Effective date: December 28, 2018
Your personal information is important to us. That’s why we do so much to protect your information, while continually providing products and services you can count on.
The Policy is provided in a layered format so you can click through to the specific areas set out below. Alternatively, you can download a version of the policy (PDF).
About this policy
This Policy is issued on behalf of the Principal Financial Group (“Principal”, “we”, “us”, “our”). The Policy applies to this website, our mobile applications or online forms, and our producer websites that link to this Policy (together, “Digital Technologies”). Depending on the nature of our relationship with you (e.g., if you have purchased insurance products from us), other privacy policies may also apply.
Digital Technologies operated by non-Principal related entities may link to and from our website, but they may have different privacy policies from the one described here. We do not have control over, or responsibility for, the content or operation of the website of any non-Principal entity. These other sites may send their own cookies to your device, may independently collect data or solicit personal information, and may or may not have their own published privacy policies. Visitors should read the privacy statements of other websites they visit for information regarding their specific privacy practices.
Please take a few minutes to review this Policy before using our Digital Technologies. To the extent permissible under applicable law, by using our Digital Technologies you are consenting to the collection, use and disclosure of your information as set forth in this Policy. If you do not agree to be bound by this Policy, you may not access or use our Digital Technologies.
Principal collects personal information about you—information that can be used to identify you as an individual. Types of personal information we collect and use when you provide such information through our Digital Technologies include:
- Contact information – e.g., email address, physical address, telephone/fax number;
- Identity information – your name, date of birth, nationality, gender, photograph, identification number (e.g., passport number, tax number, social security number) or other information contained in identity-related documentation (e.g., passport, driver’s license, or birth certificate);
- Professional information – your occupational history, job title, or other professional information regarding the nature of our business relationship;
- Financial information – your income, assets, liabilities, tax residency, bank details, and other financial information, both current and historical;
- Transactional information – details about your accounts that you have with us and other details of products and services you have purchased from us;
- Contractual information – details about the products and services we provide to you;
- Technical information – details on the devices and technology you use;
- Communications information – information we obtain through letters, emails, telephone calls, conversations, social media interactions, or any other correspondence between us;
- Open Data and Public Records information – details about you that are available in public records or that are openly available on the internet;
- Usage information – information about how you use the products and services we provide to you;
- Medical and Health information – medical and health information required to provide the products and services you request.
The personal information collected varies depending upon the nature of your relationship with us, how you use the Digital Technologies, and the type of product or service you have with us.
For individuals that login as representatives of a business or corporate account, we may gather information based on your relationship with our organization for the purposes of providing customized online services.
For visitors who provide an email address or volunteer other information, such as contact information and/or site registration, we collect this information. Visitors who provide an email address may also be asked to provide feedback about our website via surveys. Additionally, visitors may receive periodic messages from us about new products and services or upcoming events. If you do not want to receive e-mail or other mail from us, please update your subscription and delivery services or click the “unsubscribe” link in the email correspondence received from us.
Connecting with Principal on social media sites
Mobile applications information
Information received from third parties
We may receive information about you from third parties such as consumer or other reporting agencies and medical or health care providers; or through your interactions with our affiliated companies. In addition, if you are on another website and you opt-in to receive information from us, that website will submit to us your email address and other information about you so that we may contact you as requested. We may supplement the information we collect about you through our Digital Technologies with such information from third parties in order to enhance our ability to serve you, to tailor our content to you and/or to offer you opportunities to purchase products or services that we believe may be of interest to you.
Cookies are used to store information on your computer and are a way to have your web browser "remember" specific bits of information about your previous visits to our site. They allow you to access secured information, conduct secured transactions, and take advantage of promotional opportunities. They are designed to help you have a better user experience within our website, and we use the information to improve our site content and site functionality.
Different websites store the information in cookies differently. Cookies allow us to identify your device, which in combination with other information we are collecting, may allow us to identify you personally. Any such information is stored in our protected systems and not in the cookie or on the Internet.
Cookies save you time as they help us to remember who you are and they help us to be more efficient. We can learn about what content is important to you and what is not. We can revise or remove web pages that are not of interest and focus our energies on content you want.
Types of cookies we use
We primarily use two types of cookies:
- Session cookies. These are temporary and expire when you leave our website or are inactive for a specified length of time. Session cookies allow the website to recognize you as you navigate between pages during a single browser session and allow you to use the website most efficiently.
- Persistent cookies. These store your preferences for a site, are stored on your computer, and are read by your browser each time you visit the website. They therefore enable the website to “recognize” you on your return, remember your preferences, and tailor services to you.
About spotlight tags
Spotlight tags analyze behavior of users who have previously clicked or viewed one of our online advertisements. Spotlight tags only collect anonymous, non-personally identifiable information, and at no time do spotlight tags record user name, password, email address, or Internet Protocol (IP) addresses. Spotlight activities are reported only if they are created by a user who meets the following three criteria:
- Clicks one of our ads and is redirected to our website, or views one of our ads and accesses our website later.
- Performs an activity on a page containing a spotlight tag.
- Performs this activity within 30 days of clicking and/or viewing one of our ads.
During some visits to our Digital Technologies we may collect session information, including page response times, download errors, what time you visited our website, how long you were on our website, if you've been to the website before, what web pages you visited, page interaction such as scrolling, clicks, and mouse overs, what type of browser you used to access our website and methods to browse away from the page. This information helps us identify ways to modify and improve our websites. Examples of information we collect and analyze include the Internet Protocol (IP) address or other unique identifier for the device you use to access the Internet, login email address, computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions and operating systems.
Principal considers the information collected through our Digital Technologies valuable. At this time, Principal does not respond to do-not-track signals or similar technologies sent by a browser setting. However, visitors will continue to have the ability to control cookie settings for Principal’s websites. The information we receive from your web browser and device may or may not be personally identifiable and we may combine it with other information.
How you can control what data is collected through cookies
The information we collect may depend on your web browser settings. Most browsers (Chrome, Safari, Firefox, Internet Explorer, etc.) automatically accept cookies, but you can usually alter the setting of your browser to prevent that; however, doing so may limit your access to certain sections of our website, including account information found behind the login.
If you do not wish to receive cookies, please refer to the help section of your browser to learn how to either block all cookies or receive a warning before a cookie is stored on your computer. In addition to altering the cookie settings on your browser, you can also install the Google Analytics Opt-out Add-on, which prevents Google Analytics from collecting information about your website visits.
How and why we use information collected through the Digital Technologies
We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:
- Where we need to perform the contract we are about to enter into or have entered into with you;
- Where it is necessary for our legitimate interests (i.e., we have a business or commercial reason for using your information) and your interests and fundamental rights do not override those interests;
- Complying with regulations that apply to us.
- Being efficient about how we fulfill our legal and contractual duties.
- Providing high quality customer service.
- Developing products and services, and what we charge for them.
- Defining types of customers for new products and services.
- Seeking your consent when we need it to contact you.
- Developing and improving the network security, efficiency and technical specification of our IT systems and infrastructure.
- Developing and improving how we deal with and manage financial crime.
- Providing our customers with high quality products, services and Digital Technologies features.
- Keeping our products, services and Digital Technologies features updated and relevant.
- Where we need to comply with a legal or regulatory obligation; or
- Where you consent.
We use your personal information for the following reasons:
- To provide and manage our products, services and Digital Technologies (including any online account with us).
- To create, process and deliver the accounts you hold with us or the products or services you receive from us.
- To comply with our legal and regulatory obligations (including verifying your identity and conducting identity and background checks for anti-money laundering, fraud, credit and security purposes) and to exercise our legal rights.
- To process transactions and carry out obligations arising from any contract entered into between you and us.
- To communicate with you and respond to your inquiries, including responding to complaints and attempting to resolve them.
- To exercise our rights in agreements and contracts to which we are a party.
- To administer auditing, billing and reconciliation activities and other internal and payment-related functions.
- To detect, investigate, report, and seek to prevent financial crime and to manage risk for us and our customers.
- To run our business in an efficient and proper way, including in respect of our financial position, business capability, corporate governance, audit, risk management, compliance, product development, strategic planning, marketing, and communications.
- To send you promotional and marketing materials, newsletters or other related communications (including making suggestions and recommendations to you about services that may be of interest to you).
- To conduct research and analysis to improve the quality of our marketing and the experience of and relationships with our customers.
- To administer and protect our business and our Digital Technologies (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).
- To develop, manage and improve our products, services and the Digital Technologies (including conducting research and analysis) and to test new products, services, and features of the Digital Technologies.
- Medical and Health Information for providing and servicing your policies, accounts, claims or contracts as allowed by the relevant laws protecting your privacy.
Failure to provide personal information
Where we need to collect personal information by law or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with services). In this case, we may have to cancel a product or service you have with us but we will notify you if this is the case at the time.
Change of purpose
We will only use your personal information for the uses and purposes set out above, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original uses and purposes. If we need to use your personal information for an unrelated purpose, we will notify you and will explain the legal basis which allows us to do so.
We may share your personal information to the following categories of recipient:
- With group companies and affiliates. We may share the information we collect about you with other member companies of Principal, including Principal Life Insurance Company, Principal National Life Insurance Company, Principal Global Investors and their affiliates for a variety of purposes. For example, we share information to assist us in providing service and account maintenance, to help us design and improve products and to offer products and services that may be of interest to you.
- With our service providers. We may disclose information to third party service providers that perform services for us in the processing or servicing of your account, or with third parties that perform marketing, research, or other services on our behalf. Third parties with whom we may have joint marketing agreements include financial services companies (such as other insurance companies, banks or mutual fund companies).
- With third parties as permitted or required by law. This includes disclosing your information to regulators, law enforcement authorities, tax authorities and credit bureaus. This information is only disclosed as required or permitted by law, and in accordance with established company procedures. We may transfer and disclose the information we collect about you to comply with a legal obligation, including responding to a subpoena or court order, to prevent fraud, to comply with an inquiry by a government agency or other regulator, to address security or technical issues, to respond to an emergency, or as necessary for other legal purposes.
- With our carefully selected business partners. We may share information with third parties that offer products or services that we believe may be of interest to you. Before we do so, we will provide you the opportunity to “opt out” or “opt in,” as required by applicable law so that you can say “no” to such sharing.
- As part of business transitions. In relation to an ongoing or proposed business transaction your information may be transferred to a successor organization. If such a transfer occurs, the successor organization’s use of your information will still be subject to this Policy and the privacy preferences you have expressed to us.
- With third party social media platforms and applications. We may provide functionality on our Digital Technologies that allows you to automatically post information to a third-party social media platform (such as Facebook, Twitter, or Pinterest). If you choose to take advantage of this functionality, people with access to your profile on the third-party platform will be able to see your post. Thus, you should have no expectation of privacy in those actions. Further, if you choose to link your profile on our Digital Technologies with an account on a third-party social media platform, we may share the information in your profile with that third-party platform. We may also use third-party social media platforms to offer you interest-based ads. To offer such ads, we may convert your email address into a unique value which can be matched by our partner company with a user on their platform. Although we do not provide any personal information to these platform vendors, they may gain insights about individuals who respond to the ads we serve.
- Agents and advisers who we use to help run your accounts and services, collect what you owe, and explore new ways of doing business;
- Fraud prevention agencies;
- Any party linked with you or your business’s product or service;
- Companies we have a joint venture or agreement with;
- Organizations that introduce you to us;
- Companies that we introduce you to;
- Companies you ask us to share your data with.
In addition, we may share non-personal (anonymized) information, such as aggregate data and Usage Information with other third parties.
How we protect your information
We understand the importance of appropriately safeguarding information you provide to us. It is our practice to protect the confidentiality of this information, limit access to this information to those with a business need, and not disclose this information unless required or permitted by law.
We have security practices and procedures in place to protect data entrusted to us. These procedures and related standards include limiting access to data and regularly testing and auditing our security practices and technologies.
All employees are required to complete privacy, security, ethics and compliance training. We also offer a wide variety of other training to all employees and temporary workers to help us achieve our goal of protecting your information.
For additional information regarding how we protect your information, please refer to the following:
Ultimately, no website, mobile application, database or system is completely secure or “hacker proof.” While no one can guarantee that your personal information will not be disclosed, misused or lost by accident or by the unauthorized acts of others, we continuously review and make enhancements to how we protect customer information.
Further, we cannot control dissemination of personal information you post on or through our Digital Technologies using any social networking tools we may provide and you should have no expectation of privacy in respect of such information.
Retention of data
It may not always be possible to completely remove or delete all of your information from our databases without some residual data because of backups and other reasons. We will retain your information for as long as your information is necessary for the purposes for which it was collected. For example, we may retain your personal data if it is reasonably necessary to comply with any legal obligations, meet any regulatory requirements, resolve any disputes or litigation, or as otherwise needed to enforce this Policy and prevent fraud and abuse. If requested by a law enforcement authority, we may also retain your personal data for a period of time.
To determine the appropriate retention period for the information we collect from you, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which we process the data, whether we can achieve those purposes through other means, and the applicable legal requirements.
Do Not Contact or Call Requests
We comply with all Federal regulations related to Do Not Call or Do Not Email requests by customers. If you do not wish to be contacted by mail, telephone, email or fax, you can indicate this on the Do Not Contact Form. We will not contact customers for the purpose of product sales based on the methods indicated on the Do Not Contact list. We retain the right to contact any customer for service-related issues.
Children’s privacy online
Our Digital Technologies are not directed toward children. We do not knowingly collect, use or post personal information from children under the age of 13. If we determine upon collection that a user is under this age, we will not use or maintain his or her personal information without parent or guardian consent. If we become aware that we have unknowingly collected personal information from a child under the age of 13, we will make reasonable efforts to delete such information from our records.
Under certain circumstances, you have rights under EU data protection laws in relation to your personal information:
- Right to withdraw consent at any time: This applies where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
- Request access to your personal data: This enables you to request a copy of the personal data we hold about you and to check that it is accurate and that we are processing it lawfully. This is not, however, an absolute right, and the interests of other individuals may restrict your right of access. For additional copies requested by employees, we may charge a reasonable fee based on administrative costs.
- Object to processing of your personal data: This enables you to object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. We will provide you with appropriate choices to opt-in or opt-out as set out above in our Policy.
- Request correction of your personal data: This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data: This enables you to ask us to delete or remove personal data where there is no lawful basis for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Request transfer of your personal data: This enables you to request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Request restriction of processing: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Right not to be subject to a decision based on automated profiling: This applies where the automated processing produces legal effects on you or similarly significantly affects you. Note, it does not apply if the decision: (a) is necessary for the performance of a contract between you and us; (b) is authorized by applicable law; or (c) is based on your explicit consent. However, where (a) or (c) applies, you have the right to obtain human intervention. You also have the right to be informed of the logic involved in such processes.
- Make a complaint: You have the right to make a complaint at any time to the relevant data protection supervisory authority in the EU member state in which you reside.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We require that your request be in writing. In addition, we may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within 30 days. Occasionally it may take us longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, we will notify you of a 60-day extension.
You have the right to make a complaint to the relevant data protection supervisory authority in the EU member state in which you reside. We would, however, appreciate the chance to deal with your concerns before you approach your supervisory authority. You may contact us at: CorpPrivacy@exchange.principal.com or Compliance Director PGIE, 1 Wood Street, London, EC2V 7JB.
The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”).
We share your personal data within the Principal Financial Group which will involve transferring your data outside the EEA. Furthermore, many of our external third parties are based outside the EEA so their processing of your personal data will involve a transfer of data outside the EEA.
Where we transfer personal data to a destination outside the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
- Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Effective date and changes to this Policy
We are continually improving and adding to the features and functionality of our website and the services we offer through our Digital Technologies. As a result of these changes (or changes in the law), we may need to update or revise this Policy. Accordingly, we reserve the right to update or modify this Policy at any time, without prior notice, or providing any notice required under applicable law, by posting the revised version of this Policy behind the link marked “Privacy” at the bottom of each page of this website and as may otherwise be made available on our Digital Technologies. To the extent permissible under applicable law, your continued use of our Digital Technologies after we have posted the revised Policy constitutes your agreement to be bound by the revised Policy. However, we will honor the terms that were in effect when we gathered data from you.
For your convenience, whenever this Policy is changed, we will update the Effective Date at the top of this policy. Be sure you check the Effective Date to see if this Policy has been revised since your last visit. We recommend that visitors to our site review our online privacy policies from time to time to learn of new privacy practices and changes to our policies.
You may access the current version of this Policy at any time by clicking the link marked “Privacy” at the bottom of each page of this website.
If you have any questions about this Policy, or about how we collect and use your personal information or if you would like to exercise any rights you may have in relation to your personal information, please contact us at: CorpPrivacy@exchange.principal.com or Compliance Director PGIE, 1 Wood Street, London, EC2V 7JB.