Hero Image

Privacy notice

This privacy notice explains what information we collect about you, how we use it and how we protect it. It also gives you information about your rights.

Summary of changes

This privacy notice is reviewed at least annually and was last updated in May 2026. We have made several updates, summarised below:

  • Updating the section entitled “Who processes your personal information” to provide you with more information about who the controller of your data is depending on the service or product you have purchased or the provider with which you have interacted.
  • Explaining in the section entitled “Collecting and sharing your personal information” that your personal information may be shared with third party administrators where you have purchased a global insurance policy
  • Explaining in the section entitled “Marketing” where we may use your personal information for digital marketing purposes and how you may opt out of us doing so

We are committed to protecting and using your personal information responsibly.
If you have any questions about our privacy notice, please email [email protected]

Privacy notice sections

Who this notice is for

About us

Who processes your information?

Depending on the services that you use or interact with, you may deal with one or more companies within Bupa. The company that decides the information that we need to collect from you and how and why we use that information is known as the data controller. There may be more than one data controller of your information, as set out below:

How we collect your personal information

What personal information we collect

How we use the personal information we collect

Under data protection laws, we can only process your information if we have a legal reason (known as a ‘lawful ground’) for doing so:

  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Customer details
  • Financial details
  • Employment details
  • Special category information
  • Behavioural and usage information
  • Technical
  • It’s necessary to provide the services set out in a contract we have entered into with you
  • It’s required or allowed by law
  • We have a legitimate interest to:
    • a. deliver our products and services
    • b. tailor the delivery of our products and services to your specific needs and interests

For special category information

  • It’s necessary for health or social care purposes such as:
    • preventive or occupational medicine
    • medical diagnosis
    • providing healthcare or treatment
    • providing social care
    • managing healthcare or social care systems or services
  • With your consent (if required)
  • When it's in your vital interests
  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Customer details
  • Financial details
  • Employment details
  • Special category information
  • Behavioural and usage information
  • Technical
  • It’s necessary to provide the services set out in a contract we have entered into with you
  • It’s required or allowed by law
  • We have a legitimate interest to:
    • a. manage our relationship with you, our business and third parties
    • b. deliver our products and services
    • c. tailor the delivery of our products and services to your specific needs and interests
    • d. communicate with our customers and business partners
    • e. process insurance claims and collect money owed to us

For special category information

  • It’s necessary for insurance purposes, such as:
    • advising on, arranging, providing or managing an insurance contract
    • dealing with a claim made under an insurance contract
    • exercising our rights and meeting our responsibilities relating to an insurance contract or insurance law;
    • audit, quality assurance and clinical governance.

In those cases we have determined that our processing is necessary for reasons of substantial public interest

  • With your consent (if required)
  • When it’s in your vital interests
  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Customer details
  • Financial details
  • Employment details
  • Special category information
  • Criminal convictions and offences
  • Behavioural and usage information
  • Technical
  • It’s required or allowed by law
  • We have a legitimate interest to:
    • a. manage our relationship with you, our business and third parties
    • b. resolve issues and answer questions about our products and services
    • c. investigate and respond to complaints
    • d. monitor how well we are meeting our clinical and non-clinical performance expectations
    • e. protect the public against dishonesty, malpractice or other seriously improper behaviour
    • f. manage a claim where a third party may be at fault
  • With your consent (if required)
  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Customer details
  • Financial details
  • Employment details
  • Criminal convictions and offences
  • Behavioural and usage information
  • Technical
  • It’s required or allowed by law
  • We have a legitimate interest to:
    • a. detect and prevent fraud and financial crime
    • b. ensure compliance with our terms and conditions and policies
  • Basic personal details
  • Contact
  • Residency
  • Customer details
  • Employment details
  • Behavioural and usage information
  • Technical
  • It's required or allowed by law
  • We have a legitimate interest to:
    • confirm that you’re an employee of the company that is paying for the product or service you’re using
    • confirm you’re an employee of a business we’re purchasing products or services from
    • identify you when you access our digital services and websites
    • identify if you were redirected to our websites through an advert or referral link
    • identify identify if you are under the age of 16
    • identify fraud and fraudulent activity
    • keep your records up to date
  • Basic personal details
  • Contact
  • Residency
  • Customer details
  • Financial details
  • Employment details
  • It’s necessary to provide the services set out in a contract
  • It’s required or allowed by law
  • We have a legitimate interest to:
    • a. take payment and charge for our products and services
    • b. review invoices and make payments
  • Basic personal details
  • Contact
  • Communications
  • Behavioural and usage information
  • Technical
  • We have a legitimate interest to:
    • a. market to our customers and prospective customers if they’ve shown an interest in us
    • b. request feedback from customers and people we work with
    • c. adhere to your contact and marketing preferences and to carry out automated decision making and profiling where appropriate (see section below entitled ‘cookies, AI, analytics and profiling’ for details on this)
    • d. operate cookies on our websites and undertake other tracking to personalise our marketing activities
    • e. develop and run tailored marketing
  • With your consent (if required)
  • Basic personal details
  • Contact
  • Communications
  • Behavioural and usage information
  • Technical
  • Special category information
  • We have a legitimate interest to:
    • a. personalise your access to our digital services such as the MyBupa app
  • With your consent (if required), including where we use your special category information to achieve our purposes
  • Basic personal details
  • Contact
  • Communications
  • Residency
  • Financial details
  • Employment details
  • Special category information
  • Behavioural and usage information
  • Technical
  • We have a legitimate interest to:
    • a. undertake statistical research and analytics (see ‘cookies, AI, analytics and profiling’ for details on this)
    • b. understand our customers and the people we work with
    • c. understand more about our products and services, and how to improve them
  • With your consent (if required)
  • Basic personal details
  • Contact
  • Residency
  • Special category information
  • Customer details
  • Behavioural and usage information
  • Technical
  • CCTV Footage
  • It’s required or allowed by law
  • We have a legitimate interest to:
    • a. secure our systems and digital services
    • b. make sure we’re only providing and working with products and services in permitted locations
    • c. exercise our rights and defend ourselves from legal claims
  • Basic personal details
  • Contact
  • Customer details
  • Personal information shared with us during a phone call or other method of communication, such as webchat and email
  • Special category information
  • We have a legitimate interest to:
    • a. monitor phone calls to us for training and to review the quality of our services
    • b. review online and email exchanges between you and us for training and to review the quality of our services
  • It’s required or allowed by law
  • Where our use of personal data, including special category information is for scientific research including research designed to improve understanding of health treatment or outcomes, improve diagnoses and develop technologies as well as AI training, validation and testing
  • When our use of special category data is necessary for the management of healthcare systems
  • With your consent (if required)

Collecting and sharing your personal information

Sometimes we need to collect your information from, or share it with, other people or organisations. We share as little of your information as possible, and only for specific purposes.

We have processes in place to make sure that your information is protected when we share it with third parties. If you are sharing someone else’s personal information with us, please make sure they have seen this privacy notice and are comfortable with you giving us their information.

You can view the types of third parties with which we collect and share information, and our reasons for doing so below. We may also disclose your personal information to other third parties if we are required or permitted to do so by law.

Description

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Deliver our products and services to you
  • Provider you with personalised healthcare and services
  • Send you communications about products and services that might interest you
  • Provide you with digital services including our Bupa website and the MyBupa app
  • Undertake statistical research and analysis to understand more about our products and services and how to improve them
  • Understand and improve clinical outcomes for our customers
  • Product and service development
  • Fraud prevention and detection
  • Report on business activity and success
  • Enable us to deliver a seamless experience across Bupa, and give you easy access to products and services across our businesses

Description

You have given us consent to speak to a third party on your behalf, such as a family member, solicitor, or a person acting through a Power of Attorney.

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Deliver our products and services to you
  • Manage our relationship with you
  • Set you up as a customer
  • Meet our regulatory obligations or comply with legal requests or legal claims
  • Manage complaints, claims or individual rights requests

Description

  • You are under a group insurance scheme or health trust, or your employer is paying for our services
  • You are working with us in a professional capacity as a business partner

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Product or service administration
  • Transfer to a new service provider
  • Set you up as a customer
  • Manage our relationship with your employer
  • Process and validate invoices, and make or receive payments

Description

  • Doctors, clinicians and other healthcare professionals
  • Hospitals and clinics
  • Dental laboratories
  • Medical laboratories
  • Individuals or organisations who pay for your care
  • Patient record databases such as the NHS’s GP Connect or the Northern Ireland Electronic Care Record.

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • To enable healthcare providers to provide treatment and healthcare services, and to enable you to receive it
  • To provide our healthcare professionals with access to the information they need to make informed clinical decisions (e.g. when prescribing medications)
  • To process and validate invoices and make or receive payments
  • To investigate complaints, claims and possible fraudulent activity
Description

Professional associations our consultants belong to or are regulated by, including but not limited to:

  • Care Quality Commission
  • General Medical Council
  • General Dental Council
  • The Health and Care Professions Council
  • Responsible Officer

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • For safeguarding purposes
  • Investigate complaints and clinical incidents
  • Monitor quality and performance

Description

  • Health insurance counter-fraud groups
  • Financial crime screening services

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Detect and prevent fraud
  • Meet our regulatory and legal obligations

Description

  • Debt collection agencies we engage to act on our behalf


What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Recover money owed to us

Description

  • Potential buyers or sellers of businesses and assets we’re buying or selling
  • Third parties that assume responsibility for Bupa


What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Enable the third party to take over our business activities
  • Support the third party’s decision making and processes to buy our business

Description

  • Solicitors, auditors, actuaries and tax advisors
  • Translators and interpreters

What we do

  • We share information with them

Our reasons

  • Support us to manage our business and meet our regulatory obligations
  • Gain advice on business decisions and strategy

Description

  • Government and their agencies
  • Law enforcement agencies, like the Police
  • Authorities and regulators such as the Financial Conduct Authority (FCA) or Prudential Regulation Authority (PRA)
  • Data protection supervisory authorities
  • HM Courts and Tribunals Service

What we do

  • We share information with them

Our reasons

  • Comply with our legal and regulatory obligations
  • Protect our rights and defend ourselves against claims

Description

  • Electoral register
  • Information about you on social media
  • For our business partners, public sources that include professional information about you

What we do

  • We collect information from them

Our reasons

  • Validate and update our records
  • Understand how our customers and business partners have reviewed or discussed us or our competitors online
  • Check our business partners are legitimate, of good standing and quality, and investigate possible fraudulent activity or complaints

Description

We put measures in place to ensure that our suppliers process your personal information fairly and in line with our expectations. We use the types of suppliers listed below:

  • IT service providers: Cloud storage, databases and data repositories, practice management systems, customer relationship management systems (CRM), communication and phone software, back-up solutions, network security and monitoring solutions and other ‘software as a service’ providers
  • Marketing, sales and business development: market and customer research consultants, social media platforms and marketing and digital marketing agencies, data set and contact list providers
  • Customer service support: outsourced support with customer communication and servicing, including translation

What we do

  • We share information with them

Our reasons

  • Help us run our business
  • Manage our relationship and communicate with you
  • Provide our products and services to you
  • Understand our customers and market to them – please see more information in the Digital Marketing section below
  • Identify and communicate with people that might be interested in our products and services
  • Grow our business and keep our customers

Description

We use embedded content on our website from third party providers. These providers may collect information about your use of the embedded content and your interaction with it.

For more information about our use of YouTube API services, please see Google’s privacy policy: www.google.com/policies/privacy
More information can also be found in YouTube's Terms of Service: www.youtube.com/t/terms

What we do

  • We share information with them

Our reasons

  • So we can display content from third party providers, including YouTube, on our website

Description

  • Main policyholder, if you are a dependant under an insurance policy

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Manage our relationship with you and the policyholder
  • Issue invoices, requests and take payment

Description

  • Insurance brokers
  • Your agents
  • Other intermediaries


What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Confirm you are entitled to claim discounts on our products and services
  • Manage our relationship with you through your broker or agent
  • Discuss purchase, renewal and availability of our products and services through your broker and agent
  • Set you up as a customer or business partner

Description

  • Other health and benefit insurers
  • Reinsurers

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Set you up as a customer
  • Support you to transfer to a new insurer
  • Manage and settle claims that are a third party’s fault
  • If reinsurance is necessary

Description

  • Evacuation or repatriation providers

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • To arrange evacuation or repatriation

Description

  • Local authorities, social services, and other public sector bodies
  • Commissioners and embassies
  • HM Courts and Tribunals Service


What we do

  • We share information with them

Our reasons

  • Enable the third party to pay for the services we’re providing to you
  • Comply with our legal and regulatory obligations, including where we have a duty to protect your health, safety, or wellbeing
  • Manage legal claims

Description

  • Those providing your treatment such as consultants, clinicians, doctors, therapists and other healthcare professionals
  • Hospitals, clinics and other healthcare providers



What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Provide you with your treatment
  • Manage our relationship with consultants
  • Process and validate invoices and make or receive payments
  • When those providing treatment are involved in legal proceedings, such as for negligence or malpractice
  • Manage, investigate and report on negligence or malpractice, and for legal claims

Description

  • Cancer registry
  • Joint and implant registries

What we do

  • We share information with them

Our reasons

  • Aid monitoring cancer rates, improve cancer care and aid cancer research
  • Improve patient safety and maintain long-term record of the effectiveness of implants

Description

  • NHS Cervical Screening recall system

What we do

  • We share information with them

Our reasons

  • Make sure the screening is safe and in accordance with national service specifications

Description

If your care is funded by the NHS, you have the right to opt out of your data being used for research and planning purposes. You can view or change your National Data Opt-Out choice at any time here

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • To check your preferences

Description

  • Health Protection Agency for infectious diseases such as tuberculosis and meningitis

  • Private Healthcare Information Network (PHIN): the government-mandated body that publishes information about the safety, quality and costs of private healthcare.

What we do

  • We share information with them

Our reasons

  • Protect public health

Description

  • If you’re referred or you’re transferring from or to a different provider
  • The NHS and your general practitioner (GP)



What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Set you up as a customer
  • Support you to transfer to the new provider
  • Keep records up to date
  • Ensure continuity of care

Description

  • Partners that offer support and add-on services, such as patient finance and dental subscription plans
  • Universities and research companies
  • In some cases, the partner may be the data controller of the personal information they hold about you (this means they’ll be responsible for how your personal information is used). We’ll confirm this when you choose to use the product or service.

What we do

  • We collect information from them
  • We share information with them

Our reasons

  • Offer you products and services that may interest you
  • Enable you to purchase or take up offers on additional products and services offered by our partners
  • Take part in research projects

Transferring your personal information abroad

We work with organisations (such as healthcare providers, other Bupa companies, and IT providers) that operate in, or from, various countries worldwide. This means that your information will be transferred to, or accessed from, a country outside of your country of residence.

We ensure we meet international transfer requirements in the following ways.

How long we keep your information for

Cookies, AI, analytics, and profiling

Here you’ll find information on certain technologies we use to process your personal information:

Profiling and automated decision making

Like many businesses, we evaluate information about you and use technology to give you automatic responses and decisions (known as profiling and automated decision making). We use these processes for:

  • business activities, to give you a quicker, more consistent and fair service
  • marketing, to give you information we think will interest you
  • personalising, your interaction with Bupa which may include using special category information about you where we have your consent

Business activities

Running our business and delivering our products and services

Profiling and automated decision making can help us identify how our products and services can be improved, as well as how we can achieve better outcomes for our customers and business partners. For example, we may profile you so we can give you relevant information and notices within our digital apps.

We may share some of your information (including your name, date of birth, sex and the country you live in) with third party companies who carry out fraud checks. This will allow us to identify matches and carry out further checks to detect and prevent fraud.

Even if you aren’t at risk of fraud or suspected of committing fraud, using a range of people’s information allows us to have better and more accurate anti-fraud processes.

We use technologies that automatically pre-authorise your treatment. This is more efficient for our customers, business partners and healthcare professionals. We need to use profiling to create a reliable system and this involves automated decision making. We typically make sure an adviser reviews any problems with treatment approval to guarantee a fair outcome to our customers.

We use profiling and automated decision making to help us decide what level of cover we can offer you. We’ll use technology to review your medical information and find out if you have any previous or existing health conditions which aren’t covered by your health policy or scheme.

We may use software to help us calculate the price of products and services based on what we know about you and other customers.

Our software may:

  • analyse your previous claims and compare it with the information we hold to find out how likely you are to claim in future
  • use data such as your age, where you live and details about your health (for example, existing health conditions and whether you smoke) to calculate prices for products
  • evaluate your payment and previous claims, information you’ve given us about yourself, and other information we’ve received from third parties, to automatically:
    • a. provide you with a renewal quote
    • b. decide what incentives we can offer you
    • c. choose the marketing messages you’ll receive

We use AI and machine learning technologies to do this automatically. The technology gives us more accurate and tailored information. You can find more information about this under AI and machine learning below.

Marketing

Conducting and improving our marketing activities

We use profiling for marketing purposes. This helps us understand what offers, incentives and information may interest you and other people. We take the following steps:

Marketing

Artificial intelligence and machine learning

What are these technologies?

Your choices and rights

Information on how to control your personal information and the rights you have under the law.

Opting-out from marketing

Your rights

You have rights under privacy law about your personal information.

How to exercise your rights

If you want to exercise your rights, please email:

To help us manage your request, please tell us in your email the Bupa business with which you are a customer or have interacted.

What to expect

How to get in touch or make a complaint

If you have any questions, comments or would like to complain about this notice, or any other questions about the way we process your information, please get in touch with our Data Protection Officer and privacy team.

Content is loading