
Privacy & Data Processing

Onesurance treats privacy as a fundamental right. We process personal and insurance data in accordance with the GDPR, with complete transparency, accountability, and respect for individual rights.

Core principles: Privacy by Design • Transparency • Accountability

GDPR Compliance

Data Protection Officer (DPO)

Contact: onesurance

Responsibilities:

  • Monitoring GDPR compliance

  • Advice on DPIAs

  • Employee training and awareness

  • Contact point for the Dutch Data Protection Authority (AP)

  • Processing requests from data subjects

Status: Certified, independent, reports to management

Legal Foundations

We only process personal data with a valid legal basis:

Contractual necessity - Execution of contracts with customers
Legitimate interest - Service provision, security, fraud prevention
Legal obligation - Laws and regulations
Consent - Specific cases (marketing, optional features)

GDPR Principles in Practice

  • Legitimacy & transparency - Clear communication about data usage

  • Purpose limitation - Data only for specific, legitimate purposes

  • Minimal processing - Only necessary data collected

  • Accuracy - Mechanisms for correcting incorrect data

  • Storage restriction - Defined retention periods, automatic deletion

  • Integrity & confidentiality - Encryption, access controls, monitoring

  • Accountability - Demonstrable compliance through documentation & audits

Rights of Data Subjects

We respect and facilitate all GDPR rights. Response time: within 1 month

Right | Article | Procedure
Information | Article 15 | Privacy notice on website, proactive updates
Access | Article 15 | Via onesurance, ID verification required
Correction | Article 16 | Via email or customer portal, immediate correction
Removal | Article 17 | Free initial application, written confirmation
Restriction | Article 18 | Technical block during dispute/verification
Portability | Article 20 | JSON/CSV/XML export, direct transfer possible
Objection | Article 21 | Balancing test; direct marketing: unconditional
Automated decision-making | Article 22 | Always human-in-the-loop for critical decisions

Contact: onesurance
Identification: Copy of ID required for identity verification
Costs: First application free of charge

Data processing

Processing purposes

We process personal data for:

  • Implementation of our SaaS services

  • Customer support and product development

  • Security and compliance

  • Analytics (anonymized)

Detailed information about processing activities and data categories is available in our Data Processing Agreement (DPA) and upon request at onesurance.

Retention periods

Data category | Retention period | Basis
Customer data | Contract + 30 days | Contractual
Communication | Contract + 1 year | Legitimate interest
Invoices | 7 years | Legal (tax)
Support tickets | 2 years | Legitimate interest
Security logs | 1 year (7 years in case of incident) | Legitimate interest
Marketing data | Until consent is withdrawn | Consent
Analytics (aggregated) | Unlimited | No personal data

Data Protection Impact Assessment (DPIA)

When Executed

  • New technology with high privacy risk

  • Large-scale processing of special categories

  • Systematic monitoring

  • Automated decision-making

Our DPIAs

Scope: AI models, new high-risk processing operations
Latest DPIA: November 2024
Outcome: Acceptable risk with mitigating measures
Measures: Anonymization, aggregation, human oversight
Review: Upon changes or annually

International Data Transfer

Data location

Primary: Azure West Europe (Netherlands)
Backup: Azure West Europe (geographically redundant within the EU)
No transfer outside the EU/EEA

Subcontractors

Microsoft Azure:

  • Location: EU data centers

  • Safeguards: Standard Contractual Clauses

Other vendors:

  • Preference: EU-based

  • New subprocessors: Prior customer approval possible

  • List available: Upon request

Privacy by Design & Default

Design Principles

✓ Proactive (not reactive)
✓ Privacy as default setting
✓ Embedded in design (not an add-on)
✓ End-to-end security
✓ Transparency for users
✓ User-centric

Implementation

  • Minimization: Only essential data fields required

  • Access controls: Least privilege by default

  • Encryption: Default for sensitive data

  • Audit logging: Transparency regarding data access

  • Retention: Automatic deletion

  • Portability: Built-in export functionality

Data breaches & Reporting obligation

Detection & Response

Monitoring: 24/7 security monitoring
Initial assessment: Within 4 hours of detection
AP notification: Within 72 hours (if required)
Parties involved: Immediately in case of high risk

Reporting criteria

Reporting is mandatory in the following cases:

  • Likely risk to the rights and freedoms of data subjects

  • Possible physical, material, or immaterial harm

  • The risk cannot be mitigated by measures already taken

Contact: Proactive communication with customers in the event of an incident

Cookies & Tracking

Cookie categories

Type | Status | Objective
Strictly necessary | Always active | Essential for operation
Functional | Opt-in | User experience
Analytics | Opt-in | Statistics (IP anonymized)
Marketing | Opt-in | Personalization

Consent management: Granular control per category
Withdrawal: Easy withdrawal via settings
No selling: We never sell data to third parties

Processor responsibility

Onesurance Processor

Our role:

  • Processing data only on customer instruction

  • Assisting with GDPR compliance

  • Facilitating the rights of data subjects

  • Assisting with DPIAs

  • Reporting data breaches directly to the customer

Data Processing Agreement (DPA)

Status: Standard DPA available
Compliant with: Art. 28 GDPR
Available upon: Contract signing or upon request

Contains:

  • Subject and duration of processing

  • Type of personal data and data subjects

  • Security measures

  • Subcontractors

  • Audit rights

  • Deletion/return of data

Register of Processing Activities (ROPA)

Scope: All processing activities documented
Update: For new processing activities, review at least once a year
Availability: For supervisory authority upon request

Documented per processing:

  • Purposes and categories of data subjects/data

  • Recipients and transfer to third countries (not applicable)

  • Retention periods

  • Technical and organizational measures

Contact & Transparency

Data Protection Officer:
📧 onesurance
⏱️ Response: Within 5 business days

Languages: Dutch and English
Escalation: Management, in case of dissatisfaction with the DPO's response

Supervisor

Dutch Data Protection Authority (AP)
🌐 autoriteitpersoonsgegevens.nl

Data subjects can file a complaint with the AP if they are dissatisfied with our response.

Privacy Notice

Location: Website, in-app, contract documentation
Updates: Version control, email for material changes
Archive: Previous versions available