Chubb California Consumer Privacy Act Business Contact Privacy Notice

This Privacy Notice (“Notice”) describes how Chubb Group of Insurance Companies, and our brands, affiliates, and subsidiaries (“Chubb,” “we,” “us” and “our”) collect, use, and disclose the Personal Information (defined below) of California residents when they interact with Chubb as a business contact. This Notice is intended to satisfy our applicable notice requirements under the California Consumer Privacy Act 2018, as amended by the California Privacy Rights Act 2020, and its implementing regulations (collectively, the “CCPA”).

This Notice applies to the Personal Information we collect and process when you interact with Chubb in a business-to-business capacity. This Notice applies to our Business Contacts who are representatives or employees of companies we do business with who are California residents (e.g., business partners, vendors and service providers, contractors, agents and brokers, third-party administrators, or other business contacts (“Business Contacts” or “you”).

For purposes of this Notice, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with you, or could reasonably be linked, directly or indirectly, with you. This Notice does not address or apply to our handling of Personal Information that is exempt under the CCPA, which includes, but is not limited to, publicly available information, information we receive from consumer reporting agencies that are subject to the Fair Credit Reporting Act, or deidentified or aggregated information.

Additional Disclosures. Depending on how you interact with us, we may provide you with other privacy notices that include additional details about our privacy practices. For example, this Notice does not apply to any personal information related to policyholders or insureds that may be shared with us by our agents and brokers. Additionally, when you interact generally with our website, our data privacy practices are defined by our website’s Privacy Policy.

When you interact with us as a Business Contact, we typically collect your Personal Information through our websites, systems, mobile applications or portals, email, or other non-electronic means (e.g., paper-based information we collect at various business functions). The following describes the categories of Personal Information we may collect about you (and may have collected in the last twelve (12) months).

• Identifiers, such as name, alias, account name, business address, telephone number, email address, billing and shipping address, unique personal identifier, online identifier, IP address, or similar identifiers.
• Online Identifiers, such as unique personal identifiers, device IDs, ad IDs, IP addresses, and cookie data.
• Characteristics of Protected Classifications, such as age, gender, or nationality.
• Customer Records, such as name, account name, other characteristics or descriptions, contact information, account credentials, communications preferences, billing and payment information, customer service and support tickets and records, and other information you provide.
• Commercial Information, such as records, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
• Professional or Employment-Related Information, such as job title, role, company name, occupation, licenses, and professional membership.
• Internet or Other Electronic Network Activity Information, such as browsing history, clickstream data, search history, and information regarding interactions with our website, applications, portals, and emails, including other usage data related to your use of any of our services.
• Geolocation Data, such as location information about a particular individual or device.
• Inferences, such as inferences drawn from any of the information described in this section reflecting our Business Contacts’ preferences, characteristics, behaviors, attitudes, abilities, and aptitudes.
• Sensitive Personal Information, in limited circumstances, we may collect information such as social security, driver’s license, state identification card, or passport number, or account log-in in combination with a password or credentials allowing access to an account.

Sources of Personal Information. We generally collect Personal Information from the following categories of sources:

• Directly from you and automatically;
• Your employer;
• Our affiliates and subsidiaries;
• Our vendors and service providers;
• Operating systems and platforms; and
• Publicly available information and sources.

Purposes for Collecting and Disclosing Personal Information. Generally, we may use the categories of Personal Information described above for the following business or commercial purposes (and any directly related purposes):

• Operate Our Business. To conduct business with you or your employer, such as to perform our contractual obligations for your employer or principal; to ensure we are receiving products or services appropriately and on terms most beneficial to us; to maintain your account and provide you access to our systems; for billing, collections, and payment purposes.
• Manage Our Relationship. To manage our agent/broker relationships, including to assist with insurance quotes, underwriting, and claims administration; to maintain your account and otherwise run our day-to-day operations; to provide you and your employer with marketing materials about products, services, news, offers, promotions, and events which we think may be of interest to you; to communicate with you and your employer, including to fulfill requests, answer questions and other requests from you, provide customer support; to operate and expand our business activities and evaluate, develop, and improve the quality of our products and services.
• Communicate With You. To respond to your inquiries, send you requested materials and newsletters, as well as information and materials regarding our services and offerings, such as changes to our terms, conditions, and policies, and for other similar purposes.
• Evaluate and Improve Our Products and Services. To evaluate, analyze, improve, and develop our products and services, to tailor the content and information that we may send or display to you, and to otherwise personalize your experience while using our services.
• Fraud and Security and Protection of Rights. To protect our business operations, to protect our rights or those of our stakeholders, to prevent and detect fraud, unauthorized activities and access to our platforms, and other misuse; for security and safety when you visit our facilities, and where we believe necessary to investigate, prevent or take action regarding illegal activities, suspected fraud, or situations involving potential threats to the safety or legal rights of any person or third party.
• Risk Management Purposes. To manage our technology resources (e.g., cyber-risk management, infrastructure management and business continuity), and for vendor management purposes, including vendor risk management.
• Marketing and Advertising. For marketing purposes, including to send you content about certain products and services.
• Planning and Managing Events. For event and webinar planning, and other event management-related purposes, such as registration, attendance, connecting you with other event attendees, and contacting you about relevant events and service offerings.
• Audits and Assessments. To conduct financial, tax and accounting audits; audits and assessments of our operations, privacy, security and financial controls, risk, and compliance with legal obligations; our general business, accounting, record keeping and legal functions, and to maintain appropriate business records and other similar purposes.
• Compliance and Legal Process. To comply with applicable legal or regulatory obligations, including as part of a judicial proceeding; to respond to a subpoena, warrant, court order, or other legal process; or as part of an investigation or request, whether formal or informal, from law enforcement or a governmental authority.
• Reviewing, Reporting, and Other Internal Operations. For our business purposes, such as data analysis, audits, fraud monitoring and prevention, enhancing, improving or modifying our service offerings, identifying usage trends, operating and expanding our business activities, and for internal quality control and training purposes.
• Mergers, Acquisitions, and Other Business Transactions. To assess and implement mergers, acquisitions, reorganizations, bankruptcies, and other business transactions such as financings, and to administer our business, accounting, auditing, compliance, recordkeeping, and legal functions.

Sensitive Personal Information. Notwithstanding the purposes described above, we do not collect, use, or disclose “sensitive personal information” beyond the purposes authorized by the CCPA. Accordingly, we only use and disclose sensitive personal information as reasonably necessary and proportionate: (i) to perform our services requested by you; (ii) to help ensure security and integrity, including to prevent, detect, and investigate security incidents; (iii) to detect, prevent and respond to malicious, fraudulent, deceptive, or illegal conduct; (iv) to verify or maintain the quality and safety of our services; (v) for compliance with our legal obligations; (vi) to our service providers who perform services on our behalf; and (vii) for purposes other than inferring characteristics about you.

Retention of Personal Information. We retain your Personal Information for as long as needed, or permitted, based on the reason we obtained it (consistent with applicable law). When deciding how long to keep your Personal Information, we consider whether we are subject to any legal obligations (e.g., any laws that require us to keep records for a certain period of time before we can delete them) or whether we have taken any legal positions that require data retention (e.g., issued any legal holds or otherwise need to preserve data). From time to time, we may also deidentify your personal information, retain it and use it for a business purpose in compliance with CCPA.

Disclosure of Personal Information to Third Parties and Other Recipients. The categories of personal information we have disclosed for a business purpose in the preceding twelve (12) months include: identifiers, online identifiers, customer records, financial information, characteristics of protected classifications, usage data, biometric information, education information, geolocation data, audio, video, and other electronic data, professional or employment-related information, inferences, and sensitive personal information.

The categories of third parties and other recipients to whom we may disclose personal information for a business purpose may include: 

• Affiliates, subsidiaries, and business partners;
• Vendors and service providers;
• Acquirers of business assets;
• Advisors, auditors, consultants, and representatives;
• Regulators, government entities, and law enforcement;
• Operating systems and platforms; and
• Others as required by law.

Additionally, the CCPA defines “sale” as disclosing or making available personal information to a third-party in exchange for monetary or other valuable consideration, and “sharing” includes disclosing or making available personal information to a third-party for purposes of cross-contextual behavioral advertising. While we do not “sell” Personal Information, we may “share” the following categories of Personal Information: online identifiers, and usage data. We disclose this information to third-party advertising networks, analytics providers, and social networks for purposes of marketing and advertising. We do not sell or share “sensitive personal information,” nor do we sell or share any Personal Information about individuals who we know are under sixteen (16) years old.

The CCPA provides California residents with certain rights regarding their Personal Information. This section describes those rights and how to exercise them. Subject to certain conditions and exceptions, Business Contacts who are California residents may have the following rights:

Right to Know/Access. With respect to the Personal Information we have collected about you in the prior twelve (12) months, you have the right to request:

• The categories or personal information we collected about you;
• The categories of sources from which the personal information is collected;
• Our business or commercial purposes for collecting, selling, or sharing personal information;
• The categories of third parties to whom we have disclosed personal information; and
• A copy of the specific pieces of personal information we have collected about you.

Right to Correct. You have the right to request that we correct inaccuracies in your Personal Information.

Right to Delete. You have the right to request we delete your Personal Information.

Right to Opt-Out. You have the right to opt-out of “sales” and “sharing” of your Personal Information, as those terms are defined under the CCPA. While we do not “sell” Personal Information, our use of certain third-party analytics and advertising cookies may constitute “sharing” under the CCPA. To exercise your right to opt-out of the “sharing” of your Personal Information, please use the Do Not Sell or Share My Personal Information link at the bottom of our website at www.chubb.com.

Right to Limit the Use and Disclosure. We do not use or disclose sensitive Personal Information for any purpose that would require us to provide you with a right to limit the use of your sensitive Personal Information under the CCPA.

Right to Non-Discrimination. We will not discriminate against you for exercising any of the rights described in this section.

Exercising Your California Privacy Rights. If you are a California resident, you may submit a request to exercise your CCPA rights via the methods described below:

• Access our Data Subject Request web page
• Call us at 1-833-324-9798

Authorized Agent. You may designate someone as an authorized agent to submit requests and act on your behalf. Authorized agents will be required to provide proof of their authorization in their first communication with us, and we may also require that you directly verify your identity and the authority of your authorized agent.

Businesses operating as an authorized agent on behalf of a California resident must provide both of the following:

(1) Certificate of good standing with its state of organization; and

(2) A written authorization document, signed by the California resident, containing the California resident’s name, address, telephone number, and valid email address, and expressly authorizing the business to act on behalf of the California resident.

Individuals operating as an authorized agent on behalf of a California resident must provide a written authorization document, signed by the California resident, containing the California resident’s name, address, telephone number, and valid email address, and expressly authorizing the individual to act on behalf of the California resident.

We reserve the right to reject (1) authorized agents who have not fulfilled the above requirements, or (2) automated CCPA requests where we have reason to believe the security of the requestor’s personal information may be at risk.

Verification. Before responding to your request, we must first verify your identity using the Personal Information you recently provided to us. The information we need in order to verify your identity differs depending on the request made and our relationship with you and might include (as applicable) your name, email address you regularly use to interact with us, address, and your phone number.

We will take steps to verify your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information to verify your identity, or where necessary to process your request. In some cases, we may also carry out checks, including with third party identity verification services, to verify your identity before taking any action with your Personal Information. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for the denial.

If you have any questions or comments about this Notice, the ways in which we collect and use your Personal Information, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Chubb Group
Attention: Privacy Inquiries
202 Hall’s Mill Road, P.O. Box 1600
Whitehouse Station, NJ 08889-1600
Telephone: 1-833-324-9798
E-mail: NAPrivacyOffice@chubb.com