PRIVACY NOTICE

1. Introduction

HelloIX Technologies Limited ("HelloIX") is a proprietary insurance exchange platform built to facilitate improved collaboration for insurers and brokers. This platform was built especially for parties that do not have the capacity to build their own insurance infrastructure and would better leverage an existing one.

This Privacy Notice discloses the privacy practices of the Insurance Exchange. This privacy notice applies solely to information collected by HelloIX and it will notify you of the following:

  1. What personally identifiable information is collected from you, how it is used and with whom it may be shared.
  2. The retention of the data you provide.
  3. What choices are available to you regarding the use of your data.
  4. The security procedures in place to protect the misuse of your information.
  5. Grievance address channel(s) and inquiries.

2. The Personal Data We Collect About You

Visitors to our website can access every area of our website, without having to disclose any personal data. However, we may collect information captured in our web logs, such as device information (e.g. device brand and model, screen dimensions, etc.), unique identification numbers (e.g. IP address and device ID), browser information (e.g. URL, browser type, pages visited, date/time of access), website traffic and pages viewed, behavioral information, and other information about how you interacted with our website.

During our business relationship with you, we may collect certain personal data that can be used to contact, identify you or for performance of our obligation. Personal data may include, but is not limited to:

  1. contact information about you or related parties, such as principals in your organisation;
  2. financial information, such as payment information, including name, billing address and payment details (e.g. credit/debit cards, bank details, and other information required for billing and fraud prevention);
  3. contact information you provide about other people you would like us to contact; and
  4. other personal data when you reach out to us through the Contact Us form on our website, communicate with us over the phone, or via email and other electronic means to initiate a business relationship, make general enquiries, or suggestions about our services.

Apart from the personal data provided in the manner described above, we usually require your personal data to be able to provide our insurance or financial industry services for you and on your behalf. Typically, you will provide this required information to us directly within our insurance applications or when you complete the HelloIX Know Your Customer (KYC) – Due Diligence.

3. How We Use Your Personal Data

We may use the personal data collected from you:

  1. to contract with you and provide our Services to you;
  2. to analyse and improve the safety and security of our products and Services;
  3. to create, administer, and communicate with you about your account (including any purchases and payments);
  4. to fulfil a specific request and provide customer support, such as responding to inquiries and handling complaints;
  5. to improve the accuracy of our records so that we can better understand your needs and preferences;
  6. to carry out communication with you, deal with any complaints, and administer claims you may have;
  7. to carry out KYC checks and screening, in compliance with extant anti-money laundering laws and regulations in Nigeria, prior to starting a new engagement;
  8. to contact you in relation to current, future and proposed engagements, send you our newsletters, know-how, promotional material and other marketing communications;
  9. to defend ourselves against fraud (and this may include the verification of identity), or to verify the legitimacy of a legal claim;
  10. to maintain and protect the security of our products, Services and Online Channels, preventing and detecting security threats, fraud or other criminal or malicious activities. This may involve us using your IP address to track you in the event of a security threat, fraud etc.;
  11. in the event of a merger, sale, or other transfer event, your personal data held by us will be transferred held by us about you is among the assets transferred;
  12. for commercial purposes: to contact you about products and services that we believe may be of interest to you; and to provide your information to third parties upon your consent;
  13. to meet comply with statutory requirements imposed by our regulators as well as other legal requirements, including complying with court orders, valid discovery requests, valid subpoenas, and other appropriate legal mechanisms; and
  14. to fulfil other purposes disclosed at the time you provide personal data or otherwise where we are legally permitted or are required to do so. Where we need to process your personal data for additional purposes that we have not identified at the time of collection, we will make sure to obtain your consent or the appropriate legal basis for these additional uses to the extent required by applicable law.

4. Our Principles of Data Processing

  1. Personal data will be processed lawfully and transparent manner.
  2. Personal data will be processed for a specific purpose and not in a way which is incompatible with the purpose which we have collected it.
  3. Personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
  4. Personal data will be kept accurate and, where necessary kept up to date;
  5. Personal data will not be kept for no longer than it is necessary for the purposes for which it is processed.
  6. Appropriate steps will be taken to keep personal data secure.

5. Remedy in the event of violation of Privacy Notice

  1. Where there is any perceived violation of your rights, we shall take appropriate steps to remedy such violations, once confirmed. You shall be appropriately informed of the remedies employed. In the event of a data breach, we shall, within 72 (seventy-two) hours of having knowledge of such breach, report the details of the breach to NDPC. Furthermore, we will notify you immediately via email if the breach results in risk and danger to your rights and freedoms.
  2. If you have any complaints regarding our compliance with this Privacy Notice, please contact our Data Protection Officer at dpo@helloix.com. We will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal data within thirty (30) days in accordance with this Privacy Notice and in accordance with applicable law and regulations.
  3. If you feel that your personal data has not been handled correctly or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have a right to lodge a complaint with the NDPC. The contact details are:
    1. Nigeria Data Protection Commission
    2. Tel: +2349160615551
    3. Email: info@ndpc.gov.ng
    4. Website: www.ndpc.gov.ng

6. Information Sharing with Third Parties

Occasionally, we may share your personal data with third party service providers such as entities providing insurance, claims recovery, and auditing services. We also share data with third parties during business including:

  1. We may share or transfer your personal data in connection with, or during negotiations of, any merger, sale of Company assets, financing, or acquisition of all or a portion of our business to another company;
  2. We share with our business partners, agents, vendors, and affiliates, especially where we have to request another more localised or specialist or intermediary to act as our sub-agent and assist us in the placement of an insurance contract;
  3. In connection with, or during due diligence or and negotiations of, any proposed or actual financing, merger, purchase, sale, joint venture, or any other type of acquisition or business combination;
  4. If you give your explicit consent;
  5. If we have to complete a contract on your behalf;
  6. If there is a legal obligation on us to share such data under existing laws and regulations. The Company may disclose your personal data in the good faith and belief that such action is necessary to:
    1. Comply with a legal obligation;
    2. Protect and defend the rights or property of the Company;
    3. Prevent or investigate possible wrongdoing in connection with the Service;
    4. Protect the personal safety of Users of the Service or the public; and
    5. Protect against legal liability.

7. Data Security

We take precautions to protect your information. When you submit sensitive information via the web platform, your information is protected both online and offline via data transit and data storage encryption.

Wherever we collect sensitive information, that information is encrypted and transmitted to us via secure channels. While we use encryption to protect sensitive information transmitted online, we also protect your information offline. Only designated employees who need the information to perform a specific job (for example, billing or customer service) are granted access to personally identifiable information.

We are very particular about preserving your privacy and protecting your data at HelloIX Technologies Limited ("HelloIX"). Therefore, to avoid the loss, theft, misuse and unauthorised access, disclosure, alteration, and destruction of your information, we have put in place a range of administrative, technical, organisational and physical safeguards. Despite this, we cannot completely guarantee the security of any information you transmit via our Online Channels, as the internet is not an entirely secure place. We are committed to doing our best to protect you.

8. Lawful Basis for Processing Your Personal Data and Purposes of Processing

Here, we have set out the relevant lawful basis upon which we process your personal data and purposes for processing same:

LAWFUL BASIS PURPOSE OF PROCESSING
Consent We may process your personal data where you have given us explicit consent to do so, for instance, to share marketing information, to share newsletter updates, to share details of events etc. If we have to use consent as a legal basis, we will provide you with a consent form and you have the right to refuse to consent or withdraw your consent at any time by contacting us at dpo@helloix.com. However, withdrawal of consent will not affect the lawfulness of any processing carried out before you withdraw your consent.
Performance of a Contract We may also process your information on the basis that we need to perform and fulfill a contract with you for the provision of our Services or to take steps at your request prior to entering a contract.
Legal Obligation We may process your information where a legislation specifically mandates us to or if it is necessary to respond to a lawful request from a law enforcement or regulatory authority, body or agency; in the defense of legal claims or in order to investigate, prevent or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person.
Legitimate interests We may process your data for our legitimate interests or the legitimate interests of a third party, provided these interests are not outweighed by your rights and interests. Our processing for legitimate interests may include for website improvement, network security, direct marketing etc.
Vital Interests We may process your information where it is necessary to protect an interest, which is essential for your life, health, and bodily safety. This basis is limited in scope.

9. What Constitutes Consent?

We will not ask for your personal data unless we need it to provide services to you. At any point where consent is the appropriate lawful basis for processing of your personal data, we will provide you with the option to either accept or not. In addition, whenever we introduce new services and technologies, we will ensure you understand and agree to any new ways in which your information will be processed.

You will be considered to have given your consent to HelloIX for the processing of your personal data when;

  1. You complete any form issued by HelloIX at any of our service points (mobile, online etc.) requesting for such personal data;
  2. You register, check or tick the acceptance box on any of our electronic platforms (Online or Mobile) relating to terms and conditions of any service or product offered; and
  3. You accept the installation of cookies on your device.

If we ask for your personal data for a secondary reason, like marketing, we will either ask you directly for your express consent, or provide you with an opportunity to say no. However, we should mention that withdrawal of consent would not affect the lawfulness of any processing carried out before you withdrew your consent.

10. How do I withdraw my consent?

If after you opt-in, you change your mind, you may withdraw your consent to the continued processing of your personal data, at any time, by contacting us at dpo@helloix.com

11. Your Rights as a Data Subject

Here is something we have not told you yet: because we determine the purposes for and the way your personal data may be processed, we are regarded as a data controller.

As a data subject, the law vests you with certain rights—they include the right to:

  1. access personal data we hold about you by requesting for a copy of the personal data we hold about you. Including all or some of the following information such as NIN, Email Address, Phone Number, Occupation, Date of Birth, Contact Address, Residential Address, Means of Identification, Insurance Type. For businesses we collect CAC, KYC info, and notice information.
  2. rectify such information where you believe it to be inaccurate.
  3. restrict the processing of your personal data in certain circumstances.
  4. object to the processing of your Personal data where we intend to process such data for marketing purposes; where feasible, receive all personal data you have provided to us—in a structured, commonly used, and machine-readable format—and to transmit the information to another data controller.
  5. withdraw your consent.
  6. request the erasure of your personal data (also known as the right to be forgotten).
  7. request the portability of your data; and
  8. lodge a complaint with a relevant authority, where you have reason to believe that we have violated the term(s) of this Privacy Notice. (You may lodge a complaint or seek redress from us within 30 days from the time you first detected the alleged violation.)

You may seek to exercise any of the above rights at any time by sending us an email at dpo@helloix.com

For the purpose of this notice, the supervisory authority is the Nigeria Data Protection Commission (NDPC) and the complaint can be sent via email at info@ndpc.gov.ng

12. International Transfer Of Data

HelloIX is based in Nigeria and we store and process your personal data on our computers in Nigeria and in any other place where the parties involved in the processing are located. It means that this information may be transferred to — and maintained on — computers located outside Nigeria or other governmental jurisdiction where the data protection laws may differ than Nigeria.

When we transfer personal data to a country outside of Nigeria, we ensure that the recipient of the personal data is subject to a law, binding corporate rules, contractual clauses, code of conduct, or certification mechanism that affords an adequate level of protection in accordance with the Nigeria Data Protection Act.

Our data transfers to the countries that do not offer an adequate level of protection are subject to any of the conditions in accordance with the Nigeria Data Protection Act and the Nigeria Data Protection General Application and Implementation Directive. We will therefore, only transfer personal data out of Nigeria on one of the following conditions:

  1. The consent of the Data Subject has been obtained;
  2. The transfer is necessary for the performance of a contract to which a Data Subject is a party or in order to take steps at the request of a Data Subject, prior to entering into a contract.
  3. The transfer is solely for the benefit of a Data Subject and –
    1. It is not reasonably practicable to obtain the consent of the Data Subject to that transfer, and
    2. If it were reasonably practicable to obtain such consent, the Data Subject would likely give it.
  4. The transfer is necessary for important reason of public interest;
  5. The transfer is for the establishment, exercise or defense of legal claims.
  6. The transfer is necessary to protect the vital interests of a Data Subject or other persons, where a Data Subject is physically or legally incapable of giving consent.

To obtain any relevant information regarding any transfers of your personal data to third countries (including the relevant transfer mechanisms), please contact our Data Protection Officer at dpo@helloix.com

13. Our Personal Data Breach Management Process

While we are committed to doing our best to ensure that your personal data is protected, we acknowledge that in rare circumstances, a personal data breach may occur.

In the event of a personal data breach, our management process may take the following order.

  1. We will receive a complaint about an alleged breach through dpo@helloix.com
  2. We will immediately conduct an initial assessment of the breach including confirmation of the:
    1. Extent of the breach.
    2. Cause of the breach.
    3. Other information concerning the breach
    4. Confirmation of possible containment.
    5. If the breach is a systemic problem or an isolated incident
    6. Assessment of the risk or other harm because of the breach i.e. The loss of trust, reputational damage, legal liability, or breach of secrecy provisions.
    7. If the information that has been compromised is sensitive or likely to cause humiliation or embarrassment.
  3. We will assess the need to notify you where the breach is likely to result in high risks to your rights and freedoms.
  4. We will take all necessary steps to prevent future breaches, once immediate steps have been taken to mitigate the risks associated with the instant breach.
  5. Following our investigations, we make recommendations and take appropriate steps including:
    1. Making appropriate changes to our policies and procedures if necessary.
    2. Revising our internal staff practices if necessary; and
    3. Updating this data breach procedure where required.

14. Cookie and Similar Technologies

A cookie is a small text file, which includes a unique identifier, which is sent by a web server to the browser on your computer, mobile phone or any other internet-enabled device when you visit an on-line site. Cookies and similar technologies are widely used to make websites work efficiently and to collect information about your online preferences. For simplicity, we refer to all these technologies as "cookies".

We do not use cookies on our website.

15. Links to Other Websites

Please note that our Online Channels may contain links to other third-party websites and features that are not owned or controlled by HelloIX. We advise that you review the privacy notices of these third parties before consenting to the submission of your information or data on their platforms.

16. Retention of Personal Data

We will retain Your Personal Data only for as long as is necessary for the purposes set out in this Privacy Notice. We will retain and use Your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies. Also, a contract between us could also prescribe a retention period, we will not retain your data beyond the duration prescribed in the contract.

We will also retain Usage Data for internal analysis purposes. Usage Data is generally retained for a shorter period, except when this data is used to strengthen the security or to improve the functionality of Our Service, or We are legally obligated to retain this data for longer time periods.

17. Changes to Our Privacy Notice

We will continually assess our privacy and data protection practices to ensure that your privacy is guaranteed. To this end, we may amend this Privacy Notice at any time. If changes are made, we will indicate at the top of this Privacy Notice when it was most recently updated or send you a notification that the Notice has been updated. Your continued use of our Online Channels or Services will signify that you agree to any such changes. Please be assured that we will not use any previously collected personal data, to the extent that it is not collected under the new privacy notice, in a manner materially different than represented at the time it was collected.

18. Contact Us

If you have any complaints or wish to make an inquiry as to how your data is managed, you can contact us via email at dpo@helloix.com