Data Privacy Policy (Website)

Ensuro Ltd. (“Ensuro”, “we”, “us”, or “our”) is committed to protecting the privacy and security of personal and institutional information entrusted to us. This Data Privacy Policy describes how Ensuro collects, uses, stores, discloses, and safeguards personal information in accordance with the Personal Information Protection Act of Bermuda (“PIPA”).
Ensuro operates technology-enabled insurance and risk transfer solutions, including services supported by digital infrastructure and smart contract–based mechanisms. Transparency, accountability, and lawful data processing are fundamental to our operations, and this Policy is intended to provide clear information regarding the handling of personal information when individuals or institutions interact with Ensuro, access our platform, or use our services.
2. Definitions
For the purposes of this Policy, “Personal Information” refers to any information relating to an identified or identifiable individual, including, without limitation, names, dates of birth, contact details, identification information, photographs, video footage, IP addresses, cookie identifiers, and telephone numbers. Information relating solely to organisations, companies, or public authorities does not constitute personal information.
“Sensitive Personal Information” includes information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual life, health, marital or family status, disabilities, trade union membership, religious beliefs, as well as biometric or genetic information.
“Informed Consent” means explicit authorisation provided by an individual after being informed of the purposes and manner in which their personal information will be processed.
“Data Processing” means any operation performed on personal information, whether or not by automated means, including collection, recording, organisation, storage, use, disclosure, transmission, restriction, erasure, or destruction.
The “Right to Withdraw Consent” refers to the right of an individual to revoke previously granted consent for the processing of personal information, subject to any legal or regulatory obligations that require continued processing.
A “Breach of Security” means any incident resulting in the loss of, unauthorised access to, unauthorised disclosure of, alteration of, or destruction of personal information.
3. Data Protection Principles
Ensuro processes personal information in a manner that is lawful, fair, and transparent. We take responsibility for complying with applicable data protection laws and for implementing appropriate safeguards to protect personal information against unauthorised or unlawful processing.
Personal information is collected only for specified, explicit, and legitimate purposes and is not further processed in a manner incompatible with those purposes. Ensuro limits the collection and use of personal information to what is necessary and proportionate to achieve its legitimate business and regulatory objectives. Reasonable steps are taken to ensure that personal information is accurate and, where necessary, kept up to date. Sensitive personal information is subject to enhanced protection measures consistent with its nature and associated risks.
4. Information We Collect
In the course of onboarding, due diligence, risk assessment, and the provision of our services, Ensuro may collect personal information, sensitive personal information where legally required or permitted, institutional or corporate information, transactional and contractual information, and technical information related to the use of our platform.
Information may be collected directly from individuals or institutional representatives, or indirectly from third parties such as service providers, counterparties, public registers, and regulatory or compliance sources, where permitted by law.
5. Purposes of Processing
Ensuro processes personal information to comply with applicable legal and regulatory obligations, including those relating to insurance, financial crime prevention, and regulatory oversight. Personal information is also processed to provide, operate, and maintain Ensuro’s services, to perform risk assessment and underwriting activities where applicable, to manage internal operations, audits, and governance, to protect the security and integrity of our systems, and to communicate with users, counterparties, and regulators.
In addition, personal information may be used to analyse and improve Ensuro’s products and services, provided such use is consistent with applicable law.
6. Accuracy, Integrity, and Retention
Ensuro is committed to maintaining the accuracy and integrity of personal information. Reasonable steps are taken to ensure that personal information is accurate, complete, and up to date for the purposes for which it is used. This may include periodic reviews of information obtained during onboarding and, where appropriate, consultation with individuals or reliance on reliable public sources.
Personal information is retained only for as long as necessary to fulfil the purposes for which it was collected, including compliance with legal, regulatory, accounting, and reporting requirements. Once personal information is no longer required, it is securely deleted or anonymised in accordance with Ensuro’s data retention policies. Individuals are responsible for informing Ensuro of any material changes to their personal information.
7. Privacy Notices
Ensuro provides clear and accessible privacy notices describing the categories of personal information collected, the purposes of processing, the categories of third parties with whom personal information may be shared, and the means by which Ensuro can be contacted regarding data protection matters. Privacy notices are provided before or at the time personal information is collected, or as soon as reasonably practicable thereafter.
Where personal information is publicly available or disclosure is required by law or a competent authority, Ensuro may be exempt from providing a separate privacy notice.
8. Purpose Limitation and Data Minimisation
Personal information is used strictly for the purposes for which it was collected, unless further processing is permitted or required by law or additional consent has been obtained. Ensuro applies data minimisation principles to ensure that personal information processed is adequate, relevant, and not excessive in relation to the intended purposes.
9. Security Measures
Ensuro implements appropriate technical, administrative, and physical safeguards designed to protect personal information against accidental or unlawful destruction, loss, unauthorised access, disclosure, or alteration. These safeguards include controlled access to facilities and systems, encryption and other technical security measures, internal policies and procedures governing access to personal information, and ongoing employee training and awareness.
10. Data Breaches
In the event of a breach of security involving personal information, Ensuro follows established incident response procedures, including prompt assessment of the nature and scope of the incident, implementation of mitigation measures, and notification to affected individuals and the Office of the Privacy Commissioner for Bermuda where required by law.
11. Data Transfers and Disclosure to Third Parties
Ensuro may disclose personal information to third parties where necessary for the operation of its business, including service providers, professional advisors, auditors, and regulatory or legal authorities. Where personal information is transferred to third parties, Ensuro takes reasonable steps to ensure that such parties provide an adequate level of protection consistent with PIPA. Ensuro remains accountable for personal information transferred to third parties on its behalf.
12. Children’s Information
Ensuro does not knowingly provide services to minors. Where applicable, appropriate controls are implemented to prevent access by individuals who do not meet minimum age requirements under Bermuda law.
13. Individual Rights
Subject to applicable law, individuals have the right to request access to their personal information, request correction or deletion of inaccurate or outdated information, and withdraw consent where processing is based on consent. Requests must be submitted in writing and may be subject to identity verification. Ensuro will respond to such requests within a reasonable timeframe and in accordance with legal requirements.
14. Changes to This Policy
Ensuro may update this Data Privacy Policy from time to time to reflect changes in legal requirements or business practices. Material changes will be communicated through appropriate channels, and additional consent will be obtained where required.
15. Contact Information
Questions, requests, or concerns regarding this Data Privacy Policy or the handling of personal information may be directed to:
16. Complaints
Individuals who have concerns regarding Ensuro’s handling of personal information may contact Ensuro directly. They also have the right to submit a complaint to the Office of the Privacy Commissioner for Bermuda.
17. Providers That Receive Personal Information From Ensuro Customers
| Provider | Purpose or Use of the information | Security level |
| --- | --- | --- |
| Cloud provider | Back up of all our data. | Certifications |
| KYB provider | Contains the files of our customers. | Certifications |
| KYB provider | NDA and Onboarding process. | Certifications |
| Audit Provider | Financial Audits of our company. They process information from our clients in order to prepare the reports. | NDA/Contract |
| Adverse new review | | |
| Backup provider | Contains the files of our customers. | Certifications |
| Internal System | Internal communication channels among employees to process customer information for various purposes, including registrations, limit increases, cancellations, and information update. | Certifications |
| System to communicate with BMA | We send files of the customers if BMA asks for them. | Certifications |
| Provider to support customer transactions | To support customer transactions. | Certifications |
Last updated