Effective Date: 24 February 2025
This Privacy Policy applies between you, the individual accessing this Website and the BrokerCentral platform, and Nuworks Ltd, the owner and provider of this Website and Service. Nuworks Ltd takes the privacy of your information very seriously. This Privacy Policy applies to our use of any and all Data collected by us or provided by you in relation to your use of the Website or our services. This Privacy Policy should be read alongside, and in addition to, our Terms of Service, which can be found at: https://www.brokercentral.co.uk/legal/terms-of-service. Please read this Privacy Policy carefully.
BrokerCentral acts as controller where it determines the purposes and means of processing Personal Data. This may include processing relating to:
BrokerCentral acts as processor where it processes Personal Data on behalf of a Customer through the BrokerCentral Platform and Services in accordance with the Customer’s instructions. This may include Personal Data relating to the Customer’s clients, policyholders, claimants, prospects, brokers, employees, contractors, authorised users, business contacts, suppliers, and other individuals whose information is uploaded to, stored within, or processed through the Platform by or on behalf of the Customer.
This Privacy Policy does not apply to third-party websites, services, or applications that can be accessed from the BrokerCentral website or Platform, including links to social media, unless expressly stated otherwise.
Where BrokerCentral acts as controller, BrokerCentral may collect and process:
Where BrokerCentral acts as processor on behalf of a Customer, BrokerCentral may process Personal Data submitted to, stored within, generated by, or processed through the Platform by or on behalf of that Customer.
Where BrokerCentral acts as controller, BrokerCentral may use Personal Data to:
operate, administer, secure, monitor, maintain, and improve the website, Platform, and Services;
create, administer, manage, and support customer accounts;
provide demonstrations, onboarding, training, support, account management, and customer relationship management;
process billing, payments, invoicing, subscriptions, renewals, and contract administration;
respond to enquiries, complaints, requests, and communications;
send service communications, administrative notices, security alerts, and operational updates;
send marketing communications where permitted by law;
monitor service performance, usage, reliability, security, fraud, abuse, and compliance;
conduct analytics, diagnostics, troubleshooting, product improvement, and operational reporting;
manage suppliers, contractors, professional advisers, recruitment, and business contacts;
comply with legal, regulatory, tax, accounting, audit, insurance, security, and compliance obligations;
establish, exercise, or defend legal claims; and
protect the rights, property, security, integrity, and availability of BrokerCentral, Customers, individuals, and others.
Where BrokerCentral acts as processor, BrokerCentral processes Customer platform data only:
to provide, operate, secure, maintain, support, and improve the Services;
to host, store, retrieve, transmit, back up, restore, display, process, and manage Customer Data through the Platform;
to provide customer support, troubleshooting, maintenance, integrations, analytics, telemetry, communications, AI Functionality, and operational services connected with the Platform;
to send communications explicitly triggered or configured by the Customer within BrokerCentral, such as policy documents, quotes, renewal notices, or other Customer-directed communications;
to comply with the Customer’s documented instructions;
as set out in the Data Processing Agreement and Terms of Service;
as necessary to comply with applicable law; and
as otherwise permitted under applicable Data Protection Laws.
Where Customer platform data relates to a Customer’s clients, policyholders, claimants, prospects, brokers, employees, contractors, suppliers, or other individuals, the Customer’s own privacy notice will generally explain the Customer’s purposes and lawful bases for processing that Personal Data.
BrokerCentral processes Personal Data only where a valid lawful basis exists under applicable Data Protection Laws. Where BrokerCentral acts as controller, BrokerCentral is responsible for identifying the applicable lawful basis for its processing. Where BrokerCentral acts as processor on behalf of a Customer, the Customer is responsible for identifying and documenting the applicable lawful basis for the Customer’s processing of Personal Data through the Platform. BrokerCentral processes such Personal Data in accordance with the Customer’s documented instructions, the Data Processing Agreement, the Terms of Service, and applicable Data Protection Laws. Depending on the circumstances, BrokerCentral may rely on different lawful bases for different processing activities.
Purpose of Processing Categories of Personal Data Lawful Basis Provision of the Platform and Services Account data, user data, Customer Data, configuration data, transactional data Performance of a contract and legitimate interests in operating and delivering the Services Customer onboarding, account management, billing, and subscription administration Contact data, billing data, account information, communication records Performance of a contract, legal obligations, and legitimate interests Customer support, technical assistance, troubleshooting, and service communications Contact data, support requests, usage information, technical diagnostics, communication records Performance of a contract and legitimate interests in supporting and maintaining the Services Authentication, access control, security monitoring, fraud prevention, and incident detection Login data, authentication data, device data, IP addresses, technical logs, usage data Legitimate interests, legal obligations, and security obligations under applicable Data Protection Laws Platform analytics, operational telemetry, service optimisation, diagnostics, and performance monitoring Usage data, technical data, device data, interaction data, analytics information Legitimate interests in improving, securing, monitoring, and operating the Services AI-enabled functionality and AI-assisted processing Prompts, inputs, outputs, Customer Data, usage data, operational data Performance of a contract, legitimate interests, and other lawful bases applicable to the Customer’s use of AI Functionality Compliance with legal, regulatory, audit, insurance, fraud prevention, and law enforcement obligations Relevant Customer Data, transactional data, communications, audit records, compliance data Compliance with legal obligations, legitimate interests, and substantial public interest obligations where applicable Marketing communications, newsletters, updates, and promotional communications Contact data, communication preferences, engagement data Consent, soft opt-in, or other lawful basis or exemption permitted under applicable Data Protection Laws and PECR Cookies, Tracking Technologies, analytics, and preference management Device data, browser data, cookie identifiers, usage information Consent where required, legitimate interests, and performance of a contract for essential functionality Recruitment, employment, contractor, and business relationship management Contact data, CVs, employment data, communications, business records Performance of a contract, legitimate interests, legal obligations, and employment-related lawful bases Supplier, partner, and vendor management Business contact data, contractual records, communications, financial information Performance of a contract, legitimate interests, and legal obligations Data retention, backups, disaster recovery, and business continuity operations Customer Data, technical data, backup records, system archives Legitimate interests, legal obligations, security obligations, and operational continuity requirements
Where processing involves Special Category Data, automated processing, electronic communications, AI-enabled functionality, or international transfers, additional safeguards, lawful bases, conditions, or regulatory requirements may apply under applicable Data Protection Laws.
BrokerCentral may update or refine the lawful bases relied upon from time to time to reflect:
AI Functionality is live within the BrokerCentral Platform and provides AI-assisted workflow support. This may include assistance with drafting, summarisation, recommendations, operational workflow support, and other AI-enabled functionality made available within the Services. AI Functionality may be made available within normal BrokerCentral Platform workflows and, unless otherwise agreed with the relevant Customer, may not be separately disabled at Customer level.
generating recommendations, summaries, drafts, or operational assistance;
supporting insurance broking, compliance, underwriting, or workflow activities;
improving platform functionality and user experience;
monitoring system performance, reliability, and security;
fraud prevention and abuse detection;
analytics, diagnostics, and service optimisation;
customer support and troubleshooting; and
maintaining, securing, and improving the Services.
AI-generated outputs may be probabilistic in nature and may be inaccurate, incomplete, unreliable, biased, unexpected, or unsuitable for a particular purpose. Users should apply appropriate human review, verification, and professional judgment before relying on AI-generated outputs. AI-generated outputs must not be used as the sole basis for regulated, legal, financial, insurance, employment, compliance, customer-facing, or similarly significant decisions. BrokerCentral does not use Customer Data, Customer Personal Data, prompts or outputs to train public or shared AI models, and contractually restricts relevant AI providers from doing so, unless expressly agreed in writing. BrokerCentral may use anonymised and aggregated operational telemetry, analytics, performance metrics, and usage information for:
service improvement;
security monitoring;
reliability and operational support;
diagnostics;
fraud prevention;
capacity planning; and
platform optimisation,
provided that such information does not reasonably identify any individual. Certain AI, analytics, telemetry, support, infrastructure, or security providers used in connection with the Services may process Personal Data on BrokerCentral’s behalf in accordance with applicable contractual, security, confidentiality, and Data Protection Law obligations. Where AI-enabled processing, profiling, automated processing, or analytics activities involve Personal Data, BrokerCentral will process such information in accordance with applicable Data Protection Laws and implement safeguards appropriate to the nature of the processing activities.
Where Personal Data is transferred outside the United Kingdom or European Economic Area, Nuworks Ltd will ensure that such transfers are carried out in accordance with applicable Data Protection Laws and are subject to appropriate safeguards and lawful transfer mechanisms.
We use technical and organisational measures to safeguard your Data, including:
Encryption of sensitive Data and tokens at rest and in transit.
Access control — all accounts are secured with unique login credentials.
Hosting in secure UK data centres (AWS London).
Security testing, vulnerability scanning, and monitoring measures designed to identify and address security risks.
If you suspect misuse, loss, or unauthorised access to your Data, please contact us immediately at [email protected].
Retention, Deletion, Backups, and Archives
BrokerCentral retains Personal Data only for as long as reasonably necessary for the purposes for which it is processed, including to provide the Services, administer accounts, manage contracts, provide support, comply with legal and regulatory obligations, maintain security, resolve disputes, support business continuity, and meet audit, tax, accounting, insurance, professional indemnity, complaint-handling, and regulatory requirements. Retention periods may differ depending on whether BrokerCentral acts as controller or processor, the category of Personal Data, the purpose of processing, the Customer’s instructions, applicable contractual terms, and applicable legal or regulatory obligations. The table below summarises BrokerCentral’s standard retention approach. Category Typical Retention Approach Account registration and user administration records Retained for the duration of the customer relationship and for a reasonable period afterwards for account administration, audit, security, dispute-resolution, and compliance purposes. Billing, payment, invoicing, subscription, and contract records Retained for the duration required for contract administration, tax, accounting, audit, legal, insurance, and regulatory purposes. Customer support records, enquiries, complaints, and correspondence Retained for as long as reasonably necessary to manage the relevant request, complaint, account, legal issue, audit requirement, or customer relationship. Customer Data processed through the Platform where BrokerCentral acts as processor Retained in accordance with the Customer’s instructions, the Terms of Service, the Data Processing Agreement, applicable retention settings, and applicable legal, regulatory, security, backup, archive, and operational requirements. OAuth tokens, authentication tokens, integration tokens, and connected account credentials Retained only for as long as necessary to provide the relevant integration, authentication, account connection, or security function, unless earlier revoked, disconnected, expired, or deleted. Audit logs, security logs, access logs, operational telemetry, and diagnostic records Retained for a reasonable period for security, fraud prevention, abuse detection, troubleshooting, audit, operational resilience, legal, and compliance purposes. Marketing contact records and communication preferences Retained for as long as necessary to manage marketing communications, suppression lists, consent records, opt-outs, and communication preferences. Recruitment, supplier, contractor, adviser, and business contact records Retained for as long as reasonably necessary for the relevant relationship, process, legal obligation, audit requirement, or legitimate business purpose. Routine operational backups Retained for up to ninety (90) days. Monthly archive snapshots May be retained for up to twelve (12) months where reasonably necessary for legal, regulatory, FCA-related record keeping, complaint handling, audit, tax/accounting, insurance, professional indemnity, dispute resolution, security investigation, legal preservation, business continuity, or other legitimate operational purposes. Annual archive snapshots May be retained for up to seven (7) years where reasonably necessary for legal, regulatory, FCA-related record keeping, complaint handling, audit, tax/accounting, insurance, professional indemnity, dispute resolution, security investigation, legal preservation, business continuity, or other legitimate operational purposes. Legal, regulatory, audit, complaint-handling, insurance, professional indemnity, dispute-resolution, or litigation-hold records Retained for as long as reasonably necessary to comply with applicable legal, regulatory, audit, complaint-handling, insurance, professional indemnity, dispute-resolution, legal preservation, or enforcement requirements. Personal Data may remain in routine operational backups, disaster recovery copies, restricted archive snapshots, logs, or archival systems after deletion from live systems. Backup and archive data is protected by appropriate safeguards and is not actively accessed, restored, searched, or otherwise used except where reasonably necessary for service restoration, security investigation, legal or regulatory compliance, audit, complaint handling, dispute preservation, insurance, professional indemnity, business continuity, or other legitimate operational purposes. Where BrokerCentral acts as processor on behalf of a Customer, deletion or return of Customer Personal Data is handled in accordance with the Data Processing Agreement, the Terms of Service, the Customer’s documented instructions, and applicable Data Protection Laws, subject to any permitted backup, archive, legal, regulatory, security, audit, complaint-handling, insurance, professional indemnity, dispute-resolution, or operational retention requirements.
If you have concerns about how your Personal Data is handled, you may contact Nuworks Ltd using the contact details set out in this Privacy Policy. Where Nuworks Ltd acts as a data controller, we will investigate and respond to privacy-related complaints in accordance with applicable Data Protection Laws and our internal complaint-handling procedures. Where Nuworks Ltd processes Personal Data solely on behalf of a Customer as a data processor, we may direct or refer the complaint or request to the relevant Customer responsible for determining the purposes and means of processing that Personal Data. Nuworks Ltd may maintain records of privacy complaints, requests, investigations, and resolutions for compliance, security, audit, and legal purposes. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your Personal Data has been processed unlawfully.
Cookies, Tracking Technologies, Analytics, and Electronic Communications
BrokerCentral may use cookies, local storage objects, session technologies, analytics technologies, scripts, tags, telemetry technologies, and similar tracking or electronic communications technologies (“Tracking Technologies”) in connection with the Platform, website, communications, and Services. At present, BrokerCentral uses Tracking Technologies that are necessary or reasonably required for the operation, security, administration, and delivery of the website, Platform, and Services. These may be used for purposes including:
authentication and security;
maintaining user sessions;
access control and account administration;
fraud prevention and abuse detection;
service functionality;
load balancing and network management;
performance monitoring;
customer support;
operational telemetry;
troubleshooting;
service reliability; and
maintaining the security and integrity of the Platform and Services.
Certain Tracking Technologies may be strictly necessary for the website, Platform, or Services to function properly and may be used without consent where permitted under applicable law, including PECR and applicable Data Protection Laws. BrokerCentral does not currently use non-essential cookies or similar Tracking Technologies for behavioural advertising or third-party marketing purposes unless and until appropriate transparency information and consent mechanisms are implemented where required by applicable law. Where BrokerCentral introduces non-essential Tracking Technologies that require consent under applicable law, BrokerCentral will take appropriate steps to provide relevant information and obtain any required consent before placing or accessing those Tracking Technologies on a user’s device. Users may manage certain cookies and similar technologies through their browser settings, device settings, or other controls made available by their browser or device provider. Disabling certain cookies or Tracking Technologies may affect the availability, performance, functionality, or security of parts of the website, Platform, or Services. BrokerCentral may use third-party hosting, infrastructure, support, communications, AI, security, analytics, or integration providers in connection with the Services. Such providers may process limited technical, operational, usage, or communications-related information where necessary to provide, secure, support, monitor, or improve the website, Platform, or Services. Where Personal Data is processed through Tracking Technologies, such processing will be carried out in accordance with this Privacy Policy, the Data Processing Agreement where applicable, and applicable Data Protection Laws. BrokerCentral may update its use of Tracking Technologies from time to time to reflect:
changes in the Services;
operational requirements;
legal or regulatory developments;
security requirements;
implementation of cookie consent or preference management tools; or
evolving industry practices.
BrokerCentral will send electronic marketing communications only where permitted under applicable Data Protection Laws and PECR, including where:
BrokerCentral does not currently operate a dedicated cookie preference management platform or detailed cookie settings page. Users may control or restrict cookies and similar technologies through their browser settings, device settings, or other controls made available by their browser or device provider. If BrokerCentral implements non-essential cookies, analytics technologies, advertising technologies, or similar Tracking Technologies that require consent under applicable law, BrokerCentral will provide appropriate information and consent controls before those technologies are used. BrokerCentral may maintain or introduce a separate Cookie Notice, cookie table, or cookie preference management platform in the future to provide additional information about specific Tracking Technologies, providers, purposes, retention periods, and consent controls.
BrokerCentral may update this Privacy Policy from time to time to reflect:
BrokerCentral is a business-to-business platform intended for use by insurance professionals, brokers, commercial organisations, and business users. The Services are not directed to, intended for, or designed for use by children. BrokerCentral does not knowingly collect Personal Data directly from children or intentionally provide Services to individuals below the age of 18 acting in a personal or consumer capacity. If BrokerCentral becomes aware that Personal Data relating to a child has been provided unlawfully or without appropriate authority, BrokerCentral may take steps to delete or restrict such information in accordance with applicable law.
If you have any questions about this Privacy Policy or how we handle your Data, please contact: Email: [email protected] Post: Nuworks Ltd, Suite 5, 26-27 West Street, Horsham, West Sussex, RH12 1PB, United Kingdom