Important — Please read this Privacy Statement carefully.
This Privacy Statement explains how the Mavi Group of companies collects, uses, discloses and otherwise processes your personal data. It is intended for customers, policyholders, insured persons, service contract holders, beneficiaries and other individuals whose personal data we hold in connection with our products and services, including non insurance and insurance programmes.
By interacting with us, enrolling in our products or services, or submitting information to us, you acknowledge that you have read and understood this Privacy Statement.
We do not collect personal data by way of cookies or similar technologies on our websites.
Section 1
Who We Are
For the purposes of this Privacy Statement, "Mavi", "we", "us" and "our" refer to Mavi Holding Pte. Ltd. (incorporated in Singapore) and its subsidiaries and associated companies, which collectively act as data controllers / data fiduciaries in respect of your personal data.
1.1 Group Entities Covered
The following entities are covered by this Privacy Statement:
| Jurisdiction | Mavi Group Entities |
|---|
| Singapore | Mavi Holding Pte. Ltd.; Mavi Care Services Singapore Pte. Ltd.; Mavi Care Services Asia Pte. Ltd.; Mavi Automotive Solutions Singapore Pte. Ltd.; Mavi Automotive Solutions Pte. Ltd. |
| India | Mavi Corporate India Private Limited; Mavi Automotive Solutions India Private Limited; Mavi Care Services India Private Limited |
| Thailand | Mavi Automotive Solutions (Thailand) Company Limited |
| United Kingdom | Mavi Ins UK Limited |
Mavi Holding Pte. Ltd. acts as the primary data controller across all three markets. Local subsidiaries may act as data processors for local operations and will be subject to appropriate data processing agreements with Mavi Holding Pte. Ltd.
Section 2
Applicable Laws
This Privacy Statement is designed to comply with the following applicable data protection laws, as they apply to you based on your location and the nature of our relationship with you:
| Jurisdiction | Governing Law | Regulator |
|---|
| Singapore | Personal Data Protection Act 2012 (as amended 2020) ("SG PDPA") | Personal Data Protection Commission (PDPC) |
| Thailand | Personal Data Protection Act B.E. 2562 (2019) ("TH PDPA") | Office of the Personal Data Protection Committee (PDPC Thailand) |
| India | Digital Personal Data Protection Act 2023 ("DPDPA") | Data Protection Board of India |
| United Kingdom | UK General Data Protection Regulation ("UK GDPR") and Data Protection Act 2018 ("DPA 2018") | Information Commissioner's Office (ICO) |
The governing law applicable to your personal data is the law of the jurisdiction in which you are located or in which the relevant Mavi entity that holds your data is established, whichever is more protective of your rights. Where a provision of this Privacy Statement is required by one jurisdiction's law and there is no equivalent provision required in another jurisdiction, that provision shall still apply to all customers unless it is legally inconsistent with doing so.
Section 3
Personal Data We Collect
3.1 Categories of Personal Data
Depending on the nature of your interaction with us, we may collect the following categories of personal data:
(a) Identity and Contact Data
- Full legal name, NRIC, passport number or other government-issued identification number
- Date of birth and nationality
- Postal address, email address and telephone numbers
- Vehicle registration number and related vehicle identification data
(b) Financial Data
- Payment details (credit/debit card details, bank account information)
- Credit assessment information and credit scores used to determine eligibility for service contracts
- Loan and financing information where relevant to service contract or insurance eligibility
(c) Health and Medical Data [Sensitive Personal Data]
Note: Health and medical data is treated as sensitive personal data under all applicable laws and requires explicit consent except where collection is necessary for insurance or legal compliance purposes.
- Medical reports, hospital or clinic records obtained in connection with insurance claims
- Health assessments and reports relevant to claims processing
(d) Vehicle Telematics and Location Data [Sensitive Personal Data]
Note: Location data used for monitoring or profiling may require explicit consent under Thai and Indian law.
- EV battery telemetry data (state of charge, charging cycles, battery health indicators)
- Vehicle location data collected for EV battery monitoring and warranty management purposes
- Driving and usage patterns where relevant to warranty or service contract assessment
(e) Transaction and Contractual Data
- Details of insurance policies, service contracts and related products held by or through Mavi
- Premiums, fees and payment history
- Claims history and service request records
- Correspondence and communications relating to your policy or contract
(f) Technical and Usage Data
- IP address, browser type, operating system and device information
- Cookies and related tracking technologies (see Section 10)
- Website usage data and interaction logs
(g) Employment and Reference Data (Applicants Only)
- CV, qualifications and employment history
- References and background check information
3.2 How We Collect Personal Data
We collect personal data in the following ways:
- When you submit application, proposal, declaration or referral forms (in paper or electronic format)
- When you enter into a service contract, insurance policy or other agreement with us or with an insurer or other party on whose behalf we act
- When you interact with our staff, agents or representatives by telephone (which may be recorded), email, letter, in person or through digital platforms
- When you use our websites, mobile applications or online portals
- When a policyholder or contract holder takes up a product or service for your benefit
- Through EV telematics systems and connected vehicle platforms where you have enrolled in a relevant product
- From third parties such as insurance brokers, insurers, reinsurers, motor dealerships, hospitals, clinics, credit reference agencies and government authorities, where relevant
- When you attend events hosted by us (including photographic records)
- When you submit an employment or representative application
3.3 Data You Provide About Third Parties
If you provide us with personal data about another person (for example, a named beneficiary, co-insured, family member or vehicle user), you confirm that you have that person's authority to share their data with us and that you have informed them of this Privacy Statement.
3.4 Accuracy of Data
You are responsible for ensuring that all personal data you provide to us is complete, accurate and up to date. Please notify us promptly if your details change. Inaccurate or incomplete data may affect our ability to administer your policy or service contract.
Section 4
Lawful Bases and Purposes for Processing
4.1 Lawful Bases
We process your personal data on the following lawful bases, which vary by jurisdiction:
| Lawful Basis | Description and Application |
|---|
| Consent | You have given clear, informed and freely given consent to the processing of your personal data for one or more specific purposes. For sensitive personal data (health, financial, location/telematics data), we will always seek your explicit consent unless another lawful basis applies. You may withdraw consent at any time — see Section 12. |
| Contract Performance | Processing is necessary for the performance of a contract to which you are party, or in order to take steps at your request prior to entering into a contract. This includes administering your Mavi contract or insurance policy. |
| Legal Obligation | Processing is necessary for compliance with applicable laws and regulations, including insurance regulation, anti-money laundering laws, tax laws and court orders. |
| Legitimate Interests | Processing is necessary for the purposes of legitimate interests pursued by Mavi or a third party, except where such interests are overridden by your interests or fundamental rights. We will not rely on legitimate interests to send direct marketing communications to you without your consent. |
4.2 Purposes of Processing
We collect, use and disclose your personal data for the following purposes:
General Administrative Purposes
- Verifying your identity and assessing your eligibility for our products and services
- Processing your applications and requests for contracts and insurance programmes
- Administering, maintaining and managing your service contract, insurance policy or other contractual relationship with us
- Collecting premiums, service fees and other amounts due
- Processing claims and service requests, including by obtaining medical reports where relevant to insurance claims
- Managing renewals, cancellations and policy/contract amendments
- Communicating with you regarding your policy or contract, including administrative notices and updates
- Responding to your queries, complaints and feedback
EV Battery Service Contracts, warranty contracts, other after-sales contracts and Telematics
- Administration of your contract
- Monitoring EV battery health, performance and contract status
- Processing service requests and associated insurance claims
- Processing other contract claims
- Providing connected vehicle services where included in your product
Insurance Administration
- Assessing and determining risk, eligibility and premium levels
- Facilitating reinsurance arrangements
- Detecting and investigating fraud, money laundering and other financial crime
- Complying with insurance regulatory requirements
Credit Assessment
- Conducting credit assessments to determine eligibility for service contracts, including obtaining credit scores from credit reference agencies
- Debt recovery and collection in the event of default
Legal and Regulatory Compliance
- Complying with applicable laws, regulations, court orders and regulatory requirements
- Disclosing data to regulatory authorities, law enforcement agencies and courts as required or permitted by law
- Establishing, exercising or defending legal claims
Business Operations and Improvement
- Managing and improving our internal business operations
- Conducting data analytics, market research and service improvement activities using data analytics, artificial intelligence and machine learning techniques
- Facilitating corporate transactions such as mergers, acquisitions or asset sales
- Training, quality assurance and staff management
Marketing (Consent Required)
- Where you have given your consent, sending you information about Mavi products, services and promotions that may be of interest to you
- You may opt out of direct marketing communications at any time — see Section 12
Employment and Recruitment
- Processing job and representative applications, conducting background checks and pre-employment screening
- Managing the employment relationship, including performance reviews and training
Section 5
Sensitive Personal Data
We collect and process certain categories of sensitive personal data as described below. Under all applicable laws, sensitive personal data requires a higher standard of protection and, in most cases, your explicit consent.
Sensitive Data Categories and Handling
Health and Medical Data: collected where necessary for processing insurance claims. Basis: explicit consent and/or performance of insurance contract / legal obligation. Disclosed only to relevant insurance brokers, insurers, reinsurers, medical practitioners and loss assessors.
Financial Data (Credit Scores and Loan Information): collected for service contract eligibility assessment. Basis: explicit consent and/or legitimate interests (credit risk management). Disclosed to credit reference agencies as required.
Vehicle Telematics and Location Data: collected for EV battery service contract/ warranty product monitoring. Basis: explicit consent (where used for monitoring or profiling) and/or performance of service contract. You may withdraw consent for non-essential telematics collection without affecting core warranty services, subject to the terms of your contract.
For Thai customers, explicit consent is required for all sensitive personal data processing under Section 26 of the TH PDPA. For Indian customers, sensitive personal data (as defined under the DPDPA) will be processed only on the basis of explicit consent or as otherwise permitted by law.
Section 6
Disclosure of Personal Data
6.1 Recipients of Your Personal Data
Subject to applicable law, we may disclose your personal data to the following categories of recipients for the purposes described in this Privacy Statement:
- Other Mavi Group entities, for group administration and the purposes described in this Privacy Statement
- Insurers, insurance brokers and reinsurers as necessary for the arrangement and administration of insurance products
- Motor dealerships and distributors involved in EV service contracts, warranty programmes and other after sales programmes
- Third party service providers and agents (including IT service providers, cloud hosting providers, payment processors, couriers, call centres, legal advisers, auditors and debt collection agencies) engaged by Mavi to assist with its operations
- Credit reference agencies (including the Credit Bureau (Singapore) where applicable)
- Hospitals, clinics, motor workshops, loss adjusters, surveyors and private investigators in connection with claims and service requests
- Government regulators, law enforcement agencies and courts as required or permitted by applicable law
- Business partners, investors and transferees in connection with corporate transactions
- Third party referrers and co-brand partners
- Any other party to whom you have authorised us to disclose your personal data
6.2 No Sale of Personal Data
Mavi does not sell your personal data to third parties. We do not disclose your personal data to third parties for their own direct marketing purposes without your consent.
Section 7
International Transfer of Personal Data
Mavi operates across Singapore, India, Thailand, United Kingdom and EU/ EEA. In the course of our business, your personal data may be transferred to and processed in countries other than the country in which you are located. In particular:
- Personal data collected in Singapore and Thailand may be transferred to India for operational processing by Mavi group companies
- Personal data may be transferred to insurance, insurance brokers and reinsurers overseas
- Personal data is processed on cloud infrastructure with servers located in the United States and other regions
7.1 Safeguards for International Transfers
Where personal data is transferred internationally, we will ensure that appropriate safeguards are in place as required by applicable law:
Singapore (SG PDPA)
Transfers outside Singapore are subject to binding contractual obligations that require the overseas recipient to provide a standard of protection at least comparable to the SG PDPA, in accordance with the PDPC's Transfer Limitation Obligation.
Thailand (TH PDPA)
Transfers outside Thailand are subject to the requirements of Section 28 of the TH PDPA. We will ensure that the destination country provides an adequate level of personal data protection or that adequate safeguards (such as binding contractual clauses approved by the Thai PDPC) are in place. Where required, we will seek your explicit consent for transfers to countries not providing adequate protection.
India (DPDPA)
Transfers of personal data outside India will only be made to countries or territories notified by the Indian Central Government as permitting such transfers under Section 16 of the DPDPA, or as otherwise permitted under applicable rules. Transfers to countries not so notified will be subject to appropriate contractual safeguards.
United Kingdom (UK GDPR / DPA 2018)
Transfers of personal data outside the United Kingdom by Mavi Ins UK Limited (or other UK-established Mavi entities) are subject to the transfer restriction provisions of the UK GDPR (Article 46) and the DPA 2018. Such transfers will only be made where an adequacy regulation is in force in respect of the destination country, or where appropriate safeguards are in place, including International Data Transfer Agreements (IDTAs) or the International Data Transfer Addendum to the EU Standard Contractual Clauses, as issued by the ICO. Where no such safeguard is available, transfers will only be made in reliance on an exception under Article 49 UK GDPR and with appropriate documentation.
Section 8
Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required or permitted by applicable law. The following retention periods apply as a general guide:
| Category of Data / Relationship | Retention Period |
|---|
| Active service contract, warranty, other after-sales contract or insurance policy | Duration of contract / policy plus 7 years after expiry or termination |
| Contract service request/ claims and insurance claims records (including health / medical data) | 7 years from the date of final claims settlement or closure |
| Credit and financial assessment data | 5 years from the date of assessment or decision |
| Vehicle telematics and location data | 3 years from the end of the relevant warranty or service contract period, unless required longer for claims purposes |
| Customer enquiry and correspondence records | 3 years from the date of the last interaction |
| Employment application records (unsuccessful) | 12 months from the date of application, unless you consent to longer retention |
| Employee records | Duration of employment plus 7 years |
| Marketing consent records | Until consent is withdrawn, plus 3 years thereafter |
| Regulatory and compliance records | As required by applicable law, typically 5–10 years |
After the applicable retention period, personal data will be securely deleted, anonymised or de-identified in accordance with our data destruction procedures. Anonymised or aggregated data that can no longer identify you may be retained for longer periods for statistical and research purposes.
Different retention periods may apply in specific jurisdictions where required by local law.
Section 9
Data Security
Mavi takes the security of your personal data seriously. We implement and maintain appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, alteration or disclosure. These measures include:
- Encryption of personal data in transit and at rest
- Access controls and role-based permissions to limit access to personal data on a need-to-know basis
- Regular security assessments, penetration testing and vulnerability management
- Staff training on data protection and information security
- Contractual security requirements imposed on third party service providers
- Incident response and business continuity procedures
9.1 Data Breach Notification
In the event of a personal data breach, Mavi will take prompt steps to contain the breach and assess the risk to affected individuals. We will notify the relevant data protection authority and, where required by applicable law or where the breach is likely to result in high risk to your rights and freedoms, we will notify you directly.
- Singapore: Mandatory breach notification to the PDPC within 3 calendar days of assessment as a notifiable breach (SG PDPA, s.26D)
- Thailand: Notification to the Thai PDPC within 72 hours of becoming aware of a breach; notification to affected data subjects if the breach is likely to result in a high risk to their rights and freedoms (TH PDPA, s.37)
- India: Notification to affected Data Principals and the Data Protection Board of India in the manner and within the timeframe prescribed by applicable rules under the DPDPA
- United Kingdom: Mavi Ins UK Limited is required to notify the ICO of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, where the breach is likely to result in a risk to the rights and freedoms of individuals (UK GDPR, Article 33). Where the breach is likely to result in a high risk to individuals, those individuals must also be notified directly without undue delay (UK GDPR, Article 34).
Despite our security measures, no transmission of data over the internet is entirely secure. You should take appropriate precautions to protect your own credentials and data when communicating with us online.
Section 10
Cookies and Related Technologies
We do not collect personal data by way of cookies or similar technologies on our websites.
Section 11
Your Data Protection Rights
Subject to applicable law and certain exceptions, you have the following rights in respect of your personal data held by Mavi. The rights available to you and the procedures for exercising them may vary depending on your jurisdiction.
| Right | Description |
|---|
| Right of Access | You may request a copy of the personal data we hold about you and information about how we process it. [SG PDPA, TH PDPA, DPDPA] |
| Right of Correction / Rectification | You may request that we correct any inaccurate or incomplete personal data we hold about you. [SG PDPA, TH PDPA, DPDPA] |
| Right of Erasure / Deletion | You may request erasure of your personal data where it is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent and there is no other lawful basis for processing. This right is subject to applicable legal and regulatory retention requirements. [TH PDPA, DPDPA] |
| Right to Data Portability | Where processing is carried out by automated means on the basis of consent or contract, you may request that we provide your personal data in a structured, commonly used machine-readable format. [TH PDPA, DPDPA] |
| Right to Object / Restrict Processing | You may object to or request restriction of processing of your personal data in certain circumstances, including where processing is based on legitimate interests or where you contest the accuracy of data. [TH PDPA, SG PDPA] |
| Right to Withdraw Consent | You may withdraw consent at any time without detriment, where processing is based solely on consent. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal. Note that withdrawal of consent for purposes that are necessary for the provision of services may affect our ability to continue providing those services. [All jurisdictions] |
| Right to Grievance Redress (India) | Indian Data Principals have the right to have their grievances addressed by Mavi's Data Protection Officer within the timelines prescribed by the DPDPA and its rules. [DPDPA] |
To exercise any of these rights, please contact our Data Protection Officer using the details in Section 13. We will respond to your request within the timeframe required by applicable law (generally 30 days, subject to extension where permitted).
If your personal data was provided to us by a third party (such as a policyholder or contract holder who nominated you as a beneficiary or insured), you should contact that party directly and request that they make enquiries of us on your behalf.
Section 12
Withdrawal of Consent
You may withdraw your consent to our collection, use or disclosure of your personal data at any time by providing reasonable written notice to our Data Protection Officer. Withdrawal of consent does not affect the lawfulness of any processing carried out prior to the date of withdrawal.
Please note that if you withdraw consent for purposes that we consider necessary for the provision of our products and services — for example, the processing of your personal data for the administration of your insurance policy or service contract — this may affect our ability to continue providing those products and services to you. In such cases:
- We may be unable to maintain your insurance cover or service contract in force
- We may be unable to properly assess and process your claims or service requests
- Termination of your policy or contract may result in loss of coverage and other benefits
We will advise you of the likely consequences before acting on your withdrawal request. You may also opt out of direct marketing communications at any time without affecting your other contractual rights.
Section 13
Data Protection Officer and Contact Details
Mavi has appointed a Data Protection Officer (DPO) who is responsible for overseeing our compliance with applicable data protection laws and handling enquiries and requests relating to your personal data.
Data Protection Officer — Contact Details
Name / Title The Data Protection Officer, Mavi Group
Postal Address 100 Tras Street #16-01, 100 AM, Singapore 079027
Response Time We aim to acknowledge your request within 3 business days and respond substantively within 30 calendar days. Where additional time is required, we will notify you.
If you are an Indian Data Principal, you may also use the grievance mechanism established under the DPDPA to escalate unresolved complaints to the Data Protection Board of India.
If you are a Thai Data Subject, you have the right to lodge a complaint with the Office of the Personal Data Protection Committee (PDPC Thailand) if you believe your rights under the TH PDPA have been violated.
If you are a Singapore resident, you may lodge a complaint with the Personal Data Protection Commission (PDPC Singapore) at www.pdpc.gov.sg.
If you are located in the United Kingdom or your personal data is processed by Mavi Ins UK Limited, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk. You also have the right to seek a judicial remedy against Mavi Ins UK Limited if you consider that your rights under the UK GDPR have been infringed as a result of the processing of your personal data in non-compliance with the UK GDPR.
Section 14
Third Party Websites
Our website and digital platforms may contain links to websites operated by third parties. We are not responsible for the privacy practices of such third party websites. We encourage you to review the privacy policies of any third party websites you visit.
Section 15
Changes to This Privacy Statement
Mavi may update this Privacy Statement from time to time to reflect changes in our practices, applicable law or regulatory guidance. We will post the updated Privacy Statement on our website at www.mavi.group. Where changes are material, we will take reasonable steps to notify you directly, for example by email or by a prominent notice on our website.
The version date of this Privacy Statement is shown on the cover page. Your continued use of our products and services following the posting of a revised Privacy Statement constitutes your acknowledgment of the changes, subject to your rights to withdraw consent as described in Section 12.
Section 16
Governing Law
This Privacy Statement and the processing of your personal data are governed by the applicable data protection laws of the jurisdiction in which you are located or in which the Mavi Group entity that holds your data is established:
- Customers and individuals located in Singapore: Personal Data Protection Act 2012 (as amended) and the laws of Singapore
- Customers and individuals located in Thailand: Personal Data Protection Act B.E. 2562 (2019) and the laws of Thailand
- Customers and individuals located in India: Digital Personal Data Protection Act 2023 and the laws of India
- Customers and individuals whose personal data is processed by Mavi Ins UK Limited (United Kingdom): UK General Data Protection Regulation and Data Protection Act 2018, and the laws of England and Wales
The statutory data protection rights conferred upon you by the laws of your jurisdiction cannot be excluded or reduced by contract. To the extent that any provision of this Privacy Statement is inconsistent with mandatory statutory rights under applicable law, the applicable law shall prevail.
Schedule A
Jurisdiction-Specific Notes
A.1 Singapore
The following additional provisions apply specifically to customers and individuals in Singapore:
- Mavi relies on the deemed consent by notification framework under s.15A of the SG PDPA where it has provided prior notification of purposes in this Privacy Statement and given you a reasonable opportunity to opt out.
- Mavi relies on the deemed consent by contractual necessity framework under s.15B of the SG PDPA where the collection, use or disclosure of your personal data is reasonably necessary for the performance of a contract between you and Mavi or between Mavi and another organisation at your request.
- Where Mavi relies on the legitimate interests exception under s.17 of the SG PDPA, it will maintain records of its legitimate interests assessments in accordance with PDPC guidance.
- The Do Not Call (DNC) Registry: Mavi will check the DNC Registry before sending marketing messages by Singapore telephone number, as required by the SG PDPA.
A.2 Thailand
The following additional provisions apply specifically to customers and individuals in Thailand:
- Mavi Automotive Solutions (Thailand) Company Limited is a registered Data Controller in Thailand for the purposes of the TH PDPA.
- Explicit consent under Section 26 of the TH PDPA is required for the collection and processing of sensitive personal data, including health data, financial data and telematics/location data used for profiling. Such consent will be requested separately and specifically at the point of collection.
- You have the right to withdraw consent, access, rectify, erase, restrict processing, object to processing, and receive your data in a portable format, subject to the conditions and exceptions set out in the TH PDPA.
- Mavi has appointed a Data Protection Officer as required by the TH PDPA given the large-scale processing of sensitive personal data. The DPO's contact details are set out in Section 13.
- Transfers of your personal data outside Thailand will only be made where adequate safeguards are in place as required by Section 28 of the TH PDPA.
A.3 India
The following additional provisions apply specifically to customers and individuals in India:
- Mavi Automotive Solutions India Private Limited and Mavi Care Services India Private Limited are Data Fiduciaries for the purposes of the DPDPA in respect of personal data collected from Indian Data Principals.
- Under the DPDPA, you (as a Data Principal) have the right to: (i) access information about your personal data being processed; (ii) correction and erasure of your personal data; (iii) grievance redress through Mavi's DPO and, thereafter, the Data Protection Board of India; and (iv) nominate a person to exercise your rights in the event of your death or incapacity.
- Consent will be requested in a clear, plain language notice specifying the personal data to be collected and the purposes of processing. You may manage and withdraw consent through the Data Protection Officer (contact details in Section 13) or through any Consent Manager mechanism established by Mavi in accordance with applicable DPDPA rules.
- Mavi will take appropriate technical and organisational measures to protect personal data, and will report personal data breaches to affected Data Principals and the Data Protection Board of India as required by the DPDPA.
- Transfers of personal data outside India will only be made to countries or territories as permitted under Section 16 of the DPDPA and applicable rules.
- Children's data: Mavi does not knowingly collect personal data from children (individuals below 18 years of age) without verifiable parental consent. Where we become aware that we have collected personal data from a child without such consent, we will take prompt steps to delete it.
A.4 United Kingdom
The following additional provisions apply specifically to individuals whose personal data is processed by Mavi Ins UK Limited, an insurance and reinsurance broker incorporated in England and Wales and authorised and regulated by the Financial Conduct Authority ("FCA"):
- Mavi Ins UK Limited is a data controller for the purposes of the UK GDPR and the Data Protection Act 2018 ("DPA 2018") in respect of personal data it processes in connection with its insurance and reinsurance broking activities. It is registered with the Information Commissioner's Office (ICO) as a data controller.
- The processing of your personal data by Mavi Ins UK Limited is governed by the UK GDPR and the DPA 2018, and the laws of England and Wales. The lawful bases for processing set out in Section 4.1 of this Privacy Statement apply equally to processing by Mavi Ins UK Limited; references to the UK GDPR equivalents (Articles 6 and 9) apply in place of references to the laws of other jurisdictions.
- As an FCA-authorised insurance and reinsurance broker, Mavi Ins UK Limited is also subject to applicable FCA conduct of business rules, including requirements under the Senior Managers and Certification Regime (SM&CR) and relevant FCA Sourcebooks (including ICOBS and SYSC). Certain personal data processed in connection with regulatory compliance, financial crime prevention and client due diligence obligations may be processed on the basis of legal obligation under UK law.
- Under the UK GDPR, individuals whose personal data is processed by Mavi Ins UK Limited have the following rights: the right of access (Article 15); the right to rectification (Article 16); the right to erasure (Article 17); the right to restriction of processing (Article 18); the right to data portability (Article 20); and the right to object (Article 21). These rights are subject to the conditions, limitations and exemptions set out in the UK GDPR and the DPA 2018 (including those applicable to insurance and financial services).
- Where Mavi Ins UK Limited relies on legitimate interests as a lawful basis for processing (UK GDPR, Article 6(1)(f)), it will carry out and maintain a legitimate interests assessment (LIA) in accordance with ICO guidance. You have the right to object to such processing at any time; Mavi Ins UK Limited will cease processing unless it can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is for the establishment, exercise or defence of legal claims.
- Mavi Ins UK Limited does not carry out solely automated decision-making that produces legal or similarly significant effects without a human review mechanism, in accordance with Article 22 of the UK GDPR.
- If you wish to exercise any of your data protection rights in respect of personal data processed by Mavi Ins UK Limited, or if you have a complaint about how your personal data has been handled, please contact the Data Protection Officer using the details in Section 13. If you remain dissatisfied with the outcome, you have the right to lodge a complaint with the ICO at www.ico.org.uk or by calling 0303 123 1113.
