Purpose of this Notice
This privacy notice explains our approach to any personal information that you might supply to us (or that might be collected from you) in connection with your use of Zoe and sets out your rights in respect of Zoe’s processing of your personal information.
This privacy notice will inform you how you can verify which of your personal information is collected by us through the Zoe Website and how you can request that we delete, update or transfer it.
This privacy notice is intended to assist you in making informed decisions when using the Zoe Website. Please take a moment to read and understand it. Please note that it should be read in conjunction with our Terms and Conditions.
Please also note that this privacy notice only applies to the use of personal information collected by us from your use of the Zoe Website or during your communications with us. It does not apply to personal information collected during your communications with third parties.
Who are we and what do we do?
This website, https://www.zoe-ai.com/ (the “Website”), is owned and operated by Zoe AI Limited. Zoe is the trading name of ZOE AI Limited, incorporated in England & Wales with company number 11025645 and having its registered office at 24 Park Road South, Havant, Hampshire, PO9 1HB.
Zoe is the data controller responsible for your personal information. Zoe is registered at the UK Information Commissioner’s Office with registration number ZA332279.
Zoe’s principal business activities include providing insurance concierge services to consumers through which Zoe may market insurance products of third parties in addition to managing the consumer’s insurance portfolio.
For the purposes of Data Protection Legislation (as defined below) Zoe AI Limited is the data controller. References to “Zoe”, “we”, “us” or “our” are references to Zoe AI Limited.
We take the privacy of your information seriously. This policy applies to personal information that we collect about you:
through your use of our Website (as defined above) and any Zoe application that we make available from time to time, or by contacting us via any means, including our Website live chat, Facebook and other social media channels, email or phone; or
by interacting with our content and/or services, including by applying to be one of our employees.
This policy also applies to information held about suppliers and possible future suppliers, contacts and all other people we hold information about.
References to “you” are references to any natural person, excluding our employees (whose data is outside this notice) but including any person accessing this Website.
Definitions and interpretation
“Data Protection Legislation” means the EU General Data Protection Regulation 2016/679 and the UK Data Protection Act 2018, together with all other applicable legislation relating to privacy or data protection, including any statute or statutory provision which amends, extends, consolidates or replaces the same. The terms “personal data”, “data subject”, “controller”, “processor”, “process” (and its derivatives) and “special categories of personal data” shall have the meanings given to them in the Data Protection Legislation;
“UK and EU Cookie Law” means the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended.
What information we collect
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
You may provide us with as little or as much information as you wish; however, the more information you provide, the more you will get out of Zoe.
We will also collect information from your email account if you consent to us accessing it.
Please be aware that if you activate the option for Zoe to connect directly to your email account, so that we can analyse it and find your insurance policies, this gives Zoe read access to your entire email account, although we will only process the personal information necessary to provide our services.
Data derived from connected email accounts:
Zoe allows you to connect your personal email accounts at Google Gmail and Microsoft Outlook, to improve the application's usefulness as an insurance portfolio management tool and insurance product price comparator.
Data derived from personal email accounts falls under a modified policy to enhance user protection.
When you activate the option for Zoe to connect directly to your email account, Zoe is granted full read access to the entire account. However, no email data will persist in Zoe databases unless you explicitly authorise it using the platform's policy finder tool. The policy finder tool queries your email account for emails containing content relating to insurance policies. The policy finder tool cannot guarantee complete accuracy, and it is your responsibility, as the consenting user, to verify that each document found is appropriate and safe to persist in Zoe databases.
Derived and aggregated data from email accounts:
Remain in Zoe systems only for as long as you instruct us to use the data required to facilitate the purchase of insurance products. Data that is not required to facilitate the purchase of insurance products is deleted from Zoe systems.
Will never be sold to any third party or affiliates (whether anonymised or not).
Will never be used in any market research or advertising purposes.
For Google's additional requirements applying to applications that use restricted Gmail scopes, please refer to https://support.google.com/cloud/answer/9110914#restricted-scopes
We may collect and process different kinds of personal data about you which we have grouped together as follows:
Information that you voluntarily submit to us during your use of our website or mobile application, during the course of email exchanges with us, as part of any customer support interactions and/or surveys, when participating in discussions and/or forums, when you enter a competition or promotion sponsored by us or third parties, and when you report any problem with our website.
Identity & Contact Data includes first name, last name, username or similar identifier, title, gender, email address and telephone number of you, and other people linked to your account.
Information about your current and previous insurance policies/products.
Information about your living situation including, but not limited to, home address, whether you own or rent, the number of people living in your home, and high value items you own.
Information about your finances including, but not limited to, income, savings, financial assets, other financial support, mortgages and other financial loans, credit card debt.
Information about your health and the health of other people linked to your account including, but not limited to, medical conditions, prescribed medications, treatment history.
Information about your lifestyle including, but not limited to, pets, travel, car or other vehicle ownership/lease arrangements.
Technical & Usage Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website. We also collect information about how you use our website.
Marketing & Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
Claims history: as part of the insurance pricing requirements, we require information about your previous claims history.
Exercising your rights: if you exercise any of your statutory rights under Data Protection law, we will keep a record of this and how we respond.
What we use your personal data for and why
Where we process your personal data because of our contract:
We process these items of your personal data to enter or fulfil the contract between us, including to:
|Reason or purpose|Personal data used|
|Provide our services to you and maintain your account (including handling any complaints you might make)| |
|Deliver service communications (such as policy schedules) and tailor those communications to your circumstances| |
|Answer your complaints or questions| |
|Understand what claims you make| |
|Insurance pricing and modelling| |
Where we process your personal data because we’re legally obliged to
We process these items of your personal data because we have a legal obligation to, including to:
|Reason or purpose|Personal data used|
|Investigating misuse of your account, crime and fraud| |
|Assisting law enforcement agencies and other public authorities| |
Where we process your personal data because there is a substantial public interest to
We process these items of your personal data because there is a substantial public interest that the public has access to insurance products:
|Reason or purpose|Personal data used|
|Insurance pricing and modelling| |
Where we process your personal data because we have a legitimate interest to
We process these items of your personal data because we have a legitimate interest to improve the services we provide to you, or to identify new services you might be interested in, or to advertise our services to you, including:
|Reason or purpose|Personal data used|
|Maintain and improve our products and services, e.g. optimise business processes, quality assurance purposes, support efficient management of our staff, analyse performance of webpages, provide relevant content, improve modelling and enhance marketing capability.| |
|Assess which of our partner products and services may be of interest to you, e.g. to understand regional demographics and take-up, tailor offers and recommendations to customers' needs and reward loyal customers.| |
|Direct Marketing. If you have not specifically consented to receive Direct Marketing, we will only send you Direct Marketing materials where the law allows us to. We will never send you direct marketing where you have opted out of receiving direct marketing communications.| |
|Market research purposes, e.g. to understand how you use our products and services or how we might improve them.| |
|Protection of our staff| |
|The establishment, exercise or defence of legal claims| |
|Maintaining the accuracy and relevance of your data| |
|Assisting law enforcement agencies and other public authorities| |
Where we process your personal data because you have allowed us to
We process these items of your personal data because you have provided your consent to the processing. You may revoke your consent at any point; however, this may affect our ability to provide our products and services to you:
|Reason or purpose|Personal data used|
Where we process your personal data so you can’t be identified any more
We may anonymise and aggregate any of the personal data we hold (so that it does not identify you). We may use anonymised and aggregated information for purposes that include testing our IT systems, research, data analysis, improving our site, apps, developing new products and services and assess future providers of services.
Sources we collect your personal data from
We will collect personal data from a number of sources. These include:
Directly from you: when you set up an account with us, purchase products or services from us, submit information via our websites or apps, complete forms we provide to you, enter our competitions and promotions, make a claim, make a complaint, exercise your statutory rights, contact us by phone, email or communicate with us directly in some other way.
Our website and apps: we collect information about how you use them and any smart devices you connect to them
Other companies we work with: provide us with information to help us deliver our products and services to you. These include:
Underwriters: who may provide information about claims and complaints they receive from you or your representatives.
Other companies’ websites mobile applications and products: provide us with information if you connect them to our products or services.
Lead generation providers: companies to which you give contact information, where you give permission for them to pass it on to us.
The government and regulators: provide us with information about the complaints they receive
Social media: information you submit to our social media accounts.
Our business customers: provide us with information about their own customers.
The police: may provide us with information.
Who we share your personal data with
7.1 We share personal data with the following categories of third parties:
|Category of third party|Recipient or purpose|
|Our investors|British Gas Services Limited|
|Insurance brokers|British Gas Services Limited|
|Underwriters and industry partners|This list is not exhaustive and may vary from time to time as we add insurers to our panel.|
|The government or our regulators|Information Commissioner's Office (ICO), Ofgem, Financial Conduct Authority (FCA)|
|Ombudsman services|If you raise a dispute or complaint and are eligible for review by an ombudsman service, such as the Financial Ombudsman Service, we may share information pertinent to the complaint with the relevant ombudsman service.|
|Data and insight providers|To comply with financial and audit regulations|
|Companies that help us run our business, support our IT infrastructure and help us further understand our customers| |
|Law enforcement agencies and other public authorities| |
We do not disclose personal data to anyone else.
7.2 User Data Protection
User data protection is paramount, and Zoe engages third-party security assessors who conduct tests covering the following areas:
External Network Penetration Testing: identify potential vulnerabilities in external, internet-facing infrastructure and systems, including:
Discovery and enumeration of live hosts, open ports, services, unpatched software, administration interfaces, authentication endpoints lacking MFA, and other external-facing assets;
Automated vulnerability scanning combined with manual validation;
Brute-forcing of authentication endpoints, directory listings, and other external assets;
Analysis of potential vulnerabilities to validate and develop complex attack chaining patterns and custom exploits; and
Potential exploitation of software vulnerabilities, insecure configurations, and design flaws.
Application Penetration Testing: identify potential vulnerabilities in the applications that access user data, including:
Real-world attack simulation focused on identification and exploitation;
Discovery of attack surface, authorization bypass, and input validation issues;
Automated vulnerability scanning combined with manual validation;
Exploitation of software vulnerabilities, insecure configurations, design flaws, and weak authentication;
Analysis of vulnerabilities to validate and develop complex attack chaining patterns and custom exploits; and
Verify that users are able to delete their account and that, afterwards, neither the user nor the user's content remains accessible from outside.
Deployment Review: identify vulnerabilities and exploitable weaknesses in the deployment and developer infrastructure, including:
Gathering all available configuration settings and metadata as well as manual techniques to build a profile of the cloud environment;
Analysing collected information to identify any gaps or deviations from accepted cloud security best practices;
Manually examining configuration settings to locate anomalies and issues such as weak IAM policies, exposed storage containers, poorly defined security groups, insecure cloud services usage, and insecure key management;
Exploitation of vulnerabilities, insecure configurations, design flaws, and weak authentication – as needed;
Verify that stored OAuth tokens are encrypted and that encryption keys and secrets are held in a hardware security module or a key manager of equivalent strength; and
Ensure that developer access to the deployment environment is protected by multi-factor authentication.
Policy and Procedure Review: Review and examine the efficacy of information security policies and procedures such as the following:
Incident Response Plan: Establishes roles, responsibilities, and actions when an incident occurs;
Risk Management Policy: Identify, reduce and prevent undesirable incidents or outcomes;
Vulnerability Disclosure Program: Provide means for external parties to report vulnerabilities; and
Information Security Policy: Ensures all users comply with rules and guidelines related to the security of the information stored digitally at any point in the network.
You are required to be at least 16 years old to use the Zoe Website, so we do not intentionally collect personal information from anyone under 16, and no one under 16 should attempt to submit any personal information to Zoe. Should we discover that any such personal information has been submitted to the Website, we will remove that personal information as soon as possible.
Email, SMS and post marketing: from time to time, we may contact you by email, SMS, telephone or post with information about products and services we believe you may be interested in. When you call Zoe we may also provide you with information about products and services we believe you may be interested in.
If you have not consented to receiving Direct Marketing communications, we will only send them to you when permitted to do so by law, but in all circumstances we will respect your marketing preferences which you set when you first create your account with us (or you first deal with us), or which you update from time to time.
You can let us know at any time that you do not wish to receive marketing messages by sending an email to us at email@example.com. You can also unsubscribe from our marketing by clicking on the unsubscribe link in any email marketing messages we send to you or by replying STOP to the number indicated on any marketing text messages we may send you.
Direct Marketing & Advertising on websites and mobile applications
The details here provide a high level overview of how and where we capture and/or use personal data on our own and third party websites and mobile applications.
Any adverts you may see whilst using the website anonymously will be generic in nature, i.e. they will not use any personal data to ‘personalise’ the advert to you.
If you choose to complete an online application, enquiry or other form, the form will set out explicitly how the data you provide will be used.
When you log out we clear the session cookie; if you are inactive for 1 hour we log you out and clear the cookie.
Third party websites and applications
We work with advertising partners, including social media sites and providers, to show you advertising about our products and services. This takes place on third party websites, applications and services where we or our advertising partners have purchased advertising space.
To provide you with the most appropriate advertising content, this uses information gathered via cookies and similar technologies about the websites, mobile applications, social media content and ads you interact with or view when connected to the Internet, as well as information which we provide (such as a hash of your email address or phone number), to make sure the advertising you see is more relevant to you.
The main third parties we work with are Google, Facebook and Microsoft.
|Site|How to stop seeing ads from partners like us|Privacy notice|
Transferring your personal data internationally
Zoe, in common with other organisations, uses third parties located in other countries to help us run our business. As a result, personal data may be transferred outside the countries where we and our customers are located. This includes countries outside the European Economic Area ("EEA") and to countries that do not have laws that provide specific protection for personal data.
We have taken and continue to take steps to ensure all personal data is provided with adequate protection and that all transfers of personal data outside the EEA are done lawfully. Where we transfer personal data outside of the EEA to a country not determined by the European Commission as providing an adequate level of protection for personal data, the transfers will be under an agreement which covers the requirements for the transfer of personal data outside the EEA, such as the European Commission approved standard contractual clauses.
How long we keep personal data for
We will keep your personal data for as long as necessary to achieve the purposes for which it was collected and processed.
How to access your information and other rights
You have the following rights in relation to the personal information we hold about you:
Your right of access.
If you ask us, we will confirm whether we are processing your personal information and, if so, provide you with a copy of that personal information (along with certain other details). If you require additional copies, we may need to charge a reasonable fee.
Your right to rectification.
If the personal information we hold about you is inaccurate or incomplete, you are entitled to have it rectified. If we have shared your personal information with others, we will let them know about the rectification where possible. If you ask us, where possible and lawful to do so, we will also tell you who we’ve shared your personal information with so that you can contact them directly.
Your right to erasure
You can ask us to delete or remove your personal information in some circumstances such as where we no longer need it or you withdraw your consent (where applicable). If we have shared your personal information with others, we’ll let them know about the erasure where possible. If you ask us, where possible and lawful to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
Your right to restrict processing
You can ask us to ‘block’ or suppress the processing of your personal information in certain circumstances such as where you contest the accuracy of that personal information or object to us processing it. It won’t stop us from storing your personal information though. We will tell you before we lift any restriction. If we’ve shared your personal information with others, we will let them know about the restriction where possible. If you ask us, where possible and lawful to do so, we will also tell you who we have shared your personal information with so that you can contact them directly.
Your right to data portability.
With effect from 25 May 2018, you have the right, in certain circumstances, to obtain personal information you have provided us with (in a structured, commonly used and machine readable format) and to reuse it elsewhere.
Your right to object.
You can ask us to stop processing your personal information, and we will do so, if we are:
relying on our own or someone else’s legitimate interests to process your personal information except if we can demonstrate compelling legal grounds for the processing;
processing your personal information for direct marketing; or
processing your personal information for research, unless such processing is necessary for the performance of a task carried out in the public interest.
Your rights in relation to automated decision-making and profiling.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces a legal effect on you or similarly significantly affects you, unless such profiling is necessary for entering into, or the performance of, a contract between you and Zoe.
Your right to withdraw consent.
If we rely on your consent (or explicit consent) as our legal basis for processing your personal information, you have the right to withdraw that consent at any time.
Your right to lodge a complaint with the supervisory authority.
If you have a concern about any aspect of our privacy practices, including the way we’ve handled your personal information, you can report it to the UK Information Commissioner’s Office (ICO). You can find details about how to do this on the ICO website at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123 1113.
To exercise your legal rights, please notify us using the contact details provided under “Getting in touch” below.
Your rights in relation to your personal data
You may have the following rights in relation to your personal data:
the right to be informed about the personal data we collect, how your personal data is being used, and from whom we collect your personal data when we obtain it from other sources;
the right to access the personal data we hold about you;
the right to request the correction of inaccurate personal data we hold about you;
the right to request the blocking or deletion of your personal data in some circumstances;
the right to request that we port elements of your data either to you or another service provider;
the right to object to us processing your personal data ((1) where we have a legitimate interest to do so, as listed in section 3, but your rights override ours based on your particular situation (which you will need to explain to us), (2) where we are processing it for the purpose of direct marketing, or (3) because we are using automated means to make decisions that have a legal or similarly significant effect); and
the right to withdraw your consent to those processing activities which we carry out on the basis of consent, listed in section 3.
You will only have the benefit of some of the above rights in limited circumstances, which depend on the legal basis on which we collected your personal data.
To exercise any of the above rights, or if you have any questions relating to your rights, please contact us using the details under “Getting in touch” below.
Getting in touch
If you have any privacy related questions or comments, please contact firstname.lastname@example.org.
If you are unhappy with the way we are using your personal data you can also complain to the UK Information Commissioner’s Office or your local data protection regulator. We are here to help and encourage you to contact us to resolve your complaint first.
Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other right or remedy.
Contacting us and complaints
If you have any concerns about our use of your information, you also have the right to make a complaint to the Information Commissioner’s Office, which regulates and supervises the use of personal data in the UK, via their helpline on 0303 123 1113.