This notice explains how Apex Insurance Brokers Limited collects, uses, shares and protects personal data, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who we are
Apex Insurance Brokers Limited ("we", "us", "our") is the controller of the personal data we collect from and about you under this notice. We are an FCA-authorised independent commercial insurance broker based in Bristol.
Trading address: QCS, 53 Queen Charlotte Street, Bristol BS1 4HQ
Registered office: c/o Westcas, 5 Anglo Office Park, Bristol BS15 1NT
Companies House registration: 07014570
FCA Firm Reference Number: 724952 — verifiable at register.fca.org.uk
ICO registration number: ZA195912
Telephone: 0117 325 0027
Email for privacy queries: info@apexinsurancebrokers.co.uk
We are not required to appoint a statutory Data Protection Officer. The Director, Matt Bartlett, is the data protection lead and is the first point of contact for any privacy-related question.
2. What personal data we collect
To place and administer insurance for you, we may collect:
- Identity and contact data — name, date of birth, gender, postal address, email address, telephone numbers.
- Business data — company name, role, professional qualifications, turnover, employee numbers, claims history, regulatory status.
- Financial data — bank account or card details for premium payment, payment history, credit checks where you opt for premium finance.
- Risk-assessment data — details specific to the cover you are buying (for example, project details for design-and-construct cover, fee income split by work type for solicitors PI).
- Special category data under Article 9 UK GDPR — for example, health information for personal accident or travel insurance, or details of criminal convictions for proposal disclosure. We only collect this where necessary for the cover you have asked us to arrange.
- Technical data from this website — IP address, browser type, pages visited, referrer, cookie identifiers. See our Cookie Policy for detail.
- Marketing preferences where you have given consent to hear from us about products or services.
3. Where we get personal data from
- Directly from you when you ask us for a quote, take out a policy, make a claim, or contact us.
- From insurers, managing general agents and reinsurers in the course of placing or renewing your cover.
- From credit reference agencies (Experian, Equifax, TransUnion) where you have applied for premium finance.
- From anti-fraud databases including the Claims and Underwriting Exchange (CUE), the Motor Insurance Anti-Fraud and Theft Register (MIAFTR), and the Insurance Fraud Bureau, which we and our insurer partners use to detect and prevent fraud.
- From public sources, including the FCA Financial Services Register, Companies House, the SRA, ARB, RICS, ICAEW and other professional regulators where we are verifying the regulatory status of a client firm.
- From your authorised representatives — for example, a broker introducer, accountant or solicitor.
4. The legal bases we rely on
We process your personal data only where one of the following lawful bases under Article 6 UK GDPR applies:
- Performance of a contract with you (Article 6(1)(b)) — to source quotes, place cover, collect premiums, administer claims and renewals.
- Legitimate interests (Article 6(1)(f)) — for risk assessment, fraud prevention, business administration, the security of our IT systems, the recovery of debts, and to develop and improve our services. We balance our interests against your rights and only rely on this basis where we are satisfied that the processing does not unduly affect you.
- Legal obligation (Article 6(1)(c)) — to comply with the FCA Handbook (including SYSC and ICOBS), anti-money-laundering and sanctions law, HMRC requirements, court orders, and other legal duties.
- Consent (Article 6(1)(a)) — for direct marketing communications and for the use of non-essential cookies. You can withdraw consent at any time.
- Vital interests (Article 6(1)(d)) — exceptionally, where processing is necessary to protect someone's life (for example, in an emergency claims situation).
Where we process special-category data under Article 9 UK GDPR, we rely on:
- Substantial public interest — insurance purposes (Article 9(2)(g) UK GDPR together with paragraph 20 of Schedule 1 to the Data Protection Act 2018), which permits the processing of health and other special-category data where necessary for an insurance contract or claim; or
- Your explicit consent (Article 9(2)(a)) where the insurance condition is not available.
Where we process criminal-offence data, we rely on Article 10 UK GDPR together with the appropriate Schedule 1 DPA 2018 condition (typically paragraph 20 — insurance — or paragraph 14 — preventing or detecting unlawful acts).
5. How we use your personal data
- To understand your requirements and present suitable insurance options.
- To place and renew insurance contracts with your chosen insurer.
- To collect premiums, including via premium-finance arrangements where you choose.
- To administer and handle claims, including liaising with insurers, loss adjusters, solicitors and third-party experts on your behalf.
- To carry out anti-fraud, anti-money-laundering, sanctions and other regulatory checks required of an FCA-authorised firm.
- To respond to complaints and to keep records in line with the FCA's DISP rules.
- To comply with our reporting obligations to the FCA, HMRC, the Information Commissioner's Office (ICO), the Financial Ombudsman Service (FOS) and other regulators or authorities.
- To send you service messages (renewal reminders, policy changes, urgent notices) — this is part of the contract and does not require separate consent.
- To send you marketing communications where you have asked to hear from us.
- To operate and improve our website, including troubleshooting, security monitoring and analytics.
6. Who we share personal data with
We share personal data with the following categories of recipient, only where necessary and under appropriate contractual or regulatory safeguards:
- Insurers, reinsurers and managing general agents on whose paper your insurance is placed.
- Other insurance intermediaries where we use a wholesale broker, network or sub-broker to access specialist markets on your behalf.
- Claims handlers, loss adjusters, appointed solicitors, surveyors and other experts appointed to handle a claim.
- Premium-finance providers (for example, Close Premium Finance, Premium Credit, Investec) where you opt to pay your premium by instalments.
- Credit-reference agencies (Experian, Equifax, TransUnion) for credit checks linked to premium finance.
- Anti-fraud and risk-prevention databases including the Claims and Underwriting Exchange (CUE), the Motor Insurance Anti-Fraud and Theft Register (MIAFTR), and the Insurance Fraud Bureau.
- Regulators and authorities — the FCA, ICO, HMRC, FOS, FSCS, the National Crime Agency, police and other public bodies where we are legally obliged to disclose.
- Professional advisers — our auditors, compliance consultants, lawyers and accountants, under appropriate confidentiality.
- IT, hosting and software service providers who process data on our behalf under written data-processing agreements (including our CRM, email host, website host, telephone systems and analytics tools).
- Successors in the event of a sale, merger, restructure or transfer of our business — strictly under confidentiality and only to the extent necessary.
We do not sell your personal data and we do not allow our service providers to use it for their own marketing.
7. International transfers
Most of the personal data we hold is processed in the United Kingdom. Where we transfer personal data outside the UK — for example, to an insurer or reinsurer based in the European Economic Area, the United States, or elsewhere — we rely on one or more of the following safeguards:
- A UK adequacy regulation, where the receiving country has been recognised by the UK Government as providing an adequate level of protection (this currently includes all EEA countries).
- The UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum, where adequacy does not apply.
- An applicable derogation under Article 49 UK GDPR — for example, where the transfer is necessary for the performance of your insurance contract.
You can request a copy of the safeguards in place for any specific transfer by emailing us.
8. How long we keep personal data
We keep personal data only for as long as is necessary for the purposes for which it was collected, and for the periods required by law and regulation:
- Client and policy records — at least seven years from the end of the business relationship, in line with the FCA's record-keeping requirements (SYSC) and HMRC's tax-record requirements. Some categories may be kept longer where a long-tail liability exists (for example, professional indemnity insurance), in which case we may keep records for the lifetime of the policy plus an extended run-off period.
- Claims records — at least seven years from the date the claim is finally closed.
- Complaints records — at least six years, in line with the FCA's DISP rules.
- Anti-money-laundering and sanctions records — five years from the end of the business relationship, in line with the Money Laundering Regulations 2017.
- Marketing data — until you withdraw consent, or for three years from your last interaction, whichever is sooner.
- Website analytics and cookie data — as set out in our Cookie Policy, typically up to 26 months for analytics identifiers.
After these periods, records are securely deleted or anonymised.
9. Your rights under UK GDPR
You have the following rights in respect of personal data we hold about you. We will respond to any request within one month, free of charge in most cases.
- Right of access — to be told whether we hold personal data about you and, if so, to receive a copy and information about how we process it.
- Right to rectification — to have inaccurate data corrected and incomplete data completed.
- Right to erasure ("right to be forgotten") — to have personal data deleted where we no longer need it, subject to legal and regulatory retention obligations.
- Right to restrict processing — to ask us to limit how we use your data while a query is resolved.
- Right to data portability — to receive data you provided to us under a contract or with your consent, in a structured, machine-readable format.
- Right to object — to processing based on legitimate interests, to direct marketing (absolute), or to processing for research or statistical purposes.
- Rights in relation to automated decision-making and profiling — see section 10 below.
- Right to withdraw consent — where we rely on consent (for example, for marketing), you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, email info@apexinsurancebrokers.co.uk or write to us at our trading address. We may need to verify your identity before we respond.
10. Automated decision-making and profiling
Some insurers we work with use automated underwriting tools or profiling to calculate quotes and premiums. Where an insurer's decision about you is based solely on automated processing and has a legal or similarly significant effect, the insurer is required to give you information about the logic involved, the significance and the consequences, and to provide a route to human review. We will pass on any such information you ask us for. We do not ourselves make solely-automated decisions about you.
11. Use of artificial-intelligence (AI) tools
We make limited use of artificial-intelligence tools (for example, generative-AI assistants such as Anthropic's Claude and OpenAI's ChatGPT) to support our day-to-day work. Where AI is involved, it is used in support of — never instead of — a qualified human broker. No decision that has a legal or similarly significant effect on you is made by AI alone.
What we use AI for.
- Drafting and improving outbound communications (emails, sector briefings, renewal summaries) before a broker reviews and sends them.
- Summarising long documents — policy wordings, claims correspondence, regulatory updates — so we can advise you quickly.
- Internal research, market analysis and content development.
- Improving the operational efficiency of our website and business processes.
What we do not use AI for.
- We do not use AI to make underwriting, pricing or claims decisions about you. Those decisions are made by us as your broker, and by your insurer under its own processes.
- We do not feed AI tools any more personal data than is necessary for the task in hand. Where reasonably practical, we use anonymised or pseudonymised inputs and avoid sharing special-category data with AI tools at all.
- We do not give AI providers permission to use your personal data to train or improve their models. Our AI provider agreements are configured so that submitted data is not retained beyond the immediate request and is not used for training.
International transfers. AI providers are typically based in the United States. Where personal data is shared with an AI provider it is on the basis of a written data-processing agreement that includes UK-GDPR-compliant safeguards (UK International Data Transfer Agreement, or the EU Standard Contractual Clauses with the UK Addendum, plus the no-training, no-retention configurations described above).
Lawful basis. Where AI processing is necessary to perform a contract with you, we rely on Article 6(1)(b) UK GDPR. Where AI processing supports our legitimate interest in operating efficiently and developing our services, we rely on Article 6(1)(f) and balance that interest against your rights and freedoms.
Article 22 — solely-automated decisions. Where an insurer uses fully-automated underwriting that has a legal or similarly significant effect on you, your rights under Article 22 UK GDPR (to information about the logic involved, and to human review on request) apply against that insurer. We will assist you in raising any such request.
If you would prefer we did not use AI in handling your business, please let us know and we will accommodate that where it is practical to do so.
12. Marketing
We will only send you marketing communications (newsletters, sector briefings, renewal-window prompts that are not part of an existing contract) where you have asked us to. You can opt out at any time by using the unsubscribe link in any email, by emailing us, or by writing to us at our trading address. Opting out of marketing will not affect any service messages required by your insurance contract.
13. Cookies and this website
This website uses cookies and similar technologies. Strictly-necessary cookies (for security, consent and basic operation) are set without consent. Analytics and other non-essential cookies are only set after you have given consent through our cookie banner. The full list of cookies and how to manage them is in our Cookie Policy.
14. How we keep personal data safe
We maintain technical and organisational measures appropriate to the risk of the data we process, including:
- Encryption in transit (HTTPS for all web traffic, TLS for email between supporting providers).
- Access controls on our systems, with multi-factor authentication on key tools.
- Staff training on data protection, FCA Consumer Duty, and security awareness.
- Regular review of access permissions and security configuration.
- Written data-processing agreements with all third-party processors.
- A documented incident-response process. We will notify the ICO of any personal-data breach within 72 hours of becoming aware of it, where required by law, and we will notify you directly where the breach is likely to result in a high risk to your rights and freedoms.
15. Complaining about how we handle your data
If you have a concern about how we have used your personal data, please contact us first so we can try to resolve it: info@apexinsurancebrokers.co.uk.
You also have the right to complain to the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk/make-a-complaint/
Complaining to the ICO does not affect any other remedy available to you, including your right to seek compensation through the courts.
16. Changes to this notice
We may update this notice from time to time. The "Last reviewed" date at the top of the page is the date of the current version. Material changes will be brought to your attention by a notice on this page, by email, or both, before they take effect.
17. Contact us
For any question about this notice or about how we handle personal data:
Apex Insurance Brokers Limited
QCS, 53 Queen Charlotte Street, Bristol BS1 4HQ
0117 325 0027 · info@apexinsurancebrokers.co.uk