Date last revised: April 2023

DIESTA LIMITED (we/us/our) process personal data in connection with providing our premium transactional data services to our clients only. We are committed to protecting all personal data we process in connection with performing our business.

We process personal data in accordance with this privacy policy, applicable data protection laws, the Information Commissioner's Office (ICO) guidance or best practice, and in accordance with the requirements of our contracts agreed with our broker, insurer, MGA or other insurance clients.


This policy sets out how we process personal data. As we do not provide payment services to data subjects or individual policyholders, we do not capture personal data from data subjects directly, so this policy is published on our website at but is not directly accepted by individuals - it applies to individuals who use our website and you are deemed to have accepted its terms by visiting. We process personal data as a data processor on behalf of our customers, who are either data controllers or data processors. We are only a data controller in connection with personal data collected about website users.


This policy is not intended to be a contractual document unless expressly stated in any relevant contract we enter into.


Terms used within this policy shall have the meaning(s) given in the Data Protection Act 2018 (Act), the EU General Data Protection Regulation (2016/679) (GDPR) and/or the UK GDPR, as applicable.


Any changes or updates we make to this policy will be posted on this page. Any changes will apply when you continue to work with us after the date of the relevant change, so you may need to update policyholders directly.


If you have any queries relating to this policy, please contact us at


2.1 For the purposes of the Act, the data controller will be our customer. Diesta Limited (number 13969906) is a data processor only and our registered office is at 29 Gildredge Road, Eastbourne, East Sussex BN21 4RU.


We are registered with the ICO to process personal data and our registration number is ZB336764.


All personal data that we process is held and stored by us in our internal management systems on servers located either within the UK or the wider EEA. All of our staff who process, or are likely to process, personal data are UK based.


We do not process personal data on the basis of consent. Personal data is processed by us to perform our contract with our insurer, broker and MGA clients and provide our automated payment processing services and to process premium transaction data.


All personal data we process is reasonable and necessary to enable us to perform the above summarised services.


We do not contract with policyholders directly. If you work with us, you must notify policyholders and other data subjects with whom you enter into insurance contracts, and whose personal data you process, that you use our services, that you transfer their personal data to us and that we will process their personal data.


We do not pass personal data to third parties; we don't sell personal data to third parties, including claims management companies or marketing agencies, for any purpose at any time.


We process personal data contained in policyholder, bordereaux and banking reports provided to us by our broker, insurer or other clients. These reports contain limited personal data relating to the policyholder, such as names and addresses only. We do not capture or receive any personal data relating to information used by insurers or brokers to quote and bind insurance policies.


The majority of insurance policies underwritten or incepted by our clients are non-consumer - only around 5% relate to individual, consumer policyholders. This further limits the volumes of personal data we actually process.


We do not receive bank, credit card or other payment details from policyholders directly, nor do we hold or receive premiums. We therefore sit outside of the flow of premium funds, and any payment details captured from policyholders by our broker or insurance clients will be retained by their authorised payment gateways (e.g. STRIPE, WorldPay, PayPal, etc.). We do not get access to that personal data at any time; the only bank details we process relate to our business and SME clients, not bank or card details belonging to individuals.


We do not process any personal data relating to insurance claims or insurance policy complaints.


We also collect personal data from website users through cookies and Google Analytics, a web analytics service provided by Google, Inc. (Google). Google Analytics uses "cookies", which are text files placed on your computer to help analyse how you use the Diesta website. The information generated by the cookie about your use of Diesta's website (including your IP address) will be transmitted to and stored by Google on servers in the USA. Google will use this information for the purpose of evaluating your use of our website, compiling reports on your activity for us and providing other services relating to website activity and internet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this your ability to use our website may be restricted. By using Diesta's website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.


We automatically collect technical information about the device you use to visit our website, including your IP address, browser type / version and related settings. We also use cookies to monitor website use and how you interact with it.


5.1 We use personal data contained in reports provided to us to perform the following data analytics services and functions:

  • (a) automating client internal reconciliation processes;
  • (b) streamlining multi-entity reconciliation and report production; and
  • (c) aggregation level data for analytics and insights.

In all cases, the personal data we process is returned to our customer who disclosed it to us. We do not pass the contents of any reports to third parties unless contractually agreed with our customer.


We do not use third parties to process any personal data on our behalf in connection with our services, our software, web portal or our contracts. Only our Cloud-hosting services provider is engaged to process our personal data at any time and they are based in the UK and Ireland.


Data subjects can contact us directly at any time to ask us to clarify what personal data (if any) we hold about them, how it was obtained and why we use it. Where we do process any of their personal data, they can ask us to amend any inaccurate data, delete data they think we no longer need, or to reduce the circumstances in which we process it.


We can provide support to our customer in connection with any rights exercised by data subjects at any time. Any support we do provide is as agreed with our customer in our customer agreement or other relevant contract.


We have the capacity to extract personal data from our databases, but as we do not capture personal data directly, any data we process duplicates personal data processed by our broker or insurer clients contained in the relevant bordereaux (or other) reports we receive from them, and you will need to also ask them to delete your personal data (if required). We cannot ask our customer to do that on your behalf.


If you wish to exercise your rights at any time, please contact us on the details set out at the beginning of this policy. We will require you to verify your identity to us before we can provide any personal data to you, and we reserve the right to ask you to specify the types of personal data you want to see. We may also notify our customer, if you have not already done so.


You have the right to ask for copies of your personal data we store and use. This is your right of access, also known as making a subject access request or SAR. We’ll normally respond at the latest within one calendar month of receiving your request. There may be times where we need longer or we may need to charge a reasonable fee for admin costs. Please download, fill and email the relevant word form (here) to