Effective Date: May 8, 2025
PRIVACY POLICY
Welcome to www.acord.org (the “Site”), a website provided by ACORD Corporation, a not-for-profit Delaware corporation that enables the success of the global insurance industry by leveraging the flow of data and information across all industry stakeholders through relevant and timely data standards (“ACORD”). ACORD respects your privacy, and this privacy policy covers ACORD’s handling, use and disclosure of information about you. Such information may be collected from you through the Site, your interactions with ACORD, and/or other sources in the ordinary course of ACORD’s business. It also explains the rights you have in your information.
1) How we use Personal Information
“Personal Information” refers to any information that relates to an individual and that identifies, or can be used in conjunction with other information to identify, an individual. ACORD may collect and process Personal Information relating to you as set out in this privacy policy.
Personal Information may be collected by ACORD, whether electronically or manually, through (i) the Site, (ii) e-mail messages and other electronic communications that you may send to ACORD, and (iii) other sources in the ordinary course of ACORD’s business.
If you provide information to us about any person other than yourself, please ensure that they understand how their information will be used, and that they have given their permission for you to disclose it to us.
ACORD processes Personal Information in a number of different situations, as set out under the headings below.
- Clients (or Officers, Employees or Contractors of Clients)
Types of Personal Information we collect:
To provide your organization with our services, we may collect Personal Information about you, including your name, role at work, work address, work contact details, business address and banking details. We will, from time to time, also collect data on your areas of expertise and experience and your business interests. We may also process Personal Information relating to security and access control (including user authentication credentials and details of login activity). If we invite you to an event, we may occasionally ask for additional Personal Information about your dietary or accessibility requirements. This may include Sensitive Information (as detailed in Section 4), such as information relating to your religion or health status.
Usually, we obtain Personal Information directly from you or from your colleagues but we may also from time to time obtain Personal Information about you from third parties or public sources (for example, from LinkedIn).
Purposes of processing and lawful basis (where relevant under applicable data protection laws):
| Purpose of Processing | Lawful Basis (where relevant) |
|---|
| To provide our services (including technical support) and to carry out administrative tasks related to those services (for example, to send you invoices, process payments and contract administration). | Legitimate interests – providing our services to clients and administering our relationship with clients. |
| To manage and develop our relationship with you and to send you communications about our services (including marketing). | Legitimate interests – developing and growing ACORD’s business and to enable business communications. |
| Carrying out and tracking our engagement with you, helping to understand your business, and developing our business relationship with you. | Legitimate interests – expanding ACORD’s business, including negotiations and conducting business transactions. |
| Using your contact details and interests to invite you to and provide you with information about events. | Legitimate interests – facilitating engagement with ACORD services and expanding ACORD’s business. |
| Maintaining the security of our IT infrastructure and systems. | Legitimate interests – securing our services. |
| Maintaining information for compliance and audit purposes. | Legal obligation – to comply with audit and compliance requirements.
Legitimate interests – comply with our compliance and audit obligations. |
| Data storage/backup. | Legitimate interests – ensuring the resiliency of our services and keeping appropriate records. |
| Conduct of litigation, managing claims and addressing complaints. | Legitimate interests – for administrative purposes, to address complaints and to enable the establishment, exercise or defense of legal claims. |
| Organization, attendance and administration of events. | Legitimate interests – facilitating engagement with ACORD services and expanding ACORD’s business. |
Please note that, where we need to collect Personal Information to comply with the law, or under the terms of a contract we have with you or a client that you represent, and you fail to provide the relevant Personal Information when requested, we may not be able to perform the contract that we have with your or the client you represent.
You can unsubscribe from any marketing emails (including newsletters) you may receive from us at any time by responding to the email received or contacting an ACORD representative. Please note that if you opt out of marketing emails, we may still send you service-related communications as permitted by law.
Vendors or Suppliers to ACORD
We may collect and process certain Personal Information about individuals who are employees or contractors of, or otherwise associated with, vendors/suppliers to ACORD.
Types of Personal Information we collect:
To engage your organization as a vendor/supplier, we may need to collect Personal Information about you, including your name, role, work address, work contact details and business address.
Purposes of processing and lawful basis (where relevant under applicable data protection laws):
| Purpose of Processing | Lawful Basis (where relevant) |
|---|
| Receiving services from the vendor/support you represent, or for other administrative purposes (e.g., to pay invoices). | Legitimate interests – managing our supplier base in order to run our business and provide services to our clients. |
| Conduct of litigation, managing claims and addressing complaints. | Legitimate Interests – for administrative purposes, to facilitate business operations and to enable the establishment, exercise or defence of legal claims. |
Users of the Site
When you access the Site, we may collect information relating to your usage of the Site through the use of cookies, server log filles and other similar technologies. Personal Information collected in this way may include: (i) search engine terms inputted by you; (ii) your computer/device’s access date and time, browser, connection speed, internet protocol address, internet service provider, language, location, manufacturer, visit details, and operating system; (iii) usage metrics, performance and reliability data, error and accident logs; or (iv) any information that you submit via the Site (e.g. contact details). For further information about our use of cookies, please see our Cookie Policy here.
| Purpose of Processing | Lawful Basis (where relevant) |
|---|
| To record your use of the Site. | Legitimate interests – operational purposes and promoting ACORD’s business. |
| To diagnose problems with the Site. | Legitimate interests – for operational purposes and to enable provision and operation of the Site to provide our services to clients and client support. |
| To improve the Site and make the Site more useful to you and other users. | Legitimate interests – managing our Site and improving accessibility. |
| For marketing – to promote our Services. | Legitimate interests – promoting ACORD’s business. |
Job Candidates
We process Personal Information about individuals who have applied for a role at ACORD for recruitment purposes.
Types of Personal Information we collect:
The Personal Information we may collect in order to progress your application as a candidate includes personal contact details such as name, title, addresses, telephone numbers, personal email addresses, date of birth, gender, current salary, compensation history, annual leave entitlement, pension and benefits information, current notice period and other employment records from previous roles, start date and location of employment, recruitment information (including copies of right to work documentation, references and other information included in a CV/resumé, cover letter or as part of the application process), test assessment scores, background check verification results, information in relation to disability, accessibility or related workplace/reasonable adjustments, and visual images and any photographs provided for business purposes. We may collect such Personal Information directly from you, or indirectly from recruitment agents or public sources, such as LinkedIn. If you are successful in your application, to the extent relevant, we may transfer this Personal Information to your employment record.
Purposes of processing and lawful basis(where relevant under applicable data protection laws):
| Purpose of Processing | Lawful Basis (where relevant)
|
|---|
| To assess your candidacy as a potential employee or contractor of ACORD. | For successful candidates: steps taken prior to entering into a contract with you; our legitimate interests of considering you as a candidate; and to comply with our legal obligations, for example, occupational health laws and employment related laws.
For unsuccessful candidates, our legitimate interests in assessing potential candidates; and to comply with our legal obligations, for example, occupational health laws and employment related laws. |
| To process applications and conduct necessary verifications (including background checks) in the course of recruitment. | For successful candidates: steps taken prior to entering into a contract with you; our legitimate interests of considering you as a candidate; and to comply with our legal obligations, for example, occupational health laws and employment related laws.
For unsuccessful candidates, our legitimate interests in assessing potential candidates; and to comply with our legal obligations, for example, occupational health laws and employment related laws. |
| To provide reasonable adjustments (if required). | Legal obligation – to comply with employment law-related obligations. |
| Electronic storage of files. | Legitimate interests – to maintain a record of relevant steps in connection with job recruitment. |
2) Sensitive Information
“Sensitive Information” (sometimes known as “special category data”) are categories of Personal Information that require higher levels of protection and include any Personal Information of an individual that reveals (i) racial or ethnic origin, (ii) political opinions, religious or philosophical beliefs, (iii) trade union membership, (iv) genetic data, (v) biometric data, (vi) physical or mental health data or (vii) the sex life or sexual orientation of an individual. ACORD will only process Sensitive Information about you as allowed or required by law.
We may process Sensitive Information in situations where you have given your explicit consent (for example, with respect to dietary requirements and allergies at events we organize), where such processing is necessary for compliance with applicable laws (for example, to make reasonable adjustments for disabled job candidates), where it is in the public interest to do so (for example conducting pre-employment background checks) and, where necessary, for the establishment, exercise or defense of legal claims. Other lawful bases permitting the processing of Sensitive Information may apply under applicable law.
3) Retention of Personal Information
Regardless of the method used to obtain Personal Information, ACORD will retain Personal Information only as reasonably necessary for the purposes for which the Personal Information were collected. ACORD may retain Personal Information for a longer period where necessary, for example, to satisfy ACORD’s legal or regulatory obligations.
To decide on the appropriate retention period for Personal Information, we consider the amount, nature, and sensitivity of the Personal Information, the potential risk of harm from unauthorized use or disclosure of your Personal Information, the purposes for which we process your Personal Information and whether we can achieve those purposes through other means, and the applicable legal requirements.
ACORD generally retains client documentation for as long as there is an ongoing client relationship and an appropriate period thereafter, and once ACORD has no legal or commercial reasons to retain Personal Information, it will be securely deleted or destroyed.
4) Choice
If you refuse to provide any information when requested to do so by ACORD or the Site, you may not be able to access, or otherwise enjoy the benefits of, certain services from ACORD or the features of the Site.
5) Information Sharing and International Transfers
Information Sharing
In order to provide our services and operate our business, we may from time to time transfer Personal Information to a third party, for example, a third party processor, such as an IT services provider (e.g. software, cloud storage or digital communications service provider) or other third party that supports ACORD in the course of its business operations.
In limited circumstances, we may also share your Personal Information with other third parties, for example, where required by law, court order or regulation.
ACORD remains liable for the integrity of your Personal Information in the event of onward transfers to third party processors and ensures protection of Personal Information as described in this privacy policy and by way of appropriate contractual measures. Please see below for further information about the appropriate safeguards that we implement where we carry out international transfers.
International Transfers
ACORD generally processes Personal Information that is in electronic form using servers that are located at ACORD’s places of business in Little Falls, New Jersey and London, England, as well as servers located at off-site data centers located in the United States, England, Ireland and Italy.
We may transfer Personal Information: (i) outside of the United Kingdom (“UK”) or European Economic Area (“EEA”), such as to our offices in North America or to a third-party processor with servers outside of the UK or EEA; and (ii) outside of Québec or Canada, such as to our offices in the United States or the UK, or to a third-party processor with servers outside of the UK or EEA.
Where Personal Information is transferred outside of the UK, EEA or Québec, ACORD ensures that a consistent degree of protection is implemented in accordance with applicable law. The ways we do this include only transferring Personal Information to countries with adequate data protection regimes or using appropriate safeguards, such as specific contracts approved by the European Commission or UK government (as applicable) which are designed to give Personal Information the same level of protection it has in the UK or EEA (e.g. European Commission: Standard Contractual Clauses for international transfers and the UK International Data Transfer Agreement or Addendum) or any data transfer mechanism approved by the European Commission or the UK authorities as appropriate, such as the EU-US Data Privacy Framework and the UK Data Bridge.
6) Protection
We have put in place and maintain appropriate security measures to help protect Personal Information. ACORD will use commercially reasonable efforts to protect Personal Information from loss, misuse and unauthorized access, alteration, destruction and disclosure.
We have procedures in place to deal with any suspected Personal Information breach and will notify you and any applicable regulator of a breach where appropriate and required under applicable law.
7) Third-Party Sites
The Site may contain links to, or be accessible from, websites provided by third parties (“Third-Party Sites”). Your use of a Third-Party Site may be subject to its terms of use and other provisions, and you are responsible for complying with such terms of use and other provisions. This policy does not cover the privacy policies or practices of any Third-Party Site, and ACORD is not responsible for any information you submit to, or is otherwise collected by, any Third-Party Site. You should consult each Third-Party Site for its privacy policy or practice before submitting any information to, or otherwise using, such Third-Party Site.
8) Data Rights
Depending on where you reside, you may in certain circumstances have the following rights with respect to your Personal Information:
GDPR Data Rights
If you are located in the UK or the EEA or other locations with similar data protection regimes, you may have certain rights under applicable data protection laws in relation to your Personal Information. Please see below for further details of such rights.
- Request access to your Personal Information. This right enables you to request to receive a copy of the Personal Information we hold on you and to check that we are lawfully processing it. This is commonly known as a “data subject access request”.
- Request correction of the Personal Information that we hold about you. This right enables you to have any incomplete or inaccurate information we hold about you corrected. We ask that you please keep us informed if your Personal Information changes during your relationship with us.
- Request erasure of your Personal Information. This right enables you to ask us to delete or remove Personal Information where there is no good reason for us continuing to process such Personal Information. You may also have the right to ask us to delete or remove your Personal Information where you have exercised your right to object to processing (see below).
- Object to processing of your Personal Information. If we rely on a legitimate interest (or those of a third party) as our lawful basis, and there is something about your particular situation which makes you want to object to processing on this ground, you may be able to exercise this right. You may also object if we ever process your Personal Information for direct marketing purposes.
- Request the restriction of processing of your Personal Information. This right enables you to ask us to suspend the processing of Personal Information about you, for example, if you want us to establish its accuracy or the reason for processing such Personal Information.
- Request the transfer of your Personal Information to another party. This right enables you to request that your data be transferred to another party in a portable format.
If you want to exercise any of these rights, please contact us by sending an email to legalwork@acord.org. We may need to request specific information from you to help us confirm your identity in connection with any request you make. This is an appropriate security measure we take to ensure that Personal Information is not disclosed to any unauthorized person.
You will not have to pay a fee to access your Personal Information or to exercise any of the other rights, unless the request is repetitive, clearly unfounded, or excessive, in which case we reserve the right to charge you a reasonable fee or refuse to comply with the request.
Canada Data Rights
If you are in Canada, we will not collect, use, or disclose your Personal Information without your prior consent except in limited circumstances where we are not required to obtain your consent as permitted by law. Your consent may be express or implied. You may expressly give your consent in writing, verbally or through any electronic means. In certain circumstances, your consent may be implied by your actions. For example, providing ACORD Personal Information to apply for a job or to use ACORD’s services may constitute implied consent for ACORD to use your Personal Information for specific purposes. ACORD assumes that you have consented to its reasonable collection and use of Personal Information consistent with the purposes for which the information was given.
We do not collect, use, or disclose Personal Information without consent unless authorized or required by law to do so. You may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. In order to withdraw consent, you must provide notice to ACORD in writing.
Upon request, ACORD will provide you information regarding the existence, use and disclosure of your Personal Information and you will be given access to that information. ACORD will respond to an application for individual access to Personal Information within a reasonable time and at minimal or no cost to the individual. You may challenge the accuracy and completeness of the information and have it amended as appropriate.
NOTE: In certain circumstances, ACORD may not be able to provide access to all of your Personal Information that it holds. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons. ACORD will provide the reasons for denying access.
US Data Rights
Depending on where you reside, you may have the following rights with respect to your Personal Information, in certain circumstances:
- The right to know the categories and specific pieces of Personal Information we have collected about you in the last 12 months, the sources from which the Personal Information were collected, and the business purpose for collecting such information;
- The right to know whether and how we sell or disclose your Personal Information, to whom we sell or disclose your Personal Information and the categories of Personal Information sold or disclosed, and the business purposes for selling or disclosing your Personal Information;
- The right to request a copy of the specific pieces of Personal Information we have collected about you in the last 12 months;
- The right to request that we not sell your Personal Information;
- The right to request that we delete the Personal Information that we have collected from you, in certain circumstances;
- The right to opt out of targeted advertising;
- The right not to receive discriminatory treatment for the exercise of your privacy rights; and
- The right to appeal denial of your request.
You may make a request to exercise these rights by contacting us at legalwork@acord.org.
Upon receipt of a request to exercise your rights, we may request additional information in order to verify your identity. You may also be required to confirm your identity under relevant law or regulation. To the extent possible, we will utilize information already in our possession to verify your identity. Any information you provide in connection with such verification will be deleted as soon as practicable following your request and not used for any other purpose.
You may be able to designate an authorized agent to make a request on your behalf. If you submit a request through an authorized agent, we may require that the authorized agent provide proof that the authorized agent has been authorized by you to act on your behalf, and we may still require you to verify your identity in accordance with the above and directly confirm that you provided the authorized agent with permission to submit the request.
We will respond to your request in the time frame required by law, which is usually between one month and 45 days, depending on where you reside. As may be permitted by law, we may extend the time to respond to your request by up to 90 days, or three months, in total.
You may not be discriminated against for exercising your rights. For example, ACORD will not deny you services, charge different prices or rates for services, including through the use of discounts or other benefits or imposing penalties, provide a different level or quality of services to you, or suggest that you will receive a different price or rate for services or a different level or quality of services.
California Data Rights
If you are a California resident, the chart below summarizes our practices in relation to your Personal Information over the preceding 12 months. For information about the purposes for which we collect and use your Personal Information, please see Sections 1 and 2 above, and for information about retention periods, please see Section 3 above.
ACORD may function as a “service provider” (as defined under California privacy laws) to its clients, in which case, ACORD follows the express written and contractual instructions of its clients in relation to Personal Information. If a consumer wishes to make a request in relation to data that ACORD processes as a service provider, it should contact ACORD’s client directly.
| Category | Examples | Collected | Disclosed | Sold and/or Shared |
|---|
| Identifiers | Real name, alias, postal address, online identifier, Internet Protocol address, email address, account name or other similar identifiers | YES | YES | SOLD and SHARED |
| Personal information categories listed in the California Customer Records statute. | Signature, telephone number, bank account information or other financial information Some personal information included in this category may overlap with other categories. | YES | YES | NO |
| Protected classification characteristics under California or federal law. | Citizenship, physical or mental disability, medical condition, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions).
Some personal information included in this category may overlap with other categories. | YES | YES | NO |
| Commercial information. | Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | YES | YES | NO |
| Biometric information. | Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. | NO | N/A | N/A |
| Internet or other similar network activity. | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | YES | YES | SOLD and SHARED |
| Geolocation data. | Physical location or movements; in this instance, general location information obtained in connection with IP address use. | YES | YES | SOLD and SHARED |
| Audio, electronic, visual, thermal, olfactory, or similar information. | Photographs, video recordings (including security camera footage and recordings of video calls), voice recordings (including call recordings). | YES | YES | NO |
| Professional or employment-related information. | Current or past job history or performance evaluations. | YES | YES | NO |
| Non-public education information (per the Family Educational Rights and Privacy Act). | Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. | YES | YES | NO |
| Inferences drawn from other personal information. | We may create a profile about you reflecting your preferences where you are a client.
We may create a profile about you reflecting intelligence, abilities, and aptitudes where you are a job applicant. | YES | YES | N/A |
| Sensitive Personal Information. | Social Security number, driver’s license number, state identification number, passport number; racial or ethnic origin, religious, or philosophical beliefs, or union membership; health information; or sex life or sexual orientation information.
Some personal information included in this category may overlap with other categories. | YES | YES
Please note that we do not use or disclose sensitive personal information except for the purposes set out in Section 7027(m) of the CCPA regulations. | NO |
Do not Sell or Share my Personal Information
If you are a California resident, you have a right to opt-out of the “sale” and “sharing” of your Personal Information. “Sale” and “share” are given broad definitions under California’s privacy laws. We may “sell” or “share” your information when we disclose certain information to our advertising partners, such as search history, cookie identifiers or IP addresses. You may block the disclosure of this data to advertisers by setting global privacy controls via your browser or by opting out using the “Do Not Sell My Personal Information” link in our cookie banner. You can opt in or out from any page of the Site using the cookie icon in the bottom left of your browser window.
California “Shine The Light” Law
California’s “Shine The Light” Law allows California residents to request information from us regarding any information that is shared with a third party for direct marketing purposes once per year, by emailing us at legalwork@acord.org.
9) Children
We do not knowingly collect or sell information from children under the age of 16. Our Site is not directed at persons under the age of 16 and should not be used by them. We may obtain information regarding children under the age of 16; such information is only used pursuant to ACORD’s contract as a service provider and is not sold or used for marketing purposes. To request the removal of Personal Information of a child under 16 years of age, the parent or guardian should contact ACORD as set forth in Section 12, and provide information necessary to ACORD to assist it in identifying the information to be removed.
10) Concerns and Complaints
We commit to take appropriate steps to investigate and address complaints concerning our handling of Personal Information.
If you are located in the UK, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, at the details set out below.
Information Commissioner’s Office
Wycliffe House, Water Lane, Cheshire, SK9 5AF
United Kingdom
Telephone: +44 (0) 303 123 1113
Email: casework@ico.org.uk
If you are located in Ireland or another member of the EEA, see below for details of how to express your concerns, make a complaint or exercise your rights.
- If you are located in Ireland, you have the right to make a complaint at any time to the Data Protection Commissioner (DPC), the Irish supervisory authority for data protection issues (www.dataprotection.ie).
- If you are located in other states of the EEA, you have the right to make a complaint at any time to your applicable data protection authority (additional details of the supervisory authorities can be found here: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en).
If you are located in Canada, you can submit your concerns, complaints or send a note to exercise your rights to via the appropriate form located at https://www.priv.gc.ca/en/report-a-concern/file-a-formal-privacy-complaint/file-a-complaint-about-a-business/#s3.
If you are a resident of California and believe that your rights under California’s privacy laws have been violated you can submit a complaint to the California Privacy Protection Agency using this form https://cppa.ca.gov/webapplications/complaint
We would, however, appreciate the chance to deal with your concerns before you approach any data protection authority, so please contact us in the first instance.
We maintain procedures for addressing and responding to inquiries or complaints. We shall take appropriate steps to investigate and respond to complaints.
11) Revisions
ACORD may revise this policy from time to time by posting the revised policy on the Site. Any such revision will take effect immediately upon such posting. We encourage you to periodically check this policy on the Site for revisions.
12) Contacting ACORD
If you have any questions or would like to submit a request to exercise any of your rights in your Personal Information, please contact:
ACORD Corporation
Attn: General Counsel
150 Clove Road, 11th Floor
Little Falls, NJ 07424
United States of America
legalwork@acord.org