Privacy Notice
Last updated: 22 May 2026
1. Who we are
AsfaliApp is operated by a Cyprus-licensed insurance brokerage. We are registered with and supervised by the Insurance Companies Control Service (ICCS) of the Cyprus Ministry of Finance under Cyprus Law 35(I)/2018 (the Cyprus implementation of the EU Insurance Distribution Directive 2016/97).
For the precise legal name, ICCS registration number, registered office address, and complaint contact, see the IDD pre-contractual disclosure your broker provides at the start of any insurance advisory relationship.
2. What personal data we process
When you become a client, we collect and process:
- Identity: name, date of birth, national ID / passport number.
- Contact: address, email, phone, preferred language.
- Insurance information: policy details, premium history, claims, complaints, communications with you.
- Financial: payment records (bank transfers, cards via a regulated payment provider — we don't store full card numbers).
- KYC documents: passport / ID scans, verified via Veriff Ltd. (Estonia) under their privacy notice.
3. Why and on what legal basis
- Performance of your insurance contract (GDPR Art. 6(1)(b)): issuing policies, renewing them, settling claims, recording payments, generating policy and IDD documentation.
- Legal obligation (Art. 6(1)(c)): KYC / anti-money-laundering screening, IDD demands-and-needs records, complaints handling under Cyprus Law 35(I)/2018, CySEC reporting (annual return, statistics), and 7-year retention of policy records as required by Cypriot financial-services law.
- Legitimate interest (Art. 6(1)(f)): system security, fraud prevention, internal analytics (anonymised), broker training and performance review.
- Consent (Art. 6(1)(a)): marketing communications such as cross-sell offers, newsletters, market updates. You may withdraw marketing consent at any time without affecting policy administration.
4. Who we share your data with
- Insurers we place your policies with (e.g. AXA, CNP Cyprialife, Ethniki, Eurolife, Generali) — they receive only what they need to underwrite and administer your policy.
- Veriff Ltd. (Tallinn, Estonia) for KYC verification. Their processing is governed by their own privacy notice.
- SendGrid, Twilio, AWS as technical service providers (email, SMS, hosting, encrypted storage). All under standard EU data processing agreements with adequate safeguards.
- Anthropic PBC (San Francisco, USA) for AI assistant features. Conversation content is processed under SCCs; no client identifiers are sent unless the broker explicitly references them in a prompt.
- Regulators and law-enforcement when compelled by law (CySEC, MOKAS, courts).
We do not sell or rent personal data to anyone.
5. How long we keep your data
- Policy records, claims, complaints, audit log: 7 years after the policy ends (statutory retention under Cypriot financial-services law).
- KYC documents: 5 years after verification (Cyprus AML retention).
- Communications logs: 3 years.
- Inactive clients with no policies: 3 years from last activity, then anonymised.
- Marketing communications: until you withdraw consent or 2 years of inactivity, whichever is sooner.
6. Your rights
Under GDPR you have the right to:
- Access your personal data (Art. 15) — we will provide a copy within 30 days.
- Rectify inaccurate data (Art. 16).
- Erase data (Art. 17), subject to statutory retention (we cannot erase policy records until their 7-year retention period has expired).
- Restrict processing (Art. 18).
- Port data to another controller (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent for marketing (Art. 7(3)) at any time, without affecting policies already in force.
- Lodge a complaint with the Cyprus Data Protection Commissioner (dataprotection.gov.cy) or the Cyprus Financial Ombudsman.
To exercise any of these rights, contact your broker or our data protection officer using the contact details in section 8 below. We aim to respond within 30 days.
7. Security
All data is encrypted in transit (TLS 1.2 / 1.3) and at rest (AES-256 with KMS-managed keys). The platform is hosted on AWS in the EU (Ireland). Access to client data is gated by role-based permissions, audited on every change, and protected by multi-factor authentication for back-office and administrative roles. The audit log is immutable and retained for seven years.
8. Contact
For any privacy-related question, complaint, or rights request:
Contact your broker directly — their details are in your IDD declaration.
9. Changes to this notice
We will update this notice when our processing practices change. The "Last updated" date at the top reflects the most recent change. For material changes we will notify you by email or in-app banner before they take effect.