
Privacy Policy · Iberlux Insurance Agency LLC

Last updated:
Effective from:
Version: 1.0

Privacy Policy

Iberlux LLC · iberluxseguros.com · iberluxacademy.com

Effective Date: April 30, 2026
Last Updated: April 30, 2026
Version: 2.0
Applicable to: U.S. consumers in all 50 states (with state-specific supplements) and incidental EU/UK visitors
Primary Contact: privacy@iberlux.com
Do Not Sell or Share My Personal Information: https://iberluxseguros.com/preferencias-privacidad
Notice at Collection: https://iberluxseguros.com/aviso-de-recoleccion

Plain-Language Summary (Required by Cal. Civ. Code § 1798.130)

Iberlux LLC (“Iberlux”, “we”) is a U.S.-licensed insurance agency and lead-generation business focused on the Hispanic market. When you complete a quote form on iberluxseguros.com or enroll in our course at iberluxacademy.com, we collect your name, contact information, demographic data, insurance-relevant data (age, smoking status, household size, estimated income, ZIP code, in some cases self-reported general health information for ACA quotes), device and analytics data, and third-party verification artifacts (Jornaya LeadID, TrustedForm). We use this information to (i) generate insurance quotes; (ii) connect you with up to ten (10) licensed agents, agencies, or insurance carriers who pay us per-lead fees, commissions, or referral revenue; (iii) market our products to you by phone, SMS, email, and online ads (including via AI voice assistants); (iv) operate, secure, and improve the Services; and (v) comply with law. Because we receive monetary or other valuable consideration for disclosing your personal information to lead buyers and advertising partners, this disclosure constitutes a “sale” and “sharing” under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA”), Cal. Civ. Code § 1798.140(ad) and (ah). You have the right to opt out of this sale and sharing at any time, free of charge, with no loss of service, by visiting https://iberluxseguros.com/preferencias-privacidad, by emailing privacy@iberlux.com, or by transmitting a Global Privacy Control (“GPC”) signal from your browser, which we honor as a frictionless opt-out under 11 C.C.R. § 7025. You also have rights to know, delete, correct, and limit the use of sensitive personal information, and a right to be free from discrimination for exercising those rights. Detailed disclosures and instructions for each U.S. state are below.


1. About This Policy

This Privacy Policy (“Policy”) describes how Iberlux LLC, a Delaware/Florida limited liability company doing business as Iberlux and Iberlux Academy (together with its subsidiaries and affiliates, “Iberlux”, “we”, “us”, “our”), collects, uses, discloses, retains, and protects personal information when you:

  • Visit iberluxseguros.com, iberluxacademy.com, or any subdomain or related property (the “Sites”);
  • Submit a quote-request form, contact form, or callback request;
  • Enroll in Iberlux Academy courses or pay through Stripe;
  • Communicate with us by phone, SMS, email, web chat, or our voice AI agent operated through Vapi.ai (the “Voice AI Agent”);
  • Interact with our advertising on Meta (Facebook/Instagram), Google, TikTok, YouTube, or other platforms;
  • Are referred to us by an insurance carrier, agency, agent, or marketing partner

(collectively, the “Services”).

This Policy is incorporated by reference into our Terms of Service (/terminos) and is supplemented by our TCPA Disclosure (/divulgacion-tcpa), our Notice at Collection, and our Cookie Preference Center at /preferencias-privacidad. By using the Services, you acknowledge this Policy. Where consent is legally required (for example, for SMS marketing, certain EU/UK processing, or sharing of sensitive personal information for purposes that exceed Cal. Civ. Code § 1798.121), we obtain it separately and conspicuously.

If you do not agree with this Policy, do not use the Services.


2. Definitions

The following capitalized terms have the meanings set forth in this Section. Where a term is defined by statute, we adopt that statutory meaning. Statutory citations are illustrative and not exhaustive.

  • “Personal Information” or “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined under Cal. Civ. Code § 1798.140(v); Va. Code § 59.1-575; Colo. Rev. Stat. § 6-1-1303(17); Conn. Gen. Stat. § 42-515(20); Utah Code § 13-61-101(24); Tex. Bus. & Com. Code § 541.001(22) (“Texas Data Privacy and Security Act” or “TDPSA”); and analogous statutes. It does not include de-identified, aggregated, or publicly available information as defined under those statutes.

  • “Sensitive Personal Information” (“SPI”) means the categories listed in Cal. Civ. Code § 1798.140(ae), including but not limited to: government-issued identifiers (e.g., SSN, driver’s license); precise geolocation; racial or ethnic origin; religious or philosophical beliefs; union membership; the contents of mail, email, and text messages where Iberlux is not the intended recipient; genetic data; biometric information used for identification; personal information collected and analyzed concerning a consumer’s health; and personal information concerning sex life or sexual orientation. Iberlux’s collection of SPI is limited to the categories described in Section 4.4.

  • “Sale” has the meaning given in Cal. Civ. Code § 1798.140(ad): “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating … a consumer’s personal information by the business to a third party for monetary or other valuable consideration.” Iberlux discloses Personal Information for monetary and other valuable consideration; Iberlux therefore engages in “Sale” as that term is defined.

  • “Sharing” has the meaning given in Cal. Civ. Code § 1798.140(ah): disclosing personal information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. Iberlux engages in “Sharing” through its use of advertising pixels, Conversions API integrations, and lookalike-audience modeling on Meta, Google, TikTok, and similar platforms.

  • “Cross-Context Behavioral Advertising” has the meaning given in Cal. Civ. Code § 1798.140(k): the targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly-branded websites, applications, or services, other than the business with which the consumer intentionally interacts.

  • “Service Provider”, “Contractor”, and “Third Party” have the meanings given in Cal. Civ. Code § 1798.140(ag), (j), and (ai), respectively, and analogous meanings under the Virginia Consumer Data Protection Act (“VCDPA”), Va. Code § 59.1-575 et seq.; the Colorado Privacy Act (“CPA”), Colo. Rev. Stat. § 6-1-1301 et seq.; the Connecticut Data Privacy Act (“CTDPA”), Conn. Gen. Stat. § 42-515 et seq.; the Utah Consumer Privacy Act (“UCPA”), Utah Code § 13-61-101 et seq.; the TDPSA; the Oregon Consumer Privacy Act (“OCPA”), Or. Rev. Stat. § 646A.570 et seq.; the Montana Consumer Data Privacy Act (“MTCDPA”); the Iowa Consumer Data Protection Act (“ICDPA”); the Tennessee Information Protection Act (“TIPA”); the Indiana Consumer Data Protection Act (“INCDPA”); the Delaware Personal Data Privacy Act (“DPDPA”); the New Hampshire Privacy Act; the New Jersey Data Privacy Act (“NJDPA”); the Minnesota Consumer Data Privacy Act (“MNCDPA”); the Maryland Online Data Privacy Act (“MODPA”); and the Rhode Island Data Transparency and Privacy Protection Act (“RIDTPPA”).

  • “Targeted Advertising” is defined in the VCDPA, CPA, CTDPA, TDPSA, and other state statutes substantially identically to “Cross-Context Behavioral Advertising” under the CCPA/CPRA, with statute-specific exclusions.

  • “Profiling” means any form of automated processing of Personal Information to evaluate, analyze, or predict aspects concerning an individual, including economic situation, health, personal preferences, interests, reliability, behavior, location, or movements, as further defined under Va. Code § 59.1-575; Colo. Rev. Stat. § 6-1-1303(20); Conn. Gen. Stat. § 42-515; the EU General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), Art. 4(4); and analogous statutes.

  • “Consumer” has the meaning given by applicable statute, generally a natural person residing in the United States or, where applicable, the European Union or United Kingdom.

  • “Lead Buyer” means an insurance carrier, licensed insurance agency, licensed insurance agent, or aggregator/marketing partner that purchases or otherwise receives a lead from Iberlux for the purpose of contacting the consumer about Insurance Products. The current categories and counts of Lead Buyers are disclosed at iberluxseguros.com/partners.

  • “Insurance Products” means term life, whole life, indexed universal life (“IUL”), final expense, dental, vision, supplemental health, accidental death, hospital indemnity, critical illness, ACA-marketplace and private major-medical health insurance, and personal auto insurance.

  • “GPC” means the Global Privacy Control browser-level signal recognized by 11 C.C.R. § 7025 and analogous regulations.


3. Quick Reference: Categories of Personal Information

The following is a summary disclosure under Cal. Civ. Code § 1798.130(a)(5)(B) of categories of Personal Information collected, sources, business and commercial purposes for collection, and categories of recipients, in the twelve (12) months preceding the Last Updated date.

CCPA category (Cal. Civ. Code § 1798.140(v)(1)) | Collected? | Sources | Purposes | Disclosed to (categories) | Sold/Shared?
(A) Identifiers (name, alias, postal address, IP, email, phone, online identifier, account name) | Yes | You; analytics; third-party leads; carriers | Quotes, marketing, fraud, compliance, advertising, course delivery | Lead Buyers; Service Providers; ad platforms; affiliates; legal/regulatory | Yes (Sale + Sharing)
(B) Cal. Customer Records (name, signature, address, telephone, education, employment, financial, medical/health insurance info) | Yes | You | Quotes, course payments, Lead Buyer matching | Lead Buyers; Service Providers; carriers | Yes (Sale)
(C) Protected classifications (age, gender, marital status, national origin) | Yes (limited) | You | Quote eligibility & rating | Lead Buyers; carriers | Yes (Sale)
(D) Commercial information (records of products considered, premium budget) | Yes | You; site analytics | Quotes, marketing | Lead Buyers; ad platforms | Yes (Sale + Sharing)
(E) Biometric information | No | | | | No
(F) Internet/network activity (browsing, search history, interaction with ads) | Yes | Cookies, pixels, analytics | Analytics, advertising, fraud | Service Providers; ad platforms | Yes (Sharing)
(G) Geolocation (general; not precise) | Yes (general) | IP-based | Eligibility (state); fraud | Lead Buyers (state only); Service Providers | Yes (Sale)
(H) Sensory data (audio recordings of calls) | Yes | You | Training, quality assurance, dispute resolution, AI development | Service Providers; counsel | No Sale; no Sharing
(I) Professional/employment-related information | Yes (limited) | You | ACA subsidy eligibility; course leads | Lead Buyers; carriers | Yes (Sale)
(J) Education information (FERPA-protected) | No | | | | No
(K) Inferences (preferences, characteristics, predispositions, behavior) | Yes | Derived | Lead scoring, ad targeting, course recommendations | Service Providers; Lead Buyers (limited); ad platforms | Yes (Sale + Sharing)
(L) Sensitive Personal Information | Yes (limited; see § 4.4) | You | Quote underwriting (ACA); see § 10 | Carriers; Lead Buyers (limited); Service Providers | No Sale of SPI; no use beyond § 1798.121 purposes

4. Information We Collect

4.1 Information You Provide Directly

When you submit a quote form, contact form, callback request, account registration, course enrollment, or otherwise actively communicate with Iberlux, we collect:

  • Identifiers and contact data: full name (and preferred name); email address; mobile and landline telephone numbers; mailing address; ZIP code and county; date of birth; gender (self-reported); preferred language (Spanish/English).
  • Insurance-relevant data: desired coverage type and amount; smoking/tobacco status (self-reported); height and weight (self-reported, where collected); general health status (self-reported “excellent / good / fair / poor”); pre-existing conditions only as required for ACA, dental, or supplemental quotes; existing coverage; intended start date; household size and dependents; employment status; estimated annual household income; immigration status only where required by carrier (e.g., ACA subsidy eligibility) and only as a yes/no eligibility flag, not a document number.
  • Financial information (limited): premium budget; payment cadence preference. We do not collect bank account, debit card, or full credit card numbers on the Sites. Course payments through iberluxacademy.com are processed by Stripe, Inc. under Stripe’s privacy policy; Stripe shares with us only the last four (4) digits of the card, the brand, expiration month/year, and a tokenized reference.
  • Free-text fields: any unstructured notes you provide.
  • Authentication credentials: if you create an Iberlux Academy account, your hashed password (bcrypt or argon2id), MFA tokens, and account recovery email.
  • Communications content: voicemails, SMS replies, email replies, web chat transcripts, and recordings of calls in jurisdictions where one-party consent is permitted (and after disclosure where two-party consent is required, including but not limited to California, Connecticut, Florida, Illinois, Maryland, Massachusetts, Montana, Nevada, New Hampshire, Pennsylvania, and Washington, per applicable wiretap statutes).
  • Submitted documents: if you upload a document for verification (e.g., proof of address), we collect the file and any metadata it contains.

4.2 Information Collected Automatically

When you visit, navigate, or interact with the Services, we (and our service providers) automatically collect:

  • Device and connection data: IP address; ISP; coarse geolocation derived from IP (city/state level); browser type and version; operating system and version; device type; screen resolution and viewport size; language and timezone settings; mobile carrier; mobile network type.
  • Usage and interaction data: pages and screens viewed; time on page; scroll depth; clickstream; mouse-movement and tap heatmaps (via Microsoft Clarity); session replays (limited; PII fields are masked by default per Microsoft Clarity’s data-masking configuration); links clicked; form-field interaction (started/abandoned/completed); referring URL; exit URL; search queries inside our Sites.
  • Marketing identifiers and click identifiers: Urchin Tracking Module (“UTM”) parameters (utm_source, utm_medium, utm_campaign, utm_term, utm_content); Facebook click ID (fbclid); Google click ID (gclid); Microsoft click ID (msclkid); TikTok click ID (ttclid); LinkedIn click ID (li_fat_id).
  • Compliance and fraud-prevention artifacts: Jornaya LeadID consent verification token (third-party tamper-evident proof of TCPA consent issued by Jornaya, an ActiveProspect company); TrustedForm certificate URL (third-party tamper-evident proof of form completion issued by ActiveProspect); hCaptcha token; behavioral signals (typing cadence, time-on-form); honeypot field state; submission velocity scores.
  • Cookies, pixels, web beacons, SDK identifiers (described in Section 8).

4.3 Information We Receive From Third Parties

  • Insurance carriers and Lead Buyers: application status; appointment outcomes; bound-policy data for compensation reconciliation; quality-feedback (e.g., wrong-number, deceased indicators).
  • Lead aggregators and co-registration partners (only if you submitted information on a partner site that disclosed sharing with Iberlux at the point of collection).
  • Identity, contact-validation, and skip-tracing vendors: ZeroBounce (email validation); Twilio Lookup / Numeracle (phone-line type, carrier, name match, robocall reputation); BlackList Alliance (TCPA litigator and serial-plaintiff screening); DNC.com (Federal Do Not Call Registry and state DNC scrubbing); Ekata / Whitepages Pro or similar (name/address verification).
  • Advertising platforms: Meta, Google, TikTok, and others may share aggregated audience-attribute information and conversion measurement data.
  • Public records and licensed data providers: for fraud detection and compliance (e.g., OFAC screening for course payments).
  • You via authorized agent or relative, where you have authorized them to act on your behalf.

4.4 Sensitive Personal Information

Consistent with Cal. Civ. Code § 1798.121 and its implementing regulations at 11 C.C.R. § 7027, Iberlux limits its collection and use of Sensitive Personal Information (“SPI”) to that which is reasonably necessary and proportionate to (i) provide the Services you request, (ii) prevent fraud and verify identity, (iii) ensure security and integrity of the Services, (iv) provide short-term, transient use, (v) perform services on Iberlux’s behalf, and (vi) comply with legal obligations. We do not use or disclose SPI to infer characteristics about you beyond these statutorily permitted purposes.

The categories of SPI we collect, by product:

Product | SPI Collected | Statutory basis for collection
ACA / health | Self-reported general health, tobacco use, household composition, income (for subsidy estimation), pregnancy status (where you disclose), preferred carrier network | Necessary for quote and Marketplace eligibility
Term Life / IUL / Final Expense | Self-reported tobacco use, height/weight, broad health categories | Necessary for indicative quote and carrier match
Dental / Vision / Supplemental | Limited; not typically SPI | n/a
Auto | Driver’s license number — only if collected by Lead Buyer post-handoff; Iberlux itself does not collect DL numbers on the Sites | n/a (collected by carrier)
Course (Iberlux Academy) | None beyond identifiers | n/a

Iberlux does not “Sell” Sensitive Personal Information. Iberlux discloses SPI to Lead Buyers and carriers as a Service Provider/Contractor disclosure or as a disclosure necessary to the consumer-requested service, in either case excepted from “Sale” under Cal. Civ. Code § 1798.140(ad)(2). California consumers may direct Iberlux to limit the use of SPI in accordance with Section 9.

4.5 Inferences and Derived Data

Iberlux derives inferences from the information described above to:

  • Score lead quality and likelihood-to-bind (e.g., 0-100 lead score) using statistical and machine-learning models trained on historical lead-and-outcome data;
  • Recommend products (e.g., consumers who research IUL often qualify for term life);
  • Build and refresh lookalike audiences on advertising platforms;
  • Optimize the timing, channel, and content of follow-up communications;
  • Personalize the course curriculum and marketing of Iberlux Academy.

Inferences derived solely from CCPA-category (A) Identifiers and (F) Internet activity are themselves Personal Information under Cal. Civ. Code § 1798.140(v)(1)(K) and are subject to your rights under this Policy.


5. How We Use Your Information

Iberlux uses Personal Information for the following business and commercial purposes (see Cal. Civ. Code § 1798.140(e), 11 C.C.R. § 7002; and the analogous “compatible” or “secondary use” frameworks under VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, and other state statutes; and the lawful-basis taxonomy of GDPR Art. 6):

  1. To provide the Services you request. We process the Personal Information you submit through quote forms in order to generate quotes, match you to Lead Buyers and carriers, transmit your information to those Lead Buyers and carriers, schedule call-backs, and deliver the Iberlux Academy course you purchase. Lawful basis (where GDPR applies): performance of a contract; pre-contractual measures (Art. 6(1)(b)).

  2. TCPA-compliant marketing communications. Subject to the disclosures and prior express written consent obtained at the form level (see the TCPA Disclosure at /divulgacion-tcpa), we and our Lead Buyers contact you by call, prerecorded/artificial voice, autodialer, SMS/MMS, email, and direct mail, in each case in accordance with 47 U.S.C. § 227 and 47 C.F.R. § 64.1200, the FCC’s 2024-2025 amendments thereto, the federal Telephone Sales Rule, the federal CAN-SPAM Act, 15 U.S.C. § 7701 et seq., and analogous state statutes including Fla. Stat. § 501.059 (Florida Telephone Solicitation Act, “FTSA”), as amended; Wash. Rev. Code § 19.190 (Washington CEMA); Okla. Stat. tit. 15 § 775C.1 (Oklahoma TCPA); and the California Invasion of Privacy Act, Cal. Penal Code § 630 et seq. Lawful basis (GDPR): consent (Art. 6(1)(a)).

  3. Fraud prevention and platform integrity. We screen submissions against TCPA-litigator lists (BlackList Alliance), DNC databases, IP-reputation feeds, and behavioral-fraud signals; we suppress duplicate and abusive submissions; we audit consent records. Lawful basis (GDPR): legitimate interests (Art. 6(1)(f)).

  4. Regulatory compliance. We comply with federal and state insurance laws, IRS information-reporting requirements (1099-NEC, 1099-MISC for affiliates), state-level licensing rules, OFAC sanctions screening, anti-money-laundering rules, and lawful demands from courts, regulators, and law enforcement. Lawful basis (GDPR): legal obligation (Art. 6(1)(c)).

  5. Service improvement and product development. We analyze usage data to identify defects, optimize conversion paths, A/B test creative, develop new products, train and tune internal AI/ML models for lead scoring, voice-AI dialog management, and re-engagement. We do not license your raw Personal Information to third parties to train their general-purpose AI models. Lawful basis (GDPR): legitimate interests (Art. 6(1)(f)).

  6. Analytics and measurement. We use Google Analytics 4 (GA4), Microsoft Clarity, Looker Studio, and server-side telemetry to measure traffic, conversion, and quality. Lawful basis (GDPR): legitimate interests; consent where ePrivacy applies.

  7. Cross-context behavioral and targeted advertising. We use Meta Pixel and Conversions API (“CAPI”), Google Ads / Enhanced Conversions, TikTok Pixel and Events API, and similar technologies to deliver, measure, attribute, and optimize advertising. We hash identifiers (SHA-256) before transmission to advertising platforms where supported. Lawful basis (GDPR): consent (Art. 6(1)(a)) where ePrivacy/GDPR applies; not applicable to U.S. residents on the basis of opt-out.

  8. Joint marketing and lead-buyer disclosures. We disclose Personal Information (including, for ACA, limited SPI as authorized in Section 4.4) to Lead Buyers and carriers to enable them to market Insurance Products to you. As described in Section 6.5, this disclosure constitutes a “Sale” and (where applicable) “Sharing” under CCPA/CPRA and analogous “Sale” or “Targeted Advertising” definitions under VCDPA, CPA, CTDPA, TDPSA, and OCPA. Lawful basis (GDPR): consent (Art. 6(1)(a)).

We will not use Personal Information for materially different, unrelated, or incompatible purposes without notifying you and, where required, obtaining your consent.


6. How We Share Your Information

6.1 Lead Buyers, Insurance Carriers, and Licensed Agents

Iberlux’s primary commercial purpose is to connect U.S. consumers with insurance products. When you submit a quote-request form, you direct us to share your Personal Information with up to ten (10) Lead Buyers drawn from the categories listed below, each of which is independently licensed in the relevant state(s) to transact insurance:

  • Insurance carriers (e.g., issuers of life, ACA, dental, supplemental, and auto policies);
  • National Marketing Organizations (“NMOs”) and Field Marketing Organizations (“FMOs”);
  • Independent insurance agencies;
  • Individually licensed insurance producers/agents;
  • Carrier-affiliated lead aggregators and call-center operators.

The current categories and a representative list of partners are published at iberluxseguros.com/partners and are snapshot-hashed at the time of your submission for evidentiary purposes (see TCPA Disclosure § 8). Each Lead Buyer is responsible for its own privacy practices once it receives your information; we encourage you to review each Lead Buyer’s privacy policy.

6.2 Service Providers and Contractors

We disclose Personal Information to entities that process information on our behalf under written contracts that comply with Cal. Civ. Code § 1798.140(ag) (CCPA) and analogous statutes (each a “Service Provider” or “Contractor”). The categories of Service Providers and representative vendors are:

Category | Representative providers
Cloud infrastructure & hosting | Cloudflare, Inc. (CDN, Pages, Workers, R2 object storage); Amazon Web Services, Inc. (us-east-1, where Supabase Postgres and storage reside)
Database / backend | Supabase, Inc. (managed Postgres, auth, storage; data resident in AWS us-east-1)
CRM / marketing automation | GoHighLevel, LLC (“GHL”)
Telephony, SMS, voice | Twilio, Inc.; Vapi.ai, Inc. (voice AI orchestration; see Section 15); CallTools; ElevenLabs, Inc. (TTS); OpenAI, L.L.C. (Whisper transcription, where used)
AI / ML | Anthropic, PBC (Claude API for content generation, classification, dialog assistance); OpenAI, L.L.C. (where used); HeyGen, Inc. (avatar/video)
Lead verification & TCPA evidence | ActiveProspect, Inc. (Jornaya LeadID, TrustedForm); BlackList Alliance, LLC; DNC.com; Numeracle, Inc.; ZeroBounce.net; hCaptcha (Intuition Machines, Inc.)
Analytics & session insight | Google LLC (GA4, Looker Studio, Tag Manager); Microsoft Corporation (Clarity heatmaps and session replay)
Advertising measurement | Meta Platforms, Inc.; Google LLC; TikTok Inc.; LinkedIn Corporation (in Service-Provider capacity for measurement only; in Third Party capacity for audience and ad-targeting)
Course payments | Stripe, Inc.
Direct mail | Lob.com, Inc.
Insurance back-office | FireLight (e-app) and similar carrier portals
Professional services | accountants, auditors, outside counsel, insurance brokers

Service Providers are contractually prohibited from (a) selling or sharing the Personal Information; (b) retaining, using, or disclosing the Personal Information outside of the direct business relationship with Iberlux; (c) combining the Personal Information with information received from other sources except as permitted by Cal. Civ. Code § 1798.140(ag)(1)(D) and 11 C.C.R. § 7050.

6.3 Marketing and Advertising Partners (Third Parties)

To the extent we use the Meta Pixel/CAPI, Google Ads, TikTok Pixel/Events API, and similar tags for cross-context behavioral advertising and audience-building (rather than purely for measurement on our behalf), the receiving platforms act as Third Parties under the CCPA/CPRA, and the disclosure of identifiers and event data constitutes “Sharing” within the meaning of Cal. Civ. Code § 1798.140(ah). We honor your opt-out as described in Section 9.

We may disclose Personal Information when we believe in good faith that disclosure is reasonably necessary to: (a) comply with applicable law, regulation, subpoena, civil investigative demand, court order, or other legal process, including a National Security Letter; (b) cooperate with state insurance regulators (e.g., the California Department of Insurance, the Texas Department of Insurance, the Florida Office of Insurance Regulation, the New York Department of Financial Services), state attorneys general, the Federal Trade Commission, the Federal Communications Commission, the Consumer Financial Protection Bureau, or law enforcement; (c) establish, exercise, or defend legal claims, including in TCPA and CIPA litigation; (d) protect the rights, property, or safety of Iberlux, our consumers, or the public; (e) detect, prevent, or address fraud, security, or technical issues; or (f) enforce our Terms of Service. We will provide notice of any disclosure unless prohibited by law or unless we determine in good faith that doing so would impede an investigation or risk harm.

6.5 Statement Regarding “Sale” and “Sharing” Under State Privacy Law

Position taken. Because Iberlux receives per-lead, per-call, per-bound-policy, or commission revenue from Lead Buyers in exchange for disclosing your Personal Information to those Lead Buyers, those disclosures constitute a “Sale” of Personal Information within the meaning of:

  • CCPA/CPRA, Cal. Civ. Code § 1798.140(ad);
  • VCDPA, Va. Code § 59.1-575 (note: VCDPA defines “sale” more narrowly as for “monetary consideration” only; Iberlux’s per-lead fees are monetary, so the transactions are also “sales” under VCDPA);
  • CPA, Colo. Rev. Stat. § 6-1-1303(23);
  • CTDPA, Conn. Gen. Stat. § 42-515;
  • UCPA, Utah Code § 13-61-101(31) (Utah defines “sale” narrowly; per-lead monetary disclosures are nonetheless sales under UCPA);
  • TDPSA, Tex. Bus. & Com. Code § 541.001;
  • OCPA, NJDPA, MNCDPA, MODPA, DPDPA, NHPA, RIDTPPA, INCDPA, ICDPA, TIPA, MTCDPA, and analogous statutes.

Because Iberlux discloses identifiers and event data to advertising platforms for the purpose of cross-context behavioral advertising, those disclosures also constitute “Sharing” under Cal. Civ. Code § 1798.140(ah) and “Targeted Advertising” under VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, and analogous statutes.

Iberlux does not knowingly Sell or Share the Personal Information of consumers under sixteen (16) years of age without affirmative authorization (opt-in) of the consumer (if 13-15) or the consumer’s parent or guardian (if under 13), in compliance with Cal. Civ. Code § 1798.120(c) and 11 C.C.R. § 7070-7072.

You may opt out at any time, free of charge, with no degradation of service, as described in Section 9.

6.6 Business Transfers

If Iberlux is involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, sale of all or part of our assets, or transition of services to another provider, your Personal Information may be transferred as part of that transaction, subject to standard confidentiality protections and notice as required by law.

We may disclose Personal Information for any other purpose with your consent or at your direction.


7. Cross-Context Behavioral Advertising and Targeted Advertising

Iberlux engages in Cross-Context Behavioral Advertising (CCPA/CPRA) and Targeted Advertising (other state statutes) by transmitting hashed and unhashed identifiers and event data to Meta, Google, TikTok, LinkedIn, and similar advertising platforms via cookies, pixels, server-side Conversions APIs, and Customer-List uploads. The platforms use these signals to (i) attribute conversions, (ii) optimize ad delivery to consumers more likely to take action, (iii) build lookalike audiences, and (iv) suppress already-converted consumers from further advertising.

Opt-out mechanisms. You may opt out of Cross-Context Behavioral Advertising and Targeted Advertising by any of the following means, each of which we treat as effective under 11 C.C.R. § 7025 and analogous regulations:

  • Visit https://iberluxseguros.com/preferencias-privacidad and toggle off “Advertising” cookies and “Sale/Sharing” preferences;
  • Click “Do Not Sell or Share My Personal Information” in the footer of any page on the Sites;
  • Send a Global Privacy Control (“GPC”) signal from a supported browser or extension; we treat GPC as a valid opt-out of Sale and Sharing for the browser and (where you are logged in to an account) for the account;
  • Email privacy@iberlux.com with subject line “Opt Out of Sale/Sharing” from the email address associated with your submission.

Twelve-month validity. Opt-outs remain effective for at least twelve (12) months, after which we may, but will not be required to, ask you to re-affirm your preferences (Cal. Civ. Code § 1798.135(a)(4); 11 C.C.R. § 7026(g)).

Authorized agent. A consumer may use an authorized agent to submit an opt-out, subject to verification described in Section 9.


8. Cookies and Tracking Technologies

Our Sites use cookies, pixels, web beacons, software development kits (“SDKs”), local-storage objects, and similar technologies (collectively, “Tracking Technologies”). Tracking Technologies are categorized as follows:

| Category | Examples | Function | Set by | Default state |
|---|---|---|---|---|
| Strictly necessary | Cloudflare WAF; load-balancer affinity; CSRF tokens; cookie-consent state | Required for the Sites to function and to comply with security and legal requirements | Iberlux | On (cannot be disabled) |
| Functional | Language preference (lang=es); state preference; saved form draft | Remember your choices | Iberlux | On unless you opt out |
| Analytics | Google Analytics 4 (_ga, _ga_<id>); Microsoft Clarity (_clck, _clsk); first-party measurement | Understand traffic patterns, page performance, error rates | Iberlux + service providers (Google, Microsoft) | On unless you opt out |
| Advertising / Targeting | Meta Pixel (_fbp, fr); Google Ads (_gcl_au, IDE); TikTok Pixel (_ttp); LinkedIn Insight | Deliver, measure, and optimize cross-context behavioral advertising | Iberlux + third-party platforms | Off until you consent (EU/UK); On until you opt out (U.S.) |

Server-side tracking. Iberlux uses server-side conversion APIs (Meta CAPI, Google Ads Enhanced Conversions, TikTok Events API), implemented via Cloudflare Workers. We hash personal identifiers using SHA-256 before transmission where the receiving platform supports hashed signals. Server-side tracking is treated as Tracking Technology for purposes of the opt-outs described in this Section.

Controls available to you:

  • Iberlux Cookie Preference Center: /preferencias-privacidad lets you accept, reject, or customize categories at any time and manage your “Sale/Sharing” status.
  • Browser controls: most browsers allow you to delete and block cookies; check your browser’s documentation.
  • GPC: we honor the Global Privacy Control as a request to opt out of Sale and Sharing.
  • Do Not Track (“DNT”): because no industry consensus standard for DNT exists, we do not specifically respond to DNT signals; we honor GPC instead.
  • Platform-level opt-outs: Meta (facebook.com/settings/ads), Google (myadcenter.google.com), TikTok (in-app ad-personalization settings), LinkedIn (account ad settings), Network Advertising Initiative (optout.networkadvertising.org), Digital Advertising Alliance (youradchoices.com), European Interactive Digital Advertising Alliance (youronlinechoices.eu).

9. Your Privacy Rights by Jurisdiction

9.1 California (CCPA/CPRA, including 2024 amendments and implementing regulations effective March 29, 2023 and CPPA Final Rules of November 2024)

If you are a California resident, you have the rights under Cal. Civ. Code § 1798.100 et seq. summarized below.

| Right | Citation | Description |
|---|---|---|
| Right to Know | § 1798.100; § 1798.110; § 1798.115 | Categories and specific pieces of Personal Information collected, sources, business and commercial purposes, categories of recipients, categories sold/shared and to whom, and categories disclosed for a business purpose, in the prior twelve (12) months — or, on request, beyond twelve months back to January 1, 2022 (subject to disproportionate-effort exception). |
| Right to Delete | § 1798.105 | Subject to enumerated exceptions including § 1798.105(d)(1)-(9). |
| Right to Correct | § 1798.106 | Correct inaccurate Personal Information. |
| Right to Opt Out of Sale/Sharing | § 1798.120; § 1798.135 | At any time, free of charge. We honor GPC. |
| Right to Limit Use of Sensitive PI | § 1798.121 | Direct us to limit SPI to the purposes enumerated in § 1798.121 and 11 C.C.R. § 7027. |
| Right to Opt Out of Profiling/Automated Decision-Making (ADMT) | 11 C.C.R. § 7200 et seq. (CPPA Final ADMT Rules, effective 2026) | See Section 15. |
| Right to Non-Discrimination | § 1798.125 | We will not deny goods or services, charge different prices, provide different quality, or retaliate for exercising rights. |
| Right to Designate an Authorized Agent | § 1798.135(c); 11 C.C.R. § 7063 | See Section 9.8. |
| Right to Appeal a Denial | § 1798.130(a)(2) (informal); cross-state harmonization | We provide an appeal process described in Section 9.10. |

9.2 Virginia (VCDPA, Va. Code § 59.1-575 et seq.)

Virginia residents have rights to access, correct, delete, port, and opt out of (i) targeted advertising, (ii) sale, and (iii) profiling in furtherance of decisions producing legal or similarly significant effects.

9.3 Colorado (CPA, Colo. Rev. Stat. § 6-1-1301 et seq., and 4 C.C.R. 904-3)

Colorado residents have rights to access, correct, delete, port, opt out (targeted advertising, sale, profiling), and to use a Universal Opt-Out Mechanism (“UOOM”) on the Colorado AG’s approved list (currently including GPC) per 4 C.C.R. 904-3 Rule 5.

9.4 Connecticut (CTDPA, Conn. Gen. Stat. § 42-515 et seq.)

Connecticut residents have rights substantially similar to VCDPA and CPA, including UOOM (effective January 1, 2025).

9.5 Utah (UCPA, Utah Code § 13-61-101 et seq.)

Utah residents have rights to access, delete, port, and opt out of targeted advertising and sale. Utah does not provide a right to correct or a right to opt out of profiling.

9.6 Texas (TDPSA, Tex. Bus. & Com. Code § 541.001 et seq., effective July 1, 2024)

Texas residents have rights to access, correct, delete, port, and opt out of targeted advertising, sale, and profiling. Iberlux’s Sites display a TDPSA-compliant notice substantially as follows: “We may sell your sensitive personal data” and “We may sell your biometric personal data” only where applicable; per Section 4.4, Iberlux does not sell SPI or biometric data.

9.7 Other States (effective dates vary; current list as of the Last Updated date)

Currently effective comprehensive state privacy statutes also include: Oregon (OCPA, eff. July 1, 2024); Montana (MTCDPA, eff. October 1, 2024); Iowa (ICDPA, eff. January 1, 2025); Tennessee (TIPA, eff. July 1, 2025); Indiana (INCDPA, eff. January 1, 2026); Delaware (DPDPA, eff. January 1, 2025); New Hampshire (NHPA, eff. January 1, 2025); New Jersey (NJDPA, eff. January 15, 2025); Minnesota (MNCDPA, eff. July 31, 2025); Maryland (MODPA, eff. October 1, 2025); Rhode Island (RIDTPPA, eff. January 1, 2026). Residents of these states have rights similar to those described above, with state-specific variations. Where applicable rights have not yet taken effect, we will honor them on the effective date specified by statute.

In addition, Iberlux extends to residents of all U.S. states and territories the substantive rights afforded to California residents, to the extent consistent with applicable law.

9.8 European Union, United Kingdom, and Other GDPR-Adequate Jurisdictions

If you are located in the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with a comparable data-protection regime, you have, in addition to the rights above, the following rights under Articles 12-23 of the GDPR (or UK GDPR or Swiss FADP, as applicable):

  • Right of access (Art. 15);
  • Right to rectification (Art. 16);
  • Right to erasure (“right to be forgotten”) (Art. 17);
  • Right to restriction of processing (Art. 18);
  • Right to data portability (Art. 20);
  • Right to object to processing based on legitimate interests, direct marketing, or profiling (Art. 21);
  • Right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects (Art. 22);
  • Right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal (Art. 7(3));
  • Right to lodge a complaint with a supervisory authority (Art. 77).

Lawful basis matrix (GDPR Art. 6/9):

| Processing | Lawful basis |
|---|---|
| Quote generation, course delivery | Performance of contract / pre-contractual measures (Art. 6(1)(b)) |
| TCPA-style marketing communications | Consent (Art. 6(1)(a)); withdrawable at any time |
| Health-related SPI for ACA quote | Explicit consent (Art. 9(2)(a)) |
| Fraud prevention, security | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Cookies (non-essential) | Consent under ePrivacy Directive 2002/58/EC and GDPR |

Data Protection Officer / EU Representative. Iberlux processes EU/UK personal data only on an incidental basis and is not currently established in the EU/UK. To the extent Article 27 GDPR is triggered, Iberlux will appoint an EU/UK representative; until then, EU/UK consumers may contact dpo@iberlux.com.

9.9 Children: Florida Digital Bill of Rights, NY SHIELD Act, and COPPA

See Section 11.

9.10 How to Exercise Your Rights

You may submit a verifiable consumer request through any of the following channels:

  • Privacy request portal: https://iberluxseguros.com/privacy/request;
  • Email: privacy@iberlux.com (subject line: “Privacy Rights Request”);
  • Toll-free: call the number listed at iberluxseguros.com/contacto (operating during business hours; voicemail accepted);
  • Postal mail: Iberlux LLC, Attn: Privacy Officer, at the address in Section 18;
  • Authorized agent: see Section 9.8 below.

Verification. To prevent fraudulent or unauthorized requests, we verify your identity by matching information you provide in your request against information already in our records (typically two to three data points, e.g., name + email + phone or ZIP + DOB-month). For deletion requests involving sensitive information or large data volumes, we may require additional verification consistent with 11 C.C.R. § 7062-7064. We will not require you to create an account to make a request.

Response timeline. We acknowledge requests within ten (10) business days and respond within forty-five (45) calendar days, extendable by an additional forty-five (45) days when reasonably necessary, with notice to you. EU/UK requests are completed within one (1) month, extendable by two (2) months under Art. 12(3) GDPR.

Authorized agent (Cal. Civ. Code § 1798.135(c); 11 C.C.R. § 7063). California consumers may use an authorized agent to make a request. We require: (a) signed permission from the consumer or, if applicable, a power of attorney under Cal. Prob. Code § 4000 et seq.; (b) verification of the consumer’s identity directly with us; and (c) confirmation directly from the consumer that the agent is authorized. Authorized agents must be registered with the California Secretary of State to do business in California.

Appeal. If we deny your request, you may appeal by replying to our denial notice or emailing privacy@iberlux.com with subject “Privacy Rights Appeal” within sixty (60) days. We will respond within sixty (60) days (or longer where state law specifies a different timeline). If your appeal is denied, you may file a complaint with your state Attorney General. Consumers in Connecticut, Colorado, Virginia, and other states with statutory appeal rights have a statutory right of appeal; we honor those rights for consumers in all states.

No fee. We will not charge a fee to process or respond to your verifiable request unless it is excessive, repetitive, or manifestly unfounded; in such cases, we may charge a reasonable fee or decline the request, with notice to you.


10. Sensitive Personal Information — Specific Disclosures (CCPA/CPRA § 1798.121)

Iberlux’s collection and use of SPI is described in Section 4.4. Consistent with Cal. Civ. Code § 1798.121 and 11 C.C.R. § 7027:

  • We collect and use SPI only for the purposes enumerated in § 1798.121(a) and 11 C.C.R. § 7027(m), namely: to perform the services or provide the goods you request; to detect security incidents and resist malicious or fraudulent action; to ensure physical safety; for short-term, transient use including non-personalized advertising; to perform services on Iberlux’s behalf; and to verify and maintain the quality or safety of a service or device.
  • We do not use or disclose SPI to infer characteristics about you beyond those purposes.
  • California residents may direct us to limit our use and disclosure of SPI by clicking “Limit the Use of My Sensitive Personal Information” at https://iberluxseguros.com/preferencias-privacidad or by emailing privacy@iberlux.com.
  • For ACA / health-insurance quoting, the disclosure of self-reported health status to the carriers and Lead Buyers selected for your quote is necessary to provide the service you requested and is therefore not a use that would be limited by a § 1798.121 request.

11. Children’s Privacy

The Services are not directed to, designed for, or intended to attract children. We do not knowingly collect Personal Information from children under thirteen (13) years of age in violation of the Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501 et seq. (“COPPA”), and its implementing regulations at 16 C.F.R. Part 312 (including the FTC’s 2024-2025 amendments). We do not knowingly Sell or Share the Personal Information of consumers under sixteen (16) years of age in violation of Cal. Civ. Code § 1798.120(c). We comply with the Florida Online Protections for Minors law, the New York Stop Addictive Feeds Exploitation (SAFE) for Kids Act, and the Maryland Age-Appropriate Design Code Act, as applicable.

If you believe a child has provided Personal Information through the Services, please contact privacy@iberlux.com with subject line “COPPA — Child Data Concern” and we will promptly investigate and, if confirmed, delete the information.


12. Data Security

Iberlux implements reasonable and appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Personal Information, calibrated to the nature, scope, context, and risk of the processing. Our safeguards include, without limitation:

  • Encryption in transit: TLS 1.2+ (TLS 1.3 preferred) for all Site traffic and API communication;
  • Encryption at rest: AES-256 for database storage in Supabase / AWS us-east-1, S3-compatible R2 storage, and encrypted backups;
  • Key management: managed via cloud-provider KMS (AWS KMS / Cloudflare);
  • Access controls: role-based access control (RBAC), least privilege, principle of need-to-know; multi-factor authentication for all administrative access; periodic access reviews;
  • Network security: Cloudflare WAF, rate limiting, bot management, DDoS mitigation;
  • Logging and monitoring: centralized logging, anomaly detection, incident response procedures;
  • Vendor management: vendor risk assessments; data processing addenda (“DPAs”) with each Service Provider; SOC 2 / ISO 27001 evidence collected where applicable;
  • Personnel: confidentiality obligations; security training; background checks for personnel with access to Personal Information;
  • Incident response: documented IR procedures with breach-notification triggers under state breach-notification laws (Cal. Civ. Code § 1798.82; N.Y. Gen. Bus. Law § 899-aa; Fla. Stat. § 501.171; Tex. Bus. & Com. Code § 521.053; analogous statutes in 50 states; HHS HIPAA Breach Notification Rule, 45 C.F.R. §§ 164.400-414, where applicable; GDPR Art. 33-34).

No system can be guaranteed to be 100% secure. We do not warrant or guarantee absolute security; you transmit information at your own risk. If you have reason to believe your interaction with the Services is no longer secure (for example, if you feel that the security of your account has been compromised), please immediately notify us at security@iberlux.com.


13. Data Retention

Iberlux retains Personal Information only for as long as reasonably necessary for the purposes set out in this Policy and as required by applicable law. Specific retention periods, by category, are summarized below.

| Data category | Retention |
|---|---|
| Lead-form submissions (active marketing) | Up to 36 months from last consumer engagement, then archived |
| TCPA consent records (form, disclosure version, Jornaya, TrustedForm, IP, UA, timestamps) | Minimum four (4) years from last contact, consistent with 47 U.S.C. § 227 four-year statute of limitations as recognized in 28 U.S.C. § 1658 and FCC guidance, generally retained longer for evidentiary purposes |
| Suppression list / opt-outs | Indefinitely (required to honor opt-outs perpetually) |
| Insurance applications, policy data, agent-of-record records | Up to seven (7) years post-termination, per state insurance department record-retention rules (varies; e.g., 5 years CA Ins. Code § 10508; 6 years NY 11 NYCRR 243; 7 years FL) |
| 1099 records and payee tax data (Iberlux Academy affiliates, agents) | Seven (7) years after the tax year of the last reportable transaction, per IRS recordkeeping rules (26 C.F.R. § 1.6001-1; IRS Publication 583) |
| Course enrollment, learner progress, certificates | Duration of access plus seven (7) years (recordkeeping, refund disputes, consumer-protection statutes of limitations) |
| Stripe payment metadata (last-4, brand, expiry, charge IDs) | Seven (7) years |
| Server access logs, security logs | Up to two (2) years |
| Call recordings (where lawfully made) | Up to two (2) years; longer where necessary for dispute resolution |
| Voice AI Agent transcripts | Up to two (2) years |
| Analytics aggregates (de-identified) | Indefinite |
| Cookies | Per cookie expiry stated in the Cookie Preference Center |

After the applicable retention period, we will delete, de-identify (in accordance with Cal. Civ. Code § 1798.140(m) and 11 C.C.R. § 7011 for de-identification), aggregate, or anonymize the Personal Information.


14. International Data Transfers

The Services are operated from, and our infrastructure is hosted in, the United States (primarily AWS us-east-1, with edge presence on Cloudflare’s global network). If you access the Services from outside the United States, your Personal Information will be transferred to and processed in the United States, where data-protection laws may differ from, and may afford a lower level of protection than, the laws of your jurisdiction.

For transfers of Personal Data subject to the GDPR or UK GDPR from the EEA, UK, or Switzerland to the United States, Iberlux relies, where applicable, on:

  • The European Commission’s Standard Contractual Clauses (Module Two: Controller-to-Processor; Module Three: Processor-to-Processor) issued under Commission Implementing Decision (EU) 2021/914;
  • The UK International Data Transfer Addendum issued by the UK Information Commissioner’s Office;
  • Where eligible, certification under the EU-U.S. Data Privacy Framework (“DPF”) and the UK Extension thereto (Iberlux’s certification status, if any, is at dataprivacyframework.gov); and
  • Supplementary measures consistent with EDPB Recommendations 01/2020.

You may request a copy of our cross-border transfer mechanism by contacting dpo@iberlux.com.


15. Automated Decision-Making, Profiling, and AI

15.1 What automated and AI systems we use

  • Lead-scoring models (statistical / machine-learning). Score leads 0-100 using historical features such as form completion behavior, time-of-day, ZIP, product, language, and prior outcomes. Used to (i) prioritize call queue and (ii) route to higher-tier Lead Buyers.
  • Voice AI Agent (Vapi.ai). A voice-AI assistant orchestrated through Vapi.ai, Inc. that may place outbound calls to leads to pre-qualify, schedule appointments, or relay information, and may also receive inbound calls. The Voice AI Agent uses speech-to-text (typically OpenAI Whisper or equivalent), large-language-model dialog management (typically Anthropic Claude or equivalent), and text-to-speech (typically ElevenLabs or equivalent). You will be informed at the start of every Voice AI Agent interaction that you are interacting with an automated voice assistant and you may at any time request a human representative; doing so will route you to a licensed human agent during operating hours or schedule a human callback.
  • AI-generated content. Marketing copy, email content, and SMS templates may be drafted with assistance from large-language models (e.g., Anthropic Claude). Such content is reviewed by humans before deployment.
  • Suppression and fraud-detection models. Statistical models, BlackList Alliance, behavioral signals, and IP-reputation feeds are used to suppress likely fraudulent or litigator submissions.

15.2 Disclosure under CPRA, CPA, CTDPA, VCDPA, OCPA, NJDPA, and Colorado AI Act

Where state law confers a right to opt out of profiling that produces legal or similarly significant effects, you may exercise that right at /preferencias-privacidad or by emailing privacy@iberlux.com. Iberlux’s lead-scoring and routing decisions do not, in our reasonable assessment, produce legal or similarly significant effects within the meaning of Va. Code § 59.1-575; Colo. Rev. Stat. § 6-1-1303(10); Conn. Gen. Stat. § 42-515; or 11 C.C.R. § 7220, because they affect only marketing prioritization, not access to insurance, employment, housing, financial services, healthcare, education, or essential services. Insurance underwriting decisions are made by carriers, not by Iberlux, and are subject to those carriers’ own automated-decision-making disclosures and opt-out rights.

For California consumers, beginning on the effective date of the CPPA’s Final Rules on Automated Decision-Making Technology (“ADMT”) (currently scheduled to phase in beginning January 1, 2027 with various sub-deadlines), Iberlux will provide:

  • Pre-use notice describing the logic, inputs, intended outputs, and consequences of any covered ADMT;
  • The right to opt out of covered ADMT (with limited statutory exceptions);
  • The right to access meaningful information about how the ADMT made or contributed to a decision affecting you.

Pre-use notices for covered ADMT will be linked from this Policy when applicable.

For Colorado residents, the Colorado AI Act (“CAIA”), C.R.S. § 6-1-1701 et seq. (effective February 1, 2026), imposes obligations on developers and deployers of “high-risk AI systems.” Iberlux’s lead-scoring and Voice AI Agent are not, in our reasonable assessment, high-risk AI systems within the meaning of the CAIA, but we monitor scope developments and will update this Policy as needed.

For EU/UK residents, you have the right under GDPR Art. 22 not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects. Iberlux’s profiling does not produce such effects; nonetheless you may object to profiling for direct-marketing purposes at any time under Art. 21(2).

15.3 Voice AI Agent specific notice

When you interact with the Voice AI Agent, the following will be true: (i) the Voice AI Agent will identify itself as an automated assistant at the start of the call; (ii) the call may be recorded for quality, training, and dispute resolution, with notice as required by applicable wiretap law; (iii) you may at any time say “human”, “agent”, “representative”, or equivalent to be transferred or scheduled with a human; (iv) the Voice AI Agent does not bind insurance, quote final premiums, or provide individualized financial, tax, or legal advice; (v) any commitments stated by the Voice AI Agent are non-binding pending confirmation by a licensed human agent.


16. Notice of Financial Incentive (CCPA/CPRA, Cal. Civ. Code § 1798.125(b); 11 C.C.R. § 7080)

Iberlux does not currently offer a financial incentive program, loyalty program, price discount, or service difference in exchange for the sale, sharing, retention, or deletion of Personal Information. If we introduce such a program, we will provide a Notice of Financial Incentive that includes a description of the material terms of the program, how to opt in, the right to withdraw, a good-faith estimate of the value of the consumer’s data, and a description of the methodology used to calculate the value, in compliance with applicable law.

The Iberlux Academy course is sold for monetary consideration unrelated to data processing; payment for the course is not a financial incentive within the meaning of Cal. Civ. Code § 1798.125(b).


17. Changes to This Policy

We may update this Policy from time to time. The “Last Updated” date at the top of this Policy reflects the most recent revision. For material changes, we will provide at least thirty (30) days’ prior notice by:

  • Posting a prominent notice on the Sites; and
  • For consumers with an Iberlux Academy account or who have an active marketing relationship with Iberlux, sending an email notice to the address most recently associated with the account or relationship.

Continued use of the Services after the effective date of an updated Policy constitutes your acknowledgment of the updates, except that consent-based processing under GDPR will not be affected by an update unless we obtain a new consent.

A versioned archive of prior Policies is maintained at iberluxseguros.com/privacidad/archivo.


18. How to Contact Us

Iberlux LLC
Attn: Privacy Officer
[STREET ADDRESS · CITY · STATE · ZIP] (physical address — populate prior to publish)
United States of America

  • General privacy email: privacy@iberlux.com
  • Data Protection Officer / EU-UK matters: dpo@iberlux.com
  • Security incidents: security@iberlux.com
  • Legal notices: legal@iberlux.com
  • TCPA opt-out / STOP: stop@iberlux.com
  • Toll-free: as published at iberluxseguros.com/contacto
  • Privacy request portal: iberluxseguros.com/privacy/request
  • Cookie / preference center: iberluxseguros.com/preferencias-privacidad

California consumers may designate an authorized agent under Cal. Civ. Code § 1798.135(c), as described in Section 9.10.

EU/UK consumers may, in addition to contacting us, lodge a complaint with their local Data Protection Authority. A directory is available at edpb.europa.eu/about-edpb/about-edpb/members_en.


19. California Notice at Collection (Cal. Civ. Code § 1798.100(b); 11 C.C.R. § 7012)

This Notice at Collection is provided at or before the point at which Iberlux collects Personal Information, and is hyperlinked from each form, footer, and the Sites’ privacy menu.

  • Categories of Personal Information collected: see Section 3 and Section 4.
  • Categories of Sensitive Personal Information collected: see Section 4.4.
  • Purposes for which categories of Personal Information are collected, used, sold, or shared: see Sections 5 and 6.
  • Whether the categories listed are sold or shared: Yes, as described in Section 6.5.
  • Length of time Iberlux intends to retain each category: see Section 13.
  • Link to opt-out of Sale/Sharing and to Limit Use of SPI: https://iberluxseguros.com/preferencias-privacidad.
  • Link to this Privacy Policy: https://iberluxseguros.com/privacidad.

The standalone Notice at Collection page is at https://iberluxseguros.com/aviso-de-recoleccion.


20. Sources of Personal Information (Cal. Civ. Code § 1798.110(c)(2))

Iberlux collects Personal Information from the following categories of sources:

  1. Directly from you through forms, communications, account creation, course enrollment, voice and SMS interaction;
  2. From your device or browser automatically through cookies, pixels, and similar technologies;
  3. From advertising platforms (Meta, Google, TikTok, LinkedIn) regarding the source, campaign, and click context;
  4. From identity, contact, and fraud-prevention vendors (ZeroBounce, Twilio Lookup, Numeracle, BlackList Alliance, ActiveProspect, hCaptcha, Ekata or equivalent);
  5. From insurance carriers, Lead Buyers, and licensed agents regarding application status, appointments, and quality feedback;
  6. From co-registration partners and lead aggregators that obtained your consent to share information with Iberlux;
  7. From public records and licensed data providers for verification and fraud prevention.

21. Annual Privacy Disclosure (Cal. Civ. Code § 1798.130(a)(5))

In compliance with Cal. Civ. Code § 1798.130(a)(5), Iberlux discloses the following in respect of the calendar year ending December 31, 2025 (figures will be updated annually within twelve (12) months of the end of each calendar year):

| Metric | 2025 |
|---|---|
| Number of requests to Know received | [populate annually] |
| Number complied with in whole or in part | [populate annually] |
| Number denied (and reasons) | [populate annually] |
| Median number of days to respond | [populate annually] |
| Number of requests to Delete received | [populate annually] |
| Number complied with in whole or in part | [populate annually] |
| Number denied (and reasons) | [populate annually] |
| Number of requests to Correct received | [populate annually] |
| Number of requests to Opt Out of Sale/Sharing received | [populate annually] |
| Number of requests to Limit Use of SPI received | [populate annually] |
| Median days to act on opt-outs | [populate annually; statutorily must be ≤ 15 business days] |

This disclosure will be updated annually. Iberlux will, where required, also publish equivalent disclosures for Colorado, Connecticut, and other states with statutory metrics-disclosure requirements.


22. Cross-References and Incorporated Documents

This Policy must be read together with:

  • Terms of Service at /terminos — including, without limitation, Section 11 (Dispute Resolution; Binding Arbitration; Class-Action Waiver; Governing Law; Opt-Out Procedure) and Section 9 (Limitation of Liability), each of which is incorporated by reference for purposes of any dispute relating to this Policy or the processing of Personal Information.
  • TCPA Disclosure at /divulgacion-tcpa — including the form-level prior-express-written-consent language for telephone, SMS, and prerecorded/artificial-voice marketing communications, and the partner list referenced therein at iberluxseguros.com/partners.
  • Cookie Preference Center / Privacy Preferences at /preferencias-privacidad — to manage cookies, opt-out of Sale/Sharing, limit use of SPI, and review GPC-honoring status.
  • Notice at Collection at /aviso-de-recoleccion.
  • Iberlux Partner List at iberluxseguros.com/partners (categories of Lead Buyers, snapshot-hashed at time of consent).

In the event of conflict between this Policy and the Terms of Service with respect to the processing of Personal Information, this Policy controls. In the event of conflict between this Policy and the TCPA Disclosure shown at the time of your form submission with respect to the scope of consent for telephone communications, the TCPA Disclosure controls.