Privacy Policy

Prost Insurance Brokers Private Limited ("OneAssure")

1. Introduction

This Privacy Policy describes how Prost Insurance Brokers Private Limited ("OneAssure", "we", "us", or "our") collects, uses, stores, and protects your personal data when you use our website and services. We are committed to safeguarding your privacy in compliance with applicable Indian laws and international best practices.

1.1 Regulatory and Security Framework

Our data practices are governed by and aligned with the following frameworks:

• Digital Personal Data Protection (DPDP) Act, 2023 (India) – our primary regulatory obligation for personal data handling
• ISO/IEC 27001 – international standard for Information Security Management Systems (ISMS)
• SOC 2 Type II – independently audited controls for security, availability, processing integrity, confidentiality, and privacy
• IRDAI guidelines applicable to insurance intermediaries

2. Collection of Personal Information

When you use our website, we collect and store your personal data as provided by you from time to time. Our primary goal is to provide you a safe, efficient, smooth, and customized experience.

2.1 Information We Collect

We may collect the following categories of Personal Data:

• Identity Data: Name, date of birth, gender
• Contact Data: Email address, mailing address, phone number
• Financial Data: Billing address, payment instrument details (credit/debit card, UPI, net banking), transaction tracking information
• Policy Data: Details required to issue, renew, or service your insurance policy
• Technical Data: Browser name, operating system, Internet Service Provider (ISP) name, IP address, cookies

You may browse the website without disclosing personal information. However, certain services require registration and identity verification.

3. Data Storage and Geographic Jurisdiction

All personal data collected by OneAssure is stored and processed exclusively within the Republic of India. We do not transfer, store, or process your personal data on servers located outside India for any operational, marketing, or administrative purpose.

Our infrastructure is hosted in Indian data centres that meet the security standards required under the DPDP Act, 2023, ISO/IEC 27001, and SOC 2 Type II. Data residency controls are in place to prevent inadvertent cross-border data flows.

4. Cookies

A "cookie" is a small piece of information stored by a web server on a web browser so it can be later read back from that browser. Cookies enable the browser to remember information specific to a given user. We place both permanent and temporary cookies on your device for session management, security, and user experience purposes.

You may choose to set your web browser to refuse cookies or to alert you when cookies are being sent. Disabling cookies may affect the functionality of certain features on our website.

5. Use of Your Personal Data

We use your personal data only for lawful purposes, on the basis of your explicit consent or as otherwise permitted by law. Specifically, we may use your data to:

• Personalise and improve your user experience
• Issue, renew, or service your insurance policy
• Process payments and maintain financial records
• Improve our products, services, and website
• Respond to your customer service queries and complaints
• Send transactional communications (order updates, policy documents)
• Send periodic informational emails or newsletters – only with your explicit prior consent; you may unsubscribe at any time
• Contact you by email or phone to offer services related to products you have opted for – for a period of up to 30 days, irrespective of your NDNC registration, subject to your consent

6. Explicit Data Consent

6.1 How We Obtain Consent

We collect your explicit, informed, and freely given consent before processing your personal data. Consent is obtained:

• At the point of registration or account creation on our website
• Before processing sensitive personal data (financial details, health information for insurance purposes)
• Before sending marketing or promotional communications
• Separately for each distinct processing purpose – a single blanket consent does not cover all uses

Consent records are maintained electronically with timestamp, purpose, and version of the Privacy Policy at the time of consent.

6.2 Your Right to Withdraw Consent

You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

To withdraw consent, please submit a request to our Grievance Officer (details in Section 14). We will process your request within 14 calendar days.

Upon withdrawal of consent, we will:

• Cease all processing activities for which consent was the legal basis
• Retain data only to the extent required by applicable law (e.g., IRDAI record-keeping obligations) or to resolve pending disputes
• Notify you in writing once the withdrawal has been actioned

7. Sharing of Personal Data with Third Parties

7.1 General Principle – Need-to-Know Basis

We do not sell your personal data to any third party for any purpose whatsoever. Access to your personal data by third parties is granted strictly on a need-to-know basis and only to the extent necessary to deliver the service.

7.2 Permitted Sharing

We may share your personal data in the following limited circumstances:

• Insurers and underwriters: Necessary to process, issue, or service your policy
• Payment processors: Solely for secure transaction processing
• Corporate affiliates: For fraud detection, identity verification, and operational activities – bound by equivalent data protection obligations
• Legal and regulatory authorities: Where required by law, court order, or regulatory mandate

7.3 Cross-Border Data Access

As a general rule, your personal data is not accessed outside India. By way of exception, limited and controlled cross-border access may occur only where:

• It is strictly necessary to provide you with a better quality of service (e.g., accessing a globally hosted insurer's policy administration system on your behalf)
• Appropriate safeguards are in place (contractual clauses, data processing agreements)
• The purpose is service delivery – not promotion, marketing, or advertising

We do NOT share personally identifiable information with third-party advertising companies. We do NOT permit access to your data outside India for marketing, analytics, or profiling purposes.

8. Your Data Rights

Under the Digital Personal Data Protection Act, 2023, and as a matter of our policy, you have the following rights with respect to your personal data:

Your Right	Description	Turnaround Time (TAT)
Right to Access	Request a copy of the personal data we hold about you.	14 calendar days
Right to Correction	Request correction of inaccurate or incomplete data.	14 calendar days
Right to Erasure (Deletion)	Request deletion of your personal data. We will delete data not required to be retained by law.	14 calendar days
Right to Withdraw Consent	Withdraw consent for any or all processing activities.	14 calendar days
Right to Grievance Redressal	Raise a complaint about our data practices with our Grievance Officer.	Acknowledged within 48 hours; resolved within 30 days

9. Data Revocation and Deletion Process

9.1 How to Submit a Request

You may submit a data access, correction, withdrawal of consent, or deletion request by:

• Email: support@oneassure.in – with subject line "Data Privacy Request"
• Phone: +91 6364334343
• Written request: Addressed to the Grievance Officer (address in Section 14)

To process your request, we may need to verify your identity. Please include your full name, registered email address or mobile number, and the nature of your request.

9.2 Processing Timelines (TAT)

We are committed to the following turnaround times:

• Acknowledgement of request: Within 48 hours of receipt
• Identity verification (if required): Completed within 3 business days
• Completion of data access, correction, or withdrawal requests: Within 14 calendar days of verified receipt
• Completion of data deletion requests: Within 14 calendar days of verified receipt
• Notification of completion: Written confirmation sent to your registered contact

9.3 Limitations on Deletion

We may be required to retain certain data even after a deletion request, including:

• Data required by the Insurance Regulatory and Development Authority of India (IRDAI) or other regulators
• Data necessary to resolve pending claims, disputes, or legal proceedings
• Data required for tax, audit, or financial record-keeping obligations

Where we retain data under a legal obligation, we will inform you of the reason and the expected retention period.

10. Protection of Your Information

We adopt appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. Our security posture includes:

• ISO/IEC 27001-certified Information Security Management System (ISMS)
• SOC 2 Type II – independently audited controls covering security, availability, confidentiality, and privacy
• Encryption of personal data in transit (TLS 1.2+) and at rest
• Role-based access controls (RBAC) and the principle of least privilege
• Regular internal and third-party security audits and penetration testing
• Data loss prevention (DLP) measures and incident response procedures

11. Links to Third-Party Websites

Our website may contain links to third-party websites and services. We do not control and are not responsible for the content, privacy practices, or security of these external sites. We encourage you to review the privacy policy of any third-party website you visit.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, our business practices, or technology. When we make material changes, we will post a prominent notice on our website and, where feasible, notify you by email.

We encourage you to review this page periodically. Continued use of our website or services after changes are posted constitutes your acceptance of the revised policy, except where your renewed explicit consent is required by law.

13. Consent Declaration

"I hereby authorise and give consent to Prost Insurance Brokers Pvt. Limited to send me, either through itself or through any third-party service provider, various information, alerts, SMS, or other messages, calls, or commercial communications on the telephone numbers provided by me, whether or not these numbers are registered with the National Do Not Call (NDNC) Registry / National Customer Preference Register. I confirm that by receiving such messages or calls, I will not hold the Company or its authorised third-party service providers liable or institute any complaint under the Telecom Commercial Communications Customer Preference (TRAI) Regulations, 2010, or any amendment thereof. This consent is freely given and may be withdrawn at any time by submitting a written request to the Grievance Officer."

14. Complaints, Grievances and Contact

14.1 Grievance Officer

In accordance with applicable laws, we have appointed a Grievance Officer for privacy-related complaints and data requests:

Role	Grievance Officer / Data Protection Officer
Email	po@prostinsure.com
Phone	+91 9900003624
Response TAT	48 hours (acknowledgement); 30 days (resolution)

14.2 Customer Support

For general service, policy, or claim queries:

• Phone: +91 6364334343
• Email: support@oneassure.in

14.3 Regulatory Authority

If your grievance is not resolved to your satisfaction, you may approach:

• The Insurance Regulatory and Development Authority of India (IRDAI): https://www.irdai.gov.in
• The Data Protection Board of India (once notified under the DPDP Act, 2023)
• IRDAI Policyholder Grievance Portal: http://www.policyholder.gov.in/

Prost Insurance Brokers Private Limited
CIN: [Insert CIN] | IRDAI Registration No: [Insert Reg No] | Registered Office: [Insert Address]