California Privacy Notice
State of California Privacy Notice – As Prescribed by the California Consumer Privacy Act (“CCPA”) of 2018 and as amended by the California Privacy Rights and Enforcement Act (“CPRA”) of 2020, also known as Proposition 24.
Effective Date: January 1, 2023. The CRPA replaces and amends several parts of the existing California Consumer Privacy Act effective January 1, 2021, and, although effective January 1, 2023, any data collected by businesses from January 1, 2022, is subject to compliance with the CPRA.
Scope of this Privacy Notice
These California Resident Privacy Notice terms and conditions (“Privacy Notice”) are effective January 1, 2023, with data collected from January 1, 2022, subject to compliance, and supplement the information contained in Brown & Brown, Inc.’s governing website Privacy Statement. This Privacy Notice applies solely to consumers who are California residents.
Tri Star Advisors, Inc., through its operating subsidiaries (“we”), endeavor to protect the privacy and confidentiality of the personal information with which we are entrusted. This California Resident Privacy Notice outlines the personal information we collect or process about California residents in connection with the services we provide or offer specifically to you as a consumer, including through any site, application, or product that links to this Privacy Notice (the “Service”), how we use, share, and protect that personal information, and what your rights are with respect to your personal information that we gather and process.
In this California Resident Privacy Notice, “personal information” has the same meaning as under the CPRA Section 1798.140(v): information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information does not include publicly available information or lawfully obtained, truthful information that is a matter of public concern or information that has been de-identified or aggregated. “Sensitive personal information” has the same meaning as under the CPRA Section 1798.140(ae). Sensitive personal information does not include information that is publicly available.
Under certain circumstances, we may collect your personal information for the Service pursuant to a contract we have with a commercial client (our “Client”). In such instances, we may be acting as a “service provider” and are obligated to process the personal information we collect or are provided in connection with the Service in accordance with instructions from or the contract with our Client, which is the “business” ultimately responsible for determining how your personal information will be handled. Accordingly, if you are using the Service in connection with your role as an employee of our Client, or by virtue of some other relationship with our Client, we encourage you to review that Client’s privacy notice to understand the full scope of how your personal information will be handled. Further, in any case where we are acting as a service provider or contractor to a Client, if you or your authorized agent (together referred to hereinafter, where applicable, as “you”) wish to exercise any rights that may be available to you under certain data privacy laws (for example, the right to disclosure, correction, or deletion if you are a resident of California as described below), you should direct your request to our Client, who is the party responsible for receiving, assessing, and responding to your requests, as we do not have any legal obligation, and, notwithstanding anything in this Privacy Notice to the contrary, may elect not, to respond to your requests. If you are not certain whether we are acting as a service provider or contractor to a Client in your particular circumstance, we urge you to contact us through one of the methods described at the end of this Privacy Notice.
What Personal Information Do We Collect, Share, and/or Sell and for What Purpose?
In the past 12 months, we may have collected and shared the following types of personal information and sensitive personal information from or about users of our Service.
We may also use or share de-identified information that is not reasonably likely to identify you for commercially legitimate business purposes.
We do not sell personal information to any third parties for monetary or other valuable consideration and have not done so in the preceding 12 months. We may, however, engage in targeted advertising.
Please note that the CCPA/CPRA contain certain carve-outs or exemptions. This Privacy Notice does not apply to:
- Publicly available information from government records;
- Lawfully obtained, truthful information that is a matter of public concern;
- De-identified or aggregated consumer information.
Furthermore, personal information does not include:
Information or organizations excluded from the CCPA/CPRA’s scope, including medical information governed by the California Confidentiality of Medical Information Act (CMIA), protected health information collected by a covered entity or business associate governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), personal information collected as part of a clinical trial or other biomedical research study subject to, or conducted in accordance with, the Federal Policy for the Protection of Human Subjects, also known as the Common Rule, pursuant to good clinical practice guidelines issued by the International Council for Harmonisation or pursuant to human subject protection requirements of the United States Food and Drug Administration, or personal information collected, processed, sold, or disclosed pursuant to certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), federal Farm Credit Act of 1971 (FCA), and the Driver’s Privacy Protection Act of 1994 (DPPA).
Under the limited circumstances where we are acting as a business, and your personal information is not otherwise excluded as set forth above, the following information applies as to how we collect, use, share and/or sell your personal information.
Your Rights as a California Resident
Pursuant to California law, some California residents have specific rights regarding their personal information as described below. These rights are subject to certain exceptions.
When legally required, we will respond to most requests within 45 days, unless it is reasonably necessary for us to extend our response time.
1. Right to Request Deletion of Personal Information
You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. If you submit a valid and verifiable request and we can confirm your identity and/or authority to make the request, we will determine if retaining the information is necessary for us or our service providers or contractors to:
-
-
- Complete a transaction for which we collected the personal information, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you;
- Help to ensure security and integrity to the extent the use of your personal information is reasonably necessary and proportionate to those purposes;
- Debug products to identify and repair errors that impair existing intended functionality;
- Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law;
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.);
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information’s deletion may likely render impossible or seriously impair the research’s achievement, if you previously provided informed consent;
- Enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us; and/or
- Comply with a legal obligation.
-
If none of the above retention conditions apply, we will delete your personal information from our records.
2. Right to Correct Inaccurate Personal Information
You have the right to request that we correct inaccurate personal information that we maintain about you. If you submit a valid and verifiable request and we can confirm your identity and/or authority to make the request, we will use commercially reasonable efforts to correct inaccurate personal information, as directed.
3. Right to Know What Personal Information is Being Collected, Sold, Shared, and to Whom; Right to Access or Request Disclosure of Personal Information
You have the right to request that we disclose certain information regarding our business practices with respect to personal information. If you submit a valid and verifiable request and we confirm your identity and/or authority to make the request, we will disclose to you any of the following at your direction:
- The categories of personal information we have collected or shared about you.
- The categories of sources for the personal information we have collected about you
- Our business or commercial purpose for collecting or sharing that personal information.
- The categories of third parties to whom we disclose or with whom we share that personal information by category or categories of personal information for each category of third parties to whom the personal information was shared.
- The specific pieces of personal information we collected about you.
- If we disclosed your personal information to a third party for a business purpose, a list of the personal information types each recipient received and the category of third party type to whom it was disclosed.
4. Right to Opt-Out of Sale or Sharing of Your Personal Information
As a California resident, you have the right to direct a business that sells or shares your personal information to third parties not to sell or share your personal information. This right is referred to as “the right to opt-out.” If you submit a valid and authenticated request and we confirm your identity and/or authority to make the request, we will cease selling or sharing your personal data. Because we are not selling your personal data for monetary compensation or other valuable consideration, we do not provide an opt-out for these activities. Since we engage in sharing and may engage in targeted advertising, we provide you with the option to opt-out of such processing for these purposes. To do so, select the “Right to Opt-Out (Do Not Sell or Share Personal Information)” request type option from the menu when completing the California request web form.
5. Right to Limit Use and Disclosure of Sensitive Personal Information
You have the right, at any time, to request that we limit the use of your sensitive personal information that we maintain about you to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services, in the event we use or disclose your sensitive personal information for any other purpose. As a result, we provide you with the option to limit the use and/or disclosure of your sensitive personal information. To do so, select the “Limit Use & Disclosure of Sensitive Personal Information request type option from the menu when completing. If you submit a valid and verifiable request and we can confirm your identity and/or authority to make the request, we will use commercially reasonable efforts to limit the use of your sensitive personal information, as directed.
How to Exercise the Above Rights
To exercise your rights to disclosure, deletion, or correction as described above, please submit a verifiable consumer request to us by visiting our online privacy rights portal and completing the California request webform.
Alternatively, you may email us at HelpDesk@TriStarAdvisors.com and provide the requested information
Only you or a person who can demonstrate that they are legally authorized to act on your behalf may make a verifiable consumer request related to your personal information. You may make a verifiable consumer request for access or deletion no more than twice within a 12-month period. The verifiable request must:
-
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. Such verification process will involve you confirming details of the personal information we have collected about you and will increase in scope in the event the nature of your request relates to the disclosure of sensitive personal information or the deletion of any personal information. In some instances, you may be required to submit proof of your identity (e.g., a driver’s license); and
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
You will not be required to create an account with us to submit a verifiable request or to exercise your right to opt-out, though we may communicate with you about your request via a pre-established account, if applicable. However, in order to safeguard the personal information in our possession, if we cannot verify your identity or authority to act on another’s behalf, we will be unable to comply with your request. We will only use personal information you provide when submitting a verifiable request to confirm your identity or authority, or to fulfill your request.
Right to Non-Discrimination
-
- You may exercise your rights under the CCPA/CPRA without discrimination. For example, unless the CCPA/CPRA provides an exception, we will not:
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties;
- Provide you a different level or quality of goods or services;
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services;
- Retaliate against an employee, application for employment, or independent contractor; or
- Degrade your experience on our website.
Direct Marketing and Do Not Track Signals
Under California’s “Shine the Light” law, California residents may request and obtain a notice once a year about the personal information we shared with other businesses for their own direct marketing purposes. Such a notice will include a list of the categories of personal information that were shared (if any) and the names and addresses of all third parties with which the personal information was shared (if any). The notice will cover the preceding calendar year. To obtain such a notice, please contact us as described below. In addition, under this law you are entitled to be advised how we handle “Do Not Track” browser signals. We do collect personal information about your online activities over time and across third party websites or online services. When we see a browser set to “do not track”, signals transmitted from web browsers do not apply to our sites, and we do not alter any of our data collection and use practices upon receipt of such a signal.
Minors
We do not knowingly collect online information from children under the age of 13. Our services are marketed towards adults. If we are notified that we have collected personal information, as defined by the Children’s Online Privacy Protection Act (“COPPA”), of a child under the age of 13, we will delete the information as expeditiously as possible.
We never sell or share the personal information of minors under 16 years of age and would not do so in the future without affirmative authorization of the consumer if between 13 to 16 years of age, or the parent or guardian of a consumer less than 13 years of age.
Questions, Requests or Complaints
To submit a request* to access or delete your information, please visit our online request portal.
Alternatively, you may call us at HelpDesk@TriStarAdvisors.com and provide the requested information
*Please note that, as described above, in certain cases we may collect your personal information as a service provider pursuant to a contract we have with a commercial Client to provide the Service. In any case where we are acting as a service provider to a Client, you should direct your requests to exercise your rights available under data privacy laws to our Client, who is the party responsible for receiving, assessing, and responding to your requests. As a service provider, we do not have any obligation, and, notwithstanding anything in this Privacy Notice to the contrary, may elect not, to respond to your direct requests, but we will provide assistance to a business with which we have a contractual relationship in responding to your verifiable consumer request.
Changes to the Privacy Notice
You may request a copy of this Privacy Notice from us using the contact details set out above.
Where changes to this Privacy Notice will have a fundamental impact on the nature of our processing of your personal information or otherwise have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise any rights you may have under applicable law (e.g., to object to the processing).
We reserve the right to make changes to our Privacy Statement at any time consistent with applicable local laws. Such changes, as long as they do not have a fundamental impact on the nature of our processing of your personal information or otherwise have a substantial impact on you, will be posted on this page. We encourage you to review the website and the Privacy Statement periodically for any updates or changes
Virginia Privacy Notice (CDPA)
State of Virginia Privacy Notice – As Prescribed by the Virginia Consumer Data Protection Act
Effective Date: January 1, 2023
Policy Last Revised: January 1, 2023
Scope of this Privacy Notice
These Virginia Resident Privacy Notice terms and conditions (“Privacy Notice”) are effective January 1, 2023, and supplement the information contained in Brown & Brown, Inc.’s governing website Privacy Statement. This Privacy Notice applies solely to consumers who are Virginia residents.
The CDPA applies only to persons that conduct business in Virginia or produce products or services that are targeted to Virginia residents AND that, during the calendar year, control or process personal data of at least 100,000 consumers OR control or process personal data of at least 25,000 consumers and derive over 50 percent of gross revenue from the sale of personal data.
Tri Star Advisors, Inc. through its operating subsidiaries (“we”) endeavor to protect the privacy and confidentiality of the personal data with which we are entrusted. This Virginia Resident Privacy Notice outlines the personal data we collect or process about Virginia residents in connection with the services we provide or offer specifically to you as a consumer, including through any site, application, or product that links to this Privacy Notice (the “Service”), how we use, share, and protect that personal data, and what your rights are with respect to your personal data that we gather and process.
In this Virginia Resident Privacy Notice, “personal data” has the same meaning as defined in the Virginia Consumer Data Protection Act (“CDPA”): any information that is linked or reasonably linkable to an identified or identifiable natural person. Personal data does not include information that has been de-identified or is publicly available.
Under certain circumstances, we may collect your personal data for the Service pursuant to a contract we have with a commercial client (our “Client”). In such instances, we may be acting as a “service provider” and are obligated to process the personal data we collect or are provided in connection with the Service in accordance with instructions from or the contract with our Client, which is the business ultimately responsible for determining how your personal data will be handled. Accordingly, if you are using the Service in connection with your role as an employee of our Client, or by virtue of some other relationship with our Client, we encourage you to review that Client’s privacy notice to understand the full scope of how your personal data will be handled. Further, in any case where we are acting as a service provider to a Client, if you (“you”) wish to exercise any rights that may be available to you under certain data privacy laws (for example, the right to access or deletion under the CDPA if you are a resident of Virginia as described below), you should direct your request to our Client, who is the party responsible for receiving, assessing, and responding to your requests, as we do not have any legal obligation, and, notwithstanding anything in this Privacy Notice to the contrary, may elect not to respond to your requests. If you are not certain whether we are acting as a service provider to a Client in your particular circumstance, we urge you to contact us through one of the methods described at the end of this Privacy Notice.
What Personal data Do We Collect, Share, and/or Sell, and for What Purpose?
In the past 12 months, we may have collected and shared the following types of personal information and sensitive personal information from or about users of our Service.
We may also use or share de-identified information that is not reasonably likely to identify you for commercially legitimate business purposes.
We do not currently sell personal data to any third parties for monetary consideration and have not done so in the preceding 12 months. We may, however, engage in targeted advertising and/or profiling.
CDPA contains certain carve-outs or exemptions. This Privacy Notice does not apply to:
- Publicly available information;
- De-identified consumer information;
- Protected health information under HIPAA;
- Health records for purposes of Title 32.1;
- Patient identifying information for purposes of 42 U.S.C. §§ 290dd-2;
- Identifiable private information for the purposes of the federal policy for the protection of human subjects under 45 C.F.R. Part 46; that is otherwise information collected as part of human subjects research pursuant to the good clinical practice guidelines issued by The International Council for Harmonisation of Technical Requirements for Pharmaceutical for Human Use; the protection of human subjects under 21 C.F.R. Parts 6, 50, and 56 of personal data used or shared in research conducted in accordance with the requirements set forth in Chapter 53 or the Consumer Data Protection Act, or other research conducted in accordance with applicable laws;
- Information and documents created for purposes of the federal Health Care Quality Improvement Act of 1986;
- Patient safety work product for purposes of the federal Patient Safety and Quality Improvement Act;
- information originating from, and intermingled to be indistinguishable with, or information treated in the same manner as exempt information that is maintained by a covered entity or business associate as defined by HIPAA or a program or a qualified service organization as defined by 42 U.S.C. §§ 290dd-2;
- information used only for public health activities and purposes authorized by HIPAA;
- the collection, maintenance, disclosure, sale, communication, or use of any personal information bearing on a consumer’s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by a consumer reporting agency or furnisher that provides information for use in a consumer report to the extent such activity is regulated under the Fair Credit Reporting Act;
- personal data collected, processed, sold, or disclosed in compliance with the federal Driver’s Privacy Protection Act of 1994;
- personal data regulated by the federal Family Educational Rights and Privacy Act;
- personal data collected, processed, sold, or disclosed in compliance with the federal Farm Credit Act; or
- data processed or maintained in the course of an individual applying to, employed by, or acting as an agent or independent contractor of a controller, processor, or third party used within the context of those roles, the emergency contact information of an individual used for emergency contact purposes, or that is necessary to retain to administer benefits for another individual relating to the individual and used for the purpose of administering those benefits.
Under the limited circumstances where we are conducting business in Virginia or producing products or services targeted to Virginia residents and control or process the personal data of at least 100,000 consumers during the calendar year, and your personal data is not otherwise excluded as set forth above, the following information applies as to how we collect, use, and share your personal data.
Your Rights as a Virginia Resident
Pursuant to Virginia law, some Virginia residents have specific rights regarding their personal data as described below. These rights are subject to certain exceptions.
When legally required, we will respond to most requests without undue delay, within 45 days of receipt of the request, unless it is reasonably necessary for us to extend our response time.
1. Right to Confirm and Access
You have the right to request confirmation from us as to whether or not we are processing your personal data and to access such personal data. If you submit a valid and authenticated request and we confirm your identity and/or authority to make the request, we will confirm for you whether or not we are processing your personal data and/or grant you access to your data.
2. Right to Request Correction of Inaccuracies
You have the right to request that we correct any inaccuracies in any of your personal information, which is under our control, taking into account the nature of the data and the purposes of processing that data. If you submit a valid and authenticated request and we confirm your identity and/or authority to make the request, we will correct the personal information.
3. Right to Request Deletion of Personal Data
You have the right to request that we delete any of your personal data that we collected from or about you and retained. If you submit a valid and authenticated request and we can confirm your identity and/or authority to make the request, we will delete your personal data from our records and direct our service providers to do the same, if no exceptions or retention conditions apply.
4. Right to Request Disclosure of Information
You have the right to request a copy of your personal data previously provided to us in a portable and, to the extent technically feasible, readily usable format, thereby permitting you the ability to transmit the data without hindrance.
5. Right to Opt-Out of Processing
As a Virginia resident, you have the right to direct a business that processes your personal data for the purposes of targeted advertising, sale, and/or profiling, in furtherance of decisions that produce legal or similarly significant effects concerning you, not to process for these purposes. This right is referred to as “the right to opt-out.” If you submit a valid and authenticated request and we confirm your identity and/or authority to make the request, we will cease processing your personal data for the limited purposes of targeted advertising, sale, and/or profiling. Because we are not selling your personal data for monetary compensation, we do not provide an opt-out for these activities. Since we may engage in targeted advertising and/or profiling, we provide you with the option to opt-out of such processing for these purposes. To do so, select the “Right to Opt-Out of Processing” option from the menu when completing the CDPA request webform.
How to Exercise the Above Rights
To exercise your rights described above, please submit an authenticated consumer request to us by visiting our online privacy rights portal and completing the CDPA request webform.
Alternatively, you may email us at HelpDesk@TriStarAdvisors.com and provide the requested information
You may make an authenticated consumer request no more than twice within a 12-month period. The authenticated request must:
-
- Provide sufficient information that allows us to reasonably verify and authenticate you are the person about whom we collected personal data. Such verification process will involve you confirming details of the personal data we have collected about you and will increase in scope in the event the nature of your request relates to the disclosure of sensitive personal data or the deletion of any personal data. In some instances, you may be required to submit proof of your identity (e.g., a driver’s license); and
- Specifies the consumer rights you wish to invoke; and
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
You will not be required to create an account with us to submit an authenticated request, though we may communicate with you about your request via a pre-established account, if applicable. However, in order to safeguard the personal data in our possession, if we cannot verify your identity or authority to act on another’s behalf using commercially reasonable efforts, we will be unable to comply with your request and may request additional information from you. We will only use personal data you provide when submitting an authenticated request to confirm your identity or authority, or to fulfill your request.
If we refuse to act on your request, you have the right to appeal our decision within a reasonable period of time after receipt of our initial decision. We will inform you in writing, within 60 days of receipt of an appeal, of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions.
To exercise your right to appeal described above, please submit an authenticated consumer appeal request to us by visiting our online privacy rights portal and entering “Lodge an Appeal” on the CDPA request webform.
If your appeal is denied, you may contact the Attorney General to submit a complaint by visiting the Office of the Attorney General’s website to complete an Online Consumer compliant Form or by calling the Consumer Protection Hotline at 1-800-552-9963 (within Virginia) or 804-786-2042 (outside Virginia).
Right to Non-Discrimination
You may exercise your rights under the CDPA without discrimination. For example, unless the CDPA provides an exception, we will not:
-
- Deny you goods or services;
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; or
- Provide you a different level or quality of goods or services
Minors
We do not knowingly collect online information from children under the age of 13. Our services are marketed towards adults. If we are notified that we have collected personal data, as defined by the Children’s Online Privacy Protection Act (“COPPA”), of a child under the age of 13, we will delete the information as expeditiously as possible.
We never sell the personal data of minors under 16 years of age and would not do so in the future without affirmative authorization of the consumer if between 13 to 16 years of age, or the parent or guardian of a consumer less than 13 years of age.
Questions, Requests or Complaints
To submit a request* concerning your personal information, please visit our online request portal.
Alternatively, you may email us at HelpDesk@TriStarAdvisors.com and provide the requested information.
*Please note that, as described above, in certain cases, we may collect your personal data as a service provider pursuant to a contract we have with a commercial Client to provide the Service. In any case where we are acting as a service provider to a Client, you should direct your requests to exercise your rights available under data privacy laws to our Client, who is the party responsible for receiving, assessing, and responding to your requests. As a service provider, we do not have any obligation, and, notwithstanding anything in this Privacy Notice to the contrary, may elect not, to respond to your requests.
Changes to the Privacy Notice
You may request a copy of this Privacy Notice from us using the contact details set out above.
Where changes to this Privacy Notice will have a fundamental impact on the nature of our processing of your personal data or, otherwise, have a substantial impact on you, we will give you sufficient advance notice so that you have the opportunity to exercise any rights you may have under applicable law (e.g., to object to the processing).
We reserve the right to make changes to our Privacy Notice at any time consistent with applicable local laws. Such changes, as long as they do not have a fundamental impact on the nature of our processing of your personal data or, otherwise, have a substantial impact on you, will be posted on this page. We encourage you to review the web site and the Privacy Notice periodically for any updates or changes.
Updated April 2023