Privacy Policy
Section 1: What Information We Collect and How We Obtain It
BriteCo collects personal information that enables us to quote and service your insurance policy, process appraisals, and operate our business in compliance with applicable law. We collect information from the following sources:
1.1 Information You Provide Directly
- Insurance Applications: Name, date of birth, address, email address, and phone number, as well as other information you may provide in connection with an application for coverage.
- Appraisals: Your name, address, telephone number, email address, appraisal values, item descriptions, photographs of jewelry and personal property, and other information submitted through BriteCo’s platform.
- Transactions: Insurance coverage selections, payment instrument information (credit card), and communications related to policy servicing.
- Communications: Information you provide when you contact us by phone, email, chat, or through online forms, including your name, contact information, and the content of your communications.
1.2 Information We Collect Automatically
When you use our websites or mobile applications, we may automatically collect:
- Internet Protocol (IP) address and approximate location derived therefrom
- Device identifiers (UDID, advertising ID, or equivalent)
- Browser type, version, and operating system
- Pages visited, links clicked, and features used on our Services
- Referring URLs and search terms used to find our Services
- Session timestamps and duration
We collect this information through cookies, web beacons, pixel tags, and similar tracking technologies described in Section 8. We do not link automatically collected technical data to your personally identifiable information for purposes other than fraud prevention, security, and service improvement, except as disclosed in this Privacy Policy.
1.3 Information from Third Parties
- Consumer Reporting Agencies: Insurance credit scores and other information used to support quoting and underwriting.
- Your Jeweler Partner: If you obtain a BriteCo appraisal through a participating retail jeweler, your jeweler may provide us with appraisal information on your behalf.
- Public Records: Publicly available information used to verify information you provide or to support underwriting decisions.
1.4 Sensitive Personal Information
Certain categories of information we collect may constitute “sensitive personal information” under applicable law. For BriteCo, this may include:
- Payment card information
- Information related to losses or prior incidents collected on insurance applications
- Criminal background history collected on insurance applications
- Precise geolocation data (when collected for fraud detection or claims purposes)
- Photographs of personal property processed by AI-assisted appraisal tools
We use sensitive personal information only as necessary to provide the Services or as otherwise permitted by law. California residents have the right to limit our use and disclosure of sensitive personal information as described in Section 6.
1.5 What We Do Not Collect
BriteCo does not intentionally collect Social Security numbers except as required by specific state insurance regulatory filings. We do not collect biometric identifiers (such as fingerprints, retina scans, or facial geometry) through our standard Services. See Section 11 (Illinois Biometric Data Notice) for more detail.
Section 2: How We Use Your Information
BriteCo uses the personal information we collect for the following purposes:
- To provide and service insurance products: Processing applications, issuing policies, handling claims, and responding to your inquiries.
- To generate and process appraisals: Creating appraisal reports and supporting insurance coverage decisions.
- To comply with legal and regulatory obligations: Meeting requirements under the Gramm-Leach-Bliley Act (GLBA), state insurance regulations, and other applicable laws.
- To detect and prevent fraud: Identifying potentially fraudulent applications, claims, or transactions.
- To improve our Services: Analyzing how our Services are used to improve functionality, user experience, and our product offerings.
- For marketing and communications: Sending you information about our products and services, subject to your communication preferences.
- For automated decision-making: Using algorithmic models to generate insurance quotes, assess risk, and support underwriting, as further described in Section 9.
| Data Minimization Commitment
We collect only the personal information that is reasonably necessary and proportionate to accomplish the purposes described in this Privacy Policy. We will not use personal information for purposes that are materially different from those disclosed at the time of collection without providing you with notice and, where required, obtaining your consent. |
Section 3: What Personal Information We Disclose and to Whom
3.1 Categories of Recipients
| Recipient Category | Purpose | Data Shared | Type |
| Insurance carriers and reinsurers | Underwriting, policy issuance, claims | Application and policy data | Service Provider |
| Claims administrators | Claims handling | Claims and coverage data | Service Provider |
| Independent insurance agents | Policy placement and servicing | Application and policy data | Third Party |
| Payment processors | Processing premium payments | Payment instrument data | Service Provider |
| Cloud hosting / infrastructure | Operating our platform | All categories | Service Provider |
| Analytics & marketing tech providers | Website analytics, advertising | Web usage, contact info | Third Party |
| Fraud detection vendors | Detecting fraudulent activity | Application, claims, behavioral data | Service Provider |
| Law enforcement / government | Legal compliance, regulatory | As required by law | Third Party |
| Legal counsel and auditors | Legal defense, financial audit | As necessary | Service Provider |
| Successor entity (merger/acquisition) | Business transfer | All categories (see 3.5) | Third Party |
3.2 Service Providers vs. Third Parties
We distinguish between two categories of recipients:
- Service Providers: Companies that receive personal information solely to perform functions on our behalf and under our instructions. Service providers are contractually prohibited from using your personal information for their own purposes.
- Third Parties: Companies that may use personal information for their own business purposes. When we share personal information with third parties, we do so only as described in this Privacy Policy and as permitted by applicable law.
3.3 Marketing-Related Sharing
We may share your contact information and general policy type with affiliated companies for marketing of related financial products and services, where permitted under GLBA’s joint marketing exception or with your consent. We do not sell your personal information. To the extent any sharing with advertising or analytics technology partners constitutes a “sale” or “sharing” under applicable state law (such as California’s CCPA), you may opt out as described in Section 7.
| California Residents: In addition to the opt-out right in Section 7, if BriteCo’s sharing of your personal information is not exempt under GLBA or the California Financial Information Privacy Act (FIPA), you may have the right to opt in before we share certain information with nonaffiliated third parties for non-service purposes. Contact [email protected].
Vermont Residents: Under Vermont’s Financial Privacy Act, we will not share your nonpublic personal financial information with nonaffiliated third parties for purposes not covered by a statutory exception unless you have affirmatively opted in to such sharing. |
3.4 Mobile Messaging
No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. Text messaging originator opt-in data and consent will not be shared with any third parties.
3.5 Business Transfers
In the event of a merger, acquisition, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will require any acquirer to assume the privacy obligations set forth in this Privacy Policy or provide you with notice and the opportunity to exercise applicable rights before material changes to those obligations take effect.
3.6 De-Identified and Aggregated Data
We may disclose de-identified or aggregated data that does not identify you to third parties for research, analytics, and business purposes. We commit not to attempt to re-identify de-identified data, and we contractually require recipients to make the same commitment.
Section 4: Gramm-Leach-Bliley Act (GLBA) Privacy Notice
BriteCo Inc. is a licensed insurance agency subject to the Gramm-Leach-Bliley Act (GLBA) and the state insurance privacy regulations implementing GLBA in each state where we operate. These regulations are based on the National Association of Insurance Commissioners (NAIC) model privacy regulations.
Information We Collect. We collect nonpublic personal information (“NPI”) about you from: (a) information you provide on applications and other forms; (b) information about your transactions with us, our affiliates, or others; and (c) information we receive from consumer reporting agencies.
Information We May Disclose. We may disclose all NPI we collect to companies that perform services on our behalf, including marketing services. We do not disclose your NPI to nonaffiliated third parties for their own marketing purposes except as described in this Privacy Policy and as permitted by law.
Opt-Out Right (General). To the extent we share your NPI with nonaffiliated third parties in ways not covered by a GLBA exception, you have the right to opt out. Contact us at [email protected] or call the number listed in your Policy Documentation.
Confidentiality and Security. We restrict access to your NPI to employees who need it to provide products or services to you. We maintain physical, electronic, and procedural safeguards compliant with applicable federal and state regulations.
Enhanced State Protections
| State | Enhanced Protection |
| California | Additional rights under the California Insurance Information and Privacy Protection Act (IIPPA) and the California Financial Information Privacy Act (FIPA) may require affirmative opt-in consent before sharing certain NPI with nonaffiliated third parties. Contact [email protected]. |
| Vermont | Vermont’s Financial Privacy Act requires you to affirmatively opt in before we share your NPI with nonaffiliated third parties for non-GLBA-exception purposes. We will obtain your written consent before any such sharing. |
| North Dakota & New York | Residents may have additional rights under state-specific financial privacy laws. Contact [email protected] to learn more. |
| All Other States | Your state insurance regulator may have adopted NAIC model regulations providing additional notice, opt-out, and accuracy rights. Contact us to learn about rights specific to your state. |
Section 5: How We Protect Your Information
BriteCo is committed to protecting your information from unauthorized access and disclosure. Our security program includes:
- Encryption: Personal data is encrypted in transit using TLS 1.2 or higher
- Access Controls: Role-based access controls limit employee access to personal information on a need-to-know basis. Protected access is required for all administrative systems handling personal information.
- Vendor Security Requirements: We contractually require third-party service providers handling personal information to maintain appropriate data security practices consistent with applicable law.
- Security Assessments: We conduct regular reviews of our data collection, storage, and processing practices, including periodic security assessments.
- Employee Training: All employees with access to personal information receive training on data privacy and security responsibilities.
- Incident Response: We maintain a documented incident response plan. In the event of a security breach, we will notify you as required by applicable state law (see Section 13).
No security system is 100% secure. We cannot guarantee that information you transmit to us will never be compromised. To help protect your account, we recommend using a strong password of at least 12 characters including letters, numbers, and special characters. For security concerns, contact [email protected].
Section 6: Your Privacy Rights
The rights available to you depend on your state of residence and applicable law. BriteCo will respond to verifiable consumer requests within the timeframes required by applicable law — generally 45 days from receipt of a verified request, extendable by an additional 45 days with notice where permitted.
6.1 Rights Available to All U.S. Residents
| Right | Description |
| Right to Know | Request the categories and specific pieces of personal information we have collected about you, the sources, and the purposes for which we use it. |
| Right to Correct | Request that we correct inaccurate personal information about you. |
| Right to Delete | Request deletion of personal information we have collected, subject to legal exceptions (e.g., information required to complete an insurance transaction or retain under state insurance regulations). |
| Right to Opt Out of Sale/Sharing | Opt out of the sale or sharing of your personal information with third parties for targeted advertising or other non-service purposes (see Section 7). |
| Right to Non-Discrimination | BriteCo will not deny you services, charge different prices, or provide a different level of quality because you exercised a privacy right. |
6.2 Additional Rights for California Residents (CCPA/CPRA)
| Right | Description |
| Right to Limit Use of Sensitive Personal Information | Direct BriteCo to limit use and disclosure of sensitive personal information to purposes necessary to provide the Services. |
| Right to Opt Out of ADMT | Opt out of BriteCo’s use of automated decision-making technology (ADMT) that produces legal or significant effects on you, including algorithmic insurance pricing. See Section 9.3 for details and consequences of opting out. |
| Right to Data Portability | Receive a copy of your personal information in a portable, machine-readable format. |
| Shine the Light | Request information about disclosures of personal information to third parties for direct marketing purposes in the prior calendar year (California Civil Code § 1798.83). |
6.3 Additional Rights for Colorado, Connecticut, Virginia, Indiana, Kentucky, Rhode Island, and Other Comprehensive State Law Residents
| Right | Description |
| Right to Data Portability | Receive your personal information in a portable, machine-readable format. |
| Right to Appeal | If BriteCo denies your privacy request, you may appeal within 60 days of receiving our denial. BriteCo will respond to appeals within the timeframe required by your state’s law, generally 45–60 days. |
| Right to Opt Out of Profiling | Opt out of processing of personal information for profiling in furtherance of solely automated decisions with legal or similarly significant effects. |
| Right to Opt Out of Targeted Advertising | Opt out of the use of your personal information for targeted advertising purposes. |
6.4 How to Submit a Privacy Request
You may submit a privacy rights request by:
- Email: [email protected] (subject line: “Privacy Rights Request”)
- Mail: BriteCo Privacy Team, 805 Greenwood St, Evanston, Illinois 60201
BriteCo will verify your identity before processing your request. We will not require you to create an account to submit a request. We will not charge a fee for a reasonable request, though we reserve the right to charge a fee if a request is manifestly unfounded or excessive.
Section 7: Do Not Sell or Share My Personal Information
BriteCo does not sell your personal information for monetary consideration.
To the extent BriteCo shares your personal information with third-party advertising partners or analytics providers through cookies or similar tracking technologies in a manner that constitutes a “sale” or “sharing” under applicable state law (including California’s CCPA/CPRA and the laws of Indiana, Kentucky, Rhode Island, and other applicable states), you may opt out by:
- (a) Email: Send a written request to [email protected] with the subject line “Do Not Sell or Share My Personal Information”
- (b) Cookie Preference Center: Adjust your cookie preferences through BriteCo’s cookie preference center (where available on the BriteCo website)
- (c) Global Privacy Control (GPC): BriteCo honors GPC browser signals as an opt-out of sale/sharing for residents of all states where this is required by law, including California, Colorado, Connecticut, Montana, Oregon, Texas, Indiana, Kentucky, Rhode Island, and others. BriteCo will not require you to take additional steps once a GPC signal is detected.
We will process opt-out requests within 15 business days (California), or within the timeframe required by applicable law for other states.
Section 8: Cookies and Tracking Technologies
When you use our websites, we may use cookies and other tracking technologies to collect information about your browsing activity.
| Cookie Type | Purpose | Examples | Can Be Disabled? |
| Strictly Necessary | Required for website function | Login sessions, security tokens | No |
| Functional | Remember preferences and settings | Language preference, appraisal tool state | Yes (reduced functionality) |
| Analytics | Understand how visitors use the site | Google Analytics, internal analytics | Yes |
| Marketing / Targeting | Deliver relevant advertising | Third-party ad pixels, retargeting | Yes |
| Performance | Helps in delivering a better user experience for the visitors. | Third-party performance apps | Yes |
Managing Cookies. You can control cookies through your browser settings or, where available, through BriteCo’s cookie preference center. Disabling certain cookies may affect website functionality.
Global Privacy Control (GPC). BriteCo treats GPC browser signals as a request to opt out of the sale or sharing of personal information, for residents of all applicable states. This applies to California, Colorado, Connecticut, Montana, Oregon, Texas, Indiana, Kentucky, Rhode Island, and all other states requiring GPC recognition.
Third-Party Tracking Technologies. Our websites may include tracking technologies from third-party analytics and advertising providers. BriteCo does not control these technologies and is not responsible for third parties’ privacy practices. We encourage you to review the privacy policies of third-party providers.
Do Not Track. BriteCo does not currently respond to browser-based “Do Not Track” signals because no universally accepted standard exists. We do, however, honor GPC signals as described above.
Section 9: Artificial Intelligence and Automated Processing
BriteCo may use artificial intelligence (AI), machine learning, and other automated technologies in connection with our Services. This section describes how we use automated systems and your rights with respect to automated decisions.
9.1 How We Use Automated Systems
| Use Case | Description | Data Used |
| Insurance Quoting | Algorithmic pricing models generate real-time insurance quotes | Item value, item type, location, applicant information |
| Underwriting Support | AI-assisted tools assess risk to support underwriting decisions | Application data, submitted data, credit information |
| Appraisal Processing | Automated processes generate appraisal reports from submitted data | Item description, photographs, appraisal values |
| Fraud Detection | Automated systems detect potentially fraudulent applications and claims | Application data, behavioral signals, device information, claims patterns |
| Claims Routing & Assessment | AI tools support routing, review, and initial assessment of insurance claims | Claims data, policy data, submitted documentation |
9.2 Automated Decision-Making: Your Rights
No decision producing a legal or similarly significant effect on you — including denial of coverage, cancellation of a policy, or a material increase in premium — will be made solely through automated means without the opportunity for human review.
If you believe an automated decision has negatively affected you, contact [email protected] to request human review. BriteCo will acknowledge your request within 5 business days and complete the human review within 45 days.
9.3 California Residents — ADMT Opt-Out (Effective January 1, 2026)
Under California’s CPRA, California residents have the right to opt out of BriteCo’s use of automated decision-making technology (ADMT) for decisions that produce legal or similarly significant effects, including insurance pricing.
| What Opting Out Means in Practice:
• BriteCo uses algorithmic models to generate instant online insurance quotes, considering your item’s appraised value, item type, geographic location, and other rating factors.
• If you opt out of ADMT, BriteCo cannot provide an instant automated quote. Your application will be routed to a licensed underwriter for manual review, typically taking 5-10 business days.
• You may exercise this right at any time. Mid-term changes may require a new underwriting review. |
To exercise your ADMT opt-out right, contact [email protected] with the subject line “ADMT Opt-Out Request.”
9.4 Submitted Content and AI
Photos of jewelry or other items you submit through our Services may be processed by AI-powered image recognition tools to support appraisal and insurance services.
| BriteCo does not use your submitted content, insurance application data, or claims information to train general-purpose, commercial AI models for sale or licensing to third parties, without your separate, explicit consent. |
Section 10: Children’s Privacy
Our Services are not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe that we have inadvertently collected information from a child under 13, please contact us immediately at [email protected] and we will promptly delete that information.
For consumers between the ages of 13 and 17 in states with specific minor protections (including New Jersey and Maryland): We do not use personal information of consumers we know to be minors for targeted advertising or behavioral profiling without affirmative parental consent. Contact [email protected] with questions about data practices involving a minor’s information.
Section 11: Illinois Biometric Data Notice
BriteCo is headquartered in Illinois and is subject to the Illinois Biometric Information Privacy Act (BIPA), which regulates the collection, use, and storage of biometric identifiers and biometric information (including fingerprints, retina scans, voiceprints, and facial geometry).
BriteCo does not intentionally collect biometric identifiers or biometric information through the BriteCo Site or its standard insurance services. Photographs of jewelry items submitted through our Services are not biometric data.
If you believe BriteCo has inadvertently collected your biometric data, please contact [email protected] immediately.
Notice to Jeweler Partners: Retail jewelers and other partners using BriteCo’s appraisal platform are independently responsible for their own BIPA compliance obligations, including obtaining required written consent from their customers before using any biometric scanning or recognition technology in connection with BriteCo’s platform.
Section 12: Data Retention
BriteCo retains your personal information for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements.
| Data Type | Retention Period | Basis |
| Insurance application data | Duration of policy + 7 years | State insurance regulatory requirements |
| Active policy data | Duration of policy + 7 years | State insurance regulatory requirements |
| Claims data | 7 years after claim resolution | State insurance regulatory requirements |
| Appraisal data | 7 years from appraisal date | State insurance regulatory requirements |
| Payment information | As required by PCI-DSS and applicable law | Financial regulations |
| Website usage / analytics data | Up to 24 months | Legitimate business interest |
| Marketing communications records | Until opt-out or account deletion | Consent |
| Deleted account data | 90 days post-deletion, then purged | Backup and recovery |
| AI / automated decision records | 3 years from decision date | Regulatory and legal accountability |
After the applicable retention period, BriteCo will securely delete or anonymize your personal information. Certain data may be retained longer if required by law, ongoing legal proceedings, or regulatory requirements.
Section 13: Data Breach Notification
In the event of a security incident resulting in unauthorized access to or disclosure of your personal information, BriteCo will notify affected individuals and applicable regulatory authorities as required by the laws of your state of residence.
| State | Notification Timeline |
| Illinois | As soon as reasonably possible and without unreasonable delay |
| California | In the most expedient time possible; sensitive personal information incidents trigger notification regardless of harm threshold; generally within 45 days |
| New York | Without unreasonable delay |
| Colorado and Oregon | Within 30 days of determining that a breach occurred |
| All Other States | Per applicable state breach notification law; all 50 states have enacted breach notification requirements |
Notifications will be provided via email to the address associated with your BriteCo account, or by mail if email is unavailable. Notification content will comply with applicable state law and will include a description of the incident, the information involved, the steps we are taking, and steps you may take to protect yourself.
To report a suspected security incident or unauthorized access, contact [email protected] immediately.
Section 14: Links to Third-Party Websites
Our websites may include links to third-party websites whose privacy practices differ from BriteCo’s. Information you submit to those sites is governed by their privacy policies, not this one. We encourage you to review the privacy policy of any website you visit.
Social media widgets and features on our sites (such as share or like buttons) may collect your IP address and set cookies; your interactions with such features are governed by the providing company’s privacy policy.
Section 15: Changes and Updates to This Privacy Policy
We may revise this Privacy Policy from time to time. If we make material changes, we will notify you by email (to the address on your account) or by posting a notice on our website.
Your continued use of our Services after a revised Privacy Policy becomes effective constitutes your acceptance of the changes. We will maintain a version history of prior policies accessible upon request.
Section 16: Contact Us
| BriteCo Privacy Team
805 Greenwood St, Evanston, Illinois 60201 Privacy Requests: [email protected] (subject: “Privacy Rights Request”) ADMT Opt-Out: [email protected] (subject: “ADMT Opt-Out Request”) Do Not Sell/Share: [email protected] (subject: “Do Not Sell or Share”) Security Incidents: [email protected] (subject: “Security Incident”) General Inquiries: [email protected] |
