) and any Zoe application that we make available from time to time or by contacting us via any means including through our Website live chat, Facebook and other social media channels, by email or phone; or

  • by interacting with our content and/or services including by applying to be one of our employees.

This policy also applies to information held about suppliers and possible future suppliers, contacts and all other people we hold information about.

References to “you” are references to any natural person excluding any of our employees’ data but including any person accessing this Website.

Please read this privacy policy carefully.

  1. Definitions and interpretation

In this privacy policy, the following definitions are used:

“Data Protection Legislation” means the EU General Data Protection Regulation 2016/679 and the UK Data Protection Act 2018 together with all other applicable legislation relating to privacy or data protection and including any statute or statutory provision which amends, extends, consolidates or replaces the same. The terms “personal data”, “data subject”, “controller”, “processor”, “process” (and its derivatives) and “special categories of personal data” shall have the meanings given to them in the Data Protection Legislation;

“Cookies” are small text files placed on your computer by this Website when you visit certain parts of the Website and/or when you use certain features of the Website. Details of the cookies used by this Website are set out in the cookie policy;

“UK and EU Cookie Law” means The Privacy and Electronic Communications (EC Directive) Regulation 2003 as amended.

  1. What information we collect

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

You have the flexibility to provide us with as little or as much information as possible; however, the more information you provide, the more you will get out of Zoe.

We will also collect information from your email account if you consent to us accessing it.

Please be aware that if you activate the option for Zoe to connect directly to your email account so that we can analyse your email account and find your insurance policies, this will provide Zoe with read access to your entire email account although we will only process personal information necessary for us to provide our services.

Data derived from connected email accounts:

Zoe allows you to connect your personal email accounts from the providers Google Gmail and Microsoft Outlook, to improve our application's utility as an insurance portfolio management tool and insurance product price comparator.

Data derived from personal email accounts falls under a modified policy to enhance user protection.

Upon activating the option for Zoe to connect directly to your email account, Zoe is given full read access to your entire email account, although no email data will persist in Zoe databases unless you explicitly authorise it using the platform’s policy finder tool. The policy finder tool queries your email account for emails containing content relating to insurance policies. The policy finder tool cannot assure complete accuracy, and responsibility falls on you as a consenting user to verify that each document found is appropriate and safe to persist on Zoe databases.

Derived and aggregated data from email accounts:

  • Remain only in Zoe systems until the user instructs for required data to facilitate the purchase of insurance products. If the data is not required to facilitate the purchase of insurance products it is deleted from Zoe systems

  • Will never be sold to any third party or affiliates (whether anonymised or not).

  • Will never be used in any market research or advertising purposes.

Please refer to https://support.google.com/cloud/answer/9110914#restricted-scopes

In particular section “How do I know if my privacy policy is inconsistent with the Limited Use requirements?”

We may collect and process different kinds of personal data about you which we have grouped together as follows:

  • Information that you voluntarily submit to us during your use of our website or mobile application, during the course of email exchanges with us, as part of any customer support interactions and/or surveys, when participating in discussions and/or forums or when you enter a competition or promotion sponsored by us or third parties, and when you report any problem with our website.

  • Identity & Contact Data includes first name, last name, username or similar identifier, title, gender, email address and telephone number of you, and other people linked to your account.

  • Information about your current and previous insurance policies/products.

  • Information about your living situation including, but not limited to, home address, if you own or rent, number of people living in your home, high value items you own.

  • Information about your finances including, but not limited to, income, savings, financial assets, other financial support, mortgages and other financial loans, credit card debt.

  • Information about your health and the health of other people linked to your account including, but not limited to, medical conditions, prescribed medications, treatment history.

  • Information about your lifestyle including, but not limited to, pets, travel, car or other vehicle ownership/lease arrangements.

  • Technical & Usage Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. We also collect information about how you use our website.

  • Marketing & Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.

  • Claims history: as part of the insurance pricing requirements, we require information about your previous claims history.

  • Exercising your rights: if you exercise any of your statutory rights under Data Protection law, we will keep a record of this and how we respond.

  1. What we use your personal data for and why

Where we process your personal data because of our contract:

We process these items of your personal data to enter or fulfil the contract between us, including to:

Reason or purpose | Personal data used
Provide our services to you and maintain your account (including handling any complaints you might make)
  • All the personal data in categories listed in Section 4.

To deliver service communications (such as policy schedules) and tailoring those communications to your circumstances
  • Your contact details and contact details of people associated with your product

  • Transaction and payment information

Answer your complaints or questions
  • The personal data which is necessary for us to deal with your complaint, which will depend on the nature of your complaint

  • Your contact details and the contact details of people associated with your account

  • Product information and details of other people linked to your account

  • Transaction and payment information and account information

Understand what claims you make
  • All personal information we collected as listed in Section

Insurance pricing and modelling
  • All personal information we collect as listed in Section 4

Where we process your personal data because we’re legally obliged to

We process these items of your personal data because we have a legal obligation to, including to:

Reason or purpose | Personal data used
Investigating misuse of your account, crime and fraud
  • The personal data which is necessary for us to investigate the issue, which will depend on the nature of the problem.

  • At a minimum, this will include your name and contact information and information about your account and transaction history.

Assist law enforcement agencies, and other public authorities
  • The personal data processed for this purpose would depend on the scope of the enquiry, and will be limited to what is necessary to achieve the purpose of the request.

Where we process your personal data because there is a substantial public interest to

We process these items of your personal data because there is a substantial public interest that the public has access to insurance products:

Reason or purpose | Personal data used
Insurance pricing and modelling
  • Contact details

  • Information and details of other people linked to your product

  • Claim history

Where we process your personal data because we have a legitimate interest to

We process these items of your personal data because we have a legitimate interest to improve the services we provide to you, or to identify new services you might be interested in, or to advertise our services to you, including:

Reason or purpose | Personal data used
Maintain and improve our products and services, e.g. Optimise business processes, quality assurance purposes, support efficient management of our staff, analyse performance of webpages, provide relevant content, improve modelling and enhance marketing capability.
  • Your contact details and the contact details of people associated with your product

  • Product information and details of other people linked to your product

  • Transaction and payment information

  • Delivery information

  • Purchase and account history

  • Lifestyle and demographic insight information

  • How you use mobile applications and websites

  • Location information

  • Device and machine information

  • Advertising and Direct Marketing

Staff training
  • All the personal data we collect

Assess which of our partner products and services may be of interest to you, e.g. to understand regional demographics and take up, tailor offers and recommendations to customers’ needs and reward loyal customers.
  • All the personal information we collect.

Direct Marketing. If you have not specifically consented to receive Direct Marketing, we will only send you Direct Marketing materials where we are allowed to because of law. However, we will never send you direct marketing where you have opted out of receiving direct marketing communications.
  • Your contact details and the contact details of people associated with your product

  • Product information and details of other people linked to your product

  • Purchase and account history

  • Transaction and payment information

  • How you use mobile applications and websites

  • Rewards

  • Advertising and Direct Marketing

For market research purposes, e.g. to understand how you use our products and services or how we might improve them.
  • Your contact details and the contact details of people associated with your product

  • Product information and details of other people linked to your product

  • Transaction and payment information

  • Purchase and account history

  • Lifestyle and demographic insight information

  • Responses to surveys, competitions and promotions

  • How you use mobile applications and websites

  • Device and machine information

  • Advertising and Direct Marketing

Protection of our staff
  • All personal information we collect as listed in Section 4

For the establishment, exercise or defence of legal claims
  • All personal information we collect as listed in Section 4

Maintain accuracy and relevance of your data
  • All personal information we collect as listed in Section 4

Assist law enforcement agencies and other public authorities
  • The personal data processed for this purpose would depend on the scope of the enquiry, and will be limited to what is necessary to achieve the purpose of the request.

Where we process your personal data because you have allowed us to

We process these items of your personal data because you have provided your consent to the processing. You may revoke your consent at any point; however, this may affect our ability to provide our products and services to you:

Reason or purpose | Personal data used
Direct marketing
  • Your contact details and the contact details of people associated with your product

  • Product information and details of other people linked to your product

  • Purchase and account history

  • Transaction and payment information

  • How you use mobile applications and websites

  • Advertising and direct marketing

  • Products and services that we have determined may be of interest to you

Where we process your personal data so you can’t be identified any more

We may anonymise and aggregate any of the personal data we hold (so that it does not identify you). We may use anonymised and aggregated information for purposes that include testing our IT systems, research, data analysis, improving our site and apps, developing new products and services and assessing future providers of services.

  1. Sources we collect your personal data from

We will collect personal data from a number of sources. These include:

  • Directly from you: when you set up an account with us, purchase products or services from us, submit information via our websites or apps, complete forms we provide to you, enter our competitions and promotions, make a claim, make a complaint, exercise your statutory rights, contact us by phone, email or communicate with us directly in some other way.

  • Our website and apps: we collect information about how you use them and any smart devices you connect to them

  • Other companies we work with: provide us with information to help us deliver our products and services to you. These include:

    • Underwriters: who may provide information about claims and complaints they receive from you or your representatives.

    • Other companies’ websites, mobile applications and products: provide us with information if you connect them to our products or services.

  • Lead generation providers: companies to which you give contact information, where you give permission for them to pass it on to us.

  • The government and regulators: provide us with information about the complaints they receive

  • Social media: information you submit to our social media accounts.

  • Our business customers: provide us with information about their own customers.

  • The police: may provide us with information.

  1. Who we share your personal data with

7.1 We share personal data with the following categories of third parties:

Who | Examples
Our investors | British Gas Services Limited
Insurance Brokers | British Gas Services Limited
Advertising partners

Google

Mediacom

Affiliate Marketing

Facebook

Microsoft

Underwriters and industry partners

  • Your carefully selected broker and underwriters will depend upon the product/s you buy and will be shown on your policy documents.

  • Where a third-party data controller is involved in the provision of insurance and ancillary services, we recommend that you also review their privacy notice as this will tell you how they process your information.

  • You’ll be able to find the privacy notices for all third parties we work with online.

This list is not exhaustive and may vary from time to time as we add insurers to our panel.

For example:

  • AXA Insurance

  • British Gas Services Limited

The government or our regulators | Information Commissioner’s Office (ICO), Ofgem, Financial Conduct Authority (FCA)
Ombudsman services | If you raise a dispute or complaint and are eligible for review by an ombudsman service, such as the Financial Ombudsman Service, we may share information pertinent to the complaint with the relevant Ombudsman Service.
Data and insight providers
  • Experian

Industry partners

To comply with financial and audit regulations

  • Rothmans LLP

Companies that help us run our business, support our IT infrastructure and to further understand our customers
  • Amazon Web Services – a subsidiary of Amazon that provides on-demand cloud computing platforms

  • Intercom - integration for live chat communications with customers. Intercom is a GDPR compliant service; we utilise data exporting and permanent delete functionality. Furthermore, data automatically expires on Intercom for users that have been inactive longer than 9 months

  • Sentry - integration used for application error alerting and reporting. Errors reported occasionally contain userId in reports but only Zoe can use this id to uniquely identify the user

  • Google - OAuth is used to access email accounts; all data obtained can be deleted

  • Microsoft Graph API - same use case as Google OAuth

Law enforcement agencies and other public authorities
  • Police forces

  • HMRC

We do not disclose personal data to anyone else.

7.2 User Data Protection

User data protection is paramount, and Zoe is subjected to 3rd party security assessors who conduct tests on:

  1. External Network Penetration Testing: Identify potential vulnerabilities in external, internet-facing infrastructure, systems such as the following:

  • Discovery and enumeration of live hosts, open ports, services, unpatched software, administration interfaces, authentication endpoints lacking MFA, and other external-facing assets;

  • Automated vulnerability scanning combined with manual validation;

  • Brute-forcing of authentication endpoints, directory listings, and other external assets;

  • Analysis of potential vulnerabilities to validate and develop complex attack chaining patterns and custom exploits; and

  • Potential exploitation of software vulnerabilities, insecure configurations, and design flaws.

  1. Application Penetration Testing: Identify potential vulnerabilities in the application that accesses user data such as the following:

  • Real-world attack simulation focused on identification and exploitation;

  • Discovery of attack surface, authorization bypass, and input validation issues;

  • Automated vulnerability scanning combined with manual validation;

  • Exploitation of software vulnerabilities, insecure configurations, design flaws, and weak authentication;

  • Analysis of vulnerabilities to validate and develop complex attack chaining patterns and custom exploits; and

  • Verify the ability for users to delete their account with no external indication that the user or user’s content is accessible.

  1. Deployment Review: Identify exploits and vulnerabilities in developer infrastructure such as the following:

  • Gathering all available configuration settings and metadata as well as manual techniques to build a profile of the cloud environment;

  • Analysing collected information to identify any gaps or deviations from accepted cloud security best practices;

  • Manually examining configuration settings to locate anomalies and issues such as weak IAM policies, exposed storage containers, poorly defined security groups, insecure cloud services usage, and insecure key management;

  • Exploitation of vulnerabilities, insecure configurations, design flaws, and weak authentication – as needed;

  • Verify the storage of OAuth tokens is encrypted and encryption keys and secrets are stored in a hardware security module or equivalent strength key manager; and

  • Ensure developer access to the deployment environment is secured with multi-factor authentication.

  1. Policy and Procedure Review: Review and examine the efficacy of information security policies and procedures such as the following:

  • Incident Response Plan: Establishes roles, responsibilities, and actions when an incident occurs;

  • Risk Management Policy: Identify, reduce and prevent undesirable incidents or outcomes;

  • Vulnerability Disclosure Program: Provide means for external parties to report vulnerabilities; and

  • Information Security Policy: Ensures all users comply with rules and guidelines related to the security of the information stored digitally at any point in the network.

  1. Children

You are required to be at least 16 years old to use the Zoe Website so we do not intentionally collect personal information from anyone under 16, and no one under 16 should attempt to submit any personal information to Zoe. Should we discover that any such personal information has been delivered to any of the sites, we will remove that personal information as soon as possible.

  1. Direct Marketing

Email, SMS and post marketing: from time to time, we may contact you by email, SMS, telephone or post with information about products and services we believe you may be interested in. When you call Zoe we may also provide you with information about products and services we believe you may be interested in.

If you have not consented to receiving Direct Marketing communications, we will only send them to you when permitted to do so by law, but in all circumstances we will respect your marketing preferences which you set when you first create your account with us (or you first deal with us), or which you update from time to time.

You can let us know at any time that you do not wish to receive marketing messages by sending an email to us at privacy@centrica.com. You can also unsubscribe from our marketing by clicking on the unsubscribe link in any email marketing messages we send to you or by replying STOP to the number indicated on any marketing text messages we may send you.

  1. Direct Marketing & Advertising on websites and mobile applications

You can find out more about cookies and how to manage their use by reading our cookie policy.

The details here provide a high level overview of how and where we capture and/or use personal data on our own and third party websites and mobile applications.

Zoe Website

When you visit any of our websites you will always be provided with access to the site’s or application’s own privacy notice and cookie policy.

Our aim is to ensure that our websites are always working optimally for those who use them. When you visit our websites and are an anonymous visitor, we will use cookies and similar technologies - in accordance with your cookie preferences - to track anonymously details such as response times, the pages you view and the functionality you use. No individual is uniquely identifiable from this data and it is used purely to enable us to constantly review and improve these services.

Any adverts you may see whilst using the website anonymously will be generic in nature i.e. it will not use any personal data to ‘personalise’ the advert to you.

If you choose to complete an online application, enquiry or other form then the form will set out explicitly how the data you provide will be used.

If you are logged in we will use cookies and similar technologies - in accordance with your cookie preferences - to track your use of the site or application. In this instance some data may be recorded to your record to enable us to provide the best ongoing service to you.

When you log out we clear the cookie, or if you are inactive for 1 hour we log you out and clear the cookie.

Third party websites and applications

We work with advertising partners, including social media sites and providers, to show you advertising about our products and services. This takes place on third party websites, applications and services where we or our advertising partners have purchased advertising space.

To provide you with the most appropriate advertising content, this uses information gathered via cookies and similar technologies about the websites, mobile applications, social media content and ads you interact with or view when connected to the Internet, as well as information which we provide (such as a hash of your email address or phone number), to make sure the advertising you see is more relevant to you.

The main third parties we work with are Google, Facebook and Microsoft.

Site | How to stop seeing ads from partners like us | Privacy notice
Facebook | https://www.facebook.com/help/568137493302217 | https://www.facebook.com/about/privacy
Twitter | https://help.twitter.com/en/safety-and-security/privacy-controls-for-tailored-ads | https://twitter.com/en/privacy

  1. Transferring your personal data internationally

Zoe, in common with other organisations, uses third parties located in other countries to help us run our business. As a result, personal data may be transferred outside the countries where we and our customers are located. This includes countries outside the European Economic Area ("EEA") and to countries that do not have laws that provide specific protection for personal data.

We have taken and continue to take steps to ensure all personal data is provided with adequate protection and that all transfers of personal data outside the EEA are done lawfully. Where we transfer personal data outside of the EEA to a country not determined by the European Commission as providing an adequate level of protection for personal data, the transfers will be under an agreement which covers the requirements for the transfer of personal data outside the EEA, such as the European Commission approved standard contractual clauses.

  1. How long we keep personal data for

We will keep your personal data for as long as necessary in order to achieve the processing purposes.

  1. How to access your information and other rights

You have the following rights in relation to the personal information we hold about you:

  1. Your right of access.

  • If you ask us, we will confirm whether we are processing your personal information and, if so, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.

  1. Your right to rectification.

  • If the personal information we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If we have shared your personal information with others, we will let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we’ve shared your personal information with so that you can contact them directly.

  1. Your right to erasure

  • You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or you withdraw your consent (where applicable). If we have shared your personal information with others, we’ll let them know about the erasure where possible. If you ask us, where possible and lawful to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.

  1. Your right to restrict processing

  • You can ask us to ‘block’ or suppress the processing of your personal information in certain circumstances such as where you contest the accuracy of that personal information or object to us processing it. It won’t stop us from storing your personal information though. We will tell you before we lift any restriction. If we’ve shared your personal information with others, we will let them know about the restriction where possible. If you ask us, where possible and lawful to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.

  1. Your right to data portability.

  • With effect from 25 May 2018, you have the right, in certain circumstances, to obtain personal information you have provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere.

  1. Your right to object.

  • You can ask us to stop processing your personal information, and we will do so, if we are:

    • relying on our own or someone else’s legitimate interests to process your personal information except if we can demonstrate compelling legal grounds for the processing;

    • processing your personal information for direct marketing; or

    • processing your personal information for research unless such processing is necessary for the performance of a task carried out in the public interest.

  1. Your rights in relation to automated decision-making and profiling.

  • You have the right not to be subject to a decision when it’s based on automatic processing, including profiling, and it produces a legal effect or similarly significantly affects you unless such profiling is necessary for entering into, or the performance of, a contract between you and Zoe.

  1. Your right to withdraw consent.

  • If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.

  1. Your right to lodge a complaint with the supervisory authority.

  • If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the UK Information Commissioner’s Office (ICO). You can find details about how to do this on the ICO website at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123 1113.

To exercise your legal rights please notify us using the contact details provided in section 19 of this privacy notice.

  1. Your rights in relation to your personal data

You may have the following rights in relation to your personal data:

  • the right to be informed about the personal data we collect, how your personal data is being used, and from whom we collect your personal data when we obtain it from other sources;

  • the right to access the personal data we hold about you;

  • the right to request the correction of inaccurate personal data we hold about you;

  • the right to request the blocking or deletion of your personal data in some circumstances;

  • the right to request that we port elements of your data either to you or another service provider;

  • the right to object to us processing your personal data ((1) where we have a legitimate interest to do so, as listed in section 3, but your rights override ours based on your particular situation (which you will need to explain to us), (2) where we are processing it for the purpose of direct marketing, or (3) because we are using automated means to make decisions that have a legal or similarly significant effect); and

  • the right to withdraw your consent to those processing activities which we carry out on the basis of consent, listed in section 3.

You will only have the benefits of some of the above rights in limited circumstances, which depend on the legal reason why we collected your Personal Data.

To exercise any of the above rights, or if you have any questions relating to your rights, please contact us by using the details above.

  1. Getting in touch

If you have any privacy related questions or comments, please contact hello@zoe-ai.com.

If you are unhappy with the way we are using your personal data you can also complain to the UK Information Commissioner’s Office or your local data protection regulator. We are here to help and encourage you to contact us to resolve your complaint first.

  1. General

    1. You may not transfer any of your rights under this privacy policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be adversely affected.

    2. If any court or competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy policy will not be affected.

    3. Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other right or remedy.

    4. This privacy policy is governed by and interpreted according to English law. All disputes arising under this privacy policy are subject to the exclusive jurisdiction of the English courts.

  2. Changes to this privacy policy

    1. We may change this privacy policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website.

    2. You are deemed to have accepted the terms of the privacy policy by your use of the Website following the alterations. If you do not accept the changes made to this privacy policy you should immediately stop using the Website.

  3. Contacting us and complaints

    1. If you have any questions about this privacy policy you may contact us by email at hello@zoe-ai.com.

    2. If you have any concerns about our use of your information, you also have the right to make a complaint to the Information Commissioner’s Office, which regulates and supervises the use of personal data in the UK, via their helpline on 0303 123 1113.
