Privacy Notice for Research Participants


Last Updated: 28 September 2023


About This Notice

This Privacy Notice sets out how Humn.ai Limited (Humn, we, our, us) will process your personal data in relation to research and user experience surveys. This includes personal data relating to research and survey participants.

Research is a systematic investigation into a particular subject using data collection, analysis  and interpretation of information. Humn.ai conducts research for behavioural insights and user experience. Information collected during your interactions with us as part of research activities will be used in accordance with the participant information provided to you for the particular research study you are participating in.

Please refer to this for information about the study including, the purpose of the study, the criteria for participating, what is involved in participating, and the outputs of the study.

How We Receive This Information

We collect personal information directly from you through interactions with you as part of the research activity. This will typically be done in person, by telephone, e-mail, survey, webform or through video conferencing software.  

The Personal Information We Collect

The information collected will be determined by the research being undertaken.

Basic Categories Data

  • Biographical information such as your name, title, date of birth, age, occupation;
  • Personal contact information such as home address, personal email address, telephone number;
  • Professional contact information such as the name of your employer, work address, work e-mail and telephone number;
  • Online and transactional information such as details of your IP address and interactions that you have with our websites and digital platforms including email open rates;
  • Telematics data (if applicable for the type of research) such as GPS location, time and date, direction of travel, speed, accelerometer data, advanced Driver assistance systems data;
  • Vehicle data such as registration, VIN, make and model;
  • Your opinions and preferences;
  • Your experience of insurance such as purchasing insurance and making claims;
  • Your driving behaviour and habits such as how many miles you drive.

Special Categories Data

Special Categories data that we process include:
  • Health Information or philosophical beliefs, if you provide any information as part of your answers during the research.

Criminal Offence Data

Some studies may involve questions around criminal offence data such as if you have been in a road traffic accident or if you have any endorsements on your license. If we seek to process this data we will be relying upon a condition under Schedule 1 Part 1(1) of the Data Protection act 2018.  

If you would like further information in relation to how we process this information in particular you can request a copy of our Special Categories and Criminal Offence Data Processing Policy from the Data Protection Office whose details are set out below.

What We Use Your Data For

Whenever we process personal data we must have a legal basis in order to do so. Please refer to the sections below to find out more about our processing activities.

Consent

We will gather your consent to participate in the research including the use of audio and video recordings of any interview sessions. Please note that when we rely on consent as the legal basis upon which we process your personal data then you may withdraw your consent at any time. In order to affect this right please contact the Group Data Protection Officer whose details can be found below.

Legitimate Interest

We will process your personal information as part of the research:
  • In furtherance of our commercial activities such as to maintain and manage our business operations, management reporting information and internal process requirements;
  • To develop existing and new products and services;
  • To communicate with you about our research projects and surveys and any queries you raise with us.
Where we rely on this lawful basis, we conduct a balancing exercise to ensure that our interests are proportionate and do not override your rights and interests as a data subject.  In some instances, you also have the right to object to this kind of use. If you wish to object to this type of processing please contact the Data Protection and Privacy Office details of which can be found below.

Legal or Regulatory Obligation

  • To fulfil our obligations as an entity regulated by the Financial Conduct Authority (FCA) and The Financial Ombudsman Service;
  • To fulfil your data rights under data privacy laws, handle complaints about data privacy or our insurance products and services and to comply with other legal requirements.
In this respect, please note that we may have to process your data to comply with other legal obligations such as requests from law enforcement agencies or other international and national governmental and regulatory bodies. This will be covered more fully in the section below regarding “Data Sharing”.

Data Sharing

We may share your information with:
  • Regulators who govern how we operate, including the FCA, PRA, FOS, HMRC, ICO and the Advertising Standards Authority;
  • The police, courts and other third parties or law enforcement agencies where reasonably necessary for the prevention or detection of crime;
  • Any personal representatives appointed by you to act on your behalf;
  • Legal advisers, accountants, auditors, financial institutions and professional service firms who act on our or your behalf, or who represent a third-party claimant;
  • Our third-party services providers such as IT suppliers;
  • Third parties in connection with any sale, transfer, or disposal of our business;
  • Other entities within the Humn Group;
  • We may also disclose your personal information to other third parties where the disclosure is required by law or by a regulator with authority over us on the grounds of substantial public interest.
If you would like further details in relation to how we share your information and with whom please contact the Data Protection and Privacy Office, details of which can be found below.

Automated Decision Making and Profiling

Any automated decision making and profiling will be dependent on the research being undertaken. You should refer to the participant information provided to you when you signed up to participate in the research. This will confirm whether this type of processing is applicable for the study you are taking part in.  

You have the right to contest any decision produced by a solely automated means and request for human intervention. In order to affect this right please contact the Data Protection and Privacy Office details of which can be found below.

Transferring Data Internationally

Data protection law places restrictions on transferring personal data outside of the United Kingdom (UK) and the European Economic Area (EEA).

There may be circumstances where we transfer information to our service providers in countries outside the UK and the EEA. If we do so, then your personal data will only be transferred on one of the following bases:  
  • where the transfer is subject to one or more of the "appropriate safeguards" for international transfers prescribed by applicable law (e.g. Data Transfer Assessments and Standard Contract Clauses adopted by the European Commission and/or the UK IDTA and UK Addendum as adopted by the UK Government);
  • a European Commission or UK Government decision provides that the country or territory to which the transfer is made ensures an adequate level of protection; or
  • there exists another situation where the transfer is permitted under applicable law (for example, where we have your explicit consent).

Marketing Activities

We will only send you marketing information if you consent to receive such material. If you do choose to stop receiving marketing communications from us, we will ensure that you do not receive such material going forward unless you specifically request it in the future.

Security Measures

The safety and security of your data is important to us. As such we are committed to applying the appropriate technical and organisational security measures to meet our legal and regulatory obligations. Our Data Protection Policy and Protocols ensure the principles of Confidentiality, Integrity and Availability form the core structure of our service offering. Our security controls include the following:
  • Identity and Access Management, based on strong Authentication (SSO and a Zero Trust Model) and Role-Based-Access-Control to enforce granular access to data;
  • Data Loss Prevention, through Backup & Recovery standards as well as Business Continuity & Disaster Recovery procedures;
  • Encryption and Anonymisation, leveraging AES-256 based data encryption at rest and TLS v1.3 for data in-transit, whilst utilising SHA256 for PII hashing.


How Long We Keep Your Data For

We will retain your Personal Data for as long as is reasonably necessary for the purposes explained in this Notice.  

The participant information provided to you for the particular research you are participating in will explain the length of time for which we expect to keep your data in identifiable form, and why we retain it for this period. This will also include information about the duration of the research and whether we will anonymise data to retain statistical information regarding the study and outcomes.

In some cases we may retain your Personal Data for longer periods of time so that we have an accurate record of your dealings with us in the event of any complaints or challenges, or if we reasonably believe there is a prospect of litigation relating to your relationship with us. Where your Personal Data is no longer required we will ensure it is either securely deleted or stored in away that no longer identifies you.  If you would like further details regarding our records retention then please contact the Data Protection and Privacy Office details of which can be found below.

Your Rights Under The Law

Under data protection legislation you have the following rights:
  • The right to be informed – We are required to provide individuals with clear and precise transparency information regarding who we are and what we do with your data. This Privacy Notice along with other transparency information gives effect to this right;
  • The right of access – Individuals have the right to access and receive copies of their personal data alongside other supplementary information as required. If you wish to affect this right please contact the Group Data Protection Officer on the details provided below;
  • The right to rectification – Individuals have the right to ensure that the information that we hold about them is accurate. If you believe that the personal information that we hold about you is inaccurate or incomplete, then please contact us to request that we amend or update our records;
  • The right to erasure – You have the right to request that all data pertaining to you be erased from our systems. Please note that there are certain circumstances where this request may not be possible. If we are unable to comply, we will issue you with meaningful information regarding why this is the case;
  • The right to restriction of processing – There may be circumstances where we will restrict the processing of your data. For example, if we are investigating a claim that your personal information is no longer accurate or you object to the processing taking place;
  • The right to data portability - You have the right to request that your information be compiled into a common, machine-readable format and either provided directly to you or sent by us to a third-party you nominate. If this is not possible, we will issue you with information setting out why this cannot be done;
  • The right to object – You have the right to object to us processing your data or a category of data that we hold about you. If we are unable to comply with your request, we will issue you with meaningful information regarding why this is the case;
  • Rights in relation to automated decision making and profiling – As set out above you have the right to request human intervention into any process involving automated decision - making or profiling where that processing results in legal or similarly significant effects. Please note that this right would not apply to underwriting decisions as this automated decision-making is required for entering into the insurance contract however, we would be happy to review your case and provide you with further information regarding the process and your case.
Please note that the above rights are not absolute and requests may be refused where exemptions apply. You can find out more about your rights at www.ico.org.uk

Contact Humn

If you would like further information regarding this Privacy Notice or you would like to exercise any of your data rights, you can contact the Data Protection and Privacy Office by email at privacy@humn.ai  or in writing to:
FAO The Group Data Protection Officer
Humn.ai Ltd
C/O Onside Accounting
Arquen House
4-6 Spicer Street
St. Albans
England
AL3 4PQ

Changes To This Notice

Humn reserve the right to amend this policy at any time without notice in response to changes in data protection legislation and our legal and regulatory obligations. We recommend that you check our privacy page on a regular basis to ensure that you are aware of any changes which may affect you.