Privacy Policy

Effective Date: June 8, 2026
Last Updated: June 8, 2026

This Privacy Policy describes how Hughes Cornerstone Insurance (“Company,” “we,” “us,” or “our”) collects, uses, discloses, and otherwise processes the personal information of individuals who visit our website at www.hughescornerstone.com (together with all of the pages embedded in this website under the www.hughescornerstone.com domain, collectively, the “Site”) or otherwise interact with us, including prospective clients, prospective employees, and other visitors. This Privacy Policy also explains the rights you may have regarding your personal information under applicable privacy laws.

We are committed to transparency and to providing you with a meaningful understanding of our data practices. We encourage you to read this Privacy Policy carefully. If you have questions, please contact us using the information provided at the end of this policy.

Scope of This Policy

This Privacy Policy applies to personal information we collect through our Site, email communications, contact forms, and other interactions with us. It covers all individuals whose personal information we process, including website visitors, prospective and current clients, prospective acquisition partners, job applicants, and prospective employees.

As our business grows and our data practices evolve, we will update this Privacy Policy accordingly. We encourage you to review this policy periodically.

Categories of Personal Information We Collect

In the preceding 12 months, we have collected the following categories of personal information from consumers, as defined by Civil Code section 1798.140:

Identifiers. This includes your name, email address, postal address, phone number, and similar contact details that you provide through our Site contact forms (“Contact Us,” “Learn More,” or similar forms) or through direct communications with us.

Internet or Other Electronic Network Activity Information. This includes information about your interactions with our Site, such as your IP address, browser type and version, device identifiers, operating system, referring URLs, pages viewed, links clicked, date and time of your visit, and other browsing data collected through cookies, pixels, and similar tracking technologies.

Professional or Employment-Related Information. If you inquire about employment opportunities or submit an application through our Site, this may include your resume, cover letter, work history, professional qualifications, and related information.

Inferences Drawn from Personal Information. We may draw inferences from the information listed above to create a profile reflecting your preferences, interests, or other characteristics, such as your interest in our services or employment opportunities.

We do not currently collect sensitive personal information as defined by Civil Code section 1798.140(ae), including Social Security numbers, financial account information, precise geolocation data, racial or ethnic origin, health information, or biometric data.

Sources of Personal Information

We collect personal information from the following categories of sources:

Directly from you. When you submit a form on our Site, send us an email, communicate with us by phone or in person, or otherwise voluntarily provide information to us.

Automatically from your devices. When you visit our Site, we automatically collect certain information through cookies, pixels, web beacons, and similar technologies deployed on our Site or by our third-party analytics providers.

Third-party analytics and advertising providers. We may receive information about your website activity from analytics services such as Google Analytics that help us understand how visitors use our Site.

Purposes for Collection and Use

We collect and use personal information for the following specific business and commercial purposes:

Responding to inquiries and communications. To respond to your questions, requests for information, or other communications submitted through our contact forms or by email.

Providing information about our services. To share information about our back-office administrative services for insurance businesses with prospective clients and acquisition partners who express interest.

Website analytics and improvement. To understand how visitors interact with our Site, identify trends, diagnose technical issues, and improve our Site’s functionality and user experience.

Recruitment and talent acquisition. To evaluate job applicants and prospective employees, communicate about employment opportunities, and manage our hiring process.

Security and fraud prevention. To detect, investigate, and prevent fraudulent or unauthorized activity on our Site, and to protect the rights and safety of our users and our business.

Legal compliance. To comply with applicable laws, regulations, legal processes, or enforceable governmental requests.

Business operations. To facilitate business transactions, including potential mergers, acquisitions, or asset sales, where personal information may be reviewed as part of due diligence.

Cookies, Pixels, and Tracking Technologies

Our Site uses cookies, pixels, and similar tracking technologies. These technologies fall into the following categories:

Strictly Necessary Cookies. These cookies are essential for our Site to function properly and cannot be switched off. They include cookies that enable basic functions like page navigation, secure access, and session management. These cookies do not collect personal information used for marketing purposes.

Analytics Cookies. We use third-party analytics services, which may include Google Analytics, to collect information about website traffic and usage patterns. These cookies help us understand which pages are visited, how long visitors spend on the Site, and how visitors navigate between pages. Analytics providers may set their own cookies on your device.

Advertising and Tracking Pixels. Our Site may include pixels or tags provided by third-party advertising platforms. These technologies may collect information about your browsing behavior to deliver relevant advertisements or measure advertising effectiveness.

Important Notice Regarding “Sharing” Under the CCPA. The use of third-party analytics and advertising technologies on our Site may constitute “sharing” of personal information as defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), because these technologies may transmit personal information (such as device identifiers, IP addresses, and browsing behavior) to third parties for cross-context behavioral advertising purposes. You have the right to opt out of this sharing as described in the “Your Privacy Rights” section below.

Global Privacy Control (GPC). We honor opt-out preference signals, including the Global Privacy Control, as valid requests to opt out of the sale or sharing of personal information. When we detect a GPC signal from your browser, we will treat it as a request to opt out of the sale and sharing of personal information associated with that browser or device. You can enable GPC through supported browsers or browser extensions. For more information about GPC, visit https://globalprivacycontrol.org.

Categories of Third Parties Receiving Personal Information

We may disclose personal information to the following categories of third parties:

Service providers and contractors. We engage service providers and contractors who process personal information on our behalf to perform services such as website hosting, email delivery, data analytics, and information technology support. These parties are contractually obligated to use personal information only for the purposes specified in our agreements with them.

Analytics providers. We disclose internet or electronic network activity information to third-party analytics providers to help us understand and improve our Site.

Advertising networks. If we use advertising pixels or similar technologies, information about your website activity may be transmitted to advertising networks for purposes of targeted advertising and campaign measurement.

Professional advisors. We may disclose personal information to our attorneys, accountants, auditors, and other professional advisors as necessary for our business operations.

Legal and regulatory authorities. We may disclose personal information to government entities or regulators as required by law, regulation, legal process, or enforceable governmental request.

Business transaction parties. In connection with a merger, acquisition, divestiture, reorganization, or similar business transaction, we may disclose personal information to prospective transaction parties and their advisors subject to confidentiality obligations.

Sale or Sharing of Personal Information

We do not sell personal information for monetary consideration.

However, our use of certain third-party analytics and advertising technologies may constitute “sharing” of personal information under the CCPA, which defines “sharing” to include disclosing personal information to a third party for cross-context behavioral advertising. In the preceding 12 months, the following categories of personal information may have been shared with advertising networks and analytics providers:

  • Internet or other electronic network activity information (e.g., browsing behavior, device identifiers, IP addresses)

You have the right to opt out of this sharing. To exercise this right, please see the “Your Privacy Rights” section below or click the “Do Not Sell or Share My Personal Information” link in our Site footer.

We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

Sensitive Personal Information

We do not currently collect or process sensitive personal information as defined by the CCPA. If our practices change in the future, we will update this Privacy Policy and provide a “Limit the Use of My Sensitive Personal Information” link as required by law.

Data Retention

We retain personal information only for as long as reasonably necessary to fulfill the purposes for which it was collected, or as required by applicable law. Our general retention periods are as follows:

Contact form submissions (identifiers and professional information). We retain this information for up to 3 years from the date of collection or your last interaction with us, unless a longer retention period is required for legal compliance or to establish, exercise, or defend legal claims.

Internet or electronic network activity information (analytics data). We retain analytics and tracking data for up to 24 months from the date of collection, consistent with the default retention settings of our analytics tools.

Job applicant information. We retain employment-related personal information for up to 5 years from the date the relevant position is filled or the date we receive your information, whichever is longer, to comply with record-keeping requirements under applicable employment laws and to consider you for future opportunities.

When the applicable retention period expires, we will securely delete or de-identify personal information unless retention is required by law.

Your Privacy Rights

Rights of California Residents

If you are a California resident, you have the following rights under the CCPA:

Right to Know. You have the right to request that we disclose the categories of personal information we have collected about you, the categories of sources from which we collected it, the purposes for collection, the categories of third parties to whom we have disclosed it, and the specific pieces of personal information we have collected about you.

Right to Delete. You have the right to request that we delete the personal information we have collected from you, subject to certain exceptions permitted by law (for example, where retention is necessary for legal compliance, to complete a transaction, or to detect security incidents).

Right to Correct. You have the right to request that we correct inaccurate personal information that we maintain about you.

Right to Opt Out of Sale/Sharing. You have the right to direct us to stop selling or sharing your personal information. You may exercise this right by:

  • Clicking the “Do Not Sell or Share My Personal Information” link in our Site footer;

  • Enabling the Global Privacy Control (GPC) signal in your browser; or

  • Contacting us using the methods described below.

When you opt out, we will cease sharing your personal information with third parties for cross-context behavioral advertising. We will process your opt-out request within 15 business days of receipt.

Right to Limit Use of Sensitive Personal Information. Because we do not currently collect or use sensitive personal information for purposes beyond those specified in the CCPA regulations (Section 7027(m)), this right does not currently apply to our processing activities.

Right to Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights. We will not deny you goods or services, charge different prices or rates, provide a different level or quality of service, or suggest that you will receive a different price or level of quality for exercising your rights.

How to Exercise Your Rights

To submit a request to know, delete, or correct your personal information, you may contact us using the information provided in the “Contact Us” section at the end of this policy.

You may make a verifiable consumer request to know or for data portability up to twice within a 12-month period. We will acknowledge your request within 10 business days and respond substantively within 45 calendar days. If we require additional time, we will notify you and may take up to 90 calendar days total.

To verify your identity, we may ask you to provide information that matches the personal information we have on file. We will only use information provided in a verification request to verify your identity or authority to make the request.

Authorized Agents

You may designate an authorized agent to submit a request on your behalf. If an authorized agent submits a request, we may require the agent to provide proof of signed written authorization from you, and we may require you to verify your own identity directly with us or confirm that you authorized the agent to act on your behalf.

Job Applicants and Prospective Employees

Since January 1, 2023, the CCPA’s protections fully apply to job applicants and employees. If you visit our Site to explore career opportunities or submit your information in connection with a potential employment relationship, the personal information you provide is subject to this Privacy Policy and the rights described herein.

We collect the following categories of personal information from job applicants: identifiers (name, email, phone number), professional or employment-related information (resume, work history, qualifications), and education information. We use this information solely for recruitment, evaluation, and communication purposes related to potential employment.

We do not sell or share job applicant personal information for cross-context behavioral advertising. We may disclose applicant information to service providers that assist with our recruitment process, such as applicant tracking systems and background check providers (where applicable and with appropriate notice).

As our recruiting activities expand, we will provide a supplemental Job Applicant Privacy Notice with additional detail regarding the specific categories of information collected, purposes of use, and applicable retention periods.

Other State Privacy Laws

In addition to California, we recognize that residents of other states may have privacy rights under their respective comprehensive data privacy laws. This section summarizes how we address the requirements of select state laws that are particularly relevant given our operations, client base, and workforce.

Texas Data Privacy and Security Act (TDPSA)

The Texas Data Privacy and Security Act (Tex. Bus. & Com. Code Ch. 541) took effect July 1, 2024, and applies to entities that conduct business in Texas or produce products or services consumed by Texas residents, that process or sell personal data, and that are not classified as a small business under the U.S. Small Business Administration definition. Financial institutions subject to the Gramm-Leach-Bliley Act are exempt from the TDPSA at the entity level.

If you are a Texas resident and we are subject to the TDPSA with respect to your personal data, you have the right to: confirm whether we are processing your personal data; access your personal data in a portable format; correct inaccuracies; request deletion; and opt out of processing for targeted advertising, the sale of personal data, or profiling that results in decisions concerning financial or lending services, insurance, healthcare, employment, or access to basic necessities. We will respond to authenticated consumer requests within 45 days. You may also designate an authorized agent, including through a universal opt-out mechanism such as Global Privacy Control, to exercise opt-out rights on your behalf. We honor GPC signals as valid opt-out requests under the TDPSA as of January 1, 2025.

The Texas Attorney General has exclusive authority to enforce the TDPSA, and civil penalties of up to $7,500 per violation may be imposed following a 30-day cure period. On January 13, 2025, the Texas AG filed its first TDPSA enforcement action, signaling active enforcement of the statute. There is no private right of action under the TDPSA.

Note: Because the TDPSA exempts entities subject to GLBA, if and when our operations become subject to GLBA as an insurance administrative services provider, portions of our personal data processing may fall outside the TDPSA’s scope. We will update this policy as our regulatory posture evolves.

New Jersey Data Privacy Act (NJDPA)

The New Jersey Data Privacy Act (N.J. Stat. § 56:8-166.4 et seq.) took effect January 15, 2025. It applies to controllers that conduct business in New Jersey or produce products or services targeted to New Jersey residents and that, during a calendar year, either (a) control or process the personal data of at least 100,000 New Jersey consumers (excluding data processed solely for completing payment transactions), or (b) control or process the personal data of at least 25,000 New Jersey consumers and derive revenue or receive a discount from the sale of personal data. Unlike most state privacy laws, the NJDPA applies to nonprofit organizations and does not include a revenue threshold.

The NJDPA exempts financial institutions subject to GLBA and insurance institutions subject to the New Jersey Insurance Information Practices Act. However, personal data not governed by those exemptions (such as website analytics data and marketing data from visitors who have not applied for insurance products) remains subject to the NJDPA.

If you are a New Jersey resident and we meet the applicable thresholds, you have the right to: confirm whether we process your personal data and access it; correct inaccuracies; request deletion; obtain a portable copy; and opt out of targeted advertising, sale of personal data, and profiling. Controllers must honor universal opt-out mechanisms (including GPC) as of July 15, 2025, and must process opt-out requests within 15 days—notably shorter than most other state laws.

The NJDPA requires opt-in consent before processing sensitive data, which includes financial information (a broader definition than most state laws), racial or ethnic origin, health data, precise geolocation, biometric data, and personal data of known children. Financial information under the NJDPA includes account numbers combined with security codes or passwords that would permit account access.

The New Jersey Attorney General has exclusive enforcement authority. During the first 18 months (through approximately July 2026), a 30-day cure period applies. Violations constitute a violation of the New Jersey Consumer Fraud Act, carrying penalties of up to $10,000 for initial violations and $20,000 for subsequent violations. Proposed implementing regulations were published on June 2, 2025, with a comment period closing August 1, 2025; final regulations are expected in 2026.

New York Privacy Landscape

New York does not yet have a comprehensive consumer privacy law comparable to California’s CCPA. Multiple versions of a “New York Privacy Act” have been introduced since 2019, but none has passed as of June 2026. The most active versions (S3044, A8158) advanced through committee in the 2025-2026 session but have not reached a floor vote. Businesses should monitor this legislation, as passage would likely create rights to access, correction, deletion, and opt-out of targeted advertising and data sales.

Notwithstanding the absence of an omnibus law, New York imposes significant privacy and security obligations through layered, targeted statutes:

SHIELD Act (N.Y. Gen. Bus. Law §§ 899-aa, 899-bb). The Stop Hacks and Improve Electronic Data Security Act applies to any person or business that owns or licenses computerized data containing the “private information” of a New York resident, regardless of where the business is located. There is no revenue or employee threshold. The SHIELD Act requires businesses to (1) implement and maintain reasonable administrative, technical, and physical safeguards and (2) notify affected residents within 30 days of discovering a breach (as amended effective December 21, 2024). Private information includes names combined with Social Security numbers, financial account numbers, biometric data, login credentials, and—as of March 21, 2025—medical information and health insurance information. Penalties include up to $5,000 per violation for failure to maintain safeguards and $20 per instance of failed notification (capped at $250,000).

For a company in the insurance administrative services space, the March 2025 expansion to include medical and health insurance information is particularly relevant, as policyholder claims data and explanation-of-benefits records now qualify as protected private information under the SHIELD Act.

NYDFS Cybersecurity Regulation (23 NYCRR Part 500). The New York Department of Financial Services cybersecurity regulation applies to all entities operating under a license, registration, charter, or similar authorization under the Banking Law, Insurance Law, or Financial Services Law. If our company or our insurance company clients are licensed or authorized by NYDFS, compliance with Part 500 is required. Part 500 mandates a written cybersecurity program, designation of a CISO, annual penetration testing, multi-factor authentication, encryption of nonpublic information, 72-hour incident reporting to DFS, and annual compliance certification. The regulation was significantly amended effective November 1, 2023, with phased implementation through November 2025. DFS has actively enforced Part 500 against insurance companies, including recent consent orders against Delta Dental ($2.25 million, April 2026) and multiple auto insurers ($14.2 million multistate settlement, October 2025).

Employee Monitoring Disclosure (Labor Law § 52-c). New York requires private employers to provide written notice to employees upon hiring that telephone, email, and internet use may be monitored. This applies as we build our workforce in New York.

Illinois Privacy Laws

Biometric Information Privacy Act (740 ILCS 14) (BIPA). BIPA is the most consequential biometric privacy law in the United States because it provides a private right of action with statutory damages. BIPA requires private entities to: (1) develop a written policy establishing a retention schedule and guidelines for permanently destroying biometric identifiers and information; (2) inform individuals in writing of the specific purpose and duration of collection; (3) obtain a written release before collecting biometric identifiers or information; and (4) refrain from selling, leasing, trading, or otherwise profiting from biometric data. Statutory damages range from $1,000 per negligent violation to $5,000 per intentional or reckless violation, and class action settlements have reached into the hundreds of millions of dollars.

At this time, our Site does not collect biometric identifiers or information. However, if our operations expand to include biometric verification for employees (e.g., fingerprint-based timekeeping) or clients, BIPA compliance will be critical, particularly given that biometric data claims accrue per-scan under recent Illinois Supreme Court precedent.

Illinois Personal Information Protection Act (815 ILCS 530) (PIPA). PIPA requires data collectors that own, license, or maintain personal information of Illinois residents to implement and maintain reasonable security measures. It also requires breach notification to affected residents “in the most expedient time possible and without unreasonable delay” (but no later than any deadline imposed by federal law or a state regulator). PIPA covers personal information defined similarly to other state breach notification laws (name plus SSN, driver’s license number, financial account number, medical information, or biometric data). Violations are enforced by the Illinois Attorney General under the Consumer Fraud and Deceptive Business Practices Act.

How a Single Privacy Policy Can Address Multiple States

A comprehensive privacy policy can satisfy disclosure requirements across multiple state laws simultaneously, provided it includes the following elements that address the broadest requirements of any applicable state:

  • Categories of personal data collected and purposes of processing (required by CCPA, TDPSA, NJDPA, and all other state comprehensive privacy laws)

  • Categories of third parties receiving personal data (required by all state laws)

  • Consumer rights descriptions and exercise methods, including at least two methods for submitting requests (required by TDPSA, NJDPA)

  • Disclosure of sale/sharing activities and opt-out mechanisms including GPC recognition (required by CCPA, TDPSA, NJDPA, and over a dozen other states)

  • Sensitive data disclosures with opt-in consent mechanisms where required (NJDPA requires broader sensitive data consent than CCPA)

  • Data retention periods (required by CCPA/CPRA; best practice under all state laws)

  • Non-discrimination statement (universal requirement)

Where requirements diverge, separate supplemental notices may be needed. For example, the NJDPA’s 15-day opt-out processing timeline is shorter than the CCPA’s 15-business-day timeline and the TDPSA’s 45-day response window. Similarly, if we operate in New York, we may need separate incident response and data security documentation to comply with the SHIELD Act’s safeguard requirements and, if applicable, NYDFS Part 500.

Residents of any state with applicable privacy legislation who wish to exercise their rights may contact us using the information provided below, and we will respond in accordance with applicable law.

International Visitors

Our Site is intended primarily for visitors located in the United States. If you access our Site from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

If you are located in the European Economic Area, United Kingdom, or Switzerland and the General Data Protection Regulation (GDPR) or equivalent legislation applies to our processing of your personal information, you may have additional rights including the right to access, rectification, erasure, restriction of processing, data portability, and objection. For EU/EEA visitors, our legal basis for processing is typically legitimate interest (for website analytics) or consent (for non-essential cookies, where applicable). To exercise any applicable rights or raise concerns, please contact us at the address below.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. We will post any changes on this page and update the “Last Updated” date above. We encourage you to review this policy periodically.

In accordance with the CCPA, we will review and update this Privacy Policy at least once every 12 months. If we make material changes that expand our use of your personal information, we will provide prominent notice on our Site.

Future Compliance Updates

As our business scales, this Privacy Policy will be supplemented to address additional regulatory obligations, which may include:

  • Gramm-Leach-Bliley Act (GLBA) compliance once our operations involve the processing of nonpublic personal information of insurance consumers;

  • NAIC Model Law and state insurance privacy regulation compliance as applicable to our role as a provider of administrative services to insurance companies;

  • Multi-state privacy law requirements as we expand our operations and workforce across additional jurisdictions; and

  • Cybersecurity audit and risk assessment disclosures as required under CCPA regulations effective through 2030.

Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, or if you wish to exercise your privacy rights, please contact us:

Hughes Cornerstone Insurance
Email: neil@hughesci.com