HelloSafe

Compliance & regulation

Distribute travel insurance without carrying the FCA authorisation

HelloSafe is an independent marketplace: we compare policies from FCA-authorised insurers and brokers, and we never sell or underwrite a policy ourselves. The advice, the regulatory documents, claims and complaints sit with our insurer partners. You keep the client relationship and the commission.

The distribution model

Who does what, exactly

Three roles, three sets of responsibilities. The regulated activity never sits with you, and it never sits with HelloSafe either.

You: the partner

You recommend and route: tracked links, widget, white-label or API. You follow the marketing rules and keep your client relationship.

  • Promote with the kit and your own content
  • Route travellers to the comparison or the checkout
  • No advice obligations, no regulatory documents

HelloSafe: the marketplace

HelloSafe compares policies and connects travellers to FCA-authorised insurers and brokers. We never sell or underwrite a policy ourselves; the regulated sale happens with our insurer partners.

  • Comparison, routing and a multilingual journey
  • Policy documents and required disclosures come from the insurers
  • Claims path and complaints handling sit with the insurer

Insurers: the risk carriers

FCA-authorised insurers such as Aviva, Zurich and Europ Assistance, and their appointed brands, underwrite the policies compared on HelloSafe. We distribute independently, with no exclusive agreements.

  • Underwriting and policy risk
  • Assistance networks on the ground
  • Disclosed rankings, disclosed commissions

Authorisation by integration mode

Do you need an FCA authorisation? No

Whatever the integration depth, the regulated insurance distribution stays with our FCA-authorised insurer partners. The only thing that changes is how the journey is embedded.

Links & widget

You refer, nothing more

Tracked links and the comparison widget route to HelloSafe's journey. You never collect insurance data, so no FCA registration is required on your side.

White-label

Our journey, your brand

Quote and checkout run on HelloSafe's marketplace, in your colours. The FCA-authorised insurers, the policy documents and the support remain theirs.

API

Your UI, our rails

Even with quotes rendered in your interface, binding happens with the FCA-authorised insurer, with the regulatory documents issued by them. Your product stays a product, not a brokerage.

Insurance distribution rules apply across the UK. Every partner is reviewed at signup: we flag anything specific to your setup before you go live.

Data & privacy

Private by default

The programme keeps personal data where it belongs: with the traveller and the insurer, not scattered across your systems. We follow UK GDPR and the Data Protection Act 2018, under the Information Commissioner's Office (ICO).

Privacy by design

Consent-first analytics, minimal collection and documented processing, from the click to the certificate.

No card data on your side

Payment runs on HelloSafe's hosted checkout. Card numbers never touch your stack: your PCI surface stays at zero.

Reporting without PII

Your dashboard works on clicks, quotes, sales and Sub-IDs. You receive neither identity documents nor insurance policy files.

Scoped, revocable access

API keys are scoped per caller and revocable one by one. Access to conversion data follows the same boundaries.

Fraud & integrity

An attribution chain you can audit

Commissions only move on signed, verified events. The controls that protect HelloSafe protect your revenue too.

Signed postbacks

Every conversion is signed with a per-caller HMAC-SHA256 key and rejected outside a 5 minute replay window.

Ownership guards

A ref must match the link's real owner. Forged or mismatched refs are refused, never silently accepted.

A strict state machine

pending, validated, cancelled: forbidden transitions return an error instead of overwriting the ledger.

Ceilings and audit trails

Per-conversion amount ceilings, FX rates frozen at ingest and an auditable trail on every state change.

Read the API security model →

Marketing rules

Promote hard, promote clean

The programme protects travellers and partners alike. The rules fit in two lists.

What works

  • Your own content, comparisons and reviews
  • The partner kit: banners, badges and approved brand mentions
  • Deep links, Sub-IDs and the embeddable widget
  • Newsletters, social posts and client messages (with consent)

What gets accounts closed

  • Bidding on the HelloSafe brand in paid search
  • Misleading claims about prices or cover
  • Unsolicited messaging and spam
  • Cashback mechanics and forced browser extensions

Compliance, in questions

What partners check before they sign.

Do I need an FCA authorisation to join the programme?

No. HelloSafe is an independent marketplace and never sells or underwrites insurance itself. Our FCA-authorised insurer and broker partners carry the regulated distribution. You recommend and route; the regulated sale happens on their side.

Who handles claims and complaints?

The insurer, alongside HelloSafe as the marketplace. The traveller gets a dedicated support path and a formal complaints process with the insurer. Your role ends at the recommendation, and your dashboard keeps the commission visible.

Do my systems ever touch card data?

No. Payment runs on HelloSafe's hosted checkout. Your stack never sees a card number, which keeps your PCI exposure at zero.

What personal data do I receive as a partner?

Practically none. Reporting is built on clicks, quotes, sales and the Sub-IDs you define. Identity documents and policy files stay between the traveller, HelloSafe and the insurer.

Is the white-label journey compliant too?

Yes. White-label changes the brand on the journey, not who carries the regulated activity. Regulatory documents, advice obligations and support remain the FCA-authorised insurer's responsibility.

Which marketing practices are prohibited?

Brand bidding on HelloSafe in paid search, misleading claims, spam, cashback mechanics and unsolicited extensions. The full list ships with the programme terms; accounts that cross it are closed.

Which countries can my audience be in?

Cover spans 190+ destinations, and one link routes each visitor to the journey localised for their market. At signup we review your audience and flag anything specific to your setup.

A compliance question we didn't cover? Contact us

No FCA authorisation needed, full speed

Distribute insurance, skip the brokerage

Tell us where your audience is and how you want to integrate. We confirm the compliant path for your setup within 24 hours.