Privacy Notice

The following terms and conditions (the "terms and conditions") are a legal agreement between the Member "you") and Vitality Corporate Services Limited trading as VitalityHealth and VitalityLife ("we", "our", "us"), a company with a registered office at 3 More London Riverside, London SE1 2AQ and registered number 05933141.

These terms and conditions together with our privacy notice (See Clause 12 below) set out the terms on which you may make use of our Application (as defined below). Please read these terms and conditions and privacy notice carefully before you start to use our Application.

By downloading or using our Application, you agree that you accept these terms and conditions and that you agree to abide by them. If you do not agree to these terms and conditions, please refrain from using our Application.

1. DEFINITIONS AND INTERPRETATION
   In addition to the capitalised terms defined elsewhere in these terms and conditions, the following terms shall have the meanings set out below.
   
   1.1 “Active Rewards” means the weekly or monthly rewards earned as a result of you getting active or driving well in accordance with the requirements set out in full on the Member Zone.
   
   1.2 "Application" means the Application published by us for use on mobile telephones and smartphones, tablet computers, laptop computers and other devices through which you can review your benefits, generate your Active Rewards and track your Vitality points.
   
   1.3 "Intellectual Property Rights" means
   (i) patents, pending patent applications, designs, trade-marks and trade names (whether registered or unregistered), copyright and related rights, database rights, knowhow and confidential information;
   (ii) all other intellectual property rights and similar or equivalent rights anywhere in the world which currently exist or are recognised in the future; and
   (iii) applications, extensions and renewals in relation to any such rights.
   
   1.4 “Member” means a customer of Vitality Corporate Services Limited who has the benefit of a VitalityHealth, VitalityLife, VitalityInvest and/or VitalityCar Plan (including any named drivers on the Plan), or who is a beneficiary under a medical health scheme administered by VitalityHealth.
   
   1.5 “Member Zone” means the online portal https://member.vitality.co.uk/login through which you can review your Plan documents, benefits, understand your health, generate Active Rewards and track your Vitality points.
   
   1.6 “Plan” means a car insurance plan, a private medical insurance plan, protection plan or policy including a medical expenses trust administered by Vitality Corporate Services Limited.
   
   
2. TERMS AND CONDITIONS
   
   2.1 In consideration of you agreeing to abide by these terms and conditions we will provide the Application to you in accordance with these terms and conditions.
   
   2.2 You agree to comply with any third-party terms applicable to the downloading of our Application and in relation to the use of your device.
   
   
3. INFORMATION ABOUT US
   Our Application is operated by Vitality Corporate Services Limited, a company with a registered office at 3 More London Riverside, London SE 1 2AQ and registered number 05933141, with trading address at 5th Floor East, Eighty Strand London WC2R 0DT.
   
   
4. YOUR QUESTIONS
   If you have any questions on our Application, please email us using our secure web form which can be found at https://member.vitality.co.uk/Vitality/emailus
   
   
5. LICENCE
   
   5.1 Subject to these terms and conditions, we grant to you a non-exclusive, non-transferable, royalty free licence, without the right to grant sub licences, solely for your personal use and solely for the duration of this agreement between us to install one copy of the Application onto a single approved device as set out below. If you own more than one approved device, then you must download a separate copy of the Application to that device.
   
   
6. USING OUR APPLICATION
   
   6.1 By downloading our Application you warrant that:
   6.1.2 you will utilise the Application solely to review and utilise your benefits, generate your Active Rewards and track your Vitality points; 6.1.2 you are legally capable of entering into binding contracts;
   6.1.3 you are at least 18 years old; and
   6.1.4 you will abide by these terms and conditions in particular the prohibited uses at clause 9.
   
   
7. ACCESS TO OUR APPLICATION
   
   7.1 Access to our Application is permitted on a temporary basis, and we reserve the right to withdraw or amend the service we provide on our Application without notice (see below). We will not be liable if for any reason our Application is unavailable at any time or for any period.
   
   7.2 From time to time, we may restrict access to some parts of, or our entire Application.
   
   7.3 You are responsible for making all arrangements necessary for you to have access to our Application.
   
   7.4 You are responsible for controlling the access to and security settings of any device on which you install the Application.
   
   
8. HOW THE CONTRACT BETWEEN YOU AND US IS FORMED
   
   8.1 You enter into a contract with us in relation to your use of our Application when you download our Application onto your device. This contract is distinct to your rights and obligations under the terms and conditions set out in full on the Member Zone.
   
   
9. PROHIBITED USES OF APPLICATION
   
   9.1 You may use our Application only for lawful purposes. You may not use our Application:-
   9.1.1 in any way that breaches any applicable local, national or international law or regulation;
   9.1.2 in any way that is unlawful or fraudulent, or has any unlawful or fraudulent purpose or effect;
   9.1.3 for the purpose of harming or attempting to harm adults and/or minors in any way;
   9.1.4 to transmit, or procure the sending of, any unsolicited or unauthorised advertising or promotional material or any other form of similar solicitation (spam);
   9.1.5 in any way which contravenes the virus and hacking provisions as set out in Clause 13.
   
   
10. INTELLECTUAL PROPERTY RIGHTS
    
    10.1 We are the owner or the licensee of all Intellectual Property Rights in our Application, and either own all Intellectual Property Rights in, or are licensed to publish, the material on it. Those works are protected by copyright laws and treaties around the world. All such rights are reserved. Nothing in these terms and conditions will be construed as conferring any licence of our Intellectual Property Rights except those licences expressly granted in these terms and conditions.
    
    10.2 Except as set out in this clause 10, you must not use, copy, store, download, sell, reproduce, redistribute, disclose, publish, rent, lease or lend the Application during or after the term of this agreement.
    
    10.3 You agree not to modify the Application, remove any copyright, trade mark or other Intellectual Property Rights from the Application or allow a third party to do so.
    
    10.4 You must not remove any copyright, trade mark or other Intellectual Property Rights legend from the Application.
    
    10.5 You agree not to make use of any of our trademarks or other Intellectual Property Rights in any manner unless we have given you express written permission to do so.
    
    10.6 You agree not to copy, duplicate, reverse engineer, reverse compile, disassemble, record or otherwise reproduce all or any part of the Application.
    
    10.7 You must not modify the paper or digital copies of any materials you have printed off or downloaded in any way, and you must not use any illustrations, photographs, video or audio sequences or any graphics separately from any accompanying text.
    
    10.8 You must not use any part of our Application or materials on it for commercial purposes without obtaining a licence to do so from us and our licensors.
    
    10.9 If you print off, copy or download any part of our Application in breach of these terms and conditions, your right to use our Application will cease immediately and you must, at our option, return or destroy any copies of the materials you have made.
    
    
11. RELIANCE ON INFORMATION POSTED
    
    11.1 Your Vitality points may take longer to update on the Application than on the Member Zone. Please log into the Member Zone to view your most up to date and accurate Vitality points statement.
    
    11.2 Commentary and other materials posted on our Application are not intended to amount to advice on which reliance should be placed. We therefore disclaim all liability and responsibility arising from any reliance placed on such materials by any user of our Application, or by anyone who may be informed of any of its contents.
    
    
12. PRIVACY NOTICE
    This privacy notice is complementary to, and should be read and understood together with, the general terms and conditions.
    
    12.1 The General Principles of our Privacy Notice
    12.1.1 This privacy notice covers how we treat your personal information collected electronically when you use the Application, register or apply online for any of our products or services, or when you contact us electronically.
    12.1.2 We respects your privacy and your personal information and for this reason, we take care to protect your personal information and to keep it confidential.
    12.1.3 When dealing with your personal information we apply the following:
    (a) We will only disclose, collate and process (“use”) your personal information with your express written permission unless we are legally required to do so;
    (b) We will not use your personal information for any other purpose, other than that which we disclosed to you, unless you give us your express written permission to do so, or unless we are permitted or required to do so by law
    12.1.4 By using the Application, registering or applying online for any of our products or services, or contacting us electronically, you confirm that we may share your and your dependants and/ or beneficiaries information within the Vitality Corporate Service Limited group of companies for administration and fraud prevention purposes or where required to provide Group wide services, benefits and infrastructure to assist you in your personal or professional capacity.
    
    12.2 What do we mean by Personal Information
    12.2.1 Personal information refers to information that identifies or relates specifically to you, for example, your name, age and identity number or any information you use to register for the website. Any information about your health and wellness interests, your lifestyle, your eating habits and nutrition, your exercise regime and all related information will also be regarded as personal information.
    
    12.3 How we collect your Personal Information
    12.3.1 Whenever you use the Application, complete an application form, contact us electronically, or use one of the products, services, facilities, tools or utilities offered by us on the Application, we will collect your personal information.
    
    12.4 Why we collect and use Personal Information
    12.4.1 In order to make your use of the Application and the products, services, facilities, tools or utilities offered on the Application as informative and successful as possible, it is necessary for us to find out exactly what you need and want. The following are some of the reasons (i.e. disclosed reasons) why we would collect your personal information:
    (a) for us to process your instructions or requests; or
    (b) for us to ensure that we meet your needs, we may collect and analyse your personal information and combine all the information that we have about you for research and statistical purposes. We may also use your personal information to personalise and tailor our services to meet your needs; or
    (c) once we have collected and analysed your personal information, we may send you promotional material or details which we think may be of interest to you.
    (d) to conduct market research;
    (e) to conduct academic research which may be used to evaluate and improve our product offerings. You are advised that information may be shared with third parties such as academics and researchers. All such information collected will be kept strictly confidential and all data will be depersonalized to the extent possible and where appropriate. No personal information will be made available to a third party unless such third party has agreed to abide by strict confidentiality protocols. If we publish the results of this research, you will not be identified by name.
    12.4.2 Your privacy is important to us and we will therefore not sell, rent or provide your personal information to unauthorised third parties for their independent use, without your consent. If at any stage after you have given us your consent you no longer wish us to use or share your personal information, you may at any stage withdraw your consent.
    12.4.3 You accept that we may store your personal information outside of the region or country that you may submit or use it in.
    
    12.5 Location data
    12.5.1 Once you have given the Application access to your location, we collect the latitude and longitude of your device/s as well as information relating to your movement. Your location can be determined using the following:
    (a) GPS;
    (b) IP address;
    (c) Sensor data from your devices; and;
    (d) Mobile phone towers and Bluetooth-enabled devices near your device.
    12.5.2 We use your location data for certain features on the Application such as emergency assistance, or measuring your driving to allocate rewards.
    12.5.3 If you would no longer like us to collect location data, you may adjust your device settings. This will have an impact on certain features on the Application, such as the ability to locate you in case of emergency.
    
    12.5. A Google user data
    12.5.1A Once you have given the Application access to your Google user data, we collect your activity (steps) and heart rate data from the Google Fit app/s on your device/s.
    12.5.2A We use your Google user data to award you points and rewards.
    12.5.3A The Application's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
    12.5.4A If you would no longer like us to collect your Google user data, you may adjust your Google Fit app settings. This will have an impact on our ability to award you points and rewards.
    
    12.6 Protection of your Personal Information
    12.6.1 We value the information that you choose to provide and will take reasonable steps to protect your personal information from loss, misuse or unauthorised alteration. The information we have concerning our members is stored in databases that have built-in safeguards to ensure the privacy and confidentiality of that information.
    12.6.2 When you use the products, services, facilities, tools or utilities provided by us in Member Zone, you may be given an access number, username, password and/or personal identification number (PIN). You must always keep your user name, access card, password and/or PIN a secret and ensure that you do not disclose it to anyone.
    
    12.7 Correction of Personal Information
    12.7.1 If you ever want to update or correct any of your personal information held by us, you can e-mail us or you can phone our contact centre.
    
    12.8 Personal Information held by or disclosed by you or us to a third party
    12.8.1 Because we are not responsible for any representations or information or warranties or content on any third party website (including third party websites linked to this website, websites facilitated by us or websites that serve as social networks like Facebook or Twitter), we don’t exercise control over the privacy policies of these third parties and you should refer to the privacy notice of these third parties to see how they protect your privacy.
    12.8.2 We may enter into arrangements with its partners or other third party suppliers which will require us to disclose your personal information to these third parties for the purpose of transferring data to us from a device(s) that measures bodily functions or fluids. You hereby consent to us disclosing your personal information to these third parties for this purpose and you also consent to receiving data about yourself from these third parties. If at any time after you have given us your consent you no longer wish to disclose your personal information to these third parties, you may at any time withdraw your consent.
    
    12.9 Cookies and Online advertising
    12.9.1 We uses cookies. We use the word “cookie” to refer to information that is sent from Member Zone to your hard drive, where it is saved. In this way, the next time you use the Site Member Zone, we will know who you are and that you have visited Member Zone before. We also collect information about how you use the website, your preferences and past browsing history.
    12.9.2 We engage third parties that help us deliver banner advertisements and other online communications. The third parties may collect and use information about our members to help us understand the offers, promotions, and types of advertising that are most appealing to our members. The personal information they collect is aggregated and cannot be linked to a person.
    12.9.3 Third party vendors, including Google and DoubleClick, show our ads on sites on the internet.
    12.9.4 Third party vendors, including Google and DoubleClick, use cookies to serve ads based on a user's prior visits to our website.
    12.9.5 Users may opt out of Google and DoubleClick's use of cookies by visiting the Google advertising opt-out page or by visiting the Network Advertising Initiative opt out page.
    
    12.10 Changes to this Privacy Notice
    12.10.1 We may amend this privacy notice from time to time. We will give you notice of any material changes within a reasonable time, however, we recommend that you familiarise yourself with this privacy notice regularly.
    12.10.2 The current version of this privacy notice will govern the respective rights and obligations between you and us each time that you access and use Member Zone
    
    12.11 Which laws apply to this Privacy Notice
    12.11.1 This privacy notice is governed by the laws of the United Kingdom, and you consent to the jurisdiction of the English courts in respect of any dispute which may arise out of or in connection with the formation, interpretation, substance or application of this privacy notice.
    
    
13. VIRUSES, HACKING AND OTHER OFFENCES
    
    13.1 You must not misuse our Application by knowingly introducing viruses, trojans, worms, logic bombs or other material which is malicious or technologically harmful.
    
    13.2 You must not attempt to gain unauthorised access to, interfere with, damage or disrupt our Application, the server, equipment or network on which our Application is stored, any software used in the provision of our Application or any server, computer or database connected to our Application. You must not attack our Application via a denial-of-service attack or a distributed denial of service attack.
    
    13.3 By breaching this clause 13, you would commit a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities, and we will cooperate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use our Application will cease immediately.
    
    13.4 We will not be liable for any loss or damage caused by a distributed denial of service attack, viruses or other technologically harmful material that may infect your computer equipment, computer programs, data or other proprietary material due to your use of our Application or to your downloading of any material posted on it, or on any website linked to it.
    
    13.5 You must not reproduce duplicate, copy or re-sell any part of our Application in contravention of the provisions of these terms and conditions.
    
    
14. SUSPENSION AND TERMINATION
    
    14.1 We will determine, in our discretion, whether there has been a breach of these terms and conditions. When a breach of these terms and conditions has occurred, we may take such action as we deem appropriate including terminating this agreement. If this agreement is terminated for any reason you will delete our Application from your device and we have the right to block your access to the Application.
    
    14.2 Failure to comply with these terms and conditions constitutes a material breach of these terms and conditions upon which you are permitted to use our Application, and may result in our taking all or any of the following actions:-
    14.2.1 immediate, temporary or permanent withdrawal of your right to use our Application;
    14.2.2 immediate, temporary or permanent removal of any posting or material uploaded by you to our Application;
    14.2.3 issue of a warning to you;
    14.2.4 legal proceedings against you for reimbursement of all costs on an indemnity basis (including, but not limited to, reasonable administrative and legal costs) resulting from the breach;
    14.2.5 further legal action against you;
    14.2.6 disclosure of such information to law enforcement authorities as we reasonably feel is necessary.
    
    
15. OUR LIABILITY
    
    15.1 The Application is provided free of charge and therefore is provided to you on your own behalf without any guarantees, conditions or warranties as to its accuracy (whether express or implied). To the extent permitted by law, we, other members of our group of companies and third parties connected to us hereby expressly exclude liability for:-
    15.1.1 all conditions, warranties and other terms which might otherwise be implied by statute, common law or the law of equity;
    15.1.2 loss of profits;
    15.1.3 any direct, indirect or consequential loss or damage incurred by you in connection with our Application or in connection with the use, inability to use, or results of the use of our Application, any websites linked to it and any materials posted on it, including, without limitation any liability for:-
    (a) loss of income or revenue (whether direct or indirect);
    (b) loss of business (whether direct or indirect);
    (c) loss of profits or contracts (whether direct or indirect);
    (d) loss of anticipated savings (whether direct or indirect);
    (e) loss of data (whether direct or indirect), except where we have materially breached any relevant data protection laws or regulations which apply to us;
    (f) loss of goodwill (whether direct or indirect);
    (g) wasted management or office time (whether direct or indirect); and
    (h) for any other loss or damage of any kind, however arising and whether caused by tort (including negligence), breach of contract or otherwise, even if foreseeable, provided that this condition shall not prevent claims for loss of, or damage to, your tangible property or any other claims for direct financial loss that are not excluded by any of the categories set out above.
    
    15.2 This does not affect our liability for death or personal injury arising from our negligence, nor our liability for fraudulent misrepresentation or misrepresentation as to a fundamental matter, nor any other liability which cannot be excluded or limited under applicable law.
    
    15.3 Your sole right and remedy in the event of any defect in the Application or its operation, to the exclusion of all other remedies, will be to terminate the licences described in these terms and conditions and to delete the Application from your device.
    
    
16. OUR APPLICATION CHANGES REGULARLY
    We aim to update our Application regularly, and may change the content at any time. If the need arises, we may suspend access to our Application, or close it indefinitely. Any of the material on our Application may be out of date at any given time, and we are under no obligation to update such material.
    
    
17. OUR RIGHT TO VARY THESE TERMS AND CONDITIONS
    
    17.1 We may revise these terms and conditions at any time by amending this page. Please check this page from time to time which can be found on the Application login page. Material changes to these terms and conditions will be notified to you.
    
    17.2 You will be subject to the policies and terms and conditions in force at the time that you download our Application and then at the time that an Active Reward is generated, unless any change to those policies or terms and conditions is required to be made by law or governmental authority.
    
    
18. JURISDICTION AND APPLICABLE LAW
    
    18.1 The English courts will have exclusive jurisdiction over any claim or dispute arising from, or related to, the Application.
    
    18.2 These terms and conditions and any dispute or claim arising out of or in connection with them or their subject matter or formation (including non contractual disputes or claims) shall be governed by and construed in accordance with the law of England and Wales.
    
    
19. ASSIGNMENT
    You may not sub-license, assign or transfer in any way any of your rights, liabilities and/or obligations under these terms and conditions on a temporary or permanent basis to any third party without our prior written consent.
    
    
20. SEVERABILITY
    If any provision of these terms and conditions (or part of any provision) is found by any court or other authority of competent jurisdiction to be invalid, unenforceable or illegal, the other provisions will remain unaffected and in force.
    
    
21. ENTIRE AGREEMENT
    
    21.1 These terms and conditions and any document expressly referred to in them constitute the whole agreement between us and supersede all previous discussions, correspondence, negotiations, previous arrangement, understanding or agreement between us relating to the subject matter of these terms and conditions.
    
    21.2 We each acknowledge that, in entering into these terms and conditions, neither of us relies on, or will have any remedies in respect of, any representation or warranty (whether made innocently or negligently) that is not set out in these terms and conditions or the documents referred to in them.
    
    21.3 Each of us agrees that our only liability in respect of those representations and warranties that are set out in these terms and conditions (whether made innocently or negligently) will be for breach of contract.
    
    21.4 Nothing in this clause limits or excludes any liability for fraud.

Thank you for using our Application.

Quote:

As a prospective customer you may request us to provide a quote for one or more of our products. We will assess your application for insurance, and if we can, the price and other teams we can offer. By submitting a quote, you acknowledged that we can contact you via phone, email or SMS regarding that quote. We will retain that information for 13 months.

If you do not take up the quote, we will contact you in 12 months to see if you are interested.

Renewal Dates:

Where applicable and with your agreement we will capture renewal dates to enable us to contact you a month before renewal to see if we can interest you in our products. We will retain that information for 13 months.

Telephone Calls:

If you contact us by telephone, we may record calls for training and monitoring purposes to help improve our service and to detect and prevent fraud and to establish facts in the event of a complaints.

We may also use speech/text analytics to understand why you are calling to help direct your enquiry to the most appropriate contact area and to ensure compliance with internal standards.

Assessing your application:

Assessing your application for insurance, and if we can, the price and other terms we can offer.

When assessing your application your age and health status are the most important factors in determining insurability and the amount you pay for insurance coverage.

Your health status may be assessed through a physical exam, a health and medical history questionnaire, or a combination of both.

We will retain for 13 months if not proceeded with or 36 months if complaint received if no other Vitality relationship exists.

Business Lead Generation:

To help grow its business, Vitality engages third parties who provide telemarketing, lead generation, appointment setting and access to marketing databases. Use of such services involves the sharing of personal data. Vitality endeavours to only work with third parties who act with integrity and respect the privacy and security of personal data. Such contact is normally generated to you as the representative of your company not as an individual.

Back-Up purposes:

We retain a copy of all data to ensure that the information can be recovered in the event of a primary data failure. Primary data failures can be the result of hardware or software failure, data corruption, or a human-caused event, such as a malicious attack (virus or malware), or accidental deletion of data.

The back-up data is not readily accessible to staff but held in isolation with additional controls. Retention: 5 years

Vitality is a United Kingdom-based company specialising in Life, Health and general insurance sold to the UK market.

We use a customer relationship management system (CRM) to support and to deliver an excellent service to our Members and business partners. This means that we keep the personal data you provide us with, so that we can see the history and relevant details of your relationship with Vitality.

We collect information about you when you:

• Obtain a quote
• Become a Member or dependent on a plan, or healthy workplace programme
• Participate in one of our events or a competition
• Are a beneficiary of a plan
• Are a contact for a Supplier or Partner of Vitality
• Are a contact for a professional advisor.

Members

When you sign up to become a Member, whether this is through an insurance or investment plan or through the Vitality at Work Enterprise programme (collectively referred to as ‘plan’) we will use the personal data you provide (name, contact details, payment details) for the following purposes:

• Quote:
  For existing Members, we will personalise and discount quotes, where appropriate, at and individual level based on Vitality Member data. By submitting a quote, you acknowledged that we could contact you via phone, email or SMS regarding that quote. We will retain this information for the life of the plan + 7 years.
• Renewal Dates:
  Where applicable and with your agreement we will capture renewal dates to enable us to contact you a month before renewal to see if we can interest you in our products. We will retain that information for 13 months.
• Telephone Calls: If you contact us by telephone, we may record calls for training and monitoring purposes to help improve our service and to detect and prevent fraud and to establish facts in the event of a complaints. We may also use speech /text analytics to understand why you are calling to help direct your enquiry to the most appropriate contact area and to ensure compliance with internal standards.
• Assessing your application: Assessing your application for insurance, and if we can, the price and other terms we can offer. When assessing your application your age and health status are the most important factors in determining insurability and the amount you pay for insurance coverage.
  
  Your health status may be assessed through a physical exam, a health and medical history questionnaire, or a combination of both. We will retain for 13 months if not other Vitality relationship exists.
• Verifying your identity:
  To identify and verify (ID&V) Membership before we discuss a Members plan or perform a requested transaction. ID&V is available for IVR chat, web, and mobile channels. The service securely verifies individuals by asking them for a range of personal data such as their account number, postcode, data of birth and passwords. We will retain for seven years from end of the last active plan across Vitality Group as per standards.
  
  Retention: We will retain for seven years from end of the last active plan across Vitality Group as per standards To conduct credit reference check and to assess your application for credit. We will use your personal data to verify your identify and to make decisions about credit to check your ability to afford the finance you are purchasing. Retention: We will retain this information for 7 years from lapse of plan across Vitality Group as per standard.
• Administering and managing your plan:
  Administering the purchase of your plan, managing your plan, processing your premiums (insurance plans), processing payments, arranging the renewal, cancellation, or lapse of your plan, and managing your investments (Invest), rectifying point submission.
  
  Retention: We will retain for seven years from end of the last active plan across Vitality Group as per standards/
• Periodic reporting to our Regulator and HM Revenue & Customs.
  Maintaining tax privileged status of a plan (Invest) and complying with regulatory obligations such as the Financial Ombudsman’s Service, and the Information Commissioners Office.
• Handling claims made against your plan:
  Registering you claim, assessing your claim, processing payments for your claim, processing reinsurance recoveries. If you are an employee of a business or corporate plan, we will not disclose any health/medical information only aggregated data to the Group Secretary of the plan.
  
  If you are a beneficiary under the plan, we collect information about you when you make a claim under the plan.
  
  Retention: We will retain for seven years from end of the last active plan across Vitality Group as per standards. Car Claims involving minors will be retained for 21 years and 4 months.
• Resolving any complaints: Register your complaint and manage and resolve your complaint. Liaise with Regulatory bodies where applicable regarding your complaint. If your complaint relates to one of our third parties, we may pass on your details in order to resolve that issue of concern, particularly if that third party is a Data Controller
  
  Retention: We will retain for three years from end of the date of closure or 5 years of Investment complaint as per standards.
• Recovering debt that you owe to us: We will use your personal data for the recovery of unpaid debts or reimbursement of damages under a contract.
  
  Retention: We will retain for seven years from debt recover or end of plan whichever is longer as per standards.
• For the prevention and detection of fraud or money laundering:
  The investigating suspicions of fraud and money laundering and prosecuting fraud, this includes the investigation non-disclosure of existing pre-conditions.
  
  Retention: Civil cases and Criminal cases six year. On sentence 3 years after length of sentence.
• Management information purposes and internal analysis of products and services:
  Accounting and financial records, analysis, and reporting. Audit requirements, legal and professional advice, Research into market trends and customer demographics, pricing and underwriting analysis and systems security and effective operations.
  
  In our legitimate interests to understand our Members and provide improved communications and benefits to them, we will carry out demographic profiling and we may use depersonalised data for marketing, statistical, and analytical purposes.
  
  Retention: We will retain for seven years after which personal data will be deleted as per standards.
• Training purposes to improve your customer experience:
  Assessing customer experiences, identify staff training needs and to establish facts in the event of any complaints and to defend our legal position.
  
  Retention: Call recordings 3 years (where recorded).
• Age Calculator: Automated decision making:
  The simple tool helps you understand more about your health by calculating your Vitality Age, which you can compare to your actual age. This tool does not produce legal effect concerning you.
• Apps
  Vitality uses the Vitality App to enable Members to access their Member Zone through securely verifying individuals. Vitality is the Data Controller and lawful basis for data collection and use is set out in the Member section above.
  
  For detailed information on how the App collects and uses data see Vitality App section.
• Marketing:
  Where you consent, we will use your personal data to contact you about other products and service that Vitality may offer.
  
  To help us to provide the best level of service and offers to our Members, you can decide how you would prefer to be contacted or object to receiving these communications at any time through your Member Zone Account online or by contacting data.protection@Vitality.co.uk.
  
  Even where you opt out of marketing you will still receive information from us if it alters or amends the products, services and benefits that relate to your existing plan to meet our contractual obligations to you, and in our legitimate interests to keep you updated about activities at Vitality that affect your plan. This includes changes in existing offerings, and calls to action).
  
  Retention: life of an active plan, or upon changed by the individual or upon request.
  
  For full details please refer to your Terms and Conditions.
  
  We may share your information with third parties who we have commissioned to act on our behalf to fulfil certain business function to support our Members.
  
  All our third parties can be found at:
  Please click here to see the list of other companies who assist us in the provision of administration services, partners, and rewards.
• Surveys
  From time to time, we may undertake surveys using personal data, but we will only do this where you have consented, and you will be informed about the survey’s purpose and aims before participating. If the survey is undertaken by a third-party on our behalf, we will provide their details so you can make an informed decision on participation.
• Research
  We would like to deepen our connection with individuals who might wish to assist in our research. We are committed to nurturing collaborative relationships with our Members so that together we can grow and improve our products services in the future.
  
  There are some occasions where we participate in global research projects to better understand the social context of people’s health and fitness. Where we participate in such research in conjunction with academic research institutions the information provided by us de-personalised.
  
  Most of our research is internal and we use anonymised data to help develop products and services for the benefit of our Members.
  
  We may use anonymised data for analysis and to create profiles of characteristics. This allows us to ensure communications are relevant and timely, and to provide an improved experience for our Members. It also helps us understand our Members so that we can develop appropriate products and offers.
  
  From time to time, we may undertake internal research using personal data, but we will only do this where you have consented, and you will be informed about the research its purpose and aims before participating.
  
  Under data protection legislation, you have the right to object to your personal data being processed in this way. If you later decided, you wish to withdraw consent then you can contact data.protection@Vitality.co.uk with your request.
• Back-Up purposes:
  We retain a copy of all data to ensure that the information can be recovered in the event of a primary data failure. Primary data failures can be the result of hardware or software failure, data corruption, or a human-caused event, such as a malicious attack (virus or malware), or accidental deletion of data.
  
  The back-up data is not readily accessible to staff but held in isolation with additional controls. Retention: 5 years

Between The Client; and Vitality Health Limited, the respective supplier engaged by the Client on the basis of the terms and condition of Service.

Both parties are Independent Data Controllers of the Shared Personal Data.

Vitality also receives personal and/or special category data of Employees and/or their Dependents directly from those Employees and/or their Dependents. This personal data and/or special category data is not Shared Personal Data. As such, this data falls outside of this Agreement and is governed by Vitality’s own Privacy Notice.

1. Interpretation

The following definitions and rules of interpretation apply in these terms and conditions (the “Agreement”).

1.1 Definitions

For the purposes of these this Agreement:

“Agreed Purposes” means the setting up, management and administration of private medical insurance pursuant to the Client’s Plan to the Client’s Employees and Employee Dependents;

“Client” shall mean the party which discloses Shared Personal Data to Vitality;

“Data Controller” means any party insofar as they are acting as a controller within the meaning of applied GDPR Art 4.7;

“Data Discloser” means the Client who agrees to share the Shared Personal Data with the Data Receiver;

“Data Receiver” means Vitality who agrees to use the Personal Data on the terms set out in this Agreement;

“Dependent” mean the husband, wife, partner or any dependent child of an Employee where added to the Plan by the Group Secretary;

“Employee” shall mean each individual with the benefit of private medical insurance cover under the Plan. “Personal data”, “Special Categories of data/Sensitive Data”,

“Group Secretary” means the person in control of the Client’s Plan;

“Plan” means the private medical insurance scheme underwritten by Vitality;

“Process/processing”, “Controller”, “Processor”, “Data Subject” and

“Supervisory Authority” shall have the same meaning as in the UK Data Protection Act 2018. For the purposes of this Agreement references to a “data subject” shall mean the Client’s Employees/Employee Dependents;

“Shared Personal Data” means the personal data to be shared between the parties, as further outlined at clause 2.4;

“UK Data Protection Laws”, all applicable data protection and privacy laws in force from time to time in the UK, including the UK General Data Protection Regulation, the Data Protection Act 2018; the Privacy and Electronic Communications Directive 2002/58/EC (as updated by Directive 2009/136/EC) and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended.

2. Purpose

2.1 This Agreement sets out the framework for the sharing of Shared Personal Data between the parties as independent Data Controllers.

2.2 The parties consider this data sharing initiative necessary as part of the provision of private medical insurance. The aim of the data sharing initiative is to make it easier for the Clients Employees and/or Dependents to get healthier and reward them when they do. It will serve to benefit the Client, Employees and/or Dependents of the Client’s Plan.

2.3 Each party acknowledges and agrees that:
   a. the Client will regularly disclose to Vitality the Shared Personal Data collected by the Client for the Agreed Purposes;
   b. Vitality provides private medical insurance directly to each of the Client’s individual Employees and any Employee Dependants who qualify for cover under the Client’s Plan. Accordingly Vitality determines the ways and means of its processing of the Shared Personal Data and does not act on the instructions of the Client in relation to the processing of the Shared Personal Data.

2.4 The following types of Shared Personal Data will be shared between the parties during the term of this agreement:
   a. Name
   b. Date of Birth
   c. Designation
   d. Email contact details
   e. Address
   f. Telephone number
Special categories of Personal Data will not be shared between the parties.

3. Lawful, fair and transparent processing

3.1 Each party shall ensure that it processes the Shared Personal Data fairly and lawfully in accordance with clause 3.2.

3.2 Each party shall ensure that it has legitimate grounds under the Data Protection Laws for the processing of Shared Personal Data.

3.3 The Data Discloser shall, in respect of Shared Personal Data, ensure that it provides clear and sufficient information to the data subjects, in accordance with the Data Protection laws, of the purposes for which it will process their personal data, the legal basis for such purposes and such other information as is required by Article 13 of the applied GDPR including:

   a. if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable     the data subject to understand the purpose and risks of such transfer; and

   b. if Shared Personal Data will be transferred outside the EEA pursuant to clause 0 of this Agreement, that fact and sufficient information about such transfer,       the purpose of such transfer and the safeguards put in place by the controller to enable the data subject to understand the purpose and risks of such transfer.]

3.4 The Data Receiver undertakes to inform the Data Subjects, in accordance with the Data Protection laws, of the purposes for which it will process their personal data, the legal basis for such purposes and such other information as is required by Article 14 of the applied GDPR including:

   a. if Shared Personal Data will be transferred to a third party, that fact and sufficient information about such transfer and the purpose of such transfer to enable     the data subject to understand the purpose and risks of such transfer; and

   b. if Shared Personal Data will be transferred outside the EEA pursuant to clause 0 of this Agreement, that fact and sufficient information about such transfer,       the purpose of such transfer and the safeguards put in place by the controller to enable the data subject to understand the purpose and risks of such transfer.

4. Rights of Data Subjects

4.1 Each party agrees to have processes in place to comply with requests from Data Subjects to exercise their rights under the Data Protection Laws within the time limits imposed by the Data Protection Laws.

5. Data Retention and Deletion

5.1 The Data Receiver shall not retain or process Shared Personal Data for longer than is necessary to carry out the Agreed Purposes.

5.2 Notwithstanding clause 5.1, the parties shall continue to retain Shared Personal Data in accordance with any statutory or professional retention periods applicable in their respective countries and / or industry.

5.3 The Data Receiver shall ensure that any Shared Personal Data are destroyed in accordance with its deletion procedure in the following circumstances:
   a. on termination of this Agreement;
   b. on expiry of the Term of this Agreement;
   c. once processing of the Shared Personal Data is no longer necessary for the
purposes it was originally shared for.

6. Transfers

6.1 For the purposes of this clause, transfers of personal data shall mean any sharing of Shared Personal Data by the Data Receiver with a third party, and shall include, but is not limited to, the following:
   a. subcontracting the processing of Shared Personal Data;
   b. granting a third party controller access to the Shared Personal Data.

6.2 If the Data Receiver appoints a third party processor to process the Shared
Personal Data it shall comply with Article 28 and Article 30 of the applied GDPR.

6.3 The Data Receiver may not transfer Shared Personal Data to a third party located outside the
EEA unless it:
   a. complies with the provisions of Articles 26 of the applied GDPR (in the event the third party is a joint controller); and
   b. ensures that:
      i. the transfer is to a country approved by the European Commission as providing adequate protection pursuant to Article 45 of the applied GDPR;
      ii. there are appropriate safeguards in place pursuant to Article 46 of the applied GDPR;
      or
      iii. one of the derogations for specific situations in Article 49 of the applied GDPR applies to the transfer.

6.4 The Data Receiver is part of the Discovery Group of companies and is owned by
Discovery Limited, a financial services firm based in South Africa. As part of this relationship, Discovery undertake a number of business processes on behalf of the Data Receiver. Such processes include underwriting and claims administration services. The delivery of such services requires the Data Receiver to share data relating to its customers with Discovery and is undertaken in accordance with Article 46 of the applied GDPR.

7. Security and training

7.1 The parties undertake to have in place appropriate technical and organisational security measures to:
   a)   prevent:
      i. unauthorised or unlawful processing of the Shared Personal Data; and
      ii. the accidental loss or destruction of, or damage to, the Shared Personal Data;
   b)   ensure a level of security appropriate to:
      i. the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage; and
      ii. the nature of the Shared Personal Data to be protected.

7.2 It is the responsibility of each party to ensure that
   i) its staff members are appropriately trained to handle and process the Shared Personal Data in accordance with the technical and organisational security of that party together with any other applicable national data protection laws and guidance and
   ii) have entered into confidentiality agreements relating to the processing of personal data.

8. Personal data Breaches and reporting procedures.

8.1 The parties shall each comply with its obligation to report a Personal Data Breach to the appropriate Supervisory Authority and (where applicable) data subjects in accordance with Article 33 of the applied GDPR.

8.2 Where appropriate Vitality will provide all reasonable information to the Client to enable them to manage their employee expectations, and will aim to do so within 72 hours, to ensure that any actions do not prejudice any internal investigations or those by the police/Regulator.

9. Resolution of disputes with data subjects or the Supervisory Authority.

9.1 In the event of a dispute or claim brought by a data subject or the Supervisory Authority concerning the processing of Shared Personal Data against either or both parties, the parties will inform each other about any such disputes or claims, where appropriate, and will cooperate with a view to settling them amicably in a timely fashion.

9.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a data subject or by the Supervisory Authority. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or
other dispute resolution proceedings developed for data protection disputes.

9.3 Each party shall abide by a decision of a competent court of the Data Receiver's country  of establishment or of the Supervisory Authority.

10. Warranties

10.1 Each party warrants and undertakes that it will:
   a. Process the Shared Personal Data in compliance with all applicable laws,
enactments, regulations, orders, standards and other similar instruments that apply to its personal data processing operations.
   b. Make available on request to the data subjects who are third party beneficiaries a copy of this Agreement, unless the Agreement contains confidential information.
   c. Respond within a reasonable time and as far as reasonably possible to enquiries from the relevant Supervisory Authority in relation to the Shared Personal Data.
   d. Respond to Subject Access Requests in accordance with the Data Protection Law.
   e. Where applicable, pay the appropriate fees with all relevant Supervisory Authorities to process all Shared Personal Data for the Agreed Purpose.
   f. Take all appropriate steps to ensure compliance with the security measures set out in clause 0 above.

10.2 The Data Discloser warrants and undertakes that it is entitled to provide the Shared Personal Data to the Data Receiver and it will ensure that the Shared Personal Data are accurate.

10.3 The Data Receiver warrants and undertakes that it will not disclose or transfer Shared Personal Data outside the EEA unless it complies with the obligations set out in clause 6.

10.4 Except as expressly stated in this Agreement, all warranties, conditions and terms, whether express or implied by statute, common law or otherwise are hereby excluded to the extent permitted by law.

11. Indemnity

11.1 The Data Discloser and Data Receiver undertake to indemnify each other and hold each other harmless from any cost, charge, damages, expense or loss which they cause each other as a result of their breach of any of the provisions of this Agreement, except to the extent that any such liability is excluded under clause 12.2.

11.2 Indemnification hereunder is contingent upon:
   a. The party(ies) to be indemnified (the “indemnified party(ies)”) promptly notifying the
other party(ies) (the “indemnifying party(ies)”) of a claim,
   b. the indemnifying party(ies) having sole control of the defence and settlement of any such claim, and
   c. the indemnified party(ies) providing reasonable co-operation and assistance to the indemnifying party(ies) in defence of such claim.

12. Limitation of liability

12.1 Neither party excludes or limits liability to the other party for:    
   a. fraud or fraudulent misrepresentation;
   b. death or personal injury caused by negligence;
   c. a breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or section 2 of the Supply of Goods and Services Act 1982; or
   d. any matter for which it would be unlawful for the parties to exclude liability.

12.2 Subject to clause 12.1 neither party shall in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), and misrepresentation (whether innocent or negligent), restitution or otherwise, for:
   a. any loss (whether direct or indirect) of profits, business, business opportunities, revenue, turnover, reputation or goodwill;
   b. loss (whether direct or indirect) of anticipated savings or wasted expenditure
(including management time); or
   c. any loss or liability (whether direct or indirect) under or in relation to any other contract.

12.3 Clause 12.2 shall not prevent claims, for:
   a. direct financial loss that are not excluded under any of the categories set out in clause 12.2 (a); or
   b. tangible property or physical damage.

13. Third party rights

13.1 Except as expressly provided in clause 4 (data subjects rights) a person who is not a party to this Agreement shall not have any rights under the Contracts (Rights of Third Parties) Act 1999 to enforce any term of this Agreement.

13.2 The rights of the parties to terminate, rescind or agree any variation, waiver or settlement under this Agreement are not subject to the consent of any other person.

14. Direct marketing

14.2 If the Data Receiver processes the Shared Personal Data for the purposes of direct marketing, each party shall ensure that:
   a. the appropriate level consent has been obtained from the relevant data subjects to allow the Shared Personal Data to be used for the purposes of direct marketing in compliance with the Data Protection Law; and
   b. effective procedures are in place to allow the data subject to "opt-out" from having their Shared Personal Data used for such direct marketing purposes.

15. Variation

15.1 No variation of this Agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).

16. Waiver

16.1 No failure or delay by a party to exercise any right or remedy provided under this Agreement or by law shall constitute a waiver of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of such right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

17. Severance

17.1 If any provision or part-provision of this Agreement is or becomes invalid, illegal or unenforceable, it shall be deemed deleted, but that shall not affect the validity and enforceability of the rest of this agreement.

17.2 If any provision or part-provision of this agreement is deemed deleted under clause 17.1, the parties shall negotiate in good faith to agree a replacement provision that, to the greatest extent possible, achieves the intended commercial result of the original provision.

18. Changes to the applicable law

18.1 If during the duration of this Agreement the Data Protection Law changes in a way that this Agreement is no longer adequate for the purpose of governing lawful data sharing exercises, the parties agree that the parties will negotiate in good faith to review the Agreement in the light of the new laws.

19. No partnership or agency

19.1 Nothing in this Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, or authorise any party to make or enter into any commitments for or on behalf of any other party.

19.2 Each party confirms it is acting on its own behalf and not for the benefit of any other person.

20. Entire agreement

20.1 This Agreement constitutes the entire agreement between the parties and supersedes and extinguishes all previous agreements, promises, assurances, warranties, representations and understandings between them, whether written or oral, relating to its subject matter.

20.2 Each party acknowledges that in entering into this Agreement it does not rely on, and shall have no remedies in respect of any statement, representation, assurance or warranty (whether made innocently or negligently) that is not set out in this Agreement.

20.3 Each party agrees that it shall have no claim for innocent or negligent misrepresentation or negligent misrepresentation based on any statement in this Agreement.

21 Further assurance

21.1 At its own expense, each party shall, and shall use all reasonable endeavours to procure that any necessary third party shall, promptly execute and deliver such documents and perform such acts as may reasonably be required for the purpose of giving full effect to this Agreement.

Assessing your application
We collect information about you when you create a user account, log in to our recruitment system, or provide information in support of your application to work with Vitality. We will use the personal data you provide to administer your application throughout the recruitment process and to monitor Vitality’s equal opportunities policy and practices. 
By submitting your completed application form you are consenting to your personal data being used and held for the purposes described above.

All recruitment decisions are made in line with our Recruitment Framework. We do not use your information to make automated decisions regarding your suitability for a role but may use automated processes for assessments.

Application forms of successful candidates will be kept by Vitality and will form the basis of the employment contract and personnel record. Application forms of unsuccessful candidates will be kept for a minimum of 13 months (unless it is an Actuarial role in which case it is retained for 7 years with your consent and then securely destroyed. This is in accordance with our retention schedules. Not all records can be deleted immediately; Vitality has statutory, legal, business continuity and administrative requirements to hold on to certain records for specified periods. 

Vitality receives your application and personal data either directly or via our online recruitment solution provider [need their web address/privacy notices]. Your information will not be passed to any other third parties or organisations during the recruitment process.
Job applicants are responsible for ensuring that the information they provide to us is correct and should and let us know of any changes as soon as possible. You can manage the data you provide via the application gateway, a link to which will be emailed to you once you have started your application. The application gateway allows you to withdraw or delete your application at any time.

Back-Up purposes:
We retain a copy of all data to ensure that the information can be recovered in the event of a primary data failure. Primary data failures can be the result of hardware or software failure, data corruption, or a human-caused event, such as a malicious attack (virus or malware), or accidental deletion of data.

The back-up data is not readily accessible to staff but held in isolation with additional controls. Retention: 5 years

Cookies
Cookies are small data files that a website can transfer to an individual’s computer hard drive for record keeping. Cookies can make websites easier to use by storing information about your preferences on a particular website. The information may remain on your computer after the Internet session finishes and you leave the website, but you can delete them using some browsers, manually or using system utilities. Most internet browsers are pre-set to accept cookies.

If you wish to restrict or block the cookies, which are set by Vitality websites, or any other website, you can do this through your browser settings. The Help function within your browser should tell you how.  For more information on cookies and their uses, visit the cookies page on the Information Commissioner’s Office website.

For more information on our Cookie policy please see https://www.vitality.co.uk/accessibility/cookies/ 

Other websites, web applications and third-party service providers
Our website may contain links to third party websites or applications. Our Privacy Notice does not govern these websites or applications. These applications are owned and operated by third parties and are governed by their own specific terms. We make all reasonable efforts to ensure any third parties Vitality uses will protect your information in line with DP Laws. However, we will not accept responsibility for third-party applications or for any loss or damage arising from your use of them.

Please click here to see the list of other companies who assist us in the provision of administration services, partners, and rewards.

Please note that when you make a booking with one of the service providers or sign up to receive a service or benefit, your personal data is being held and used by that organisation for the relevant purposes.

Google Analytics
We use Google Analytics to collect information about how our visitors use and navigate Vitality’s website. We use this information to report to analyse usage of the website so that we can continually work to improve the site and your experience of it. The cookies collect information such as the number of visitors to the site, which pages they visited and whereabouts they came to the site from. This information is anonymous and cannot be used to identify you personally.

Personalised advertising
If you browse Vitality’s website, you may receive personalised banner advertisements whilst browsing other reputable websites or social media platforms. Vitality has a legitimate interest in marketing our activities to those with an existing interest in Vitality to help raise our profile.  We are committed to providing you with information on products and offers which are relevant to you. The banner advertisements will relate to products or services which have been viewed whilst browsing Vitality’s website on your computer or other device. This service is provided by Vitality via reputable third-party specialist companies like google, Facebook and LinkedIn, using cookies placed on your computer or other device. These companies may choose to target you based on your IP host address and non-Personally Identifiable Information (Non-PII). This includes but is not limited to the date and time of activity online, the pages viewed, browser type, referring URL, Internet Service Provider, and operating system. These companies do not collect Personally Identifiable Information (PII) such as name, address, phone number, email address or credit card information.

You can visit these individual companies and read their privacy policies for more information on how to opt out. 

You may also opt out of receiving further personalised advertisements in the future by clicking on the bottom right-hand corner of any advertisement you receive and following the instructions.

User Accounts
We collect information about you when you create a user account and log in to the following website services:

• Membership access
• Online browsing 
• Applying for a job

We will keep your information for the necessary period for the above purposes in accordance with our retention schedules and legal compliance. For more information, please see the relevant section(s) of this Privacy Notice and find out more.

Once your personal information is no longer required, we will delete it from our records in a secure manner. Not all records can be deleted immediately; Vitality has statutory, legal, business continuity and administrative requirements to hold on to certain records for specified periods.

Surveys
We occasionally run surveys to improve our website and services. Cookies are used to allow the form or pop-up survey to be hidden on your return visits. This is to prevent you from being shown the survey again unnecessarily. Cookies are also used to record the overall number of answers to the survey questions and to link these to web statistics. They do not store your personal data.

Contacting Vitality
We collect information about you when you make an enquiry, provide feedback, or send us a message via the website or an email enquiry form. We will use the personal data you provide (name and contact details) to respond to you and take any necessary action. We use your information for these purposes as part of legitimate interest.

Your personal information you provide for these purposes will not be shared with external third parties or any other organisations.

We will keep your information in accordance with our retention schedule after your last meaningful contact with Vitality, and then your enquiry, complaint or feedback will be anonymised. This is in accordance with our retention schedules and legal compliance. 

Once your personal information is no longer required, we will delete it from our records in a secure manner. Not all records can be deleted immediately; Vitality has statutory, legal, business continuity and administrative requirements to hold on to certain records for specified periods.

Links to non-Vitality websites
Vitality accepts no responsibility or liability for content on third party websites. Users clicking on links to external sites should check the Terms and Conditions and Privacy Policy of the site they are visiting.

Brokers and Advisors
We will identify and verify you to ensure that you are the authorised representative of the Member before we are able to discuss a Members plan or perform a requested transaction. ID&V is available for IVR, chat, web, and mobile channels. The service securely verifies individuals to ensure that you are linked to that Member. 

Telephone Calls:
If you contact us by telephone, we may record calls for training and monitoring purposes to help improve our service and to detect and prevent fraud and to establish facts in the event of a complaints.  

We may also use speech /Text analytics to understand why you are calling to help direct your enquiry to the most appropriate contact area and to ensure compliance with internal standards. 

Vitality Academy/Training Service
If you sign up to the Vitality Academy or other Training Services, then we will process your data regarding your engagement with the training courses available on those platforms.  

We may notify you of new content, as well as recommending relevant content to you. 

For the purposes of our training services, we may share your information with your dedicated account manager/business consultation who may contact you to discuss your engagement with those service, to help drive improvements of our platform and library.

We may also share your personal data with your firm and your network such as courses taken  courses taken and we may also share your course engagement with a representative of your firm or network. 

We will retain this information for 6 years from when eligibility to those services ceases. This will enable you to change employer but retain access to the service if you remain eligible. You will remain eligible if you work for or are contracted to a financial adviser firm. 

Back-Up purposes:
We retain a copy of all data to ensure that the information can /be recovered in the event of a primary data failure. Primary data failures can be the result of hardware or software failure, data corruption, or a human-caused event, such as a malicious attack (virus or malware), or accidental deletion of data.

The back-up data is not readily accessible to staff but held in isolation with additional controls. Retention: 5 years.

Competitions
From time-to-time Vitality run competitions. For this purpose, we collect information about you when you enter one of our competitions hosted by Vitality or one of our Third-party vendors.

We will use the personal data you provide for the purpose of administering your entry, keeping you informed about the judging results and to organise delivery and collection of your prize.

If you are selected as a winner and entitled to a prize, Vitality will process your personal data, including financial information, if relevant, for the purposes of issuing that prize to meet Vitality’s obligations under its contract with you. This information will be retained for 6 years form the end of the financial year.

To comply with our legal obligations, at the close of the competition we must either publish or make available information that indicates that a valid aware took place – ordinarily the initial and surname of major prize winners and, if applicable, their winning entries.

In addition, your name, contact details and data of birth will be kept for statistical purposes and to ensure future entries have not been submitted before. This is in accordance with our retention schedule and legal compliance.

Once your personal information is no longer required, we will delete it from our records in a secure manner. Not all records can be deleted immediately: Vitality has statutory, legal, business continuity and administrative requirements to hold onto certain records for specified periods. 

CCTV
CCTV may be used to monitor the building and the public areas to protect visitors and staff in those premises. Vitality does not operate CCTV at all premises as this may the responsibility of the Landlord. Where it is and in the event of a security incident, CCTV footage (which may include images of you) will be shared with the police and/or local authorities where it is our legal obligation and is appropriate to do so.

Unless it is required by police and/or local authorities for their investigations, CCTV footage is deleted in accordance with the business owner’s retention period. 

Onsite Third-Party Service Providers [Catering, cleaners & Security]
Some of Vitality’s onsite services are operated by third parties and are governed by their own specific terms. Our Privacy Notice does not govern these third parties. We make all reasonable efforts to ensure any third parties Vitality uses will protect your information in line with DP laws. However, we will not accept responsibility for third party applications or for any loss or damage arising from your use of them.

These include, but not limited to catering, cleaning, and physical security service.

Freedom of Information Act enquiries
The Freedom of Information Act does not apply to Vitality as it does not fall within the definition of a public authority. Any requests under the Freedom of Information Act will by necessity be declined. 

Administering your Request under these Rights
We will retain personal information regarding any request made under these rights to keep an accurate log of when a request was received, when clarification is requested and when a response is provided to ensure that the response deadlines are met and to provide evidence to the Regulator of our management of these rights. This means that even with a request under the Right to be forgotten (erasure) some personal data will be retained. 

All rights will be responded to within one month unless an exemption is applied, excluding the right to object to processing which is within 21 days. 

Using Portals
Several companies offer services to help manage people’s personal data, either for subject access requests, erasure, or rectification request. Whilst these are simple to use, and you can reach many organisations at once they rarely provide organisations with information, we need to identify you. One size does not fit all and in most cases, this results in use decline the request due to insufficient information to us to identify you. 

It is more effective to contact us directly using the contact details provided for each type of request. Please provide as much information as possible but at lease the following to assist us fulfilling your request. 

• Member/Ex-Members: then your name and address, your Membership / Entity number, and your email address. If you use, contact details than those we hold on record this will delay the process.
• If a non-Member: then your name and address, any unique reference number and relationship e.g., quote, job applicant.

Right to be informed
You have the right to be informed about the collection and use of their personal data. You may make a request for this information, but the information you are entitled to is set out in this Privacy Notice as it sets out Vitality’s purposes for processing your personal data, our retention periods for that personal data, and who it will be shared with. 

The quickest way to email data.protection@Vitality.co.uk. Alternatively, you can speak to an advisor and ask them for forward the request to data protection. 

Your right of access (Making a Data Subject Access Request)

• You
  When you ask us whether we are using or storing your personal information, or for copies of your personal information, this is commonly known called as Data Subject Access Request (SAR). When you submit a DSAR or correspond with staff with respect to any request you have submitted, we will use the personal data you provide (name, contact details and any further information you choose to provide) for the purposes of recording and responding to your request. If you make a request using different contact details e.g., phone number, email address than the one we hold on to you we may request additional information to verify your identity. We use your information for these purposes as part of legal obligation to comply with DP Laws. 
  
  We will not share the personal information you provide when you submit a DSAR with external third parties or any other organisations when we respond to your request. In response to any enquiries from the Financial Ombudsman Service or the Information Commissioner Office enquiries, Vitality may be required to share personal data to fully assist the Regulators with the fulfilment of their functions. 
  
  Vitality retains case files for individual DSARs for two years from receipt, after which they will be destroyed, unless it is subject part of a complaint to us or the Information Commissioners Office in which case it will be retained for 3 years. Anonymised information relevant to your DSAR maybe kept permanently for statistical reasons only.
  
  Once your personal information is no longer required, we will delete it from our records in a secure manner. Not all records can be deleted immediately; Vitality has statutory, legal, business continuity and administrative requirements to hold on to certain records for specified periods.
  
  Please note that any ‘written’ disclosure will be in a commonly used format. Call recordings provided in audio format.  Machine readable formats are restricted to the Right to Portability (Art. 20) 
  
  
• Requests of behalf of Children: 
  Even if a child is too young to understand the implications of their rights, they are still their rights, rather than anyone else’s such as a parent or guardian.  At aged 13 or over they are generally of sufficient age and maturity to be able to make decisions and competent to provide their own consent. In this situation it is reasonable to assume they are also competent to exercise their own data protection rights. 
  
  They may authorise someone else to act on their behalf, which could be a parent, another adult or a representative but we still have an obligation to ensure that the consent is freely given and in the best interests of the child. 
  
  
• Requests for personal information of a Deceased: 
  The DP laws do not apply to a deceased person. However, as the information we hold was provided during the person’s life and in confidence we continue to honour those obligations. Unless the individual made it absolutely clear who could see their health/medical information you will not be able to see their record after death even if you are a family member / next of kin or beneficiary of the plan. 
  
  Outside of the DP Laws you may be entitled as a beneficiary to information about the plan and limited information if a claim is declined or adjusted but not the medical / health we hold.  A request to access a person’s ‘medical record’ must be addressed to their GP not Vitality.  
  
  The quickest way is to email DSAR@Vitality.co.uk. Alternatively, you can speak to an advisor and ask them for forward the request to the DSAR team but see the two sections below on Children and Deceased persons

Right to Rectification.  
It is important that the information we hold about you is accurate, therefore please let us know of any changes to the personal information you give to us. 

If you think that the information, we hold have you is incorrect or out of date you can request that the information is updated. Whist you can write to us the quickest way to update your information is to contact our normal telephone lines and ask the adviser to amend those details. 

Alternatively, you can speak contact us via  email at data.protection@Vitality.co.uk.

Right of erasure
You have the right to request that we delete your personal data. However, this is not an absolute right and may not apply where it is necessary for us to continue to use the data for a lawful or legitimate reason or to fulfil our obligations under other regulations such as the Financial Conduct Authority rules). We have set out at a high level the circumstances where erasure is may occur.

• Quotes:
  In most circumstances if you submitted a quote and have no other relationship with Vitality, we can delete your personal data from the quote journey. 
• Applications:
  If the applicant has not proceeded beyond application form e.g., no underwriting decision and offer has been made it is likely we will positively consider deletion. However, if the application becomes an active plan, then we will retain for 7 years from the lapse of that plan and in certain circumstance such as failure to disclose pre-existing conditions we may retain the information for the purposes of fraud prevention even if the plan did not become active.
• Plan Holders/Dependents:
  If you are a Member or ex-Member of Vitality, we are required to retain your information for the life of that plan or 7years from your lapse from that plan to meet our regulatory obligations under the Financial Conduct Authority rules. 
• Complaints:
  If you have submitted a complaint or a complaint on any of the matters above then we will retain that data for 3 years from the closure of that complaint.  
  
  The quickest way to email data.protection@Vitality.co.uk. Alternatively, you can speak to an advisor and ask them for forward the request to data protection

Right to restrict processing
You can ask to restrict or suppress your personal data. However, this is not an absolute right and only applies in certain circumstances. This may be because there are issues with the content of the information we hold or how we have processed your data. We will still hold that data whilst we investigate the issue, but it may prevent us from other processing activities such as progressing a claim during this time. 

The quickest way to email data.protection@Vitality.co.uk. Alternatively, you can speak to an advisor and ask them for forward the request to data protection. 

Right to data portability
This right allows you to obtain and reuse your personal data for your own purposes across different services. The data must be supplied in a machine-readable format such as CSV, XML and JSON. 

This right does not provide a copy of the personal data we hold on to you but a small subset only as it is limited to information processed under consent or performance of contact and where that data is processed by automated means. Generally, this means you will only receive your personal contact details an any fitness data supplied via your devices to us. 

Please note that any ‘written’ disclosure will be in a commonly used format. Call recordings provided in audio format.  Machine readable formats are restricted to the Right to Portability (Art. 20) 

It will not provide claims, health data, or points data.  

The quickest way to email data.protection@Vitality.co.uk. Alternatively, you can speak to an advisor and ask them for forward the request to data protection. 

Right to object.
You have an absolute right to object to processing for direct marketing purposes. If you are an existing Vitality Member you can update your preferences yourself via managing my preference, in Member Zone alternatively you can ask one of our advisors to amend the records. These changes are not immediate, and some ‘inflight’ activities such as our magazine may still be processed. As a rule, most changes can take up to a week to complete.

The quickest way to email data.protection@Vitality.co.uk. Alternatively, you can speak to an advisor and ask them for forward the request to data protection.

If you are an Ex-Member your account will be closed so you will need to contact the above email address or speak to an advisor and ask them to forward the request to data protection.  

Rights in relation to automated decision making and profiling
This right only applies where the processing activity relates to solely automated decision-making that has legal or similarly significant effects on them. Automated decision which may have legal or similar effect are:

• On-line decisions to offer cover 
• Credit Reference Checks
• Recruitment Aptitude test which uses pre-programmed algorithms and criteria

We have processes which enable individual to request a review of those decision by an individual. 

Not all automated decision-making has legal or similar significant effect such as our:

• age calculator, or 
• machine learning that predicts Member’s health or the likelihood of a treatment being successful for individuals based on certain group characteristics. 

The quickest way to email data.protection@Vitality.co.uk. Alternatively, you can speak to an advisor and ask them for forward the request to data protection.