We value the trust of our customers and others with whom we do business. This document provides an overview of our practices regarding the collection, use and disclosure of personal information.
Why does World Travel Protection collect personal information?
We collect personal information for the purpose of administering and/or servicing an insurance policy, handling a claim or providing requested medical, travel and security assistance services. World Travel Protection does not sell your personal information, and we do not sell or pass on mailing lists to any third parties.
- We partner with another controller jointly to deliver you a service or product
- We partner with another controller separately to provide you with a service or product
How does World Travel Protection ensure that my personal information is accurate?
World Travel Protection verifies the accuracy of your personal information whenever you contact the company with respect to a claim or for assistance under an existing policy of insurance or to purchase additional insurance (directly from World Travel Protection Canada Inc.). Our staff ensure that your name, date of birth, address and contact information is accurate, up-to-date and complete. If there is a change to be made to your personal information, this change is recorded and saved in our database, and the out-of-date or inaccurate information is expunged.
Your duty to inform us of changes
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.
From whom is personal information collected?
Personal information may be collected from such sources as our affiliates, independent insurance brokers, other financial institutions, credit bureaus, government departments, claims organizations, a policyholder, a customer, a customer’s employee, a claimant, a claimant’s employer or a claimant’s employee. We may collect personal information from persons who witnessed incidents, or persons retained by a claimant or by us in the process of administering or servicing a policy, providing assistance or security services or handling a claim. Such people might include physicians, lawyers, accountants, repair shops, consumer reporting agencies and appraisers as permitted or required by law.
Your health information, such as pre-existing medical conditions, is generally required to arrange travel insurance, to make a determination on a claim or to provide you with medical assistance. If you make a telephone call into one of our service centers, the call may be recorded for training and quality control purposes. You will be informed if your call is being recorded.
If you provide health information to your agent or consultant to provide to us as part of the policy application or claims process, we rely on you having provided them with your consent to disclose this information to us. In addition, when you provide information, including sensitive information about other individuals on your travel insurance policy, we rely on you to inform them of the information you are providing, how we will use, hold, collect and disclose this information and on you obtaining their consent.
If we do not have your consent, we will not collect your sensitive personal information. This is subject to some exceptions including where the collection, use and disclosure of the information:
- is necessary for the provision of emergency assistance;
- is required by law, including but not limited to compliance with applicable anti-money laundering laws and regulations/compliance with active sanctions as applicable; and
- is necessary for the establishment, exercise or defence of a legal claim.
Your privacy on the internet and when using mobile devices
A cookie is a small, text-based file used frequently on some websites and portals. A cookie is designed to assist and streamline the exchange of information between your computer’s browser and our computer systems. We may use some cookies to collect information about the use of our websites and web portals. The information collected includes where visitors connect from, what version of browser they use and their path through the website. It helps us to provide personalized features and keeps our content fresh and relevant.
If you are our current or former customer, we may use a special cookie that identifies you. We may use the cookie to collect the website and browser information referred to above and may combine that information with your customer history and other personal information we hold about you. We may use and disclose the combined information to perform analysis services and send you marketing communications and targeted advertising as described in this Policy, as well as use and disclose it for other purposes described in this Policy.
- Web beacons: Our web pages may contain electronic images, known as web beacons or spotlight tags. These enable us to count users who have visited certain pages of our website. Web beacons and spotlight tags are not used by us to access your personal information, but are simply a tool we use to analyse, in aggregate, which web pages customers view.
- Links to other websites: Our websites may contain links to websites that are not ours. Whilst such links are provided for your convenience, you should be aware that the information handling practices of the linked websites might not be the same as ours.
- Location information: With your consent, we may collect information about your physical location when you use our mobile applications and when you request or purchase products or services. When we have location information, we use this to tailor our services to you and others. If you have ‘background location’ turned on, our mobile application will, from time to time, tell us about your device’s location even if you are not directly interacting with the application. You may stop the collection of this information at any time by changing the settings on your mobile device. Some features of our mobile applications may no longer function if you do so.
- Native Applications on Mobile Devices: Some features of our mobile applications may require access to certain native applications on your mobile device, such as the camera, photo album and the address book applications. If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting associated information. You may revoke your consent at any time by changing the settings on your device.
- Push Notifications: With your consent, we may send push notifications or alerts to your mobile device. You can deactivate these notifications or alerts at any time by changing the notification settings on your mobile device or within our mobile applications.
- Device Information: means information about the device which may (but does not necessarily) include: Device Geolocation Data, mobile advertising identifier, device type (e.g., tablet, smartphone), operating system (e.g., iOS, Android), app name or identifier, IP address, network provider, mobile carrier, mobile browser type (e.g., Firefox, Chrome), timestamp, time zone, information about the speed, bearing, orientation, and altitude of a device, or other device identifying information, including cross-device information.
- Device Geolocation Data means precise geolocation data from or about a Consumer’s device, which may be expressed by latitude-longitude coordinates obtained through GPS tools, WiFi data, cell tower triangulation or other techniques, and linked to a mobile advertising ID.
What kind of personal information is collected?
Personal information that may be collected includes, but is not limited to:
- Identity Data includes first name, last name, username or similar identifier, title, and date of birth.
- Contact Data includes billing address, home address, email address and telephone numbers.
- Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.
- Profile Data includes your login details, bookings, purchases or orders made by you, feedback, and survey responses (if applicable).
- Usage Data includes information about how you use our website, products, and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
- Itinerary: Details of your travel plans;
- Medical/Health Information includes:
- Information about your medical history and the medical history of any other person insured under your travel insurance policy;
- Health information, about anyone who requires assistance under their travel insurance policy;
- Information about the medical history of any person that results in a claim that we have to assess;
- Claims Details includes information about claims you make or wish to make under your policy;
- Your bank account details so that we may pay your claim;
- The last eight digits of your credit card;
- Other information required to administer the product or services you have requested including determining a claim;
- Any details contained within identity documents provided to us including government identifiers such as a passport number, OHIP, GHIC, EHIC and Medicare card number;
- The type of medical and non-medical assistance you have been provided with either by us, our service providers or your own medical practitioner;
- Employment and income information for cancellation and loss of income claims;
- Background checks/Sanction Screens;
- Technical Data/Metadata includes internet protocol (IP) address, unique mobile device identification numbers (such as your Media Access Control (MAC) address, and/or International Mobile Equipment Identity (IMEI), type of device, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access our website; and
- Any information contained within a health or activity tracking device or mobile application (referred to as “Health Trackers”) where you have authorized us to do so.
How is personal information used?
We use personal information to administer or service a policy; administer a claim; provide assistance and security services; comply with the law; and as otherwise permitted by law. The transfer of your personal information to an affiliate or third party for processing purposes is defined as a “use” of your personal information. Affiliated and non-affiliated third parties that may receive or have access to the personal information in our care are not authorized to use such information for any marketing purposes except as permitted by law. They may not copy or disclose personal information to any other party and may use it only for the purpose of performing their responsibilities to us, one of our policyholders or claimants and as otherwise permitted or required by law.
The metadata collected (referred to above) are used to improve the way in which our website operates, for statistical and systems administration purposes (which may include the our cybersecurity).
Will you change the purpose for which you collect my personal information?
We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is requited or permitted by law.
Do you limit the collection of my personal information?
Yes. We collect only the information that is necessary for us to process your policy of insurance, provide assistance and security services or administer your claim for benefits. In the event of a claim for medical coverage, we only request medical records for the pre-existing and/or eligibility periods and do not ask for social insurance numbers. When we collect your credit card information to confirm coverage, only the BIN number (the first 6 digits) of the credit card is saved and the rest of the digits are masked to ensure your privacy.
To whom might personal information be disclosed?
Personal information may be shared with companies affiliated with the Zurich Insurance Group Ltd., and non-affiliated third parties in Canada, the United States, the United Kingdom, Australia and other countries abroad in order to provide assistance services, administer or service an insurance policy or a claim, and as otherwise permitted or required by law. Our affiliates include insurance companies, third-party insurance administrators and other providers of financial products and services. Examples of unaffiliated third parties include independent insurance brokers, the policyholder, persons or organizations retained to assist in the administration of policies and/or claims (such as adjusters, appraisers, repair shops and medical service providers), insurance support organizations, companies with whom we have joint marketing agreements, information processing facilities and others as permitted or required by law.
Depending on the nature and sensitivity of your personal information, your consent to the collection, use and disclosure of personal information may be required. This consent can be express (oral or written) or implied and, subject to legal or contractual restrictions, may be withdrawn.
Cross Border Transfers
We may transfer your personal information to service providers across borders to ensure the continuation of your service and support. The service providers we use may be located in or have access to your personal data from a “third country”, i.e., a country that is not recognized to possess an adequate level of data protection by the standards of EU law. In these cases, we put appropriate safeguards in place to make the respective cross border data flow lawful, typically by way of executing the Standard Contractual Model Clauses approved by the Commission of the EU.
What happens if I failed to provide personal information?
Where we need to collect personal data by law or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services, policy coverage or claims handling).
What security features are in place to protect personal information?
Access to personal information is limited to those with a specific “need to know” in order to provide products and services to policyholders and to others as permitted or required by law. We maintain contractual, physical, electronic and procedural safeguards to protect against the misuse of personal information under our control.
Can I access or change my personal information?
Yes. To access your personal information on file, please send a request in writing to our Privacy Officer at the relevant address provided below. Please specify the kind of information you are seeking. You will be contacted by our Privacy Officer and asked to provide some form of identification to confirm your right to access this information.
How long do you retain my personal information?
It is World Travel Protection’s policy to retain data pertaining to claimants for a period of seven (7) years, after which time it is destroyed/erased from our records.
What are your rights under GDPR?
The European Union’s GDPR came into force on May 25, 2018. Under GDPR, residents and citizens of the EU (“data subjects”) have greater control over who collects their data, how the information is used, and for how long.
GDPR: Rights of Data Subjects
The rights of data subjects under GDPR are detailed in Chapter 3 – Articles 12 to 23. There are eight fundamental rights under GDPR.
- Right to Access Personal Data
Under GDPR, data subjects have the right to access the data collected on them by a data controller. The data controller must respond to that request within 30 days (Article 15).
- Right to Rectification
Data subjects have the right to request modification of their data, including the correction or errors and the updating of incomplete information (Article 16).
- Right to Erasure
The right to erasure – also referred to as the right to deletion or the right to be forgotten – allows a data subject to stop all processing of their data and request their personal data be erased (Article 17).
- Right to Restrict Data Processing
Data subjects, under certain circumstances, can request that all processing of their personal data be stopped (Article 18).
- Right to be Notified
Data subjects must be informed about the uses of their personal data in a clear manner and be told the actions that can be taken if they feel their rights are being impeded. Data subjects must also be informed of any rectification or erasure of their personal data under articles 16, 17, and 18 (Article 19).
- Right to Data Portability
A data subject can request that their personal data file be sent electronically to a third party. Data must be provided in a commonly used, machine readable format, if doing so is technically feasible (Article 20).
- Right to Object
If a request to stop data processing is rejected by a data controller, the data subject has the right to object to their Article 18 right being denied (Article 21).
- Right to Reject Automated Individual Decision-Making
Data subjects have the right to refuse the automated processing of their personal data to make decisions about them if that significantly affects the data subject or produces legal effects – profiling for example (Article 22).
Rights of Data Subjects under GDPR are Not Absolute
While data subjects have the above rights under GDPR, in certain situations those rights cannot be granted.
For example, the right to restrict data processing does not apply is when data are processed for the purposes of the prevention, investigation, detection or prosecution of criminal offences. The same applies to the processing of personal data in the prevention of threats to public security.
Data subjects have the right to access their personal data file, although not if that access adversely affects the rights and freedoms of others.
While data controllers must be aware of the rights of data subjects, they should also be aware of the circumstances under which those rights can be denied, and when charges can be applied for granting data subjects’ rights.
As applicable, personal information provided by you will be held and used in accordance with the requirements of the UK Data Protection Act 2018 which incorporates the EU General Data Protection Regulation.
Please click on the headings below, as applicable to your situation:
What Privacy Rights Apply to Children?
We support the Children’s Online Privacy Protection Act (“COPPA”) and other frameworks like the General Data Protection Regulation and the “UK GDPR” (together, the “GDPR“). Our goal is to minimize the information gathered from and disseminated about Children while allowing us to provide the Services for which they are covered under policies of insurance.
A. How We Collect Personal Information About Children
We require parental/guardian consent to collect personal information about Children for the purposes of providing the Services. Children’s personal information is used for the same purposes as set out above.
B. How is Personal Information About Children Used?
We use personal information to administer or service a policy; administer a claim; provide assistance and security services; comply with the law; and as otherwise permitted by law. The transfer of Children’s personal information to an affiliate or third party for processing purposes is defined as a “use” of your personal information.
What Are My Privacy Rights as a California Resident?
If you are a California resident, California law may provide you with additional rights regarding our use of your personal information; subject to exclusions from the rights granted under California law with respect to certain information governed by certain sector-specific privacy laws.
Subject to certain exceptions under California law, California residents may have the following rights with respect to their personal information collected by World Travel Protection:
- The right to know and access. California residents have the right to request we disclose (i) a copy of the personal information that we collect about you; (ii) the categories of personal information that we collected about you in the preceding 12 months; (iii) the categories of purposes for which such personal information was disclosed in the preceding 12 months; (iv) the categories of sources such personal information was collected for; and (v) the categories of third parties such personal information may have been shared with.
- The right to deletion. California residents have the right to request that we delete the personal information that we or our vendors collected about you. There may be circumstances under which we will be unable to delete your personal information, such as if we need to comply with our legal obligations or complete a transaction for which your personal information was collected. If we are unable to comply with your request for deletion, we will let you know the reason why.
- The right to equal service. If a California resident chooses to exercise any of these rights, we will not discriminate against the California resident in anyway. However, if a California resident exercises certain rights, such California resident may be unable to use or access certain features of the Sites.
- Exercising California Resident Rights
To exercise any of these rights, contact us at email@example.com or by calling 1-866-236-5009. In connection with submitting a request, you must provide the following information: name, email, phone number, state of residence, and policy number and you must state what type of request you are making.
We have the right to require you to provide written permission granting authority to your representative and for your agent to verify its identity directly with us, and we may deny a request from your representative who does not submit proof of authorization as we request.
A California resident may only make a verifiable consumer request for access or data portability twice within a 12-month period. The request must provide sufficient information that allows us to reasonably verify the requestor is the person about whom we collected personal information or an authorized representative and describe the request with sufficient detail that allows us to properly understand, evaluate, and respond to it. We cannot respond to a request or provide personal information if we cannot verify the identity or authority to make the request.
We will endeavour to confirm receipt of a request within 10 days following submission and provide information about how we will process the request. We will endeavour to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to an additional 45 days), we will provide notice in writing explaining the reason for the extended time period. We may deliver our written response by mail or electronically, at your option.
Any disclosures we provide will only cover the 12-month period preceding the request receipt date. If we deny a request, we will provide a response explaining the reasons we cannot comply with a request, if applicable.
- Sharing of California Resident Personal Information
We may have collected and disclosed the following categories of personal information from a California resident for a business purpose in the preceding 12 months:
- Various identifiers, including, name, address, online identifier, Internet Protocol (IP) address, email address, account name, or other similar identifiers.
- Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)), including, telephone number or financial information.
Geolocation data, including, physical location or movements.
- Protected classification characteristics, including, race, colour, national origin, marital status, sex, veteran or military status.
- Personal records, such as, power of attorney, family history or power of attorney.
- Information received from a government entity or other third party.
We may collect the above categories of personal information directly from you, indirectly as you interact with our website, from or through other third-party sources, including our customers, or through email or other electronic messages between you and our website.
- Sale of California Resident Personal Information
In the prior 12 months, we have not sold personal information of a California resident.
- “Shine the Light” Law
California’s “Shine the Light” law, Civil Code section 1798.83, requires certain businesses to respond to requests from California consumers asking about the business’ practices related to disclosing personal information to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to firstname.lastname@example.org.
How We Respond to “Do Not Track” Signals
Our website does not respond to DO NOT Track signals. Third parties cannot collect any other personally identifiable information from our website unless you provide it to them directly.
What Are My Privacy Rights as a Nevada Resident?
Nevada residents may have certain rights to opt-out of sales of their personal information under Nevada Revised Statutes Chapter 603A. However, please know World Travel Protection does not sell data triggering this Nevada statute’s opt-out requirements. If you have questions with respect to this right, please contact email@example.com.
Your privacy on the internet and when using mobile devices What Are My Choices?
- Location Information: With your consent, we may collect information about your actual location when you use our mobile applications and when you request or purchase products or services. You may stop the collection of this information at any time by changing the settings on your mobile device; but note that some features of our mobile applications may no longer function if you do so.
- Native Applications on Mobile Device: Some features of our mobile applications may require access to certain native applications on your mobile device, such as the camera, photo album and the address book applications. If you decide to use these features, we will ask you for your consent prior to accessing the applications and collecting associated information. Note that you can revoke your consent at any time by changing the settings on your device.
- Cookies: Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject browser cookies. Please note that if you choose to remove or reject cookies, this could affect the availability and functionality of the website.
- Push Notifications: With your consent, we may send push notifications or alerts to your mobile device. You can deactivate these messages at any time by changing the notification settings on your mobile device or within our mobile applications.
What if I have a question, concern or complaint?
Phone: (416) 977-4701
Toll Free: 1-866-236-5009
Fax: (416) 205-4676
World Travel Protection Canada Inc.
#300 – 901 King Street West
Canada M5V 3H5
Phone: 1300 72 88 22
The Privacy Officer
Cover-More Insurance Services Pty Ltd
Private Bag 913, North Sydney, NSW 2059
Office of the Privacy Commissioner of Canada
30 Victoria Street
Office of the Australian Information Commissioner
GPO Box 5218
Sydney NSW 2001
Inquiries: 1-800-282-1376 (from within Australia)
Inquiries: 61 2 9284 9749 (from outside of Australia)
Information Commissioner’s Office
Telephone: 0303 123 1113
Fax: 01625 524510