Privacy Policy

Effective May 26, 2026

The short version

We collect the work contact details and free-text messages you give us through our website forms, plus aggregate analytics about how visitors use the site.

We use that data to reply to you, run our website, send the newsletters you signed up for, and meet our legal and insurance regulatory obligations.

We do not sell your personal data, we do not run targeted advertising, and we do not use website data to train AI models or make automated underwriting decisions about you.

Our analytics are cookieless (Vercel and Ahrefs). Our forms run through Formspark in Belgium with data stored in Ireland.

You can access, correct, or delete your data by emailing privacy@testudo.co. The full notice below explains the details.

This notice covers the Testudo website only. Personal information you give us as part of an insurance application, quote, bind, or claim is governed by a separate insurance privacy notice we provide at that point.

Who we are and what this notice covers

Testudo Global, Inc. is a Delaware corporation headquartered in San Francisco, California. We distribute Generative AI Liability Insurance through brokers, with underwriting capacity provided by syndicates of Lloyd's of London. In this notice, "Testudo", "we", "us", and "our" all mean Testudo Global, Inc.

Testudo Global, Inc. operates two regulated affiliates: Testudo US, Inc., our wholly-owned U.S. subsidiary that holds the surplus-lines licenses listed on our Contact page, and Testudo UK Limited (registered in England and Wales, Company Number 15528400), which is an Appointed Representative of Pro MGA Solutions Ltd, authorised and regulated by the Financial Conduct Authority (Firm Reference Number 1017533). Testudo UK Limited operates from 3-7 Temple Avenue, Temple, London EC4Y 0DA, United Kingdom. The website testudo.co is operated by Testudo Global, Inc.

This Privacy Notice explains how we collect, use, share, and protect personal data through this website (testudo.co) and our marketing communications.

This notice does not cover:

  • Testudo personnel and job applicants. Our HR and recruiting privacy practices are governed by separate notices provided to candidates and employees.
  • Aggregated or de-identified data. Information that cannot reasonably be used to identify you is not personal data and is not subject to this notice.

What personal data we collect

We collect three buckets of personal data:

1. What you give us through forms

  • Demo or "Talk to Testudo" form. Your work email, your company name, a free-text message about what you're interested in, and which role you select (broker, business, or insurer). The page you submitted from is recorded as a context tag.
  • Newsletter signup. Your email address and the page you signed up from.
  • Broker forms (appointment, request a scenario, webinar). Your name, work email, phone number, agency, and free-text notes. The webinar form additionally collects your team size and the time windows you prefer.

2. What we collect automatically

  • Vercel Web Analytics. Aggregate pageviews, referrer, country-level location, and device category. Vercel derives a short-lived, daily-rotating hash from your IP address and user agent to count unique visits and discards the underlying inputs. No cookies are set.
  • Ahrefs Web Analytics. Pageviews, referrers, and country-level location. No cookies and no device fingerprinting.
  • Error reports and performance traces. If a page on this site fails to load in production, or our server or edge runtime hits an unhandled error, the error name, message, stack trace, the page URL, request context (including HTTP headers), browser metadata, and a timestamp are sent to Sentry. We also send performance traces of every production request (100% sampling) to Sentry so we can diagnose latency and routing issues. Sentry is operated by Functional Software, Inc. dba Sentry (United States) and the data is ingested in the United States. No personally identifying data is captured intentionally, but URLs, query strings, headers, and error context can contain inadvertent personal data.

3. What we receive from others

  • Referrals. A broker or contact may give us your name and contact details to introduce you to us.
  • Service providers. Our hosting, form processing, and analytics providers collect data on our behalf as described above.
  • Inferences. We may form basic inferences about the topics you're interested in based on which pages you visit and which forms you submit (for example, that a visitor who reads broker pages is likely a broker). We do not buy or use data broker profiles.

How we use personal data

We use the personal data we collect to:

  • Respond to your inquiry, fulfill your request, or follow up about a quote or appointment.
  • Send the marketing emails and newsletters you signed up for, and let you unsubscribe at any time.
  • Operate, secure, and improve the website, including diagnosing errors and preventing fraud or abuse.
  • Comply with our legal and insurance regulatory obligations, including record-keeping under applicable insurance law.
  • Bring or defend a legal claim, when needed.
  • Carry out a business transaction (merger, acquisition, financing, or sale of assets) if one happens, including transferring data to the counterparty.

What we do not do: We do not use website data to train AI models. We do not use website data to make automated underwriting decisions about you. We do not sell personal data. We do not run targeted advertising. We do not profile visitors for decisions that have legal or similarly significant effects.

Who we share data with

We share personal data with the following categories of recipients. Where a single named processor handles a category, we name it.

  • Hosting and infrastructure: Vercel Inc. (United States), with EU and other regional sub-processors per Vercel's sub-processor list.
  • Content management: Sanity.io (Sanity, Inc. and Sanity AS in Norway and the United States). Used by Testudo staff for content authoring at /studio.
  • Form processing: Formspark, operated by Trampoline Software SRL in Belgium. Form submissions are stored in Ireland.
  • Analytics: Vercel Web Analytics (cookieless), and Ahrefs Pte. Ltd. in Singapore for Ahrefs Web Analytics (cookieless).
  • Error and performance telemetry: Sentry, operated by Functional Software, Inc. dba Sentry (United States), receives client, server, and edge-runtime error reports and performance traces from the production website. Sentry ingest and storage are located in the United States and Sentry acts as our service provider under the CCPA and an Article 28 processor under GDPR.
  • Professional advisors: Lawyers, accountants, auditors, and similar advisors when reasonably needed for our business.
  • Authorities: Law enforcement, courts, regulators, or other authorities when required by law, to respond to lawful requests or legal process, to enforce our agreements, to protect rights and safety, or to detect or prevent fraud.
  • Acquirers in a business transaction: If we are part of a merger, acquisition, financing, asset sale, bankruptcy, receivership, or insolvency proceeding, personal data may be disclosed or transferred to the counterparty as part of the transaction.
  • With your consent or at your direction. For example, if you give us permission to publish a testimonial, we may share your name and quote on our website.

We do not sell personal data for monetary consideration, and we do not share personal data for cross-context behavioral advertising, in any jurisdiction.

International data transfers

Our website is hosted in the United States, but we use providers located in or transferring data through other countries. The transfers that may apply to your data are:

  • Form submissions are transferred to Formspark in Belgium and stored in Ireland.
  • Analytics data may reach Ahrefs in Singapore and Vercel's regional sub-processors.
  • Error reports and performance traces are ingested by Sentry (Functional Software, Inc.) in the United States.

If you are in the EEA or UK and your data leaves the EEA or UK, we rely first on the EU-US Data Privacy Framework and its UK Extension where the importer is certified (Sentry is a current DPF participant), and we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum issued by the Information Commissioner's Office as the layered safeguard for all importers (including Sentry, Formspark, Ahrefs, and any Vercel sub-processor outside the EEA or UK). We apply supplementary technical and contractual measures where required by Schrems II.

To request a copy of the transfer mechanism we use for any specific processor, email privacy@testudo.co.

How long we keep personal data

We keep personal data only as long as we need it for the purposes set out in this notice, or for longer where the law requires us to.

  • Form submissions and inquiry data: 24 months from your last contact, unless you ask us to delete sooner or a longer period is required by law.
  • Newsletter and marketing list: Until you unsubscribe, plus an additional 24 months on a suppression list so we honor your unsubscribe choice in future.
  • Vercel Web Analytics: Retention is governed by Vercel's policy (typically 90 days for full-resolution data).
  • Ahrefs Web Analytics: Retention is governed by Ahrefs' policy.
  • Error reports and performance traces: Stored by Sentry under its plan retention (typically 90 days for error events and 30 days for performance events). We do not retain a separate copy.
  • Legal hold: If we need data for a legal claim, regulatory matter, or audit, we may retain it for longer until the matter resolves.

How we secure personal data

We take reasonable technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

  • All traffic to and from this website is encrypted in transit using TLS.
  • Form submissions, CMS content, analytics data, and error and performance telemetry are stored by our service providers using their security controls (Formspark, Sanity, Vercel, Ahrefs, Sentry).
  • Access to personal data is restricted to the Testudo staff and contractors who need it to do their jobs.
  • We notify affected individuals and the relevant regulator of a personal-data breach where required by applicable law (within 72 hours under GDPR and per the timeframes set by US state laws and insurance regulation).

No system is perfectly secure and we cannot guarantee absolute security.

Your privacy rights

Depending on where you live, you have some or all of the following rights:

  • Access. Ask what personal data we hold about you and request a copy.
  • Correct. Ask us to fix inaccurate or incomplete data.
  • Delete. Ask us to delete your personal data, subject to legal exceptions (for example, where insurance retention rules require us to keep it).
  • Port. Receive the personal data you gave us in a structured, commonly used, machine-readable format.
  • Restrict or object. Restrict or object to how we use your personal data, including for direct marketing. You can opt out of marketing at any time using the unsubscribe link in any email.
  • Withdraw consent. Where we relied on your consent, you can withdraw it at any time without affecting the lawfulness of processing before your withdrawal.
  • Opt out of profiling. Opt out of profiling that produces legal or similarly significant effects. We do not profile website visitors for decisions of this kind.
  • Opt out of sale, sharing, or targeted advertising. We do not engage in any of these, but the right is preserved and you can confirm our posture in writing.
  • Universal Opt-Out Signals (GPC). We treat a valid Global Privacy Control signal from your browser as an opt-out of sale, sharing, and targeted advertising for residents of any state that recognizes it (California, Colorado, Connecticut, Oregon, Montana, Texas, New Jersey, Minnesota, Maryland, Delaware, New Hampshire, and others as they take effect).
  • Non-discrimination. Exercising any privacy right will not affect the price or quality of any service we offer you.
  • Complain to a regulator. Lodge a complaint with your supervisory authority (in the UK, the Information Commissioner's Office at ico.org.uk; in the EEA, your country's data protection authority) or your state Attorney General.
  • Appeal a denial. If we deny a privacy request, you can appeal it. In states that grant a right of appeal (Virginia, Colorado, Connecticut, Oregon, Montana, New Jersey, Minnesota, Maryland, Tennessee, Delaware, New Hampshire, Kentucky, Iowa, Indiana, and Texas), we will respond to your appeal within 45 days.

How to exercise your rights

Email privacy@testudo.co with your request. Tell us which right you want to exercise and (if you have one) the email or account information you use with us.

  • We verify your identity using information we already hold about you. If we need additional details to verify you, we will ask before processing your request.
  • We respond within 30 days for EEA and UK residents (GDPR / UK GDPR) and within 45 days for US state residents, and we will tell you if we need a one-time extension. If we can't fulfill your request, we will tell you why.
  • An authorized agent can submit a request on your behalf with written authorization from you. We may ask the agent to provide proof of authority.
  • Exercising any right is free of charge in most cases. We may charge a reasonable fee or refuse to act if a request is manifestly unfounded or excessive, and we will tell you in writing if we do.

Cookies and tracking

Our analytics stack is cookieless. Vercel Web Analytics and Ahrefs Web Analytics do not set cookies on your device and do not use device fingerprinting. We do not run third-party advertising trackers, social-media pixels, or session replay tools on this website.

If you visit our embedded Sanity Studio at /studio (a content authoring tool restricted to invited Testudo staff), Sanity sets its own cookies for authentication and authorization, governed by Sanity's privacy notice.

Most browsers and operating systems let you block cookies entirely. Blocking cookies will not break this website because we do not rely on any.

We honor the Global Privacy Control (GPC) browser signal and the Do Not Track (DNT) browser signal where state law requires us to. You can read more about GPC at globalprivacycontrol.org.

AI underwriting and automated decisions

Personal data collected through this website is used to communicate with you and to operate the website. It is not used to train AI models. It is not used to make automated underwriting decisions about you.

Any automated processing that would affect a Testudo insurance application is subject to your rights under GDPR Article 22, the profiling provisions of US state privacy laws (Colorado, Connecticut, Virginia, Oregon, Montana, New Jersey, Minnesota, Maryland, Tennessee, Delaware, New Hampshire, Kentucky, Iowa, Indiana, and Texas, as applicable), the NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, and any applicable EU AI Act obligations.

California residents

This section is our notice at collection and our annual disclosure under the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA / CPRA").

Categories of personal information collected in the past 12 months

  • Identifiers (name, work email, IP address, phone number on broker forms). Source: you, and automatically. Purpose: communicate with you, operate the site, and prevent fraud. Disclosed to: hosting, form processing, and analytics service providers.
  • Customer records as defined in California Civil Code Section 1798.80(e) (company name, professional contact details). Source: you. Purpose and recipients: same as above.
  • Internet or other electronic network activity (aggregate pageviews, referring URL). Source: automatically. Purpose: analytics and security. Disclosed to: analytics service providers.
  • Geolocation (country-level only, derived from IP). Source: automatically. Purpose: analytics. Disclosed to: analytics service providers.
  • Professional or employment-related information (role you select on the demo form, agency name on broker forms). Source: you. Purpose and recipients: same as above.
  • Inferences (topics of likely interest, derived from pages you visit). Source: internal. Purpose: marketing. Disclosed to: service providers only.
  • Sensitive personal information: none collected through this website.

Sale or sharing of personal information

We have not sold personal information for monetary consideration in the past 12 months and do not do so today. We have not shared personal information for cross-context behavioral advertising in the past 12 months and do not do so today. We do not knowingly sell or share the personal information of consumers under 16 years of age.

Your California rights

  • Right to know what personal information we have collected about you (general and specific pieces), the sources, the purposes, and the categories of recipients.
  • Right to delete personal information we have collected from you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of any sale or sharing of personal information (we conduct none, but the right is preserved).
  • Right to limit the use and disclosure of sensitive personal information (we collect none).
  • Right to non-discrimination for exercising any of these rights.

To exercise any right, email privacy@testudo.co. An authorized agent can submit a request on your behalf with your written authorization.

Notice of financial incentive

We do not offer any financial incentive or price difference in exchange for personal information.

Shine the Light (California Civil Code Section 1798.83)

California residents can request a notice of personal information we disclose to third parties for those parties' own direct marketing purposes. We do not currently disclose any personal information for that purpose.

Other US state residents

If you live in Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Delaware, Iowa, Indiana, Tennessee, Montana, New Hampshire, New Jersey, Minnesota, Maryland, Rhode Island, or Kentucky, you generally have the right to:

  • Access the personal data we have about you and receive a copy.
  • Correct inaccurate personal data.
  • Delete your personal data (subject to legal exceptions, including insurance retention).
  • Receive your personal data in a portable format.
  • Opt out of the sale of personal data, of targeted advertising, and of profiling for decisions with legal or similarly significant effects. We do not engage in any of these, but the right is preserved.

We honor browser-based Universal Opt-Out Signals (Global Privacy Control / GPC) for residents of every state that recognizes them.

To exercise any state-level right, email privacy@testudo.co. We respond within 45 days. If we deny your request, you can appeal by replying within the response window and we will provide a written response within 45 days of the appeal. You can also contact your state Attorney General if you remain dissatisfied.

Nevada residents

Under Nevada Revised Statutes Chapter 603A, you have the right to opt out of the sale of certain personal data. We do not sell personal data as defined under Nevada law, but you can confirm the opt-out in writing by emailing privacy@testudo.co.

EEA and UK residents

If you live in the United Kingdom or the European Economic Area, this section identifies who controls your personal data and how UK GDPR and the GDPR apply to us.

United Kingdom. Testudo UK Limited (registered in England and Wales, Company Number 15528400) is an Appointed Representative of Pro MGA Solutions Ltd, which is authorised and regulated by the Financial Conduct Authority under Firm Reference Number 1017533. Testudo UK Limited is established in the United Kingdom and is the controller of personal data of UK data subjects processed through this website and our UK insurance distribution activities. Because Testudo is established in the United Kingdom through Testudo UK Limited and UK GDPR applies to that processing under Article 3(1) UK GDPR, no separate UK representative under Article 27 UK GDPR is required. UK residents can exercise any UK GDPR right and contact us about any UK GDPR matter by emailing privacy@testudo.co, and may lodge a complaint with the Information Commissioner's Office at ico.org.uk.

European Economic Area. Testudo Global, Inc. is the controller of personal data of EEA data subjects processed through this website. EEA residents can exercise any GDPR right by emailing privacy@testudo.co, and may lodge a complaint with the data protection authority of their country of residence, place of work, or place of the alleged infringement.

The lawful bases we rely on are listed in the Legal Basis section above. Your rights as a data subject, including the right to access, correct, delete, port, restrict, and object, are listed in the Your Rights section above.

International transfers of EEA and UK data are covered in the Transfers section above. We rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) and the UK International Data Transfer Addendum, with supplementary measures where required by Schrems II.

Children's privacy

Our services are not directed to individuals under 18, and we do not knowingly collect personal data from anyone under 13 (or any higher age that applies under local law). If you are a parent or guardian and believe your child has provided us with personal data, email privacy@testudo.co and we will take steps to delete it. If we learn that we have collected personal data from a child in violation of applicable law, we will delete the information.

Changes to this notice

We may update this notice from time to time. When we make changes, we update the effective date at the top of this page. For material changes, we notify registered contacts by email or by a prominent notice on this website at least 30 days before the change takes effect.

Contact us

For any privacy question or to exercise any privacy right, email privacy@testudo.co, or write to Testudo Global, Inc., 2261 Market Street, STE 10186, San Francisco, CA 94114, USA.