Our Privacy Policy for Virginia Residents

Virginia Privacy Policy

Last Updated: January 1, 2023

This Virginia Privacy Policy applies to the processing of Virginia residents’ personal information (“consumer” or “you”) by Efinancial, LLC (“we,” “us,” or “our”). This Virginia Privacy Policy supplements and does not replace our website Privacy Policy and Terms of Use, and only applies to the extent the personal information is subject to Virginia’s privacy laws.

Collection and Use of Personal Information

We collect personal information identified in our general privacy policy and additional data noted below in the section titled “Collection and Use of Sensitive Personal Information” for the following purposes:

Help maintain the safety, security, and integrity of our website, information systems, databases and other technology assets;
Personalize the website experience and to deliver content and product and service offerings relevant to your interests;
Respond to legal requests;
Provide you with the services that you request, such as by completing transactions, processing registration, providing quotes, or processing your application for one of our products;
Communicate with you, such as responding to inquiries or providing you with information about products that may be of interest;
Maintain or improve the security of our website and information systems;
Support, personalize, and improve our website, products, and services.

We will not collect additional categories of personal information or use the personal information collected for materially different, unrelated, or incompatible purposes without providing notice.

Sale of Personal Information

We may obtain information about customers or potential customers from third parties. We use the information to market and offer products. We may also sell that information to other third parties.

In the preceding 12 months, we may have sold personal information to third parties to market insurance products that may be of interest to you.

To opt-out of sales, please submit a request using our privacy portal or call 888-305-783.

Targeted Advertising

We may also allow third parties to collect your personal information who then use that information to provide you targeted advertising. Our cookie policy has more information about how we use cookies.

To opt out of targeted advertising, please reject all cookies in our cookie preference center.

Your Rights

Virginia law provides you specific rights regarding your personal information, and we discuss below those rights and how you can exercise them. We understand the importance of these rights, and we will not discriminate against you for exercising them. You may only make a verifiable consumer request for access twice within a 12-month period.

Right to Access

You have the right to request that we confirm whether we have your personal data and, if we do, to provide you access to that data. You can also request that we provide you a copy of the personal data that you provided to us.

Once we process your verifiable consumer request, we will disclose the information you requested—unless an exception applies.

Right to Delete

Subject to some limitations, you also have the right to request that we delete any of your personal information that we have collected. Once we process your verifiable consumer request, we will delete your personal information from our records, unless an exception applies.

Right to Correct

Subject to some limitations, you have the right to request that we correct inaccurate information about you. If we received a verifiable consumer request, we will begin processing your request for correction. We may ask you to submit additional information to help us evaluate your contention that our information about you is not accurate. And, sometimes, we may delete your information rather than correcting it—but we will only do this if it will not negatively affect you, or you consent to the deletion.

Exercising Your Rights

We only honor verifiable consumer requests. We offer two ways to submit such a request:

Completing the form on our privacy portal.
Calling 888-305-7832.
Vendors. Submit requests using our vendor privacy portal.

When you use our online form, it will ask you for certain information. When information is designated as being mandatory, that means we will be unable to verify your identity (or the identity of your authorized agent) without it. We cannot respond to your request or provide you with personal information if we cannot both verify your identity or authority to make the request and confirm that personal information we have relates to you.

Security

We implement reasonable security practices and procedures to protect our assets from unauthorized access, destruction, modification, or disclosure. We have implemented various policies in data protection, threat prevention, application security, and security awareness and education to help guard against unauthorized access to our customers and company data. Please be aware that no data security practices can guarantee 100% security of the personal data you share with us.

Vulnerability Disclosure Policy

Introduction

Vericity, the parent of Efinancial, LLC, is committed to ensuring the security of the American public by protecting their information. This policy is intended to give security researchers clear guidelines for conducting vulnerability discovery activities and conveying our preferences about how to submit discovered vulnerabilities to us.

This policy describes what systems and types of research are covered under this policy, how to send us vulnerability reports, and how long we ask security researchers to wait before publicly disclosing vulnerabilities.

We encourage you to contact us to report potential vulnerabilities in our systems.

Authorization

If you make a reasonable faith effort to comply with this policy during your security research, we will consider your research to be authorized. Should legal action be initiated by a third party against you for activities conducted according to this policy, we will make this authorization known. We will work with you to quickly understand and resolve the issue, and Vericity will not recommend or pursue legal action related to your research.

Guidelines

Under this policy, “research” means activities in which you:

Notify us as soon as possible after you discover an actual or potential security issue.
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command-line access, or use the exploit to pivot to other systems.
Provide us with a reasonable amount of time to resolve the issue before you disclose it publicly.
Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, proprietary information, or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Prohibited testing methods

The following test methods are not authorized:

Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
Physical testing (e.g., office access, open doors, tailgating), social engineering (e.g., phishing, vishing), or any other non-technical vulnerability testing
High intensity scanning that may affect the availability of Vericity’s systems and services.

Scope

This policy applies to Vericity Inc systems only. No third-party systems, service providers, or partners are in scope, e.g., Salesforce.

Any services not expressly listed above, such as any connected services, are excluded from the scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, contact us at security@vericity.com before starting your research.

Though we develop and maintain other internet-accessible systems or services, we ask that active research and testing only be conducted on the systems and services covered by the scope of this document. If there is a particular system not in scope that you think merits testing, please contact us to discuss it first.

Reporting a vulnerability

We accept vulnerability reports sent to security@vericity.com. Please encrypt the email using our PGP Public Key. Reports may be submitted anonymously. If you share contact information, we will acknowledge receipt of your report within three business days.

Vericity Security_0x2B046F5A_public.asc
04 May 2022, 04:07 PM

What we would like to see from you (Optional)

To help us triage and prioritize submissions, we recommend that your reports:

Describe the location the vulnerability was discovered and the potential impact of exploitation.
Offer a detailed description of the steps needed to reproduce the vulnerability (proof of concept scripts and screenshots are helpful).
Be written in English, if possible.
Your disclosure plans, if any.
Your desire for public recognition (include your name and LinkedIn profile, if desired)

What you can expect from us

When you choose to share your contact information with us, we commit to coordinating with you as openly and quickly as possible.

We will acknowledge that your report has been received within three business days.
To the best of our ability, we will confirm the existence of the vulnerability to you and be as transparent as possible about what steps we are taking during the remediation process, including on issues or challenges that may delay resolution.
We will maintain an open dialogue to discuss issues.

Questions

Questions regarding this policy may be sent to security@vericity.com. We also invite you to contact us with suggestions for improving this policy.

Updates to this Policy

We reserve the right to amend this Virginia Privacy Policy at any time. We will post the updated policy on our website at www.efinancial.com and any changes will become effective when we do so.

Contact Us

If you have any questions or comments about this Virginia Privacy Policy, the ways in which we collect and use your personal information, your choices and rights regarding your information, or wish to exercise your privacy rights under Virginia law, please do not hesitate to contact us at 888-305-7832.