Privacy Notice
Vitality Privacy Notice
We care about keeping your personal information safe.
This notice explains what information we collect about you, how we use it, and the choices you have.
We only use your information where necessary and in line with the law.
If you have any questions or would like more information, please contact us using the details below.
Contents
Our contact details
If you have a question about our Privacy Notice or the information, we hold about you then please contact:
Name: The Head of Data Protection.
Address: Privacy Office, Vitality, 5th Floor East, Eighty Strand, London WC2R 0DT
Changes to this Privacy Notice
This notice applies to all UK Vitality companies.
We may update it from time to time. Please check this page when you share your information with us so you can see the latest version.
Last updated: 30 June 2026
Who we are
We are part of the Vitality Group, owned by Discovery Limited, a financial services firm based in South Africa. We are based in the United Kingdom and to find out more about who the Vitality Group is, and to see the most up to date information go to www.vitality.co.uk/legal.
We provide insurance and related services.
Vitality will only use your personal information in line with this Privacy Notice, our internal data protection policies, and applicable data protection laws (including the UK GDPR and Data Protection Act 2018).
Our UK registration numbers are:
- Vitality Corporate Services Z105153X
- Vitality Health Limited Z8752490
- Vitality Life Limited ZA110112
- Vitality Healthy Workplace Limited ZA455278
Why we use your information
We must have a valid reason (legal basis) to use your information.
To provide your plan or service (contract)
- Setting up your plan
- Managing your account
- Handling claims
Job applications (contract, contract, legal obligations)
If you apply for a job, we use your information to:
- Review your application
- Manage recruitment
- Support fair and equal treatment
Business contacts
If you are a broker or adviser, we use your information to manage our relationship with you.
Legal and regulatory requirements (legal obligation)
For example:
- Tax reporting
- Fraud prevention
Our business needs (legitimate Interest/ public interest)
We may use your information to:
- Improve our services
- Prevent fraud
- Provide customer support
We only do this where it does not unfairly affect your rights.
Your consent
Where we rely on your consent, for example:
- Marketing
- Sharing information with certain partners
- Obtain medical information
You may opt to withdraw your consent at any time.
Emergency situations (vital interest)
We may use your information to protect someone in an emergency.
Using health information (contract)
We use health information where needed to provide insurance.
This is done under strict safeguards.
What information we collect
Depending upon your relationship with Vitality we will collect:
- Name and contact details
- Date of Birth
- Occupation
- Gender (Birth/Recognised)
- Medical and health data
- Claims information
- Payment details
- Payment transactions
- Information about what you are insuring provided by you, directly or via the company who sold you the plan.
- Information about your plan
- Information provided by brokers or advisors
- Names and contact details of brokers or advisors
- Broker & Advisors course enrolment details
- Job Applicants:
• Identification and contact details
• CV, employment history, qualifications
• Application responses and interview notes
• Assessment results
• Any information you choose to provide
Further information about our Privacy Notice
Managing your plan
We use your information to manage your plan.
This includes:
- Process Payments
- Manage renewals
- Make changes to your plan including cancellations
If you make a payment to us, we may retain your bank details to process refunds and help prevent fraud.
Quotes and applications
We use your information to:
- Provide quotes
- Assess applications
- Decide cover and price
We may also:
- Carry out credit checks
- Ask for health information
Claims
We use your information to assess and manage claims.
This includes:
- Assessing claims
- Making payments
- Working with trusted partners
For workplace plans, we only share summary information with employers.
We do not share personal or health information without your consent.
Communicating with you
Phone calls
We may record calls to:
- Improve our service
- Train our staff
- Prevent fraud
- Handle complaints
Contacting you
We may contact you by phone, email to text about:
- Your plan
- Your quote or renewal
- Your enquiries
Marketing
You can choose whether to receive direct marketing and change your preferences at any time.
We will still send you our newsletter, partner promotions etc if you have consented to these. These are separate consents to direct marketing.
We will still send important service updates, including changes to accessible partners on your plan.
Preventing fraud and keeping things secure
We use your information to:
- Confirm your identity
- Prevent and investigate fraud
- Protect your account
We may check your details with fraud prevention agencies.
Improving our services
We use your information to:
- Improve our services
- Develop new products
Where possible, we use information that does not identify you.
Surveys and research
We may invite you to take part in surveys or research.
- This is your choice
- We may use non-identifiable information
Survey may be carried out by our contracted third-party providers.
Legal and regulatory reasons
We may use or share your information when required to meet legal obligations or to defend our position.
Debt recovery
If money is owed to us, we may use your information to recover it.
Artificial intelligence
We may use AI to help us:
- Handle tasks
- Analyse data
- Improve services
This helps us:
- Respond faster
- Improve customer experience
- Detect fraud
- Develop new services
These tools support our staff and are subject to meaningful human oversight.
We do not rely solely on AI to make decisions that significantly affect you.
Automated decisions
We may use automated tools or artificial intelligence to generate insights or indicators, such as your “Vitality Age”.
These outputs are intended to provide general guidance and do not have a legal or similarly significant effect on you. They do not directly determine your cover, pricing, or claims outcomes.
Where automated processing is used to support decisions that may significantly affect you, appropriate safeguards, including the opportunity for human review, will apply.
Chatbots and virtual assistants
When you use a chatbot, we may collect:
- Information you provide
- Messages
- Technical details (like device and browser)
We use this to:
- Respond to queries
- Guide you through services
- Provide support outside normal hours
- Improve our services
- Meet legal obligations
Job application & assessment
We rely on:
- Legitimate interests (running an effective recruitment process)
- Steps necessary to enter into a contract (considering employment)
- Legal obligations (where applicable)
Where required by local law, additional consent mechanisms may apply (see regional sections).
Global access to your data
Your personal data may be accessed by:
- UK-based HR and recruitment teams
- Regional HR teams (including Asia)
- Hiring managers involved in recruitment
This reflects our global recruitment operating model.
International transfers
Because of our global operations:
- Your personal data may be accessed from or transferred to countries outside your country of application, including the UK.
- We implement safeguards required by applicable law to protect your data
Important: Additional safeguards and transparency apply for certain jurisdictions (see below, especially China).
Use of automated decision-making
We may use automated tools (e.g. application screening or scoring).
- These tools support decision-making only
- Human review is always involved
- No decisions are made solely by automated processing that have legal or similarly significant effects
How long we keep your data
We retain candidate data only for as long as necessary to:
- Complete recruitment processes
- Meet legal and regulatory obligations
Retention periods may vary by jurisdiction.
Your rights
Depending on your location, you may have rights to:
- Access your data
- Correct inaccurate data
- Request deletion
- Object to or restrict processing
- Data portability
We provide UK GDPR rights as a baseline and apply or facilitate local rights where applicable.
If you become an employee, a separate privacy notice will apply.
China – [Important Additional Information (PIPL)]
If you are applying from China, the following applies:
Purpose and necessity
We process your personal data only as necessary to:
- Assess your application
- Manage recruitment and hiring decisions
International transfers
Your personal data will be:
- Transferred outside of China, including to the UK.
- Accessed by non-China HR teams
Overseas recipients
Your data may be shared with:
- Group HR teams outside China
- Recruitment platform providers
- Testing (psychometric/behaviour) testing providers
- Forensic and vetting providers (background checks)
- Internal hiring managers
Safeguards
We apply safeguards required under applicable law for international transfers.
Consent (where required)
Where required under China PIPL:
- You will be asked to provide separate, explicit consent for:
o International transfers
o Processing by overseas recipients
Your rights (China)
You have rights under China PIPL, including:
- Access and copy your data
- Request correction or deletion
- Withdraw consent (where applicable)
Singapore – Additional Information (PDPA)
- We will notify you of the purposes for collecting, using, and disclosing your data
- By submitting your application, you consent to processing where required under PDPA
- Your data may be transferred outside Singapore with appropriate protections
Hong Kong – Additional Information (PDPO)
- We will use your data only for recruitment purposes
- We will take steps to ensure personal data transferred overseas is protected
- You have rights to access and correct your data
Acknowledgement
Depending on your location:
- You may be required to actively acknowledge or consent to:
o This privacy notice
o International data transfers (especially China)
Broker and Advisor Management
If you use our training services, we use your information to:
- Track your progress
- Recommend content
- Tell you about new training
To help support your learning we may share your activity with:
- Your account manager
- Your firm or network
You may still be able to access the service for up to 6 years if you move firms.
Competitions
If you enter a competition, we collect your information to:
- Manage your entry
- Contact you
- Deliver prizes
If you win, we may need financial details to arrange your prize. We may publish your name or entry to show the competition was fair.
We keep some information for checks and records.
When we no longer need your information, we delete it securely.
Some records may be kept longer for legal reasons.
Visitors to our premises
We may use CCTV in some buildings to keep people safe.
Not all locations have CCTV. If it is a managed location the CCTV may be controlled by the Landlord.
If needed, footage may be shared with police or authorities.
Footage is deleted in line with building rules, unless needed for investigation.
Onsite services
Some services (like cleaning, catering, and security) are provided by other companies.
These companies have their own privacy policies.
We aim to work with trusted providers, but we are not responsible for how they use your information.
Vitality App
The Vitality app has its own terms and conditions. Please read these alongside this privacy notice.
These terms and conditions together with our privacy notice (See Clause 12 below) set out the terms on which you may make use of our
Application (as defined below). Please read these terms and conditions and privacy notice carefully before you start to use our
Application.
By downloading or using our Application, you agree that you accept these terms and conditions and that you agree to abide by them. If you do not agree to these terms and conditions, please refrain from using our Application.
1. DEFINITIONS AND INTERPRETATION
In addition to the capitalised terms defined elsewhere in these terms and conditions, the following terms shall have the meanings set out below.
1.1 “Active Rewards” means the weekly or monthly rewards earned as a result of you getting active in accordance with the requirements set out in full on the Member Zone.
1.2 "Application" means the Application published by us for use on mobile telephones and smartphones, tablet computers, laptop computers and other devices through which you can review your benefits, generate your Active Rewards and track your Vitality points.
1.3 "Intellectual Property Rights" means
(i) patents, pending patent applications, designs, trade-marks and trade names (whether registered or unregistered), copyright and related rights, database rights, knowhow and confidential information;
(ii) all other intellectual property rights and similar or equivalent rights anywhere in the world which currently exist or are recognised in the future; and
(iii) applications, extensions and renewals in relation to any such rights.
1.4 “Member” means a customer of Vitality Corporate Services Limited who has the benefit of a VitalityHealth or VitalityLife Plan or who is a beneficiary under a medical health scheme administered by VitalityHealth.
1.5 “Member Zone” means the online portal https://member.vitality.co.uk/login through which you can review your Plan documents, benefits, understand your health, generate Active Rewards and track your Vitality points.
1.6 “Plan” means a private medical insurance plan, protection plan including a medical expenses trust administered by Vitality Corporate Services Limited.
2. TERMS AND CONDITIONS
2.1 In consideration of you agreeing to abide by these terms and conditions we will provide the Application to you in accordance with these terms and conditions.
2.2 You agree to comply with any third-party terms applicable to the downloading of our Application and in relation to the use of your device.
3. INFORMATION ABOUT US
Our Application is operated by Vitality Corporate Services Limited, a company with a registered office at 3 More London Riverside, London SE 1 2AQ and registered number 05933141, with trading address at 5th Floor East, Eighty Strand London WC2R 0DT.
4. YOUR QUESTIONS
If you have any questions on our Application, please email us using our secure web form which can be found at https://member.vitality.co.uk/Vitality/emailus
5. LICENCE
5.1 Subject to these terms and conditions, we grant to you a non-exclusive, non-transferable, royalty free licence, without the right to grant sub licences, solely for your personal use and solely for the duration of this agreement between us to install one copy of the Application onto a single approved device as set out below. If you own more than one approved device, then you must download a separate copy of the Application to that device.
6. USING OUR APPLICATION
6.1 By downloading our Application you warrant that:
6.1.2 you will utilise the Application solely to review and utilise your benefits, generate your Active Rewards and track your Vitality points; 6.1.2 you are legally capable of entering into binding contracts;
6.1.3 you are at least 18 years old; and
6.1.4 you will abide by these terms and conditions in particular the prohibited uses at clause 9.
7. ACCESS TO OUR APPLICATION
7.1 Access to our Application is permitted on a temporary basis, and we reserve the right to withdraw or amend the service we provide on our Application without notice (see below). We will not be liable if for any reason our Application is unavailable at any time or for any period.
7.2 From time to time, we may restrict access to some parts of, or our entire Application.
7.3 You are responsible for making all arrangements necessary for you to have access to our Application.
7.4 You are responsible for controlling the access to and security settings of any device on which you install the Application.
8. HOW THE CONTRACT BETWEEN YOU AND US IS FORMED
8.1 You enter into a contract with us in relation to your use of our Application when you download our Application onto your device. This contract is distinct to your rights and obligations under the terms and conditions set out in full on the Member Zone.
9. PROHIBITED USES OF APPLICATION
9.1 You may use our Application only for lawful purposes. You may not use our Application:-
9.1.1 in any way that breaches any applicable local, national or international law or regulation;
9.1.2 in any way that is unlawful or fraudulent, or has any unlawful or fraudulent purpose or effect;
9.1.3 for the purpose of harming or attempting to harm adults and/or minors in any way;
9.1.4 to transmit, or procure the sending of, any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam);
9.1.5 in any way which contravenes the virus and hacking provisions as set out in Clause 13.
10. INTELLECTUAL PROPERTY RIGHTS
10.1 We are the owner or the licensee of all Intellectual Property Rights in our Application, and either own all Intellectual Property Rights in, or are licensed to publish, the material on it. Those works are protected by copyright laws and treaties around the world. All such rights are reserved. Nothing in these terms and conditions will be construed as conferring any licence of our Intellectual Property Rights except those licences expressly granted in these terms and conditions.
10.2 Except as set out in this clause 10, you must not use, copy, store, download, sell, reproduce, redistribute, disclose, publish, rent, lease or lend the Application during or after the term of this agreement.
10.3 You agree not to modify the Application, remove any copyright, trade mark or other Intellectual Property Rights from the Application or allow a third party to do so.
10.4 You must not remove any copyright, trade mark or other Intellectual Property Rights legend from the Application.
10.5 You agree not to make use of any of our trademarks or other Intellectual Property Rights in any manner unless we have given you express written permission to do so.
10.6 You agree not to copy, duplicate, reverse engineer, reverse compile, disassemble, record or otherwise reproduce all or any part of the Application.
10.7 You must not modify the paper or digital copies of any materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text.
10.8 You must not use any part of our Application or materials on it for commercial purposes without obtaining a licence to do so from us and our licensors.
10.9 If you print off, copy or download any part of our Application in breach of these terms and conditions, your right to use our Application will cease immediately and you must, at our option, return or destroy any copies of the materials you have made.
11. RELIANCE ON INFORMATION POSTED
11.1 You can view your Vitality points statement in the Application.
11.2 Commentary and other materials posted on our Application are not intended to amount to advice on which reliance should be placed. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any user of our Application, or by anyone who may be informed of any of its contents.
12. PRIVACY NOTICE
This privacy notice is complementary to, and should be read and understood together with, the general terms and conditions.
12.1 The General Principles of our Privacy Notice
12.1.1 This privacy notice covers how we treat your personal information collected electronically when you use the Application, register or apply online for any of our products or services, or when you contact us electronically.
12.1.2 We respects your privacy and your personal information and for this reason, we take care to protect your personal information and to keep it confidential.
12.1.3 When dealing with your personal information we apply the following:
(a) We will only disclose, collate and process (“use”) your personal information with your express written permission unless we are legally required to do so;
(b) We will not use your personal information for any other purpose, other than that which we disclosed to you, unless you give us your express written permission to do so, or unless we are permitted or required to do so by law
12.1.4 By using the Application, registering or applying online for any of our products or services, or contacting us electronically, you confirm that we may share your and your dependants and/ or beneficiaries information within the Vitality Corporate Service Limited group of companies for administration and fraud prevention purposes or where required to provide Group wide services, benefits and infrastructure to assist you in your personal or professional capacity.
12.2 What do we mean by Personal Information
12.2.1 Personal information refers to information that identifies or relates specifically to you, for example, your name, age and identity number or any information you use to register for the website. Any information about your health and wellness interests, your lifestyle, your eating habits and nutrition, your exercise regime and all related information will also be regarded as personal information.
12.3 How we collect your Personal Information
12.3.1 Whenever you use the Application, complete an application form, contact us electronically, or use one of the products, services, facilities, tools or utilities offered by us on the Application, we will collect your personal information.
12.4 Why we collect and use Personal Information
12.4.1 In order to make your use of the Application and the products, services, facilities, tools or utilities offered on the Application as informative and successful as possible, it is necessary for us to find out exactly what you need and want. The following are some of the reasons (i.e. disclosed reasons) why we would collect your personal information:
(a) for us to process your instructions or requests; or
(b) for us to ensure that we meet your needs, we may collect and analyse your personal information and combine all the information that we have about you for research and statistical purposes. We may also use your personal information to personalise and tailor our services to meet your needs; or
(c) once we have collected and analysed your personal information, we may send you promotional material or details which we think may be of interest to you.
(d) to conduct market research;
(e) to conduct academic research which may be used to evaluate and improve our product offerings. You are advised that information may be shared with third parties such as academics and researchers. All such information collected will be kept strictly confidential and all data will be depersonalised to the extent possible and where appropriate. No personal information will be made available to a third party unless such third party has agreed to abide by strict confidentiality protocols. If we publish the results of this research, you will not be identified by name.
12.4.2 Your privacy is important to us and we will therefore not sell, rent or provide your personal information to unauthorised third parties for their independent use, without your consent. If at any stage after you have given us your consent you no longer wish us to use or share your personal information, you may at any stage withdraw your consent.
12.4.3 You accept that we may store your personal information outside of the region or country that you may submit or use it in.
12.5 Location data
12.5.1 Once you have given the Application access to your location, we collect the latitude and longitude of your device/s as well as information relating to your movement. Your location can be determined using the following:
(a) GPS;
(b) IP address;
(c) Sensor data from your devices; and;
(d) Mobile phone towers and Bluetooth-enabled devices near your device.
12.5.2 We use your location data for certain features on the Application such as emergency assistance.
12.5.3 If you would no longer like us to collect location data, you may adjust your device settings. This will have an impact on certain features on the Application, such as the ability to locate you in case of emergency.
12.6. Google user data
12.6.1 Once you have given the Application access to your Google user data, we collect your activity (steps) and heart rate data from the Health Connect app/s on your device/s.
12.6.2 We use your Google user data to award you points and rewards.
12.6.3 The Application's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
12.6.4 If you would no longer like us to collect your Google user data, you may adjust your Health Connect app settings. This will have an impact on our ability to award you points and rewards.
12.7 Protection of your Personal Information
12.7.1 We value the information that you choose to provide and will take reasonable steps to protect your personal information from loss, misuse or unauthorised alteration. The information we have concerning our members is stored in databases that have built-in safeguards to ensure the privacy and confidentiality of that information.
12.7.2 When you use the products, services, facilities, tools or utilities provided by us in Member Zone, you may be given an access number, username, password and/or personal identification number (PIN). You must always keep your user name, access card, password and/or PIN a secret and ensure that you do not disclose it to anyone.
12.8Correction of Personal Information
12.8.1 If you ever want to update or correct any of your personal information held by us, you can e-mail us or you can phone our contact centre.
12.8.2 We keep a record of what you told us. If we wrote it down correctly, our record isn’t inaccurate, even if the information later turns out to be wrong. We may add the correct information, but we may also keep the original record so we have a complete and accurate history.
12.9 Personal Information held by or disclosed by you or us to a third party
12.9.1 Because we are not responsible for any representations or information or warranties or content on any third party website (including third party websites linked to this website, websites facilitated by us or websites that serve as social networks like Facebook or Twitter), we don’t exercise control over the privacy policies of these third parties and you should refer to the privacy notice of these third parties to see how they protect your privacy.
12.9.2 We may enter into arrangements with its partners or other third party suppliers which will require us to disclose your personal information to these third parties for the purpose of transferring data to us from a device(s) that measures bodily functions or fluids. You hereby consent to us disclosing your personal information to these third parties for this purpose and you also consent to receiving data about yourself from these third parties. If at any time after you have given us your consent you no longer wish to disclose your personal information to these third parties, you may at any time withdraw your consent.
12.10 Cookies and Online advertising
12.10.1 We uses cookies. We use the word “cookie” to refer to information that is sent from Member Zone to your hard drive, where it is saved. In this way, the next time you use the Site Member Zone, we will know who you are and that you have visited Member Zone before. We also collect information about how you use the website, your preferences and past browsing history.
12.10.2 We engage third parties that help us deliver banner advertisements and other online communications. The third parties may collect and use information about our members to help us understand the offers, promotions, and types of advertising that are most appealing to our members. The personal information they collect is aggregated and cannot be linked to a person.
12.10.3 Third party vendors, including Google and DoubleClick, show our ads on sites on the internet.
12.10.4 Third party vendors, including Google and DoubleClick, use cookies to serve ads based on a user's prior visits to our website.
12.10.5 Users may opt out of Google and DoubleClick's use of cookies by visiting the Google advertising opt-out page or by visiting the Network Advertising Initiative opt out page.
12.11 Changes to this Privacy Notice
12.11.1 We may amend this privacy notice from time to time. We will give you notice of any material changes within a reasonable time, however, we recommend that you familiarise yourself with this privacy notice regularly.
12.11.2 The current version of this privacy notice will govern the respective rights and obligations between you and us each time that you access and use Member Zone
12.12 Which laws apply to this Privacy Notice
12.12.1 This privacy notice is governed by the laws of the United Kingdom, and you consent to the jurisdiction of the English courts in respect of any dispute which may arise out of or in connection with the formation, interpretation, substance or application of this privacy notice.
13. VIRUSES, HACKING AND OTHER OFFENCES
13.1 You must not misuse our Application by knowingly introducing viruses, trojans, worms, logic bombs or other material which is malicious or technologically harmful.
13.2 You must not attempt to gain unauthorised access to, interfere with, damage or disrupt our Application, the server, equipment or network on which our Application is stored, any software used in the provision of our Application or any server, computer or database connected to our Application. You must not attack our Application via a denial-of-service attack or a distributed denial of service attack.
13.3 By breaching this clause 13, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities, and we will cooperate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use our Application will cease immediately.
13.4 We will not be liable for any loss or damage caused by a distributed denial of service attack, viruses or other technologically harmful material that may infect your computer equipment, computer programs, data or other proprietary material due to your use of our Application or to your downloading of any material posted on it, or on any website linked to it.
13.5 You must not reproduce duplicate, copy or re-sell any part of our Application in contravention of the provisions of these terms and conditions.
14. SUSPENSION AND TERMINATION
14.1 We will determine, in our discretion, whether there has been a breach of these terms and conditions. When a breach of these terms and conditions has occurred, we may take such action as we deem appropriate including terminating this agreement. If this agreement is terminated for any reason you will delete our Application from your device and we have the right to block your access to the Application.
14.2 Failure to comply with these terms and conditions constitutes a material breach of these terms and conditions upon which you are permitted to use our Application, and may result in our taking all or any of the following actions:
14.2.1 immediate, temporary or permanent withdrawal of your right to use our Application;
14.2.2 immediate, temporary or permanent removal of any posting or material uploaded by you to our Application;
14.2.3 issue of a warning to you;
14.2.4 legal proceedings against you for reimbursement of all costs on an indemnity basis (including, but not limited to, reasonable administrative and legal costs) resulting from the breach;
14.2.5 further legal action against you;
14.2.6 disclosure of such information to law enforcement authorities as we reasonably feel is necessary.
15. OUR LIABILITY
15.1 The Application is provided free of charge and therefore is provided to you on your own behalf without any guarantees, conditions or warranties as to its accuracy (whether express or implied). To the extent permitted by law, we, other members of our group of companies and third parties connected to us hereby expressly exclude liability for:-
15.1.1 all conditions, warranties and other terms which might otherwise be implied by statute, common law or the law of equity;
15.1.2 loss of profits;
15.1.3 any direct, indirect or consequential loss or damage incurred by you in connection with our Application or in connection with the use, inability to use, or results of the use of our Application, any websites linked to it and any materials posted on it, including, without limitation any liability for:-
(a) loss of income or revenue (whether direct or indirect);
(b) loss of business (whether direct or indirect);
(c) loss of profits or contracts (whether direct or indirect);
(d) loss of anticipated savings (whether direct or indirect);
(e) loss of data (whether direct or indirect), except where we have materially breached any relevant data protection laws or regulations which apply to us;
(f) loss of goodwill (whether direct or indirect);
(g) wasted management or office time (whether direct or indirect); and
(h) for any other loss or damage of any kind, however arising and whether caused by tort (including negligence), breach of contract or otherwise, even if foreseeable, provided that this condition shall not prevent claims for loss of, or damage to, your tangible property or any other claims for direct financial loss that are not excluded by any of the categories set out above.
15.2 This does not affect our liability for death or personal injury arising from our negligence, nor our liability for fraudulent misrepresentation or misrepresentation as to a fundamental matter, nor any other liability which cannot be excluded or limited under applicable law.
15.3 Your sole right and remedy in the event of any defect in the Application or its operation, to the exclusion of all other remedies, will be to terminate the licences described in these terms and conditions and to delete the Application from your device.
16. OUR APPLICATION CHANGES REGULARLY
We aim to update our Application regularly and may change the content at any time. If the need arises, we may suspend access to our Application or close it indefinitely. Any of the material on our Application may be out of date at any given time, and we are under no obligation to update such material.
17. OUR RIGHT TO VARY THESE TERMS AND CONDITIONS
17.1 We may revise these terms and conditions at any time by amending this page. Please check this page from time to time which can be found on the Application login page. Material changes to these terms and conditions will be notified to you.
17.2 You will be subject to the policies and terms and conditions in force at the time that you download our Application and then at the time that an Active Reward is generated, unless any change to those policies or terms and conditions is required to be made by law or governmental authority.
18. JURISDICTION AND APPLICABLE LAW
18.1 The English courts will have exclusive jurisdiction over any claim or dispute arising from, or related to, the Application.
18.2 These terms and conditions and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
19. ASSIGNMENT
You may not sub-license, assign or transfer in any way any of your rights, liabilities and/or obligations under these terms and conditions on a temporary or permanent basis to any third party without our prior written consent.
20. SEVERABILITY
If any provision of these terms and conditions (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions will remain unaffected and in force.
21. ENTIRE AGREEMENT
21.1 These terms and conditions and any document expressly referred to in them constitute the whole agreement between us and supersede all previous discussions, correspondence, negotiations, previous arrangement, understanding or agreement between us relating to the subject matter of these terms and conditions.
21.2 We each acknowledge that, in entering into these terms and conditions, neither of us relies on, or will have any remedies in respect of, any representation or warranty (whether made innocently or negligently) that is not set out in these terms and conditions or the documents referred to in them.
21.3 Each of us agrees that our only liability in respect of those representations and warranties that are set out in these terms and conditions (whether made innocently or negligently) will be for breach of contract.
21.4 Nothing in this clause limits or excludes any liability for fraud.
Thank you for using our Application.
Between:
- The Client, and
- Vitality Health Limited (“Vitality”)
(together, “the parties”)
1. Overview of the Relationship
This addendum explains how the Client and Vitality share and use personal data in connection with the Client’s private medical insurance plan (“the Plan”).
Vitality provides insurance directly to Employees and their Dependants, (if permitted). In doing so:
- Vitality acts as an independent Data Controller
- The Client also acts as a Data Controller in its own right
This means:
- Each party decides independently how and why it processes personal data
- Vitality does not act on the Client’s instructions
- Vitality does not act as a Data Processor for the Client
Vitality delivers its services under its standard Terms and Conditions and operating model, which apply consistently across all clients.
Vitality does not agree to additional or bespoke data processing obligations on a client-by-client basis.
2. Purpose of Data Sharing
The parties share limited personal data to enable:
- The setup, administration, and management of the Plan
- The provision of private medical insurance to Employees and their Dependants
This arrangement benefits the Client, Employees, and Dependants by enabling access to healthcare and related services.
3. Nature of the Relationship
3.1 Independent Controllers
Both parties confirm that they act as separate and independent Data Controllers.
In particular:
- The Client discloses certain personal data to Vitality
- Vitality uses that data to provide insurance and related services
- Vitality determines the purposes and means of its processing independently
3.2 No Processor Relationship
Nothing in this Agreement:
- creates a controller–processor relationship
- requires Vitality to process personal data on behalf of the Client
- allows the Client to direct how Vitality processes personal data
4. Categories of Data Shared
The Client will share only limited personal data required to administer the Plan, such as:
- Name
- Date of birth
- Job title
- Email address
- Postal address
- Telephone number
Special category data (e.g. health data) is not shared by the Client under this Agreement.
5. Direct Collection by Vitality
Vitality has a direct relationship with Employees and their Dependants as plan holders or beneficiaries.
Vitality may collect personal (including special category) data directly from them. Where this happens:
- That data is processed under Vitality’s Privacy Notice
- It is not considered Shared Personal Data under this Agreement
6. Lawful Processing and Transparency
Each party is responsible for ensuring that:
- It processes personal data lawfully, fairly, and transparently
- It has a valid legal basis for processing
The Client must ensure Employees are informed about how their data is shared with Vitality.
Vitality will provide its own privacy information directly to individuals where required.
7. Data Subject Rights
Each party is independently responsible for:
- Handling data subject requests (e.g. access, rectification, deletion)
- Responding within applicable legal timeframes
8. Retention and Deletion
Each party will:
- Only retain personal data for as long as necessary for its purposes
- Apply its own retention policies and legal obligations
Vitality will securely delete data when it is no longer required, in line with its internal procedures.
9. Data Security
Each party will implement appropriate technical and organisational measures to:
- Prevent unauthorised access or processing
- Protect against loss or damage
Each party is responsible for ensuring its staff:
- Are appropriately trained
- Are subject to confidentiality obligations
10. Data Transfers
Vitality may share personal data with trusted third parties where necessary to deliver its services, including:
- Service providers
- Group companies (including Discovery Limited)
Where data is transferred outside the UK:
- Appropriate safeguards will be applied in line with UK Data Protection Laws
11. Personal Data Breaches
Each party shall comply with its respective obligations under applicable Data Protection Laws in relation to the identification, assessment and notification of Personal Data Breaches, including notifying the relevant Supervisory Authority and affected data subjects where required.
Vitality, in its capacity as an independent Data Controller, shall assess any Personal Data Breach and, where required, notify the relevant Supervisory Authority and/or affected data subjects without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with applicable law.
The fulfilment of these regulatory obligations shall take priority over any notification to the Client, in order to ensure legal compliance and to avoid prejudicing any regulatory or law enforcement investigation.
To the extent permitted and appropriate, Vitality shall notify the Client of a Personal Data Breach as soon as reasonably practicable following compliance with its regulatory obligations and may provide such information as it reasonably considers necessary to enable the Client to manage any related communications with Employees.
12. Complaints and Disputes
If a complaint or regulatory issue arises:
- The parties will cooperate where appropriate
- Each party remains responsible for its own compliance
13. Warranties
Each party confirms that it will:
- Comply with applicable data protection laws
- Maintain appropriate registration (where required)
- Respond to regulatory enquiries
The Client confirms that:
- It is entitled to share the personal data with Vitality
- The data provided is accurate
14. Liability
Each party is responsible for its own acts and omissions in relation to personal data.
Standard limitations of liability apply as set out in the underlying Terms and Conditions.
15. Relationship Between the Parties
Nothing in this Agreement:
- Creates a partnership or joint venture
- Appoints one party as agent of the other
Each party acts independently and in its own interests.
16. Entire Agreement
This addendum should be read alongside Vitality’s:
- Terms and Conditions
- Privacy Notice
These documents govern Vitality’s provision of services and its processing of personal data.
17. Changes to Law
If data protection laws change, the parties will cooperate in good faith to ensure continued compliance.
18. General
- Changes to this Agreement must be in writing
If any part is invalid, the rest remains
Website users
Cookies
Cookies are small files that websites store on your device.
They help:
- Remember your preferences
- Make the website easier to use
Cookies can stay on your device after you leave the site.
You can delete or manage them in your browser settings.
Most browsers accept cookies automatically, but you can change this at any time.
Check your browser’s Help section to learn how.
You can find out more about cookies on the Information Commissioner’s Office website.
For full details, see our Cookie Policy: https://www.vitality.co.uk/accessibility/cookies/
Other websites and services
Our website may link to other websites or apps.
These have their own privacy policies and rules.
We are not responsible for how they use your information.
If you sign up for a service or benefit, that company will use your information for their own purposes.
You can view the list of companies we work with using the link provided here or under the External Supplier section.
Google Analytics
We use Google Analytics to understand how people use our website.
This helps us see:
- How many people visit
- Which pages they view
- Where they came from
This information does not identify you. We use it to improve the website.
Personalised advertising
When you visit our website, you may see adverts on other websites or social media.
These are based on what you looked at on our site.
They use general information like:
- Your IP address
- Browser type
- Pages visited
They do not use your name, contact details, or payment details.
You can opt out by visiting the company’s privacy pages or clicking the options on the advert.
User accounts
We collect your information when you:
- Create an account
- Use our services
- Apply for a job
We only keep your information for as long as needed.
When we no longer need it, we delete it securely.
Sometimes we keep it longer to meet legal or business requirements.
Surveys
We may invite you to take part in surveys to improve our website and services.
Cookies may be used:
- So you don’t see the same survey again
- To count how many people respond
These cookies do not store personal information.
Contacting Vitality
If you contact us through the website or fill in a form, we collect your name and contact details.
We use this to:
- Respond to you
- Take any action needed
We do not share this information with other organisations.
We keep it in line with our retention rules and delete it when no longer needed.
Sometimes we keep it longer to meet legal or business requirements.
Links to other websites
We are not responsible for the content or privacy practices of other websites.
If you follow a link, please check that website’s terms and Privacy Notice.
We may share your information with:
- Companies that help us provide services
- Regulators and government organisations
- Organisations that help prevent fraud
- Professional advisers
We only share what is needed and we never sell or rent your information.
| Disclosure | Why |
|---|---|
| Our auditors | For management information purposes and in accordance with our statutory obligations under Financial Conduct Authority obligations. |
| Our Regulators |
To comply with our statutory obligations, we may share your personal data with our Regulators, where necessary. Our primary Regulators are:
|
| Government Departments | Such as HM Revenue and Customs for tax and fraud purposes. |
| Law Enforcement | To facilitate the prevention and detection of fraud or crime. It allows insurance companies to remain solvent after major claims events and is sometimes used for tax mitigation and other reasons. |
| Fraud prevention and detection |
To help prevent fraud and money laundering, we check your details against various fraud prevention databases, including those used by other insurers. If false or misleading information is found, we may share it with fraud agencies, other insurers, and law enforcement. These checks help us spot and investigate suspicious activity. We use the following fraud prevention agencies and databases:
|
| Re-Insurers: |
We may need to share your personal health or medical data provided by you with our re-insurers for them to do the following:
|
| Your authorised representative (Broker/Advisor) |
If you’ve chosen an insurance or financial adviser, we may share plan updates and renewal documents with them. We might also share claim details, but never medical information without your permission. If you appoint a new adviser, let us know so we can update our records—just note that changes may take a little time. |
| Credit Reference Agencies: | your application, we’ll run a “soft” credit check with credit reference agencies for security. This won’t affect your credit score or be seen by lenders. These checks are automated but allowed because they’re needed to set up or manage your contract with us. |
Some of the companies we work with are based in other countries.
When we share your information with them, we make sure it is protected and that all transfers are carried out in line with regulatory requirements, so your rights are kept safe.
We work with trusted companies to help manage your plan and services, including handling claims.
These companies must protect your information and meet our security standards.
We may also share your information, including health information, with benefit providers when you choose to use their services or agree to this.
This allows you to earn rewards and access benefits linked to your activity.
The full list of benefit and reward providers can be found here.
We take security seriously.
- Secure systems
- Access controls
- Safe storage and deletion
We use:
We usually store your information in secure locations, such as the UK or EU.
If it is stored elsewhere, we make sure it is protected and handled safely, using strong safeguards that keep your information secure.
While sharing information online can never be completely risk free, we take steps to protect it once we receive it.
We also keep secure backups to protect your information from loss or damage.
Access to these backups is tightly controlled, and only authorised teams can use them when needed.
We only keep your information for as long as needed. This depends on factors such as:
- Legal requirements
- Claims
- Business needs
As a general rule:
| Activity | Retention |
|---|---|
| Activity tracker | 7 years from life of plan |
| Administering and managing your plan | 7 years from life of last plan |
| Backup Data | 5 years |
| Complaints | 3 years from closure |
| Debt collection | 7 years from recovery or end of plan |
| Fraud / Misrepresentation (suspected) | 5 years |
| Fraud / Money Laundering court cases | 3 years after length of sentence |
| Job Applicants | Term of employment + 7 years or 13 months if unsuccessful |
| Marketing consent | Upon change by Member |
| Management Information (personal data) | 7 years |
| Quotes not taken up | 13 months |
| Quotes taken up | 7 years from life of plan |
| Renewal data | 13 months |
| Telephone calls | 7 years |
| Telephone calls training purposes | 3 years |
| Verifying Identity | 7 years |
| Vitality Academy Training | 6 years |
You have rights over your personal information. These include:
- Get a copy, known as a ‘Data Subject Access Request/DSAR
- Correcting inaccurate information*.
- Requesting deletion (in some cases)
- Restricting how we use your information
- Objecting to certain processing
- Stopping marketing
- Requesting human review of automated decisions
* If we record the information, you provide accurately at the time it is given, that information is not considered inaccurate simply because it later changes or is found to be incorrect. We may retain earlier information alongside any updates. This helps us maintain a complete record for assessing claims, meeting legal obligations, and ensuring decisions are fair and consistent.
Your rights may depend on how we use your information. Your rights only relate to you, you cannot ask for someone else’s’ personal data, unless you have parental control, or a Power of Attorney etc.,
Parents and guardians usually manage a child’s personal information. However, once a child is able to understand their choices, they have the right to decide how their information is used and who can access it, including access by a parent or guardian.
As a general approach, we consider children aged 13 or over to be able to make these decisions. Where this applies, we will respect their wishes where it is appropriate to do so.
You can contact us to use your rights.
We may need to confirm your identify before processing your request if it does not match the information we hold on you.
Important – making your request clearly.
You can make the request verbally or in writing, but written requests (email or letter) are recommended for clarity and record-keeping.
- You can make your request verbally or in writing, but email or letter is best for clarity and record keeping.
- AI tools can help draft requests, but they often add errors or make them more complex, which can cause delays.
- Please check your request carefully. AI frequently gets the law or your rights wrong.
- Keeping your request short and clear in your own words makes for a quicker, more helpful response.
- Please complete this form.
You’ll receive notifications from Discovery.co.za, as we work with Discovery Group and our service provider Onetrust.
Using Portals
Some companies offer tools to help you manage your personal data, like making access, erasure, or correction requests. While these tools are easy to use and can contact many organisations at once, they often don’t give us enough information to identify you. Because of this, we may have to decline the request.
It’s better to contact us directly using the details provided for each type of request. To help us process your request, please include at least:
- If you're a Member or Ex-Member: your name, address, Membership/Entity number, and email address. Using contact details different from those we have on record may cause delays.
- If you're not a Member: your name, address, any unique reference number, and your relationship to us (e.g., quote, job applicant).
Requests on behalf of children or deceased
Children have their own rights.
- From age 13, they can usually make decisions about their data.
- They can ask an adult to act for them or chose to make decisions themselves
- We check this is in their best interests.
Deceased individuals
We understand how important it is to handle personal information with care, especially after someone has passed away.
- Although data protection laws no longer apply, we continue to treat their information with respect and confidentiality.
• Unless they gave permission during their lifetime, we will not share their information.
• Please note that Powers of Attorney are no longer valid after death. - If needed, medical records should be requested through a GP.
- Beneficiaries may receive limited information, but not health details.
If you have a concern about how we use your personal data, please follow these steps:
- Contact our complaints team
Raise your concern with us first so we can investigate and try to resolve it. They will issue a decision letter. - Ask for a review
If you are not satisfied, you can ask us to review the decision. We will provide a final response once our review is complete. - Data protection review (if relevant)
If your concern relates specifically to how your personal information has been handled, you can then ask our Data Protection Officer (DPO) to review the complaints decision.
The DPO will consider your concern and provide their final decision.
Service delays, claims decisions, or technical problems are not normally data protection matters so may not be reviewed by the DPO.
To request a review, contact our Privacy Office:
• Email: [email protected]
• Or write to: Data Protection Officer, Vitality, 5th Floor East, Eighty Strand, London WC2R 0DT
- Contact the regulator
If you remain unhappy after we the Data Protection Officer has provided their final response, you can raise your complaint with the Information Commissioner’s Office (ICO).
You can make a complaint through their website using the link provided.
Information Commission – How to Make a Complaint