Privacy Policy

Effective Date: 11th February 2026

Last Modified: 11th February 2026

1. Introduction

Rehuman Ltd (“Rehuman”, “we”, “us”, or “our”), trading as Longbow Insurance Technology (“Longbow”), is committed to protecting the privacy and security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard personal data when you use the Longbow platform, visit our website (longbowtech.co.uk), or otherwise interact with our services.

This policy applies to all users of the Longbow platform, including insurance broker firms, their employees and authorised users, and visitors to our website.

2. About Longbow

Longbow is not an insurance provider, broker, underwriter, or regulated financial services firm. We do not sell, arrange, or underwrite insurance products, nor do we provide financial, legal, or professional advice. Our platform is a document processing and data management tool designed to improve operational efficiency for licensed insurance intermediaries. For full details of our regulatory status, please see our Regulatory Disclaimer.

3. Data Controller and Data Processor Roles

Understanding who is responsible for personal data is important. Longbow operates in two distinct roles depending on the type of data involved:

When We Act as Data Controller
We are the data controller for personal data collected through account registration, website visits, and direct communications with Longbow. This means we decide why and how this data is processed. Examples include broker employee names, email addresses, login credentials, and billing details. The processing of this data is governed by this Privacy Policy.

When We Act as Data Processor
We are a data processor when processing insurance documents uploaded by broker customers. This means the broker (our customer) determines the purposes and means of processing, and we act on their instructions. Examples include policyholder names, premium figures, and coverage terms contained in uploaded documents. The processing of this data is governed by this Privacy Policy and the Data Processing Agreement (DPA) with each broker customer.

Where we act as a data processor, the broker customer remains the data controller and is responsible for ensuring they have a lawful basis to share personal data contained in insurance documents with Longbow for processing.

4. Information We Collect

A. Account and Business Information (Controller Data)

•  Full name, job title, and business email address of authorised users
•  Company name, registered address, and business contact details
•  Login credentials (email and password, securely hashed)
•  Billing and invoicing information

B. Insurance Document Data (Processor Data)
When brokers upload documents to Longbow, our AI processing pipeline may extract personal data contained within those documents, including but not limited to:

•  Policyholder and insured party names, addresses, and contact details
•  Policy reference numbers, coverage terms, and premium information
•  Claims information and loss history
•  Any other personal data contained within uploaded insurance documents

We process this data solely on behalf of and under the instructions of the broker customer. We do not use insurance document data for any purpose other than providing the Longbow service.

C. Technical and Usage Data

•  IP address, browser type, device type, and operating system
•  Pages visited, features used, and interaction logs within the platform
•  Platform performance data, error logs, and session information

D. Communications Data

•  Support enquiries, feedback, and correspondence with our team
•  AI chatbot (Policy Assistant) interaction logs within the platform

E. Cookie Data

See Section 10 (Cookies and Analytics) for full details.

5. How We Use Your Information

A. To Provide and Operate the Longbow Platform

•  Process, extract, and structure data from uploaded insurance documents using our AI pipeline (OCR, document parsing, and LLM extraction)
•  Generate and manage intelligent data schemas for each policy type
•  Provide citation tracking to link extracted data back to source document
•  Operate the Policy Assistant chatbot for natural-language policy queries
•  Enable customer and policy management, search, and export functionality
•  Provide dashboard analytics, including time-savings and processing metrics

B. To Manage Accounts and Relationships

•  Create and manage user accounts and authentication
•  Process billing and invoicing
•  Provide customer support and respond to enquiries

C. To Improve and Develop the Platform

•  Monitor platform performance, diagnose technical issues, and maintain security
•  Analyse anonymised and aggregated usage patterns to improve features and user experience
•  Test new functionality with a subset of users

D. To Comply with Legal Obligations

•  Fulfil legal, regulatory, and compliance obligations
•  Respond to lawful requests from public authorities

Important: We do not sell your personal data. We do not use insurance document data for marketing, advertising, or any purpose unrelated to providing the Longbow service to the broker customer who uploaded it.

6. AI and Automated Processing

Longbow uses artificial intelligence throughout its document processing pipeline. This section explains how AI is used and what safeguards are in place.

How AI is Used

•  OCR (Optical Character Recognition) extracts raw text from uploaded documents in any format (PDF, DOCX, scanned images)
•  Document parsing structures the extracted text into machine-readable segments
•  Large language models (LLMs) analyse parsed content and extract key information based on policy-specific schemas
•  The Policy Assistant chatbot uses AI to answer natural-language queries about extracted policy data

Safeguards

•  AI outputs are presented for human review. Brokers verify extracted data against the original document using our side-by-side viewer and citation tracking before relying on or exporting any data.
•  Longbow does not make automated decisions that produce legal effects or similarly significant effects on individuals. All extracted data is subject to broker review and approval.
•  We do not use customer insurance document data to train general-purpose AI models. Document data is processed solely to deliver the service.

Third-Party AI Subprocessors:
Our AI processing pipeline may involve third-party AI service providers acting as subprocessors. A current list of all subprocessors is maintained on our Subprocessors page and is referenced in our Data Processing Agreement. All AI subprocessors are bound by strict data processing terms.

7. Legal Basis for Processing

Under the UK GDPR and Data Protection Act 2018, we process personal data only where we have a lawful basis to do so. The bases we rely on are set out below.

Contract
Where processing is necessary to perform our contract with you or your employer. This includes providing the platform, managing your account, processing documents you upload, and billing.

Legitimate Interests
Where processing is necessary for our legitimate business interests, provided those interests are not overridden by your rights and freedoms. This includes platform security and fraud prevention, analytics and service improvement, and direct marketing to business contacts.

Legal Obligation
Where processing is necessary to comply with a legal requirement to which we are subject. This includes maintaining tax records, responding to regulatory requests, and fulfilling data breach notification obligations.

Consent
Where you have given clear, informed consent to the processing. This includes non-essential cookies, marketing communications, and optional data sharing.

Where we act as a data processor, the customer is responsible for establishing the legal basis for processing the personal data contained in those documents.

8. Sharing Your Information

We share personal data only in the following circumstances:

Service Providers and Subprocessors:
We use trusted third-party providers to help operate and deliver the Longbow platform, including cloud infrastructure, AI processing services, analytics tools, and payment processors. All service providers are bound by data processing agreements and are required to process data only on our instructions and in accordance with applicable data protection law. A current list of subprocessors is maintained on our Subprocessors page on the website.

Professional Advisors:
We may share information with our legal, accounting, or insurance advisors where necessary for the management of our business.

Legal and Regulatory Requirements:
We may disclose information where required by law, regulation, legal process, or enforceable governmental request, or to protect the rights, property, or safety of Rehuman, our customers, or others.

Business Transfers:
In the event of a merger, acquisition, reorganisation, or sale of assets, personal data may be transferred as part of that transaction. We will notify affected users of any change in ownership or control of personal data.

We do not sell, rent, or trade personal data to third parties for their marketing purposes.

9. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom, including by subprocessors located in the European Union and the United States. Where we transfer personal data outside the UK, we ensure appropriate safeguards are in place, including:

•  UK International Data Transfer Agreements (IDTAs) or Addendums to EU Standard Contractual Clauses
•  Transfers to countries recognised by the UK Secretary of State as providing adequate protection
•  Other approved transfer mechanisms under UK data protection law

Details of international transfers and the safeguards in place are set out in our Subprocessors page and Data Processing Agreement, both available on our website.

10. Cookies and Analytics

Our website and platform use cookies and similar technologies. We categorise these as follows.

Strictly Necessary Cookies:
These cookies are essential for the platform to function and cannot be switched off. They enable core functionality such as authentication, session management, and security. No consent is required for these cookies.

Analytics Cookies:
These cookies collect anonymised usage data to help us understand how users interact with the platform and improve features and performance. Analytics cookies require your consent before they are set.

Functional Cookies:
These cookies remember your preferences and settings to provide a more personalised experience. Functional cookies require your consent before they are set.

We do not use cookies for behavioural advertising or third-party ad tracking. A cookie consent banner is displayed on first visit, allowing you to set your preferences. You may update your preferences at any time via your browser settings or our cookie management tool.

11. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy, or as required by law.

Account Information
Retained for the duration of the customer relationship, plus a reasonable wind-down period.

Insurance Documents and Extracted Data
Retained as directed by the broker customer. Deleted within 30 days of customer request or account closure.

Platform Usage and Log Data
Retained for up to 12 months for security monitoring and performance analysis.

Billing Records
Retained for up to 7 years as required by UK tax and accounting legislation.

Support Correspondence
Retained for up to 24 months after resolution, unless longer retention is required by law.

When a broker customer terminates their account, we will delete or anonymise all associated insurance document data within 30 days, unless a longer period is required by law or agreed in the Data Processing Agreement.

12. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, alteration, disclosure, or destruction. These measures include:

•  Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent)
•  Secure cloud infrastructure with enterprise-grade providers
•  Role-based access controls and the principle of least privilege
•  Audit logging and monitoring of platform access
•  Regular security assessments and vulnerability management
•  Incident response procedures and breach notification processes

While we take all reasonable precautions, no method of transmission over the internet or electronic storage is completely secure. We cannot guarantee absolute security.

For comprehensive details of our security practices, including infrastructure security, AI processing security, operational security, incident response, and business continuity, please see our Security Policy on the website.

13. Personal Data Breaches

In the event of a personal data breach affecting data we control or process, we will:

•  Assess the breach promptly to determine its scope, severity, and the categories of data and individuals affected
•  Where we are the data controller: notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where the breach is likely to result in a risk to the rights and freedoms of individuals, in accordance with Article 33 of the UK GDPR
•  Where we are acting as a data processor: notify the affected broker customer (data controller) without undue delay, providing sufficient information to enable them to fulfil their own notification and mitigation obligations, in accordance with the terms of the Data Processing Agreement
•  Where the breach is likely to result in a high risk to individuals, notify affected individuals directly, in accordance with Article 34 of the UK GDPR
•  Conduct a post-incident review and incorporate lessons learned into our security practices

Full details of our incident response procedures are set out in our Security Policy and, for processor data, in the Data Processing Agreement.

14. Your Rights

Under UK data protection law, you have the following rights in relation to personal data for which we are the data controller.

Right of Access:
You have the right to request a copy of the personal data we hold about you.

Right to Rectification:
You have the right to request that we correct any personal data that is inaccurate or incomplete.

Right to Erasure:
You have the right to request deletion of your personal data in certain circumstances, for example where the data is no longer necessary for the purpose for which it was collected.

Right to Restriction:
You have the right to request that we restrict the processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have challenged.

Right to Data Portability:
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller.

Right to Object:
You have the right to object to processing based on our legitimate interests, or to processing for direct marketing purposes. Where you object, we will stop processing unless we can demonstrate compelling legitimate grounds that override your interests.

Right to Withdraw Consent:
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the consent was withdrawn.

Rights Relating to Automated Decision-Making:
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects concerning you. As noted in Section 6, Longbow does not make such automated decisions.

Where we act as a data processor (insurance document data), rights requests from individuals whose data is contained in broker-uploaded documents should be directed to the relevant broker in the first instance, as they are the data controller. We will assist broker customers in responding to such requests in accordance with our Data Processing Agreement.

To exercise any of these rights, contact us at info@longbowtech.co.uk. We will respond within one month of receiving your request. In exceptional circumstances, we may extend this period by a further two months, in which case we will inform you and explain the reason for the delay.

Right to complain: You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk if you believe your data protection rights have been infringed.

15. Data Processing Agreement

Where Longbow processes insurance document data on behalf of broker customers, we enter into a Data Processing Agreement (DPA) as required by Article 28 of the UK GDPR. The DPA covers:

•  The subject matter, duration, nature, and purpose of processing
•  The types of personal data processed and categories of data subjects
•  Obligations and rights of the data controller (broker)
•  Security measures and sub-processing arrangements
•  Assistance with data subject rights requests and data breach notifications
•  Data deletion or return upon termination

Our standard Data Processing Agreement is available on our website. For questions, contact info@longbowtech.co.uk.

16. Subprocessors

We use third-party subprocessors to deliver the Longbow platform, including providers of cloud infrastructure, AI and machine learning services, analytics, payment processing, and customer support tools.

A current, named list of all subprocessors is maintained on our Subprocessors page on the website. We will notify broker customers of any intended changes to the subprocessor list, providing reasonable notice and the opportunity to object, in accordance with the terms of the Data Processing Agreement.

17. Children’s Privacy

Longbow is a business-to-business platform and is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete it promptly.

18. Complaints

If you have a complaint about how we handle your personal data, we encourage you to contact us first at info@longbowtech.co.uk so that we can try to resolve the matter directly. We will acknowledge your complaint promptly and aim to provide a substantive response within one month.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

•  Website: ico.org.uk
•  Telephone: 0303 123 1113

As Longbow is not a regulated financial services firm, complaints about our service are not eligible for referral to the Financial Ombudsman Service. For further detail on our regulatory status, please see our Regulatory Disclaimer.

19. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulatory guidance, or our practices. Where we make material changes, we will notify you through the platform, by email, or by posting a prominent notice on our website. The “Effective Date” and “Last Modified” dates at the top of this policy will always reflect the current version.

20. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or have a concern about how your data is being handled, please contact:

Rehuman Ltd (trading as Longbow Insurance Technology)

Email: info@longbowtech.co.uk

Registered Address: 14 Grays Inn Road, London, Greater London, United Kingdom, WC1X 8HN