Tin Leg, a Squaremouth LLC Subsidiary and Division of Specialty Program Group LLC Privacy Policy.

The U.S. Privacy Policy (this “Policy”) describes how Specialty Program Group LLC and its subsidiaries (collectively “SPG”) listed here use your “Personal Information” (as defined below) both during and after our direct (or indirect) business relationship with you. This Policy applies to your Personal Information that we may from time to time collect, use and disclose in the course of (1) performing insurance brokerage or other insurance or financial industry services on your behalf, (2) making available our mobile applications and websites, including specialtyprogramgroup.com, and (3) visiting a SPG location, attending a SPG event or using other services that link to this Policy. This Policy may be supplemented by additional privacy policies, terms, and notices relevant to the service. We take very seriously our privacy responsibilities to you, and we are committed to treating your Personal Information in a manner that is consistent with applicable law and this Policy. Please read this Policy carefully.

Updates to Policy, Accessibility of Policy, and Regional Differences

Updates to Policy. From time to time, we may change our privacy practices which will require changes to this Policy. The latest version of this Policy will be posted on our websites at the page it has historically appeared and the date it was last reviewed will be displayed. We encourage you to look for updates and changes to this Policy when you access our websites.

Your continued use of our websites and mobile applications following the posting of changes constitutes your acceptance of such changes with respect to your use of our websites and mobile applications.

Accessibility. If you have special needs with regard to accessing the content of this Policy, we recommend that you, or someone on your behalf, contact us at: privacy.compliance@specialtyprogramgroup.com. Please include the words “Accessibility Issue” in your subject line.

Notice to California Residents. If you are a California resident, you may have additional privacy rights. Due to the detailed requirements under California privacy laws, please review the SPG Privacy Notice for California Residents for information about these additional rights in addition to this Policy.

Certain other jurisdictions provide enhanced personal information rights to residents depending on the jurisdiction and the reason SPG is processing your information. For example, certain privacy rights may not apply to personal information that is already subject to certain federal and state laws regulating insurance or health information. While these rights may differ based on the data collected and the type of product or service you choose, you can submit a personal information rights request by visiting the SPG Consumer Privacy Request Portal.

Notice to Residents of Colorado, Connecticut, Utah, Virginia. If you are a resident of Colorado, Connecticut, Montana, Oregon, Texas, Utah, or Virginia, you may also have additional rights such as (a) rights to know, access, correct, data portability, or restrict processing, (b) right to opt out of sale, (c) right to opt-out of automated decision making and (d) right to delete certain Personal Information, or (e) otherwise described below in this Policy. These rights can be asserted by visiting the SPG Consumer Privacy Request Portal.

Residents of Connecticut, Virginia, Texas, and Oregon have the right to appeal the outcome of a rights request to access, review, delete or correct personal information. Assertions of these appeal rights can be made to: privacy.compliance@specialtyprogramgroup.com. Please include “Appeal of Outcome” and your state name in the subject line of your email message to initiate the appeal request.

Definition and Exclusions of Personal Information at Specialty Program Group LLC

Generally, “Personal Information” means information that identifies (whether directly or indirectly) you, such as your name, postal address, email address, and telephone number. Due to the nature of our business as described under “Information Collection” below, Personal Information may also include:

• your name, Social Security Number, driver’s license or other government-issued identification;
• assets and income, occupation and employment status, dependent information, and other relevant financial information;
• information relating to any of your past claims, driving history, certifications, license details, previous insurance policy details, previous accident and claims history including any driving convictions;
• information from reporting agencies and state and federal government agencies, such as state motor vehicle departments;
• information from other sources, such as medical or health care providers and other third parties with which you or we maintain a relationship including credit reference agencies, vetting and data validation agencies, advisory service providers, insurers, underwriters, reinsurers, other insurance brokers, business partners;
• your account activity and premium payment history;
• benefits information such as benefits elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits;
• information about your interest in and attendance at SPG sponsored events, including feedback responses;
• information from social media interactions with SPG’s social media presence, feedback forms or surveys;
• credit card, bank account or other account information as may be required to facilitate your payment of insurance premium or similar amounts, which payment generally is made through systems maintained by third parties, such as insurance carriers;
• passive tracking information from our website or the Internet, including information obtained through the use of internet “cookies” as detailed in the “Cookie Notice and Notice of Other Web Technologies” section below; and
• inferences drawn from other Personal Information, precise geolocation data, and sensory data such as audio or visual information.

Personal Information does not include aggregated or anonymous information which does not identify and cannot reasonably be used to identify you. It also does not include other categories of information excluded by state or federal law.

Information Collection

We are generally unable to perform insurance brokerage or other insurance or financial industry services on your behalf without collecting, using, or disclosing your Personal Information. Typically, you will provide your Personal Information directly to us as your broker, or indirectly to us via another broker representing you, as part of a written application for insurance coverage. Other times, we may receive this and other Personal Information from third parties, including insurance carriers and other industry service providers, and other third parties with which you maintain a relationship (for example, your employer or financial service or medical or health providers). We may also develop this information over time based on your direct or indirect interactions with us, such as through the use of cookies on our websites.

Please keep in mind that when you provide information to us on a third-party site or platform, the information you provide may be separately collected by the third-party site or platform. We encourage you to read the privacy policies of other sites and mobile applications that may collect your Personal Information.

We generally collect the amount and types of Personal Information that are required for us to perform or support services on your behalf, whether directly or indirectly. This includes information that may be required by an insurance carrier or an industry service provider in the course of providing you with insurance coverage or related services. If you use our websites, we may collect information about your device, browser and other information regarding your web usage using tracking tools described in this Policy. Such information collection could include relevant market research designed to make our products and services better. This and other information may include the Personal Information as defined above.

We may use cookies and other technologies such as web beacons on our websites and mobile applications. Cookies are files which can store information in your computer hard drive or other devices and help us and our service partners to better understand user behavior. This information is collected for security and fraud prevention purposes, to identify which parts of our websites people have visited, and to facilitate and measure the effectiveness of advertisements and web searches. These technologies can also help to improve user experiences with the performance of websites and mobile applications.

We may combine information derived from cookies or web technologies with information provided directly by you as described in the “Information Collection” section above. We may use several different categories of cookies:

• Strictly Necessary Cookies. These cookies are necessary for the website or application to function. They are set as required to provide a specific feature or service that you have accessed or requested and that cannot be provided without the use of such cookies.
• Performance or Analytical Cookies. These cookies allow measurement of website activity by tracking user visits, the location of users and the volume of users. We use these cookies to help us to analyze data.
• Functional Cookies. These cookies enable the website to provide enhanced functionality and personalization. They may be set by us or by third party service providers. Disallowing these cookies may impact the ease with which the website or application functions for users.
• Targeting Cookies. These cookies are used to understand how visitors interact with our websites and online services, including by helping us to assess the effectiveness of web searches and so we can provide you with a more customized experience. Targeting cookies can include marketing cookies, which are used to provide you with personalized, relevant product offerings and advertisements. Another type of targeting cookie is a social media cookie. Social media cookies may result in the sharing of information you have provided to social networks’ websites by those websites, subject to those websites’ privacy policies and user consents.

SPG generally gives you choices to opt-out of the categories of cookies as described above, except for those that are essential to the services of the websites or tools you are accessing. This option is typically presented when you first visit our websites.

Your computers or devices also have tools within their browser settings that allow you to manage your acceptance of cookies. These can include the ability to disable or block non-essential cookies, remove cookies, automatically accept cookies or to notify you when a cookie is received. See “How To Manage Cookies” for detailed explanations by browser (e.g., Google Chrome). Generally, disabling or rejecting cookies can impact your user experience.

Certain features of our website may not be available if all cookies are disabled, and therefore the option to disable cookies, particularly strictly necessary cookies, may not be available.

SPG uses both Adobe and Google as website service providers. To learn about Adobe Analytics privacy practices or to opt-out of Adobe cookies which are used to facilitate reporting, visit Adobe Privacy Center. To learn more about Google’s privacy practices, visit the Google Privacy Center. To access and use the Google Analytics Opt-out Browser Add-on, visit Google Opt-out.

Sales of Personal Information

In the preceding twelve (12) months, we have shared information for advertising purposes which might be considered a “sale” of Personal Information as defined by some state laws. This is described herein and in our Cookie Notice and Notice of Other Web Technologies in our U.S. Privacy Policy in relation to sharing personal information for cross-contextual behavioral advertising or targeted advertising purposes.

Global Privacy Control (GPC) Signal

You have the right to opt out of the use of your personal information for targeted advertising purposes. You may download one of the supported browsers or extensions to send the Global Privacy Control (“GPC”) signal, which will transmit your request to opt-out of targeted advertising automatically. A list of available GPC-enabled browsers or extensions is here: https://globalprivacycontrol.org/#download.

Use of Automation for Insurance Quoting

SPG’s online formats may utilize certain types of automation which assist carrier partners with their underwriting of insurance. Such automation may result in the use of your personal information by the insurer to create predictions about insurance products and premium pricing, and information about insurance carrier market categories that would be appropriate for you. The goal of such an interaction would be for you to receive one or more insurance quotations or estimations of premium and coverage details. Each insurer will have methodologies, including underwriting algorithms, to help with making underwriting decisions. Insurers’ underwriting decisions for insurance coverage, and the use of data for making those decisions, are each subject to the applicable privacy policy and privacy rights request process of that insurer. Your personal information is protected and is utilized consistently with the purposes and categories of this Policy and the intention of our use of this technology is that it operates without improper biases. Based on applicable law, you may have the right to opt out of automated technology which produces a legal effect. If available in your area, this right can be exercised through the SPG Consumer Privacy Request Portal.

Use and Disclosure of Personal Information

We generally only disclose your Personal Information to perform services on your behalf and provide you with the insurance products and services you expect from us. In addition, in order to operate our business and provide you with the services you request from us, information technology and other support service providers with which we maintain an arrangement may also have access to your Personal Information. Your Personal Information may be disclosed to third parties in connection with a merger, sale, or other transfer of organizational assets where Personal Information held by us about our clients is among the assets transferred.

We may from time to time disclose your Personal Information for the following reasons:

• to fulfill or meet the reason you provided the information and for our everyday business purposes, such as to obtain initial and renewal quotations for insurance or other insurance or financial industry services (including those procured proactively and/or in connection with the movement of a book of business from one provider to another) on your behalf; to obtain insurance (or similar products) on your behalf or to facilitate the performance of related services by other industry service providers; to maintain or service your account or insurance, including by reporting claims of loss to other industry service providers, such as insurance carriers and adjusters; to evaluate our performance or offerings; to allow risk management or actuarial evaluation of prospective or existing placements; to confer with medical professionals if necessary regarding a relevant claim; and to make reports to credit bureaus. We may also save your information to facilitate new quotations or placements.
• for legal reasons, such as to make required or advisable reports to insurance regulatory, law enforcement or other similarly situated authorities including government authorities; to respond to and comply with court orders, applicable law, and other legal requirements; and to defend ourselves against claims and to enforce our rights or protect our employees or property.
• for our own marketing purposes, so that we may offer you our products and services, including through the use of targeted or similar advertising on the internet. You will be given the opportunity to opt out of direct marketing from SPG, and you can change your marketing preferences by contacting SPG as set forth in this Policy.
• for joint marketing purposes, so that we and any third-party product or service provider may together offer you products and services.
• for our affiliates’ everyday business purposes, such as to process or service transactions or to provide or receive shared organizational services.
• for our affiliates’ marketing purposes, so that they may offer you their products and services.
• for our and our affiliates’ fraud prevention purposes, where necessary to prevent and detect fraud.
• for non-affiliated third parties, whenever you consent to such sharing, when the information cannot reasonably identify you, when business partners or third-party companies play a related or expected role in an insurance transaction, or as needed for SPG to participate in insurance support organizations.
• for our internal and external auditors, where necessary for company audits, complaint investigation or investigation of a security threat.
• for other purposes, as may be permitted by law.
• to evaluate, negotiate or effect a business transaction (e.g., a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets), in which Personal Information held by us about our consumers or website users is among the assets evaluated or transferred.

To Limit Our Disclosure or Sharing of Information

To limit our disclosure of your Personal Information with affiliates or non-affiliates for marketing purposes (and for any other purpose which applicable law provides you a right to require us to limit our sharing of your Personal Information), you may at any time submit a request to us by:

• Visiting the SPG Consumer Privacy Request Portal
• Emailing us at: privacy.compliance@specialtyprogramgroup.com

California Residents: See the SPG Privacy Notice for California Residents.

Retention of Your Information

SPG retains certain records of your personal information as necessary to operate our business and comply with our legal and regulatory obligations. Such records are retained for legally defined retention periods that may extend beyond the period for which we provide services to you or on your behalf. We have implemented appropriate measures to confirm that private information is securely disposed of when no longer required.

Other Important Website Information

Our website contains links to third party sites. If you click on one of those links, you will be taken to websites we do not control. This Policy does not apply to the information practices of those sites. You should read the privacy policies of those other websites carefully. We are not responsible for those third-party sites. Links to third party sites do not constitute or imply endorsement by us of the linked site or any material displayed on those sites.

To the extent that SPG provides mobile application access for your use, please note that your Personal Information may be collected. In addition to being subject to this Policy, your use of a downloaded application provided by SPG is also subject to the privacy terms and conditions of the providers and developers of the application. SPG may have access to and utilize certain data collected by such providers or developers. SPG may utilize such data to better service your account, as well as to improve the performance of the application. Please see the “Cookie Notice and Notice of Other Web Technologies,” as well as the “Cookie Choices and Opt-Out” sections for more information.

SPG websites are not intended for children under 13 years of age. No one under age 13 may provide any information through our websites, and we do not knowingly collect Personal Information from children under thirteen. If you are under thirteen, do not use or provide any information on this website or otherwise provide any information about yourself to us, including your name, address, telephone number, email address, or any screen or username you may use. If we learn we have collected or received Personal Information from a child under thirteen without verification of parental consent, we will use commercially reasonable efforts to delete that information. If you believe we might have any information from or about a child under thirteen without parental consent, please contact us at the mailing address shown beneath the heading “Your Right to Review Your Information.”

Information Security Practices

We maintain technical and organizational security measures reasonably designed to protect the security of your Personal Information against loss, misuse, and unauthorized access, disclosure, or alteration. Specialty Program Group LLC and its affiliates take steps to secure your Personal Information with appropriate levels of security around storage and use. Despite this, the security of information cannot be guaranteed. If you have reason to believe that your Personal Information maintained by us is no longer secure, please immediately notify us utilizing the contact information set forth below. In the event of a breach impacting your Personal Information, we intend to provide you with notification to the extent required by applicable law.

Your Right to Review Your Information

You may have the right to review your Personal Information that we could reasonably locate and retrieve, and to request that we correct, amend, or delete any inaccurate information. To make a related request, or to ask any question concerning this Policy:

• Visit the SPG Consumer Privacy Request Portal
• Email us at: privacy.compliance@specialtyprogramgroup.com
• Call us at 866-415-2207
• Write us at:

Chief Legal Officer
Specialty Program Group LLC
150 N Riverside Plaza, 17th Floor
Chicago, IL 60606

Please include your name, address, telephone number and email address whenever you contact us, including by email. Please include “Personal Information Rights Request” in your subject line. This helps us handle your request correctly and allows us to verify your identity to protect your information. Depending upon the type of information request, we may require additional verification information.

Situations Where Rights Cannot Be Granted. There may be situations where we cannot grant a particular request; for example, if you ask us to delete your transaction data but we are legally obligated to keep a record of that transaction to comply with law or if we are unable to verify your identity through standard and reasonable means. We may also decline to grant a request where doing so would undermine our legitimate use of data for antifraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied could be that granting the request would jeopardize the privacy of others; that the request is substantively frivolous or vexatious; or that granting the request would be highly impractical in the context of our legitimate business purposes. If we are unable to fulfill your request to access, review, delete or correct your personal information, we will, where required, respond with an explanation.

Privacy Policy Organizations

Each of the Specialty Program Group LLC Privacy Policy and Privacy Notice for California Residents is provided on behalf of Specialty Program Group LLC and the following organizations:

• American Medical Professional Alliance, Inc.
• Avant Specialty Claims, LLC
• Biz Choice Last Mile Logistics Purchasing Group
• Boater Rewards Association, PBC
• Butting Underwriters Purchasing Group LLC
• ERS Risk Purchasing Group Association, Inc.
• Global Product Protection, LP
• Global Product Protection, Inc.
• Global Product Protection of Florida, Inc.
• HDOL LLC
• SBR Administrative Services, LLC
• SBR Services, LLC
• SBR Analytics, LLC
• Scale Human Capital, LLC
• SHEL Risk Purchasing Group Association
• SPG Crane & Boom Truck Risk Purchasing Group, Inc.
• Squaremouth, LLC

Privacy Notice for California Residents

Effective Date: August 1, 2024

This Privacy Notice for California Residents (this “Notice”) supplements the information contained in the SPG Privacy Policy (the “Policy”) and is provided on behalf of Specialty Program Group LLC and its subsidiaries listed here.

This Notice provides our “notice at collection” and provides certain mandated disclosures about our treatment of California residents’ information, both online and offline. We adopt this Notice to comply with the California Consumer Privacy Act of 2018 as supplemented by the California Privacy Rights Act of 2020 (collectively, the “CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice (unless separately defined in this Notice or the Policy). This Notice applies solely to residents of the State of California as defined in the CCPA (“California Residents”) who do business with us directly and/or visit the mobile apps and websites of Specialty Program Group LLC and its subsidiaries (“our websites”).

Updates to this Notice and Accessibility

We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated Notice on the websites and update the Notice’s effective date. We encourage you to look for updates and changes to this Notice when you access our websites. Your continued use of our websites and mobile applications following the posting of changes constitutes your acceptance of such changes with respect to your use of the websites and mobile applications.

Accessibility

If you have special needs with regard to accessing the content of this Notice, we recommend that you, or someone on your behalf, contact us by email at: privacy.compliance@specialtyprogramgroup.com. Please indicate “Accessibility Request” in your subject line to help us to identify this request.

Definition and Exclusions of Personal Information and Sensitive Personal Information under the CCPA and at Specialty Program Group LLC

Generally, Personal Information under the CCPA and in this Notice means information that identifies (whether directly or indirectly) you, such as your name, postal address, email address, and telephone number. Due to the nature of our business, Personal Information we collect may also include:

• your name, Social Security Number, driver’s license, or other government-issued identification;
• assets and income, occupation and employment status, dependent information and other relevant financial information;
• information relating to any of your past claims, driving history, certifications, license details, previous insurance policy details, previous accident and claims history including any driving convictions;
• information from reporting agencies and state and federal government agencies, such as state motor vehicle departments;
• information from other sources, such as medical or health care providers and other third parties with which you or we maintain a relationship including credit reference agencies, vetting and data validation agencies, advisory service providers, insurers, underwriters, reinsurers, other insurance brokers, business partners;
• your account activity and premium payment history;
• benefits information such as benefits elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits;
• information about your interest in and attendance at SPG sponsored events, including feedback responses;
• information from social media interactions with SPG’s social media presence, feedback forms or surveys;
• credit card, bank account or other account information as may be required to facilitate your payment of insurance premium or similar amounts, which payment generally is made through systems maintained by third parties, such as insurance carriers;
• passive tracking information from our websites or the Internet, including information obtained through the use of internet “cookies” as detailed in the “Cookie Notice and Notice of Other Web Technologies” of our U.S. Privacy Policy; and
• inferences drawn from other Personal Information, precise geolocation data, and sensory data such as audio or visual information.

Personal Information as defined under the CCPA does not include:

• Publicly available information from government records as defined under Civil Code Section 1798.140;
• Deidentified or aggregated consumer information;
• Health or medical information to the extent covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
• Personal information to the extent covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA) and the Driver’s Privacy Protection Act of 1994.

Certain types of Personal Information are considered “Sensitive Personal Information” under the CCPA. Specifically, the CCPA defines Sensitive Personal Information as its own category of Personal Information under California law, consisting of information that reveals a consumer’s:

• Social Security, driver’s license, state identification card, or passport number;
• Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
• Precise geolocation;
• Racial or ethnic origin, religious or philosophical beliefs, or union membership;
• Mail, email, and text message content, unless the business is the intended recipient of the communication;
• Genetic data; and/or
• Biometric information, which may reference certain physiological, biological, or behavioral characteristics, or DNA information, which could potentially establish an individual’s identity. Retina scans, fingerprints or voice recordings could also be considered such information.

Personal Information We Collect

The following categories of Personal Information and/or Sensitive Personal Information may have been collected from California Residents within the last twelve (12) months. Personal Information that falls under the definition of Sensitive Personal Information under the CCPA has been noted in the second column below.

| Category | California Sensitive Personal Information may be considered to be within this Category (YES or NO) | Examples of Personal Information | Collected |
| --- | --- | --- | --- |
| A. Identifiers | YES | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers. | YES |
| B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80I). | YES | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories. | YES |
| C. Protected classification characteristics under California or federal law. | YES | Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information). | YES |
| D. Commercial information. | NO | Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES |
| E. Biometric information. | YES | Genetic, physiological, behavioral and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns and sleep, health, or exercise data. | NO |
| F. Internet or other similar network activity. | NO | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES |
| G. Precise geolocation data. | YES | Physical location or movements within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet. | YES |
| H. Sensory data. | YES | Audio, electronic, visual, thermal, or similar information. | YES |
| I. Professional or employment-related information. | NO | Current or past job history. | YES |
| J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). | YES | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | YES |
| K. Inferences drawn from other personal information. | YES | Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes. | YES |

Sources of Personal Information We Collect

We may obtain the categories of Personal Information listed above from the following categories of sources:

• Directly from you – for example, from insurance applications or in connection with your other communications with us.
• From third parties – for example, from insurance carriers and other industry service providers, other insurance brokers, and other third parties with which you maintain a relationship, such as an employer, financial service or medical or health providers, or any industry provider from which we purchase or acquire industry assets or operations. This may occasionally include referral sources.
• Indirectly from you – for example, from observing your actions on our websites, including through the use of “cookies” as described on our websites, as permitted, or described in those other third-party sites’ own privacy policies, or as may otherwise be developed over time based on your interactions with us.

Use of Personal Information

We may from time to time use your Personal Information for the following reasons:

• to fulfill or meet the reason you provided the information and for our everyday business purposes, such as to obtain quotations for insurance or other insurance or financial industry services (including those procured proactively and/or in connection with the movement of a book of business from one provider to another) on your behalf; to obtain insurance (or similar products) on your behalf or to facilitate the performance of related services by other industry service providers; to maintain or service your account or insurance, including by reporting claims of loss to other industry service providers, such as insurance carriers and adjusters; to evaluate our performance or offerings; to allow risk management or actuarial evaluation of prospective or existing placements; to confer with medical professionals if necessary regarding a relevant claim; and to make reports to credit bureaus. We may also save your information to facilitate new quotations or placements.
• for legal reasons, such as to make required or advisable reports to insurance regulatory, law enforcement or other similarly situated authorities including government authorities; to respond to and comply with court orders, applicable law, and other legal requirements; and to defend ourselves against claims and to enforce our rights or protect our employees or property.
• for our own marketing purposes, so that we may offer you our products and services, including through the use of targeted or similar advertising on the internet.
• for joint marketing purposes, so that we and any third-party product or service provider may together offer you products and services.
• for our affiliates’ everyday business purposes, such as to process or service transactions or to provide or receive shared organizational services.
• for our affiliates’ marketing purposes so that they may offer you their products and services.
• for our and our affiliates’ fraud prevention purposes, where necessary to prevent and detect fraud.
• for non-affiliated third parties, whenever you consent to such sharing, when the information cannot reasonably identify you, when business partners or third-party companies play a related or expected role in an insurance transaction, or as needed for SPG to participate in insurance support organizations.
• for our internal and external auditors, where necessary for company audits, complaint investigation or investigation of a security threat.
• for other purposes, as may be permitted by law, as described to you when collecting your Personal Information or as otherwise set forth in the CCPA.
• to evaluate, negotiate or effect a business transaction (e.g., a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets), in which Personal Information held by us about our consumers or website users is among the assets evaluated or transferred.

Sharing of Personal Information under the CCPA

Under the CCPA, the Sharing of Personal Information means sharing, disclosing, disseminating, making available or otherwise communicating a consumer’s Personal Information to a third party for uses such as targeted advertising for the benefit of the business.

California residents have certain rights under the CCPA around limiting the Sharing of their Personal Information.

The CCPA addresses two distinct categories of information disclosure by businesses, differentiating the Sharing of Personal Information for a Commercial Purpose from the Disclosure of Personal Information for a Business Purpose, as described below.

Sharing of Personal Information for a Commercial Purpose

The CCPA defines the Sharing of Personal Information for a Commercial Purpose as including the sale or sharing of a customer’s Personal Information for monetary or other consideration paid to the sharing business.
In accordance with that definition, in the preceding twelve (12) months, SPG has Shared Personal Information for a Commercial Purpose as disclosed within the Policy, including specifically as described in our Cookie Notice and Notice of Other Web Technologies in relation to sharing personal information for cross-contextual behavioral advertising or targeted advertising.

As provided by the CCPA, California consumers have the right to opt-out of the “sale” of personal information to third parties. To opt-out of the “sale” or “sharing” of personal information related to targeted advertising, interest based advertising and cross context behavioral advertising, take the following steps:

  1. Turn off Social Media, Targeting and Advertising cookies by using the cookie consent mechanism available on our websites or by enabling the Global Privacy Control (“GPC”) signal on your browser; and
  2. Complete and submit a request using the SPG Consumer Privacy Request Portal.

Your cookie selections are specific to the particular device, browser, and website you use. If you use another device or browser, you will need to opt out on each device and browser. Blocking or deleting cookies from your browser may remove your opt-out settings, requiring you to opt-out again.

Disclosure of Personal Information for a Business Purpose

The CCPA excludes from the definition of Sharing Personal Information any use of Personal Information which was requested by you (the customer), including the expected and typical use of that information by a third party for the reasonably necessary purposes to achieve the requested service. Such an information transfer is considered the Disclosure of Personal Information for a Business Purpose under the CCPA.

In the preceding twelve (12) months, we may have Disclosed the following categories of Personal Information for a Business Purpose:

Category A: Identifiers
Category B: California Customer Records Personal Information categories
Category C: Protected classification characteristics under California or federal law
Category D: Commercial information
Category F: Internet or other similar network activity
Category H: Sensory Data
Category I: Professional or employment-related information
Category J: Non-public education information
Category K: Inferences drawn from other Personal Information

We may Disclose to the following categories of third parties your Personal Information for a Business Purpose to perform services on your behalf and to provide you with the insurance products and services you expect from us:

• Service providers.
• Insurance carriers and other industry service providers.
• Other third parties with which you or we maintain a relationship regarding your insurance.

Sales of Personal Information

In the preceding twelve (12) months, we have sold or shared Personal Information as defined by the CCPA, as described herein and in our Cookie Notice and Notice of Other Web Technologies in the Policy in relation to sharing personal information for cross-contextual behavioral advertising or targeted advertising.

Global Privacy Control (GPC) Signal

You have the right to opt out of the use of your personal information for targeted advertising purposes. You may download one of the supported browsers or extensions to send the Global Privacy Control (“GPC”) signal, which will transmit your request to opt-out of targeted advertising automatically. A list of GPC enabled available browsers or extensions is available here: https://globalprivacycontrol.org/#download.

Your computers or devices also have tools within their browser settings that allow you to manage your acceptance of cookies. These can include the ability to disable or block cookies, remove cookies, automatically accept cookies or to notify you when a cookie is received. Generally, disabling or rejecting cookies can impact your user experience. Certain features of our website may not be available if all cookies are disabled, and therefore, disabling, particularly of strictly necessary cookies, may not be available.

Information Specific to Employment Data of Specialty Program Group LLC

In addition, for recruitment and/or employment purposes, in the past twelve (12) months we have collected or may have collected and retained the following categories of Personal Information as necessary from California residents. Personal Information that falls under the definition of Sensitive Personal Information under the CCPA has been noted in the second column below:

| Category | California Sensitive Personal Information may be considered to be within this Category (YES or NO) | Examples of Personal Information | Collected |
| --- | --- | --- | --- |
| Additional personal details, contact details and identifiers. | YES | Additional personal details for recruitment/employment purposes, such as national identification number, Social Security number, insurance information, marital/civil partnership status, domestic partners, dependents, emergency contact information, and military history; professional/personal calendar availability/scheduling information for meeting/communication purposes. | YES |
| Education information and professional or employment-related information. | NO | Information about your education and professional or employment-related information, such as your employment history. | YES |
| Sensitive data for recruitment purposes. | YES | Certain types of sensitive information when permitted by local law or with your consent, such as health/medical information (including disability status), trade union membership information, religion, race or ethnicity, minority flag, and information on criminal convictions and offences. We collect this information for specific purposes, such as health/medical information in order to accommodate a disability or illness (subject to legal limits on the timing of collection of such information and other applicable limitations) and to provide benefits; background checks and diversity-related Personal Information (such as race or ethnicity) in order to comply with legal obligations and internal policies relating to diversity and anti-discrimination. | YES |
| Documentation required under immigration laws. | YES | Data on citizenship, passport data, and details of residency or work permit (a physical copy and/or an electronic copy). | YES, as to employees, some job candidates, and contractors of Specialty Program Group LLC |
| Financial information for payroll/benefits purposes. | YES | Your banking and other relevant financial details we need for payroll/benefits purposes. | YES |
| Talent management information. | YES | Information necessary to complete a background check, details on performance decisions and outcomes, performance feedback and warnings, e-learning/training programs, performance and development reviews (including information you provide when asking for/providing feedback, creating priorities, updating your input in relevant tools), driver’s license and car ownership information, and information used to populate biographies. | YES |
| Requested recruitment information. | NO | Information requested to provide during the recruitment process, to the extent allowed by applicable law. | YES |
| Recruitment information you submit. | NO | Information that you submit in résumés / CVs, letters, writing samples, or other written materials (including photographs). | YES |
| Information generated by us during recruitment. | NO | Information generated by interviewers and recruiters related to you, based on their interactions with you or basic Internet searches where allowed under applicable law. | YES |
| Recruitment information received from third parties. | NO | Information related to you provided by third-party placement firms, recruiters, or job-search websites, where applicable. | YES |
| Audiovisual information processed during recruitment. | YES | Photograph, and images/audio/footage captured on CCTV or other video systems when visiting our office or captured in the course of recruitment events or video recruitment interviews. | YES |
| Recommendations. | NO | Recommendations related information provided on your behalf by others. | YES |
| Employment history and background checks. | YES | Information about your prior employment, education, and where applicable and allowed by applicable law, credit history, criminal records or other information revealed during background screenings. | YES |
| Diversity related information. | YES | Information about race / ethnicity / religion / disability / gender and self-identified LGBT status, for purposes of government reporting where required by law, as well as to understand the diversity characteristics of our workforce, subject to legal limits. | YES |
| Assessment information. | YES | Information generated by your participation in psychological, technical or behavioral assessments. You will receive more information about the nature of such assessments before your participation in any of them. | YES |

Retention of Your Information

SPG retains certain records of your Personal Information as necessary to operate our business and comply with our legal and regulatory obligations. Such records are retained for legally defined retention periods that may extend beyond the period for which we provide the Services to you. We have implemented appropriate measures to confirm that Personal Information is securely disposed of when no longer required.

Your Rights and Choices

The CCPA at Section 7011 (e)(2) provides California Residents with specific rights regarding their Personal Information:

(A) Access. The right to know what Personal Information the business has collected about the consumer, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom the business discloses Personal Information, and the specific pieces of Personal Information the business has collected about the consumer;

(B) Deletion. The right to delete Personal Information that the business has collected from the consumer, subject to certain exceptions;

(C) Correction. The right to correct inaccurate Personal Information that a business maintains about a consumer;

(D) Opt-out of Sale or Sharing. If the business sells or shares Personal Information, the right to opt-out of the sale or sharing of their Personal Information by the business;

(E) Limitation on the Use of Sensitive Personal Information. If the business uses or discloses sensitive Personal Information for reasons other than those set forth in section 7027, subsection (m), the right to limit the use or disclosure of sensitive Personal Information by the business; and

(F) Non-discriminatory Treatment. The right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, including an employee’s, applicant’s, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights.

The following sections describe these CCPA rights in further detail and explain how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request for Access rights (see “Exercising Access, Data Portability and Deletion Rights”), we will disclose to you to the extent reasonably available, and to the extent that we can continue to protect your data while providing such disclosure:

• The categories of Personal Information we collected about you.
• The categories of sources for the Personal Information we collected about you.
• Our business or commercial purpose for collecting or selling that Personal Information.
• The categories of third parties with whom we share that Personal Information.
• The categories of Personal Information shared for a business purpose for each category of recipients.
• The specific pieces of Personal Information we collected about you (also called a data portability request).

In addition to the rights listed above, you may request limitations on the use of your Sensitive Personal Information consistent with the terms and limitations described in the CCPA, and pursuant to Civil Code Section 1798.120 et seq. Limited use of Sensitive Information may continue to include those uses which the average consumer would reasonably expect in context, and for uses which are reasonably necessary and proportionate for our business.

Deletion Request Rights

You have the right to request that we delete any of your Personal Information that we collected from you and retained. Once we receive and confirm your verifiable consumer request (see “Exercising Access, Data Portability and Deletion Rights”), we will delete your Personal Information from our records, unless an exception applies.

We may deny your deletion request in whole or in part for other reasons and exceptions described in the CCPA.

Exercising Access, Data Portability and Deletion Rights

To exercise the access, data portability and deletion rights described above, please submit a verifiable consumer request to us by:

• Visiting the SPG Consumer Privacy Request Portal
• Emailing us at: privacy.compliance@specialtyprogramgroup.com
• Calling us at: 866-415-2207

To protect your information and privacy, only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. Please indicate in your subject line “California Privacy Rights Request” so that we can better respond to you. Designated agents making any request will be required to provide signed permission for the agent to submit a request. In addition, when an authorized agent submits a request, we may also require that you verify your own identity directly to us or confirm with us that you have requested that the agent submit the request. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

• Provide sufficient information as we may request that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative of such person, which may include personal and/or commercial identifiers, such as an insurance policy number. Depending on the sensitivity of the information you are requesting, we may ask for additional information to verify your identity.
• Describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.

We cannot provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use Personal Information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We will acknowledge receipt of your request within ten (10) days. We will endeavor to respond in substance to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the extension period which may not exceed an additional forty-five (45) days beyond the original forty-five (45) day period.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily usable and should allow you to transmit the information from one entity to another entity without significant hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Other California Privacy Rights

California’s “Shine the Light” law (Civil Code Section § 1798.83) permits users of our website who are California Residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please write us at the mailing address shown beneath the heading “Contact Information for Requests under this Notice.”

Contact Information for Requests under this Notice

If you have any questions or comments about this Notice, the ways in which we collect and use your Personal Information described herein, and in the Policy, your choices, and rights regarding such use, or wish to exercise your rights under California law, please contact us at:

Postal Address:
Chief Legal Officer
Specialty Program Group LLC
150 N Riverside Plaza, 17th Floor
Chicago, IL 60606

Or by:

Visiting us at: the SPG Consumer Privacy Request Portal
Emailing us at: privacy.compliance@specialtyprogramgroup.com
Calling us at: 866-415-2207

Please indicate the purpose of your Email in the subject line, for instance “California Privacy Rights Request,” so that we can identify your Email properly.

Situations Where Rights Cannot Be Granted

There may be situations where we cannot grant a particular request — for example, if you ask us to delete your transaction data but we are legally obligated to keep a record of that transaction to comply with law, or if we are unable to verify your identity through standard and reasonable requirements. We may also decline to grant a request where doing so would undermine our legitimate use of data for antifraud and security purposes, such