Privacy notice
Summary of changes
This privacy notice is reviewed at least annually and was last updated in May 2026. We have made several updates, summarised below:
- Updating the section entitled “Who processes your personal information” to provide you with more information about who the controller of your data is depending on the service or product you have purchased or the provider with which you have interacted.
- Explaining in the section entitled “Collecting and sharing your personal information” that your personal information may be shared with third party administrators where you have purchased a global insurance policy
- Explaining in the section entitled “Marketing” where we may use your personal information for digital marketing purposes and how you may opt out of us doing so
We are committed to protecting and using your personal information responsibly.
If you have any questions about our privacy notice, please email [email protected]
Privacy notice sections
Who this notice is for
This privacy notice is for:
- anyone who buys, uses or contacts us about our products and services including our customers, patients and residents
- people who work with Bupa, such as intermediaries or suppliers (but not our employees or healthcare professionals)
- anyone who accesses our website at www.bupa.co.uk.
We have alternative privacy notices for visitors and relatives of residents in our care homes and retirement villages, and healthcare professionals. Please contact us if you would like a copy.
About us
Who we are
We are a healthcare organisation offering a wide range of services to support our customers’ health. When we say ‘Bupa’ in this notice, we mean one or more of our businesses within Bupa UK and Ireland, Bupa Global and Bupa Group:
- Bupa UK and Ireland means the Bupa companies that provide clinical and specialist primary care, dental, elderly care, hospital and specialist diagnostics services as well as health insurance services to customers based in the UK and the Republic of Ireland.
- Bupa Global provides international private medical insurance to customers globally.
- Bupa Group sets policy and standards for Bupa's businesses globally.
Who processes your information?
Depending on the services that you use or interact with, you may deal with one or more companies within Bupa. The company that decides the information that we need to collect from you and how and why we use that information is known as the data controller. There may be more than one data controller of your information, as set out below:
Insurance products in the UK
If you purchase an insurance product that provides you with cover in the UK, the controllers of your data will be Bupa Insurance Limited which is our insurance provider, as well as Bupa Insurance Services Limited which arranges and administers our insurance policies.
Insurance products from Bupa Global
If you have purchased insurance from Bupa Global, the controller of your data will be one of our Bupa Global entities listed here.
If you live in our care homes
If you reside in one of our care homes, the controller of your data will be Bupa Care Homes (ANS) Ltd. If you are a resident in one of our retirement villages, use our wellness spas or otherwise interact with Richmond Villages, the controller of your data will be Richmond Villages Operations Limited.
If you receive specialist treatment
If you receive specialist treatment (for example involving advanced diagnostics or treatment for more complex conditions), the data controller will be as set out below:
- Bupa Health Care Canary Wharf or King Edward VII’s Hospital:
Controller - Bupa Diagnostics and Secondary Care (London) Ltd. - New Victoria Hospital:
Controller - Bupa NVH Limited. - Basinghall Clinic or Cromwell Hospital:
Controller - Medical Services International Limited. - London Medical:
Controller - Metabolic Services Limited.
If you receive dental treatment
If you receive dental treatment from or otherwise interact with one of our Bupa dental clinics in the UK (including Bupa Dental Care, Total Orthodontics, Platinum Practices, Total Dental Care Implant Centres or Grosvenor House Orthodontic Practice) or at Bupa Health Care Canary Wharf, the controller will be Oasis Dental Care Limited.
If you receive dental treatment from or otherwise interact with one of our dental clinics in the Republic of Ireland (including Smiles Dental, ORTHO, Dental Excellence, Gate Dental Clinic and Quay Dental), the controller of your data will be Xeon Dental Services Limited.
Primary care services, Genomics products or Health subscription products
If you use our primary care services (including remote GP appointments, health assessments, dermatology, mental health support services such as Mindplace, and physiotherapy), or if you use our genomics products or purchase a health subscription product or service, Bupa Occupational Health Limited will be the controller of your personal data. The exception to this is our Bupa Well + Silver product, in respect of which the controller is Bupa Insurance Services Limited.
Central and Digital Services
In addition, Bupa Insurance Services Limited provides central and digital services for the benefit of all our customers and processes your personal data as a controller to provide those services. The services ensure you benefit from a holistic, joined up approach when interacting with Bupa. They include provision of the Bupa website and the My Bupa app; collating and linking your information and data across Bupa entities (where appropriate and lawful for us to do so) to enable us to provide you with connected care and services; and providing you with health and wellbeing resources and tools. Where Bupa Insurance Services Limited processes your personal data to provide these services, it does not replace any other Bupa entity you may have interacted with as controller of your data, although it may sit alongside them as a separate controller.
More information about the ways in which Bupa Insurance Services Limited has access to and processes your personal data within the My Bupa app is set out in the My Bupa terms and conditions, available within the app.
How we collect your personal information
From you
We collect your personal information from you when you get in touch with us:
- by phone, where we may record or monitor phone calls for quality assurance and to make sure we’re keeping to legal rules, codes of practice and internal policies
- by email
- through our websites, including webchats and virtual assistants
- through our apps
- by using our products and services
- by post
- by completing an application or other form(s)
- by entering competitions
- through social media
- face to face, for example during treatment
Third parties
We also collect information about you from third parties. Find out more about how we collect and share your personal information.
What personal information we collect
Basic personal data
Name, age, gender, marital status, and date of birth.
Contact
Username, address, email address, phone numbers, next of kin and emergency contacts.
Residency
The country you live in and national identifiers such as national insurance or passport number.
Communication
Details of any contact we have had with you, including audio recordings of phone calls, written complaints, survey responses and feedback.
Customer details
Patient ID, insurance details such as membership or registration number and nominated dependants
Financial details
Payments and bank account details.
Employment details
Your role and the company you work for if your employer pays for your insurance, scheme or treatment
CCTV
Footage captured on our premises.
Criminal convictions and offences
Your criminal offences and convictions, collected when carrying out anti-fraud or anti-money-laundering checks, or other background screening checks to prevent crime
Behavioural and usage information
How you use and access our digital services such as the MyBupa app and our websites
Technical
The devices and technology you use, website browser settings, and IP addresses
Special category information
Health Data
Information about your physical or mental health, including genetic information. We may get this information from:
- application forms
- claims and pre-authorisations
- notes and reports about your health and any treatment and care you’ve received or need
- notes from calls and other communications you’ve had with us
- referrals from your existing insurance provider or GP quotes
- quotes
- records of medical services and treatment you’ve received
Other special category information
Information about your:
- race and ethnicity
- religious or philosophical beliefs
- biometric information for identify verification purposes
- sex life and sexual orientation
How we use the personal information we collect
Under data protection laws, we can only process your information if we have a legal reason (known as a ‘lawful ground’) for doing so:
- Basic personal details
- Contact
- Communications
- Residency
- Customer details
- Financial details
- Employment details
- Special category information
- Behavioural and usage information
- Technical
- It’s necessary to provide the services set out in a contract we have entered into with you
- It’s required or allowed by law
- We have a legitimate interest to:
- a. deliver our products and services
- b. tailor the delivery of our products and services to your specific needs and interests
For special category information
- It’s necessary for health or social care purposes such as:
- preventive or occupational medicine
- medical diagnosis
- providing healthcare or treatment
- providing social care
- managing healthcare or social care systems or services
- With your consent (if required)
- When it's in your vital interests
- Basic personal details
- Contact
- Communications
- Residency
- Customer details
- Financial details
- Employment details
- Special category information
- Behavioural and usage information
- Technical
- It’s necessary to provide the services set out in a contract we have entered into with you
- It’s required or allowed by law
- We have a legitimate interest to:
- a. manage our relationship with you, our business and third parties
- b. deliver our products and services
- c. tailor the delivery of our products and services to your specific needs and interests
- d. communicate with our customers and business partners
- e. process insurance claims and collect money owed to us
For special category information
- It’s necessary for insurance purposes, such as:
- advising on, arranging, providing or managing an insurance contract
- dealing with a claim made under an insurance contract
- exercising our rights and meeting our responsibilities relating to an insurance contract or insurance law;
- audit, quality assurance and clinical governance.
In those cases we have determined that our processing is necessary for reasons of substantial public interest
- With your consent (if required)
- When it’s in your vital interests
- Basic personal details
- Contact
- Communications
- Residency
- Customer details
- Financial details
- Employment details
- Special category information
- Criminal convictions and offences
- Behavioural and usage information
- Technical
- It’s required or allowed by law
- We have a legitimate interest to:
- a. manage our relationship with you, our business and third parties
- b. resolve issues and answer questions about our products and services
- c. investigate and respond to complaints
- d. monitor how well we are meeting our clinical and non-clinical performance expectations
- e. protect the public against dishonesty, malpractice or other seriously improper behaviour
- f. manage a claim where a third party may be at fault
- With your consent (if required)
- Basic personal details
- Contact
- Communications
- Residency
- Customer details
- Financial details
- Employment details
- Criminal convictions and offences
- Behavioural and usage information
- Technical
- It’s required or allowed by law
- We have a legitimate interest to:
- a. detect and prevent fraud and financial crime
- b. ensure compliance with our terms and conditions and policies
- Basic personal details
- Contact
- Residency
- Customer details
- Employment details
- Behavioural and usage information
- Technical
- It's required or allowed by law
- We have a legitimate interest to:
- confirm that you’re an employee of the company that is paying for the product or service you’re using
- confirm you’re an employee of a business we’re purchasing products or services from
- identify you when you access our digital services and websites
- identify if you were redirected to our websites through an advert or referral link
- identify identify if you are under the age of 16
- identify fraud and fraudulent activity
- keep your records up to date
- Basic personal details
- Contact
- Residency
- Customer details
- Financial details
- Employment details
- It’s necessary to provide the services set out in a contract
- It’s required or allowed by law
- We have a legitimate interest to:
- a. take payment and charge for our products and services
- b. review invoices and make payments
- Basic personal details
- Contact
- Communications
- Behavioural and usage information
- Technical
- We have a legitimate interest to:
- a. market to our customers and prospective customers if they’ve shown an interest in us
- b. request feedback from customers and people we work with
- c. adhere to your contact and marketing preferences and to carry out automated decision making and profiling where appropriate (see section below entitled ‘cookies, AI, analytics and profiling’ for details on this)
- d. operate cookies on our websites and undertake other tracking to personalise our marketing activities
- e. develop and run tailored marketing
- With your consent (if required)
- Basic personal details
- Contact
- Communications
- Behavioural and usage information
- Technical
- Special category information
- We have a legitimate interest to:
- a. personalise your access to our digital services such as the MyBupa app
- With your consent (if required), including where we use your special category information to achieve our purposes
- Basic personal details
- Contact
- Communications
- Residency
- Financial details
- Employment details
- Special category information
- Behavioural and usage information
- Technical
- We have a legitimate interest to:
- a. undertake statistical research and analytics (see ‘cookies, AI, analytics and profiling’ for details on this)
- b. understand our customers and the people we work with
- c. understand more about our products and services, and how to improve them
- With your consent (if required)
- Basic personal details
- Contact
- Residency
- Special category information
- Customer details
- Behavioural and usage information
- Technical
- CCTV Footage
- It’s required or allowed by law
- We have a legitimate interest to:
- a. secure our systems and digital services
- b. make sure we’re only providing and working with products and services in permitted locations
- c. exercise our rights and defend ourselves from legal claims
- Basic personal details
- Contact
- Customer details
- Personal information shared with us during a phone call or other method of communication, such as webchat and email
- Special category information
- We have a legitimate interest to:
- a. monitor phone calls to us for training and to review the quality of our services
- b. review online and email exchanges between you and us for training and to review the quality of our services
- It’s required or allowed by law
- Where our use of personal data, including special category information is for scientific research including research designed to improve understanding of health treatment or outcomes, improve diagnoses and develop technologies as well as AI training, validation and testing
- When our use of special category data is necessary for the management of healthcare systems
- With your consent (if required)
When we need your consent to process your personal information
We will only ask you for consent to process your personal information if there’s no other legal reason to process it, or we think it’s appropriate to do so.
We always tell you when we need it
We will tell you when we need your consent and ask you for it. If we can’t provide a product or service without your consent (for example, we can’t process health insurance claims without health information), we’ll make this clear when we ask for it.
You can always change your mind
If you later withdraw your consent, we will be unable to provide you with any product or service that relies on us having your consent to process your personal information. This will not affect our provision of products or services to you prior to you withdrawing your consent.
When we use anonymised information
Anonymised information is information from which you are no longer identified or identifiable because all names and other information that could identify you, such as a membership or registration number or IP address, have been removed. We use it for example:
- to support clinical research
- for research and statistical purposes
- to help us train our people
- to undertake analytics that help us understand more about our business and make decisions. You’ll find more on this in the analytics section of this privacy notice.
We always make sure we have a lawful basis for converting your personal data into anonymised information.
Collecting and sharing your personal information
Sometimes we need to collect your information from, or share it with, other people or organisations. We share as little of your information as possible, and only for specific purposes.
We have processes in place to make sure that your information is protected when we share it with third parties. If you are sharing someone else’s personal information with us, please make sure they have seen this privacy notice and are comfortable with you giving us their information.
You can view the types of third parties with which we collect and share information, and our reasons for doing so below. We may also disclose your personal information to other third parties if we are required or permitted to do so by law.
Description
- Our affiliated companies, listed at Bupa Legal Notices and Bupa Global Legal Notices
What we do
- We collect information from them
- We share information with them
Our reasons
- Deliver our products and services to you
- Provider you with personalised healthcare and services
- Send you communications about products and services that might interest you
- Provide you with digital services including our Bupa website and the MyBupa app
- Undertake statistical research and analysis to understand more about our products and services and how to improve them
- Understand and improve clinical outcomes for our customers
- Product and service development
- Fraud prevention and detection
- Report on business activity and success
- Enable us to deliver a seamless experience across Bupa, and give you easy access to products and services across our businesses
Description
You have given us consent to speak to a third party on your behalf, such as a family member, solicitor, or a person acting through a Power of Attorney.
What we do
- We collect information from them
- We share information with them
Our reasons
- Deliver our products and services to you
- Manage our relationship with you
- Set you up as a customer
- Meet our regulatory obligations or comply with legal requests or legal claims
- Manage complaints, claims or individual rights requests
Description
- You are under a group insurance scheme or health trust, or your employer is paying for our services
- You are working with us in a professional capacity as a business partner
What we do
- We collect information from them
- We share information with them
Our reasons
- Product or service administration
- Transfer to a new service provider
- Set you up as a customer
- Manage our relationship with your employer
- Process and validate invoices, and make or receive payments
Description
- Doctors, clinicians and other healthcare professionals
- Hospitals and clinics
- Dental laboratories
- Medical laboratories
- Individuals or organisations who pay for your care
- Patient record databases such as the NHS’s GP Connect or the Northern Ireland Electronic Care Record.
What we do
- We collect information from them
- We share information with them
Our reasons
- To enable healthcare providers to provide treatment and healthcare services, and to enable you to receive it
- To provide our healthcare professionals with access to the information they need to make informed clinical decisions (e.g. when prescribing medications)
- To process and validate invoices and make or receive payments
- To investigate complaints, claims and possible fraudulent activity
Professional associations our consultants belong to or are regulated by, including but not limited to:
- Care Quality Commission
- General Medical Council
- General Dental Council
- The Health and Care Professions Council
- Responsible Officer
What we do
- We collect information from them
- We share information with them
Our reasons
- For safeguarding purposes
- Investigate complaints and clinical incidents
- Monitor quality and performance
Description
- Health insurance counter-fraud groups
- Financial crime screening services
What we do
- We collect information from them
- We share information with them
Our reasons
- Detect and prevent fraud
- Meet our regulatory and legal obligations
Description
- Debt collection agencies we engage to act on our behalf
What we do
- We collect information from them
- We share information with them
Our reasons
- Recover money owed to us
Description
- Potential buyers or sellers of businesses and assets we’re buying or selling
- Third parties that assume responsibility for Bupa
What we do
- We collect information from them
- We share information with them
Our reasons
- Enable the third party to take over our business activities
- Support the third party’s decision making and processes to buy our business
Description
- Solicitors, auditors, actuaries and tax advisors
- Translators and interpreters
What we do
- We share information with them
Our reasons
- Support us to manage our business and meet our regulatory obligations
- Gain advice on business decisions and strategy
Description
- Government and their agencies
- Law enforcement agencies, like the Police
- Authorities and regulators such as the Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA)
- Data protection supervisory authorities
- HM Courts and Tribunals Service
What we do
- We share information with them
Our reasons
- Comply with our legal and regulatory obligations
- Protect our rights and defend ourselves against claims
Description
- Electoral register
- Information about you on social media
- For our business partners, public sources that include professional information about you
What we do
- We collect information from them
Our reasons
- Validate and update our records
- Understand how our customers and business partners have reviewed or discussed us or our competitors online
- Check our business partners are legitimate, of good standing and quality, and investigate possible fraudulent activity or complaints
Description
We put measures in place to ensure that our suppliers process your personal information fairly and in line with our expectations. We use the types of suppliers listed below:
- IT service providers: Cloud storage, databases and data repositories, practice management systems, customer relationship management systems (CRM), communication and phone software, back-up solutions, network security and monitoring solutions and other ‘software as a service’ providers
- Marketing, sales and business development: market and customer research consultants, social media platforms and marketing and digital marketing agencies, data set and contact list providers
- Customer service support: outsourced support with customer communication and servicing, including translation
What we do
- We share information with them
Our reasons
- Help us run our business
- Manage our relationship and communicate with you
- Provide our products and services to you
- Understand our customers and market to them – please see more information in the Digital Marketing section below
- Identify and communicate with people that might be interested in our products and services
- Grow our business and keep our customers
Description
We use embedded content on our website from third party providers. These providers may collect information about your use of the embedded content and your interaction with it.
What we do
- We share information with them
Our reasons
- So we can display content from third party providers, including YouTube, on our website
Description
- Main policyholder, if you are a dependant under an insurance policy
What we do
- We collect information from them
- We share information with them
Our reasons
- Manage our relationship with you and the policyholder
- Issue invoices, requests and take payment
Description
- Insurance brokers
- Your agents
- Other intermediaries
What we do
- We collect information from them
- We share information with them
Our reasons
- Confirm you are entitled to claim discounts on our products and services
- Manage our relationship with you through your broker or agent
- Discuss purchase, renewal and availability of our products and services through your broker and agent
- Set you up as a customer or business partner
Description
- Other health and benefit insurers
- Reinsurers
What we do
- We collect information from them
- We share information with them
Our reasons
- Set you up as a customer
- Support you to transfer to a new insurer
- Manage and settle claims that are a third party’s fault
- If reinsurance is necessary
Description
- Evacuation or repatriation providers
What we do
- We collect information from them
- We share information with them
Our reasons
- To arrange evacuation or repatriation
Description
- Local authorities, social services, and other public sector bodies
- Commissioners and embassies
- HM Courts and Tribunals Service
What we do
- We share information with them
Our reasons
- Enable the third party to pay for the services we’re providing to you
- Comply with our legal and regulatory obligations, including where we have a duty to protect your health, safety, or wellbeing
- Manage legal claims
Description
- Those providing your treatment such as consultants, clinicians, doctors, therapists and other healthcare professionals
- Hospitals, clinics and other healthcare providers
What we do
- We collect information from them
- We share information with them
Our reasons
- Provide you with your treatment
- Manage our relationship with consultants
- Process and validate invoices and make or receive payments
- When those providing treatment are involved in legal proceedings, such as for negligence or malpractice
- Manage, investigate and report on negligence or malpractice, and for legal claims
Description
- Cancer registry
- Joint and implant registries
What we do
- We share information with them
Our reasons
- Aid monitoring cancer rates, improve cancer care and aid cancer research
- Improve patient safety and maintain long-term record of the effectiveness of implants
Description
- NHS Cervical Screening recall system
What we do
- We share information with them
Our reasons
- Make sure the screening is safe and in accordance with national service specifications
Description
If your care is funded by the NHS, you have the right to opt out of your data being used for research and planning purposes. You can view or change your National Data Opt-Out choice at any time here.
What we do
- We collect information from them
- We share information with them
Our reasons
- To check your preferences
Description
- Health Protection Agency for infectious diseases such as tuberculosis and meningitis
- Private Healthcare Information Network (PHIN): the government-mandated body that publishes information about the safety, quality and costs of private healthcare.
What we do
- We share information with them
Our reasons
- Protect public health
Description
- If you’re referred or you’re transferring from or to a different provider
- The NHS and your general practitioner (GP)
What we do
- We collect information from them
- We share information with them
Our reasons
- Set you up as a customer
- Support you to transfer to the new provider
- Keep records up to date
- Ensure continuity of care
Description
- Partners that offer support and add-on services, such as patient finance and dental subscription plans
- Universities and research companies
- In some cases, the partner may be the data controller of the personal information they hold about you (this means they’ll be responsible for how your personal information is used). We’ll confirm this when you choose to use the product or service.
What we do
- We collect information from them
- We share information with them
Our reasons
- Offer you products and services that may interest you
- Enable you to purchase or take up offers on additional products and services offered by our partners
- Take part in research projects
Transferring your personal information abroad
We work with organisations (such as healthcare providers, other Bupa companies, and IT providers) that operate in, or from, various countries worldwide. This means that your information will be transferred to, or accessed from, a country outside of your country of residence.
We ensure we meet international transfer requirements in the following ways.
Protection by local law
The European Commission and UK government consider some countries safe to transfer your personal information to since they have adequate data protection laws.
For our customers in Europe and the UK we can freely transfer your personal information to these countries where needed.
For our customers in countries outside Europe and the UK, we respect local requirements.
Protection by other safeguards
We may also transfer personal information to countries that have not been assessed as adequate if we use appropriate safeguards. The main safeguards we use are:
- regulator-approved Standard Contractual Clauses
- additional contractual, organisational, and technical measures (as required following a risk assessment of the transfer)
Transfers within the Bupa group are covered by an agreement that contractually obliges each company to ensure an adequate and consistent level of protection.
How long we keep your information for
For our insurance businesses, we typically keep personal information for seven years after you stop being our customer or business partner in line with our legal obligations and business needs.
For our health care businesses, we typically keep personal information for 20 years to comply with the law and NHS guidance.
Where we provide dental services, we have a clinical duty to keep dental records for 11 years from the date of your last appointment or until your 26th birthday, whichever is later. We may have alternative retention periods in place depending on the reason for which we hold your information, for example, records of your interactions with us through our website contact forms or audio call recordings.
Some countries have different retention rules due to local laws. If you’d like to know more about how long we keep your information for, please get in touch.
How we decide the retention period for your information
How long we keep your information depends on several factors:
- how long you have been a customer with us, the types of products or services you have with us, any relevant events and when you will stop being our customer
- the purpose for which we hold your data and how long we may need your data for internal business purposes
- how long it is reasonable to keep records to show we’ve met the obligations we have to you and by law
- any periods set by law or recommended by regulators, professional bodies or associations
- any time limits for making a legal claim
- any relevant proceedings that apply
We often have to keep your personal information to comply with a legal obligation, and this means that if you ask us to delete your personal information before the retention period has expired, we’ll be unable to do so.
Cookies, AI, analytics, and profiling
Here you’ll find information on certain technologies we use to process your personal information:
Cookies and other similar technologies
What are these technologies?
When you use our websites and apps, we and third-party companies use cookies and similar technologies such as pixel tags to collect information.
A cookie is a text file containing small amounts of information which a server may download to your computer, mobile or tablet when you visit a website or use an app.
A pixel tag (sometimes called a web beacon) is an invisible image with a line of code placed in an email or on a web page.
For simplicity, we refer to all such technologies as ‘cookies’.
How do we use them?
There are different types of cookies to do different things, for example:
- letting you navigate between different pages on a website efficiently
- remembering preferences you’ve given, and
- helping us identify ways to improve your overall experience of using our websites and apps
Some cookies are used to show you advertising tailored to your interests, or to count the number of site visits and find out which are the most popular pages. We may also use cookies to support some of our digital marketing activities – please see the section entitled “Marketing” below for more information about those activities.
With the exception of cookies that are strictly necessary for our website to function properly, we will seek your consent to our use of cookies.
Managing cookies and tracking technologies
You can check and manage cookies
- You can use our cookies management tool to see and control what cookies we use, how they are categorised and how long they last
- You can also control, block, or delete cookies through your web browser settings, usually found under ‘settings’ on your chosen browser.
Analytics
Analytics is a process we use to analyse data, statistics and other information, either automatically by a computer or manually by a person.
Anonymous analytics
As part of our day-to-day business, we produce management information reports. These are typically aggregated which means the information is grouped together and not looked at on an individual basis, and often they do not contain personal information. For example, we produce reports showing business performance split by day, business area or customer type.
Analytics using personal information
We sometimes conduct analytics that cannot be performed without personal information where our aim is to make recommendations about changes to the business or improvements to the services we offer our customers.
For example, we may analyse how our customers access our apps so we can understand how popular they are and identify where we can make improvements. This will involve us capturing your personal information, such as your member or registration number or email address used to access the app.
As part of these analyses, we sometimes carry out profiling activities.
For example, if we want to know how many customers may be interested in our dental practices in a particular area, we will conduct analysis based on postcode.
Profiling and automated decision making
Like many businesses, we evaluate information about you and use technology to give you automatic responses and decisions (known as profiling and automated decision making). We use these processes for:
- business activities, to give you a quicker, more consistent and fair service
- marketing, to give you information we think will interest you
- personalising, your interaction with Bupa which may include using special category information about you where we have your consent
Business activities
Running our business and delivering our products and services
Profiling and automated decision making can help us identify how our products and services can be improved, as well as how we can achieve better outcomes for our customers and business partners. For example, we may profile you so we can give you relevant information and notices within our digital apps.
We may share some of your information (including your name, date of birth, sex and the country you live in) with third party companies who carry out fraud checks. This will allow us to identify matches and carry out further checks to detect and prevent fraud.
Even if you aren’t at risk of fraud or suspected of committing fraud, using a range of people’s information allows us to have better and more accurate anti-fraud processes.
We use technologies that automatically pre-authorise your treatment. This is more efficient for our customers, business partners and healthcare professionals. We need to use profiling to create a reliable system and this involves automated decision making. We typically make sure an adviser reviews any problems with treatment approval to guarantee a fair outcome to our customers.
We use profiling and automated decision making to help us decide what level of cover we can offer you. We’ll use technology to review your medical information and find out if you have any previous or existing health conditions which aren’t covered by your health policy or scheme.
We may use software to help us calculate the price of products and services based on what we know about you and other customers.
Our software may:
- analyse your previous claims and compare it with the information we hold to find out how likely you are to claim in future
- use data such as your age, where you live and details about your health (for example, existing health conditions and whether you smoke) to calculate prices for products
- evaluate your payment and previous claims, information you’ve given us about yourself, and other information we’ve received from third parties, to automatically:
- a. provide you with a renewal quote
- b. decide what incentives we can offer you
- c. choose the marketing messages you’ll receive
We use AI and machine learning technologies to do this automatically. The technology gives us more accurate and tailored information. You can find more information about this under AI and machine learning below.
Marketing
Conducting and improving our marketing activities
We use profiling for marketing purposes. This helps us understand what offers, incentives and information may interest you and other people. We take the following steps:
We collect your information
We collect information directly from you and through automated means both as part of your onboarding as a customer or business partner and during our relationship with you. We also collect information about you from third parties, such as your employer or insurance brokers.
We create data sets
We combine your information with other people’s information. This helps us understand our customers and business partners on a less individual level. We also segment the information into different categories, for example by type of customer. This gives us a more accurate picture of the marketing that might interest you and others.
We make predictions and gather insights about you and others
Profiling helps us evaluate information about you and others to improve our marketing activities. We undertake manual profiling, meaning our team will manually review a set of data and filter it by different categories. For example, we may predict that our female customers, in a given age range, will be interested in a female health initiative, or that if you’re already engaging with some of our digital products you may be interested in other useful digital features to improve your experience.
We also use AI and machine learning technologies to run the process automatically. The technology gives us more accurate information, such as predicting how likely you are to stop using our products and services. Read more about artificial intelligence and machine learning.
We market our products and services to you and others
We share personalised marketing communications by email and phone and within our apps and other digital services, displaying content that we think will be relevant to you. We also use the results of this to find other people with similar traits who might be interested in our products and services.
We use a combination of social media platforms and digital capabilities, such as customer relationship management tools, to send marketing, show our adverts and create personalised marketing campaigns using the results of our profiling and automated decision making.
Your rights about profiling and automated decision making
Right to object to profiling related marketing
If you object, we’ll stop these activities.
Right to object to a purely automated decision about you
If you object, a member of our team will manually review the decision that was made about you.
Marketing
What does our marketing look like?
We may use your information to send you information about our products and services that we think may be of interest to you.
Those communications may be sent by email, SMS, post, telephone and over social media as explained in the “Digital Marketing” section. You will always have the opportunity to opt out of receiving marketing communications from us. Please see the section below entitled “Opting out for marketing” for more information on exercising your rights.
Digital marketing
We may share your information with social media and online platforms so that they can use it to create target audiences.
This may take the form of a “lookalike” audience in which case your data is used to help us build target profiles and display advertisements to those audiences when they use the internet or social media.
It may also take the form of a “customer match” audience which means we share your data as an existing customer with social media and other platforms so that they may display ads for other Bupa products and services that we think you may be interested in when you use those platforms.
Any information we share for this purpose will consist of basic personal data or contact information only. It will never include special category data such as your clinical or health information. You may opt out of our use of your data for those purposes by opting-out within the platform or by contacting us.
We may use automated processes to help us provide you with personalised marketing based on certain attributes of your personal information, as set out above.
Artificial intelligence and machine learning
What are these technologies?
Artificial intelligence (AI) involves programming computers to think and act like humans. This includes tasks such as learning, problem solving and decision making.
Machine learning is a subset of AI that involves training machines to learn and improve from experience without being explicitly programmed. This is typically done by providing large amounts of data to the machine and allowing it to learn patterns and make predictions based on that data.
How do we use AI and machine learning?
- Customer service: AI and machine learning may be used to improve customer service by providing personalised recommendations and assistance. For example, chatbots powered by AI help customers claim or answer questions about their policies. This improves response times and our efficiency.
- Risk assessment and pricing
- Fraud detection
- Health and dental care: we use AI-powered tools to support clinical decision-making and triage, improve diagnostic accuracy, and reduce admin time for our clinicians. For example, when recording clinical notes and analysing x-rays.
- Training our model (the AI algorithm) that creates predictions for marketing and business activities
How do we use AI and machine learning responsibly?
We maintain and adhere to a responsible AI framework alongside appropriate governance and processes. We are committed to using AI responsibly by following five key principles:
- privacy and security
- fairness
- transparency
- safety
- accountability
Your choices and rights
Information on how to control your personal information and the rights you have under the law.
Opting-out from marketing
You can ask us to stop sending you email marketing by clicking on the ‘unsubscribe’ link in the message we send you.
For all other types of marketing, you can opt out (ask us not to send it) or change your preferences:
UK Insurance, Bupa Health Clinics and Richmond Village customers
Change your preferences in your MyBupa online account or app, or email [email protected]
Bupa Global customers
Opt out through the MembersWorld portal or email [email protected]
Dental patients
Change your preferences in the Patient Portal or email [email protected]
You can’t unsubscribe from service communications. These are communications we need to send you for administrative or customer service reasons.
You also have the right to object to us profiling you for direct marketing purposes.
Your rights
You have rights under privacy law about your personal information.
Right of access
You can ask us for a copy of the personal information we hold about you.
Right to rectification
You can ask us to correct or remove inaccurate information we hold about you.
Right to restriction of processing
You can ask us to use your information for restricted purposes only.
Right to portability
You can ask us to send your information to you or to someone else in a format that can be read by computer.
Right to erasure
You can ask us to delete your information. If there’s a reason why we can’t do this, for example legally we need to keep it for a certain length of time, we’ll let you know.
Right to withdraw consent
You can withdraw any consent you’ve given us. We’ll let you know if we have to stop providing a product or service to you as a result. Any processing of your personal information that happened before you withdrew your consent will remain lawful.
Right to object
You can object to us processing your information when:
- we’re processing it or profiling you for direct marketing purposes
- we’re processing it for a legitimate interest (see ‘how we use the personal information we collect’ for when this applies)
- our processing is based on a task carried out in the public interest (such as prevention of crime)
However, we may be unable to action your objection if there’s an overriding reason or the processing is necessary for legal claims. We’ll tell you if this applies when you contact us.
You don’t always have the right to object. We’ll let you know if you can’t and our reasons for turning down your objection.
Rights in relation to profiling and automated decision making
Where we are making solely automated decisions about you using your personal data we will:
- provide you with information about any significant decisions made about you.
- ensure you have the opportunity to make representations and challenge such decisions; and
- enable you to obtain human intervention in respect of such decisions.
You also have a right to make a complaint to your local privacy supervisory authority
If you’d like to do this, please tell us first, so we have a chance to address your concerns.
If you remain unsatisfied, you can complain to:
- the Information Commissioner’s Office, if you’re a customer based in the UK
- the supervisory authority of your country, if you’re an Irish or European Bupa Global customer
- if you’re based another country, we’ll let you know your relevant authority
How to exercise your rights
If you want to exercise your rights, please email:
- [email protected] for customers of our UK and Republic of Ireland businesses
- [email protected], if you’re a Bupa Global customer
To help us manage your request, please tell us in your email the Bupa business with which you are a customer or have interacted.
What to expect
1. Identification
We may ask you to confirm your identity and provide information that helps us understand your request better.
2. We’ll let you know if we can fulfil your request
Unless you’re exercising an absolute right, for example the right to object to the processing of personal information for direct marketing purposes, we may be unable to fulfil your request. We’ll let you know and explain why.
3. Our response
We’ll respond to requests about automated decisions in 21 days. For all other requests, we’ll tell you within one month what action we’ve taken, starting from the day we receive them.
How to get in touch or make a complaint
If you have any questions, comments or would like to complain about this notice, or any other questions about the way we process your information, please get in touch with our Data Protection Officer and privacy team.
Reach us by post
Address your letter to:
Bupa, Privacy Team,
1 Angel Court,
City of London, EC2R 7HJ,
United Kingdom