Welcome to Onda’s Software and Services Privacy Notice

Last updated: August 2025

This Privacy Notice (“Privacy Notice”) provides information on how Onda AI, Inc.,[1] its affiliated companies, Onda AI Limited,  Onda SAS and Onda Insurance Services, Inc. all subsidiaries of Onda Holding Company, S.A., and CKRe Limited[2], trading as Onda in the United Kingdom, (“Onda"/“we” /”us"/"our”) collect, use, process and transfer Personal Data and information in operating Onda’s software to quote, bind, underwrite and issue cyber insurance policies (where authorized), provide external cyber risk scanning, internal telemetry, integrated software and applications, and generate dashboards, automated guidance and risk reports (“Software and Services”).

Onda reserves the right to modify or amend this Privacy Notice at any time to reflect changes in our products and service offerings, accommodate new technologies, regulatory requirements, or for other purposes. If we modify our Privacy Notice, we will update the “Effective Date”, and such changes will be effective upon posting. It is your obligation to check our current Privacy Notice for changes. In some cases, we may provide you with more prominent notice of updates and changes by adding a bold or prominent statement to our homepage or by sending you an email notification.

This Privacy Notice does not apply to information collected or obtained by any third party, including through any application or content that may link to or be accessible from or in our Software and Services. This Privacy Notice is integrated into our Terms & Conditions of Use for our Software and Services (“Terms and Conditions”).

 

Important information and who we are

Onda acts as a controller and is responsible for your Personal Data collected, originated or created through your access to the Software and Services and is a processor of data supplied by third parties to whom you or the company on whose behalf you access or use the Software and Services have authorized access.  Onda’s Software and Services are directed towards our commercial and potential business clients and are not designed for personal, family or household purposes.

Onda takes data protection and privacy very seriously. If you have any questions about this Notice or about our data and privacy protection practices, please contact us at privacy@onda.ai or through other means identified below.

Contact details

If you have questions about this Privacy Notice or Onda’s collection or use of Personal Data, you may contact us at: Onda AI, Inc. 1110 Brickell Avenue, Suite 515, Miami, FL 33131-3136. You can also reach us by email at: privacy@onda.ai  

 

For residents in the United Kingdom and European Economic Area (EEA), CKRe Limited has its registered address at: 2nd Floor 40 Lime Street, London, EC3M 7AW, and is registered with the Information Commissioner’s Office (“ICO”) under registration number ZA187731. The ICO is the UK’s independent authority set up to uphold information rights in the public interest. Their website can be found at https://ico.org.uk/   

 

The data we collect about you and how we collect it

When you use our Software and Services, we may collect, use, store, disclose, transfer or otherwise process data, including Personal Data about individuals (‘you” and “your”) upon your request or the request of the company for which you access or enroll in the Software and Services. To provide our threat detection services, we may also maintain information obtained from third parties, that may include limited personal data relating to actors involved in those incidents.

We may collect, use, process, store, and transfer the following Personal Data about you to provide the Software and Services:

  • Identity Data – your name and professional title
  • Contact Data – your professional email address, telephone number and business address
  • Technical Data – includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website
  • Profile Data – includes your username and password
  • Usage Data – details you provide us on how you use our website and Software and Services
  • Employer, location of employment or workplace if you access our Software and Services on behalf of a business entity 
  • Communications with us when using our Software or Services, should you choose to contact us, including text, email, photos, videos, audiovisual content, documents, spreadsheets and comments or chat you make on any Onda platform 

We also collect, use and share aggregated data as statistical or demographic data for any purpose (“Aggregated Data”). Aggregated Data could be derived from your Personal Data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate data regarding your use of our Software and Services to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this privacy policy.

We are required to conduct various checks to comply with money laundering and other applicable laws and regulations. This may include “sensitive data” referring to political affiliation and trade union memberships or limited personal data relating to actors involved in cyber incidents.

We collect this data through our direct interaction with you or with the business entity contracting with us or providing you with access to our site to enable us to set you up to use and interact with us regarding the Software and Services. We may sometimes collect additional information from third parties about cyber incidents or criminal events when assessing the cyber vulnerability of a business customer, based on your consent or as otherwise permitted or required by law. 

If you access or use our Software and Services on behalf of another organization or through another organization’s site, your use may be administered by, and your personal data and information may be subject to the use and protection policies of a third party. Please refer to the third party’s privacy policy and direct any questions to those organizations. We may sometimes collect additional information from third parties about cyber incidents or criminal events when assessing the cyber vulnerability of a business customer, based on your consent or as otherwise permitted or required by law.

How we use your Personal DataWe will only use your Personal Data for the purpose for which we collected it which include the following:

  • To register you as a new user to use our software – the legal basis we use is performance of the contract we are about to enter into or have entered into with the company you represent.
  • To manage your relationship with us - the legal basis we use is: (i) performance of the contract we are about to enter or have entered into with you or the company you represent; and (ii) necessary to comply with a legal obligation.
  • To improve our products/services, marketing or customer relationships (including feedback from you and analyzing the use of our software) – the legal basis we use is where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests.
  • To recommend products or services which may be of interest to you - the legal basis we use is where it is necessary for our legitimate interest (or those of a third party) and your interests and fundamental rights do not override those interests.
  • To comply with a legal obligation – the legal basis we use is compliance with a legal obligation.

Automated Decision-Making/Profiling

We do not currently perform automated decision-making or profiling.

How we share your Personal Data

We may share your Personal Data within Onda, with companies trading under the Onda name and external third parties (such as cloud providers) to provide or make available our Software and Services to you and to enable Onda to comply with legal and regulatory obligations. Separate privacy notices apply to other products or services offered by other companies. Please consult the privacy notices applicable to those products and services for more information.

International transfers

To provide our Software and Services, we may transfer, store and process your Personal Data outside the US, EU, and the UK (transfers between the EU and UK are deemed by each other to provide an adequate level of protection for Personal Data and therefore do not require legal transfer mechanisms).

Where we transfer your Personal Data out of the US,  EU or the UK, we will always do so using the permitted legal transfer mechanisms.

Please contact us if you would like further information on the specific mechanism used by us when transferring your Personal Data out of the US, EU or the UK at privacy@onda.ai

Your legal rights

If we hold your Personal Data, you are a Data Subject and have a number of rights under data protection laws, including:

  • The right to be informed that your Personal Data is being collected. We do this by making this notice available to you and in limited circumstances where we ask for your written consent; 
  • The right to access your Personal Data and know what data we hold. You should use the contact information below in the first instance and we will ask you for proof of identity as part of the process; 
  • The right to rectification. If you believe that your Personal Data held by us is inaccurate you can ask us to correct the data; 
  • The right to erasure. You can ask us to erase your Personal Data but there are circumstances where we will continue to be entitled to process your data and we will explain any relevant reasons at that time; 
  • The right to restrict processing. You can ask us to restrict how we use your data; 
  • The right to portability. You can ask us to provide your Personal Data in a format that can be transmitted to another data controller; 
  • The right to object. You can object to a data controller processing your data, typically where it is used for marketing purposes. We do not use Personal Data for marketing; 
  • The right to be free from discrimination for exercising your rights under the privacy laws;
  • Rights related to automated processing, typically related to automated decisions and profiling. We do not use Personal Data to automate our decisions without human intervention but you can ask us if we do this. 

If you are in the UK, you have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK regulator for data protection issues (www.ico.org.uk). CKRe Limited has its registered address at: 2nd Floor 40 Lime Street, London, EC3M 7AW, and is registered with the Information Commissioner’s Office (“ICO”) under registration number ZA187731

We would like the opportunity to resolve any issues you might have with us first before you contact a regulator, so please contact us if you have further questions, wish to access your data or wish to make a complaint: privacy@onda.ai or by letter to Onda AI, Inc. 1110 Brickell Ave., Suite 515, Miami, Florida 33131-3136.  

 

Data Security 

We have put in place measures to protect the security of your information. Details of these measures are available upon request. Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure. We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so. In the event that your Personal Data held by us should be compromised due to an information security breach, the company would act quickly to identify the cause of this violation and would take appropriate remedial action. Depending on the type of incident, and in accordance with the law in force, you will be informed. 

Holding Personal Data

The Personal Data we hold, the purposes for which we hold it, how long we hold it and what we do with it will be different for different parties. Please click on the relevant link below to find out more. 

·     People who visit our website

·     People who send emails to us

·     People who complain to us

·     Policyholders

·     Claimants

·     Agents, Producing Brokers and Insurers

·     People employed by us

 

This Privacy Notice does not extend to other sites accessible via links on this website. Where you access other websites via these links you should read the privacy notices contained on those sites and we can take no responsibility for personal data held or processed by the organizations concerned. 

The information below describes the purposes and means by which we process personal data and the scope of use and sharing with other parties. The limitations on scope in relation to sharing with other parties do not apply where we are obliged by law or regulation to a party entitled to receive the personal data. 

People who visit our website 

We use a third-party service, Hotjar, to collect details of website visitor patterns. We do this to understand which pages and information are of most interest to visitors to our site to enable us to update and develop the content on your site.

We do not hold any Personal Data about visitors to our website and our contracts with third-party service providers do not permit them to do so either.

People who send emails to us 

You should be aware that unless we have established Transport Layer Security (TLS) or other technical means, email traffic between us may be vulnerable to interception. 

If an email you sent to us was intended for our sole use and that was made clear to us, we will not share it with other parties or provide your contact details. 

If an email was sent to us in connection with an insurance policy or claim where we are acting on behalf of you or your client, we may share such emails with (re)insurers, or their agents, in connection with the relevant insurance policy or claim. 

In that event, they will be Data Controllers with their own obligations and responsibilities in connection with processing your data and you should contact them directly. We will only share this information where it is necessary for dealing with a claim or fulfilling an insurance policy. We can provide you with details of firms with which we have shared your Personal Data if you request this from us. 

People who complain to us 

Our terms of business agreements, including our Producer Agreements,  set out the process and contact points for dealing with complaints. Where we receive a complaint in relation to our services, we will file that information together with other complaint details gathered by us in the course of investigating and resolving the complaint. This information and any Personal Data will not be shared with any other organizations. 

Where we receive complaints about the services of another party; for example, an insurer, we will pass details of the complaint, including any personal data provided to us, to the party responsible for the provision of the services. We will advise you where we do this. We will retain a summary of the complaint details for use in analyzing the overall service experience of our clients and policyholders.

Policyholders 

While our activities are primarily concerned with placing insurance covers for commercial policyholders, and assessing and monitoring their cyber risk and threats, in the course of quoting and placing insurance policies we may have been provided with Personal Data; for example, details of the owners or directors of the firm or employees’ contact information such as name, business email or phone number. 

We will only ever use this information in the course of activities necessary to enter into or fulfil an insurance contract and where required as part of the claims process. We will supply this information to insurers or their agents for these purposes but will otherwise not provide personal data to other parties. 

We can provide you with details of firms with which we have shared your Personal Data if you request this from us. 

Claimants 

In the course of collecting information to provide insurers, or their agents or administrators, with the information needed to enable them to administer or agree to pay a claim, we may be provided with additional Personal Data where the claim is on behalf of the persons involved in purchasing or who are named in the policy. 

We may also be provided with Personal Data, including “special categories” of more sensitive or medical data, by third parties alleging that they have suffered an injury or other loss caused by the policyholder. 

We will only ever use Personal Data obtained and processed as part of the claims process for the purpose of recording, communicating with (re)insurers or their agents or administrators, or, with respect to our own administration activities, to resolve the claim. 

We can provide you with details of firms with which we have shared your Personal Data, if you request this from us. 

Agents, Producing Brokers, and (Re)insurers 

To set up your account access to the Software and Services, we may request Personal Data. In the course of our dealings, we may be provided with Personal Data relating to the owners, directors, managers, and other individuals in your agent organisation including email addresses and telephone numbers. We may also collect, store and process “special categories” of more sensitive personal information for the purposes of contracting with you to quote and service an insurance policy.

We may also collect your information from a third party based on your consent or as otherwise permitted or required by law. The terms of business agreements between us and your agency will provide more details on data collection, storage and use for these purposes. Contact us if you would like more details.

This information will only be held and processed in connection with efficiently managing our business relationship and in that respect will be shared with those of our employees involved in the business between us.

People employed by us 

We request your name and email address to provide you with access to the insurance administration system to perform your duties as an employee. We hold this information in the same manner for all users. We need to hold a range of this and other Personal Data related to employees, which may have been provided by employees, or gathered in the course of employment.

We will have informed you in detail at the time of your engagement about the Personal Data we hold or expect to hold for Employees, the purposes for which it is processed, and asked you to consent in writing to your Personal Data being held and processed in this way. We will also have told you about your various rights under the legislation.

We hold your data on the basis of consent unless that consent has been withdrawn by you and, when we obtained your consent, we will have explained how long we will normally hold the data. This information is available in a separate Consent Notice related to people who are employed by us or applying for employment with us. If you have not retained a copy of the Consent Notice you can obtain a copy by contacting Human Resources.

How long do we keep your data?

We keep Personal Data in line with set periods calculated using the following criteria:

  • How long it is reasonable to keep records to show we have met the obligations we have to you and by law;
  • How long a policyholder has been a customer with us;
  • Time limits for making claims;
  • Any periods for keeping information with are set by law or recommended by regulators, professional bodies or associations;
  • Any relevant proceedings that apply.

If you would like more information about how long we will keep your information for, please contact us at privacy@onda.ai

Minors  

The Software and Services are not intended for individual use and is not intended for, designed for or directed at children under the age of majority in any jurisdiction of residence. We do not knowingly collect Personal Information from minors, nor will we under any circumstances allow use of our services by minors under the age of majority without prior consent or authorization by a parent or legal guardian. If a parent or guardian becomes aware that their child has provided us with Personal Information without their consent, they should contact us at privacy@onda.ai  

Your California Privacy Rights  

If you are a California resident, California Civil Code Section 1798.83 may permit you to request information regarding the disclosure of personal information about you by Onda AI, Inc. or its affiliates to third parties for the third parties’ direct marketing purposes. To make such a request, please send an email to privacy@onda.ai or write to us at: Onda AI, Inc., 1110 Brickell Ave., Suite 515, Miami, Florida 33131-3136.  

Notice to Nevada Residents  

This section of the Notice applies solely to Nevada residents, describes rights that Nevada residents may have, and how they can exercise those rights. We provide this information to comply with chapter 603A of the Nevada Revised Statutes and any terms defined under Nevada law have the same meaning when used below.  

Please see “The data we collect about you” section above for the categories of information that we collect through our website, and above sections “How we use your Personal Data” and “International Transfers” for information about third parties with whom we may share your Personal Data. Nevada law requires an operator to establish a designated request address through which a consumer may submit a request not to sell covered information collection by the operator. You may make such a request through the “How to Contact Us” information provided above, but please note, we do not sell your personal information.

If you would like to review and request changes to your Personal Data, please contact us using the information provided in “How to Contact Us.”  

Nevada law requires an operator to establish a designated request address through which a consumer may submit a verified request not to sell covered information collected by such operator. However, we do not sell your Personal Data. 

Further details

If you are looking for more information on how we process your Personal Data including on data security, data retention and lawful processing bases, please contact us for further details at privacy@onda.ai

[1]  Onda AI, Inc. is incorporated in the state of Delaware, with a registered address at 800 N. State Street, Suite 403, Dover, DE, 19904.  Onda Insurance Services, Inc. is a licensed insurance agency in more than 46 jurisdictions with business offices at 8865 Stanford Boulevard, Suite 202, Columbia, Maryland 21045-5422.

[2] CKRe Limited is registered in England & Wales with company registration number 03600683 and has its registered address at: 2nd Floor 40 Lime Street, London, EC3M 7AW. CKRe Limited is authorised and regulated by the Financial Conduct Authority and distributes and underwrites cyber insurance in the UK trading as Onda.