Privacy Notice

 The following terms and conditions (the "terms and conditions") are a legal agreement between the Member ("you") and Vitality Corporate Services Limited trading as VitalityHealth and VitalityLife ("we", "our", "us"), a company with a registered office at 3 More London Riverside, London SE1 2AQ and registered number 05933141.

These terms and conditions together with our privacy notice (See Clause 12 below) set out the terms on which you may make use of our Application (as defined below). Please read these terms and conditions and privacy notice carefully before you start to use our Application.

By downloading or using our Application, you agree that you accept these terms and conditions and that you agree to abide by them. If you do not agree to these terms and conditions, please refrain from using our Application.

1. DEFINITIONS AND INTERPRETATION
   In addition to the capitalised terms defined elsewhere in these terms and conditions, the following terms shall have the meanings set out below.
   
   1.1 “Active Rewards” means the weekly or monthly rewards earned as a result of you getting active or driving well in accordance with the requirements set out in full on the Member Zone.
   
   1.2 "Application" means the Application published by us for use on mobile telephones and smartphones, tablet computers, laptop computers and other devices through which you can review your benefits, generate your Active Rewards and track your Vitality points.
   
   1.3 "Intellectual Property Rights" means
                   (i) patents, pending patent applications, designs, trade-marks and trade names (whether registered or unregistered), copyright and related rights, database rights, knowhow and confidential information;
                   (ii) all other intellectual property rights and similar or equivalent rights anywhere in the world which currently exist or are recognised in the future; and
                   (iii) applications, extensions and renewals in relation to any such rights.
   
   1.4 “Member” means a customer of Vitality Corporate Services Limited who has the benefit of a VitalityHealth or VitalityLife Plan (including any named drivers on the Plan), or who is a beneficiary under a medical health scheme administered by VitalityHealth.
   
   1.5 “Member Zone” means the online portal https://member.vitality.co.uk/login through which you can review your Plan documents, benefits, understand your health, generate Active Rewards and track your Vitality points.
   
   1.6 “Plan” means a private medical insurance plan, protection plan or policy including a medical expenses trust administered by Vitality Corporate Services Limited.
   
   
2. TERMS AND CONDITIONS
   
   2.1 In consideration of you agreeing to abide by these terms and conditions we will provide the Application to you in accordance with these terms and conditions.
   
   2.2 You agree to comply with any third-party terms applicable to the downloading of our Application and in relation to the use of your device.
   
   
3. INFORMATION ABOUT US
   Our Application is operated by Vitality Corporate Services Limited, a company with a registered office at 3 More London Riverside, London SE 1 2AQ and registered number 05933141, with trading address at 5th Floor East, Eighty Strand London WC2R 0DT.
   
   
4. YOUR QUESTIONS
   If you have any questions on our Application, please email us using our secure web form which can be found at https://member.vitality.co.uk/Vitality/emailus
   
   
5. LICENCE
   
   5.1 Subject to these terms and conditions, we grant to you a non-exclusive, non-transferable, royalty free licence, without the right to grant sub licences, solely for your personal use and solely for the duration of this agreement between us to install one copy of the Application onto a single approved device as set out below. If you own more than one approved device, then you must download a separate copy of the Application to that device.
   
   
6. USING OUR APPLICATION
   
   6.1 By downloading our Application you warrant that:
   6.1.2 you will utilise the Application solely to review and utilise your benefits, generate your Active Rewards and track your Vitality points; 6.1.2 you are legally capable of entering into binding contracts;
   6.1.3 you are at least 18 years old; and
   6.1.4 you will abide by these terms and conditions in particular the prohibited uses at clause 9.
   
   
7. ACCESS TO OUR APPLICATION
   
   7.1 Access to our Application is permitted on a temporary basis, and we reserve the right to withdraw or amend the service we provide on our Application without notice (see below). We will not be liable if for any reason our Application is unavailable at any time or for any period.
   
   7.2 From time to time, we may restrict access to some parts of, or our entire Application.
   
   7.3 You are responsible for making all arrangements necessary for you to have access to our Application.
   
   7.4 You are responsible for controlling the access to and security settings of any device on which you install the Application.
   
   
8. HOW THE CONTRACT BETWEEN YOU AND US IS FORMED
   
   8.1 You enter into a contract with us in relation to your use of our Application when you download our Application onto your device. This contract is distinct to your rights and obligations under the terms and conditions set out in full on the Member Zone.
   
   
9. PROHIBITED USES OF APPLICATION
   
   9.1 You may use our Application only for lawful purposes. You may not use our Application:-
   9.1.1 in any way that breaches any applicable local, national or international law or regulation;
   9.1.2 in any way that is unlawful or fraudulent, or has any unlawful or fraudulent purpose or effect;
   9.1.3 for the purpose of harming or attempting to harm adults and/or minors in any way;
   9.1.4 to transmit, or procure the sending of, any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam);
   9.1.5 in any way which contravenes the virus and hacking provisions as set out in Clause 13.
   
   
10. INTELLECTUAL PROPERTY RIGHTS
    
    10.1 We are the owner or the licensee of all Intellectual Property Rights in our Application, and either own all Intellectual Property Rights in, or are licensed to publish, the material on it. Those works are protected by copyright laws and treaties around the world. All such rights are reserved. Nothing in these terms and conditions will be construed as conferring any licence of our Intellectual Property Rights except those licences expressly granted in these terms and conditions.
    
    10.2 Except as set out in this clause 10, you must not use, copy, store, download, sell, reproduce, redistribute, disclose, publish, rent, lease or lend the Application during or after the term of this agreement.
    
    10.3 You agree not to modify the Application, remove any copyright, trade mark or other Intellectual Property Rights from the Application or allow a third party to do so.
    
    10.4 You must not remove any copyright, trade mark or other Intellectual Property Rights legend from the Application.
    
    10.5 You agree not to make use of any of our trademarks or other Intellectual Property Rights in any manner unless we have given you express written permission to do so.
    
    10.6 You agree not to copy, duplicate, reverse engineer, reverse compile, disassemble, record or otherwise reproduce all or any part of the Application.
    
    10.7 You must not modify the paper or digital copies of any materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text.
    
    10.8 You must not use any part of our Application or materials on it for commercial purposes without obtaining a licence to do so from us and our licensors.
    
    10.9 If you print off, copy or download any part of our Application in breach of these terms and conditions, your right to use our Application will cease immediately and you must, at our option, return or destroy any copies of the materials you have made.
    
    
11. RELIANCE ON INFORMATION POSTED
    
    11.1 You can view your Vitality points statement in the Application.
    
    11.2 Commentary and other materials posted on our Application are not intended to amount to advice on which reliance should be placed. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any user of our Application, or by anyone who may be informed of any of its contents.
    
    
12. PRIVACY NOTICE
    This privacy notice is complementary to, and should be read and understood together with, the general terms and conditions.
    
    12.1 The General Principles of our Privacy Notice
    12.1.1 This privacy notice covers how we treat your personal information collected electronically when you use the Application, register or apply online for any of our products or services, or when you contact us electronically.
    12.1.2 We respects your privacy and your personal information and for this reason, we take care to protect your personal information and to keep it confidential.
    12.1.3 When dealing with your personal information we apply the following:
                    (a) We will only disclose, collate and process (“use”) your personal information with your express written permission unless we are legally required to do so;
                    (b) We will not use your personal information for any other purpose, other than that which we disclosed to you, unless you give us your express written        permission to do so, or unless we are permitted or required to do so by law
    12.1.4 By using the Application, registering or applying online for any of our products or services, or contacting us electronically, you confirm that we may share your and your dependants and/ or beneficiaries information within the Vitality Corporate Service Limited group of companies for administration and fraud prevention purposes or where required to provide Group wide services, benefits and infrastructure to assist you in your personal or professional capacity.
    
    12.2 What do we mean by Personal Information
    12.2.1 Personal information refers to information that identifies or relates specifically to you, for example, your name, age and identity number or any information you use to register for the website. Any information about your health and wellness interests, your lifestyle, your eating habits and nutrition, your exercise regime and all related information will also be regarded as personal information.
    
    12.3 How we collect your Personal Information
    12.3.1 Whenever you use the Application, complete an application form, contact us electronically, or use one of the products, services, facilities, tools or utilities offered by us on the Application, we will collect your personal information.
    
    12.4 Why we collect and use Personal Information
    12.4.1 In order to make your use of the Application and the products, services, facilities, tools or utilities offered on the Application as informative and successful as possible, it is necessary for us to find out exactly what you need and want. The following are some of the reasons (i.e. disclosed reasons) why we would collect your personal information:
                    (a) for us to process your instructions or requests; or
                    (b) for us to ensure that we meet your needs, we may collect and analyse your personal information and combine all the information that we have about you     for research and statistical purposes. We may also use your personal information to personalise and tailor our services to meet your needs; or
                    (c) once we have collected and analysed your personal information, we may send you promotional material or details which we think may be of interest to      you.
                    (d) to conduct market research;
                    (e) to conduct academic research which may be used to evaluate and improve our product offerings. You are advised that information may be shared with               third parties such as academics and researchers. All such information collected will be kept strictly confidential and all data will be depersonalized to the   extent possible and where appropriate. No personal information will be made available to a third party unless such third party has agreed to abide by strict    confidentiality protocols. If we publish the results of this research, you will not be identified by name.
    12.4.2 Your privacy is important to us and we will therefore not sell, rent or provide your personal information to unauthorised third parties for their independent use, without your consent. If at any stage after you have given us your consent you no longer wish us to use or share your personal information, you may at any stage withdraw your consent.
    12.4.3 You accept that we may store your personal information outside of the region or country that you may submit or use it in.
    
    12.5 Location data
    12.5.1 Once you have given the Application access to your location, we collect the latitude and longitude of your device/s as well as information relating to your movement. Your location can be determined using the following:
                    (a) GPS;
                    (b) IP address;
                    (c) Sensor data from your devices; and;
                    (d) Mobile phone towers and Bluetooth-enabled devices near your device.
    12.5.2 We use your location data for certain features on the Application such as emergency assistance, or measuring your driving to allocate rewards.
    12.5.3 If you would no longer like us to collect location data, you may adjust your device settings. This will have an impact on certain features on the Application, such as the ability to locate you in case of emergency.
    
    12.6. Google user data
    12.6.1 Once you have given the Application access to your Google user data, we collect your activity (steps) and heart rate data from the Google Fit app/s on your device/s.
    12.6.2 We use your Google user data to award you points and rewards.
    12.6.3 The Application's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
    12.6.4 If you would no longer like us to collect your Google user data, you may adjust your Google Fit app settings. This will have an impact on our ability to award you points and rewards.
    
    12.7 Protection of your Personal Information
    12.7.1 We value the information that you choose to provide and will take reasonable steps to protect your personal information from loss, misuse or unauthorised alteration. The information we have concerning our members is stored in databases that have built-in safeguards to ensure the privacy and confidentiality of that information.
    12.7.2 When you use the products, services, facilities, tools or utilities provided by us in Member Zone, you may be given an access number, username, password and/or personal identification number (PIN). You must always keep your user name, access card, password and/or PIN a secret and ensure that you do not disclose it to anyone.
    
    12.8Correction of Personal Information
    12.8.1 If you ever want to update or correct any of your personal information held by us, you can e-mail us or you can phone our contact centre.
    
    12.9 Personal Information held by or disclosed by you or us to a third party
    12.9.1 Because we are not responsible for any representations or information or warranties or content on any third party website (including third party websites linked to this website, websites facilitated by us or websites that serve as social networks like Facebook or Twitter), we don’t exercise control over the privacy policies of these third parties and you should refer to the privacy notice of these third parties to see how they protect your privacy.
    12.9.2 We may enter into arrangements with its partners or other third party suppliers which will require us to disclose your personal information to these third parties for the purpose of transferring data to us from a device(s) that measures bodily functions or fluids. You hereby consent to us disclosing your personal information to these third parties for this purpose and you also consent to receiving data about yourself from these third parties. If at any time after you have given us your consent you no longer wish to disclose your personal information to these third parties, you may at any time withdraw your consent.
    
    12.10 Cookies and Online advertising
    12.10.1 We uses cookies. We use the word “cookie” to refer to information that is sent from Member Zone to your hard drive, where it is saved. In this way, the next time you use the Site Member Zone, we will know who you are and that you have visited Member Zone before. We also collect information about how you use the website, your preferences and past browsing history.
    12.10.2 We engage third parties that help us deliver banner advertisements and other online communications. The third parties may collect and use information about our members to help us understand the offers, promotions, and types of advertising that are most appealing to our members. The personal information they collect is aggregated and cannot be linked to a person.
    12.10.3 Third party vendors, including Google and DoubleClick, show our ads on sites on the internet.
    12.10.4 Third party vendors, including Google and DoubleClick, use cookies to serve ads based on a user's prior visits to our website.
    12.10.5 Users may opt out of Google and DoubleClick's use of cookies by visiting the Google advertising opt-out page or by visiting the Network Advertising Initiative opt out page.
    
    12.11 Changes to this Privacy Notice
    12.11.1 We may amend this privacy notice from time to time. We will give you notice of any material changes within a reasonable time, however, we recommend that you familiarise yourself with this privacy notice regularly.
    12.11.2 The current version of this privacy notice will govern the respective rights and obligations between you and us each time that you access and use Member Zone
    
    12.12 Which laws apply to this Privacy Notice
    12.12.1 This privacy notice is governed by the laws of the United Kingdom, and you consent to the jurisdiction of the English courts in respect of any dispute which may arise out of or in connection with the formation, interpretation, substance or application of this privacy notice.
    
    
13. VIRUSES, HACKING AND OTHER OFFENCES
    
    13.1 You must not misuse our Application by knowingly introducing viruses, trojans, worms, logic bombs or other material which is malicious or technologically harmful.
    
    13.2 You must not attempt to gain unauthorised access to, interfere with, damage or disrupt our Application, the server, equipment or network on which our Application is stored, any software used in the provision of our Application or any server, computer or database connected to our Application. You must not attack our Application via a denial-of-service attack or a distributed denial of service attack.
    
    13.3 By breaching this clause 13, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities, and we will cooperate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use our Application will cease immediately.
    
    13.4 We will not be liable for any loss or damage caused by a distributed denial of service attack, viruses or other technologically harmful material that may infect your computer equipment, computer programs, data or other proprietary material due to your use of our Application or to your downloading of any material posted on it, or on any website linked to it.
    
    13.5 You must not reproduce duplicate, copy or re-sell any part of our Application in contravention of the provisions of these terms and conditions.
    
    
14. SUSPENSION AND TERMINATION
    
    14.1 We will determine, in our discretion, whether there has been a breach of these terms and conditions. When a breach of these terms and conditions has occurred, we may take such action as we deem appropriate including terminating this agreement. If this agreement is terminated for any reason you will delete our Application from your device and we have the right to block your access to the Application.
    
    14.2 Failure to comply with these terms and conditions constitutes a material breach of these terms and conditions upon which you are permitted to use our Application, and may result in our taking all or any of the following actions:-
    14.2.1 immediate, temporary or permanent withdrawal of your right to use our Application;
    14.2.2 immediate, temporary or permanent removal of any posting or material uploaded by you to our Application;
    14.2.3 issue of a warning to you;
    14.2.4 legal proceedings against you for reimbursement of all costs on an indemnity basis (including, but not limited to, reasonable administrative and legal costs) resulting from the breach;
    14.2.5 further legal action against you;
    14.2.6 disclosure of such information to law enforcement authorities as we reasonably feel is necessary.
    
    
15. OUR LIABILITY
    
    15.1 The Application is provided free of charge and therefore is provided to you on your own behalf without any guarantees, conditions or warranties as to its accuracy (whether express or implied). To the extent permitted by law, we, other members of our group of companies and third parties connected to us hereby expressly exclude liability for:-
    15.1.1 all conditions, warranties and other terms which might otherwise be implied by statute, common law or the law of equity;
    15.1.2 loss of profits;
    15.1.3 any direct, indirect or consequential loss or damage incurred by you in connection with our Application or in connection with the use, inability to use, or results of the use of our Application, any websites linked to it and any materials posted on it, including, without limitation any liability for:-
                    (a) loss of income or revenue (whether direct or indirect);
                    (b) loss of business (whether direct or indirect);
                    (c) loss of profits or contracts (whether direct or indirect);
                    (d) loss of anticipated savings (whether direct or indirect);
                    (e) loss of data (whether direct or indirect), except where we have materially breached any relevant data protection laws or regulations which apply to us;
                    (f) loss of goodwill (whether direct or indirect);
                    (g) wasted management or office time (whether direct or indirect); and
                    (h) for any other loss or damage of any kind, however arising and whether caused by tort (including negligence), breach of contract or otherwise, even if  foreseeable, provided that this condition shall not prevent claims for loss of, or damage to, your tangible property or any other claims for direct financial loss           that are not excluded by any of the categories set out above.
    
    15.2 This does not affect our liability for death or personal injury arising from our negligence, nor our liability for fraudulent misrepresentation or misrepresentation as to a fundamental matter, nor any other liability which cannot be excluded or limited under applicable law.
    
    15.3 Your sole right and remedy in the event of any defect in the Application or its operation, to the exclusion of all other remedies, will be to terminate the licences described in these terms and conditions and to delete the Application from your device.
    
    
16. OUR APPLICATION CHANGES REGULARLY
    We aim to update our Application regularly, and may change the content at any time. If the need arises, we may suspend access to our Application, or close it indefinitely. Any of the material on our Application may be out of date at any given time, and we are under no obligation to update such material.
    
    
17. OUR RIGHT TO VARY THESE TERMS AND CONDITIONS
    
    17.1 We may revise these terms and conditions at any time by amending this page. Please check this page from time to time which can be found on the Application login page. Material changes to these terms and conditions will be notified to you.
    
    17.2 You will be subject to the policies and terms and conditions in force at the time that you download our Application and then at the time that an Active Reward is generated, unless any change to those policies or terms and conditions is required to be made by law or governmental authority.
    
    
18. JURISDICTION AND APPLICABLE LAW
    
    18.1 The English courts will have exclusive jurisdiction over any claim or dispute arising from, or related to, the Application.
    
    18.2 These terms and conditions and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
    
    
19. ASSIGNMENT
    You may not sub-license, assign or transfer in any way any of your rights, liabilities and/or obligations under these terms and conditions on a temporary or permanent basis to any third party without our prior written consent.
    
    
20. SEVERABILITY
    If any provision of these terms and conditions (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions will remain unaffected and in force.
    
    
21. ENTIRE AGREEMENT
    
    21.1 These terms and conditions and any document expressly referred to in them constitute the whole agreement between us and supersede all previous discussions, correspondence, negotiations, previous arrangement, understanding or agreement between us relating to the subject matter of these terms and conditions.
    
    21.2 We each acknowledge that, in entering into these terms and conditions, neither of us relies on, or will have any remedies in respect of, any representation or warranty (whether made innocently or negligently) that is not set out in these terms and conditions or the documents referred to in them.
    
    21.3 Each of us agrees that our only liability in respect of those representations and warranties that are set out in these terms and conditions (whether made innocently or negligently) will be for breach of contract.
    
    21.4 Nothing in this clause limits or excludes any liability for fraud.

Thank you for using our Application.

Quote:

As a prospective customer you may request us to provide a quote for one or more of our products. We will assess your application for insurance, and if we can, the price and other teams we can offer. By submitting a quote, you acknowledged that we can contact you via phone, email or SMS regarding that quote. We will retain that information for 13 months.

If you do not take up the quote, we will contact you in 12 months to see if you are interested.

Renewal Dates:

Where applicable and with your agreement we will capture renewal dates to enable us to contact you a month before renewal to see if we can interest you in our products. We will retain that information for 13 months.

Telephone Calls:

If you contact us by telephone, we may record calls for training and monitoring purposes to help improve our service and to detect and prevent fraud and to establish facts in the event of a complaints.

We may also use speech/text analytics to understand why you are calling to help direct your enquiry to the most appropriate contact area and to ensure compliance with internal standards.

Assessing your application:

Assessing your application for insurance, and if we can, the price and other terms we can offer.

When assessing your application your age and health status are the most important factors in determining insurability and the amount you pay for insurance coverage.

Your health status may be assessed through a physical exam, a health and medical history questionnaire, or a combination of both.

We will retain for 13 months if not proceeded with or 36 months if complaint received if no other Vitality relationship exists.

Business Lead Generation:

To help grow its business, Vitality engages third parties who provide telemarketing, lead generation, appointment setting and access to marketing databases. Use of such services involves the sharing of personal data. Vitality endeavours to only work with third parties who act with integrity and respect the privacy and security of personal data. Such contact is normally generated to you as the representative of your company not as an individual.

Back-Up purposes:

We retain a copy of all data to ensure that the information can be recovered in the event of a primary data failure. Primary data failures can be the result of hardware or software failure, data corruption, or a human-caused event, such as a malicious attack (virus or malware), or accidental deletion of data.

The back-up data is not readily accessible to staff but held in isolation with additional controls. Retention: 5 years

Vitality is a UK-based company offering Life, Health, and general insurance to the UK market. We use a customer relationship system to provide great service, which means we keep your personal data to track your history with us. We collect your information when you:

• Get a quote
• Join a plan or workplace programme
• Take part in an event or competition
• Are named as a beneficiary
• Work with us as a supplier, partner, or advisor

Members

When you join Vitality, whether through insurance, investment, or a workplace programme, we use your personal data (like your name, contact info, and payment details) for various purposes:

Quotes & Renewals

• We personalise quotes for existing Members and may contact you by phone, email, or SMS.
• With your permission, we’ll note your renewal dates and get in touch a month before.

Phone Calls

• Calls may be recorded for training, service improvement, fraud prevention, and complaint handling.
• We use speech/text analysis to direct your call and ensure quality.

Insurance Applications

• We assess your age and health to decide coverage and pricing.
• Health checks may involve exams or questionnaires.

Identity Verification

• We securely verify your identity before discussing your plan or making changes, using details like your account number and date of birth.

Data Retention & Credit Checks

• We may run credit checks to assess affordability and verify identity.

Plan Management

• We manage your plan, payments, renewals, cancellations, and investments.

Regulatory Reporting

• We report to regulators and HMRC to meet legal and tax obligations.

Claims Handling

• We register and assess claims, process payments, and manage reinsurance.
• For workplace plans, only summary data is shared with your employer.

Complaints

• We log and resolve complaints and may share details with third parties if needed.

Debt Recovery

• We use your data to recover unpaid debts or damages.

Fraud Prevention

• We investigate fraud and money laundering, including undisclosed health conditions.

Internal Analysis

• We use data for audits, financial reporting, market research, and product development.
• We may profile Members using anonymised data to improve services and communication.

Training

• We review customer interactions to train staff and improve service.

Apps & Tools

• The Vitality App helps you access your Member Zone securely.
• The Age Calculator gives health insights but doesn’t affect your legal rights.

Marketing

• With your consent, we’ll contact you about other products.
• You can manage preferences or opt out anytime, but we’ll still send updates about your existing plan.

Third Parties

• We work with trusted partners to support services and rewards. You can view the full list online.

Surveys & Research

• We may invite you to take part in surveys or research—with your consent.
• Research may use anonymised data to improve products and understand health trends.

Between The Client; and Vitality Health Limited, the respective supplier engaged by the Client on the basis of the terms and condition of Service.

Both parties are Independent Data Controllers of the Shared Personal Data.

Vitality also receives personal and/or special category data of Employees and/or their Dependents directly from those Employees and/or their Dependents. This personal data and/or special category data is not Shared Personal Data. As such, this data falls outside of this Agreement and is governed by Vitality’s own Privacy Notice.

1. Interpretation

The following definitions and rules of interpretation apply in these terms and conditions (the “Agreement”).

1.1 Definitions

For the purposes of these this Agreement:

“Agreed Purposes” means the setting up, management and administration of private medical insurance pursuant to the Client’s Plan to the Client’s Employees and Employee Dependents;

“Client” shall mean the party which discloses Shared Personal Data to Vitality;

“Data Controller” means any party insofar as they are acting as a controller within the meaning of applied GDPR Art 4.7;

“Data Discloser” means the Client who agrees to share the Shared Personal Data with the Data Receiver;

“Data Receiver” means Vitality who agrees to use the Personal Data on the terms set out in this Agreement;

“Dependent” mean the husband, wife, partner or any dependent child of an Employee where added to the Plan by the Group Secretary;

“Employee” shall mean each individual with the benefit of private medical insurance cover under the Plan. “Personal data”, “Special Categories of data/Sensitive Data”,

“Group Secretary” means the person in control of the Client’s Plan;

“Plan” means the private medical insurance scheme underwritten by Vitality;

“Process/processing”, “Controller”, “Processor”, “Data Subject” and

“Supervisory Authority” shall have the same meaning as in the UK Data Protection Act 2018. For the purposes of this Agreement references to a “data subject” shall mean the Client’s Employees/Employee Dependents;

“Shared Personal Data” means the personal data to be shared between the parties, as further outlined at clause 2.4;

“UK Data Protection Laws”, all applicable data protection and privacy laws in force from time to time in the UK, including the UK General Data Protection Regulation, the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

2. Purpose

2.1 This Agreement sets out the framework for the sharing of Shared Personal Data between the parties as independent Data Controllers.

2.2 The parties consider this data sharing initiative necessary as part of the provision of private medical insurance. The aim of the data sharing initiative is to make it easier for the Clients Employees and/or Dependents to get healthier and reward them when they do. It will serve to benefit the Client, Employees and/or Dependents of the Client’s Plan.

2.3 Each party acknowledges and agrees that:
   a. the Client will regularly disclose to Vitality the Shared Personal Data collected by the Client for the Agreed Purposes;
   b. Vitality provides private medical insurance directly to each of the Client’s individual Employees and any Employee Dependants who qualify for cover under the Client’s Plan. Accordingly Vitality determines the ways and means of its processing of the Shared Personal Data and does not act on the instructions of the Client in relation to the processing of the Shared Personal Data.

2.4 The following types of Shared Personal Data will be shared between the parties during the term of this agreement:
   a. Name
   b. Date of Birth
   c. Designation
   d. Email contact details
   e. Address
   f. Telephone number
Special categories of Personal Data will not be shared between the parties.

3. Lawful, fair and transparent processing

3.1 Each party shall ensure that it processes the Shared Personal Data fairly and lawfully in accordance with clause 3.2.

3.2 Each party shall ensure that it has legitimate grounds under the Data Protection Laws for the processing of Shared Personal Data.

3.3 The Data Discloser shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the data subjects, in accordance with the Data Protection laws, of the purposes for which it will process their personal data, the legal basis for such purposes and such other information as is required by Article 13 of the applied GDPR including:

   a. if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable     the data subject to understand the purpose and risks of such transfer; and

   b. if Shared Personal Data will be transferred outside the EEA pursuant to clause 0 of this Agreement, that fact and sufficient information about such transfer,       the purpose of such transfer and the safeguards put in place by the controller to enable the data subject to understand the purpose and risks of such transfer.]

3.4 The Data Receiver undertakes to inform the Data Subjects, in accordance with the Data Protection laws, of the purposes for which it will process their personal data, the legal basis for such purposes and such other information as is required by Article 14 of the applied GDPR including:

   a. if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable     the data subject to understand the purpose and risks of such transfer; and

   b. if Shared Personal Data will be transferred outside the EEA pursuant to clause 0 of this Agreement, that fact and sufficient information about such transfer,       the purpose of such transfer and the safeguards put in place by the controller to enable the data subject to understand the purpose and risks of such transfer.

4. Rights of Data Subjects

4.1 Each party agrees to have processes in place to comply with requests from Data Subjects to exercise their rights under the Data Protection Laws within the time limits imposed by the Data Protection Laws.

5. Data Retention and Deletion

5.1 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.

5.2 Notwithstanding clause 5.1, the parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and / or industry.

5.3 The Data Receiver shall ensure that any Shared Personal Data are destroyed in accordance with its deletion procedure in the following circumstances:
   a. on termination of this Agreement;
   b. on expiry of the Term of this Agreement;
   c. once processing of the Shared Personal Data is no longer necessary for the
purposes it was originally shared for.

6. Transfers

6.1 For the purposes of this clause, transfers of personal data shall mean any sharing of Shared Personal Data by the Data Receiver with a third party, and shall include, but is not limited to, the following:
   a. subcontracting the processing of Shared Personal Data;
   b. granting a third party controller access to the Shared Personal Data.

6.2 If the Data Receiver appoints a third party processor to process the Shared
Personal Data it shall comply with Article 28 and Article 30 of the applied GDPR.

6.3 The Data Receiver may not transfer Shared Personal Data to a third party located outside the
EEA unless it:
   a. complies with the provisions of Articles 26 of the applied GDPR (in the event the third party is a joint controller); and
   b. ensures that:
      i. the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the applied GDPR;
      ii. there are appropriate safeguards in place pursuant to Article 46 of the applied GDPR;
      or
      iii. one of the derogations for specific situations in Article 49 of the applied GDPR applies to the transfer.

6.4 The Data Receiver is part of the Discovery Group of companies and is owned by
Discovery Limited, a financial services firm based in South Africa. As part of this relationship, Discovery undertake a number of business processes on behalf of the Data Receiver. Such processes include underwriting and claims administration services. The delivery of such services requires the Data Receiver to share data relating to its customers with Discovery and is undertaken in accordance with Article 46 of the applied GDPR.

7. Security and training

7.1 The parties undertake to have in place appropriate technical and organisational security measures to:
   a)   prevent:
      i. unauthorised or unlawful processing of the Shared Personal Data; and
      ii. the accidental loss or destruction of, or damage to, the Shared Personal Data;
   b)   ensure a level of security appropriate to:
      i. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
      ii. the nature of the Shared Personal Data to be protected.

7.2 It is the responsibility of each party to ensure that
   i) its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security of that party together with any other applicable national data protection laws and guidance and
   ii) have entered into confidentiality agreements relating to the processing of personal data.

8. Personal data Breaches and reporting procedures.

8.1 The parties shall each comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) data subjects in accordance with Article 33 of the applied GDPR.

8.2 Where appropriate Vitality will provide all reasonable information to the Client to enable them to manage their employee expectations, and will aim to do so within 72 hours, to ensure that any actions do not prejudice any internal investigations or those by the police/Regulator.

9. Resolution of disputes with data subjects or the Supervisory Authority.

9.1 In the event of a dispute or claim brought by a data subject or the Supervisory Authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, where appropriate, and will cooperate with a view to settling them amicably in a timely fashion.

9.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or
other dispute resolution proceedings developed for data protection disputes.

9.3 Each party shall abide by a decision of a competent court of the Data Receiver's country  of establishment or of the Supervisory Authority.

10. Warranties

10.1 Each party warrants and undertakes that it will:
   a. Process the Shared Personal Data in compliance with all applicable laws,
enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations.
   b. Make available on request to the data subjects who are third party beneficiaries a copy of this Agreement, unless the Agreement contains confidential information.
   c. Respond within a reasonable time and as far as reasonably possible to enquiries from the relevant Supervisory Authority in relation to the Shared Personal Data.
   d. Respond to Subject Access Requests in accordance with the Data Protection Law.
   e. Where applicable, pay the appropriate fees with all relevant Supervisory Authorities to process all Shared Personal Data for the Agreed Purpose.
   f. Take all appropriate steps to ensure compliance with the security measures set out in clause 0 above.

10.2 The Data Discloser warrants and undertakes that it is entitled to provide the Shared Personal Data to the Data Receiver and it will ensure that the Shared Personal Data are accurate.

10.3 The Data Receiver warrants and undertakes that it will not disclose or transfer Shared Personal Data outside the EEA unless it complies with the obligations set out in clause 6.

10.4 Except as expressly stated in this Agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the extent permitted by law.

11. Indemnity

11.1 The Data Discloser and Data Receiver undertake to indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of this Agreement, except to the extent that any such liability is excluded under clause 12.2.

11.2 Indemnification hereunder is contingent upon:
   a. The party(ies) to be indemnified (the “indemnified party(ies)”) promptly notifying the
other party(ies) (the “indemnifying party(ies)”) of a claim,
   b. the indemnifying party(ies) having sole control of the defence and settlement of any such claim, and
   c. the indemnified party(ies) providing reasonable co-operation and assistance to the indemnifying party(ies) in defence of such claim.

12. Limitation of liability

12.1 Neither party excludes or limits liability to the other party for:    
   a. fraud or fraudulent misrepresentation;
   b. death or personal injury caused by negligence;
   c. a breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or
   d. any matter for which it would be unlawful for the parties to exclude liability.

12.2 Subject to clause 12.1 neither party shall in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), and misrepresentation (whether innocent or negligent), restitution or otherwise, for:
   a. any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
   b. loss (whether direct or indirect) of anticipated savings or wasted expenditure
(including management time); or
   c. any loss or liability (whether direct or indirect) under or in relation to any other contract.

12.3 Clause 12.2 shall not prevent claims, for:
   a. direct financial loss that are not excluded under any of the categories set out in clause 12.2 (a); or
   b. tangible property or physical damage.

13. Third party rights

13.1 Except as expressly provided in clause 4 (data subjects rights) a person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.

13.2 The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under this Agreement are not subject to the consent of any other person.

14. Direct marketing

14.2 If the Data Receiver processes the Shared Personal Data for the purposes of direct marketing, each party shall ensure that:
   a. the appropriate level consent has been obtained from the relevant data subjects to allow the Shared Personal Data to be used for the purposes of direct marketing in compliance with the Data Protection Law; and
   b. effective procedures are in place to allow the data subject to "opt-out" from having their Shared Personal Data used for such direct marketing purposes.

15. Variation

15.1 No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

16. Waiver

16.1 No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

17. Severance

17.1 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.

17.2 If any provision or part-provision of this agreement is deemed deleted under clause 17.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

18. Changes to the applicable law

18.1 If during the duration of this Agreement the Data Protection Law changes in a way that this Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the parties agree that the parties will negotiate in good faith to review the Agreement in the light of the new laws.

19. No partnership or agency

19.1 Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.

19.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.

20. Entire agreement

20.1 This Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

20.2 Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.

20.3 Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misrepresentation based on any statement in this Agreement.

21 Further assurance

21.1 At its own expense, each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement.

When you apply for a role, we collect your personal data through your account, login, and application details. We use this information to manage your application and support our equal opportunities policies.

Vitality receives your application and personal data either directly or via our online Applicant Tracking System – Eploy 
Eploy Privacy Statement - Eploy ATS.

By submitting your application, you agree to us using your data for these purposes.

• Recruitment Assessments and Data Sharing:
  As part of our hiring process, some roles may require assessments provided by trusted third-party specialists. By applying, you agree that we may share essential details, such as your name, date of birth, email, and phone number, with these providers.

Some of these providers may be based outside the UK and EEA. Where this applies, we ensure your personal data is transferred securely and in line with legal requirements, so your privacy and rights remain protected.

• Decisions: We follow our Recruitment Framework and don’t make automated decisions about your suitability, though some assessments may use automated tools.
• Data Retention:
• If you're hired, your application becomes part of your employment record.
• If not, we keep your application for at least 13 months then securely delete it.
• Some records must be kept longer due to legal or business requirements.
• Privacy: We receive your data directly or through our recruitment system provider. It won’t be shared with other organisations during the process.
• Your Responsibility: Make sure your information is accurate and let us know of any changes. You can manage or delete your application anytime through the application gateway link we’ll email you.

Cookies
Cookies are small files stored on your computer by websites to remember your preferences and make browsing easier. They can stay on your device after you leave the site, but you can delete or manage them through your browser settings.

Most browsers accept cookies by default, but you can change this anytime. Check your browser’s Help section to learn how. For more about cookies, visit the Information Commissioner’s Office website.

For more information on our Cookie policy please see https://www.vitality.co.uk/accessibility/cookies/ 

Other websites, web applications and third-party service providers
Our website may include links to third-party sites or apps, which have their own privacy policies and terms. While we try to work with trusted partners who follow data protection laws, we’re not responsible for how these third parties handle your data or for any issues that may arise from using their services.

When you book a service or sign up for a benefit, your personal data is managed by that provider for their own purposes. You can view the list of companies we work with by clicking the link provided.

Please click here to see the list of other companies who assist us in the provision of administration services, partners, and rewards.

Google Analytics
We use Google Analytics to understand how people use our website. It helps us see things like how many visitors we get, which pages are viewed, and where visitors came from. This info is anonymous and used to improve the site and your experience—it doesn’t identify you personally.

Personalised advertising
When you browse Vitality’s website, you might see personalised ads on other trusted websites or social media platforms. These ads are based on what you viewed on our site and are shown through companies like Google, Facebook, and LinkedIn using cookies.

These companies use general, non-personal info—like your IP address, browser type, and pages visited—but not your name, contact details, or payment info. You can opt out by visiting their privacy pages or clicking the corner of any ad and following the instructions.

User Accounts
We collect your information when you create an account and use our services, like accessing your membership, browsing online, or applying for a job. We keep this data only as long as needed, following our legal and business rules.

When it’s no longer required, we delete it securely. Some records may need to be kept longer due to legal or operational reasons. For more details, check the relevant sections of our Privacy Notice.

Surveys
We sometimes run surveys to help improve our website and services. Cookies are used to hide the survey when you return, so you don’t see it again unnecessarily. They also track how many people answered the survey and link results to website stats—but they don’t store any personal information.

Contacting Vitality
When you contact us through the website, send feedback, or fill out an enquiry form, we collect your name and contact details to respond and take any necessary action. We do this as part of our legitimate interest.

We don’t share this information with outside organisations. Your data is kept according to our retention schedule, then anonymised once it’s no longer needed. Some records may be kept longer due to legal or business requirements, but all personal data is securely deleted when no longer required.

Links to non-Vitality websites
Vitality accepts no responsibility or liability for content on third party websites. Users clicking on links to external sites should check the Terms and Conditions and Privacy Policy of the site they are visiting.

Brokers and Advisors
Before we discuss a Member’s plan or carry out a request, we’ll confirm your identity to make sure you’re authorised to act on their behalf. This secure ID check is available through phone, chat, web, and mobile.

Telephone Calls:
If you call us, we may record the conversation to improve our service, train staff, prevent fraud, and handle complaints. We may also use speech or text analysis to understand your reason for calling and direct you to the right team.

Vitality Academy/Training Service
If you sign up for Vitality Academy or other training services, we’ll use your data to track your activity and recommend relevant content. We may also let you know when new content is available.

Your data may be shared with your account manager or business consultant to support your learning and improve the platform. We may also share your course activity with your firm or network.

You will still be able to access the service, up to 6 years, if you move to another financial adviser firm

Competitions
Vitality sometimes runs competitions and collects your personal data when you enter, either directly or through a trusted third party. We use this data to manage your entry, share results, and arrange prize delivery.

If you win, we may need to process financial details to issue your prize. This information is kept for 6 years after the financial year ends.

To meet legal requirements, we may publish or share the winner’s name and entry to confirm the prize was awarded fairly. We also keep your name, contact details, and date of birth for future entry checks and statistics, following our retention rules.

When your data is no longer needed, we delete it securely. Some records may be kept longer due to legal or business reasons.

CCTV
Vitality may use CCTV in certain buildings to help protect visitors and staff. Not all locations have CCTV, as some are managed by the landlord. If a security incident occurs, footage—possibly including your image, may be shared with police or local authorities when legally required.

CCTV footage is deleted according to the building owner's retention policy, unless needed for an official investigation.

Some onsite services, like catering, cleaning, and security, are run by third-party providers. These providers follow their own privacy policies, not Vitality’s. While we aim to work with trusted partners who follow data protection laws, Vitality isn’t responsible for how these third parties handle your information or for any issues that arise from using their services.

We use software with artificial intelligence (AI), including machine learning, to help automate tasks, analyse data, and spot patterns. This improves efficiency and accuracy in areas like managing workloads, directing enquiries, and enhancing customer experience.

These tools support our teams and are checked manually to make sure they work correctly. We use them to:

• Route enquiries to the right team
• Manage staff workloads
• Improve customer service and website performance
• Detect fraud or misrepresentation
• Develop better products and services
• Support financial planning and reporting

We use AI to improve our services—not to make important decisions about you. Wherever possible, we avoid using personal data in these processes.

Use of Chatbots and Virtual Assistants

To enhance your experience and improve service efficiency, we may use chatbots and virtual assistants on our website, mobile apps, and customer service platforms. These tools may be either rule-based (responding to specific keywords or prompts) or AI-powered (using machine learning and natural language processing to understand and respond to your queries more dynamically).

What Information Is Collected

When you interact with our chatbots, we may collect:

• Your name and contact details (if provided)
• Policy or claim information

• Chat transcripts and usage data
• Technical data such as device type, browser, and IP address

Why We Use Chatbots

Our chatbots help:

• Answer frequently asked questions
• Guide you through policy options or claims processes
• Provide support outside of normal business hours
• Improve our services through usage analytics

How Your Data Is Used

Any personal data shared through chatbot interactions is processed in accordance with this Privacy Notice. We use this data to:

• Respond to your queries
• Improve chatbot performance and accuracy
• Ensure compliance with regulatory obligations

Automated Decision-Making

Some chatbot interactions may involve automated decision-making, such as eligibility checks or quote generation. You have the right to request human intervention or contest decisions made solely by automated means.

Your Rights

You retain all rights under applicable data protection laws, including the right to access, correct, or delete your personal data. For more information, please refer to the “Your Rights” section of this notice.

Freedom of Information Act enquiries
Vitality is not a public authority, so the Freedom of Information Act doesn’t apply. This means we’re unable to respond to requests made under that Act.

To exercise any of your rights please complete this form and we will respond as soon as possible.

Administering your Request under these Rights
We keep a record of any request you make about your data rights, like when it was received, clarified, and answered, to meet deadlines and show regulators we’ve handled it properly. Even if you ask for your data to be erased, some details may be kept for this purpose.

We respond to most requests within one month, except for objections to processing, which are handled within 21 days.

Using Portals
Some companies offer tools to help you manage your personal data, like making access, erasure, or correction requests. While these tools are easy to use and can contact many organisations at once, they often don’t give us enough information to identify you. Because of this, we may have to decline your request.

It’s better to contact us directly using the details provided for each type of request. To help us process your request, please include at least:

• If you're a Member or Ex-Member: your name, address, Membership/Entity number, and email address. Using contact details different from those we have on record may cause delays.
• If you're not a Member: your name, address, any unique reference number, and your relationship to us (e.g., quote, job applicant).

Right to be informed
You have the right to know how your personal data is collected and used. This Privacy Notice explains what Vitality does with your data, how long we keep it, and who we share it with. You can request this information, but it’s already included here.

Your right of access (Making a Data Subject Access Request)

• You
  When you ask for details about how we use your personal data or request a copy of it, this is called a Data Subject Access Request (DSAR). We use the information you provide, like your name and contact details, to record and respond to your request. If you use different contact details than those we have on file, we may ask for extra information to confirm your identity. This is part of our legal duty under data protection laws.
• We don’t share your DSAR information with outside organisations, except when required by regulators like the Financial Ombudsman Service or the Information Commissioner’s Office.
• We keep DSAR records for 2 years, or 3 years if linked to a complaint. Some anonymised data may be kept permanently for statistics. Once your personal data is no longer needed, we delete it securely, though some records may be kept longer due to legal or business requirements.
• Written responses will be in a standard format. Audio recordings are provided as audio files. Machine-readable formats are only used for data portability requests.

Requests of behalf of Children: 
Children have their own data protection rights, even if they’re too young to fully understand them. From age 13, they’re usually mature enough to give consent and make decisions about their data.

They can choose someone, like a parent or another adult, to act on their behalf, but we must make sure that this consent is freely given and in the child’s best interests.

Requests for personal information of a Deceased: 
Data protection laws don’t apply after someone has passed away. However, we understand how sensitive this can be, and we continue to treat their information with care and respect.

Unless the person clearly stated who could access their medical or health records, we’re unable to share that information—even with family members, next of kin, or plan beneficiaries. If you're seeking access to medical records, this must be requested through their GP, not Vitality.

As a beneficiary, you may still be entitled to some details about the plan or a claim decision, but not the person’s health information.

For help, you can email the privacy office. See contact details. Please also refer to the sections on Children and Deceased Persons for more guidance.

Right to Rectification.  
It’s important that your personal information is accurate, so please let us know if anything changes.

If you think we have incorrect or outdated details, you can ask us to update them. You’re welcome to write to us, but the fastest way is to call our usual phone line and ask an adviser to make the changes.

Right of erasure
You have the right to ask us to delete your personal data, but this isn’t always possible. We may need to keep it for legal or regulatory reasons, such as rules set by the Financial Conduct Authority. Here’s a simple guide to when deletion may apply:

• Quotes: If you requested a quote and have no other connection with Vitality, we can usually delete your data.
• Applications: If you didn’t go beyond the application stage, we may delete your data. But if your application led to a plan, we must keep it for 7 years after the plan ends. In some cases, like suspected fraud, we may keep it longer.
• Plan Holders/Dependents: If you’re a current or former Member, we must keep your data for the life of the plan or 7 years after it ends.
• Complaints: If you’ve made a complaint, we keep that data for 3 years after the complaint is closed.

Right to restrict processing
You can request that we limit how we use your personal data, but this only applies in specific situations, like if there’s a concern about the accuracy of the data or how it’s been used.

We’ll still keep your data while we look into the issue, but it may pause certain actions, such as processing a claim, until it’s resolved.

Right to data portability
You have the right to get and reuse your personal data in a format that works across different services, like CSV, XML, or JSON. This is called the Right to Data Portability.

It only applies to certain data, specifically, information you've given us under consent or a contract, and that’s processed automatically. Usually, this means your contact details and any fitness data from your devices.

It doesn’t include things like claims, health records, or points data. Written disclosures will be in a standard format, and call recordings are provided as audio files. Machine-readable formats are only used for data portability requests.

Right to object.
You have the full right to stop your data from being used for direct marketing.

If you're a current Vitality Member, you can update your marketing preferences in the Member Zone under "Manage My Preferences," or ask an advisor to do it for you. Changes may take up to a week, and some materials already in progress, like the magazine, might still be sent.

If you're a former member, your account is closed, please complete this form and we will respond as soon as possible.

Rights in relation to automated decision making and profiling
This right applies only to decisions made entirely by automated systems that have a legal or major impact on you, like offering insurance cover online, credit checks, or recruitment tests using set algorithms.

If this happens, you have the right to ask for a human to review the decision.

Not all automated decisions have a big impact. For example, tools like our age calculator or health prediction models don’t fall under this right.