Dear User,
This Privacy Policy sets out the rules for the collection, processing and use of personal data in connection with the use of the Website (hereinafter referred to as the "Website") operated by Smart Paws GmbH trading as Trupanion, taking into account applicable law, in particular the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as "GDPR") and, where applicable, the Swiss Federal Act on Data Protection of 25 September 2020 (hereinafter referred to as "FADP"){{1}}. We make every effort to ensure that your privacy is respected, and that information obtained during your visit to our Website is protected, and we take all necessary measures to this end.
{{1}} References to Swiss data protection legislation in this Privacy Policy apply to the processing of personal data subject to the FADP.
1. WHO PROCESSES YOUR DATA?
The controller of your personal data processed in connection with visiting our Website and using its services is:
Smart Paws GmbH with its registered office in Bad Schwartau (23611), Gutenbergstraße 3, 23611, Germany ("Controller" or "We"). In Switzerland, we operate through our branch: Smart Paws GmbH, Zweigniederlassung Basel, Innere Margarethenstrasse 5, 4051 Basel, Switzerland, which serves as our representative in Switzerland within the meaning of Article 14 of the FADP.
Contact:
You can contact us by writing to one of the addresses above or by e-mail at dataprotection@trupanion.eu.
2. WHAT DATA DO WE COLLECT AND FOR WHAT PURPOSE?
2.1 Data necessary in "Get a quote" form:
First Name,
Last name,
Country,
Postal code,
City,
Address,
Telephone number,
Primary Owner e-mail address,
Your pet’s information,
Secondary Owner information (optional):
First Name,
Last name,
Telephone number
The personal data in question will be processed to enable Website users to obtain a policy via the Website and to administer the policy via the Member Portal (see section 2.2.), including claims submission and handling, in particular for the following purposes:
the conclusion and performance of the contract [pursuant to Article 6(1)(b) of the GDPR],
the management of the insurance policy [pursuant to Article 6(1)(b) of the GDPR],
where appropriate, to establish, protect and recover claims based on our legitimate interest [pursuant to Article 6(1)(f) of the GDPR],
the fulfilment of legal obligations [pursuant to Article 6(1)(c) of the GDPR],
to perform business analysis on the basis of our legitimate interest [Article 6(1)(f) of the GDPR],
to contact the user on matters concerning the policy purchased, if applicable, in connection with the necessity to perform the concluded contract [Article 6(1)(b) of the GDPR] or on the basis of our legitimate interest [Article 6(1)(f) of the GDPR],
to notify the customer by email and/or SMS of the forthcoming expiry date of the insurance policy and the terms of the renewal, based on our legal obligation [Article 6(1)(c) of the GDPR],
to ensure accountability (including demonstrating compliance with legal obligations) - on the basis of our legitimate interest [Article 6(1)(f) of the GDPR].
Information relating to payments made in connection with the purchase of insurance is collected and processed by the payment service providers available on the Website. We, as the administrator, do not collect or have access to information such as credit card numbers.
Providing Primary Owner information is required to obtain a quote and purchase your pet's policy.
The provision of the data of the Secondary Owner is optional and is not necessary for the purchase of the insurance policy.
The legal basis for processing the Secondary Owner's personal data is the legitimate interest [Article 6(1)(f) of the GDPR] of enabling the policy holder to add the Secondary Owner so that the Secondary Owner can interact with Trupanion on behalf of the Primary Owner. Secondary Owners will not be able to manage the account in the same way as the Primary Owner, such as cancelling the account or updating the Primary Owner's information.
Our Website stores your details when you use our pre-purchase quote form. We may use the stored information, in accordance with the consents granted [pursuant to Article 6(1)(a) of the GDPR] for the following purposes:
Customer journey analytics,
Marketing & conversion follow-up,
Follow-up communications.
This data is retained for 30 days after active refusal, last unsuccessful contact or until consent is withdrawn. You may withdraw your consent to receive commercial information at any time by clicking on the unsubscribe link that will be included in any commercial message that we send to you.
If you would like to receive a quote without entering your email, please call us to continue the quote process.
For further information on the processing of personal data after you have purchased a policy, please see the section below.
2.2 Member Portal:
Once you have purchased your policy, you will be asked to register an account on the Member Portal, which will allow you to manage your policy and submit claims. You will find information about your account and your plan there.
Your personal data provided to us when you purchased your policy will be processed on the Portal as set out in section 2.1 above, together with billing and payment information relating to the administration of your policy. The purpose of the processing is to administer the policy and any claims submitted.
The legal basis for the processing of the data in question is the necessity for the performance of the contract concluded in connection with the purchase of the insurance policy and the contract for the provision of the Portal account service, in accordance with Article 6(1)(b) of the GDPR.
The remaining purposes and legal bases for processing the data are the same as those indicated in section 2.1.
In the event of non-renewal of your policy, your details will be retained by us for a period of 10 years in the absence of a claim and 15 years in the event of a claim.
Your details may also be accessed by our partner vets who may submit a claim on your behalf during your visit to the vet or, in the case of urgent treatment, apply for pre-approval of your cover.
In appropriate cases, we may be required to share information with the underwriter (the insurer, as specified in the terms and conditions of the policy). We will not provide the insurer with information that would allow individual customers to be identified. The underwriter will only receive data that allows them to review and assess pricing and underwriting performance. We also may transfer anonymised business data to Trupanion group companies.
2.3 Partnerships with Veterinarians - data necessary to use the contact form:
Name,
E-mail address,
Phone number,
Hospital or clinic name,
Postal code,
Any additional information (optional),
We collect the relevant data to process a request for partnership on the basis of necessity to take steps at the request of the data subject prior to entering into a contract in the case of collaboration with natural persons [Article 6(1)(b) of the GDPR]. In the case of a request for cooperation on behalf of a veterinary practice run by a legal entity, the legal basis for processing the personal data will be our legitimate interest in processing the request in order to establish a relationship [Article 6(1)(f) of the GDPR].
The provision of data is voluntary, but necessary to inform us of your interest in having Trupanion's portal in your practice and to schedule time with our Business Relationship Managers for you to learn more.
If a relationship is not established, your information will be deleted within 6 months of receipt of your notification, unless it is public information.
2.4 Vet Portal
When you become our partner - you will have access to a Portal. Through this Portal you can:
Let us know if a pet owner is interested in the free TruCover insurance offer,
Receive pre-approval to verify coverage for emergency treatment,
Make an immediate claim for the pet owner.
We will process the information that you have provided in your application, as referred to in the section above, through the Portal. The Portal also contains information about the bank account into which we will pay your claim. You can also access certain reports from the Portal.
The legal basis for the processing of the data in question is the necessity for the performance of the veterinary agreement concluded with you (if you are a natural person running a veterinary practice) and the agreement for the provision of the Portal account service [pursuant to Article 6(1)(b) of the GDPR], or on the basis of our legitimate interest in the provision of tools for the implementation of cooperation in the event that you are performing the agreement concluded by us with a legal entity that is a veterinary practice [pursuant to Article 6(1)(f) of the GDPR].
After termination of the partnership, your data will be retained for a period of 10 years in the absence of processed claims and 15 years in the event of processed claims.
We will retain data relating to payments made directly to the practice in accordance with tax and accounting legislation.
2.5 Sign up for notifications, data related to sending commercial information and direct marketing
Email address.
We will process your email address for the purpose of fulfilling your subscription if you subscribe to receive the latest updates about Trupanion, the veterinary community and articles, or if you have given us separate consent to do so.
The legal basis for this processing will be the consent you have given as part of your active subscription or by ticking the relevant checkboxes [pursuant to Article 6(1)(a) of the GDPR].
The provision of the data is voluntary but is required for the subscription.
You may withdraw your consent to receive commercial information at any time by clicking on the unsubscribe link that will be included in any commercial message that we send to you.
If you choose to withdraw your consent, your e-mail address will be removed from our database of subscribers to our mailing list.
Notwithstanding the above, if you are a policy holder, we will notify you by email or SMS of the forthcoming expiry date of your insurance policy and the terms of your renewal, based on our legal obligation to inform you [pursuant to Article 6(1)(c) of the GDPR].
2.6 Where applicable, we may receive, on the basis of your consent, your personal data such as:
First Name,
Last Name,
Phone number,
Email address,
Country,
Postal code,
City,
Address,
Information about your pet.
from our Partners, such as breeders and veterinarians, in connection with your request to receive a free month of Trupanion insurance.
Once the policy is activated, the data will be processed for the purposes of administering your pet insurance policy in accordance with sections 2.1. and 2.2. of this Privacy Policy.
If you do not activate your policy, the above data will be deleted from our systems within 90 days after active refusal or last unsuccessful contact. Until then, we may process the data for follow-up communications on the basis of your consent communicated through our Partner [pursuant to Article 6(1)(a) of the GDPR]. You may withdraw your consent to receive electronic communication at any time by clicking on the unsubscribe link that will be included in any commercial message that we send to you, by email or during a conversation with a member of our staff.
2.7 Satisfaction Survey
We may send our customers a link to an anonymous survey about their enrolment experience based on our legitimate interest [Article 6(1)(f) of the GDPR]. The survey does not collect any personally identifiable information.
2.8 Interacting with us through our social media profiles
The information you provide to us by interacting with our social media profiles may include your name/nickname, picture and other information provided in messages or comments.
As a general rule, we do not combine this information with information you may have provided to us in other ways (e.g. by email) unless the circumstances dictate otherwise (e.g., you have sent us a private message on Facebook/Instagram in which you have included an email address and requested contact).
As part of the operation of our profiles on the social media platforms operated by Meta (Facebook and Instagram), Meta Platforms Ireland Limited provides us with high-level trends to help us better understand the types of activity users are engaging in on our profile ("Page Insights").
For more information about the data processed within Facebook Page Insights, please click .
Meta Platforms Ireland Limited and we act as joint controllers in relation to the processing of data for Page Insights. All information about the joint controllers' obligations in relation to the processing of data for the purposes of Page Insights can be found .
Other social media providers may also provide us with aggregate statistics about activity on our social profiles.
In connection with your interaction with our social media profiles, your data will be processed by us on the basis of Article 6(1)(f) of the GDPR in order to:
respond to comments, messages and reviews posted on our social media profiles where appropriate,
maintain relationships,
manage the content posted on our profiles,
conduct research and analysis regarding the effectiveness of communications,
for statistical purposes.
Personal data relating to your activity on our social media profiles will be stored until you delete or restrict it, which you can do yourself using the social media provider's internal systems.
2.9 Personal data processed in connection with the recording of calls to our helpline
Calls to our hotline are recorded with the consent of the caller.
The retention of call recordings is justified by our legitimate interest in establishing, asserting or defending claims relating to the services provided.
Depending on the purpose for which the caller contacts us, his or her personal data may be processed for different purposes.
In the case of a policy quote and purchase over the telephone, we may collect and retain the information as set out in sections 2.1. and 2.2. of this Privacy Policy.
For existing customers, we may collect information for verification purposes, such as name, policy number(s), pet name(s), telephone number, postcode.
The recordings are encrypted, and only authorised personnel have access to them. The recordings are stored for approximately 12 months on servers located within the European Union. Notwithstanding the foregoing, the retention period of your personal information provided to us during a telephone call will depend on the matter for which you have contacted us. The processing period may be reasonably extended if the processing is necessary for the establishment, investigation or defence of any claims, and thereafter only if and to the extent required by law. At the end of the processing period, the data will be irreversibly deleted or made anonymous.
2.10 Additional Information
We also collect, use and disclose aggregate information, such as statistical or demographic information. For example, we may aggregate data about the use of our website to calculate the percentage of users accessing a particular feature of the website. However, if we combine aggregated information with your personal information, you may be directly or indirectly identifiable.
We do not collect special categories of personal data (including data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sexuality or sexual orientation). We also do not collect information about criminal convictions or offences.
Our Website is not intended for use by children, and we do not knowingly collect information from children.
2.11 Data from server logs
Use of the Website involves sending a query to our server. Individual requests are recorded and stored in server logs. The information contained in the logs consists of IP address, time of request, time of response and information about the user's operating system. These data are not linked to specific users of the Site and are not used to identify users in any way; they are used solely for server administration purposes and are processed only for the time necessary to provide and manage the service. The server logs are kept for 30 days.
2.12 Data processing in connection with the use of cookies
Cookies are small text files sent by the Website and stored on your device that contain certain information relating to your use of the Website.
Cookies are used, among other things, to enable you to visit our Website, to display our Website properly and to use all of its features, and to protect our Website from abuse and spam.
Subject to your consent, we may use cookies to personalise content and advertising on our Website (and other sites) and to analyse traffic on our Website. We may also share information about your use of our Website with our partners, who may combine it with other information that you have provided to them or that they have collected as a result of your use of their services.
By accepting marketing cookies, you consent to the sharing of your data with advertising and business partners, who may combine it with other information that you have provided to them or that they have collected as a result of your use of their services, and to the automated processing of your data to personalise content and advertising on and off our website.
For more information about the cookies used on the site, please see our .
Our Website may contain links to other websites or applications, including those of our business partners. Please note that third party websites may also use cookies or similar technologies. We have no control over third party websites. If you choose to click on a link or application, please be aware that each has its own policy regarding the use of cookies. We encourage you to read their privacy policies before using other websites or applications.
2.13 Processing of personal data in connection with email communications
As part of our email correspondence, we generally process your personal data for the following purposes, depending on the specific case:
to respond to your message on the basis of our legitimate interest [Article 6(1)(f) GDPR],
to provide you with an offer in relation to your request on the basis of our legitimate interest [Article 6(1)(f) GDPR] or, where applicable, to take steps at your request prior to entering into a contract [Article 6(1)(b) GDPR],
to continue and properly perform the contractual relationship with you [Article 6(1)(b) of the GDPR],
for the performance of the contractual relationship between us and the entity with which you have an employment relationship or with which you cooperate, or the entity which you represent or serve on the bodies of such entities, on the basis of our legitimate interest [Article 6(1)(f) of the GDPR],
to establish or maintain a business relationship between us and you or the entity you represent or serve on the boards of such entities, on the basis of our legitimate interest [Article 6(1)(f) of the GDPR],
where the processing of your data is required by law, we will process your data on the basis of necessity for the performance of a legal obligation incumbent upon us [Article 6(1)(c) GDPR],
to retain data for accountability purposes (including to demonstrate our compliance with legal obligations) on the basis of our legitimate interest [Article 6(1)(f) GDPR],
where appropriate, for the establishment, exercise or defence of legal claims based on our legitimate interest [Article 6(1)(f) GDPR],
to store data for statistical purposes - based on our legitimate interest [Article 6(1)(f) GDPR].
We have obtained the personal data that we process in connection with our correspondence directly from you or the organisation that you represent or work for. In some cases, we may have obtained this information from publicly available sources, in particular publicly available registers.
In the context of email correspondence, we generally have categories of personal data such as contact details, i.e. email address, telephone number, first and last name, and possibly other data contained in the footer of your email. The categories of personal data processed will also depend on the subject matter of the email correspondence between you and us.
The provision of personal data is voluntary, but to a certain extent necessary for email correspondence.
Personal data will be kept for as long as is necessary for us to correspond with you about the subject matter and thereafter, where applicable, for as long as is necessary to comply with any obligations imposed on us by law, subject to any issues relating to claims that may be made against us and that we may have against you in relation to the above purposes.
If a contract is entered into - we will process your personal data for as long as is necessary for the performance of the contract and for as long as is required by applicable law, taking into account, where applicable, the statute of limitations for claims arising from the civil law relationship between you and us. In general, we will process data based on our legitimate interest until you object (if applicable) or until we no longer need the data for the purpose it was collected, or until we have achieved the purpose for which the data was collected, whichever comes first.
For data processing subject to the FADP - Smart Paws is a company based in Germany, so when you contact us, you are transferring your personal data outside of Switzerland.
We use communication tools whose providers may be based in the US. Depending on their participation in the 'EU-US Data Privacy Framework', the legal basis for the transfer of data to the United States will be the European Commission's adequacy decision or the relevant standard contractual clauses prepared on the basis of the European Commission's decision. You can obtain a copy of the clauses by emailing us at: dataprotection@trupanion.eu
If the matter in question requires the transfer of your personal data to another company within the Trupanion group, your data may be transferred in accordance with the relevant data protection safeguards:
to the United Kingdom on the basis of the European Commission/Federal Council decision finding an adequate level of protection under European/Swiss data protection law,
to the United States - on the basis of the applicable standard contractual clauses in accordance with the European Commission decision/ recognition by the FDPIC concluded between companies of the Trupanion Group,
to Canada on the basis of the European Commission/Federal Council decision finding an adequate level of protection under European/Swiss data protection law.
In the case of the processing of personal data subject to the FADP regulations, data transfers to Trupanion companies based in the European Union and to Microsoft Ireland Operations Limited will take place on the basis of the Federal Council adequacy decision.
3. TOOLS WE USE
In order to optimise the use of the information collected through cookies and similar technologies, we use analytical tools and tools that allow us to manage the advertising and marketing of our products and services, including the display of targeted advertising.
These tools also allow us to process the information collected in ways that support our research and development and marketing activities.
Subject to your consent, your personal data (including that collected through cookies) may be processed automatically (including in the form of profiling) and we may use the information collected (for example, data about your preferences) to tailor the advertising content displayed on and off our Site.
Subject to your consent, we may also share information about your use of our Website with our social, advertising and analytics partners, who may combine it with other information that you have provided to them or that they have collected as a result of your use of their services.
3.1 Platform enabling users to manage cookies and privacy controls
We use a dedicated platform to lawfully allow users of our Website to consent to the installation of the relevant cookies, where applicable, the associated processing and sharing of personal data, and to collect the user's other consents and other privacy declarations of the user.
The user's consent is recorded by registering the Iubenda created ID, Iubenda created owner ID, source, timestamp (UTC), preferences, IP address, legal notices (identifiers: Privacy policy, cookies, policy, terms - including which version the user agreed to), content: pet name, email, country, postal code, consent (true/false), first name, last name, site or portal where consent is given. After 6 months, the consent is removed from the log.
The legal basis for this data processing is our legitimate interest in relation to the implementation of the principle of accountability, arising from the provisions of the GDPR [pursuant to Article 6(1)(f) of the GDPR].
3.2 Plausible Analytics
We use Plausible Analytics to measure and analyse the use of a Website, to assess the performance of a Website and to see what we can do to improve and optimise our future efforts. Plausible Analytics does not use cookies, browser cache or local storage. It does not store, retrieve or extract anything from users' devices. Plausible Analytics uses the IP address and the user agent sent to the server but generates a daily changing identifier from the visitor's IP address and user agent to anonymize these data points and make them impossible to relate back to the user.
The data in question is collected for the purpose of compiling Website statistics on the basis of our legitimate interest [Article 6(1)(f) of the GDPR].
3.3 Google's tools we use
3.3.1 Google Ads
Google's advertising system enables the display of personalised ads across the Google advertising network, Google search and YouTube. We use Google Ads marketing tools that process data relating to your activity on our Website, including online identifiers, to provide you with personalised advertising based on profiling or to monitor your choices.
We will only use these tools if you consent to the use of certain types of cookies, including consenting to automated decision making and the transfer of data to our advertising partners [Article 6(1)(a) of the GDPR].
You can review/change your consent settings at any time by using the cookie installation consent management tool. A link to this tool is provided in the footer of our Website.
To delete cookies already stored on your computer, please follow the instructions on the cookie management help page of your browser manufacturer's product.
We do not retain any information about our customers who engage with our ads on Google Ads. No personal information about users of our Website is shared with Google in scope of conversions. Google Ads shows personalised ads to users who have opted in. We only send the number of people who convert within each campaign to help with bidding strategy - when a user visits our site, we send anonymous conversion data back to Google Ads if we have a conversion and which campaign it is for with a timestamp.
You can find out more about how Google uses your information by following this link: .
Google's privacy management help center can be found .
3.3.2 Google reCAPTCHA
We use the reCAPTCHA service on the Site, which is subject to and . We use the reCAPTCHA service solely to combat spam and abuse on our Website.
The reCAPTCHA service collects and sends to Google for analysis data such as answers to questions, clicks, keypress events, motion sensor events, mouse movements, scroll position, touch events, trackers and usage data. In accordance with the reCAPTCHA Terms of Service, the information collected when a visitor enters a part of the site with the reCAPTCHA service enabled will be used to improve the service and for general security purposes. It will not be used by Google to personalise advertising. Our legal basis for this processing is our legitimate interest in protecting our Website from abuse and spam [Article 6(1)(f) of the GDPR].
3.3.3 Transfer of data to countries outside of the EEA in connection with the use of tools made available by Google
In connection with our use of tools provided by Google, your personal data may be transferred to third countries, including the United States. The legal basis for transferring personal data to the United States in this case is Google LLC's participation in the EU-US Privacy Framework. Under the FADP, transfers to the United States will be based on the applicable standard contractual clauses in accordance with the recognition by the FDPIC.
Please note that Google may also transfer data to entities outside the European Economic Area in connection with the use of Google's services. If Google uses the services of entities located in countries that are subject to the European Commission / Federal Council decision finding an adequate level of protection under European / Swiss data protection law, the transfer of data to a third country will be based on such a decision. In the case of entities located in countries that are not subject to the European Commission / Federal Council adequacy decision, the basis for Google's transfer of data to a third country will be the relevant standard contractual clauses (“SCCs”) in accordance with the European Commission decision / recognition by the FDPIC.
include the relevant SCC prepared by the European Commission and recognized by the FDPIC . Similarly for include the relevant SCC.
3.3.4 Google Tag Manager
Google Tag Manager (GTM) is a tool that allows us to manage scripts by easily adding code snippets to our Website. With GTM, we can track user interactions on our Website, such as event completions, and efficiently configure our Website's analytics. As part of Google Tag Manager, users’ data is processed in the form of online identifiers, including cookie identifiers and IP addresses. We will only use these tools if you provide consent for certain types of cookies (measurement) [Article 6(1)(a) of the GDPR]. You can review or change your consent settings at any time using the cookie installation consent management tool, accessible via the footer of our Website. If you wish to delete cookies already stored on your device, please follow the instructions provided on your browser manufacturer’s cookie management help page.
3.4 Facebook advertising tools
Depending on the user's consent to the use of certain types of cookies, in connection with the use of marketing tools provided by Facebook (Meta Platforms Ireland Limited), third parties, including Facebook (Meta Platforms Ireland Limited), may use cookies and similar technologies to collect or receive information from the Website and other places on the Internet and use that information to provide measurement services, target and deliver ads [Article 6(1)(a) of the GDPR].
The Meta Pixel is a short code placed on advertisers' websites that allows website owners to measure the effectiveness of ads by analysing the actions users take on the website. The use of the Meta Pixel allows us to show ads to the right audience, increase sales and measure the results of our ads.
The tools provided by Meta Platforms Ireland Limited enable us to serve ads to people who have already interacted with us (e.g. visited our website or viewed our advertisements).
Registered Facebook users can use the Ads Management Interface in their Facebook profile to prevent marketing data from other sites from influencing the selection of ads.
Notwithstanding the foregoing, personal data may be processed as part of the use of Meta Business Tools, in particular in the form of:
information contained in HTTP headers, which contain information about the browser or application used (e.g. user agent, country/language of location),
information about standard/optional events, such as "page view" or "application installation", other object properties and buttons pressed by website visitors, depending on the configuration of the business tool,
online identifiers, including IP addresses and, where provided, Facebook-related identifiers or device identifiers (e.g. mobile OS advertising IDs) and ad tracking opt-out/restriction.
Together with Meta Platforms Ireland Limited, we are the joint controllers for the purposes of targeting advertising to individuals who have a relationship with us and use Meta's business tools. Detailed information required by GDPR provisions and more information on how Meta Platforms Ireland Limited processes personal data, the legal basis of the processing and how data subjects can exercise their rights against Meta Platforms Ireland Limited can be found in the "Data Privacy Policy" available at: . Joint controllers’ arrangements are available at: .
In connection with the use of tools provided by Meta Platforms Ireland Limited, your personal data may be transferred to third countries, including the United States. The legal basis for the transfer of personal data to the United States in this case is Meta Platforms, Inc.'s participation in the EU-US Privacy Framework. Under the FADP, transfers to the United States will be based on the applicable standard contractual clauses in accordance with the recognition by the FDPIC.
Please note that Meta Platforms Ireland Limited may also transfer data to entities outside the European Economic Area in connection with the use of the services of such entities. Where Meta Platforms Ireland Limited uses the services of entities located in countries that are subject to a European Commission / Federal Council decision finding an adequate level of protection under European / Swiss data protection law, the transfer of data to a third country will be based on such a decision. Where Meta Platforms Ireland Limited uses the services of entities located in countries that are not subject to a European Commission adequacy decision, the basis for the transfer of data by Meta Platforms Ireland Limited to a third country will be the relevant standard contractual clauses in accordance with the European Commission decision / recognition by the FDPIC.
You can also opt out of the collection and use of information for ad targeting. The mechanism that allows users to make this choice is provided in the following links: , .
3.5 Microsoft Clarity
We use the analytics service “Microsoft Clarity” provided by Microsoft Corporation. Microsoft Clarity enables us to better understand how users interact with the Website by recording anonymised usage data such as mouse movements, scrolling, clicks, and general navigation patterns. This data is used to optimise user experience and improve Website performance.
As part of Microsoft Clarity, users’ data is processed in the form of local storage. We will only use these tools if you provide consent for certain types of cookies (measurement) [Article 6(1)(a) of the GDPR]. You can review or change your consent settings at any time using the cookie installation consent management tool, accessible via the footer of our Website. If you wish to delete cookies already stored on your device, please follow the instructions provided on your browser manufacturer’s cookie management help page.
Further information on data processing by Microsoft can be found in the .
Transfer of data to countries outside of the EEA in connection with the use of tools made available by Microsoft
4. TECHNICAL MEASURES
We make every effort to keep your information secure and safe from the actions of third parties. We use all necessary security measures for servers, connections and the website. In particular, the communication between your device and our server when we collect your personal information is encrypted using SSL (Secure Sockets Layer). In addition, our databases are protected from access by third parties. All connections related to your electronic payments, if you choose this option, will be made via a secure encrypted connection. Where we use the services of sub-contractors, we carefully check their credibility and the security measures they use to protect the data of users of our Website. However, the measures we take may not be sufficient if you do not follow the security rules yourself. In particular, we encourage you to keep your member account login and password confidential at all times and not to share them with third parties.
5. RECIPIENTS OF YOUR DATA & DATA TRANSFERS
Where applicable, we may disclose your information to:
5.1 persons authorised by us, our employees, and agents who need access to the data in order to perform their duties,
5.2 processors to whom we outsource certain functions, e.g. companies involved in the operation of our technology systems or providing technology tools and hosting services, companies providing consultancy, business support and marketing services, suppliers of analytical and marketing tools used by us to the extent that they process data on our behalf (including in connection with the provision of automated marketing communications tools),
5.3 other entities who process personal data as independent data controllers: e.g. the underwriter, payment processing companies, business partners (including advertising partners) as part of the marketing tools used on the Website,
5.4 public bodies, where this is required by law,
5.5 other companies in the Trupanion group if the matter you are addressing or in which we are communicating by email requires it.
For data processing subject to the FADP: Smart Paws is a company based in Germany, so when you contact us, you are transferring your personal data outside of Switzerland.
In addition to the above and the information about transfers of personal data outside the EEA referred to in the sections of this Privacy Policy relating to the use of tools provided by Google and Meta Platforms, in connection with inter-company relationships and the provision of support services by other companies in the Trupanion group, where necessary, your personal data may be transferred to the United States. The United States ensures an adequate level of protection for personal data transferred from the European Union to organisations in the United States that are listed in the Data Privacy Framework. Until the Trupanion US companies join the EU-US Data Privacy Framework, the legal basis for such transfers will be the standard contractual clauses adopted pursuant to a decision of the European Commission. You can obtain a copy of the clauses by emailing us at: dataprotection@trupanion.eu.
We also use other tools (e.g. to support our customer communications and marketing activities) whose providers are based in the US. Depending on their participation in the 'EU-US Data Privacy Framework', the legal basis for the transfer of data to the United States will be the European Commission's adequacy decision or the relevant standard contractual clauses prepared on the basis of the European Commission's decision. You can obtain a copy of the clauses by emailing us at: dataprotection@trupanion.eu.
6. HOW LONG WE KEEP YOUR DATA
The above sections of the Policy generally indicate the retention periods for personal data, where applicable, or the criteria for determining them. General information on the principles for determining retention periods is set out below.
Your personal data processed in connection with the conclusion and performance of the contract concluded with you will be processed for the period necessary for the performance of the contract and for the period provided for by applicable law, in particular the period of limitation of claims arising from civil law relations between you and us.
We may continue to process your personal data that we process on the basis of your consent until you withdraw your consent or until the processing of your personal data is no longer necessary for the purposes for which it was processed, or until the purposes for which it was processed have been achieved and completed, whichever is earlier.
In the case of responding to your enquiries or requests, your personal data will be processed by us until we have responded to your enquiry or dealt with your request. We may retain your information to defend against claims made against us and to enforce any claims we may have against you.
Data that we process on the basis of our legitimate interest will continue to be processed until you object, or until the processing of your personal data is no longer necessary for the purpose for which it was processed, or until the purpose for which it was processed has been achieved and completed, whichever is earlier.
Detailed information on the persistence of each cookie is provided in the .
7. YOUR RIGHTS
In relation to the processing of your personal data, you have the following rights within the limits of the law and where applicable:
7.1 to request access to, rectification, erasure of personal data or restriction of processing and to data portability,
7.2 in situations where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time, but this will not affect the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal,
7.3 at any time, object to the processing of personal data on the grounds of our legitimate interest for reasons relating to your particular situation,
7.4 where your personal data is processed for direct marketing purposes, you have the right to object to the processing of your personal data for such marketing at any time,
7.5 if you believe that the processing of your personal data is not in accordance with the applicable European data protection law, you may lodge a complaint with the data protection supervisory authority in the country where you have your habitual residence, place of work or where the alleged breach occurred. A list of the competent authorities in each Member State can be found . Under the FADP, the Federal Data Protection and Information Commissioner (“FDPIC”) is responsible for tasks in the areas of data protection and the principle of freedom of information.
You can exercise some of the above rights on your own:
Opting out of receiving commercial communications by using the "unsubscribe" function available in the footer of each commercial communication sent by us is tantamount to withdrawing consent to the processing of personal data for the purpose of sending commercial communications.
You may revoke your consent to the installation of cookies in connection with the processing of personal data for the purposes determined by the function of such cookies by using the cookie installation management tool, a link to which can be found in the footer of our Website under the keyhole-shaped button (in the lower left corner of the Website).
You can exercise your other rights by sending an e-mail to: dataprotection@trupanion.eu.
We will endeavour to deal with your request promptly and to answer any questions you may have regarding the processing of your personal data. We will respond within 30 days of receiving your request. If this period is extended due to the complexity of the request or the number of requests we receive, we will inform you of the extension and the reasons for it.
If we have reasonable doubt as to the identity of the person making the request, we may request additional information necessary to confirm the identity of the person making the request. It is not compulsory to provide this information, but failure to do so will result in the request being refused.
We keep information about the requests we receive to demonstrate compliance in line with the principle of accountability referred to in the GDPR and to establish, protect and pursue claims.
8. OTHER INFORMATION
This Privacy Policy may change, for example, in connection with website development or in the event of legislative changes.