Effective: January 1, 2024

We at Woodruff-Sawyer & Co. and our affiliated entities, including Woodruff-Sawyer Retirement Plan Services, Inc., Woodruff-Sawyer Oregon, Inc., Nomadx, Nomadx Retirement Plan Services, Inc., and Nomadx Oregon, Inc. (collectively, “Company,” “we,” “our”, “us,” or “Woodruff Sawyer”) appreciate the trust you have placed in us as your insurance broker and consultant. In the course of serving you, we are given access to information that is often both sensitive and proprietary. We want you to know that integrity––in the way we operate and the methods by which we conduct business––is a top priority and our most essential core value. As such, we take the responsibility of protecting your personal information very seriously.

This policy applies to information we collect:

It does not apply to information collected by third parties that maintain applications, platforms and services which are linked to or accessed from our Website, such as Zywave, CSR24, and E-Risk. The information practices of third parties, including social media platforms that host our branded social media pages, are governed by their privacy statements, which we encourage you to review.

Where we collect information in the course of providing our brokerage and consulting services under a contract we have with a commercial client, we act as a “service provider” or “processor” under applicable privacy laws and are obligated to process personal information according to instructions from our client, the business ultimately responsible for determining how your information will be handled. If you disclose information to us in connection with your role as an employee of our client, or by virtue of some other relationship you have with our client, we encourage you to review that client’s privacy notice to understand how your personal information will be handled.

This policy may change from time to time. If we make changes, we will update the “Effective Date” at the top of this page and post it on our Websites. Where required by law, we will also notify you of any changes in accordance with the law.

Privacy Regulations

Various regulations, such as the Gramm-Leach-Bliley Act (GLBA, a US regulation), General Data Protection Regulation (GDPR, an EU regulation), and California Consumer Privacy Act and California Privacy Rights Act (CCPA and CPRA) require us to provide you with notice of our privacy policies and practices. Please also review our GDPR Privacy Notice and CCPA/CPRA Notice, both of which supplement this privacy policy.

Woodruff Sawyer Privacy Policies and Practices

When you use our Website, or when we provide our services, we collect different types of information, which can include personal information. Personal information means any information relating to an identified or identifiable natural person. The legal bases for the processing of the personal information we collect are primarily that the processing is necessary for us to provide our services and that the processing is in Woodruff Sawyer’s legitimate interests, which is explained in greater detail below. We may also process data on your consent.

We do not intentionally collect personal information directly from children under 13; however, when an adult enrolls in products or services for their children, in those circumstances information about the child would be collected from the adult enrolling the child. If your child provides us with their personal information without parental consent, please contact us to address the issue.

Categories of Personal Information We Collect

A. Information We Collect About You and How We Collect It

We collect several types of information from and about you, including:

  • Information by which you may be personally identified, such as name, postal address, email address, telephone number, Social Security number, and/or driver’s license number – that is, your personal information.
  • Information about your transactions with us from the insurance companies we contact to underwrite your insurance.
  • Information we receive from the Department of Motor Vehicles (DMV) or other consumer reporting agencies.
  • Information contained in medical records or from medical professionals that is related to insurance claims.
  • Information about your internet connection, the equipment you use to access our Website, usage details.
  • Information about you as an applicant to our Company or a prospect to our Company available from public data sources.

We collect this information:

  • Directly from you when you provide it to us.
  • From third parties, for example, clients who provide information about their employees or claims, the insurance companies we contact to underwrite your insurance, DMV or other consumer reporting agencies, vendors that aggregate your information as an applicant or prospect from various publicly available data sources, and medical professionals who are providing information in connection to your insurance claim with us.
  • Automatically as you navigate through our Website. Information collected automatically may include usage details, IP addresses and information collected through cookies, web beacons and other tracking technologies.

We may collect personal information from individuals other than those proposed for coverage

B. Information You Provide to Us

The information we collect may include:

  • Information that you provide to us by filling out applications and other forms, including financial statements, census lists and pro forma business plans.
  • Information that you provide to us via our Website, including applications and forms, consultation requests, claims forms, accident reports, underwriting worksheets, newsletter subscriptions, and seminar and workshop registration.
  • Records and copies of your correspondence (including email addresses), if you contact us.
  • Your search queries on our Website.

C. Information We Collect Through Automatic Data Collection Technologies

As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions and patterns, including:

  • Details of your visits to our Website, including traffic data, location data, logs and other communication data and the resources that you access and use on the Website.
  • Information about your computer and internet connection, including your IP address, operating system and browser type.

We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking).  The information we collect automatically helps us to improve our Website and to deliver a better and more personalized service.

The technologies we use for this automatic data collection may include:

  • Cookies (or Browser Cookies). A cookie is a small file placed on the hard drive of your device. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of our Website. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website. Please see our section on Cookies for more information.
  • Flash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from and on our Website. Flash cookies are not managed by the same browser settings as are used for browser cookies.
  • Web Beacons. Pages of our Website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
  • Do Not Track.  While some internet browsers offer a “do not track” or “DNT” option that lets you tell websites that you do not want to have your online activities tracked, these features are not yet uniform and there is no common standard adopted by industry groups, technology companies, or regulators. Therefore, we do not currently commit to responding to browsers’ DNT signals with respect to our websites. We will make efforts to continue to monitor developments around DNT browser technology and the implementation of a standard.

Cookies may be placed on non-Woodruff Sawyer sites so that when you click on a Woodruff Sawyer advertisement located on these sites, Woodruff Sawyer is provided with this information to enable us to measure and improve the effectiveness of our advertising and to reduce the frequency of ads that are not relevant to each user’s interests. One example of this is Google Marketing Platform. Information about opting out of third party vendor cookies is located here.

How We Use Your Information

Woodruff Sawyer may use the personal information received from you or a third party such as your insurance carrier, employer, group or benefit program/plan sponsor to:

  • Verify your identity;
  • Register and service your online account;
  • Contact you when necessary and respond to your requests and inquiries;
  • Process an insurance transaction, enrollment or service requested by you directly, or by a third party. This may include:
    • The procurement of insurance (new and renewals);
    • Insurance policy administration;
    • Claims processing;
    • Consulting and related risk control services; and/or
    • General risk modeling, benchmarking and/or other analytics services;
  • Allow you to manage the services requested by you, or through or third party;
  • Market our services to you, including ours, those of our affiliates and those of third parties, including personalizing and evaluating the overall effectiveness of our marketing activities and Websites. This may include:
    • Using the information to understand and analyze the usage trends and preferences of our Visitors and Users;
    • Use automatically collected information, as well as through cookies and similar technologies to: (i) personalize our services, such as remembering a User’s or Visitor’s information so that the User or Visitor will not have to re-enter it during a visit or on subsequent visits; (ii) provide customized content, and information; (iii) monitor and analyze the effectiveness of our services and marketing activities; and (iv) monitor aggregate site usage metrics such as total number of visitors and pages viewed.
    • Using Google Analytics to measure and evaluate access to and traffic for our Website administrators. Google operates independently from us and has its own privacy policy, which we strongly suggest you review. Google may use the information collected through Google Analytics to evaluate Users’ and Visitors’ activity on our Site. For more information, see Google Analytics Privacy and Data Sharing.
  • Analyze, administer, develop, personalize, and improve our products and services and evaluate the overall effectiveness of our services.
  • Maintain network security and performance and protect against cyber-attacks;
  • Comply with and enforce applicable laws, industry standards, and our own policies;
  • Prevent and detect fraud and other legal or policy violations;
  • Perform benchmarking and analytics that support our client services;
  • De-identify information; and/or
  • As otherwise described to you at the point of collection, for our legitimate business purposes, or pursuant to your consent.

Disclosure of Your Personal Information

We may disclose information to third parties if you consent to us doing so, as well as in the following circumstances.

A. For Legitimate Business Purposes

We may disclose information, such as information from your application or other forms of data or your transactions with us, to a/an (i) affiliated entity to our company; (ii) third party if the disclosure will enable that party to perform a business, professional or insurance function for us, including credit reporting agencies, and our attorney and auditors, (iii) medical care institution or medical professional in order to verify coverage or benefits, or to conduct an audit that would enable us to verify treatment, (iv) State Insurance Division or Department of Insurance or other insurance regulatory authority, law enforcement, or other governmental authority in order to protect our interest or if we are required by law to divulge the information and, (v) contracted service providers, who provide services such as research and analytics, marketing, events planning, customer support and data enrichment for the purposes and pursuant to the legal bases described in this privacy policy. Contracted service providers may also deliver artificial intelligence and generative artificial intelligence capabilities to enable us to better analyze data, determine trends, make predictions and create AI-generated responses or other content for the purposes and pursuant to the legal bases described in this privacy policy.

The contractors and other third parties we use to support our business are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.

B. Technical Service Providers

We work with third party service providers who provide website, application development, hosting, maintenance, and other services for us. These third parties may have access to, or process personal information or client data as part of providing those services for us. We limit the information provided to these service providers to that which is reasonably necessary for them to perform their functions, and our contracts with them require them to maintain the confidentiality of such information.

C. Non-Personally-Identifiable Information

We may make certain automatically-collected, aggregated, or otherwise non-personally-identifiable information available to third parties for various purposes, including (i) for business or marketing purposes; or (iii) to assist such parties in understanding our clients’, Users’ and Visitors’ interests, habits, and usage patterns for our Website and services.

D. Law Enforcement, Legal Process and Compliance

We may disclose personal information or other information if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable laws, in response to a facially valid court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.

We also reserve the right to disclose personal information or other information that we believe, in good faith, is appropriate or necessary to (i) take precautions against liability, (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity, (iii) investigate and defend ourselves against any third-party claims or allegations, (iv) enforce or apply our terms of use and other agreements, including for billing and collection purposes.  (v) protect the security or integrity of our services and any facilities or equipment used to make our services available, (vi) protect our property or other legal rights, enforce our contracts, or protect the rights, property, or safety of others.

E. Consent

We may also disclose information to third parties with your consent, within the parameters your provide it.

F. Change of Ownership

Information about you, including personal information, may be disclosed and otherwise transferred to an acquirer, successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.

In connection with the potential sale or transfer of its interests, Woodruff Sawyer and its affiliates will disclose information to a third party only if it (1) concentrates its business in a similar practice, product or service; (2) agrees to be Woodruff Sawyer’s successor in interest with regard to the maintenance and protection of the information collected; and (3) agrees to the obligations of this Privacy Policy.

G. To Comply with Applicable Laws and the FCRA

We may disclose your information in accordance with requests from law enforcement or court of competent jurisdictions’ decree, order or subpoena. We may also be required to make certain disclosures pursuant to the FCRA to credit agencies or bureaus if initiated, requested or authorized by you in order for Woodruff Sawyer to perform its services.

Your Choices

You have the following rights. You may have the right to access, correct, delete and opt-out of sharing your personal information as detailed below under the GDPR, CCPA, CPRA, FCRA or other applicable data protection regulation. You have the right to non-discrimination. That is, we will not discriminate against you for exercising any of these rights. You have the right to opt-out of the sale of your personal information and to limit what we may do with your highly sensitive information as defined under applicable laws such as the CPRA.

A. Access, Correction, Deletion

We respect your privacy rights and provide you with reasonable access to the personal information that you may have provided through your use of this Website and services. If you wish to access or amend any other personal information we hold about you, or to request that we delete or transfer any information about you that we have obtained, you may contact us as set forth in the sections below. At your request, we will have any reference to you deleted or blocked in our database.

You may update, correct, or delete your account information by contacting us or as provided by our services. Please note that while any changes you make will be reflected in active user databases instantly or within a reasonable period of time, we may retain all information you submit for backups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so.

You may decline to share certain personal information with us, in which case we may not be able to provide to you some of the features and functionality of our Website or services.

At any time, you may object to the processing of your personal information, on legitimate grounds, except if otherwise permitted by applicable law. If you believe your right to privacy granted by applicable data protection laws has been infringed upon, please contact us. You also have a right to lodge a complaint with the appropriate regulatory body.

This provision does not apply to personal information that is part of data provided by a client. In this case, the management of the client data may be subject to other policies, including the client’s own privacy policy. Any request for access, correction or deletion should be made to the client responsible for the uploading and storage of such data onto our service.

Your right includes the right to know the source of the information and the identity of the persons, institutions or types of institutions to whom we have disclosed such information within one or two years prior to your request, depending on your jurisdiction. This information can be copied in person, received via email or mail.

To exercise your rights under these data protection regulations, you may email us at HERE, or fill out our privacy request form.

The request should include the identifying information about yourself and the relevant recorded information at issue. The request should state how you would like to access your information. Upon receipt of your request, we will contact you within ten (10) days confirm your requests and within the appropriate regulatory timeframes to make the relevant arrangements. Where you request that certain information be corrected, amended, or deleted, we will either notify you that we have made the correction, amendment or deletion, or that we refuse to do so and the reasons for the refusal, which you will have the opportunity to challenge.

Please note that to protect your information, we may need to verify your identity before processing your request. In some cases, we may need to collect additional information to verify your identity, such as a government issued ID.

You may exercise these rights yourself or you may designate an authorized agent to make these requests on your behalf. We may request that your authorized agent have written permission from you to make requests on your behalf and may need to verify your authorized agent’s identity.

B. Opting out from Commercial Communications

If you receive marketing emails from us, you may unsubscribe at any time by following the instructions contained within the email or by sending an email to the address provided below. Please be aware that if you opt-out of receiving marketing email from us it may take up to ten (10) business days for us to process your request. Additionally, even after you opt-out from receiving commercial messages from us, you will continue to receive administrative messages from us regarding the use of our services.

Woodruff Sawyer has no direct relationship with a client’s customers or third party whose personal information it may process on behalf of a client. An individual who seeks access, or who seeks to correct, amend, delete inaccurate data or withdraw consent for further contact should direct his or her query to the client they deal with directly. If the client requests we remove the data, we will respond to its request within thirty (30) days. We will delete, amend or block access to any personal information that we are storing only if we receive a written request to do so from the client who is responsible for such personal information, unless we have a legal right to retain such personal information. We reserve the right to retain a copy of such data for archiving purposes, or to defend our rights in litigation. Any such request regarding client data should be addressed as indicated in the section below, and include sufficient information for us to identify the client or its customer or third party and the information to delete or amend.

C. Opting out of Disclosure of Personal Information to Third Parties

We do not share your personal information with third parties unless we obtain consent or are required to do so in order to perform services that you have requested. You have the right to opt-out of the disclosure of personal information to non-affiliated third parties. If we intend to share your personal information with non-affiliated third parties then we will provide a clear and conspicuous notice of your rights to opt-out of such disclosure in accordance with the GLBA.

D. Sale of Personal Information

We do not sell your personal information. However, we support the CCPA and CPRA by allowing California residents to opt out of any future sale of their personal information. If you would like to record your preference that the Company not sell your data in the future, you may email us at, or fill out our privacy request form.

Third Party Services

The Website may contain features or links to websites and services provided by third parties. Your use of the third-party websites, applications and any information you instruct us to send to the third party (via clicking and accessing third party websites or applications) will be subject solely to the third party’s terms and conditions and their privacy notice, and will not be subject to this privacy policy.

Additional Rights of California Residents

Under the CCPA and CPRA, California residents may have additional rights as set forth in our Privacy Policy for California Residents HERE.

Information Confidentiality and Security

We follow generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. We maintain appropriate administrative, technical and physical safeguards to protect non-public information in order to protect against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the personal information in our possession. This includes, for example, firewalls, password protection and other access and authentication controls.

However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us or store with us, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. If you believe your Personal information has been compromised, please contact us as set forth in the “Contact Us” section.

If we learn of a security systems breach, we will inform you and the authorities of the occurrence of the breach in accordance with applicable law.

Woodruff Sawyer is a business associate within the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. As a business associate, we restrict the use and disclosure of protected health information (PHI) on behalf of our clients. We also provide for the security of electronic protected health information (ePHI) on behalf of clients.

Data Retention

We only retain personal information for as long as the purposes for which we have initially collected it. Where we collect that information through the consent provide by an individual (not client), but that individual withdraws consent, we will delete that information within a reasonable time. Where that information is retained and necessary for us to comply with our legal obligations, resolve disputes, enforce our agreements, or comply with insurance regulations, we will retain that information for the period of time required for that purpose or ten (10) years from that date.

Data Transfer

We may transfer, process and store personal information we collect through our services in centralized databases and with service providers located in the U.S. The U.S. may not have the same data protection framework as the country from which you may be using our services. When we transfer personal information to the U.S., we will protect it as described in this Privacy Policy.

Our services are hosted in the United States. If you choose to use our services from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you may be transferring your client data and personal information outside of those regions to the United States for storage and processing by our service providers.

We will comply with GDPR requirements providing adequate protection for the transfer of personal information from Europe to the U.S. Also, we may transfer your data to the U.S., the EEA, or other countries or regions deemed by the European Commission to provide adequate protection of personal information in connection with storage and processing of data, fulfilling your requests, and operating our services. We may also transfer your personal information to the other countries or regions not in the EEA or U.S., but will do so only with your consent or where we have agreements in place on such restricted data transfers with the relevant third party. Woodruff Sawyer does not own, control or direct the use of any of the client data stored or processed by us. We process client data on the direction of the client in providing them with services under their relevant agreements with us. For client data, Woodruff Sawyer is not acting in the capacity of data controller in terms of the European Union’s General Data Protection Regulation (Regulation (EU) 2016/679, also known as the GDPR) and only acts as a processor on behalf of its clients.

Changes To Our Privacy Policy

It is our policy to post any changes we make to our privacy policy on this page. If we make material changes to how we treat our users’ personal information, we will notify you by updating  this Privacy Policy. The date the privacy policy was last revised is identified at the top of the page. Please periodically visit our Website and this privacy policy to check for any changes.

Contact Us

For any requests under this privacy policy, or should you have any questions about our organization or privacy policy please contact us at: Attn: Legal, Woodruff Sawyer, 50 California Street, Floor 12, San Francisco, CA 94111, email us at or fill out our privacy request form.


Information about cookies

We use cookies to personalize content, to provide social media features, and to analyze our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services. Continued usage of this website (without answering the consent dialog) is the same as consenting. Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognizes that cookie. Cookies are useful because they allow a website to recognize a user’s device. Cookies do many different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improve the user experience. They can also help to ensure that the content you see are relevant to you. The cookies used on this website have been categorized based on the categories found in the ICC UK Cookie guide. The cookies used on this website are listed below, and fall under these categories. A. Strictly Necessary cookies We consider these cookies essential for you to navigate our site and use its features, such as logging into secure, customer only areas of the site.  Without these cookies, services you have paid for cannot be provided. Examples of Strictly Necessary cookies:

  • Registered Visitor cookie: Each registered user gets a unique id number, which is used to recognize them during the site visit and also upon their return. (Also applies to Functionality cookies below.)

B. Performance cookies Aggregated, non-personally identifiable information is collected about each user on each visit and use of this website. For example: which pages you visit the most often, and if you get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is anonymous and is only used to improve how this website works. Examples of Performance Cookies include:

  • Referrer URL (internal page): Stores the URL of the previous page visited. Allows us to track how visitors navigate throughout our site.
  • Referrer URL (set on external pages, such as clicking on links on Woodruff Sawyer social media pages):  Stores the URL which refers a visitor to our site so we may understand which URLs are referring visitors to our site.
  • URL history:  Stores the pages visited by a user.
  • Unregistered Visitor cookie: Allows analysis on how unregistered visitors use our site
  • Session Management cookies: Allows us to follow the actions of a user on our website during a browser session. A browser session begins when a user opens the browser window, visits our site, and ends when the visitor leaves the site and closes the browser window. Session Management cookies are created temporarily but deleted once the browser window is closed.

C. Functionality cookies Allows us to remember choices a user makes (such as a user name, language or the region) in order to provide more enhanced, personal, and persistent features.  None of these collect personally identifying information.  Each user is counted as an anonymous ID. These cookies cannot track browsing activity on other websites. They don’t gather any information about website visitors that could be used for advertising or remembering where a user has been on the Internet outside our site. Examples of Functionality Cookies include:

  • Registered Visitor cookie: Used to identify a registered user to our site with a unique id, so that we may serve them content and offers based on their profiles. Also used for analysis and marketing purposes. (See also Strictly Necessary cookies above.)

D. Targeting cookies Used from time to time to: (1) deliver advertisements more relevant to you and your interests; (2) limit the number of times you see an advertisement; (3) help measure the effectiveness of the advertising campaign; and (4) understand people’s behavior after they view an advertisement. They are usually placed on behalf of advertising networks with the site operator’s permission. They remember that you have visited a site and quite often they will be linked to site functionality provided by the other organization. Examples of Targeting Cookies include:

  • Retargeting and re-engagement cookies: Allows us to display advertising to people who have previously visited the website or used our apps, and match the right people with the right message.
  • Gathering analytics and intelligence cookies
  • Third Party cookies: The Targeting cookies as described above may also be used on third party websites and third parties may use them on our websites as follows:
    • Social media sites: Third-party social media sites may log information about you. This may include activities such as when you click an “Add This” or “Like” button for a social media site while on our site. We do not control such sites or their activities. You may be able to find information about social media sites on the sites themselves. We recommend you read the terms of use and privacy policy of such sites before using them.