Introduction

This Privacy Notice explains how MLP Newco 1 Limited, which is sometimes referred to as “MLP”, MLP Newco 1” or “Machine Learning Programs” (referred to in this notice as “MLP”, “we” or “us”), collects and processes your personal data through use of our website.

We are established in the United Kingdom and registered with the UK Information Commissioners Office (ICO).

By providing us with your data, you warrant to us that you are over 13 years of age.

MLP is the data controller of personal data collected on this site.

MLP are also an appointed data processor to several data controllers. We have strict data processing agreements and contracts in place with these data controllers which detail our obligations and requirement to process personal data of individuals under their explicit instruction.

We have an appointed Data Protection Officer who handles privacy related matters. If you have any questions about this privacy notice, or the way your data is being processed, its accuracy, etc., please contact our Data Protection Officer using the details set out below.

Postal Address
The Data Protection Officer
Open GI Limited
Buckholt Drive
Warndon
Worcester
WR4 9SR

Telephone
UK – 01905 754455

Email
dpo@opengi.co.uk

What is personal data

Personal data is any data that is capable of directly or indirectly identifying a living individual.

Anonymised data, or any other type of data that cannot be used to identify an individual is not considered personal data.

Here is the meaning of personal data as defined in the UK and EU GDPR:

“personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “

In addition to this, there are “Special Categories” of personal data. In earlier regulations these were referred to as sensitive personal data. These data categories cover:

  • race
  • ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data
  • biometric data (where this is used for identification purposes)
  • health data
  • sex life
  • sexual orientation

What data we collect and why

Here at MLP we provide machine learning and artificial intelligence services to the general insurance and financial service markets to help identify predictive behaviours and generate powerful insights from both complex and combined datasets. For the purposes of these engagements, we act as a Data processor under strict contractual instructions of our customers, primarily General Insurance Brokers or Insurers. We do not provide services to consumers (members of the public).

  • Data we may capture through or as a result of this website includes any communication that you send to us whether through the Contact Us form, through email, text, social media messaging, social media posting or any other communication that you send us. We process this data for the purposes of communicating with you, for our record keeping or for the establishment, pursuance, or defence of legal claims. Our lawful ground for this processing is our legitimate interests which in this case are to reply to communications sent to us, to keep records and to establish, pursue or defend legal claims.
  • Customer identity data including data relating to any purchases or potential purchases of our services, such as your name, title, business name, business email address, phone number and other contact details you choose to share with us. Our website may collect this through our Contact Us Our lawful ground for this processing is the performance of a contract between you and us and/or taking steps at your request to enter such a contract.
  • Our website does not collect your data for marketing purposes. However, if you do wish to be kept up to date with our products, please use the Contact Us form to submit your request or drop us an email. We will not share this with anybody else outside of our group of companies.
  • We do not collect any Special Category or Criminal Convictions and offences data about you through this website. None of this data is required by us and we do not request you send it. Please refer to the What is Personal Data section within this Privacy Notice for more information on Special Category Data.
  • We do not carry out automated decision making or any type of automated profiling through this website.
  • Data we collect from you via this website and any communication channels for purposes of potential employment, such as your submission of your details and a CV through means of your choosing will be processed under the legal basis of taking steps to enter into a contract, namely a contract of employment.

The following list are the categories of data we may collect from you via our website. In all cases this data is submitted to us by you through our Contact Us page.

  • Name (free text)
  • Email address (any valid email address accepted)
  • Contact number (any valid mobile or land-line number)
  • Message (free text entry for your message)

We also process personal data relating to our own employees or contractors. These individuals can find more information on this in our internal data privacy policy. We process employee data under the lawful basis of necessary for a contract we have with the individual (namely a contract of employment), or for taking steps towards entering such a contract. Unless appropriate, we do not rely on consent for the processing of employee data due to the imbalance of power between employer and employee, and the practical implications of consent withdrawal. If we need your consent for certain processing, we will seek it before carrying out that processing.

We may also store and process business identities data of our own customers (Brokers or Insurers) to the maximum extent of business contact details or logon related information for access to certain parts of our solutions. This data is protected using the same technical and organisational controls stated throughout this notice. You have the same rights in relation to this data such as requesting access, correction, erasure, etc.

MLP as a data processor
In relation to personal data that we process on behalf of our own customers (data controllers), such as Insurance Brokers, any questions or concerns regarding this processing must in the first instance be raised directly with the data controller who collected your data, and who likely referenced us in their privacy notice. We have no direct authority to respond on their behalf, but we do have legal and contractual obligations to assist them as appropriate and wherever relevant. This privacy notice aims to provide you with details on our contractual relationship, and how we protect and process any data that may relate to you as an individual.

We may process the following categories of personal data about you. However, as we provide several different solutions, and as our data processing instructions vary from controller to controller, this list is merely indicative of the most data we are ever likely to be processing. You are strongly encouraged to contact the entity that collected your data (and provided it to us) for further information.

Examples of Identifiable Personal Data that could be Processed:

  • Information about you, such as: date of birth, your occupation, your address, and your education.
  • Information about your vehicle such as: its age, possible modifications, the number of seats, engine size and MOT test results.
  • Information about your experience as a driver such as: how long you have held a license, years no claims discount, incidents, and convictions.

Automated decision making and profiling

This website does not perform any kind of automated decision making or profiling. All information you provide via our Contact Us page or other regular communication channels is read and acted upon by an MLP employee.

The nature of the products we provide to our clients is to provide predictions of a likely outcome based on the data it receives. Whilst this does fall under the heading of automated decision making or profiling, it should not in all cases be solely automated decision making. In most cases, the outcome would be reviewed by a human. However, as MLP has no control over the operational methods of its clients, you are encouraged to discuss any concerns or raise any questions with the entity that has collected your data and are using the service we provide them.

You have a right to request not to be subject to a decision based solely on automated processing, including profiling. However, depending on the lawful basis upon which the data controller bases the data collection, this right may not be exercisable (please see the section “Your legal rights” within this Privacy Notice).

Please click to expand the following links for more information on our products and how they work.

Artificial intelligence is a technology which can create intelligent systems that simulate human intelligence.

Machine learning is a subset of artificial intelligence, which enables machines to learn from past data or experiences without being explicitly programmed.

ML uses statistical techniques to enable programs to ‘learn’ through training, rather than being programmed with set rules. Machine learning systems process training data to progressively improve performance on a task, providing results that improve with experience.

Machine learning is therefore about extracting knowledge from data.

At MLP, machine learning is used to help our partners make decisions about you. Among other purposes, we use your data to determine how likely you are to make a claim on your insurance, which a Broker can use to determine how to do business with you. We receive this data from companies with whom you want to do business, not directly through our own website. In other cases, we might use your data to help inform brokers to give you a more competitive quote by adjusting their prices. In each of these cases, we do this by using your data to compare you to thousands of other sets of data. This lets us find similarities and differences between you and other people. We then use these patterns, the similarities, and differences between individuals, to group you together with other individuals who have similar patterns or set you apart if you have a lot of differences.

Disclosure of your personal data

We may have to share your personal data with the parties set out below:

  • Other companies in our group for legitimate business purposes such as sales, provision of infrastructure, support, governance and compliance oversight, and other such areas.
  • Service providers who provide IT and system administration services.
  • Professional advisers including lawyers, bankers, auditors, and insurers.
  • Government bodies that require us to report processing activities.
  • Third parties to whom we may sell, transfer, or merge parts of our business or our assets.

We always require all third parties to whom we may transfer your data to respect the security of your personal data and to treat it in accordance with the law. We only allow such third parties to process your personal data for specified purposes and in accordance with our instructions.

We would never sell any personal data we hold about you to another party.

International transfers

As our employee base is diverse in location, any data you provide to us through our Contact Us page, or other methods as defined under “What data do we collect and why”, may be processed outside of the United Kingdom and within the European Economic Area (EEA).

We will ensure that certain safeguards are in place to ensure an appropriate degree of security for your personal data, and in line with relevant regulations and standards.

Any international processing is done so under the knowledge and instruction of the data controllers to whom we offer our services.

Generally, this website is hosted in the UK and any data captured from you via our contact-us form is captured in the UK but may be transmitted via email or other secure messaging means to our employees located within the European Union. Our Machine Learning solutions are hosted within the EU and is where such processing would take place. The UK (and MLP) is currently relying on the EU’s temporary adequacy decision for any data that may flow into the UK from the EU.

The UK Government has stated that transfers of data from the UK to the EEA are permitted. It says it will keep this under review. MLP continue to monitor this.

Data can still flow freely from the EEA to the UK because the EU has agreed to delay transfer restrictions for at least four months, which can be extended to six months (known as the bridge) from the moment of Brexit. If the bridge ends without the adoption of adequacy decisions, transfers from the European Economic Area (EEA) to the UK will need to comply with EU GDPR transfer restrictions. In the unlikely event that this happens, we will either implement Standard Contractual Clauses or relocate the EU processing to be in the United Kingdom. Any changes will be reflected in this notice and within the contractual clauses we have in place with our own customers.

Security of your data

We have put in place security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed without authorisation. We also allow access to your personal data only to those employees or partners who have a business need to process such data. They will only process your personal data on our instructions, and they must keep it confidential.

We have procedures in place to deal with any suspected breach of personal data and will notify you and any applicable regulator of a breach if we are legally required to.

At MLP we fully understand and appreciate the importance of keeping data safe and secure. Our measures include the following controls:

  • We use data centre facilities that are certified as secure. Our data centre and provider is OVH and they adhere to the TIER 3 standard for data centres. Click [here] for more information on data centre tiers. Please note we have no affiliation with the site and link we have provided. This is for information only.
  • Fully established Data Governance Committee.
  • Internal policies to underpin our processes.
  • Oversight by experienced and qualified internal data protection professionals.
  • Detailed Data Protection Impact Assessments (DPIA’s) performed where appropriate.
  • Strict contractual agreements and constant contact with our own customer base.
  • Processing performed on hardened Linux systems using the latest patches and recommended security settings.
  • Password-less access controls, utilising individual Secure Shell (SSH) key-based access.
  • Client data never leaves our data centre. Nothing is copied to our employees’ desktops or laptops.
  • Three tiers of separation of duties and access controls to platforms and data.
  • Sales and product staff have no access to the data science infrastructure.
  • File sharing and inter-company messaging all end-to-end encrypted.
  • Fully encrypted backups performed nightly to a secure remote location.

Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

When deciding what the correct time is to keep the data for, we look at its amount, nature and sensitivity, potential risk of harm from unauthorised use or disclosure, the processing purposes, if these can be achieved by other means and legal requirements.

In some circumstances we may anonymise your personal data for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

For data that we process as a data processor on behalf of a data controller, we may retain some data for purposes of retraining, error checking, or to fulfil any obligations in relation to demonstrating meaningful information of the logic involved in decision making. This will be retained for a period no longer than that agreed with each data controller.

Your legal rights

Under data protection laws you (as a Data Subject) have rights in relation to your personal data that include the right to request access, correction, erasure, restriction, transfer, to object to processing, to portability of data, rights in relation to automated decision making and profiling, and, where the lawful ground of processing is consent, to withdraw consent.

Note – As the applicability of many of these rights are dependent on the designation of the entity (whether it is a Data controller or a Data processor), the following rights are listed in general and are not intended to indicate whether they are exercisable by us in all cases.

The right of access
Data controllers, must provide you with:

  • confirmation that your data is being processed and why.
  • access to your personal data.
  • other supplementary information as detailed in data privacy regulations.

This information is provided by way of a Data Subsect Access Request (DSAR).

In most cases, no charge is made for this service.

If an exemption or restriction applies, or if the request is manifestly unfounded or excessive, this right may be refused partially or in whole.

The right to rectification
You can ask a Data controller to correct any personal information it holds about you to ensure it is accurate.

The right to erasure (sometimes referred to as the right to be forgotten)
Under certain circumstances, you have the right to ask that your personal data is erased where:

  • It is no longer necessary in relation to the purpose for which it was collected or is being processed;
  • you withdraw your consent or object to the processing and there is no other legal ground to continue processing;
  • you object to the processing and there are no overriding legitimate grounds for the processing;
  • it was unlawfully processed or should be erased to comply with a legal obligation;
  • you object to the processing and your personal data was processed for direct marketing purposes; or
  • it is processed in relation to the offer of information society services to a child.

A Data controller can refuse to erase your personal data where it is processed:

  • to comply with a legal obligation or for the performance of a task of public interest;
  • for the exercise or defence of legal claims; or
  • for purposes relating to public health, archiving in the public interest, scientific/historic research or statistics.

If your data has been disclosed to a third party, the Data controller will ask them to erase that data, unless this proves impossible or involves disproportionate effort. You may ask who those third parties are, and the Data controller should inform you accordingly.

The right to restrict processing
You have the right to restrict the processing of personal data held by the Data controller or one of its processors where:

  • you contest its accuracy;
  • you have objected to the processing and the Data controller is considering whether they have a legitimate ground which overrides this;
  • processing is unlawful; or
  • the Data controller no longer needs the data, but you require it to establish, exercise or defend a legal claim.

The right to data portability
This right allows individuals the way of moving, copying or transferring personal data from one processing environment to another in a safe and secure way, and in a structured, commonly used and machine-readable format. This enables you to obtain and reuse your personal data across different services.

The right to data portability only applies:

  • to personal data that an individual has personally provided to the Data controller;
  • where the lawful basis of the processing is based on “consent” or “the performance of a contract” (only consent for special category data); and
  • where processing is carried by automated means.

The right to object
You have the right to object to processing of your personal data in certain circumstances and have an absolute right to stop your data being used for direct marketing.

You can also object if the processing is for:

  • a task carried out in the public interest;
  • the exercise of official authority vested in the Data controller; or
  • the Legitimate Interests of the Data controller or that of a third party.

However, in these circumstances the right to object is not absolute and you must give specific reasons why you are objecting to the processing of your data.

Please note that a Data controller would be able to continue processing your personal data if:

  • It can demonstrate compelling legitimate grounds for the processing, which override the interests, rights, and freedoms of the individual; or
  • where the processing is for the establishment, exercise, or defence of legal claims.

Rights relating to automated decision making and profiling
Automated decision making and profiling takes place when an electronic system uses personal information to make decisions. This may be with or without human intervention. You have the right to request not to be subject to a decision made solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. However, this right does not apply where the decision is:

  • necessary for entering into, or the performance of a contract between you and the Data controller, such as entering into a contract of insurance;
  • is authorised by domestic or EU law;
  • is based on your explicit consent; or

Please note that whilst you can request exercising of these rights, some may not be exercisable as they can depend on why we are processing that data or what other purposes we may have to process it. In some circumstances, another law or regulation may override the UK or EU GDPR. More information can be found [HERE].

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, a reasonable fee may be charged if your request is clearly unfounded, repetitive, or excessive, or may be refused in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made several consecutive requests. In this case, we will notify you of this before the one-month period.

If you wish to request exercise any of the rights set out above, and where we are the data controller for your data, please email us at dpo@opengi.co.uk.

If you are not happy with any aspect of how we collect and use your data, you have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (https://ico.org.uk/). We would be grateful if you Contact Us first if you do have a complaint as we would welcome the opportunity to try and resolve this for you.

Third-party links

This website may include links to third-party websites. Clicking on those links may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website and enter these other sites, we encourage you to read their own privacy notices.

Cookies

We have implemented a Cookie Management system into our website in line with regulatory guidance and the Privacy and Electronic Communications Regulation (PECR). Non-Essential Cookies will not be stored on your device without your prior consent.

Any cookies we use (including essential cookies) do not collect any personal data that could identify you as an individual.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. While we make every effort at providing full functionality, if you disable or refuse cookies some parts of this website may become inaccessible or not function properly. Please see below for more information about the cookies we use.

Cookies we use

Please scroll right to view entire table.

Cookie Name Description Expires After
_ga

_gid

_gat

_gat_gtag_xxx

Google Analytics (non-essential performance cookies). These cookies are used to collect information about how visitors use our website. We use the information to compile reports and to help us improve the website. The cookies collect information in an anonymous form, including the number of visitors to the website, where visitors have come to the website from, and the pages they visited on this site. 2 years

24 hours

10 minutes

1 minute

quform_session_xxx Essential session only cookie. This is for the contact forms on our website and are used to maintain sessions between page changes. No personal information or data is stored. The Contact Us form functionality will not work without this cookie. We therefore consider this to be an essential cookie. End of session

Updates

We may make changes to our Privacy Notice in the future. Any updates or changes will be posted on this page and will be reflected in the version date.

Page last updated: May 2021