Last updated March 2021.
We are committed to protecting your privacy when dealing with your personal information. This privacy and cookie notice provides details about the information we collect about you, how we use it and how we protect it. It also provides information about your rights. For more information on this, please read the ‘Your rights’ section below. The information we process, and the reasons why we process it, may be different across our products and services. For example, the information we process to provide insurance services may be different to the information we process to provide dental or care-home services. We explain any differences in this privacy and cookie notice.
If you have any questions about how we handle your information, please contact us at firstname.lastname@example.org.
We (British United Provident Association Limited or Bupa) are registered with the Information Commissioner’s Office, registration number Z6831692. Bupa is made up of a number of trading companies (see Legal Notices), many of which also have their own data-protection registrations.
In this privacy notice, ‘we’, ‘us’ and ‘our’ mean Bupa. Visit https://www.bupa.co.uk/legal-notices/trading-addresses to find out more.
Depending on which of our products and services you ask us about, buy or use, different companies within our organisation will process your information. Visit https://www.bupa.co.uk/legal-notices/trading-addresses to find out more about the companies that handle your information based on the products and services you access or use.
This privacy notice applies to anyone who interacts with us about our products and services (‘you’, ‘your’), in any way (for example, by email, through our website, by phone, through our app). We will give you further privacy information if necessary for specific contact methods or in relation to specific products or services. For example, if you use our apps we may give you privacy notices which apply just to a particular type of information which we collect through that app.
If you have any questions about this, please contact us at email@example.com.
We collect personal information from you and from third parties (anyone acting on your behalf, for example, brokers, health-care providers and so on). Please see below for more information.
Where you provide us with information about other people, you must make sure that they have seen a copy of this privacy notice and are comfortable with you giving us their information.
We collect personal information from you:
We also collect information from other people and organisations.
For all our customers, we may collect information from:
If we provide you with insurance products and services, we may collect information from:
If we provide you with health-care, dental or care-home services, we may collect information from:
For all our services, we process the following categories of personal information about you and (where this applies) your dependants:
For more information about these categories of information, see below.
Standard personal information includes:
Special category information includes:
We process your personal information for the purposes set out in this privacy notice. We have also set out some legal reasons why we may process your personal information (these depend on what category of personal information we are processing). We normally process standard personal information if this is necessary to provide the services set out in a contract, it is in our or a third party’s legitimate interests or it is required or allowed by any law that applies. Please see below for more information about this and the reasons why we may need to process special category information.
By law, we must have a lawful reason for processing your personal information. We process standard personal information about you if this is:
We process special category information about you because:
We may process information about your criminal convictions and offences (if any) as a result of anti-fraud and anti-money-laundering checks or to check other unlawful behaviour or carry out investigations with other insurers and third parties for the purpose of detecting fraud. We do this if it is necessary to prevent or detect a crime.
We process your personal information for a number of legitimate interests, including managing all aspects of our relationship with you, for marketing, to help us improve our services and products and in order to exercise our rights or handle claims. More detailed information about our legitimate interests is set out below.
Taking into account your interests, rights and freedoms, legitimate interests which allow us to process your personal information include:
We may use your personal information to send you marketing by post, by phone, through social media, by email and by text.
We can only use your personal information to send you marketing material if we have your permission or a legitimate interest as described above.
If you don’t want to receive emails from us, you can click on the ‘unsubscribe’ link that appears in all emails we send. If you don’t want to receive texts from us you can tell us by contacting us at any time. Otherwise, you can always contact us by email to update your contact preferences.
You have the right to object to direct marketing and profiling (the automated processing of your information to help us evaluate certain things about you, for example, your personal preferences and your interests) relating to direct marketing. Please see the section about your rights for more details.
Like many businesses, we sometimes use automation to provide you with a quicker, better, more consistent and fair service, and marketing information we think will be of interest to you (including discounts on our products and services). This will involve evaluating information about you and, in some cases, using technology to provide you with automatic responses or decisions (automated decisions). You can click below for more information about this.
You have the right to object to direct marketing and profiling relating to direct marketing. You may also have the right to object to other types of profiling and automated decision-making set out below. In these cases, you have the right to ask us to make sure that one of our advisers reviews an automated decision, to let us know how you feel about it and to ask us to reconsider the decision. You can contact us to exercise these rights.
By law, we must tell you about:
This is because you have certain rights relating to both automated decision-making and profiling. You have the right to object to profiling relating to direct marketing. If you do this, we will no longer carry out profiling for direct marketing purposes. You also have the right to object to profiling in other circumstances set out below.
When we make decisions using only automated processing which produce legal effects which concern you or which have a significant effect on you, we will let you know. You then have 21 days to ask us to reconsider our decision or to make a new decision that is not based only on automated processing. If we receive a request from you, within 21 days of receiving your request, we will:
You can contact us to ask about these rights. For more information on all your rights, please read the ‘Your rights’ section below.
Profiling and automated decision-making
The processes set out below, which only apply to our insurance products and services, involve both profiling and automated decision-making.
For all our services, the processes set out below involve profiling.
Sharing your information
We share your information within the Bupa group of companies, with relevant policyholders (including your employer if you are covered under a group scheme), with funders arranging services on your behalf, with people acting on your behalf (for example, brokers and other agents) and with others who help us provide services to you (for example, health-care providers and medical-assistance providers) or who we need information from to allow us to handle or confirm claims or entitlements (for example, professional associations). We also share your information in line with the law. For more information about who we share your information with, please see below.
We sometimes need to share your information with other people or organisations for the purposes set out in this privacy notice. The exact information we share depends on the reason we are sharing it. For example, if we need to share information in order to provide health care, we will share special categories of information, such as medical details, with the treatment provider.
For all our customers, we share your information with:
If we provide insurance or manage a health-care trust, we share your information with:
If we provide health-care, dental and care-home services, we share your information with:
If we share your personal information, we will make sure appropriate protection is in place to protect your personal information in line with data-protection laws.
We support ethically approved clinical research. We may use anonymised information (with all names and other identifying information removed) or information that is combined with other people’s information, or reveal it to others, for research or statistical purposes. You cannot be identified from this information and we will only share the information in line with legal agreements which set out an agreed, limited purpose and prevent the information being used for commercial gain.
We work with companies that we partner with, or that provide services to us (such as health-care providers, other Bupa companies and IT providers) that are located in, or run their services from, countries across the world. As a result, we transfer your personal information to different countries including transfers from within the UK to outside the UK, and from within the EEA (the EU member states plus Norway, Liechtenstein and Iceland) to outside the EEA, for the purposes set out in this privacy notice.
We take steps to make sure that when we transfer your personal information to another country, appropriate protection is in place, in line with global data-protection laws.
We keep your personal information in line with set periods calculated using the following criteria.
If you would like more information about how long we will keep your information for, please contact us at firstname.lastname@example.org.
You have the right to access your information and to ask us to correct any mistakes and delete and restrict the use of your information. You also have the right to object to us using your information, to ask us to transfer information you have provided, to withdraw permission you have given us to use your information and to ask us not to use automated decision-making which will affect you. For more information, see below.
You have the following rights (certain exceptions apply).
Please note: Other than your right to object to us using your information for direct marketing (and profiling for the purposes of direct marketing), your rights are not absolute. This means they do not always apply in all cases, and we will let you know in our correspondence with you how we will be able to meet your request relating to your rights.
If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. We have 21 days to respond to requests relating to automated decisions. For all other requests we have one month from receiving your request to tell you what action we have taken.
In order to exercise your rights please contact email@example.com.
If you have any questions, comments, complaints or suggestions relating to this notice, or any other concerns about the way in which we process information about you, please contact our Privacy Team at firstname.lastname@example.org. You can also use this address to contact our Data Protection Officer.
You also have a right to make a complaint to your local privacy supervisory authority. Our main establishment is in the UK, where the local supervisory authority is the Information Commissioner:
Information Commissioner’s Office
Cheshire, United Kingdom
Phone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)
You can also make a complaint with another supervisory authority which is based in the country or territory where:
When you use our sites, we and third-party companies collect information by using cookies and other technologies such as pixel tags (for simplicity we refer to all such technologies as ‘cookies’). A cookie is a text file containing small amounts of information which a server may download to your computer, mobile or tablet when you visit a website or use an app. A pixel tag (sometimes called a web beacon) is an invisible image with a line of code which is placed within an email message or on a web page.
There are different types of cookies which are used to do different things. These include letting you navigate between different pages on a website efficiently, remembering preferences you have given and helping us to identify ways to improve your overall site experience. Others are used to provide you with advertising, which is more tailored to your interests, or to measure the number of site visits and the most popular pages. To find out more about cookies visit aboutcookies.org or allaboutcookies.org.
To help you understand the different types of cookies we use on this website and what they do, we have grouped cookies into four categories as described in the ‘Cookies used on our sites’ section below. To see the cookies used on this site that fall into these categories, to control the types of cookies used and to see how long the cookies last, please use our cookies management tool.
The cookies used on this site do not collect directly identifiable personal information such as name, address, email address etc. However, certain cookies may collect information which relates to a unique ID or another identifier which, when combined with other information, allows a profile to be created. This profile is used to target adverts to your interests. This ad personalisation is explained in more detail in the section below.
We have grouped the cookies used on our sites into four categories as set out below. As well as the cookies we use, we work with third-party companies who place cookies on your device. For a list of third parties we use, please see our cookies management tool. Please note that the data they collect may also be subject to their privacy policies.
When working with third-party companies we take steps to protect your data. For example, we place contractual limits on how data collected about people using our services is used and we regularly audit our sites to make sure only cookies we have authorised are being used.
These cookies let you move around the website and use essential features such as accessing secure areas of the website and identifying you as being logged in. These cookies don’t gather any information about you that could be used for marketing or remembering where you’ve been on the internet. As these cookies are necessary for the correct functioning of our website, you are unable to control their use from within the cookies management tool.
These cookies collect information about how visitors use our websites including details of the site where the visitor has come from (e.g. referring domains, search engines, marketing campaigns), pages viewed, the site path of the visitor, which content visitors are clicking on, which products visitors are interested in and purchase and the total number of times a visitor has been to our website.
We use the information to improve our website and enhance the experience of its visitors. We may share this information with analytics and search engine providers that assist us in the improvement and optimisation of our site.
These cookies allow our websites to remember choices you make (such as your username, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
These cookies are used to collect information about your browsing habits to deliver advertising more relevant to you and your interests. The personalisation of ads may be based on data collected about your use of our services (for example what pages you visit) and other data attributed to you by the ad platform. These include data points such as interests, age, gender and similar statistical characteristics inferred from internet browsing or marketing data that an advertiser holds about you.
To personalise our advertising and web experiences, unique identifiers such as an ID stored by a Cookie, or a Mobile Ad ID are used to help create an ad profile. These are unique codes set on your device’s mobile operating system. Data that identifies you directly, such as name, mobile number or email address is not collected by the cookies or used for the purposes of advertising.
We work with carefully selected partners to show both personalised and non-personalised ads. These partners include advertising agencies and tech platforms who perform data analysis to enable personalised ad delivery and tracking. These companies may also use data collected from cookies dropped by other websites you have browsed on your device. This enables the display of ads based on your browsing behaviour, which may mean the ads you see are more relevant to your interests. This can also help to limit the frequency of adverts you see across the internet if you have already seen a particular ad.
These partners may use a process called cookie syncing to process data from other sources, including your browsing of other websites, to infer what type of ad might interest you. This activity is performed by matching the cookie ID assigned to your device with another cookie ID likely attributable to you but held in a different database. To find out more about how ad personalisation works please visit https://www.youronlinechoices.com/