LifeStar Health Limited – Privacy Notice

LifeStar Health Limited acts as an insurance agent for Bupa Global Designated Activity Company, which has passported its services through the European Passport Rights for Insurance and Reinsurance Undertakings. LifeStar Health Limited is registered as an insurance agent and is regulated by the Malta Financial Services Authority.

LifeStar Health Limited is registered in Malta under company number C6393 and having its registered office at Testaferrata Street, Ta' Xbiex XBX 1403, Malta.

Bupa Global Designated Activity Company is a designated activity company limited by shares registered in Ireland under company number 623889 and having its registered office at Second Floor, 10 Pembroke Place, Ballsbridge, Dublin 4, D04 V1W6, and is regulated by the Central Bank of Ireland.

Bupa Global DAC is part of the Bupa group of companies, for more information on Bupa and the Bupa group of companies please see https://www.bupaglobal.com/en/legal/legal-notices.

This privacy notice applies to you if you ask us about, buy or use our products and services. It describes how we handle your information, regardless of the way you contact us (for example, by email, through our website, by phone, through our app and so on). We will provide you with further information or notices if necessary, depending on the way we interact with each other, for example if you use our apps we may give you privacy notices which apply just to a particular type of information which we collected through that app. If you have any questions about this, please contact us at [email protected].

We collect personal information from you:

• through your contact with us, including by phone (we may record or monitor phone calls to make sure we are keeping to legal rules, codes of practice and internal policies, and for quality assurance purposes), by email, through our websites, through our apps, by post, by filling in application or other forms, by entering competitions, through social media or face-to-face (for example, in medical consultations, diagnosis and treatment).

We also collect information from other people and organisations.

For all our customers, we may collect information from:

• your parent or guardian, if you are under 18 years old;
• a family member, or someone else acting on your behalf;
• doctors, other clinicians and health-care professionals, hospitals, clinics and other health-care providers;
• any service providers who work with us in relation to your product or service, if we don’t provide it to you direct, such as providing you with apps, medical treatment, dental treatment or health assessments;
• organisations who carry out customer-satisfaction surveys or market research on our behalf, or who provide us with statistics and other information (for example, about your interests, purchases and type of household) to help us to improve our products and services;
• fraud-detection and credit-reference agencies; and 
• sources which are available to the public, such as the edited electoral register or social media.

If we provide you with insurance products and services, we may collect information from:

• the main member, if you are a dependant under a family insurance policy;
• your policy holder (usually your employer), if you are covered by an insurance policy they have taken out on your behalf;
• brokers and other agents (this may be your broker if you have one, or your employer's broker if they have one); and
• other third parties we work with, such as agents working on our behalf, other insurers and reinsurers, actuaries, auditors, solicitors, translators and interpreters, tax advisers, debt-collection agencies, credit-reference agencies, fraud-detection agencies (including insurance counter-fraud groups), regulators, data-protection supervisory authorities, health-care professionals, other health-care providers and medical-assistance providers.

Standard personal information includes:

• contact information, such as your name, username, address, email address and phone numbers;
• the country you live in, your age, your date of birth and national identifiers (such as your ID card number or passport number);
• information about your employment;
• details of any contact we have had with you, such as any complaints or incidents;
• financial details, such as details about your payments and your bank details;
• the results of any credit or any fraud checks we have made on you;
• information about how you use our products and services, such as insurance claims; and

Special category information includes:

• information about your physical or mental health, including genetic information or biometric information (we may get this information from application forms you have filled in, from notes and reports about your health and any treatment and care you have received or need, or it may be recorded in details of contact we have had with you such as information about complaints or incidents, and referrals from your existing insurance provider, quotes and records of medical services you have received)
• information about your race, ethnic origin and religion (we may get this information from your medical preferences to allow us to provide care that is tailored to your needs); and information about any criminal convictions and offences (we may get this information when carrying out anti-fraud or anti-money-laundering checks, or other background screening activity).

By law, we must have a lawful reason for processing your personal information.

We process standard personal information about you if this is:

• necessary to provide the services set out in a contract − if we have a contract with you, we will process your personal information in order to fulfil that contract (that is, to provide you and your dependants with our products and services);
• in our or a third party’s legitimate interests − details of those legitimate interests are set out in more detail in the 'Legitimate Interest' section below; or
• required or allowed by law.

We process special category information about you because:

• it is necessary for the purposes of preventive or occupational medicine, to assess whether you are able to work, medical diagnosis, to provide health or social care or treatment, or to manage health-care or social-care systems (including to monitor whether we are meeting expectations relating to our clinical and non-clinical performance);
• it is necessary for an insurance purpose (for example, advising on, arranging, providing or managing an insurance contract, dealing with a claim made under an insurance contract, or relating to rights and responsibilities arising in connection with an insurance contract or law);
• it is necessary to establish, make or defend legal claims (for example, claims against us for insurance);
• it is necessary for the purposes of preventing or detecting an unlawful act in circumstances where we must carry out checks without your permission so as not to affect the outcome of those checks (for example, anti-fraud and anti-money-laundering checks or to check other unlawful behaviour, or carry out investigations with other insurers and third parties for the purpose of detecting fraud);
• it is necessary for a purpose designed to protect the public against dishonesty, malpractice or other seriously improper behaviour (for example, investigations in response to a safeguarding concern, a member's complaint or a regulator (such as the Medical Council) telling us about an issue);
• it is in the public interest, in line with any laws that apply; 
• it is information that you have made public; or
• we have your permission. As is best practice, we will only ask you for permission to process your personal information if there is no other legal reason to process it. If we need to ask for your permission, we will make it clear that this is what we are asking for, and ask you to confirm your choice to give us that permission. If we cannot provide a product or service without your permission (for example, we can’t manage and run a health trust without health information), we will make this clear when we ask for your permission. If you later withdraw your permission, we will no longer be able to provide you with a product or service that relies on having your permission.

Legitimate interest is one of the legal reasons why we may process your personal information. Taking into account your interests, rights and freedoms, legitimate interests which allow us to process your personal information include:

• to manage our relationship with you, our business and third parties who provide products or services for us (for example, to check that you have received a service that you’re covered for, to validate invoices and so on);
• to provide health-care services on behalf of a third party (for example, your employer);
• to make sure that claims are handled efficiently and to investigate complaints (for example, we may ask your treatment provider for information to make sure we receive accurate information and to monitor the quality of your treatment and care);
• to keep our records up to date and to provide you with marketing as allowed by law; 
• to develop and carry out marketing activities and to show you information that is of interest to you, based on our understanding of your preferences (we combine information you give us with information we receive about you from third parties to help us understand you better); 
• for statistical research and analysis so that we can monitor and improve products, services, websites and apps, or develop new ones;
• to contact you about market research we are carrying out;
• to monitor how well we are meeting our clinical and non-clinical performance expectations in the case of health-care providers;
• to enforce or apply our website terms of use, our policy terms and conditions or other contracts, or to protect our (or our customers’ or other people’s) rights, property or safety;
• to exercise our rights, to defend ourselves from claims and to keep to laws and regulations that apply to us and the third parties we work with; and
• to take part in, or be the subject of, any sale, purchase, merger or takeover of all or part of the Bupa business.

Profiling and automated decision-making

The processes set out below involve both profiling and automated decision-making.

• Depending on the type of insurance product that you want to benefit from, to help us decide what level of cover we can offer you, we will ask you to provide information about your medical history. We may use software to review this information to find out whether you have any previous or existing health conditions which we cannot cover you for and which will be excluded from your policy. 
• We may use software to help us calculate the price of products and services based on what we know about you and other customers. For example, our technology may analyse information about your claims history and compare it with the information we hold about previous claims to evaluate how likely you are to need to make a claim. We may also evaluate your age, where you live and other details relating to your health (such as existing health conditions and whether you smoke) to calculate prices for community-rated products which are based on predefined groups with similar risk profiles.

Profiling

The processes set out below involve profiling. 

• In order to improve outcomes and be more efficient, and allow us to offer advice about different treatment paths (for example, alternatives to surgery or other invasive treatments), we may use software to evaluate medical history and information about the general population in an area to identify customers who are likely to need that advice most. 
• When your policy is due for renewal, our software tells us this and may also evaluate your payment and claims history, other information you have given us about yourself, and other information we have received from third parties to automatically provide you with information about what incentives we can offer you and the marketing messages you will receive. 
• We ask other organisations to carry out some of our consumer and market analysis to improve our marketing processes. This involves sharing personal information relating to our customers with third parties who specialise in profiling and segmenting people (putting people into groups of different types of customer, based on different kinds of information collected about them, to help us to better target our products to them). These companies match the information we give them with information they get from other sources to improve the accuracy of their analysis. We use the results of this analysis to help us target marketing and offers. 
• We may use information about the products you have bought, and information about what other customers who have bought the same products you have bought, to make sure we send you information about the products you are most likely to be interested in. 
• We may share your personal information (including your name, date of birth, sex and the country you live in) with third-party companies, such as Acuris Risk Intelligence, who carry out fraud checks. We will review any matches from this process. (We will not use automated decision-making for this.)

We sometimes need to share your information with other people or organisations for the purposes set out in this privacy notice.

For all our customers, we share your information with:

• Bupa Global DAC;
• other organisations you belong to, or are professionally associated with, in order to confirm your entitlement to claim discounts on our products and services;
• doctors, clinicians and other health-care professionals, hospitals, clinics and other health-care providers;
• suppliers who help deliver products or services on our behalf;
• people or organisations we have to, or are allowed to, share your personal information with by law (for example, for fraud-prevention or safeguarding purposes);
• the police and other law-enforcement agencies to help them perform their duties, or with others if we have to do this by law or under a court order;
• if we, Bupa Global DAC (or any member of the Bupa group) sell or buy any business or assets, the potential buyer or seller of that business or those assets; and
• a third party who takes over any or all of the Bupa Group’s assets (in which case personal information we hold about our customers or visitors to the website may be one of the assets the third party takes over).

If we provide insurance or manage a health-care trust, we share your information with:

• the policy holder or their agent if you are not the main member under an individual policy (we will send them all membership documents and confirmation of how we have dealt with a claim, and all people who are insured on the policy may have access to correspondence and other information we provide through our online portal)
• your employer (or a their broker or agent) for product or service administration purposes if you are a member or beneficiary under your employer’s group scheme; 
• your broker or agent (or both);
• other third parties we work with to provide our products and services, such as agents working on our behalf, other insurers and reinsurers, actuaries, auditors, solicitors, translators and interpreters, tax advisers, debt-collection agencies, credit-reference agencies, fraud-detection agencies (including insurance counter-fraud groups), regulators, data-protection supervisory authorities, health-care professionals, health-care providers and medical-assistance providers; and;
• organisations who provide your treatment and other benefits, including travel-assistance services.

If we share your personal information, we will make sure appropriate protection is in place to protect your personal information in line with data-protection laws.

You have the following rights (certain exceptions apply).

• Right of access: You have the right to make a written request for details of your personal information and a copy of that personal information.
• Right to rectification: You have the right to have inaccurate information about you corrected or removed.
• Right to erasure ('right to be forgotten'): You have the right to have certain personal information about you deleted from our records.
• Right to restriction of processing: You have the right to ask us to use your personal information for restricted purposes only.
• Right to object: You have the right to object to us processing (including profiling) your personal information in cases where our processing is based on a task carried out in the public interest or where we have let you know it is necessary to process your information for our or a third party’s legitimate interests. You can object to us using your information for direct marketing and profiling purposes in relation to direct marketing.
• Right to data portability: You have the right to ask us to transfer the personal information you have given us to you or to someone else in a format that can be read by computer.
• Right to withdraw consent: You have the right to withdraw any permission you have given us to handle your personal information. If you withdraw your permission, this will not affect the lawfulness of how we used your personal information before you withdrew permission, and we will let you know if we will no longer be able to provide you with your chosen product or service. 
• Right in relation to automated decisions: You have the right not to have a decision which produces legal effects which concern you or which have a significant effect on you based only on automated processing, unless this is necessary for entering into a contract with you, it is authorised by law or you have given your permission for this. We will let you know if we make automated decisions, our legal reasons for doing this and the rights you have.

Please note: Other than your right to object to us using your information for direct marketing (and profiling for the purposes of direct marketing), your rights are not absolute. This means they do not always apply in all cases, and we will let you know in our correspondence with you how we will be able to meet your request relating to your rights.

If you make a request, we will ask you to confirm your identity if we need to, and to provide information that helps us to understand your request better. We have 21 days to respond to requests relating to automated decisions. For all other requests we have one month from receiving your request to tell you what action we have taken.

If we do not meet your request, we will explain why.

In order to exercise your rights, please contact us at [email protected].