Universal Sompo General Insurance Company Limited ("Company", "we", "our", “Universal Sompo” or "us") is unequivocally committed to safeguarding the privacy, confidentiality, and integrity of the personal data entrusted to us by our customers and digital visitors. Operating within the dynamic landscape of the Indian general insurance sector, we recognize that the collection and processing of diverse data sets—spanning from financial histories and vehicular telematics to highly sensitive health and medical records—is the foundational element of precise risk assessment, policy administration, and rapid claims settlement.
This Comprehensive Privacy Policy and Notice ("Notice") serves as the definitive articulation of our data governance architecture. It delineates the methodologies through which we collect, process, secure, retain, and responsibly share personal data across all user interactions with our primary website (www.universalsompo.com), customer self-service portals, mobile applications including the USGI PULZ application, and all associated digital touchpoints.
This Notice is architected and published to ensure strict adherence to the prevailing regulatory ecosystem.
Within the framework of the DPDPA, 2023, Universal Sompo General Insurance Company Limited operates primarily as a Data Fiduciary. In this capacity, we determine the fundamental purposes and the technological means of processing your personal data.
To deliver complex insurance solutions effectively, we engage specialized third-party entities—including Third-Party Administrators (TPAs) for health claims, independent loss surveyors, cloud infrastructure hosting providers, and advanced data analytics vendors. All designated third-party entities are bound by rigorous, legally enforceable non-disclosure agreements, are strictly prohibited from utilizing your data for their independent commercial purposes, and are contractually obligated to deploy technical and organizational safeguards equivalent to or exceeding our internal Information Security Policy.
The scope of this Notice encompasses all natural persons ("Data Principals", "you", or "your"), including prospective applicants, active policyholders, non-active policyholders, insured beneficiaries, legally appointed nominees, and general visitors navigating our digital ecosystem.
In strict compliance with the transparency mandates of Rule 3 of the DPDP Rules, 2025, we reject the use of broad, opaque data collection clauses. We ensure absolute clarity regarding the precise data points ingested into our systems. Depending on the specific insurance vertical you engage with (e.g., comprehensive health coverage, motor insurance, or commercial property risk), we may collect and process the following itemized categories of personal data:
Data Category | Specific Data Elements Processed |
--- | --- |
Identity & Demographic Information | Full legal name, date of birth, gender, marital status, photographic images, physical or digital signatures, and government-issued identifiers including PAN and Aadhaar Numbers (processed via authorized e-KYC mechanisms where voluntarily provided). |
Contact & Location Data | Residential addresses, permanent addresses, registered email addresses, mobile and landline telephone numbers, and geolocation data captured during roadside assistance requests or digital application usage. |
Insurance & Underwriting Data | Policy numbers, historical coverage details, risk declarations, occupational profiles, sum insured preferences, and the identity details and relationships of appointed nominees or beneficiaries. |
Financial & Transactional Data | Bank account details (account numbers, IFSC codes for NEFT settlements), credit/debit card tokens and UPI handles (processed securely via PCI-DSS compliant payment gateways), premium payment histories, and data retrieved from the Central KYC Registry. |
Health & Medical Records | Detailed medical histories, declarations of pre-existing diseases, diagnostic laboratory reports, hospital discharge summaries, lifestyle declarations (e.g., tobacco or alcohol consumption), and comprehensive medical documentation submitted during the claims adjudication process. |
Asset & Vehicular Telematics | Vehicle registration numbers, engine and chassis configurations, driving license credentials, historical accident reports, real-time vehicular telematics (where opted-in for usage-based insurance), and property valuation details for home or commercial lines. |
Digital Technical & Usage Metrics | IP addresses, device identifiers (IMEI/MAC addresses), operating system specifications, browser typologies, authentication logs, and granular user interaction metrics captured across our web and mobile applications. |
Important Notice Regarding Sensitive Data: We recognize that health, medical, and detailed financial data command the highest threshold of confidentiality. Consequently, we subject these data categories to enhanced cryptographic controls, stringent Role-Based Access Controls (RBAC), and rigorous monitoring in alignment with IRDAI security mandates.
Our data collection strategy is governed by the principle of data minimization; we ingest only the data essential for the provision of insurance services. Personal data enters our ecosystem through the following primary vectors:
Data explicitly and voluntarily inputted by you into our digital proposal forms, premium calculators, claims intimation portals, or through the USGI PULZ application.
Information securely transmitted through our network of licensed insurance brokers, corporate agents, web aggregators, and certified point-of-sale persons (POSPs) acting on your behalf.
Medical dossiers received directly from network hospitals and diagnostic centers during cashless claim processing, as well as incident reports generated by IRDAI-licensed independent surveyors and loss assessors.
Information systematically retrieved from the Central KYC Registry, the Insurance Information Bureau of India (IIB), and the Ministry of Road Transport and Highways (VAHAN) databases, strictly subject to regulatory allowances.
Technical and behavioral data continuously gathered via cookies, server access logs, and integrated analytics engines during your navigation of our digital properties.
We process your personal data exclusively for lawful, predefined purposes. The processing of your data is the mechanical engine that enables the provision of the following specific goods, services, and operational functions:
To evaluate individual and aggregate risk profiles, determine eligibility across our health, motor, cyber, and commercial portfolios, and calculate actuarially sound premium structures.
To generate and issue legally binding policy documents, process mid-term endorsements, manage automated renewal cycles, and maintain accurate, auditable registries of insured individuals and their appointed nominees.
To verify the authenticity and validity of submitted claims, coordinate seamlessly with TPAs and medical facilities for cashless authorizations, deploy predictive models for fraud detection, and execute secure electronic fund transfers for final claim disbursements.
To authenticate your identity during service inquiries, facilitate emergency roadside assistance, manage policyholder complaints, and execute the directives of internal grievance redressal committees or the Insurance Ombudsman.
To adhere to the exhaustive compliance mandates of the IRDAI, fulfill anti-money laundering (AML) and counter-terrorism financing (CTF) obligations, process taxation requirements, and report mandatory operational metrics to statutory bodies and the Data Protection Board of India.
To monitor digital traffic patterns for anomalous behavior, authenticate user sessions to prevent account takeovers, deploy threat intelligence mechanisms to thwart cyber attacks, and continually refine the user interface and functionality of our digital platforms.
The processing of personal data within our infrastructure is executed strictly upon the foundational lawful basis:
The vast majority of our data processing relies upon your free, specific, informed, unconditional, and unambiguous consent. This consent is obtained through clear affirmative action—such as checking a digital consent box
In highly specific scenarios where obtaining immediate consent is impossible or statutorily exempted, data may be processed under the doctrine of legitimate uses. Such scenarios include:
Modern insurance operations function within a highly interconnected ecosystem. To deliver seamless policy issuance and claims settlement, it is operationally requisite to share specific, minimized data points with authorized external entities. Universal Sompo categorically does not sell, rent, or commercially trade your personal data to unauthorized third parties. Disclosures are strictly limited to the following categories of recipients:
Third-Party Administrators (TPAs) facilitating health insurance claims, independent surveyors investigating motor or property damage, and specialized medical professionals engaged for complex underwriting assessments.
Data shared strictly to distribute large-scale risk and ensure compliance with complex reinsurance treaty obligations, ensuring the financial stability required to honor high-value claims.
Providers of secure cloud hosting infrastructure, operators of PCI-DSS compliant payment gateways, communication API providers, and IT infrastructure vendors who architect and maintain our digital ecosystem.
Mandatory disclosures made to the IRDAI, SEBI, the Insurance Information Bureau (IIB), various taxation authorities, and law enforcement agencies to satisfy unyielding statutory obligations and actively participate in industry-wide fraud prevention initiatives.
The architecture of modern cloud computing and the mechanics of the global reinsurance market occasionally necessitate the transfer of specific operational data to servers or entities located outside the territorial borders of India. Universal Sompo ensures that any such cross-border data transmission is executed strictly in accordance with the DPDPA, 2023, and sectoral data localization guidelines. Data is transferred exclusively to jurisdictions that have not been restricted by the Government of India. Furthermore, all international transfers are governed by rigorous Standard Contractual Clauses (SCCs) and binding corporate rules that guarantee the receiving entity applies data protection standards entirely equivalent to those mandated within India.
We adhere to the principle of storage limitation. Personal data is retained within our active databases solely for the duration required to fulfill the specific purposes enumerated in this Notice, or as dictated by superseding statutory requirements.
Policyholder records, underwriting data, and comprehensive claims dossiers are retained in strict compliance with the IRDAI (Maintenance of Insurance Records) Regulations and our internal corporate Records Retention Policy. This ensures data is available for necessary actuarial analysis, long-tail claim adjudication, and regulatory audits.
System, network, and application access logs are retained for a rolling period of at least 180 days, directly aligning with the mandates of the IRDAI Information and Cyber Security Guidelines to facilitate post-incident forensic investigations.
Upon the expiration of the defined statutory or operational retention period, or upon the successful processing of a valid request for erasure from a Data Principal, personal data is permanently purged or irreversibly anonymized using secure, cryptographic erasure protocols. We will issue a proactive notification to the Data Principal at least 48 hours prior to the execution of the final data erasure.
Universal Sompo deploys a defense-in-depth security architecture to safeguard your personal data against unauthorized access, malicious modification, accidental disclosure, or total destruction. Our security posture is aggressively mapped against ISO 27001 standards, the IRDAI Cyber Security Guidelines, and SEBI’s Cyber Security and Cyber Resilience Framework (CSCRF). Key technological and organizational controls include:
Mandatory end-to-end encryption of all sensitive personal data, utilizing industry-standard algorithms both while the data is at rest in our databases and in transit across external networks.
Strict enforcement of Role-Based Access Control (RBAC) and mandatory Multi-Factor Authentication (MFA) for all personnel and vendors accessing internal systems holding policyholder data.
Deployment of advanced intrusion detection/prevention systems (IDS/IPS), continuous network traffic monitoring, and automated vulnerability scanning across all digital assets.
Operation of a dedicated Security Operations Center (SOC) equipped with predefined Cyber Crisis Management Plans to ensure rapid containment of anomalies. In the highly unlikely event of a verified personal data breach, we maintain highly drilled protocols to notify the Data Protection Board of India, CERT-In, and all affected Data Principals within the legally prescribed 72-hour timeframe.
Our digital platforms, including the primary website and the USGI PULZ application, utilize cookies, web beacons, and similar analytic technologies to maintain secure user sessions, remember individual interface preferences, and generate aggregated analytics to optimize system performance.
These are deployed automatically upon your arrival at our platforms, as they are technically indispensable for core website functionality, load balancing, and fundamental security.
These tracking mechanisms are deployed exclusively upon receiving your explicit affirmative consent via our integrated Cookie Consent Management interface. You retain total autonomy to modify, restrict, or entirely withdraw your cookie preferences at any time through the configuration settings of your web browser.
Universal Sompo does not independently solicit, nor do we intentionally collect, personal data directly from children (defined under the Act as individuals below 18 years of age) for the purposes of behavioral profiling, tracking, or targeted marketing.
When the processing of a child's personal data is an absolute necessity for the execution of an insurance contract—such as enrolling a minor as a dependent in a comprehensive family health insurance plan or designating them as a legal nominee—we ensure that consent is obtained directly from the parent or lawful guardian.
The Digital Personal Data Protection Act, 2023, transitions privacy from a corporate courtesy to a statutory right. As a Data Principal, you are empowered with comprehensive control over your personal data. You possess the following unalienable rights:
You hold the right to obtain a clear, concise summary of the personal data we are actively processing, the specific processing activities being undertaken, and the identities of all third-party Data Processors with whom your data has been shared.
You may request the immediate correction of materially inaccurate data, the completion of incomplete data profiles, or the updating of personal information that has become obsolete.
You may demand the permanent deletion of your personal data when it is no longer strictly necessary for the specified purpose for which it was collected, provided that this request does not conflict with our overriding legal, taxation, or regulatory retention obligations.
You possess the absolute right to revoke your consent for data processing at any juncture. We guarantee that the mechanism for withdrawing consent is as frictionless and accessible as the mechanism used to grant it. (Please note: The withdrawal of consent is applied prospectively and may inherently restrict our operational ability to continue providing specific insurance coverages, process active claims, or honor policy renewals).
You hold the right to formally nominate another competent individual to exercise your statutory rights under the Act in the unfortunate event of your death or severe physical/mental incapacity.
You have the right to register formal complaints regarding our data governance practices directly with our designated Grievance Officer. Should our internal resolution prove unsatisfactory, you retain the right to escalate the matter to the Data Protection Board of India.
To exercise any of these statutory rights, please utilize the dedicated Data Principal Rights a formal request to our Data Protection Officer using the contact parameters detailed in Section 15.
To ensure the systemic integrity of the insurance ecosystem and to prevent the facilitation of fraud, the DPDPA legally mandates that Data Principals observe specific duties. While exercising your rights, you are statutorily required to:
Provide personal data that is verifiably authentic, accurate, and current.
Strictly refrain from impersonating another individual, utilizing synthetic identities, or submitting fraudulent or manipulated documentation.
Ensure that no material information is suppressed or concealed—particularly regarding historical health conditions or vehicular modifications—as the suppression of material fact directly nullifies the fundamental premise of utmost good faith (uberrimae fidei) upon which all insurance contracts are based.
Refrain from registering frivolous, vexatious, or entirely false grievances with either the Company or the Data Protection Board of India.
We view the rapid and transparent resolution of privacy concerns as a critical component of our operational mandate. If you possess queries regarding the interpretation of this Privacy Notice, require assistance exercising your statutory rights, or wish to register a formal grievance concerning our data processing methodologies, please direct your communication to our designated Data Protection Officer / Grievance Officer:
Data Protection Officer / Grievance Officer
Universal Sompo General Insurance Company Limited
Registered Office: 8th Floor and 9th Floor (South Side), Commerz International Business Park, Oberoi Garden City, Off Western Express Highway, Goregaon East, Mumbai – 400063.
Designated Privacy Email: privacyofficer@universalsompo.com
Upon receipt of a formal communication, our privacy team will execute a comprehensive investigation and resolution process within the strict timelines prescribed by the DPDPA, DPDP Rules, and IRDAI grievance redressal frameworks.
Universal Sompo retains the right to unilaterally update, amend, or structurally modify this Comprehensive Privacy Policy and Notice to accurately reflect continuous improvements in our technological security posture, shifts in our operational processing practices, or mandatory adaptations to evolving legal and regulatory frameworks.
In the event of material modifications—particularly those altering the fundamental purposes of data processing, expanding third-party sharing, or impacting your statutory rights—we will proactively communicate these changes via direct email correspondence or through highly visible, mandatory acknowledgment notifications within our mobile applications and web portals prior to the changes taking effect. The "Last Updated" date positioned at the genesis of this document signifies the effective date of the currently active architectural version.
Universal Sompo General Insurance Company ("Company") or any payment gateway provider associated with the Company shall not be liable for any losses and/or damages that may be incurred by any person in respect of any loss of access and/or use or interruption in the use of the Website or the online payment methodology, whether or not due to any upkeep and maintenance being performed on the Website or any other reason whatsoever.
There is no guarantee or warranty that the site is free from any virus or other malicious software, damaging or corrupting code, program or macros. Further, there is no warranty that there will be uninterrupted access to and/or use of the Website, information herein or purported services. The information contained in this website is solely for providing information about the Company to interested parties. While all attempts are made to provide comprehensive access to content and services related to a wide variety of subjects of interest to visitors, the content is provided on an "as is" basis, as general guidance to users. Please verify the information before you act upon it by calling the concerned office of the Company.
The visitors to the website are assumed to access the content and services at their own will and not hold Company or its associates responsible for any liability arising out of the use of the content and services, explicit or implicit, provided in the website.
Statutory warning: "No person shall allow or offer to allow, either directly or indirectly, as an inducement to any person to take out or renew or continue an insurance in respect of any kind of risk relating to lives or property in India, any rebate of the whole or part of the commission payable or any rebate of the premium shown on the policy, nor shall any person taking out or renewing or continuing a policy accept any rebate, except such rebate as may be allowed in accordance with the published prospectus or tables of the insurer."
Universal Sompo General Insurance Co. Ltd.'s purpose is to keep you updated on the latest products and services. We convey such information by email or over the phone, and only to those whom we think will find these products and services interesting and beneficial. Universal Sompo respects and values your privacy and understands that some of you may not wish to be contacted over the phone for promotions as part of our telemarketing activities or to receive any e-mailers.
In case you do not want us to contact you on your cell phone or landline number or email address, you may use the Do Not Call form given below and register your phone number(s) that you want excluded from our telemarketing list. The details that you enter in the form will remain confidential.
We will take all efforts not to disturb you on the numbers and email addresses provided by you. Please allow 30 working days for the removal of the specified numbers from our telemarketing lists.