Privacy Policy

Updated March 2026

1. Introduction

Agile Underwriting Services Pty Ltd (ABN 48 607 908 243) ('Agile', 'we', 'us', or 'our') is committed to protecting the privacy and security of personal information we hold about individuals.

This Privacy Policy explains how we collect, use, disclose, store, and protect personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in that Act.

We operate as a Lloyd's Coverholder and Managing General Agent, providing niche insurance products across Australia and related markets. In the course of providing these services, we collect and handle personal information from policyholders, claimants, prospective customers, and other individuals.

This Policy applies to all personal information we hold, regardless of how it was collected, and to all our activities as an insurance intermediary and coverholder.

If you have any questions about this Policy or how we handle your personal information, please contact our Privacy Officer at compliance@withagile.com.

2. What is personal information

Personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not the information is true and whether or not it is recorded in a material form.

Examples of personal information we may hold include your name, address, date of birth, contact details, financial information, insurance history, and details about your occupation, assets, or activities relevant to the provision of insurance products.

Some categories of personal information are treated as sensitive information under the Privacy Act and attract a higher level of protection. Sensitive information includes health information, genetic information, and information about racial or ethnic origin, religious beliefs, or criminal record. We only collect sensitive information where it is reasonably necessary for our functions, you have consented, or we are otherwise permitted by law.

3. How we collect personal information

We collect personal information in various ways, depending on the nature of our relationship with you.

Directly from you

We collect most personal information directly from you when you apply for an insurance product, make a claim, or contact us. This may occur through our website, online forms, telephone conversations, email, or in person.

From third parties

In some circumstances, we collect personal information from third parties, including:

• Insurance brokers and agents acting on your behalf
• Other insurers or reinsurers involved in your policy
• Claims administrators and loss adjusters
• Medical practitioners or other health professionals (where relevant to a claim)
• Publicly available sources, including regulatory registers
• Our related entities and affiliates where relevant to providing you with services

Where we collect personal information about you from a third party, we will take reasonable steps to notify you of that collection unless it would be impracticable or unreasonable to do so, or unless an exception under the Privacy Act applies.

Automatically through our website and digital services

When you visit our website, we may automatically collect certain technical information, including your IP address, browser type, operating system, referring URLs, and pages visited. This information is collected using cookies and similar technologies and is generally used in an aggregated, non-identifiable form to improve our website and services.

You may configure your browser to refuse cookies, but doing so may affect the functionality of certain features of our website. By continuing to use our website without adjusting your cookie settings, you consent to our use of cookies as described in this Policy.

4. Why we collect and use personal information

We collect and use personal information for the following purposes:

• Assessing and processing applications for insurance products and providing quotations
• Issuing, managing, and administering insurance policies
• Assessing and managing insurance claims
• Conducting sanctions checks and anti-money laundering screening as required by law
• Complying with our legal and regulatory obligations as a Lloyd's Coverholder
• Communicating with you about your policy, claims, or enquiries
• Improving our products, services, and customer experience
• Detecting, investigating, and preventing fraud
• Where you have consented, providing you with information about our other products and services

We will only use or disclose personal information for the purpose for which it was collected, a related purpose you would reasonably expect, or as otherwise permitted under the Privacy Act.

5. Disclosure of personal information

Who we share your information with

In the course of providing insurance products and services, we may disclose your personal information to:

• Lloyd's underwriters and syndicates that provide the insurance capacity for your policy
• Reinsurers involved in reinsuring the risks we underwrite
• Insurance brokers and agents acting on your behalf or as part of the distribution of our products
• Claims administrators, loss adjusters, and legal advisors assisting with the management of claims
• Medical practitioners and other health professionals where relevant to a claim assessment
• Sanctions screening and compliance service providers
• Technology and data service providers who assist us in operating our business
• Our related entities and affiliates where relevant to providing services to you
• Government agencies, regulators, and law enforcement bodies where required or authorised by law

Where you provide us with personal information about another person, you confirm that you have their consent to provide it to us and for us to handle it in accordance with this Policy.

Overseas disclosure

Some of the parties we work with are located outside Australia, including Lloyd's underwriters and syndicates based in the United Kingdom, reinsurers in international markets, and technology service providers whose infrastructure is hosted overseas.

Where we disclose personal information to overseas recipients, we take reasonable steps to ensure that those recipients handle your information in a manner consistent with the Australian Privacy Principles. In some cases, this is achieved through contractual protections, certification schemes, or the regulatory requirements applicable to those recipients in their home jurisdiction.

By providing us with your personal information, you acknowledge that it may be transferred to and processed in countries outside Australia, including the United Kingdom and the United States.

6. Artificial intelligence and automated processing

How we use AI tools internally

Agile uses enterprise-grade artificial intelligence tools to assist our staff with internal operational tasks, including drafting correspondence, conducting research, and analysing information. These tools are provided by Anthropic (Claude) and Google (Gemini for Google Workspace).

Both tools operate under enterprise agreements that include:

• Data Processing Agreements governing how your information may be handled
• A commitment that inputs are not used to train AI models
• Security and access controls consistent with our obligations under the Privacy Act

What personal information AI tools may process

In the course of assisting our staff, AI tools may process personal information contained in documents or correspondence that staff are working on. This may include information contained in claims files, underwriting submissions, or policyholder correspondence.

We apply strict internal controls to govern which information may be processed through which tools. Sensitive information — including health information, financial data that directly identifies an individual, and claims details — is processed only through our Google Workspace AI environment, which is covered by our existing Google Cloud data processing agreement and configured to process data within approved geographic regions.

General drafting and research tasks that do not involve identifiable personal information may be conducted using either of the approved AI tools. We may process certain transient data momentarily (such as temporary session tokens or real-time API data streams) to facilitate fraud detection or secure data transmission. This data is destroyed or anonymised immediately after the real-time processing task is complete.

No automated decision-making

We do not use AI tools to make automated decisions about you. This means:

• No insurance coverage decision — whether to accept, decline, or price a risk — is made by an AI system without meaningful review by a qualified underwriter
• No claims decision — whether to accept, decline, or settle a claim — is made by an AI system without review by a qualified claims professional
• No automated profiling of individuals occurs for the purposes of making decisions that affect your legal rights or insurance entitlements

AI tools are used solely to assist our staff in working more efficiently. The final judgment on any matter affecting your insurance rests with a qualified professional.

Your rights in relation to AI processing

If you have questions about how AI tools may be used in processing your personal information, or if you wish to request that a specific matter be handled without the use of AI-assisted tools, please contact our Privacy Officer at compliance@withagile.com. We will make reasonable efforts to accommodate such requests.

7. Information security

We take the security of personal information seriously and implement reasonable technical and organisational measures to protect personal information against unauthorised access, use, disclosure, alteration, or destruction.

Our security measures include access controls that limit who within our organisation can access personal information, staff training on data-handling obligations, contractual protections with third-party service providers, and technical security controls across our information systems.

No data transmission over the Internet can be guaranteed to be completely secure. While we take all reasonable steps to protect personal information once we receive it, we cannot guarantee the security of information transmitted to us electronically.

If you become aware of any security concern relating to your personal information, please contact us immediately at compliance@withagile.com.

8. Retention and destruction of personal information

We retain personal information for as long as it is needed for the purposes for which it was collected, or as required by applicable law.

In the context of insurance, retention periods are generally governed by:

• The duration of the insurance policy and any applicable claims period
• Legal and regulatory obligations — including Lloyd's requirements applicable to us as a coverholder
• Limitation periods applicable to potential legal proceedings
• Financial records obligations under the Corporations Act 2001 (Cth) and applicable taxation legislation

As a general guide, we retain policy and claims records for a minimum of seven years from the date a policy expires or a claim is finalised. We may retain information for longer where it is needed to defend legal proceedings, comply with a regulatory requirement, or where destruction is not technically practicable.

When personal information is no longer required, and there is no legal obligation to retain it, we take reasonable steps to destroy or de-identify it securely.

9. Your privacy rights

Access to your personal information

You have the right to request access to the personal information we hold about you. To make an access request, please contact our Privacy Officer at compliance@withagile.com. We will respond to access requests within 30 days.

Access may be refused in limited circumstances permitted by the Privacy Act, including where providing access would be unlawful, would prejudice legal proceedings, or is frivolous or vexatious. If we decline to provide access, we will explain why and advise you of the available review mechanisms.

We may charge a reasonable fee to cover the cost of providing access. If a fee applies, we will advise you before proceeding.

You also have the right to erasure of your personal data (the right to be forgotten), and the right to object to profiling / processing of your information. If you wish to exercise these rights you should contact us and we will advise you on what actions we will take.

Correction of personal information

If you believe that personal information we hold about you is inaccurate, incomplete, or out of date, please contact us and we will take reasonable steps to correct it. If we decline to make a correction, we will explain why and note your request on your record.

Complaints

If you have a concern about the way we have handled your personal information, we encourage you to contact our Privacy Officer in the first instance:

10. Data breaches

We are subject to the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act. If we have reasonable grounds to believe that a data breach has occurred that is likely to result in serious harm to any affected individual, we are required to notify both the affected individual and the OAIC as soon as practicable.

If you believe that your personal information held by us has been compromised, please contact our Privacy Officer immediately at compliance@withagile.com so that we can investigate and, where required, take the steps necessary under the NDB scheme.

11. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The current version of this Policy will always be available on our website and through our help centre.

Where a change is material, we will take reasonable steps to notify affected individuals. Continued use of our products and services following publication of an updated Policy constitutes acceptance of the updated terms.

The version number and effective date of this Policy are shown on the cover page.

12. Contact us

For all privacy-related queries, access requests, correction requests, and complaints, please contact: