iute Affinity Portal  

Privacy notice


I. Purpose of this Privacy Notice
1.1 This Privacy Notice ("Privacy Notice") explains how Iute Affinity OÜ ("Iute Affinity", "we", "us") collects and processes personal data when individuals ("you") use our website and when we support insurance-related services provided by our partners.
1.2 Iute Affinity primarily acts as a data processor, meaning that in many cases we process personal data on behalf of and under the instructions of other companies who act as data controllers. This Privacy Notice describes Iute Affinity’s role and processing activities only.
1.3 Where another company determines the purposes and means of processing, that company’s privacy notice applies in parallel and provides additional information about how your personal data is used.
1.4 Please read this Privacy Notice carefully before submitting your personal data to us. By providing your personal data, you acknowledge that you have read and understood this Privacy Notice.

II. Who We Are
2.1 Iute Affinity is established in Estonia, registered under 17382610, address Maakri 19/1, Tallinn, 10145 Estonia.
2.2 Depending on the specific processing activity and product, Iute Affinity acts either as a data processor or, in limited cases, as an independent data controller:
- As a data processor, Iute Affinity processes personal data strictly on the documented instructions of its business partners acting as data controllers, primarily in connection with insurance-related products and services, including but not limited to payment protection insurance, health-related insurance and ancillary health services (such as second medical opinion), claims handling, administration, and related support services.
- The relevant data controllers are insurance providers or service partners offering such products, which may vary depending on the product, jurisdiction, and contractual arrangements. Information about the applicable data controller is provided to you at the point of data collection or within the relevant product documentation.
- As an independent data controller, Iute Affinity processes personal data only for limited purposes, such as operating and securing its customer portal, ensuring IT and information security, managing internal operations, and complying with applicable legal obligations.
2.3 If you have any comments or questions about this Privacy Notice, feel free to contact us at dpo@iute.com.

III. Personal Data We Collect
3.1 We may collect and process the following categories of personal data depending on your interaction with us.
3.2 Where Iute Affinity acts as a data processor, the lawful basis is determined by the relevant data controller and reflected below for transparency.

A. Processing where Iute Affinity acts as data controller:

| Purpose | Data types | Lawful Basis |
| --- | --- | --- |
| Website and portal operation | IP address, device information, browser type, session identifiers, log files | Article 6(1)(f) GDPR – legitimate interest in ensuring security and functionality |
| Email verification and data accuracy | Email address, verification code, technical confirmation logs | Article 6(1)(f) GDPR – legitimate interest in ensuring data accuracy and preventing misuse |
| Cookies and tracking | Cookie identifiers, session IDs, usage preferences, and tracking pixels | Consent for non-essential cookies; Article 6(1)(f) GDPR for strictly necessary cookies, in accordance with our Cookie Policy |
| Legal compliance and rights protection | Audit logs, correspondence | Article 6(1)(c) GDPR and Article 6(1)(f) GDPR |
| Security and fraud prevention | Technical logs, access records, IP addresses, device identifiers | Article 6(1)(f) GDPR – legitimate interest in cybersecurity and fraud prevention |

B. Processing where Iute Affinity acts as data processor:

| Purpose | Data types | Lawful Basis |
| --- | --- | --- |
| Payment Protection Insurance (PPI) | Identification and contact data, financial data, employment data, health data, uploaded documents | Article 6(1)(b) GDPR; Article 9(2)(h) GDPR, as determined by Albsig |
| Second medical opinion (SMO) services | Identification and contact data, medical records, diagnostic data, supporting documents | Article 6(1)(a) GDPR; Article 9(2)(a) GDPR, based on explicit consent obtained on behalf of MediGuide |
| Clarification and completion of submissions | Contact details, correspondence content | Lawful basis determined by the relevant data controller |
| Accounting and reconciliation | Aggregated financial data, payment amounts, reference numbers | Article 6(1)(c) GDPR – legal obligation |

IV. Sharing Personal Data
4.1 Where Iute Affinity acts as a data processor, personal data is transmitted solely on the documented instructions of the relevant data controller and only to recipients determined by that controller. These recipients may include:
- insurance companies, lenders, reinsurers, and insurance-related service providers, as approved and determined by Albsig in connection with the PPI.
- medical service providers and local partners designated by MediGuide in connection with SMO services.
4.2 Where Iute Affinity acts as a data controller, we may share personal data with trusted third-party service providers acting as data processors, including:
- IT, hosting, and infrastructure providers supporting the operation and security of our website and systems;
- analytics service providers, where permitted by your cookie preferences (see our Cookie Policy for details);
- IT and hosting providers who assist in the operation of our website and communication tools;
- competent public authorities or regulators, where required by applicable law.
4.3 All processors engaged by Iute Affinity are bound by written data processing agreements in accordance with Article 28 GDPR and are required to implement appropriate technical and organisational measures to protect personal data.
4.4 We do not sell, rent, or otherwise commercially disclose personal data to third parties under.

V. International Data Transfers
5.1 Iute Affinity is established in Estonia (EU). Depending on the service, personal data may be transferred outside the EU/EEA only where necessary and only in accordance with the GDPR.
5.2 In particular:
- Where Iute Affinity acts as a data processor, personal data may be transmitted to data controllers or other recipients determined by those controllers, solely on their documented instructions. Where such recipients are located outside the EU/EEA and no adequacy decision applies, transfers are protected by appropriate safeguards and, where required, supplementary technical and organizational measures.
- In connection with SMO services, personal and medical data is transferred only to local medical partners within the same country as the data subject, as designated by MediGuide.
- MediGuide, established in the United States, does not receive personal or medical data and is informed only of non-personal case status information (e.g. case opened or closed).
5.3 Where Iute Affinity engages service providers located outside the EU/EEA in its role as data controller, transfers are carried out only where an adequacy decision applies or appropriate safeguards are in place.
5.4 Iute Affinity does not independently determine international data transfers when acting as a data processor.
5.5 If you would like more information about these transfers or the safeguards in place, please contact us using the details provided below.

VI. Data Retention
6.1 When acting as a processor, we retain data only for the duration defined by the relevant controller and delete or return it thereafter.
6.2 When acting as a controller, typical retention periods include:
- Website and portal technical logs: 1 year
- Cookie data: see Cookie Policy for details.
6.3 We may retain data longer where legally required or if necessary to resolve disputes or enforce agreements.
6.4 If no specific retention period is stated, we determine the appropriate timeframe based on the nature of the data and the purpose for which it was collected.

VII. Your Rights as a Data Subject
7.1 To the extent required by applicable data protection regulations, you have all the rights of a data subject as regards your personal data. Such rights include the following:
- Right to access - know what personal data we hold and obtain a copy.
- Right to rectification - correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") - request deletion under certain conditions.
- Right to restrict processing - suspend processing under specific circumstances.
- Right to data portability - receive your data in a structured, commonly used format.
- Right to object - to processing based on legitimate interest.
- Right to withdraw consent - at any time without affecting past lawful processing.
- Right to lodge a complaint - with us or a supervisory authority (see below).
7.2 Where Iute Affinity acts as a data processor, we do not independently decide on your requests. Any request received by us will be forwarded without undue delay to the relevant data controller, who is responsible for responding in accordance with the GDPR.
7.3 Where Iute Affinity acts as a data controller, we will respond to your request within one month in accordance with the GDPR. This period may be extended where permitted by law.
7.4 To exercise your rights, contact us at dpo@iute.com. You will not be discriminated against for exercising any of your rights.

VIII. Lodging a Complaint
8.1 If you believe your rights have been violated, you can contact us at dpo@iute.com or lodge a complaint with a supervisory authority:
- with the supervisory authority in your country of habitual residence,
- with the supervisory authority of the relevant data controller, or
- with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), as the authority competent for Iute Affinity:
  - Email: info@aki.ee
  - Website: https://www.aki.ee

IX. Changes to this Notice
9.1 We reserve the right to update this Privacy Notice. All changes will be posted on this page, and significant changes will be communicated via our website.


Last updated: 01.02.2026.