Privacy Policy

Important information about Qdos' privacy policy

Qdos Broker and Underwriting Services Limited (“Qdos”, “we”, “us”, “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy (“Policy”) will inform you as to how we look after your personal data when you visit our website or otherwise engage with our products and services (collectively “Services”) and tell you about your privacy rights and how the law protects you.

Qdos is a wholly owned subsidiary of HCC International Insurance Company plc, a member of the Tokio Marine HCC Group of Companies.  Please see here for further information on the Group of Companies and here for a better understanding of our Global Privacy Policy.

It is important that you read this Policy together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data.  This Policy supplements the other notices and is not intended to override them.



Changes to the privacy notice

This version was last updated in April 2024.  This Policy may change from time to time, for example to keep it up to date or to comply with legal requirements or changes in the way we operate our business, so please check it periodically.



Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current.  Please keep us informed if your personal data changes during your relationship with us.



Third-party links

This website may include links to third-party websites, plug-ins and applications for your convenience and interest. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. Where visit any linked websites or social media tools not owned or controlled by Qdos, we encourage you to review their privacy notices/policies.



Who is responsible for looking after your personal data?

Our company is Qdos Broker and Underwriting Services Limited. Our registered office is The Grange, Grange Avenue, Rearsby, Leicester, LE7 4FY and our registered number is 06012716.


We are the Controller and responsible for your personal data, whether this is provided to us or we collect it directly from you, and we process it for the purposes described in this Policy.


We have appointed a Data Privacy Manager who is responsible for overseeing questions in relation to this Policy. If you have any questions about this Policy, including any requests to exercise your legal rights, please contact us using the details set out in the “Contact Us” section below.



What personal data do we collect about you?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).


We collect personal data that you provide to us when you sign up for our Services.  We may also collect information based on how you interact with our Services and/or other Internet or network activity (e.g., your online browsing history or mobile device information). 


More specifically, we may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows (it may vary according to the circumstances):

  • Identity Data includes first name, maiden name, last name, username or similar identifier, title, date of birth and gender;
  • Contact Data includes billing address, correspondence address, email address and telephone numbers;
  • Financial Data includes bank account and payment card details;
  • Transaction Data includes details about payments to and from you and other details of Services you have purchased from us;
  • Previous and current claims information about previous and current claims;
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website;
  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses;
  • Usage Data includes information about how you use our website, and Services;
  • Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences;
  • Telephone Calls Data (to the extent permitted by applicable laws) includes the recording of the telephone calls made to or received from our numbers.


We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose.  Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.  For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.  However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Policy.

We do not generally collect any Special Categories of Data about you nor do we collect any information about criminal convictions and offences.  However, should we need to collect such data, you will be informed of the reasons why it is required at the time we request it.



How is your personal data collected?

We use different methods to collect personal data from and about you including through:


Direct interactions

You may give us your Identity, Contact and Financial Data and Previous and current claims by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:


  1. Apply for our services;
  2. Create an account on our website;
  3. Subscribe to our service or publications;
  4. Request marketing to be sent to you;
  5. Enter a competition, promotion or survey;
  6. Make an online payment (where possible, in accordance with the law and security protocols);
  7. Use our live chat; or
  8. Give us some feedback.

The personal data you are being asked to provide, and the reasons why you are asked to provide it, will be made clear in this Policy or at the point at which we ask for such information.

PLEASE NOTE: if you call our telephone numbers, your call will be recorded for training, quality and compliance purposes, in accordance with our legal obligations, for our legitimate interest, public interest or on the basis of your consent, where applicable.  Automated transcripts of the content of the conversation might be extracted on the same basis.



Automated technologies or interactions

As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions and patterns with your prior consent. In the UK, this information may be considered personal data.  We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy ( for further details.



Third parties or publicly available sources

From time to time, we may receive your personal data from third party sources but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal data to us.  These third parties and public sources may include:


  1. Analytics providers.
  2. Providers of technical, payment and delivery services).
  3. Companies House.
  4. Credit reference agencies;
  5. Anti-fraud and other databases;
  6. Government agencies;
  7. Electoral register;
  8. Court judgments;
  9. Sanctions lists;
  10. Providers of live chat web widgets/services;
  11. Family members; and
  12. Recruitment agencies and/or other related parties, to include engagers, lawyers and claim handlers.



How we use your personal data and what are the lawful bases we rely on?

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:


  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.
  • Where we are required to protect your vital interests or those of any other person, but only where it is necessary to protect a life and where you are not physically or legally capable of giving consent.

Generally, we do not rely on consent as a legal basis for processing your personal data.  However, if we do you will always be specifically informed of this when your consent is collected.  You have the right to withdraw consent at any time by contacting us.

Please refer to the Glossary to find out more about the types of lawful basis that we will rely on to process your personal data.



If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with Services).  In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.



Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.  Please contact us if you have questions about, or need further information concerning, the legal basis on which we collect and use your personal data, using the details set out in in the “Contact Us” section below.


 Purpose/Activity Type of data
(it might vary according to the circumstances)
Lawful basis for processing 
 To register you as a new customer

(a) Identity

(b) Contact

(c) Previous and current claims

Performance of a contract with you 
 Evaluating the risks to be covered and matching
 to appropriate policy and premium

(a) Identity

(b) Contact

(c) Previous and current claims

(d) Transaction

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to determine
the likely risk profile and appropriate insurance product)

 Customer Administration

 To process and deliver your order including:

(a) Manage payments, fees and charges

(b) Collect and recover money owed to us

(a) Identity

(b) Contact

(c) Financial

(d) Transaction

(e) Marketing and Communications

 (a) Performance of a contract with you

(b) Necessary for our legitimate interests (to recover debts
due to us)

 To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or
privacy policy

(b) Asking you to leave a review or take a survey

(c) General client care, including communicating
with customers

(a) Identity

(b) Contact

(c) Profile

(d) Marketing and Communications

(e) Usage

(a) Performance of a contract with you

(b) Necessary to comply with a legal obligation

(c) Necessary for our legitimate interests (to keep our
records updated and to study how customers use our
Services, to answer customer's queries and to
correspond with customers in order to facilitate
the placing of orders and claims under insurance
policies, including through the live web chat service)

 Claims Processing
 Managing insurance claims, which will include
 defending or prosecuting claims

(a) Identity

(b) Contact

(c) Profile

(d) Transaction

(e) Previous and current claims

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to assist our
customers in assessing and making claims)

 Contacting customers in order to arrange the renewal
 of the insurance policy

(a) Identity

(b) Contact

(c) Profile

(d) Transaction

(e) Previous and current claims

(a) Performance of a contract with you 
 Consultancy Services

 To provide consultancy services, to include providing
 advice, general client care and evaluation of risk

(a) Identity

(b) Contact

(c) Profile

(d) Transaction

(a) Performance of a contract with you 
 Website and marketing activities
 To administer and protect our business and this website
(including troubleshooting, data analysis, testing, system
maintenance, support, reporting and hosting of data)

(a) Identity

(b) Contact

(c) Technical

(a) Necessary for our legitimate interests (for running
our business, provision of administration and IT services,
network security, to prevent fraud and in the context of a
business reorganisation or group restructuring exercise)

(b) Necessary to comply with a legal obligation

To deliver relevant website content and advertisements
to you and measure or understand the effectiveness of
 the advertising we serve you 

(a) Identity

(b) Contact

(c) Profile

(d) Usage

(e) Marketing and Communications

(f) Technical

Necessary for our legitimate interests (to study how
customers use our Services, to develop them, to grow
our business and to inform our marketing strategy) 
To use data analytics to improve our website, Services,
marketing, customer relationships and experiences 

(a) Technical

(b) Usage

Necessary for our legitimate interests (to define types
of customers for our Services, to keep our website
updated and relevant, to develop our business and
to inform our marketing strategy) 
To make suggestions and recommendations to you
about Services that may be of interest to you

(a) Identity

(b) Contact

(c) Technical

(d) Usage

(e) Profile

Necessary for our legitimate interests (to develop our
Services and grow our business) 
 Legal and Regulatory
 Complying with our legal or regulatory obligations

(a) Identity

(b) Contact

(c) Financial

(d) Transaction

(e) Profile

(f) Usage

(g) Marketing and Communications

(h) Telephone Calls Data

(a) Necessary to comply with a legal obligation

(b) Necessary for our legitimate interests (to take
pre-emptive steps to ensure legal and regulatory

(c) Public interest

Other specific processing activities and related information you should be aware of

Automated decision making

In some instances, our use of your personal data may result in automated decisions being taken (including profiling) that legally affect you or similarly significantly affect you.

Automated decision-making is the process of making a decision by automated means without any human involvement on the basis of a computer determination (using software algorithms).  For example, in certain instances we may use automated decisions to establish whether we will offer insurance coverage to a prospective insured.  We have implemented measures to safeguard the rights and interests of individuals whose personal data is subject to automated decision-making.

We will only use automated decisions-making when it is necessary for the entry into or performance of the contract; or is authorised by law; or is based on your explicit consent.

When we make an automated decision about you, you have the right to contest the decision, to express your point of view, and to require a human review of the decision.




We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.



Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which Services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased Services from us and you have not opted out of receiving that marketing.



Third-party marketing

We will obtain your express opt-in consent before we share your personal data with any company outside our corporate group for marketing purposes.



Opting out

You can ask us or third parties to stop sending you marketing messages at any time by logging into the website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product /service purchase, warranty registration, product /service experience or other transactions.  As your insurance broker we have a duty to act in your best interests. Where you opt out of receiving marketing messages, we will continue to communicate with you via telephone, email and post where we need to:


  • Collect information that we may require from you in order to provide our Services;
  • Notify you in advance of policy renewals;
  • Inform you of any changes to our Services;
  • Make you aware of any potential gaps in your insurance coverage, and to recommend Services to help address those gaps.

Customer reviews/feedback

Where relevant and necessary for the purpose of the processing activity, we may disclose your personal data to other appropriate organisations who have a need to know (so-called ‘third party recipients’), based on our legitimate interest.

With the purpose of helping us understand more about your experience using our Services, we may for example share your personal data with Feefo Holdings Ltd, an independent market research company, who will enable you to provide us with feedback and reviews of our Services.

Feefo shall only be permitted to contact you once in relation to each order you place with us, for the sole purpose of inviting you to submit a review of your experience of our Services.  Your details will not be used by Feefo for any other purpose.  Further information regarding Feefo can be found at /gb_en/about /b2c-customers.



Live chat

When you are contacting us through the live chat widget, be aware that our third party service provider may have access to your personal data for providing the Service.

Please do not share any kind of any Special Categories of Data about you in the message field.  



Additional information

When we share your personal data externally as described above, it will be subject to strict data processing agreements whereby Qdos remains the Controller and the third party acts as Processor.  The access and transfer of your personal data shall be restricted to trusted third party recipients who demonstrate an adequate level of data protection.  Moreover, these third-party recipients will be required to delete or return all the personal data to Qdos after the end of the provision of services relating to the processing and delete existing copies, unless the law requires storage of the personal data.

You may object at any time to the processing of your personal data by Qdos or any third-party recipient for this purpose, where such processing is carried out based on our legitimate interests.



Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.  If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.



Children's data

Our websites and applications are not directed to children under 16, and we do not knowingly collect any personal data directly from children under 16. If you believe that we are processing personal data pertaining to a child inappropriately, we ask you to contact us using the data provided under the “Contact Us” section below.



Who do we share your personal data with?

We may have to share your personal data with the parties set out below for the purposes set out in the table in the section above.


  • To our group companies, external Third Parties (as set out in the Glossary) or who otherwise process personal data for purposes that are described in this Policy (see (“How we use your personal data and what are the lawful bases we rely on?);
  • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Policy;
  • To any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
  • To any other person with your consent to the disclosure.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

We do not sell (or transfer) your personal data or information for monetary compensation.



International transfers

Your personal data may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country. Specifically, the servers of Qdos’ parent company, HCC Insurance Holdings Inc., are located in the United States.  However other TMHCC group companies are registered elsewhere, including in the EEA and operate around the world. This means that when we collect your information we may process it in any of these countries.

Furthermore, cookies and other technologies embedded into this website could determine the transfer of your personal data to third countries.  For more information, please refer to our Cookie Policy, which can be found here.

When transferring personal data to other countries we will protect your personal data in accordance with this Policy, or as otherwise disclosed to you.

We have implemented Standard Contractual Clauses for transfers of personal data between our group companies, which require all group companies to protect personal data they process from the UK, EEA, and Switzerland in accordance with UK, EU and Swiss data protection laws (our Standard Contractual Clauses can be provided on request). 

We may also transfer personal data to countries for which adequacy decisions have been issued, use contractual protections for the transfer of personal data to third party service providers and partners, such as the International Data Transfer Agreement (IDTA) or the International Data Transfer Addendum to the European Commission’s standard contractual or rely on other data transfer mechanisms relevant to your jurisdiction. 

You may contact us as specified in the “Contact Us” section below to obtain a copy of the safeguards we use to transfer personal data outside of your jurisdiction.



Data security

Qdos places great importance on the security of all personal data associated with our customers.  We have security measures in place designed to protect against the unauthorized access, acquisition, loss, misuse and alteration of personal data under our control, our security policies are periodically reviewed and enhanced as necessary.  

While we cannot ensure or guarantee that our physical, technical and administrative security measures can prevent the unauthorized access, acquisition loss, misuse or alteration of your data will ever occur, we will use reasonable and appropriate measures to prevent this.  If you have any concerns that your Qdos account or personal data has been put at risk, please contact us.



Data retention

How long will you use my personal data for?

We will keep your personal data or information on our records for as long as we have an ongoing legislative or legitimate business need to do so.  This includes providing you with a Service you have requested from us or to comply with applicable legal, tax or accounting requirements.  It also includes keeping your data for so long as there is any possibility that you or we may wish to bring a legal claim under your insurance contract, or where we are required to keep your data for legal or regulatory reasons.  

If you wish to receive further information regarding our record retention policy and procedures, please contact us using the data provided under the “Contact Us" section below.



Your legal rights

Under certain circumstances, you may have rights or choices listed below under data protection laws in relation to your personal data:


  • The right to be clearly informed about the processing of your personal data;
  • The right to access your personal data;
  • The right to rectification of your personal data;
  • The right to erasure of your personal data;
  • The right to object to processing of your personal data;
  • The right to restrict the processing of your personal data;
  • The right of data portability;
  • The right to withdraw consent;
  • The right to complain to us;
  • The right to complain to the Information Commissioner's Office (ICO);
  • The right to object automated decision-making; and/or
  • The right to request a list of our current service providers and partners.

Please refer also to the Glossary to better understand Your Legal Rights.

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.  If you wish to exercise the rights described above and are entitled to do so, we may ask you to verify your identity.  We will not charge to reply to your request, but we may charge a reasonable fee or refuse your request if it is excessive or where additional copies are requested.


We will verify your identity in connection with any of the above requests and take steps to ensure that only you or your authorised representative can exercise your rights with respect to your information.  There may be situations where we will be unable to grant or completely fulfil your request.  If we are unable to grant your request, we shall provide a written explanation to explain the rationale for our decision and action.


Although the right of access always applies, there are some exemptions, which means you may not always receive all the information we process.


Contact details

If you have any questions about this Policy or want to exercise your rights in relation to your personal data, you can contact our Data Privacy Manager using the following details: 


Email: [email protected]
Postal address: Data Privacy Manager, Qdos Broker & Underwriting Services Limited, The Grange, Grange Avenue, Rearsby, Leicester, LE7 4FY.




Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Controller means a natural or legal person which determines the means and purposes of processing of personal data.

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience.  We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).  You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Personal data means any information that relates to an identified or identifiable individual.

Processor means  a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

Process/Processing/Processed means any and all actions we take with respect to your personal data, including (without limitation) managing, viewing, holding, storing, deleting, changing, using and saving.


Special Categories of Data means any personal data relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership. 


External Third Parties include:

  • Service providers acting as Processors in the United Kingdom, the United States of America or elsewhere, who provide IT and system administration services, online payment services, customer care and feedback services and business support in general.
  • Professional advisers acting as Processors or joint Controllers including lawyers, bankers, auditors and insurers in the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.
  • HM Revenue & Customs, regulators and other authorities acting as Processors or joint Controllers based in the United Kingdom who require reporting of processing activities in certain circumstances.
  • Parties you are contracted with, directly or indirectly, which will include (but not be limited to) those who will be in receipt of the assessment we carry out on your IR35/ tax status.

Your legal rights

You have the right to:

Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.  Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.  You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing
of your personal data.  This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer (portability) of your personal data to you or to a third party.  We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine- readable format.  Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal data.  However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain Services to you.  We will advise you if this is the case at the time you withdraw your consent.

Lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.  We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance, although you have a right to contact the ICO at any time. The ICO’s contact details are:

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel.: 0303 123 1113 E-Mail: [email protected] 

Have a question?

Ask away! One of our team will get back to you!

Prefer to talk to us in person?

Call our team on 0116 269 0999 or we can call you back at a time that suits you!