Privacy Policy

Privacy Policy, Cookie Policy & Data Processing Addendum CoverLand Brokerage Inc. 

Effective Date: January 2, 2024 

Last Updated: April 23, 2025 

Contact Email: contact@coverlandbrokerage.com 
This document constitutes the complete and integrated Privacy Policy, Cookie Policy, and Data Processing Addendum (DPA) of CoverLand Brokerage Inc., a regulated insurance brokerage, and is binding on all users, clients, data subjects, processors, and partners. It is structured into 50 legally robust sections, each containing five or more detailed subparts. It includes one-to-one consent terms establishing clear and verifiable agreement for the processing of personal data as governed by this document.


1. Introduction & Scope
1.1. Applicability: Applies to all visitors, clients, users, policyholders, vendors, and processors engaging with CoverLand services or www.coverlandbrokerage.com.
1.2. Legal Enforceability: This policy is enforceable under state, federal, and international law.
1.3. Consent: Use of our site or services implies acceptance of this document.
1.4. Integration: Combines all privacy-related declarations into one legal agreement.
1.5. Commitment: Reflects CoverLand's commitment to transparency, accountability, and regulatory compliance.

2. Definitions & Terminology
2.1. "Personal Data": Any information relating to an identified or identifiable individual.
2.2. "Processing": Any operation performed on personal data, whether automated or not.
2.3. "Data Subject": A natural person whose data is collected or processed.
2.4. "Controller": The entity that determines the purpose and means of processing data.
2.5. "Processor": The entity processing data on behalf of the controller.

3. Legal Basis for Processing
3.1. Contractual Necessity: To issue, renew, or service insurance policies.
3.2. Legal Obligation: Compliance with laws, subpoenas, and audits.
3.3. Legitimate Interest: Fraud prevention, customer service, internal analytics.
3.4. Consent: Explicit user consent for marketing and cookies.
3.5. Vital Interests: Emergency disclosures to protect life or safety.

4. Categories of Personal Data Collected
4.1. Identity Information: Name, date of birth, Social Security number, driver's license number.
4.2. Contact Details: Email, address, phone number.
4.3. Policy Information: Insurance product type, limits, terms.
4.4. Claims Data: Incident reports, adjuster notes, third-party info.
4.5. Financial Data: Bank account, credit card (via processors), payment history.

5. Methods of Data Collection
5.1. Web Forms: Quote requests, contact forms, appointment booking.
5.2. Phone Calls: Calls may be recorded for quality and verification.
5.3. Email Communication: Through secure transactional mail services.
5.4. CRM Systems: Integration with Zoho CRM and internal tools.
5.5. Cookies and Trackers: Behavioral and session data from site visits.

6. Use of Collected Data
6.1. Quoting and Underwriting: Determining policy eligibility and pricing.
6.2. Claims Management: Assessing, processing, and settling claims.
6.3. Marketing and Outreach: Email campaigns, newsletters (opt-in only).
6.4. Customer Support: Responding to inquiries and technical support.
6.5. Legal Compliance: Retaining data for regulatory examinations.

7. Data Sharing and Disclosure
7.1. With Carriers: To bind coverage and fulfill underwriting requirements.
7.2. With Regulators: Compliance with the New York Department of Financial Services (DFS), FINRA, and other authorities.
7.3. With Vendors: Sub-processors under contract for technical services.
7.4. With Legal Entities: Attorneys, accountants, and courts as needed.
7.5. With Consent: Disclosures authorized by the data subject.

8. Sub-Processors and Third Parties
8.1. Zoho CRM: Used for relationship management.
8.2. AWS: Secure cloud storage and infrastructure.
8.3. Mailgun: Email communications.
8.4. Cloudflare: DDoS protection and CDN.
8.5. All Other Subcontractors: Bound by equivalent contractual terms.

9. Cookies & Tracking Technologies
9.1. Essential Cookies: For login, forms, and security.
9.2. Performance Cookies: Used for analytics and usage statistics.
9.3. Targeting Cookies: Used for advertising (with opt-in).
9.4. Cookie Banner: Displayed on first visit and again whenever the cookie policy is updated.
9.5. User Preferences: Cookie settings available at all times.

10. Behavioral Advertising & Profiling
10.1. Marketing Pixels: Facebook, Google, and Bing tracking.
10.2. Segmentation: Grouping users by behavior for marketing.
10.3. Consent Requirement: No tracking without affirmative opt-in.
10.4. Opt-Out Options: Via browser settings and tracking-preference links.
10.5. No Sale of Data: CoverLand does not sell user data to third parties.

11. Data Subject Rights
11.1. Right to Access: View and request copies of personal data.
11.2. Right to Rectification: Correct inaccurate or incomplete data.
11.3. Right to Erasure: Request deletion of data under specific conditions.
11.4. Right to Restrict Processing: Temporarily stop data processing.
11.5. Right to Data Portability: Receive data in a structured, machine-readable format.

12. Data Processing Addendum (DPA)
12.1. Scope: Applies to all processing activities where CoverLand acts as a processor.
12.2. Instructions: Data only processed on controller’s documented instructions.
12.3. Confidentiality: Staff with access are under strict NDAs and training.
12.4. Technical Measures: Encryption, access controls, logging, and incident response.
12.5. Breach Notification: Controllers notified within 72 hours of breach discovery.

13. Children’s Privacy
13.1. No Services to Children: Not directed at children under 13.
13.2. No Intentional Collection: Data from children is not knowingly collected.
13.3. Parental Rights: Parents may contact us to delete data.
13.4. Verification Steps: Age confirmation implemented at relevant data entry points.
13.5. Prompt Deletion: Immediate action if child data is identified.

14. Security Safeguards
14.1. Encryption: All data encrypted in transit and at rest.
14.2. Access Controls: Role-based permissions with MFA.
14.3. Security Audits: Annual third-party penetration testing.
14.4. Monitoring: Real-time alerts for suspicious activities.
14.5. Staff Training: Annual mandatory data protection certification.

15. Data Retention Policy
15.1. Insurance Data: Retained for at least 7 years.
15.2. Claims Data: Held for 10 years or statute-defined periods.
15.3. Communications: Stored for 5 years minimum.
15.4. User Preferences: Updated and retained until consent withdrawn.
15.5. Secure Disposal: Shredding and cryptographic erasure procedures in place.

16. International Transfers
16.1. SCCs: Standard contractual clauses executed for data exports.
16.2. Transfer Impact Assessments: Conducted for every new jurisdiction.
16.3. US Frameworks: Compliance with DPF and equivalents.
16.4. Local Laws Review: Ongoing monitoring of foreign regulations.
16.5. EU Model Clauses: Supplemented by additional safeguards.

17. Vendor Oversight
17.1. Contractual Requirements: All vendors bound by DPA.
17.2. Performance Reviews: Quarterly service evaluations.
17.3. Security Due Diligence: Risk scoring prior to onboarding.
17.4. Breach Liability: Vendors contractually liable for security lapses.
17.5. Termination Rights: Immediate cessation if non-compliant.

18. Automated Decision-Making
18.1. Use Cases: Risk scoring and quote delivery.
18.2. Explanation Rights: Users may request explanation and review.
18.3. Manual Override: Always available on request.
18.4. Limitations: No solely automated decisions that produce legal or similarly significant effects on the data subject.
18.5. Consent: Explicit consent required for automated profiling.

19. Marketing Communications
19.1. Opt-In: Consent-based only.
19.2. Opt-Out: Unsubscribe link in every message.
19.3. Frequency Limits: No more than two contacts per month unless urgent.
19.4. Data Usage: Segmentation and personalization explained.
19.5. Suppression Lists: Maintained to honor unsubscribe requests.

20. Governing Law & Jurisdiction
20.1. Applicable Law: State of New York.
20.2. Forum: Suffolk County courts.
20.3. Arbitration: Optional upon mutual consent.
20.4. Severability: Invalid terms do not affect remaining terms.
20.5. Waivers: No waiver of rights without written consent.

21. Regulatory Disclosures
21.1. GLBA Compliance: Financial information protected accordingly.
21.2. HIPAA Applicability: If health insurance data is involved.
21.3. NY DFS Part 500 (23 NYCRR 500): Fully compliant cybersecurity program.
21.4. CPRA/CCPA Rights: California consumer rights honored.
21.5. State Insurance Rules: All data uses reviewed by legal counsel.

22. Email and SMS Communication
22.1. Consent Management: Double opt-in for subscription.
22.2. Content Logging: Messages logged and encrypted.
22.3. Emergency Notifications: Sent regardless of opt-in status.
22.4. Contact Frequency: Limited and disclosed on signup.
22.5. Data Sharing: With delivery partners only (e.g., Mailgun).

23. Website Forms
23.1. Required Fields: Clearly marked.
23.2. Optional Fields: Minimized and clearly stated.
23.3. Data Retention: Stored securely for audit and verification.
23.4. Consent Checkbox: Explicit acceptance of privacy terms.
23.5. Captcha & Security: Spam and bot protection enforced.

24. Financial Transactions
24.1. PCI-DSS Compliance: All payment processors certified.
24.2. Tokenization: No raw credit card data stored.
24.3. Secure Portals: Hosted payment gateways only.
24.4. Billing Records: Retained for legal and tax purposes.
24.5. Refund Handling: Via secure process and tracked.

25. Document Retention & Destruction
25.1. Retention Schedule: Set by category and legal minimum.
25.2. Access Controls: Enforced at every stage.
25.3. Archiving: Secure backup of documents with access logs.
25.4. Disposal Methods: Paper shredding and secure data wipe.
25.5. Audit Trail: Maintained for all document lifecycle events.

26. Breach Notification Policy
26.1. Initial Notice: To controller and authorities within 72 hours.
26.2. Affected Parties: Prompt notice to users where required.
26.3. Internal Escalation: Incident response team mobilized.
26.4. Root Cause Analysis: Conducted post-breach.
26.5. Preventative Measures: Updated controls to avoid recurrence.

27. Record of Processing Activities (ROPA)
27.1. Maintenance: Updated quarterly.
27.2. Content: Purpose, categories, data types, transfers.
27.3. Accessibility: Available to regulators on request.
27.4. Accuracy: Regularly reviewed.
27.5. Controller Collaboration: Shared upon joint processing.

28. User Verification & Authentication
28.1. Email Confirmation: Double confirmation for changes.
28.2. KBA: Knowledge-based authentication for access requests.
28.3. MFA: Required for administrator-level functions.
28.4. CAPTCHA: Used across all public endpoints.
28.5. Identity Proofing: Required for access to sensitive data.

29. Internal Governance & Training
29.1. DPO Oversight: Data Protection Officer manages compliance.
29.2. Staff Training: Annual certifications in privacy and cybersecurity.
29.3. Policy Reviews: Conducted semi-annually.
29.4. Access Reviews: Quarterly permission audits.
29.5. Internal Breach Drills: Annual simulation exercises.

30. Changes to This Policy
30.1. Version Control: All changes logged and archived.
30.2. Notification: Email and banner alerts for material changes.
30.3. Feedback Option: Contact form for policy-related inquiries.
30.4. Binding Nature: Continued use implies consent.
30.5. Review Cycle: Minimum once per year by legal counsel.

31. Policyholder Identity Verification

31.1. Verification Tools: Use of LexisNexis, IDology, and Equifax ID Match.
31.2. Consent to Verify: Required at time of quote or application.
31.3. Red Flags Rule Compliance: Alerts checked against identity theft indicators.
31.4. Manual Review: For inconsistencies or system alerts.
31.5. Documentation Retention: Verification records held securely.

32. Consent Management Framework

32.1. Single Point Consent: One consent record is obtained and maintained per unique user.
32.2. Granular Controls: Separate consent toggles for marketing, cookies, profiling.
32.3. Consent Withdrawal: Can be revoked at any time via portal or contact.
32.4. Consent Receipts: Timestamped logs stored in CRM.
32.5. Reconfirmation: Requested every 12 months for sensitive data.

33. Third-Party Service Integration

33.1. APIs: Monitored for scope of data exchange.
33.2. Integration Agreements: Vendor contracts reviewed quarterly.
33.3. Permission Scoping: Access permissions limited by API type.
33.4. Transfer Logs: Tracked and secured for all outbound data.
33.5. Incident Response: Immediate alert on API failure or anomaly.

34. Mobile Access & App Policies

34.1. Mobile Interface: Responsive website with encrypted transmission.
34.2. App Store Rules: iOS and Android app privacy obligations.
34.3. Location Data: Never collected unless required for service.
34.4. App Permissions: Only minimum necessary permissions requested.
34.5. Remote Wipe: Emergency kill-switch for compromised sessions.

35. Artificial Intelligence & Machine Learning

35.1. Use Scope: Limited to internal automation and document scanning.
35.2. Explainability: All outputs auditable by compliance officers.
35.3. Non-Discrimination: Periodic fairness checks implemented.
35.4. Risk Profiling: No customer penalized solely by algorithm.
35.5. Human Oversight: Available in all decision-making workflows.

36. Social Media Engagement

36.1. Inbound Messaging: Monitored for privacy-sensitive content.
36.2. Social Ads: Run only with anonymized targeting.
36.3. User Comments: Removed if they include private information.
36.4. Account Admins: Trained in HIPAA and GLBA risks.
36.5. Social Analytics: Usage data anonymized before internal analysis.

37. Biometric Information

37.1. Collection Prohibited: No biometric data collected or stored.
37.2. Future Use Protocol: Only with opt-in and state-compliant disclosures.
37.3. Facial Recognition: Not deployed for any CoverLand service.
37.4. Surveillance Policy: No visual recordings stored without legal need.
37.5. Policy Updates: Required before any biometric capability.

38. Employee Access Controls

38.1. Principle of Least Privilege: Staff receive only essential access.
38.2. Background Checks: Required for all client-facing staff.
38.3. Role-Based Permissions: Controlled via admin panels.
38.4. Access Reviews: Conducted monthly.
38.5. Breach Consequences: Immediate access revocation upon policy violation.

39. Joint Controller Agreements

39.1. Defined Terms: When CoverLand co-determines processing purposes.
39.2. Shared Responsibilities: Documented in controller contracts.
39.3. Individual Rights Handling: Clear roles outlined for responding to DSARs.
39.4. Data Flow Map: Maintained for all joint operations.
39.5. Audit Rights: Mutual audits agreed for all joint controllers.

40. Insurance Carrier Disclosures

40.1. Permitted Disclosures: Only for underwriting, rating, or policy servicing.
40.2. State Filing: Carrier data agreements reviewed for regulatory compliance.
40.3. Cross-Carrier Transfers: Logged and reviewed.
40.4. No Unconsented Sharing: All transfers require data subject approval.
40.5. Data Use Transparency: Explained at time of quote.

41. Call Recording Policy

41.1. Disclosure at Start: Callers notified of recording.
41.2. Secure Storage: Encrypted audio files.
41.3. Limited Retention: Deleted after 12 months unless needed for legal use.
41.4. Quality Audits: Used for staff training only with masking.
41.5. Access Restrictions: Only authorized roles may access recordings.

42. Claims Data Handling

42.1. Separate Repository: Claims data stored separately from marketing or CRM.
42.2. Special Handling: Claims involving minors or injuries flagged.
42.3. Third Party Adjusters: Subject to independent NDAs.
42.4. Restricted Reuse: Claims data not used for sales or ads.
42.5. Extended Retention: Stored for 10+ years under NYDFS rules.

43. Opt-Out Protocols

43.1. Universal Opt-Out Link: Present on all marketing messages.
43.2. Request Channels: Online portal, email, phone options.
43.3. Compliance SLA: Requests honored within 5 business days.
43.4. Do Not Track: Respected where browser supports it.
43.5. Reinstatement Rights: Users may opt-in again at any time.

44. One-to-One Consent Terms

44.1. Binding Consent: Each user must affirmatively accept terms.
44.2. Signature Equivalency: Digital click considered valid under E-SIGN Act.
44.3. Unique Consent Logs: Stored by IP address, time, user agent.
44.4. Refusal Consequences: Use prohibited without accepted terms.
44.5. Consent Withdrawal: Stops all processing except legal obligations.

45. Legal Requests and Government Access

45.1. Subpoena Handling: Reviewed by legal counsel before release.
45.2. National Security Requests: Logged and counted in annual transparency report.
45.3. Emergency Exceptions: Life-threatening exceptions documented.
45.4. Prior Notice: Users notified unless gag ordered.
45.5. Non-U.S. Requests: Handled under GDPR Chapter V and local law.

46. Browser Fingerprinting

46.1. Technology Use: Not used for persistent identification.
46.2. Compatibility Scanning: Used only to support UI adjustments.
46.3. Data Minimization: Device and screen size only.
46.4. Fingerprint Hashing: No permanent identifiers stored.
46.5. Opt-Out Path: Disabling JavaScript in the browser disables fingerprinting entirely.

47. Legacy Data Review

47.1. Archive Scans: Periodic review of pre-policy data sets.
47.2. Data Segregation: Old records flagged.
47.3. Remediation Plans: In place for non-compliant legacy files.
47.4. Deletion Requests: Honored retroactively upon confirmation.
47.5. Migration Logs: Transfers to modern systems logged.

48. Sensitive Data Handling

48.1. Flagged Fields: SSN, medical records, DL marked as sensitive.
48.2. Separate Encryption: Sensitive fields are encrypted separately with AES-256.
48.3. Limited Exposure: Masking applied on user interfaces.
48.4. Extra Logging: All accesses logged.
48.5. Breach Priority: Top-level escalation in event of incident.

49. Third-Party Certification

49.1. SOC 2 Type II: Certification in progress.
49.2. ISO 27001: Considered for roadmap.
49.3. EU-U.S. Data Privacy Framework (DPF): The successor to Privacy Shield, relied on where applicable.
49.4. NAIC Compliance: Annual documentation submitted.
49.5. Third-Party Audit: Minimum once every 18 months.

50. Document Versioning and Integrity

50.1. Version Log: All edits time-stamped and archived.
50.2. Chain of Custody: Changes made by approved users only.
50.3. Public Access: Latest version always accessible on website.
50.4. Document Hash: A hash of the current version is available so that the authenticity of a copy can be verified.
50.5. Legal Review: Full legal counsel audit every 12 months.


For any inquiries regarding this policy, reach out to us at contact@coverlandbrokerage.com.


CoverLand Brokerage, Inc.

555 Broadhollow Road Suite 117, Melville, NY 11747

+1 (516) 696-3590

Copyright © 2025 CoverLand Brokerage, Inc.- All Rights Reserved.
