Privacy Policy
How Nomadsurance collects, uses, and protects personal data — written in plain English.
Last reviewed:
Last updated: 2026-05-25
This Privacy Policy explains how Nomad Insurance Broker OÜ ("Nomadsurance", "we", "us") collects, uses, and protects personal data when you visit nomadsurance.com or use our insurance matching service.
We've written this in plain English. If anything is unclear, email us at {{ENTITY_EMAIL}} and we'll explain.
1. Who is the Controller
The data controller responsible for your personal data is:
- Company: {{ENTITY_NAME}} (Nomad Insurance Broker OÜ)
- Registered address: {{ENTITY_ADDRESS}}
- Registry code: {{ENTITY_REGISTRY_CODE}}
- Email for privacy matters: {{ENTITY_EMAIL}}
- Jurisdiction: Estonia, European Union
We do not currently have a statutory obligation to appoint a Data Protection Officer (DPO), but the email above reaches the person responsible for privacy at Nomadsurance.
2. What This Policy Covers
This policy applies to:
- The nomadsurance.com website and any subdomains we operate.
- Forms you submit to request insurance recommendations, quotes, or information.
- Newsletter signups and any direct communication with us.
- Cookies, analytics, and performance measurement on our website.
It does not cover the insurance providers we may introduce you to. Once you proceed with an insurer, that company becomes an independent controller of your data under their own privacy policy.
3. What We Collect and Why
3.1 Data You Give Us Directly
When you fill out our insurance matching form, request a quote, contact us, or subscribe to the newsletter, we collect information such as:
- Name and email address
- Country of residence and nationality
- Age or date of birth
- Travel plans, destination countries, planned duration
- Profession or nomad status (employee, freelancer, business owner, etc.)
- Health-related information you choose to share (e.g. pre-existing conditions) — only when needed to match you with a suitable policy
- Any free-text notes you add to forms
We only ask for what's needed to give you a useful recommendation. You can skip optional fields.
3.2 Data We Collect Automatically
When you visit the site, we automatically receive:
- Approximate location (derived from IP address, not precise GPS)
- Browser type, device type, operating system, screen size
- Pages you visit, time on page, referring source
- Performance metrics (page load speed, Core Web Vitals)
This is collected through privacy-friendly analytics (Vercel Analytics and Speed Insights) and our hosting infrastructure. We do not use cross-site tracking pixels or advertising cookies by default.
3.3 Cookies
We use a small number of cookies and similar technologies:
- Strictly necessary cookies — required for the site to function (e.g. remembering your cookie choice, session state). No consent needed.
- Analytics cookies — only set if you consent. They help us understand which pages work and which don't.
- Functional cookies — used by embedded tools such as Heyflow when you interact with a form.
You can change your choice at any time via the cookie banner or your browser settings.
4. Legal Bases for Processing
Under GDPR Article 6, we rely on the following legal bases:
- Contract (Art. 6(1)(b)) — when you ask us to match you with insurance options, we process your data to perform that service at your request.
- Consent (Art. 6(1)(a)) — for newsletter signups, non-essential cookies, and any optional marketing communication. You can withdraw consent at any time.
- Legitimate interest (Art. 6(1)(f)) — for security (e.g. blocking abusive traffic via Cloudflare), basic analytics on aggregated traffic, fraud prevention, and improving our service. We balance this against your rights and you can object at any time.
- Legal obligation (Art. 6(1)(c)) — when we have to retain records to comply with Estonian or EU law (e.g. accounting, tax, anti-money-laundering where applicable).
Where you share health-related information (a "special category" of data under Art. 9), we rely on your explicit consent (Art. 9(2)(a)), which you give by submitting it on the matching form. You can withdraw it at any time, but doing so may mean we can no longer recommend suitable policies.
5. AI-Assisted Matching (Not Solely Automated)
Nomadsurance uses AI tooling to help match your situation with relevant insurance products. This is decision-supportive, not solely automated within the meaning of GDPR Art. 22:
- The AI produces recommendations and rankings.
- A human-defined ruleset and editorial oversight govern which products are eligible to appear.
- You make the final purchase decision yourself, on the insurer's platform.
You are not subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. If you'd like a human to review the recommendations you received, contact {{ENTITY_EMAIL}}.
6. Who We Share Data With (Processors and Sub-Processors)
We work with carefully selected service providers ("processors") who handle data on our behalf under written data processing agreements. We do not sell your data.
Hosting and Infrastructure
- Vercel Inc. (United States) — hosts our website, runs serverless functions, and provides Vercel Analytics and Speed Insights. Data may be processed in the EU and US regions.
- Cloudflare, Inc. (United States) — DNS, content delivery, and web application firewall (WAF). Used for security and performance.
Content Management
- Sanity.io (Sanity AS, Norway / EU and US infrastructure) — stores the editorial content of the site. Generally does not store personal data submitted through forms, but may incidentally process IP addresses of editors.
Communications and CRM
- Brevo SAS (France, EU) — CRM, newsletter delivery, and transactional email. Sub-processors to be confirmed; current list available from Brevo on request.
- Resend, Inc. (United States) — transactional email fallback (e.g. confirmation emails when Brevo is unavailable).
Forms and Feedback
- Heyflow GmbH (Germany, EU) — interactive forms and feedback flows currently used on the site.
- Trustpilot A/S (Denmark, EU) — review collection and display. Integrated only where indicated; activates when you choose to leave a review.
Automation
- n8n GmbH — workflow automation that routes form submissions between the systems above. Hosting location to be confirmed; if hosted outside the EEA, transfers are protected by Standard Contractual Clauses (see Section 7).
Internal Operations
- Google Workspace (Google Ireland Limited) — used internally for email, documents, and team collaboration. Personal data you send us by email is processed in Workspace.
We may update this list as we add or remove tools. Material changes will be reflected in this policy.
7. International Data Transfers
Some of our processors are based in the United States or process data outside the European Economic Area (EEA). When that happens, we rely on one or more of the following safeguards under GDPR Chapter V:
- EU Standard Contractual Clauses (SCCs) — signed with each non-EEA processor.
- EU–U.S. Data Privacy Framework (DPF) — where the receiving company is certified under the framework.
- Additional technical and organizational measures where appropriate (e.g. encryption in transit and at rest).
You can request a copy of the relevant transfer mechanism for any specific processor by emailing {{ENTITY_EMAIL}}.
8. How Long We Keep Your Data
We keep personal data only as long as we need it. Default retention periods:
- Insurance matching form submissions (lead data): 24 months after our last contact with you, unless you ask us to delete sooner or you become a returning user.
- Newsletter subscribers: until you unsubscribe, plus a short grace period (up to 30 days) to process the unsubscribe and keep a suppression record.
- Transactional email logs: 12 months for deliverability and support purposes.
- Customer support email threads: 24 months after the conversation ends.
- Analytics data (aggregated): up to 25 months in tools such as Vercel Analytics; raw event data is shorter (to be confirmed per tool).
- Cookie consent records: 12 months.
- Accounting records (where applicable): 7 years, in line with Estonian law.
After these periods, data is deleted or anonymized.
9. Your Rights
Under GDPR Articles 15–22, you have the right to:
- Access (Art. 15) — get a copy of the personal data we hold about you.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure (Art. 17) — ask us to delete your data ("right to be forgotten"), subject to legal retention obligations.
- Restriction (Art. 18) — ask us to limit how we use your data while a question is being resolved.
- Data portability (Art. 20) — receive your data in a structured, machine-readable format, or have it transferred to another controller where technically feasible.
- Object (Art. 21) — object to processing based on legitimate interest, including direct marketing.
- Withdraw consent — at any time, where processing is based on consent. Withdrawal doesn't affect the lawfulness of processing before withdrawal.
- Not be subject to solely automated decisions (Art. 22) — see Section 5.
How to Exercise Your Rights
Email {{ENTITY_EMAIL}} from the address you used to contact us, or describe enough information for us to identify you. We respond within one month, extendable by up to two further months for complex requests (we'll tell you if that applies).
There's no fee for reasonable requests. We may charge a reasonable fee, or refuse, if a request is manifestly unfounded or excessive.
Right to Complain
If you believe we've handled your data unlawfully, you can complain to the Estonian Data Protection Inspectorate:
- Andmekaitse Inspektsioon (AKI)
- Website: aki.ee
- Email: info@aki.ee
You can also complain to the supervisory authority in the EU country where you live or work.
10. Security
We take reasonable technical and organizational measures to protect your data, including:
- HTTPS/TLS encryption on all pages and form submissions.
- Web application firewall and bot protection via Cloudflare.
- Access controls and least-privilege permissions for team members.
- Encrypted storage and backups via our hosting and CMS providers.
- Regular review of integrations and processor security posture.
No system is perfectly secure. If we ever experience a personal data breach that's likely to result in a risk to your rights, we'll notify the supervisory authority within 72 hours where required, and inform affected users without undue delay.
11. Children
Nomadsurance is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has submitted data to us, please contact {{ENTITY_EMAIL}} and we'll delete it.
12. Changes to This Policy
We may update this policy as our service evolves or as legal requirements change. When we do, we'll update the "Last updated" date at the top. For material changes, we'll give clear notice on the website or by email where appropriate.
13. Contact
For any privacy questions, requests, or concerns:
- Email: {{ENTITY_EMAIL}}
- Postal address: {{ENTITY_NAME}}, {{ENTITY_ADDRESS}}
Disclaimer: First draft, pending legal review.