Updated: January 29, 2024

Origami Risk LLC (together with its subsidiaries, “Origami Risk,” “we,” “our,” or “us”) respects your privacy and is committed to protecting it through our compliance with this Privacy Policy. This Privacy Policy describes (1) the types of personal information we may collect from you or that you may provide when you visit our website located at www.origamirisk.com or www.origamirisk.co.uk (our “Website”), and (2) our practices for collecting, using, protecting and disclosing that information. This Privacy Policy also describes how we collect and use data in connection with our software-as-a-service offering and related professional services that we provide pursuant to written agreements with our customers (herein referred to as the “Services”).

Collection and Use of Personal Information
 

Origami Risk Website

Personal information collected from you on our Website will be used to carry out the actions you have requested or authorized. Additionally, we may use your personal information to provide you with information about our Services.

Our Website may collect certain information about your visit, such as the name of your Internet service provider and the Internet Protocol (IP) address through which you access the Internet; the browser you are using; the date and time you access our Website; the pages that you access while at our Website and the Internet address of the Website from which you linked directly to our Website. This information is used to help improve our Website, analyze trends, and administer our Website.

From time to time, we may engage Google Analytics or other third-party providers of marketing services to assist us with the purposes set forth above. We maintain contracts with each of these third parties restricting their access, use and disclosure of personal data. For more information on how Google Analytics collects and processes data, please visit “How Google uses information from sites or apps that use our services” linked here. We otherwise do not disclose personal information collected from our Website to non-agent third parties without authorization from the individual that submitted such information to us.

Notwithstanding the foregoing, for those individuals visiting our www.origamirisk.co.uk website, or those users visiting our website from a UK or EU-based IP address, we provide an “opt-in” approach to the use of cookies and storage of personal information.

We provide the opportunity for individuals to “opt-out” of having their personal information (as collected from our Website) used for the purposes set forth above, and we provide the right to be “forgotten” (i.e., we will remove all of your personal information from our records). If you do not wish your personal information (as collected from our Website) to be stored on our systems, or provided to third parties, we will remove your information from these systems. Simply email legal@origamirisk.com with the details of your request and we will respond promptly.

Origami Risk Services

As part of our Services, we provide a web-based system to our customers (primarily companies and governmental entities) and their designated third-party users (collectively, our “Users”) that tracks information related to insurance and risk in order to help our Users manage insurance claims, improve safety and reduce costs. In providing the Services to our Users, we store and process data that our Users submit to us or instruct us to process. We use such information in order to provide the Services to our Users pursuant to the terms of the written agreement between us and our customer, and we do not use this information for any other purpose.

While our Users decide what data to submit, it typically includes insurance-related information such as claims, incidents, and policies, as well as related supporting documentation and analysis. This information may include personally identifiable information. When we provide our Services to our Users, in some instances we process personal information about third parties that is provided by our Users.

We use a limited number of third-party service providers to assist us in providing our Services to our Users. These service providers fall into one of the following categories:

  • Hosting providers (we currently use Amazon Web Services)
  • Providers of additional functionality for our Services (as set forth in the written agreement between us and our customer)

These third parties may access, process, or store personal data in the course of providing their services. We will only provide personal information to these third parties for the purpose of providing our Services to our Users. We maintain contracts with each of these third parties restricting their access, use and disclosure of personal data. Our customers and Users generally will not have the opportunity to opt out of having their personal information shared with these third-party service providers for these purposes while receiving our Services. We otherwise do not disclose personal information to non-agent third parties except as may be contemplated by a written agreement with our customer or otherwise as directed by our Users.

Our Services may be accessible on a mobile device via a mobile application (“Origami Mobile”). Origami Mobile itself does not generate user session cookies. However, upon successful user authentication, a session cookie token is generated and transmitted to Origami Mobile and stored locally on the user’s device, facilitating the management of the user’s use of the Services and ensuring the security of each session.

These session tokens used by Origami Mobile are "strictly necessary cookies," as they are crucial for the authentication process and the secure functioning of the app. These tokens are necessary for enabling authenticated feature requests to Origami's API. The tokens are not utilized for user tracking, analytics, performance measurements, or any form of marketing related to Origami Mobile.

Disclosure Required by Law

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

We reserve the right to disclose personal information as required by law and when we believe that disclosure is necessary to protect our legal rights and/or to comply with a judicial proceeding, court order, or legal process.

Access to Personal Information

We acknowledge the right of individuals to access their personal data as collected through our Website. Individuals wishing to review, edit, supplement or delete their personal data as collected through our Website may do so by contacting us at legal@origamirisk.com, and we will promptly respond to any such request.

Individuals wishing to review, edit, supplement or delete their personal data as provided to us by our Users for use with our Services should contact the applicable User that provided this data to us. Alternatively, such an individual can contact us at legal@origamirisk.com and we will work with our User to respond to the request. However, note that we are contractually bound to our customers to maintain the confidentiality and integrity of the personal information that we store as part of our Services, and any such request from an individual that is not our customer would need to be approved by our customer except as otherwise required by law.

Security of your Personal Information

We are committed to protecting the security of your personal information. While no computer system is completely secure, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure your personal information.

Cross-Border Transfers of Personal Information

To the extent that our processing of personal data as part of the Services is subject to the EU or UK General Data Protection Regulation (GDPR), we will work with our customers to ensure that an adequate transfer mechanism exists for any such cross-border transfers of such data to the extent required by applicable law.

EU-U.S. Data Protection Framework (DPF), Swiss-U.S. DPF, and the United Kingdom Extension to the EU-U.S. DPF

Origami Risk complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. Origami Risk has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Pursuant to the Data Privacy Frameworks, EU, UK, and Swiss individuals have the right to obtain our confirmation of whether we maintain personal information relating to you in the United States. Upon request, we will provide you with access to the personal information that we hold about you. You may also correct, amend, or delete the personal information we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under the Data Privacy Frameworks, should direct their query to legal@origamirisk.com. If requested to remove data, we will respond within a reasonable timeframe. 

We will provide an individual opt-out choice, or opt-in for sensitive data collected on our Website, before we share your data with third parties other than our agents, or before we use it for a purpose other than that for which it was originally collected or subsequently authorized. To request to limit the use and disclosure of your personal information collected on our Website, please submit a written request to legal@origamirisk.com. To request to limit the use and disclosure of your personal information collected in connection with the Services, please submit a request to the applicable customer of Origami Risk.

Origami Risk’s accountability for personal data that it receives in the United States under the Data Privacy Frameworks and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Origami Risk remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process personal data on its behalf do so in a manner inconsistent with the Principles, unless Origami Risk proves that it is not responsible for the event giving rise to the damage. 

In compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), Origami Risk commits to resolve complaints about our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF, the UK extension to the EU-U.S. DPF, and the Swiss-U.S. DPF. EU, UK, and Swiss individuals with inquiries or complaints should first contact Origami Risk. 

Additionally, in compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, Origami Risk commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

Origami Risk has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, BBB NATIONAL PROGRAMS. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf  

With respect to personal data received or transferred pursuant to the Data Privacy Frameworks, Origami Risk is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Your Rights

Individuals located in certain countries have certain statutory rights in relation to their personal data. Subject to any exemptions provided by law, you may have the right to request access to information, as well as to seek to update, delete or correct this information. If you are an Origami client, you can usually do this using the settings and tools provided in your account. If you cannot use the settings and tools, please contact us (at the contact information set forth below) for assistance.

To the extent that our processing of your personal data is subject to the GDPR, we only collect, use, and process personal data where we have lawful grounds to do so, which may include, without limitation: (i) in order to provide the requested Services, (ii) in connection with our legitimate interests, (iii) in connection with our fulfillment of legal obligations, or (iv) as otherwise consented to by you. For the avoidance of doubt, we may process personal data for direct marketing purposes as set forth above and you have a right to object to our use of your personal data for this purpose at any time.

Data Protection Officer

To communicate with our Data Protection Officer, please email dpo@origamirisk.com.

UK and EU Representative and Data Protection Authority

Our representative in the United Kingdom is Origami Risk Ltd. You can contact this representative as follows:

Origami Risk Ltd. | 150 Minories | London, EC3N 1LS | United Kingdom

Email: legal@origamirisk.com

If you are in the EU, you may address privacy-related inquiries to our EU representative pursuant to Article 27 of GDPR as follows:

EU-REP.Global GmbH | Attn: Origamirisk | Hopfenstr. 1d | 24114 Kiel | Germany | origamirisk@eu-rep.global

If you are a resident of the United Kingdom and believe we maintain your personal data within the scope of the UK GDPR, while we request that you attempt to resolve any issues with us first, you may direct concerns or complaints to the UK’s Information Commissioner’s Office, our lead supervisory authority, at any time as noted below:

www.ico.org.uk

Information Commissioner’s Office | Wycliffe House, Water Lane | Wilmslow, Cheshire, SK9 5AF | United Kingdom | Phone: 0303 123 1113

If you are a resident of the European Economic Area and believe we maintain your personal data within the scope of the EU GDPR, while we request that you attempt to resolve any issues with us first, you may direct concerns or complaints to your supervisory authority in the region in which you live by contacting the applicable supervisory authority set forth here.

California Privacy Rights

If you are a resident of California, this section provides additional details about the personal information we collect about you, and your rights under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights Act ("CPRA").

We may collect, transmit and store various categories of your personal information. Over the last 12 months, we have collected the following categories of personal information:

CATEGORY | EXAMPLES
Identifiers | First name, last name, email address
Commercial Information | Records of software products and/or services purchased, obtained or considered
Internet or other electronic network or device activity information | Search history, information on interactions with a website application or advertisement
Geolocation Data | Approximate physical location (derived from an IP address)
Professional or employment information | Current or past employment, job title, employer name
Inferences | Activity on the site to infer interest in certain products and categories
Sensitive personal information | Account login and password information

Subject to certain limitations, the CCPA and CPRA provide you the right to request:

  • That we provide you access to details on the categories or specific pieces of personal information we collect and/or sell (including how we use and disclose this information, to whom we may sell it);
  • That we delete any of your personal information;
  • That we correct any inaccuracies in your personal information;
  • To opt out of any “sale” or "sharing" of your personal information that may occur, including sensitive personal information; and
  • To not be discriminated against for exercising any of the above rights.

If you would like to submit a request to exercise your California privacy rights, you may do so by emailing legal@origamirisk.com with your request. We will verify your request using information associated with your account, including your email. Further identification may be required. You may also designate an authorized agent to act on your behalf.

Please note that Origami Risk may retain a record of your request to delete your personal information.

This section does not cover the Personal Information we process as a ‘service provider’ in connection with the Service provided to our business customers, such as your organization. Our commitments as a service provider are set forth in the applicable agreement between Origami Risk and our business customer.

Choice of Future Communications

From time to time, we may send you information about our Services that may be of interest to you. At such a time, you will be given an opportunity to opt out of future communications.

Cookies and Tracking

We may use technology, such as Google Analytics, to track the patterns of behavior of visitors to our Website. This can include using a “cookie,” a text file sent by a web server to a web browser and stored by the browser for record-keeping purposes. As a result, it is possible to speed up your future activities on our Website and allow us to provide you with a personalized browsing experience.

You can choose to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. This may prevent you from taking full advantage of the features of our Website.

Our Website does not process or respond to web browsers’ “do not track” signals or other similar transmissions that indicate a request to disable online tracking of users who visit our Website.

Notwithstanding the foregoing, for those individuals visiting our www.origamirisk.co.uk website, or those users visiting our website from a UK or EU-based IP address, we provide an “opt-in” approach to the use of cookies and storage of personal information.

Links to Third-Party Websites

Our Website and our Services may provide links to unaffiliated third-party websites. As we do not control these websites, we encourage you to review the policies of these third-party sites.

Changes to this Privacy Policy

We may occasionally update this Privacy Policy. When we do, we will also revise the “Updated” date at the top of this Privacy Policy. If we make material changes to this Privacy Policy, we will notify you by prominently posting a notice of such changes. We encourage you to periodically review this Privacy Policy to stay informed about how we are helping to protect the personal information we collect. Your continued use of our Website or Services constitutes your agreement to this Privacy Policy and any updates.

Contact and Enforcement Information

If you have any questions regarding this Privacy Policy, please contact us at legal@origamirisk.com. If you believe that we have not adhered to this Privacy Policy, please contact us at legal@origamirisk.com, and we will attempt to promptly determine and remedy the problem. You can also contact our Data Protection Officer at any time at dpo@origamirisk.com.