PRIVACY POLICY FOR FALCON RISK SERVICES
Last Updated: October 18, 2024
Your privacy is important to us. At Falcon Risk Services (hereinafter referred to as “Falcon”), we are committed to protecting non-public personal information as required by law. This Privacy Policy explains how we collect, use, store, and protect personal information. We are committed to safeguarding privacy and ensuring the confidentiality and security of personal data. Please take a moment to review this policy to understand how we handle information.
What is Personal Information?
In this privacy policy, references to “Personally Identifiable Information (PII)”, “personal information”, or “personal data” are references to information that relates to an identified or identifiable individual. Some examples of personal data are your name, company, e-mail address, address, social security number, and telephone number, but in certain jurisdictions it may also include information such as your IP address and location.
1. Information Collection:
We collect personal information from various sources, including:
- Information provided by you: We collect personal information when you apply for insurance, make a claim, or interact with us in any other way.
- Information from third parties: We may obtain information from third parties, such as brokers, agents, credit agencies, data providers or other insurance companies, to assess risks, underwrite policies, process claims, or comply with legal requirements.
The information we receive about you or from you may be used by us to process your inquiry or request, to comply with any law, regulation, or court order, and to help improve our website or the products or services we offer.
2. Use of Information:
We use the collected information for the following purposes:
- Assessing insurance risks and underwriting policies.
- Processing applications, policy renewals, and policy changes.
- Providing policy quotes and insurance services.
- Evaluating and processing claims, including investigating and settling claims.
- Communicating with you regarding policies, claims, or other insurance-related matters.
- Conducting internal research, analysis, and quality assurance to improve our products and services.
- Complying with legal obligations and regulations.
3. Data Governance, Classification, and Retention:
Falcon implements a data governance framework that includes classifying personal information according to its sensitivity and ensuring that it is retained only as long as necessary for business purposes or as required by law. We have established policies and procedures for securely disposing of data that is no longer needed.
4. Promotional Messaging or Advertising:
Any Promotional Messaging or Advertising material is for general informational purposes only and does not constitute an offer to sell or a solicitation of an offer to buy any product or service.
5. Information Sharing:
We are committed to ensuring the privacy and security of our customers’ personal data. Falcon adheres to strict privacy standards, including limiting data access to authorized personnel and implementing encryption for sensitive data. We do not share customer data with third parties without consent, except as required by law or necessary to provide services.
We may share personal information with the following categories of third parties:
- Service Providers: We may engage trusted third-party service providers to assist us in delivering our services, such as claims adjusters, reinsurers, IT providers, or legal advisors.
- Business Partners: We may share information with our business partners when necessary to provide you with requested services or products. For example, Falcon may share the information with a Third-Party Administrator in order to process the claim. The information may be shared with another carrier in a subrogation situation. It may also need to be shared with a state regulator upon request.
- Regulatory Authorities: We may disclose information to comply with legal obligations or respond to regulatory or government requests, such as reporting claims data to insurance regulators.
- Affiliated Companies: We may share information with our affiliated companies for administrative purposes or to offer you related products or services that may be of interest to you. We will only do so if permitted by applicable law or with consent, if required.
- If Personal Information is provided to any of these third parties, we will require that they maintain such information in strictest confidence in compliance with this policy.
- We will not add your name to mailing lists unless you specifically request that we do so. We do not share, sell, lease, or rent our mailing or customer lists to third parties with the exception of the third parties noted previously in this section.
6. Data Security:
We implement appropriate technical and organizational measures to protect personal information from unauthorized access, disclosure, alteration, or destruction. These measures include:
- Secure storage and transmission: We use industry-standard encryption and secure storage systems to protect data.
- Access controls: Access to personal information is restricted to authorized personnel on a need-to-know basis. We enforce the principle of least privilege and require multi-factor authentication (MFA) for accessing critical systems. Regular reviews of access privileges are conducted to ensure they align with current job responsibilities.
- Regular security assessments: We conduct regular assessments of our systems and procedures to identify and address vulnerabilities.
- Employee training: We provide training to our employees on data protection and privacy best practices.
7. Individual Rights:
You have certain rights regarding your personal information, including:
- Right to access: You can request a copy of the personal information we hold about you.
- Right to rectification: You can request the correction or update of inaccurate or incomplete information.
- Right to erasure: You can request the deletion of your personal information, subject to legal obligations or legitimate interests.
- Right to object: You can object to the processing of your personal information for certain purposes, such as direct marketing.
8. Ability to Opt-in/Out:
If we propose to use your personal information for any purposes other than those described in this Policy and/or in the specific service notices, you may "opt-out"—or say no to—having your information shared by contacting us through details provided at the end of this Privacy Policy. We will not collect or use sensitive information for purposes other than those described in this Policy and/or in the specific service notices unless we have obtained your prior consent.
If you do choose to decline to submit personal information to any of our services, there may be some instances in which we may not be able to provide those services to you.
9. Cookies and Tracking Technologies:
This website may use "cookies" to enhance your viewing experience. A cookie is a tiny element of data that is sent to your browser to be stored on your hard drive so that we can recognize you when you return. You may set your browser to notify you when you receive a cookie and either accept or decline the cookie. You may also delete all cookies from your browser’s history at any time.
Please note, if you reject or delete cookies stored from this website, it is possible that some web pages may not load properly, your access to certain information might be denied, or you might be required to enter information more than once.
10. The Health Insurance Portability and Accountability Act of 1996 (HIPAA):
Falcon is required by law to take reasonable steps to ensure the privacy of your personally identifiable health information, and to inform you about:
- The Company's uses and disclosures of Protected Health Information ("PHI");
- Your privacy rights with respect to your PHI;
- The Company's duties with respect to your PHI;
- Your right to file a complaint with the Company and to the Secretary of the U.S. Department of Health and Human Services ("HHS"); and
- The person or office to contact for further information regarding the Company's privacy practices.
11. State Specific Privacy Laws:
Many states and territories have their own privacy regulations which apply to individuals and corporations that live or do business in, frequent, or offer goods and services to their residents. The individual laws of these states vary, and as such you should familiarize yourself with your individual state laws.
Addendum 1, which can be found at the end of this notice, summarizes each current state privacy regulation.
12. Special Disclosures:
Collection of Information from Children
Our Services and Site are not directed at children under the age of 13, and we do not knowingly collect Personal Information from children under the age of 13. It is our procedure to promptly delete any Personal Information collected from a child under the age of 13 upon discovery of such a circumstance. If you believe that we may have collected Personal Information from a child under the age of 13, please contact us using the contact information at the end of this Policy and we will take appropriate steps to rectify this inadvertent collection.
For more information about protecting your child's privacy online, visit the Federal Trade Commission website at https://www.ftc.gov.
13. Other Considerations:
When you use some Falcon products, services, or applications or post on a Falcon forum, chat room, or social networking service such as Facebook, Twitter, or other such social media sites, the personal information and content you share is visible to other users and can be read, collected, or used by them.
14. Policy Updates:
This privacy policy may be updated periodically. You are encouraged to review the policy periodically to stay informed about how your personal information is handled.
15. Contact Information:
If you have any questions or comments in regard to this privacy statement, or if you have any concerns as to the validity of information made available within these pages, we recommend you seek verification by contacting us via our ‘Contact Us’ page or via Compliance@falconriskservices.com.
Please note that we may update and modify this Privacy Statement. It remains your responsibility to access and check these terms and conditions whenever you access the Website as the latest version of these terms and conditions will govern. We do not accept any liability for any errors or omissions.
Email: Compliance@falconriskservices.com
Postal Address:
Falcon Risk Services
Attn: Compliance Division
225 Liberty St
Floor 36
New York, NY 10281
Addendum 1
California Privacy Rights
California Civil Code Section 1798.83 and the California Consumer Privacy Act (CCPA) permit users of our Website who are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. The CCPA also provides California residents the right ‘To Be Forgotten’ by a company.
A California resident has the right to know what Personal Information is collected, used, disclosed, or sold, to delete any Personal Information collected, to opt-out of the sale of Personal Information, and to not be discriminated against for exercising such rights.
Right to Know
A California resident has the right to request that we disclose what Personal Information we collect, use, disclose or sell. You may request that we disclose the following information upon receipt of a verifiable consumer request:
- The categories of Personal Information collected and categories of sources from which the Personal Information is collected;
- The business or commercial purpose for collecting or selling Personal Information;
- The categories of third parties with whom we share Personal Information; and
- The specific pieces of Personal Information we have collected about you.
Right to Delete
As a California resident, you have the right to request that we delete any Personal Information about you which we have previously collected. If it is necessary for us to maintain the Personal Information for certain purposes, we are not required to comply with your deletion request. If we determine that we will not delete your Personal Information when you request us to do so, we will inform you and tell you why we are not deleting it.
Right to Opt-Out of Sale of Personal Information
We do not sell Personal Information, including the Personal Information of minors under the age of 16. However, pursuant to applicable law, a California resident may request that their information not be sold in the future. To do so please send a request via our ‘Contact Us’ page.
No Discrimination
You have the right not to be discriminated against because you exercised any of your rights under the CCPA.
If you would like to exercise any such rights, please send a request via our ‘Contact Us’ page.
Virginia Consumer Data Protection Act
The Virginia Consumer Data Protection Act (VCDPA) provides consumers with certain rights related to their personal data. Under the Act, these rights include:
- The right to know, access, and confirm personal data;
- The right to delete personal data;
- The right to correct inaccuracies in personal data;
- The right to data portability (i.e., easy, portable access to all pieces of personal data held by a company);
- The right to opt-out of the processing of personal data for targeted advertising purposes;
- The right to opt-out of the sale of personal data;
- The right to opt-out of profiling based upon personal data; and
- The right to not be discriminated against for exercising any of the foregoing rights.
Colorado Privacy Act
The Colorado Privacy Act (CPA) provides consumers with certain rights related to their personal data.
The CPA provides five main rights for the consumer.
Right of Access
You have the right to confirm whether a controller is processing your personal data and to have the sole right to access your personal data.
Right to Correction
You have the right to correct inaccuracies in any personal data, taking into account the nature of the personal data and the purposes of the processing of your personal data.
Right to Delete
You have the right to delete personal data concerning you as the consumer.
Right to Data Portability
You have the right to obtain your personal data in a portable and, to the extent technically feasible, readily usable format that allows you, the consumer, to transmit the data to another entity without hindrance.
Right to Opt-Out
You have the right to opt out of the processing of your personal data for purposes of:
- targeted advertising;
- the sale of personal data; or
- profiling in furtherance of decisions that produce legal or similarly significant effects on you as the consumer.
Right to appeal
The CPA also provides you the right to appeal a business’ denial to take action within a reasonable time period. A business must respond to a request within 45 days of receipt and may subsequently extend that deadline by an additional 45 days when reasonably necessary. When a business elects to extend that deadline, it must notify you within the initial 45-day response period.
If you are a Colorado resident and would like to exercise any such rights, please send a request via our ‘Contact Us’ page.
Massachusetts Information Privacy Act
MGL c.214, § 1B Right of Privacy of the Massachusetts Information Privacy Act (MIPA) provides that any Massachusetts resident (resident) shall have a right against unreasonable, substantial, or serious interference with his privacy. Information may only be collected with the resident’s express permission and any company that holds such information must immediately delete it upon a request to do so from the impacted resident.
To make any such request as a resident of the Commonwealth of Massachusetts, please send a request via our ‘Contact Us’ page.
Connecticut Data Privacy Act
The Connecticut Data Privacy Act (CTDPA) gives Connecticut residents certain rights over their personal data and establishes responsibilities and privacy protection standards for data controllers that process personal data. It protects a Connecticut resident acting in an individual or household context, such as browsing the Internet or making a purchase at a store.
What is considered personal data?
Personal data is any information that can be linked to an identifiable individual, excluding publicly available information. Examples of personal data include: a home address, a driver’s license or state identification number, passport information, a financial account number, login credentials, and payment card information.
Access
Consumers have the right to confirm whether a controller is processing their personal data and access such personal data, unless such actions would reveal a trade secret.
Correction
Consumers have the right to correct inaccuracies in their personal data (with some limitation).
Deletion
Consumers have the right to delete personal data provided by or about the consumer.
Data Portability
Consumers have the right to obtain a portable copy of their personal data to the extent technically feasible and provided the controller will not be required to reveal any trade secret.
Opt-Out of Certain Data Processing
Consumers have the right to opt out of the processing of personal data for purposes of:
- targeted advertising;
- the sale of personal data; or
- profiling in connection with automated decisions that produce legal or similarly significant effects concerning the consumer.
Designation Rights
Consumers have the sole right to designate another person as an authorized agent to exercise the right to opt out on their behalf.
To make any such request as a resident of the State of Connecticut, please send a request via our ‘Contact Us’ page.
The Utah Consumer Privacy Act
The Utah Consumer Privacy Act (UCPA) is applicable to the following:
- Any controller or processor who:
  - Conducts business in the state of Utah; or
  - Produces a product or service that is targeted to consumers who are residents of the state of Utah.
- Any owner of the information (Consumer) who:
  - Is a resident of the state of Utah; or
  - Is provided a good or a service from a business that conducts its business in the state of Utah.
Under the UCPA, a consumer has the right to:
- Confirm whether a controller is processing the consumer's personal data.
- Access the consumer's personal data.
- Delete the consumer's personal data that the consumer has provided to the controller.
- Obtain a copy of the consumer's personal data, that the consumer previously provided to the controller, in a format that:
  - is portable;
  - is readily usable; and
  - allows the consumer to transmit the data to another controller without impediment.
- Opt-out of the processing of the consumer's personal data for purposes of:
  - targeted advertising; and/or
  - the sale of personal data.
Texas Data Privacy and Security Act
The Texas Data Privacy and Security Act (TDPSA) regulates the collection, use, processing, and treatment of consumers’ personal data and provides residents the following rights:
- Confirm whether a controller is processing personal data and be provided the ability to access the personal data.
- Correct inaccuracies in their personal data.
- Delete personal data provided by or obtained about the consumer.
- Obtain a copy of their personal data, if available, in a portable and readily usable format.
- Opt-out of processing personal data for targeted advertising, the sale of personal data, or its use for profiling.
All data subject or opt-out requests must be addressed “without undue delay,” but no later than 45 days after the receipt of the request. Furthermore, a data subject or opt-out request must be provided free of charge at least twice annually per consumer.
The law applies to those who conduct business in the state of Texas or produce a product or service consumed by residents of the state of Texas; process or engage in the sale of personal data; and are not a small business, as defined by the U.S. Small Business Administration.
Texas Data Privacy Law Requirements
The TDPSA outlines duties for controllers related to collecting personal data, including limiting collection to what is adequate, relevant, and reasonably necessary, and requiring them to establish data security practices.
Controllers cannot:
- Collect personal data for reasons not disclosed to the consumer without consent.
- Process data in violation of state and federal laws that prohibit unlawful discrimination or discriminate against a consumer for exercising their rights.
- Process sensitive data without consent or process sensitive data of a child unless it's in accordance with the Children’s Online Privacy Protection Act of 1998 (COPPA).
Florida Data Privacy Law
The Florida Digital Bill of Rights applies to any person that:
- Conducts business in Florida or produces products or services "used" by Florida residents, and
- Processes or engages in the "sale" of personal data.
Definition of a Controller
A "controller" is an entity that:
- Is organized or operated for the profit or financial benefit of its shareholders or owners.
- Conducts business in the state of Florida.
- Collects personal data about consumers or is the entity on behalf of which such information is collected.
- Determines the purposes and means of processing personal data about consumers alone or jointly with others.
- Makes in excess of $1 billion in global gross annual revenues.
Definition of a Processor
A "Processor" is defined as a person, entity or otherwise who processes personal data on behalf of a controller.
Duties of a Controller
Controllers are required to provide consumers with a reasonably accessible and clear privacy notice, which, among other things, discloses:
- The categories of personal data processed by the controller.
- The purpose of such processing.
- How consumers may exercise their privacy rights.
- How controller processes personal data to the extent such processing is "reasonably necessary and proportionate" and "adequate, relevant, and limited to what is necessary" for the certain specified purposes.
- How controller has implemented reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data and reduce reasonably foreseeable risks of harm to consumers.
- How controller has conducted and documented data protection assessments in connection with certain processing activities, such as processing personal data for targeted advertising or certain profiling purposes, selling personal data, processing sensitive data, or any other processing activity that presents a heightened risk of harm to consumers.
- That controller will review and update the privacy notice at least annually.
Consumer Rights and Requests
- The right to access and obtain a copy of any data that the controller may hold.
- The right to delete or correct inaccuracies in their personal data.
- The right to opt-out of the selling and/or sharing of personal data for targeted advertising, including removal of personal data from voice or facial recognition technologies.
- Permits parents and guardians to exercise rights on behalf of their children.
A controller must respond to a consumer's request to exercise their right within forty-five (45) days of receipt of such request. If the controller denies the consumer's request, the controller must offer a right of appeal that is conspicuously available and similar to the process for submitting a consumer request.
Selling Personal Data
The Florida Digital Bill of Rights defines the "sale of personal data" as "the sharing, disclosing, or transferring of personal data for monetary or other valuable consideration by a controller to a third party".
The transfer of personal data is not considered a sale of personal data under the following circumstances:
- To a processor that processes personal data on behalf of the controller.
- To a third party for purposes of providing a product or service requested by the consumer.
- That the consumer intentionally made available to the general public through a mass media channel and did not restrict to a specific audience.
- To a third party as an asset that is part of a merger or an acquisition under the condition of a non-disclosure agreement.
Targeted Advertising
Targeted advertising is defined as displaying to a consumer an advertisement selected based on personal data obtained from that consumer's activities over time across affiliated or unaffiliated websites and online applications used to predict the consumer's preferences or interests.
A consumer may opt-out of any and all targeted advertising as described previously.
Consumer's Right of Action
If a consumer is not satisfied by any response or action by a data controller or processor, the consumer may file a formal complaint with the Florida Department of Legal Affairs. The Florida Department of Legal Affairs can bring action against violators for an unfair or deceptive act or practice.
Oregon Consumer Privacy Act
To whom does the Oregon Consumer Privacy Act (OCPA) apply?
The OCPA imposes transparency and disclosure obligations on a "controller" (an individual or legal entity who, "alone or jointly with another person, determines the purposes and means for processing personal data") who either:
- Conducts business in Oregon; or
- Produces products or services that are targeted to the residents of Oregon;
and a for profit or non-profit entity that during a calendar year:
- Controls or processes personal data of not less than 100,000 Oregon residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controls or processes personal data of not less than 25,000 Oregon residents and derives more than 25 percent of its gross revenue from the sale of personal data.
What rights does the OCPA grant to consumers?
The Oregon Consumer Privacy Act grants residents acting in an individual context ("consumers") certain access and control rights concerning their personal data. Consumers do not include those in a commercial or employment context.
A consumer may submit authenticated requests to a controller to:
- Confirm whether the controller is processing the consumer's personal data;
- Obtain a copy of the consumer's personal data (i.e., data portability);
- Correct inaccurate personal data of the consumer;
- Delete personal data about the consumer;
- Disclose, at the controller's discretion, the list of third parties to whom the controller has disclosed the consumer's, or any consumer's personal data;
- Opt-out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer (profiling); and
- Revoke previously given consent to process the consumer's personal data, which must be honored within 15 days of receiving the request.
A controller must respond to consumer requests to exercise their rights granted by the statute within 45 days. The OCPA also grants consumers the right to appeal the controller's refusal to take action on requests to exercise their rights. A controller must respond to an appeal in writing within 45 days and, if the appeal is denied, the controller must provide the consumer with a method for contacting the Oregon Attorney General.
What obligations does the OCPA impose on controllers and processors?
The OCPA applies to "personal data." Personal data is defined as any information that is linked or reasonably linkable to a consumer or to a device that is reasonably linkable to a consumer. The definition of personal data notably excludes de-identified data or publicly available information.
Controllers will limit the collection of personal data to what is adequate, relevant, reasonably necessary, and proportionate in relation to the purposes for which the personal data is processed and establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and security of consumers' personal data; and disclose if the controller sells consumers' personal data to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out.
What obligations does the OCPA impose on Processors?
A processor must assist the controller in meeting its obligations under the act, including its obligations regarding consumer rights requests and security of data processing.
Disputes Concerning Consumer Data Privacy
If the consumer is not satisfied with a response or action of a controller, a formal complaint may be filed with the Oregon office of the Attorney General (AG).
Montana Consumer Data Privacy Act
Who does the Montana Consumer Data Privacy Act (MCDPA) apply to?
The MCDPA imposes transparency and disclosure obligations on a "controller" (an individual who or legal entity that, alone or jointly with others, determines the purpose and means of processing personal data) who either:
- Conducts business in Montana; or
- Produces products or services that are targeted to the residents of Montana;
- Controls or processes personal data of not less than 50,000 Montana residents, excluding personal data controlled or processed solely for the purpose of completing a payment transaction; or
- Controls or processes personal data of not less than 25,000 Montana residents and derives more than 25% of its gross revenue from the sale of personal data.
What rights does the MCDPA grant consumers?
The MCDPA grants Montana residents acting in an individual context, ("consumers"), certain access and control rights concerning their personal data. Consumers do not include those in a commercial or employment context.
A consumer may submit authenticated requests to a controller to:
- Confirm whether the controller is processing the consumer's data.
- Provide access to the consumer's data.
- Correct inaccurate personal data of the consumer.
- Delete personal data about the consumer.
- Obtain a copy of the consumer's personal data (i.e., data portability).
- Opt-out of the processing of the consumer's personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
A controller must respond to consumer requests to exercise their rights within 45 days. Furthermore, a consumer is granted the right to appeal a controller's refusal to take action on requests to exercise their rights. A controller must respond to an appeal in writing within 60 days and, if the appeal is denied, the controller must provide the consumer with a method for contacting the Montana Attorney General.
What obligations does the MCDPA impose on controllers?
Controllers will limit the collection of personal data to what is adequate, relevant, reasonably necessary, and proportionate in relation to the purposes for which the personal data is processed and establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and security of consumers' personal data; and disclose if the controller sells consumers' personal data to third parties or engages in targeted advertising, and provide consumers an opportunity to opt out.
What obligations does the MCDPA impose on Processors?
A processor must assist the controller in meeting its obligations under the act, including its obligations regarding consumer rights requests and security of data processing.
Disputes Concerning Consumer Data Privacy
If the consumer is not satisfied with a response or action of a controller, a formal complaint may be filed with the Montana Attorney General Investigations and Enforcement unit.