Privacy Policy
1. Introduction & Scope
This Privacy Policy applies to personal data processed by Seawaysur, Inc. ("Seawaysur," "we," "us") in connection with our website and the client resource management platform (together, the "Services"). It describes the categories of personal data we collect, how we use and share it, and the choices and rights available to individuals.
The Services are designed for use by business customers — insurers, underwriters, law firms, and comparable regulated organizations ("Customers") — and their Authorized Users. Where Customers submit personal data about their own clients, policyholders, or matters ("Client Data") to the Services, Seawaysur processes that data on the Customer's behalf as described in Section 3 and in the applicable Data Processing Addendum, and this Policy should be read together with the Customer's own privacy notice governing that relationship.
2. Information We Collect
2.1 Account & Contact Information
When you or your organization register for the Services, we collect information such as name, business email address, job title, employer, and phone number, along with authentication credentials and, where applicable, single sign-on identifiers provided by your organization's identity provider.
2.2 Client Data
Customers and their Authorized Users may submit Client Data to the Services, which can include policy, claims, matter, and case information, and personal data relating to a Customer's own clients or policyholders. Seawaysur processes Client Data solely on documented instructions from the Customer, as described in Section 3.
2.3 Usage & Device Data
We automatically collect technical information when the Services are used, including IP address, browser type, device identifiers, operating system, referring URLs, pages viewed, and timestamps of activity, collected through server logs and similar technologies.
2.4 Cookies & Similar Technologies
We use strictly necessary cookies and similar technologies to operate the Services, including maintaining sessions, remembering theme and language preferences, and supporting authentication. See Section 6 for further detail.
2.5 Communications
When you contact us for support or other inquiries, we collect the content of your communications and any information you choose to provide.
3. Our Role: Controller & Processor
Seawaysur acts in two distinct capacities:
- As a data controller (or "business" under U.S. state privacy laws) with respect to account and contact information of Customer personnel, website visitor data, and information collected to manage the commercial relationship with Customers — this data is governed by this Privacy Policy.
- As a data processor (or "service provider"/"processor" under applicable law) with respect to Client Data submitted by Customers to the Services — this data is processed strictly on the Customer's documented instructions, under the terms of the Data Processing Addendum entered into with the Customer, and the Customer, not Seawaysur, determines the purposes and means of that processing.
If you are an individual whose personal data has been submitted to the Services by a Customer (for example, as a policyholder or client of one of our business customers), and you have questions about that data, please contact that Customer directly; Seawaysur will support the Customer in responding to your request in accordance with our contractual obligations.
4. How We Use Information
- To provide, maintain, secure, and support the Services, including authentication and account administration;
- To process transactions and manage billing in connection with a Customer's subscription;
- To communicate with Customers and Authorized Users about the Services, including updates, security notices, and support responses;
- To monitor, analyze, and improve the performance, reliability, and functionality of the Services;
- To detect, investigate, and prevent fraud, abuse, and security incidents;
- To comply with applicable legal, regulatory, and contractual obligations; and
- For any other purpose disclosed to you at the time the information is collected, with your consent where required.
5. Legal Bases for Processing
Where the General Data Protection Regulation ("GDPR") or UK GDPR applies, we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing and maintaining the Services under a subscription | Performance of a contract |
| Billing, tax, and regulatory recordkeeping | Legal obligation |
| Security monitoring, fraud prevention, service improvement | Legitimate interests |
| Optional communications and non-essential cookies | Consent, where required |
8. International Data Transfers
We may transfer personal data to countries other than the country in which it was originally collected, including to [the United States], where our infrastructure and personnel are located. Where such transfers involve personal data originating in the European Economic Area, the United Kingdom, or Switzerland, we rely on appropriate safeguards, such as the European Commission's Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum, together with supplementary technical and organizational measures as needed.
9. Data Retention
We retain account and contact information for as long as necessary to provide the Services and for a reasonable period thereafter to comply with legal, tax, accounting, and audit obligations, resolve disputes, and enforce our agreements, typically not exceeding [seven (7) years] after account closure unless a longer period is required by law. Client Data is retained in accordance with the Customer's instructions and the applicable Order Form, and is deleted or returned upon termination of the Customer's subscription as described in our Terms of Service, subject to limited retention where required by law or for legitimate backup and security purposes.
10. Data Security
We maintain administrative, technical, and physical safeguards designed to protect personal data against unauthorized access, disclosure, alteration, or destruction, including encryption of data in transit (TLS 1.3) and at rest (AES-256), role-based access controls, network segmentation, logging and monitoring, and periodic independent security assessments. No method of transmission or storage is completely secure, and we cannot guarantee absolute security, but we work to maintain safeguards appropriate to the sensitivity of the data involved.
11. Your Privacy Rights
Depending on your location, you may have the right to: (a) access the personal data we hold about you; (b) request correction of inaccurate data; (c) request deletion of your personal data; (d) request a portable copy of your data; (e) object to or request restriction of certain processing; and (f) withdraw consent where processing is based on consent, without affecting the lawfulness of processing before withdrawal. To exercise these rights, contact us using the details in Section 17; we will respond within the timeframe required by applicable law. We may need to verify your identity before fulfilling a request.
12. California Privacy Rights
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, "CCPA"), gives you the right to: know what personal information we collect, use, and disclose; request deletion or correction of your personal information; and not be discriminated against for exercising these rights. We do not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA. Categories of personal information we collect generally correspond to those described in Section 2. To submit a verifiable consumer request, contact us using the details in Section 17. You may designate an authorized agent to make a request on your behalf, subject to verification.
13. EEA & UK Rights
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 11 under the GDPR or UK GDPR, and you have the right to lodge a complaint with your local data protection supervisory authority. Our contact for data protection matters, and, where required, our EU and UK representatives, are listed in Section 17.
14. Children's Privacy
The Services are intended for business use by professional organizations and are not directed at, nor knowingly used to collect personal data from, individuals under the age of 16. If we learn that we have inadvertently collected personal data from a child under this age, we will take reasonable steps to delete it.
15. Third-Party Links
The Services may contain links to third-party websites or services not operated by Seawaysur. This Privacy Policy does not apply to such third parties, and we encourage you to review their privacy practices before providing personal data to them.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. If we make material changes, we will provide reasonable advance notice, such as by email to account administrators or a prominent notice within the Services, before the changes take effect. The "Last updated" date at the top of this page indicates when this Policy was last revised.
17. Contact Us
Questions, requests, or complaints regarding this Privacy Policy or our data practices may be directed to:
Seawaysur, Inc.
Attn: Privacy Office
Email: [email protected]
EU/UK representative: [email protected]