Section 01

Introduction and Scope

This Privacy Policy (“Policy”) describes how Shurr Insurance Agency, LLC (“Agency,” “we,” “us,” or “our”) collects, uses, discloses, retains, and protects the personal information of our clients, prospective clients, website visitors, and other individuals with whom we interact in connection with our insurance services. We are committed to safeguarding your privacy and handling your information responsibly.

This Agency provides insurance products and services across the following lines of business:

• Property and Casualty Insurance (personal and commercial lines, including homeowners, auto, renters, umbrella, business owner policies, commercial property, general liability, workers’ compensation, and professional liability)
• Life Insurance (term life, whole life, universal life, and annuities)
• Health Insurance (individual and group health plans, Medicare supplements, dental, vision, and disability coverage)

This Policy is governed by the laws of the State of Indiana, including: IC § 27-2-27 IC § 24-15 IC § 24-4.9 and applicable federal law including the Gramm-Leach-Bliley Act (GLBA) and, where applicable, HIPAA.

This Policy applies to information collected through our website, telephone interactions, in-person consultations, written communications, and all other channels through which we conduct business. By engaging our services or using our website, you agree to the practices described in this Policy.

Section 02

Information We Collect

Section 03

How We Use Your Information

We use the personal information we collect for the following purposes:

3.1 Insurance Placement and Servicing

• Evaluating your eligibility for insurance coverage and determining appropriate coverage options
• Preparing, submitting, and binding insurance applications with carriers
• Issuing, amending, renewing, and canceling insurance policies
• Processing premium payments, billing, and financing arrangements
• Handling mid-term policy changes (endorsements, additions, deletions)

3.2 Claims Administration

• Reporting, investigating, and managing insurance claims on your behalf
• Coordinating with insurance carriers, adjusters, and legal counsel
• Facilitating claim payments and settlements
• Maintaining claims history records as required by carriers and regulators

3.3 Underwriting and Risk Assessment

• Sharing your information with insurance carriers for underwriting review
• Ordering and reviewing motor vehicle reports, credit reports, and inspection reports
• Assessing risk factors to match you with appropriate coverage and pricing

3.4 Legal and Regulatory Compliance

• Complying with state insurance department licensing, reporting, and record-keeping requirements
• Responding to lawful subpoenas, court orders, and government investigations
• Meeting obligations under the Gramm-Leach-Bliley Act (GLBA), Health Insurance Portability and Accountability Act (HIPAA) where applicable, and other applicable federal and state privacy laws
• Maintaining records required by the National Association of Insurance Commissioners (NAIC) model regulations

3.5 Business Operations and Communications

• Sending policy documents, renewal notices, billing statements, and coverage summaries
• Communicating important policy changes, carrier updates, and industry developments
• Conducting customer satisfaction surveys and improving our services
• Internal training, quality assurance, and agency management

3.6 Marketing (with Applicable Opt-Out Rights)

• Informing you about additional insurance products or services that may benefit you
• Sharing relevant product offerings from affiliated or partner carriers

You have the right to opt out of marketing communications at any time. See Section 9 for your opt-out rights.

Section 04

How We Share and Disclose Your Information

We do not sell your personal information to third parties. We share information only as described below and as permitted or required by law.

4.1 Insurance Carriers and Underwriters

We share your information with insurance carriers, reinsurers, MGAs, and Lloyd’s syndicates as necessary to obtain quotes, bind coverage, and service your policies. These entities are independently bound by their own privacy obligations.

4.2 Service Providers and Vendors

We engage third-party service providers who assist in our operations, including:

• Agency management system (AMS) and customer relationship management (CRM) providers
• Premium finance companies
• Electronic signature and document management providers
• IT, cybersecurity, and cloud storage providers
• Accounting, legal, and compliance services

These vendors are contractually obligated to maintain the confidentiality of your information and to use it only for the purposes for which it was shared.

4.3 Consumer Reporting Agencies and Industry Databases

With your authorization or as permitted by law, we may share or obtain information from consumer reporting agencies, the Medical Information Bureau (MIB), ISO/Verisk, and similar industry databases for underwriting and claims purposes.

4.4 Legal and Regulatory Authorities

We may disclose your information to law enforcement agencies, regulatory bodies, courts, or other governmental authorities where required by law, court order, or to protect our legal rights or the rights of others.

4.5 Business Transfers

In the event of a merger, acquisition, agency sale, or transfer of all or a portion of our business assets, your personal information may be transferred as part of that transaction. We will notify you via email or prominent website notice in the event of such a change and prior to your information becoming subject to a different privacy policy.

4.6 Co-Brokers and Referral Partners

Where we co-broker business or receive referrals from other licensed agents or agencies, we may share necessary information to facilitate the placement or servicing of your coverage, subject to applicable confidentiality agreements.

Section 05

Sensitive Information — Special Protections

5.1 Health Information

Health and medical information collected in connection with life and health insurance applications is treated with the highest level of confidentiality. Where HIPAA applies, we comply fully with its requirements regarding use, disclosure, and safeguarding of Protected Health Information (PHI). Authorizations for release of medical records are obtained in writing and are specific in scope and duration.

5.2 Social Security Numbers

We collect Social Security Numbers solely for lawful business purposes, including identity verification, credit-based insurance scoring, and tax reporting. We protect SSNs from unauthorized access and do not publicly disclose them.

5.3 Financial Account Information

Banking and payment information is used solely for the purpose of processing premium payments and claim disbursements. We do not store full payment card numbers and use PCI-DSS compliant payment processing systems.

Section 06

Data Security — Indiana Insurance Data Security Law (IC § 27-2-27)

As a licensed insurance producer domiciled in Indiana, Shurr Insurance Agency, LLC is subject to the Indiana Insurance Data Security Law, Indiana Code § 27-2-27 et seq., which took effect July 1, 2021. This law is based on the NAIC Insurance Data Security Model Law and establishes mandatory data security standards for all Indiana insurance licensees.

We maintain a written Information Security Program designed to protect Nonpublic Information (as defined in IC § 27-2-27-12), which includes all personal, financial, and health information of our clients. Our program includes:

• Encryption of sensitive data in transit (TLS/SSL) and at rest
• Access controls and role-based permissions limiting employee access to nonpublic information on a need-to-know basis
• Multi-factor authentication (MFA) for systems containing client nonpublic information, as required by IC § 27-2-27-16
• Annual risk assessments pursuant to IC § 27-2-27-17, identifying internal and external threats to nonpublic information
• Oversight of third-party service providers who handle nonpublic information, including contractual security requirements per IC § 27-2-27-18
• Employee training on data privacy, cybersecurity, and social engineering awareness
• A written Incident Response Plan maintained per IC § 27-2-27-20
• Secure destruction of physical and electronic records when retention periods expire

Despite our safeguards, no data transmission over the internet or electronic storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please notify us immediately using the contact information in Section 12.

6.1 Cybersecurity Event Notification — IC § 27-2-27-21

If we learn that a cybersecurity event has occurred or may have occurred that affects your Nonpublic Information, we are required under IC § 27-2-27-21 to conduct a prompt investigation. If the event meets the notification thresholds under Indiana law — including a reasonable likelihood of material harm to an Indiana consumer, or compromise of the nonpublic information of 250 or more Indiana consumers — we are required to notify the Indiana Department of Insurance (IDOI) as soon as possible, but no later than 3 business days after determining that notification is required.

6.2 Consumer Data Breach Notification — IC § 24-4.9

Under Indiana’s general data breach notification law, Indiana Code § 24-4.9-3, we are required to notify you without unreasonable delay — and within 45 days of discovery — if a breach of our data systems results in the unauthorized acquisition of your unencrypted personal information (or encrypted personal information where the encryption key was also compromised), and where such acquisition has resulted in or could reasonably result in identity theft, identity deception, or fraud. We are also required to notify the Indiana Attorney General when individual consumers are notified, and to notify consumer reporting agencies if more than 1,000 Indiana residents are affected. Violations of this law may result in civil penalties of up to $150,000 per violation.

Section 07

Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Policy, to comply with applicable legal, regulatory, and contractual obligations, and to resolve disputes. Retention periods vary based on the type of information and applicable requirements:

• Policy and coverage records: Minimum of 5–7 years following policy expiration, or as required by state insurance regulations
• Claims records: Minimum of 7 years from claim closure, or longer if litigation is pending
• Health and medical records: As required by HIPAA and applicable state law
• Financial transaction records: 7 years as required by federal tax law
• Licensing and E&O compliance records: As required by state regulators

When personal information is no longer required, we securely destroy or de-identify it in accordance with applicable law and our data disposal procedures.

Section 08

Cookies and Online Tracking

Our website uses cookies and similar tracking technologies to enhance your browsing experience, analyze site traffic, and support our marketing activities.

8.1 Types of Cookies We Use

• Essential Cookies: Required for core website functionality, such as navigation and form submission
• Analytics Cookies: Used to understand how visitors interact with our website (e.g., Google Analytics)
• Preference Cookies: Used to remember your settings and preferences
• Marketing Cookies: Used to deliver relevant advertising and track campaign effectiveness

8.2 Your Cookie Choices

Most browsers allow you to control cookies through their settings. You may also opt out of certain analytics tracking by visiting the Google Analytics Opt-out page or by using our website’s cookie preference center if available. Note that disabling certain cookies may affect the functionality of our website.

Section 09

Your Privacy Rights

As an Indiana-domiciled agency serving clients across multiple states, we honor privacy rights under both Indiana and applicable state law. Depending on your state of residence, you may have some or all of the following rights with respect to your personal information:

• Right to Know: The right to request disclosure of the categories and specific pieces of personal information we have collected about you
• Right to Access: The right to obtain a copy of your personal information in a portable format
• Right to Correct: The right to request correction of inaccurate personal information
• Right to Delete: The right to request deletion of your personal information, subject to legal and regulatory exceptions
• Right to Opt Out of Marketing: The right to opt out of receiving marketing communications at any time by contacting us or using the unsubscribe link in our emails
• Right to Limit Use of Sensitive Information: Where required by applicable law, the right to limit use of sensitive personal data
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights

Please note that certain rights may be subject to exceptions under applicable insurance regulations. For example, we may be required to retain certain records regardless of a deletion request, or may need to continue processing information to fulfill a contractual or legal obligation.

9.1 How to Submit a Privacy Request

To exercise any of the rights described above, please contact us using the information in Section 12. We will verify your identity before processing your request and will respond within the time frame required by applicable law (typically 30–45 days).

Section 10

Indiana-Specific Privacy Disclosures and Governing Law

Shurr Insurance Agency, LLC is domiciled and licensed in the State of Indiana. Indiana law governs this Privacy Policy. The following Indiana statutes directly apply to our operations and your rights as a consumer:

10.1 Indiana Consumer Data Protection Act (IC § 24-15) — Effective January 1, 2026

The Indiana Consumer Data Protection Act (ICDPA), codified at Indiana Code Article 24-15, took effect January 1, 2026. It is important to note that as an insurance agency subject to the federal Gramm-Leach-Bliley Act (GLBA) and, where applicable, HIPAA, our data practices are largely governed by those federal frameworks. The ICDPA expressly exempts entities and data regulated by the GLBA and HIPAA (IC § 24-15-1-1(b)(2)-(3)). However, to the extent any of our data processing activities fall outside those federal exemptions, we comply with the ICDPA and provide Indiana residents the following rights:

• Right to confirm whether we are processing your personal data and to access that data (or a representative summary at our discretion) — IC § 24-15-3-1(b)(1)
• Right to correct inaccuracies in personal data you previously provided to us — IC § 24-15-3-1(b)(2)
• Right to obtain a copy or representative summary of your personal data — IC § 24-15-3-1(b)(3)
• Right to request deletion of your personal data — IC § 24-15-3-1(b)(4)
• Right to opt out of processing of your personal data for targeted advertising, sale of personal data, or profiling that produces significant legal effects — IC § 24-15-3-1(b)(5)

To exercise any of these rights, submit a written request to us using the contact information in Section 12. We will respond within 45 days of receipt; we may extend this period by an additional 45 days with notice. We will verify your identity before processing your request. If we deny your request, you may appeal our decision by contacting us in writing; if your appeal is denied, you may contact the Indiana Attorney General at indianaattorneygeneral.gov. The Indiana Attorney General has exclusive enforcement authority under the ICDPA and may seek injunctive relief and civil penalties of up to $7,500 per violation, following a mandatory 30-day cure period (IC § 24-15-10-2).

Note: The ICDPA does not provide a private right of action against us. Your enforcement recourse is through the Indiana Attorney General.

10.2 Indiana Insurance Data Security Law (IC § 27-2-27)

As described in Section 6, we are fully subject to the Indiana Insurance Data Security Law (effective July 1, 2021), which requires us to maintain an Information Security Program, conduct annual risk assessments, oversee third-party service providers, and notify the Indiana Department of Insurance (IDOI) of cybersecurity events. This law is the primary data security framework governing our handling of client Nonpublic Information as an Indiana-licensed insurance producer.

10.3 Indiana Security Breach Notification Law (IC § 24-4.9)

As described in Section 6.2, Indiana Code § 24-4.9 requires us to notify affected Indiana residents within 45 days of discovering a qualifying data breach, and to report to the Indiana Attorney General. Penalties for non-compliance may reach $150,000 per violation.

10.4 Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of the State of Indiana, without regard to its conflict-of-law provisions. Any dispute arising out of or relating to this Policy shall be subject to the exclusive jurisdiction of the state and federal courts located in Porter County, Indiana.

10.5 Multi-State Operations

Because Shurr Insurance Agency, LLC sells and services insurance across multiple states, additional state privacy laws may apply to clients residing in those states. Where applicable state law provides consumers with privacy rights beyond those described in this Policy, we will honor those rights. The following are notable examples:

• California Residents (CCPA/CPRA): California residents have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act, including the right to opt out of the sale or sharing of personal information and the right to limit use of sensitive personal information. We do not sell personal information. To submit a California privacy request, contact us using the information in Section 12.
• Vermont and Maine Residents: These states impose opt-in requirements before sharing certain nonpublic personal financial information with non-affiliated third parties for marketing purposes. We will obtain your affirmative consent as required.
• Other State Privacy Laws: As of the effective date of this Policy, numerous states (including Colorado, Connecticut, Virginia, Texas, and others) have enacted comprehensive consumer data privacy laws. To the extent those laws apply to our handling of your information, we will comply with their requirements. GLBA and HIPAA exemptions apply in most states for insurance-related data.
• NAIC Model Privacy Act States: Many states where we are licensed have adopted the NAIC Insurance Information and Privacy Protection Model Act or similar statutes, which provide specific rights to access and correct personal information held by insurers and agents. These rights are in addition to those described elsewhere in this Policy.

10.6 HIPAA — Health and Life Insurance

To the extent we function as a Business Associate under HIPAA in connection with health insurance products we place or service, we comply with all applicable HIPAA Privacy Rule (45 CFR Part 164) and Security Rule requirements. Medical and health information collected for life and health insurance underwriting is subject to heightened protections and is used only as authorized and required. If you receive a separate Notice of Privacy Practices from a health insurance carrier, those terms govern that carrier’s handling of your Protected Health Information (PHI). HIPAA-regulated PHI is expressly exempt from the Indiana ICDPA (IC § 24-15-1-1(b)(3)).

Section 11

Gramm-Leach-Bliley Act (GLBA) — Financial Privacy Notice

As a licensed insurance agency, we are subject to the privacy provisions of the Gramm-Leach-Bliley Act (GLBA). We collect nonpublic personal information about you from the sources described in Section 2 of this Policy. We do not share your nonpublic personal information with nonaffiliated third parties except as permitted by the GLBA and applicable state law, including for purposes of:

• Servicing your insurance policies or processing transactions you have requested
• Maintaining or servicing your account, or responding to your requests
• Complying with legal, regulatory, and judicial requirements
• Preventing fraud and protecting the security of records

You have the right to opt out of certain disclosures of your nonpublic personal financial information to nonaffiliated third parties. If you wish to limit such disclosures, please contact us using the information in Section 12.

Section 12

Contact Us

If you have questions about this Privacy Policy, wish to exercise your privacy rights, or want to submit a complaint about our privacy practices, please contact us at:

Shurr Insurance Agency, LLC
Attn: Privacy Officer / Compliance Department
Address: 833 Lincolnway, Valparaiso, IN 46383
Phone: (219) 462-1146
Email: info@shurrinsurance.com
Website: https://shurrinsurance.com

Section 13

Changes to This Privacy Policy

We reserve the right to modify this Privacy Policy at any time. When we make material changes, we will update the Effective Date at the top of this Policy and, where required by law, provide notice to affected individuals via email or a prominent notice on our website. We encourage you to review this Policy periodically to stay informed of how we are protecting your information.

Your continued use of our services or our website following the posting of changes constitutes your acceptance of such changes, to the extent permitted by applicable law.