Privacy Policy for VitalityCar members

If you have a plan with us or you are considering getting a plan with us, we collect information as you and any joint planholders when you get a quote for insurance, when you buy or renew an insurance plan from us, when you amend or cancel your insurance plan or when you make a claim under your insurance plan.

If you are claiming under another person’s plan as a third party claimant, we collect information about you when you make a claim under the insurance plan.

If you are a witness to an event giving rise to a claim, we collect your information to help us handle the claim.

We only collect information that is relevant and necessary for us to provide the insurance product and to handle claims made under the insurance plan.

If you contact us by telephone, we may record calls for training and monitoring purposes to help improve our service and to detect and prevent fraud.

• Personal information provided by you, about you and any additional drivers, directly or via the company who sold you the plan:
  - Contact details
  - Date of birth
  - Occupation
  - Homeowner status
  - Marital status
  - Driving licence details
  - Residency status
  - Driving behaviour
  - Images and videos from dash camera footage
  - Other information about you provided by the company who sold you the plan
• Financial information provided by you, directly or via the company who sold you the plan:
  - Payment details
  - Details of County Court Judgments (CCJs) and bankruptcy
  - Transactions and payments made to us for your plan
• Sensitive information provided by you, directly or via the company who sold you the plan:
  - Motoring criminal convictions and offences
  - Health information including medical conditions and associated restrictions on your driving licence
• Information about what you are insuring and the cover you require provided by you, directly or via the company who sold you the plan:
  - Your vehicle details including the car registration, car make and model, annual mileage, value, class of use, where the vehicle is kept etc.
• Information about your insurance history provided by you, directly or via the company who sold you the plan:
  - Recent quotes for insurance
  - Your insurance history
  - Claims details
• Information relating to fraudulent or potentially fraudulent activity provided by fraud agencies and databases or collected from publicly available sources of information:
  - History of fraud
  - Indicators of fraudulent behaviour
  - Investigations into fraud
• Your credit information provided by credit reference agencies:
  - Your credit history and score
  - Information on the electoral register
• In addition to the information above, we also collect information from third parties, to assist us in assessing your insurance risk. Some of this information is publically available such as census data. We also collect information regarding your vehicle from HPI Ltd.

The information we collect may be used by us, our employees and third party insurers and/or service providers who are acting under our instruction, for the reasons detailed below. We must always have a lawful basis for processing your information.

When we process your sensitive personal information, we must always have an additional lawful basis.

For each reason for processing your information, we have set out our lawful basis:

Why do we use your information	Our lawful bases for processing	Our legitimate business interest, where applicable	Retention Guide
To provide you with a quote Assessing your application for insurance and, if we can, the price and other terms we can offer	Personal Information: Entering into and the performance of a contract Legitimate interest Sensitive Information: Substantial public interest - insurance	To price our products based on your insurance risk and to set plan acceptance parameters to determine when we want to insure certain risks.	13 months or 4 years if linked to Fraud.
To administer and manage your insurance plan Administering the purchase of your plan Managing your plan Processing your insurance premiums Arranging the renewal, cancellation or lapse of your plan	Personal Information: Entering into and the performance of a contract Legitimate interest Sensitive Information: Establish, exercise or defend our legal rights Substantial public interest - insurance	To price our products based on your insurance risk and to set plan acceptance parameters to determine when we want to insure certain risks	7 years from end of the last active policy across Vitality Group as per standards
To handle claims made against an insurance plan Registering your claim Assessing your claim Processing payments for your claim Processing reinsurance recoveries	Personal Information: Entering into and the performance of a contract Legitimate interest Sensitive Information: Establish, exercise or defend our legal rights Substantial public interest - insurance	To undertake checks to validate and settle your claim.	As above. 21years & 4mths for claims involving minors.
To resolve any complaints you may have Register complaints Manage and resolve complaints	Personal Information: Entering into and the performance of a contract Legitimate interest Sensitive Information: Establish, exercise or defend our legal rights Substantial public interest - insurance	To investigate and resolve any complaints made.	3 years from date of closure.
To recover any debt that you owe to us Recovery of unpaid debts or reimbursement of damages under a contract	Personal Information: Entering into and the performance of a contract  Legitimate interest	To recover any debt that is owed to us even if we do not hold a contractual relationship with you.	7 years after debt recovered or end of policy whichever is longer
To conduct credit reference checks and to assess your application for credit Verifying your identity Making decisions about credit	Personal Information: Entering into and the performance of a contract Legitimate interest	To check the details you provide to verify your identity. To check your ability to afford the finance you are purchasing.	7 years
To prevent, detect and investigate fraud or money laundering Investigating suspicions of fraud and money laundering Prosecuting fraud	Personal Information: Legitimate interest Sensitive Information: Substantial public interest - preventing or detecting unlawful acts	To prevent fraud and money laundering.	Civil cases & criminal cases: 6 years.   Upon sentence 3 years after length of sentence.
For management information purposes and internal analysis of products and services Accounting and financial records, analysis and reporting Audit requirements Legal and professional advice Research into market trends and customer demographics Pricing and underwriting analysis System security and effective operation	Personal Information: Legitimate interest Sensitive Information: Substantial public interest - insurance	To monitor our business performance and maintain appropriate company records. To develop, manage and improve our products and services.	7 years after which personal data removed
For training purposes to improve your customer experience Assessing customer experiences Developing and improving our customer experience	Personal Information: Legitimate interest Sensitive Information: Substantial public interest - insurance	To improve the service we provide to customers.	Call recordings 3 years.

For all of our annual plans, we will contact you prior to your plan expiration date with details of whether we can provide you with another insurance plan and the price of the plan, if you choose to stay with us.

Some of our plans will automatically renew so that you have continuity of cover. This means you need to contact us advising that you do not wish to renew otherwise the plan will automatically renew. We will always make it clear in your renewal letter if this will happen and we will always give you enough time to notify us of the lapse of your plan.

Applying for a quote and holding an insurance plan with us: If you apply for a quote and/or take out an insurance plan with us, we will carry out checks with fraud prevention agencies and databases. This helps us to prevent and detect fraud and money laundering.

If we suspect fraudulent behaviour, we may not offer you insurance or we may void your plan.

We will keep a record of individuals and any associated investigations to prevent and detect future fraud or money laundering.

Making a claim: If you make a claim against one of our insurance plans, we will carry out checks with fraud prevention agencies and databases. This helps us to prevent and detect fraud and money laundering.

If we suspect fraudulent behaviour, we may not be able to accept your claim. We investigate potentially fraudulent claims and where appropriate, we will use surveillance to assist our investigation. We appoint fraud investigation and surveillance suppliers to conduct these investigations on our behalf. We also conduct searches with publicly available sources of information including internet searches and social media searches.

We will keep a record of individuals and any associated investigations to prevent and detect future fraud or money laundering.

Fraud agencies and databases: To prevent and detect fraud, we check your details against a range of databases and agencies including other insurers' databases. If false or inaccurate information is provided and fraud is identified, details will be passed to fraud prevention agencies, fraud databases and other insurers. Law enforcement agencies may access and use this information.

We access and use the information recorded by fraud prevention agencies or fraud databases to prevent fraud and money laundering. These checks are done to identify, predict, investigate and evaluate potentially fraudulent behaviour.

We use the following fraud prevention agencies and databases:

• CIFAS National Fraud Database
• CUE (Claims and Underwriting Exchange)
• IFB (Insurance Fraud Bureau)
• IFIG (Insurance Fraud Investigators Group)
• IFED (Insurance Fraud Enforcement Agency)
• IFR (Insurance Fraud Register)
• NFIB (National Fraud Intelligence Bureau)
• NCA (National Crime Agency)
• OFSI (Office of Financial Sanctions Implementation)
• LexisNexis
• Motor Insurance Database
• MIAFTR (Motor Insurance Anti-Fraud and Theft Register)
• DVLA (Driver and Vehicle Licensing Agency)

We will perform credit and identity checks on you with one or more credit reference agencies (CRAs) in the following circumstances:

• When you apply for an insurance quote with us;
• Prior to renewals on all existing planholders;
• When you apply for credit from us.

To do this, we will supply your personal information to CRAs and they will give us information about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply to us both public (including the electoral register) and shared credit, financial situation and financial history information and fraud prevention information.

We will use this information to:

• Assess your creditworthiness and whether you can afford to take the product;
• Verify the accuracy of the data you have provided to us;
• Prevent criminal activity, fraud and money laundering;
• Manage your account(s);
• Trace and recover debts; and
• Ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your settled accounts. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

When CRAs receive a search from us they will place a search footprint on your credit file that may be seen by other lenders.

If you are making a joint application, or tell us that you have a spouse or financial associate, we will link your records together, so you should make sure you discuss this with them, and share with them this information, before lodging the application. CRAs will also link your records together and these links will remain on your and their files until such time as you and your partner successfully files for a disassociation with the CRAs to break that link.

The identities of the CRAs, their role also as fraud prevention agencies, and the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail at www.transunion.co.uk/crain.

Some of our reasons for processing will involve automated decision making. These decisions are set out below. You have a right to obtain human intervention for any of our automated decisions. If you object to an automated decision, we may not be able to offer you an insurance quotation or renewal.

Offering an insurance plan and pricing: We ask you a series of questions when you obtain a quote for insurance from us. This is so we can understand the insurance risk that we are being asked to consider and make an underwriting assessment and decision. The information you provide along with other information helps us to decide whether we can offer you a quote and the price you will need to pay for insurance.

We use lots of factors to assess whether we can provide insurance cover, the price of your plan and any other terms of your plan. These factors include, but are not limited to, your age, your health/lifestyle, your geographical location, claims history, the past performance of the insurance product, etc.

Based on this information, an automated decision will be produced on acceptability of cover, the price you will need to pay for your plan and any other terms we need to apply.

Credit checks: When we carry out credit checks, an automated score is produced by the credit reference agency. We use this to assess the terms and price on which cover may be offered, verify your identity and prevent and detect fraud.

Driving score: When you participate in the Good Driving programme, we receive information on your driving behaviour and habits from our technology and analytics providers. We use your driving information to assess the terms on which cover may be offered and your driving habits may affect your premium.

In order to sell, manage and provide our products and services, prevent fraud and comply with legal and regulatory requirements, we may need to share your information with third parties, including:

Our re-insurers

Re-insurance is insurance that is purchased by an insurance company. It allows insurance companies to remain solvent after major claims events and is sometimes used for tax mitigation and other reasons.

We may need to share your personal health or medical data provided by you with our re-insurers in order for them to do the following:

• to analyse key demographic information;
• to analyse patterns of claims by customers and their claims experiences;
• to analyse the risk they are reinsuring and to set a price for the re-insurance with Vitality;
• to determine the validity of a claim; and
• to set approval limits for claims and underwriting.

Our auditors (for management information purposes) 

Vitality will only share your personal data with other companies or organisations where there is a legitimate reason for doing so. For example we are obligated to provide information to specific Government departments such as HM Revenue and Customs and to regulatory bodies who govern our activity such as:

• Information Commissioner’s Office (ICO)
• Financial Conduct Authority (FCA)
• Prudential Regulation Authority (PRA)
• Financial Ombudsman Service (FOS)

We may also share your personal data where we conduct further investigations with law enforcement and fraud prevention agencies and databases, our regulators (such as the FCA, PRA and ICO) as well as other insurers, to facilitate the prevention and detection of fraud or crime.

Fraud prevention agencies

Crime prevention agencies, including the police

Sharing your personal data with your authorised representative

If you have appointed an insurance or financial adviser, we may send them copies of correspondence relating to the plan and any renewal documentation. We may disclose information to them if you have made a claim although no medical information will be provided without your consent.

Please be sure to tell us if you authorise a new representative so that we are able to only send your personal data to the right representative so that we send your personal data to the right person.

Our use of other companies to provide our products and services to you

To assist us in the provision of administration, services or benefits for your plan and any claims you make, we use other companies who work under contracts with us. We ensure that the level of security and the quality of service provided by those other companies is equivalent to the standard of services we provide to you.

We need to advise you that as part of the application process we will share your data with credit reference agencies for security purposes. This check (known as a “soft search” or “quotation search”) will not affect your credit score or be visible to lenders.

Some of the companies who work under contracts with us are located in countries outside of the European Economic Area. Where this is the case we transfer your personal data to them on terms that are approved by the Information Commissioner. This is to ensure the appropriate security for your information, both in the transfer stage and when it is processed, and that your rights and confidentiality are protected in the same way as they would be if your personal data was processed in the UK.

Please click here to see the list of other companies who assist us in the provision of administration services.

Sharing your personal data with benefit providers

The Vitality group’s products are designed to enable you to accrue points related to your fitness and this in turn enables you to access a number of rewards and benefits. The exchange of your personal data, health and medical information will only occur with your consent and only with the benefit providers you choose to engage with.

The full list of benefit and reward providers can be found here.

Vitality Group

The Motor Insurers’ Bureau (MIB) is the Data Controller for the Claims Underwriting and Exchange Register (CUE) and the Motor Insurance Anti-Fraud and Theft Register (MIAFTR). For more information please visit www.mib.org.uk.

Information about your insurance plan will be added to the Motor Insurance Database (MID), managed by MIB. MIB process personal information about you, this information may include your personal details, goods and services, financial details, education and employment details. On occasion MIB may collect special category data such as records of any personal injury claims. The police, the Driver and Vehicle Licensing Agency (DVLA), the Driver and Vehicle Agency (DVA), the Insurance Fraud Bureau and certain other authorised organisations may use the MID and the information stored on it for purposes including:

• Electronic licensing;
• Continuous insurance enforcement (to reduce the number of people driving without insurance)
• Enforcing the law (preventing, detecting, cautioning or prosecuting offenders)
• Providing government services or other services aimed at reducing the number of uninsured drivers.

MIB’s legitimate interests in providing the CUE/MIAFTR data to the industry is detecting and preventing fraud. By preventing consumers from making multiple or illegitimate claims against insurance plans it will save the insurance industry a considerable sum of money. This in turn will reduce the cost of insurance premiums for the insurance industry, benefiting the wider consumer public.

The purpose of MIB processing your personal information is to provide access for the insurance industry to the MIAFTR database and facilitate access for the insurance industry to CUE; to enable underwriting decisions to be made by subscribers; validating claim information; verifying facts during a claim investigation; law enforcement to detect suspected cases of fraud; activities relating to the provision or administration of motor insurance plans; the provision of motor vehicle condition history checks (commonly known as "vehicle provenance checks") to trade and general public consumers; and to maintain MIB accounts and records and to promote MIB services and to support and manage MIB employees.

If you're involved in a road traffic accident (either in the United Kingdom, the European Economic Area or certain other territories), insurers and the MIB may search the MID for relevant information.

People (including citizens of other countries) making an insurance claim following a road traffic accident (and their appointed representatives) may also get relevant information which is held on the MID. You can find out more about this from us, or at www.mib.org.uk

Where you have consented we send you details of other products and services available within the Vitality Group.

We have detailed third parties that we share your information with in the 'How we share your information' section. Some of these third parties may be in countries outside of the European Economic Area (EEA).

Under data protection law, when personal information is being transferred outside the EEA, we as data controller, are under an obligation to ensure that such transfers are performed in a manner that ensures that your personal information is adequately protected.

In the event that we transfer your personal information outside of the EEA, we will always put in place adequate safeguards to ensure that your personal information is protected. Adequate safeguards may include placing contractual obligations on the third party that we are transferring your information to or ensuring that the third party is certified to the EU-US Privacy Shield Framework, if we are making transfers to third parties located in the United States.

There may be some circumstances where we will be required to transfer your information outside of the EEA and we will rely on it being necessary for the performance of your insurance contract. For example, claims made abroad where we need to instruct a local supplier so that we can handle your claim.

We only keep your information for as long as is necessary in line with the purposes for which we collected your information. We have set out our general retention periods below however in certain circumstances it will be necessary for us to keep your information for longer, for example when we are required to due to legal obligations or to defend or manage legal claims.

If you get a quote from us but do not take up the plan, we will keep your information for 4 years from the expiry date of the quote. This is to support customers returning in the near future and to prevent and detect fraud.

In most cases, we will keep your information for 7 years from the expiry date of the plan or from the settlement/closure of the claim, whichever is the latter. This is applicable if you get a quote from us and you buy the plan, if you have a plan with us, if you make a claim under one of our plans (including if you are a third party claimant) or if you are a witness to an event giving rise to a claim under one of our plans. This is so that we can administer the contract of insurance and handle claims made against the plan.

There are some exceptions to this, for example, we need to keep the information where there has been or is the potential (for example a minor was present at an accident) to have claims from minors and we will hold the data for 21 years and 4 months. This is so that we can handle potential future claims and meet our legal requirements.

If we suspect, detect or investigate fraud or money laundering, information will be held on a case by case basis for up to 7 years.

Data protection laws give you certain rights. For details of your data protection rights rights please click here.

The provision of this service is through our business partner Covea Insurance, who are a separate data controller. The Privacy Notice for Covea Insurance can be found at: coveainsurance.co.uk/dataprotection

We have appointed a Data Protection Officer who is responsible for overseeing how we handle your information. If you have any questions about our Privacy Policy or the information we hold about you, please contact them here.

In the first instance we would ask that you notify us of any concerns you have about how we handle your data but if you are still unhappy then you can contact the Information Commissioners Office here.

We reserve the right to update this Privacy Policy from time to time. Such changes may be necessary, for example, due to changes or developments in data protection laws, privacy best practice or the introduction of new technologies. You should check our website periodically to view the most up-to-date Privacy Policy. This Privacy Policy was last updated on 27 January 2021

Our Privacy Notice on how we will use your personal data in relation to your driving behaviour is under development and will be published in May 2021.