Subcontext Consumer Notice
This notice explains how the Subcontext platform handles your information when you interact with an insurance quote, application, or support journey that is powered by our technology — for example a chat window, an online quote form, a help pop-up, or an SMS, WhatsApp, or phone conversation.
It is written once and applies to every business that uses Subcontext, so it does not name a specific company. The business whose service you are actually using — the broker, insurer, or other firm — is referred to throughout as the Provider.
Important: This notice is supplementary. The Provider you are dealing with is responsible for your information and decides how it is used (it is the "data controller"). The Provider's own privacy policy is the primary document and governs your relationship with them. This notice simply explains the technology layer that sits behind the Provider's journey, so you can see how the platform and its suppliers process your data. Where the two documents overlap, the Provider's policy and your rights against the Provider take precedence.
1. About Subcontext and our role
Subcontext Ltd ("Subcontext", "we", "us") provides the technology that powers the Provider's customer journey. We act as a data processor, meaning we process your information only on the Provider's documented instructions and on their behalf. We do not decide what your data is collected for, and we do not sell it.
Subcontext company details:
- Registered name: Subcontext Ltd, a company registered in England and Wales (Company No. 17019645)
- Registered office: 124 City Road, London, EC1V 2NX
- Registered with the Information Commissioner's Office under reference ZC098511
- Contact for this notice: hello@subcontext.com
2. The experience this notice covers
Subcontext powers the interactive parts of a Provider's journey, which may include any of:
- A chat window ("webchat") embedded on the Provider's website or mini-site.
- An online quote and application form ("quoteform").
- An inline help assistant that explains a form field when you click for guidance ("formguide").
- Conversations continued over SMS, WhatsApp, email, or phone/voice.
These are delivered as embedded components on the Provider's pages, or through messaging and voice channels connected to the platform.
3. Information the platform processes
When you use a Subcontext-powered journey, the platform processes two kinds of information on the Provider's behalf.
(a) Information you provide. Whatever you enter into the chat, form, or messages — for example your name, contact details, the answers you give (which, for insurance, can include health and lifestyle information), free-text you type, and any payment details you submit. What is collected and why is determined by the Provider and explained in the Provider's privacy policy.
(b) Information collected automatically. To run the journey securely and reliably, the platform also records technical information, including:
- Your IP address and browser/device user-agent.
- A randomly generated visitor identifier and a session token, which we store in your browser's local storage so we can recognise your session and keep your conversation connected (see Section 7).
- The page or context you started from (for example which product or form you were viewing).
- Usage and security logs of requests to the platform, which may include request and response details (with sensitive fields such as passwords and full card numbers filtered out).
- A full transcript of your conversation, including the messages you send and the assistant's replies. Because you may type personal or health information into the conversation, the transcript can contain that information.
4. How the AI assistant works
The Provider's journey may be guided by an AI assistant. So you understand what that involves:
- Chat (text): Your messages — together with the conversation so far and the assistant's instructions — are sent to a third-party large-language-model service, Amazon Web Services (AWS) Bedrock, hosted in the EU/UK region, which generates the assistant's replies and helps prepare indicative quotes. Because you may share personal or health information in the chat, that content is included.
- Voice (phone): If you speak to an AI voice assistant, the live call audio is streamed to OpenAI's Realtime service to understand and respond to you in real time.
- Indicative quotes shown during the journey are generated automatically from the information you provide.
- Human help is always available: you can ask to speak to a person, and the platform supports handing your conversation over to one of the Provider's human advisers. Final decisions that significantly affect you are subject to that human review.
We do not use your conversations to train Subcontext's own AI models. The model providers above process your data under contract and on our instructions.
5. Suppliers we use (sub-processors)
The platform relies on the following suppliers ("sub-processors") to deliver the service. Each processes only the data needed for its function, under contract:
| Supplier | What it's used for | Data involved | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting, file/document storage (S3), and outbound email delivery (SES) | All platform data; emailed documents | UK/EU (eu-west-1) |
| AWS Bedrock | AI text chat / assistant responses | Conversation content (may include health info) | UK/EU (eu-west-1) |
| OpenAI | Real-time AI voice calls only | Live call audio | United States |
| Twilio | SMS, WhatsApp, and voice connectivity | Phone number, message content, call audio | United States / global |
| Stripe | Card payment processing | Payment card and transaction details (entered directly into Stripe) | United States / global |
| Data8 | UK address lookup and phone-number validation | Postcode, address, phone number | United Kingdom |
This list can change as the platform evolves; this notice is updated when it does. No third-party advertising or analytics tracking services are used in the journey.
6. International transfers
Platform data is hosted in the UK/EU region (eu-west-1). Some suppliers listed above — in particular Stripe, Twilio, and OpenAI (for voice) — may process data outside the UK. Where that happens, the transfer is protected by appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or a UK adequacy decision.
7. Cookies and local storage
The embedded journey uses your browser's local storage to keep a session token and visitor identifier. These are strictly necessary to run the conversation — without them we could not keep your chat connected or recognise your session. They are not used for advertising, profiling, or cross-site tracking.
To display the journey, the page may also load a small number of third-party scripts and resources, including Stripe.js (for secure card entry), web fonts, and embedded video players (YouTube/Vimeo) where the Provider includes them. The platform does not load advertising or analytics trackers.
8. How we keep your data secure
- Encryption in transit: all connections use TLS/HTTPS.
- Encryption at rest: particularly sensitive data — such as bank account details captured for Direct Debit and any medical evidence documents — is encrypted where it is stored.
- Access controls and audit logging: access is restricted and administrative actions are logged.
- Regional hosting: data is held in the UK/EU region.
9. How long platform data is kept
Information collected through the journey is retained on the Provider's behalf for as long as the Provider requires it — see the Provider's privacy policy for their retention periods. In addition:
- Voice-call recordings (where calls are recorded) are kept for a configurable retention period and then automatically deleted.
- Security and usage logs are kept for a limited period to protect the service and investigate problems.
10. Your rights
Because the Provider is the controller of your information, you exercise your data-protection rights (such as access, correction, deletion, or objection) through the Provider — their privacy policy explains how. When the Provider asks us to action a request on their instruction, we will help them do so. We process your data only on the Provider's instructions and do not use it for our own purposes.
If you want to raise something directly about the platform, you can contact us at hello@subcontext.com, and we will direct it appropriately.
11. Changes to this notice
We may update this notice as the platform or its suppliers change.