Last Updated: May 23, 2018
We at Woodruff-Sawyer & Co., Woodruff-Sawyer Retirement Plan Services, Inc. and Woodruff-Sawyer Oregon, Inc. (collectively, “Company,” “we,” “us,” or “Woodruff Sawyer”) appreciate the trust you have placed in us as your insurance broker and consultant. In the course of serving you, we are given access to information that is often both sensitive and proprietary. We want you to know that integrity––in the way we operate and the methods by which we conduct business––is a top priority and our most essential core value. As such, we take the responsibility of protecting your company information very seriously.
This policy applies to information we collect:
- On this website at https://woodruffsawyer.com/ (our “Website”), including in email, text and other electronic messages between you and this Website (as a “Visitor”).
- In connection with our role as your insurance broker and consultant while using our Client Access portals, including Woodruff360 and Risk Solution Partners Management Center (as a “User”).
Purpose Of This Notice
The GLBA, which became effective July 1, 2001, and related privacy laws of the various states, generally prohibit us from sharing nonpublic, personal information about you with a third party in a manner not permitted by law. Further, they require us to provide you with this annual notice of our privacy policies and practices. Similarly, the GDPR, as of May 25, 2018, prohibits us from processing any personal data of an individual without authorized grounds. This policy and practice notification describes the types of information that we collect about you and the categories of persons or entities to whom that information may be disclosed.
Woodruff Sawyer Privacy Policies And Practices
When you use this Website, as a User of our client portals or simply a Visitor, we collect different types of information, which can include personal data. Personal data means any information relating to an identified or identifiable natural person. The legal bases for the processing of the personal data we collect are primarily that the processing is necessary for us to provide our services and that the processing is in Woodruff Sawyer’s legitimate interests, which is explained in greater detail below. We may also process data on your consent, asking for it as appropriate.
Information We Collect
A. Information We Collect About You and How We Collect It
We collect several types of information from and about Users of our Website, including:
- Information by which you may be personally identified, such as name, postal address, email address, telephone number, Social Security number, and/or driver’s license number – that is, your personal data.
- Information about your transactions with us from the insurance companies we contact to underwrite your insurance.
- Information we receive from the Department of Motor Vehicles (DMV) or other consumer reporting agencies.
- Information contained in medical records or from medical professionals that is related to insurance claims.
- Information about your internet connection, the equipment you use to access our Website, usage details.
We collect this information:
- Directly from you when you provide it to us.
- From third parties, for example, clients who provide information about their employees or claims, the insurance companies we contact to underwrite your insurance, DMV or other consumer reporting agencies, and medical professionals who are providing information in connection to your insurance claim with us.
- Automatically as you navigate through our Website. Information collected automatically may include usage details, IP addresses and information collected through cookies, web beacons and other tracking technologies.
We may collect nonpublic personal data from individuals other than those proposed for coverage.
B. Information You Provide to Us
The information we collect on or through our Website may include:
- Information that you provide to us by filling out applications and other forms, including financial statements, census lists and pro forma business plans.
- Information that you provide to us via our website, including applications and forms, consultation requests, claims forms, accident reports, underwriting worksheets, newsletter subscriptions, and seminar and workshop registration.
- Records and copies of your correspondence (including email addresses), if you contact us.
- Your search queries on our Website.
C. Information We Collect Through Automatic Data Collection Technologies
As you navigate through and interact with our Website, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions and patterns, including:
- Details of your visits to our Website, including traffic data, location data, logs and other communication data and the resources that you access and use on the Website.
- Information about your computer and internet connection, including your IP address, operating system and browser type.
We also may use these technologies to collect information about your online activities over time and across third-party websites or other online services (behavioral tracking). The information we collect automatically helps us to improve our Website and to deliver a better and more personalized service.
The technologies we use for this automatic data collection may include:
- Flash Cookies. Certain features of our Website may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from and on our Website. Flash cookies are not managed by the same browser settings as are used for browser cookies. For information about managing your privacy and security settings for Flash cookies, see http://www.adobe.com/devnet/security.html.
- Web Beacons. Pages of our Website and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity).
- Do Not Track. Many web browsers support Do Not Track technology. If you enable Do Not Track, we will not use information about your web viewing activities to tailor your online experience.
How We Use Your Information
We use information that we collect about you or that you provide to us, including any personal data in the following ways.
We use this information to (i) provide you with information or services that you request from us and to provide customer service, (ii) carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including for billing and collection, and (iii) provide you with notices about your account, including expiration and renewal notices.
We use the information to understand and analyze the usage trends and preferences of our Visitors and Users, to improve the services we provide, and to develop new products, services, features, and functionality. Should this purpose require Woodruff Sawyer to process any personal data, then the data will only be used in anonymized or aggregated form.
D. Cookies and Tracking Technologies
We may use automatically collected information, as well as through cookies and similar technologies to: (i) personalize our services, such as remembering a User’s or Visitor’s information so that the User or Visitor will not have to re-enter it during a visit or on subsequent visits; (ii) provide customized content, and information; (iii) monitor and analyze the effectiveness of our services and marketing activities; and (iv) monitor aggregate site usage metrics such as total number of visitors and pages viewed. You can obtain more information about cookies by visiting http://www.allaboutcookies.org.
We take measures to protect the technical information collected by our use of Google Analytics. The data collected will only be used on a need to know basis to resolve technical issues, administer the Website and identify Visitor preferences; but in this case, the data will be in non-identifiable form. We do not use any of this information to identify Visitors or Users.
With your consent, we can also use the information we collect (i) to fulfill any other purpose for which you provide it and (ii) in any other way we may describe when you provide the information.
Information Disclosed To Third Parties
Except as described in this policy, we will not intentionally disclose personal data that we collect or store to third parties without the consent of the applicable User, Visitor, or client. We may disclose information to third parties if you consent to us doing so, as well as in the following circumstances.
A. Managing Business On Your Behalf
We may disclose information, such as information from your application or other forms of data or your transactions with us, to a (i) third party if the disclosure will enable that party to perform a business, professional or insurance function for us, including credit reporting agencies, and our attorney and auditors, (ii) medical care institution or medical professional in order to verify coverage or benefits, or to conduct an audit that would enable us to verify treatment and, (iii) State Insurance Division or Department of Insurance or other insurance regulatory authority, law enforcement, or other governmental authority in order to protect our interest or if we are required by law to divulge the information.
The contractors and other third parties we use to support our business are bound by contractual obligations to keep personal data confidential and use it only for the purposes for which we disclose it to them.
B. Technical Service Providers
We work with third party service providers who provide website, application development, hosting, maintenance, and other services for us. These third parties may have access to, or process personal data or client data as part of providing those services for us. We limit the information provided to these service providers to that which is reasonably necessary for them to perform their functions, and our contracts with them require them to maintain the confidentiality of such information.
C. Non-Personally-Identifiable Information
We may make certain automatically-collected, aggregated, or otherwise non-personally-identifiable information available to third parties for various purposes, including (i) for business or marketing purposes; or (iii) to assist such parties in understanding our clients’, Users’ and Visitors’ interests, habits, and usage patterns for our Website and services.
D. Law Enforcement, Legal Process and Compliance
We may disclose personal data or other information if required to do so by law or in the good-faith belief that such action is necessary to comply with applicable laws, in response to a facially valid court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.
We may also disclose information to third parties with your consent, within the parameters your provide it.
F. Change of Ownership
Information about Users and Visitors, including personal data, may be disclosed and otherwise transferred to an acquirer, successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets.
Client data may be physically or electronically transferred to an acquirer, or successor or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which information is transferred to one or more third parties as one of our business assets, for the sole purpose of continuing operations.
In connection with the potential sale or transfer of its interests, Woodruff Sawyer and its affiliates will disclose information to a third party only if it (1) concentrates its business in a similar practice, product or service; (2) agrees to be Woodruff Sawyer’s successor in interest with regard to the maintenance and protection of the information collected; and (3) agrees to the obligations of this privacy statement.
You have the right to access, amend, and delete your personal data as detailed below.
A. Access, Correction, Deletion
We respect your privacy rights and provide you with reasonable access to the personal data that you may have provided through your use of this Website and services. If you wish to access or amend any other personal data we hold about you, or to request that we delete or transfer any information about you that we have obtained, you may contact us as set forth in the sections below. At your request, we will have any reference to you deleted or blocked in our database.
You may update, correct, or delete your account information by contacting us or as provided by our services. Please note that while any changes you make will be reflected in active user databases instantly or within a reasonable period of time, we may retain all information you submit for backups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so.
You may decline to share certain personal data with us, in which case we may not be able to provide to you some of the features and functionality of our Website or services.
At any time, you may object to the processing of your personal data, on legitimate grounds, except if otherwise permitted by applicable law. If you believe your right to privacy granted by applicable data protection laws has been infringed upon, please contact us. You also have a right to lodge a complaint with data protection authorities.
Your right includes the right to know the source of the information and the identity of the persons, institutions or types of institutions to whom we have disclosed such information within two years prior to your request. This information can be copied in person, received via email or mail.
B. Opting out from Commercial Communications
If you receive marketing emails from us, you may unsubscribe at any time by following the instructions contained within the email or by sending an email to the address provided below. Please be aware that if you opt-out of receiving marketing email from us it may take up to ten (10) business days for us to process your request. Additionally, even after you opt-out from receiving commercial messages from us, you will continue to receive administrative messages from us regarding the use of our services.
Woodruff Sawyer has no direct relationship with a client’s customers or third party whose personal data it may process on behalf of a client. An individual who seeks access, or who seeks to correct, amend, delete inaccurate data or withdraw consent for further contact should direct his or her query to the client they deal with directly. If the client requests we remove the data, we will respond to its request within thirty (30) days. We will delete, amend or block access to any Personal Data that we are storing only if we receive a written request to do so from the client who is responsible for such personal data, unless we have a legal right to retain such personal data. We reserve the right to retain a copy of such data for archiving purposes, or to defend our rights in litigation. Any such request regarding client data should be addressed as indicated in the section below, and include sufficient information for us to identify the client or its customer or third party and the information to delete or amend.
We use the following types of cookies on our Website.
- strictly necessary/essential cookies – These cookies are essential in order to enable you to move around the website and use its features, such as accessing secure areas of the website. Without these cookies services you have asked for cannot be provided. These cookies don’t collect information that identifies a visitor.
- performance cookies – These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works.
We may use the following types of cookies in the future.
- functionality cookies – These cookies allow the website to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customize. They may also be used to provide services you have asked to access. The information these cookies collect may be anonymized and they cannot track your browsing activity on other websites.
- behaviourally targeted advertising cookies – These cookies are used to deliver advertisements more relevant to you and your interests They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaigns. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organizations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organization.
The following cookies are used.
|Service Provider||Cookie Name||Expiration||Content|
|Google Analytics||_ga||2 years||Used to distinguish users.|
|Google Analytics||_gid||24 hours||Used to distinguish users.|
|Google Analytics||_gat||1 minute||Used to throttle request rate.|
Third Party Services
The Website may contain features or links to websites and services provided by third parties. Any information you provide on third-party sites or services is provided directly to the operators of such services and is subject to those operators’ policies, if any, governing privacy and security, even if accessed through us. We are not responsible for the content or privacy and security practices and policies of third-party sites or services to which links or access are provided through our Website. We encourage you to learn about third parties’ privacy and security policies before providing them with information.
California Privacy Rights
We will not share any personal data with third parties for their direct marketing purposes to the extent prohibited by California law. If our practices change, we will do so in accordance with applicable laws and will notify you in advance.
Accessing, Correcting, Amending, or Deleting Your Information
Contact us at detailed below in the “Contact Us” section to access, correct, amend, or delete your information.
The request should include the identifying information about yourself and the relevant recorded information at issue. The request should state how you would like to access your information. Upon receipt of your request, we will contact you within 30 business days to make the relevant arrangements. Where you request that certain information be corrected, amended, or deleted, we will either notify you that we have made the correction, amendment or deletion, or that we refuse to do so and the reasons for the refusal, which you will have the opportunity to challenge.
Information Confidentiality And Security
We follow generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. We maintain appropriate administrative, technical and physical safeguards to protect personal data against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the personal data in our possession. This includes, for example, firewalls, password protection and other access and authentication controls.
However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. We cannot ensure or warrant the security of any information you transmit to us or store with us, and you do so at your own risk. We also cannot guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards. If you believe your Personal Data has been compromised, please contact us as set forth in the “Contact Us” section.
If we learn of a security systems breach, we will inform you and the authorities of the occurrence of the breach in accordance with applicable law.
We restrict access to your nonpublic, personal data to employees on a “need to know” basis. If the employee is not involved with your account, he or she does not need access to your information. We maintain physical, electronic, and procedural safeguards that comply with Federal and State regulations to guard your nonpublic personal data. We will continue to protect and treat your information as confidential.
Woodruff Sawyer is a business associate within the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations. As a business associate, we restrict the use and disclosure of protected health information (PHI) on behalf of our clients. We also provide for the security of electronic protected health information (ePHI) on behalf of clients. All of our Privacy and Security policies and procedures ensure compliance with HIPAA’s privacy and security requirements.
We only retain personal data for as long as the purposes for which we have initially collected it. Where we collect that information through the consent provide by an individual (not client), but that individual withdraws consent, we will delete that information within a reasonable time. Where that information is retained and necessary for us to comply with our legal obligations, resolve disputes, enforce our agreements, or comply with insurance regulations, we will retain that information for the period of time required for that purpose or 10 years from that date.
Our services are hosted in the United States. Iif you choose to use our services from the European Union or other regions of the world with laws governing data collection and use that may differ from U.S. law, then please note that you may be transferring your client data and personal data outside of those regions to the United States for storage and processing by our service providers.
We will comply with GDPR requirements providing adequate protection for the transfer of personal information from Europe to the U.S. Also, we may transfer your data to the U.S., the EEA, or other countries or regions deemed by the European Commission to provide adequate protection of personal data in connection with storage and processing of data, fulfilling your requests, and operating our services. We may also transfer your personal data to the other countries or regions not in the EEA or U.S., but will do so only with your consent or where we have agreements in place on such restricted data transfers with the relevant third party.
Data Controller and Data Processor
The client or the user is the data controller under the GDPR for any client data containing personal data, meaning that such party controls the manner such personal data is collected and used as well as the determination of the purposes and means of the processing of such personal data.
Where we collect information on our own behalf, and not to effectuate our services for a client, we are a data controller for purposes of the GDPR as to personal data of data subjects. For example, where we collect personal data for marketing purposes, we are a data controller. Where Woodruff Sawyer is a data controller under the GDPR, we will comply with the requirements to provide adequate data privacy and protection of the personal data that we control.
Attn: Legal, Woodruff Sawyer, 50 California Street, Floor 12, San Francisco, CA 94111, call us at 844.972.6326, or email us at firstname.lastname@example.org.