Privacy Policy – Little John

1) Who We Are

Little John provides an AI workspace for insurance brokers. For questions about this policy or your data, contact our DPO at admin@little-john.io.

2) Data We Collect

We may collect the following categories of personal data:

• Identity and contact data (name, email address, company, role).
• Professional and usage data related to our services.
• Technical data (IP addresses, device identifiers, logs, diagnostic data, cookies/analytics).

Sensitive data (GDPR Art. 9): Only where strictly necessary for service delivery, we may process sensitive data (e.g., health data, biometric data, union membership, political or ethnic data). Such processing is exceptional and subject to enhanced protections described below.

3) Purposes of Processing

• Provide, operate, and improve our services.
• User account management and authentication.
• Security, fraud prevention, and abuse detection.
• Compliance with legal and regulatory obligations.

4) Legal Bases

• Performance of a contract and legitimate interests for standard personal data.
• Explicit consent for sensitive data, unless another lawful basis applies (e.g., legal obligation or reasons of substantial public interest in the insurance sector).

You may withdraw your consent at any time by contacting admin@little-john.io. Withdrawal does not affect prior lawful processing.

5) Data Protection and Security Measures

We apply technical and organizational measures to protect all personal data, with heightened controls for sensitive data:

• Encryption in transit (TLS 1.2+ / TLS 1.3) and at rest (e.g., AES‑256).
• Pseudonymization or anonymization of sensitive data where feasible.
• Role‑based access control with least privilege, strong authentication, and periodic access reviews.
• Comprehensive logging and audit trails for access to sensitive data.
• Encrypted backups with restricted restoration procedures.
• Regular security testing, vulnerability management, and third‑party audits where appropriate.
• Documented incident response with breach detection, containment, and recovery.

6) Access Limitation and Purpose Restriction

Access to sensitive data is strictly limited to authorized personnel and systems on a need‑to‑know basis. Sensitive data is not used for secondary purposes without your explicit consent.

7) Retention and Secure Deletion

We retain personal and sensitive data only for as long as necessary for the stated purposes or to meet legal requirements. When no longer needed, data is securely deleted or irreversibly anonymized.

8) International Transfers and Subprocessors

Where data is transferred outside the EEA, we implement appropriate safeguards such as the European Commission’s Standard Contractual Clauses or other recognized mechanisms. We require our subprocessors to apply protections equivalent to ours and we conduct due diligence and periodic reviews.

9) Breach Notification

In the event of a breach impacting sensitive data, we will notify the competent supervisory authority and affected individuals without undue delay, and where feasible within 72 hours, including details of the incident, affected data categories, and remedial actions taken.

10) Your Rights

• Access, rectification, and erasure.
• Restriction of processing and objection.
• Data portability.
• Right to withdraw consent for sensitive data at any time.

To exercise your rights, contact: admin@little-john.io. We may need to verify your identity before responding.

11) Cookies and Analytics

We use cookies and similar technologies for essential functionality and analytics. Where required, we obtain consent via our banner. You can manage preferences in your browser or through the banner settings.

12) Changes to This Policy

We may update this policy from time to time. Material changes will be announced in‑product or by email before they take effect.

13) Contact and DPO

Data Protection Officer (DPO): Little John – DPO
Email: admin@little-john.io