Privacy Policy

Yonder Technology Limited, trading as Kota,  (“Kota”) is a private company limited by shares incorporated in Ireland with company number 711366 and having a registered office at Dogpatch Labs, The CHQ Building, Customs House Quay, Dublin 1, County Dublin, Ireland 

Yonder Financial Technology Limited, trading as Kota, incorporated and registered in the UK with company number 14135818 and having registered address is at The Stable Yard Vicarage Road, Stony Stratford, Milton Keynes, Buckinghamshire, England, MK11 1BN (“we”/ “us”/ “our”).

We provide insurance and pension distribution services through our website (https://www.kota.io/) (“our Site” or “the Site”) and/or Kota app (the “App”) (together, the “Services”).

About our Privacy Policy

We respect your right to privacy and take seriously our responsibilities in relation to the processing of personal data. We do not collect or process personal data unnecessarily.

This privacy policy (the “Policy”) sets out important information about your rights in relation to the processing of your personal data, and the basis on which any personal data we collect from you, or that you provide to us, will be processed in connection with your use of the Services. This may include special categories of personal data, where relevant, such as health data and biometric data.

We do not knowingly attempt to solicit or receive information from children, unless necessary for the provision of the Services. Given the nature of the Services we provide, information relating to children, including their personal data, may be provided to and processed by us from time to time. For example, in circumstances where a parent or legal guardian wishes to obtain health insurance for their children and/or to add them to any particular health insurance plan, information, such as their children’s name, age, address may be collected and processed together with data concerning their health to the extent necessary for the purposes of assessing any application for and/or providing health insurance. In such circumstances, explicit consent will be obtained from the parent or legal guardian.

Under this Policy, and unless we have entered into a different agreement with you, we will be what’s known under the General Data Protection Regulation (EU) 2016/679 (the “GDPR”) as the “controller” of the personal data you provide to us.

The information we collect

We will collect and process the following data about you for the following purposes:

Information you give us.

Your Data. This is information about you that you give us by filling in forms on our Site or by corresponding with us by phone, e-mail or otherwise. It includes information you provide when you use our Site, or the Services, or report a problem with our Site and/or the App.

The information you give us may include:

• Identity Data: your full name, address, e-mail address, gender, phone number, age, date of birth, title,marital status photograph, tax ID,employee role,identification details (e.g., passport details, driving licence details).

• Financial Data: your financial, including bank account details, billing contact email address, salary details, and VAT number.

• Previous Health Insurance Data: your past policy details, limited to identifying previous cover

• Biometric Data: Pictures for facial recognition system.

Information we collect about you.

Automatically Collected Information. With regard to each of your visits to our Site we will automatically collect the following information:

Technical Data: technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, operating system and platform, how often you use the application and other performance data; and

Usage Data: information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page).

Special categories of personal data.

We will only process special categories of personal data, such as health data and biometric data, where it is necessary and proportionate for the purposes of providing the Services, or to comply with a legal obligation.

Cookies

What are cookies and why do we use them?

The Site may use cookies from time to time. “Cookies” are small text files which are stored by your browser on your computer and are normally used to gather statistical information and to analyse trends of use or access to a website. Cookies cannot be used to run programs or deliver viruses to your computer.

Cookies may be used to save your personal preferences so you do not have to re-enter them each time you access the Site.

For more about our use of cookies and how you can disable them, please see our Cookie Policy.

What we do with your information

We will only use your personal information when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you.

• Where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests.

• Where we need to comply with a legal or regulatory obligation.

We have set out below, in table format, a description of the ways we plan to use your personal data and the legal basis we rely only to do so. We have also identified our legitimate interests where appropriate to:

Provide the Services to you - We may use Identity Data, Health Data, Technical Data and Usage Data to provide the core Kota Services to you such as enrolling you in various financial services, providing you updates about said services as well as securing, troubleshooting and otherwise supporting our core services.

Provide support - We may use Identity Data, Technical Data and Usage Data to provide support to you if you encounter issues with our Services or otherwise need support from us. We may use this data to help identity issues and troubleshoot causes in the course of providing this support.

Process transactions - We may use Identity Data and Financial Data to carry out our role in processing transactions for our core Services. Examples of this would be warning you of entering into arrangements that don't appear financially prudent, informing you about upcoming charges or renewals or attempting to recover monies owed to us.

Provide updates - We may use Identity Data, Technical Data and Usage Data to manage our relationship with you, including notifying you about changes to the Services, or our policies, or security updates on our App.

Communicate and reply to requests - We may use Identity Data, Technical Data and Usage Data to communicate with you, response to requests and repose to requests seeking information.

Administer, protect and improve our Services - We may use Identity Data, Technical Data, Usage Data and Biometric Data (your likeness, for the purposes of verifying your identity) to administer our business, protect our services and operations, comply with legal obligations and better understand usage of our services and apply these learnings to better those services in order to offer an improved service, reliability and/or experience to you.

In the context of providing Services relating to health insurance, to process information relating to health insurance plans relevant to you and/or your family -

We may use Identity Data and Health Data to facilitate the creation of contracts of health insurance where you have explicitly decided to purchase said contract of insurance and share this data with the insurance provider to allow them to provide the service.

In the context of providing Services relating to pensions, verify your identity

We may collect Identity Data and Biometric Data - to match your face with your passport - in order to comply with our legal obligations, such as Anti-Money Laundering and KYC rules, when providing certain financial services such as investment products such as pensions and to use this to facilitate the creation of a membership in a either a private pension or of an occupational or group scheme.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us at [email protected]. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so. Please note that we may process your personal data without your knowledge or consent, in compliance with this Policy, where this is required or permitted by law.

How long we keep your information.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. This means that the period of time for which we store your personal data may depend on the type of data we hold. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. For more information about our data retention policies please contact us at [email protected].

Disclosure of your information

We do not sell your personal information to third parties for marketing purposes. We may disclose information to third parties if you consent to us doing so as well as in the following circumstances:

You agree that we have the right to share your personal information with the following recipients or categories of recipients:

• Any department or authorised person within our company or any member company within our group, which means any subsidiary or holding company within the meaning of sections 7 and 8 of the Companies Act 2014.

Selected third parties including:

• Business and insurance partners, suppliers and subcontractors, including (to the extent applicable to your plan or policies) insurance brokers, agents and underwriters, pension administrators and pension providers, for the performance of any contract we enter into with them or you in relation to the Services;

• Third-party processors that process personal information on our behalf, such as IT service providers who manage our IT and back-office systems and telecommunications networks, accounting and payroll providers, and CRM providers.

• Analytics and search engine providers (e.g Google Analytics, Plausible, Intercom) that provide us with other analytics information and assist us in the improvement and optimisation of our Site and services. You can find out more information about what information Google collects and how it uses and discloses that information here: http://www.google.com/policies/privacy. You can opt out of Google’s collection and processing of data generated by your use of the Services by going to http://tools.google.com/dlpage/gaoptout.;

• Credit reference agencies for the purpose of assessing your credit score to the extent this is a condition of us entering into a contract with you.

We will disclose your personal information to third party recipients:

• in the event that we sell or buy any business or assets, in which case we will disclose your personal data to the prospective seller or buyer of our business or assets.

• if Kota or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets.

• if we are under a duty to disclose or share your personal data in order to comply with any law, legal obligation or court order, or in order to enforce rights under the GDPR or other agreements.

• to protect our rights, property or safety, our customers, or others. This includes exchanging information with other companies and organisations for the maintenance and security of the Site and Services.

International Transfers

Personal Data may be transferred to our trusted partners and service providers who maintain their servers outside of the European Economic Area (“EEA”), where the privacy and data protection laws may not be as protective as those in your jurisdiction. This is only for the purposes of providing, and to the extent necessary to provide, the Services to you. There are special requirements set out under Chapter V of the GDPR (with which we would comply) to regulate such data transfers and ensure that adequate security measures are in place to safeguard and maintain the integrity of your personal data on transfer.

For more information about this and the safeguards in place relating to the transfer, please contact us by email at [email protected].

Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your personal data and rights

Accessing your Personal Data

You may request access at any time to a copy of the personal data we hold about you. Any such request should be submitted to us in writing and sent to [email protected]. We will need to verify your identity in such circumstances and may request more information or clarifications from you if needed to help us locate and provide you with the personal data requested.

There is usually no charge applied to access your personal data (or to exercise any of the other rights). However, if your request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee. Alternatively, we may refuse to comply with your request in these circumstances.

Right of Restriction

You may restrict us from processing your personal data in any of the following circumstances:

• you have contested the accuracy of the personal data we hold on record in relation to you or for a period of time to enable us to verify the accuracy of the personal data;

• the processing of your personal data is unlawful and you request the restriction of use of the personal data instead of its erasure;

• we no longer require your personal data for the purpose of processing but you require this data for the establishment, exercise or defence of legal claims; or

• where you have contested the processing (under Article 21(1) of the GDPR) pending the verification of our legitimate grounds.

Corrections or Erasure (Right to Rectification and Right to Be Forgotten)

If we hold personal data concerning you which are no longer necessary for the purposes for which they were collected or if you withdraw consent for us to process your personal data, you can request the deletion of this personal data. This right, however, will not apply where we are required to process personal data in order to comply with a legal obligation or where the processing of this information is carried out for reasons of public interest in the area of public health. If the personal information we hold about you is inaccurate, you may request to have your personal information updated and corrected. To do so at any time, please contact us by email at [email protected].

Your Right to Object

You have the right to object to the processing of your personal data at any time:

• for direct marketing purposes

• for profiling to the extent it relates to direct marketing

• where we process your personal data for the purposes of legitimate interests pursued by us, except where we can demonstrate compelling legitimate grounds for this processing which would override your interests, rights and freedoms or in connection with the enforcement or defence of a legal claim.

To exercise your right to object at any time, please email [email protected].

Should this occur, we will no longer process your personal data for these purposes unless doing so is justified by a compelling legitimate ground as described above. For more information about our marketing practices, please see the Marketing Communications section below.

Data Portability

Where we process your personal data by automated means (i.e., not on paper) and this processing is based on your consent or required for the performance of a contract between us, you have the right to request from us a copy of your personal data in a structured, commonly used machine-readable format and, where technically feasible, to request that we transmit your personal data in this format to another controller.

Profiling

Profiling is an automated form of processing of personal data often used to analyse or predict personal aspects about an individual person. This could relate to a person’s performance at work, economic situation, health, personal preferences, reliability, behaviour, location or movements. An example of this would be where a bank uses an automated credit scoring system to assess and reject a loan application.

You have the right to be informed if your personal data will be subject to automated decision making, including profiling. You also have the right not to be subject to a decision based solely on automated process, including profiling, where that decision impacts on your legal rights. There are some exceptions to this rule, where, for example, the decision is necessary in connection with the performance of a contract between us, is authorised by law or where you have given your explicit consent to this automated processing. In this case, however, we do not engage in profiling or automated processing for profiling purposes.

Personal Rights

The rights described in this section are personal rights and are exercisable only by the individual person (or data subject) concerned.

Marketing communications

General

We will not use your data to send marketing communications to you about promotions, competitions, updates and new products or services that may be of interest to you, unless we have your permission to do so.

Your right to object

You have the right to object to the processing of your personal data for our marketing purposes. To object or if you change your mind at any later time, you can withdraw your consent to the processing of your personal data for such marketing purposes by contacting us at [email protected]. You may also opt out of receiving marketing communications at any time by selecting the unsubscribe option when you receive an electronic marketing communication from us. The withdrawal of your consent will not impact upon the lawfulness of processing based on your consent prior to the withdrawal.

Third party material

We always endeavour to deal with vendors and other third parties who are GDPR compliant or, in the case of the third parties located outside of the EEA who have adequate security measures in place to safeguard the security of personal data. That said, we, our employees, agents, holding company and subsidiaries, accept no liability whatsoever arising for the content or reliability of any third party materials or websites referenced by hyperlink or other means on the Site or for the data collection and use practices or security measures used by such third parties. If you submit personal data to any of those sites, your personal data is governed by their privacy policy. We encourage you to carefully read their privacy policies.

Changes to this policy

Any changes made to this Policy from time to time will be published at the Site.

Any material or other change to the data processing operations described in this Policy which is relevant to or impacts on you or your personal data, will be notified to you in advance by email. In this way, you will have an opportunity to consider the nature and impact of the change and exercise your rights under the GDPR in relation to that change (e.g., to withdraw consent or to object to the processing) as you see fit.

Questions or complaints

Contact Us - If you have any questions or complaints relating to this Policy, please contact us at:

Yonder Technology Limited, Dogpatch Labs, The CHQ Building, Customs House Quay, Dublin 1, County Dublin, Ireland

Email: [email protected]

Website: https://www.kota.io/

Supervisory Authority - We are committed to complying with the terms of the GDPR and to the processing of personal data in a fair, lawful and transparent manner. If, however, you believe that we have not complied with our obligations under the GDPR, you have the right to lodge a complaint with the Data Protection Commission.

Effective Date of this Policy: October 2023