McCosh Holdings Limited (t/a Yokahu) – Privacy Notice

Please read this privacy notice carefully as it contains important information on who we are and how and why we collect, store, use and share your personal data. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.

When we use personal data we are regulated by the Information Commissioner under the Retained Regulation EU 2016/679 (“UK GDPR”) and the UK Data Protection Act 2018 (together, “Data Protection Legislation”). We are accountable as Controller of that personal data for the purposes of Data Protection Legislation.

Key terms

It would be helpful to start by explaining some key terms used in this policy:

We, McCosh, Yokahu, us, our: McCosh Holdings Limited, trading as Yokahu, incorporated and registered in England and Wales with company number 12061729, whose registered office is at 2 City Limits, Danehill, Reading, Berkshire, England, RG6 4UP.
Personal data: Any information relating to an identified or identifiable natural person
Special category personal data:

  • Personal data revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership
  • Genetic and biometric data
  • Data concerning health, sex life or sexual orientation

Personal data we collect

In the course of your interaction with us and our provision to you of insurance against damage to your home occasioned by certain categories of hurricane in Caribbean Territories, using parametric underwriting technologies, we will collect from you the following personal data:

  • Your full name
  • Your residential address in the Caribbean Territories
  • Certain details relating to the property by which the Insured might be identified (such as Plot Registration number, plans, photographs and GPS location data)
  • Mobile number
  • Your email address and associated internet protocol address
  • Your credit or debit card details
  • Other bank account information for debit payments and for payment of claims
  • Other ID verification documents as may be required by local law or regulation such as Passport details or ID card information

This personal data is required to enable us to provide our insurance services. If we are not provided with the personal data we ask for, it may delay or prevent us from providing the services which you are requesting.

How personal data is collected

We collect your personal data directly when you enter your details online via a web portal which may also include the branding of an insurance broker local to you in your Caribbean Territory. Your personal data is entered by you directly onto a platform which is controlled by us.

How and why we use personal data

Under Data Protection Legislation, we can only use personal data if we have a legal basis for doing so. Our legal bases for collecting your personal data are for the performance of our contract with you or to take steps before entering into a contract with you, and to comply with our legal and regulatory obligations.

This does not apply to special category personal data, which we do not anticipate that we will process. Should this situation change, we will update this Privacy Notice.

Promotional communications

We will always treat personal data with the utmost respect and never sell it to other organisations for marketing purposes.

Who we share personal data with

We share personal data with our retained external third party service providers, such as Amazon Web Services for data storage; Stripe and Vitesse PSP Ltd. for premium collection and payments; Shufti Pro for mandatory ID verification; and a weather data provider for claim assessments.

We only allow our retained external third parties to handle personal data if we are satisfied they take all appropriate measures to protect all personal data and only on our written instructions.

In addition, we may share some personal data with one or more insurance syndicates at Lloyd's of London, so that risk may be placed with them and eventual claims paid to you, and with certain insurers and insurance brokers local to you. We may also share certain personal data with the Corporation of Lloyd's as part of their supervision and oversight of the insurance market.

We may very occasionally disclose and exchange information with regulatory bodies to comply with our legal and regulatory obligations.

Where personal data is held

Personal data is kept securely on encrypted servers in Amazon Web Services Dublin EU, managed by McCosh Holdings Limited staff.

Keeping personal data secure

The privacy and the security of personal data is our utmost priority, and we recognise our obligation to keep it secure and private. We have put in place industry-leading security practices to prevent personal data from being accidentally lost or used or accessed unlawfully. All data is encrypted in transit between You and Us as well as when stored in our databases. All servers are SSL enabled. Decryption keys are managed securely and information is retained within a single, secure Virtual Private Cloud. We use SHA256 and TLS 1.3 for encryption.

How long personal data will be kept

We will retain credit card and bank information of insured data subjects for the duration of our contractual relationship with those insured and for a period of six [6] years following termination of that contract as required by our legal and regulatory obligations.

When it is no longer necessary to retain personal data, we will delete it.


All data subjects have the following rights, which can be exercised free of charge:

Access: The right to be provided with a copy of personal data held on a data subject
Rectification: The right to require us to correct any mistakes in a data subject’s personal data
To be forgotten: The right to require us to delete personal data, in certain situations
Restriction of processing: The right to require us to restrict processing of certain personal data, in certain circumstances, e.g. if the accuracy of the data is contested
Data portability: The right to receive the personal data provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party, in certain situations
To object: The right to object:

  • at any time to personal data being processed for direct marketing (including profiling);
  • in certain other situations to our continued processing of personal data, e.g. processing carried out for the purpose of our legitimate interests

Not to be subject to automated individual decision-making: The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning a data subject
To withdraw consent: The right to withdraw consent as a legal basis for processing, at any time

For further information on each of those rights, including the circumstances in which they apply, please contact us or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under Data Protection Legislation.

To exercise any of those rights, please contact us (see ‘How to contact us’ below).


A cookie is a text file containing a small amount of data which is downloaded to your computer when you first visit our website. Some cookies are essential to enable you to move around our website and use its features. They also help us arrange the content and layout of our website and recognise those computers that have been to our website before. These are known as Analytical or Functionality cookies. They do not “push” advertising to your computer.

You may choose to remove or to block cookies at any time by adjusting your browser settings. To learn more about cookies including how to manage or delete them, visit

How to complain

We hope that we can resolve any query or concern raised about our use of personal information.

Data Protection Legislation also gives the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner who may be contacted at or telephone: 0303 123 1113.

Changes to this privacy policy

We may change this privacy policy from time to time; when we do, we will inform data subjects by the most appropriate means.

How to contact us

We can be contacted by post or email. Our mailing address is at the top of this Privacy Notice.

Our email address is:

For all data subject rights, please contact:

Last updated: October 2021