In this day and age, more and more information is being uploaded and
shared across the web. For you to be confident using our services we
want you to trust that not only are we providing you with the best
deal, we’re also committed to ensuring your privacy is protected.
When we ask you to provide certain information, or obtain certain
information by which you can be identified, rest assured that your
page. Where we make significant changes to it, for instance by adding
a new reason for processing your personal data, we will also notify
you of those changes via the email address that we hold for you.
12th July, 2018.
Who are Bought By Many?
We are your data controller for the purposes of the personal data we
will collect. Our details are as follows:
Bought By Many Ltd, a limited company registered in England with the
company registration number 07886430 and registered address at Unit 1b
Summers Street, London, England, EC1R 5BD.
If you wish to contact us in relation to this notice, or data
protection generally, please contact our Data Protection Officer by
email@example.com or by
post using the address above, marked for the attention of the Data
How do we process your data?
Many and this website (boughtbymany.com).
We will collect and process your personal data under some, if not all,
of the following lawful bases: contractual necessity, our legitimate
interests, consent, because it’s necessary for us to comply with a
legal obligation, the personal data has been manifestly made public
and where the processing is necessary for reasons of substantial
Contractual necessity is where we collect your personal data because
it is necessary for us to provide you with a quote or a contract of
insurance. Without this data, we wouldn’t be able to provide you with
a quote or arrange an insurance policy for you.
We need personal data for the following reasons in order to provide
our service to you:
To arrange and administer insurance on your behalf. This will
include several types of correspondence either via our website
including live chat, or by post, email or phone, for example:
non-marketing communications about obtaining a quote and
purchasing a policy, your welcome pack and policy documents,
payment reminders, arrears notifications, confirmation of your
cancellation, renewal documents, complaint communications, any
mid-term adjustments you may make to your policy, and any
communications in response to a query you have sent us.
To enable us to introduce you to an insurer that offers insurance
policies to meet your insurance needs.
Organisations can rely on “legitimate interests” to process personal
data where: (a) their reason for processing personal data is a
legitimate business interest (e.g. it is not illegal and it actually
receives a benefit from it); (b) the processing is a proportionate way
of achieving that interest; and (c) that legitimate business interest
is not outweighed by the impact on the individual. We have completed
that assessment and are satisfied with it for each of the purposes set
You do have a choice as to whether you provide us with your personal
information and you have the right to object to us using your data for
our legitimate interests, please see “
Section 12 – Right to object”. However, if
you decline to provide us with certain personal information this may
impact the services that we can offer to you.
We have a legitimate interest in each of the following:
Sending you promotional emails about products or groups we think
you may be interested in.
Customising our website according to your interests (e.g. we might
give pet insurance products more prominence on the page because
you have told us you have a dog).
Customising the marketing material we send you (e.g. we send
newsletters containing relevant articles based on your activity on
Targeting online advertising to you on other websites because we
believe it is relevant to you. For example, we might ask Google,
Facebook or Snapchat to either (a) show you adverts based on your
characteristics or interests, e.g. to only show our advert to
people interested in dogs; or (b) show you adverts based on your
visit to our website, e.g. where you have read an article about
specialist pet insurance, we might show you an advert for one of
our specialist pet insurance products.
Obtaining financial reports from insurers detailing purchases by
Bought By Many members on third-party insurer websites.
Improving our products, services and offers by emailing you asking
you to complete Feefo customer experience reviews, which enable
you to leave reviews of how you found the experience of dealing
with Bought By Many.
Monitoring website usage, including website usage statistics and
third-party hyperlink click tracking. We use google analytics to
do this and we do not have access to the underlying data, only
aggregated views of it (e.g. to see how many users visited our
website in a certain timeframe, which pages were most popular, and
which website visitors came from for instance directly, via
Google, or from Facebook).
Tracking if you have purchased a product from a cash-back site to
enable us to pay the correct third-party.
Creating Management Information to help us with pricing decisions.
- Bringing a legal claim or defend legal claims against us.
Using your comments on specific social media posts to inform the
development of new insurance products.
Where we rely on consent, we will only process your personal data in
that way if you have told us we can. Usually this will be by ticking a
box or agreeing over the phone. You have the right to withdraw consent
at any time (see the section titled “
Section 11 - How do you withdraw your consent for us to process your
personal data? ” below).
We rely on consent to:
Send you marketing communications that relate to medical
conditions, or our Urgent Medical Travel product; or
Process special categories of personal data (medical data) where
each to conduct research into potential new health and well-being
products aimed at persons with manageable medical conditions such as
diabetes or depression.
- using surveys and discussion groups; or
using private messages you have sent us via email or social
media in response to our request for input,
This is where we are required by a law or regulation to process your
data to fulfil our legal obligations.
We process your personal data to comply with our legal obligations
We are required by our regulator to analyse customer feedback on
the product to enable us to make product improvements.
We are required to complete a sanctions check prior to selling
insurance to a customer. A sanctions check is a search of an
individual against government sanction databases that identify
people who are prohibited from entering the financial services
environment, including buying insurance products.
We are required to confirm whether you have received and/or opened
policy related emails (e.g. your policy documents when you
purchase a policy from us).
Manifestly made public
Where you post a comment on our Facebook page, for instance where we
have asked for thoughts on living with a particular health condition,
we may use that comment (which may include medical data) to inform the
development of new insurance products.
Where we need to process special categories of data (e.g. data
relating to your health) in order to arrange or administer your
insurance policy, we do so because it is necessary for reasons of
substantial public interest (as set out in UK data protection law).
What personal data do we collect?
To enable us to process your data for the reasons set out in “
Section 3 – How we process your data”, we
collect the following personal data:
Personal information such as name, date of birth, email address,
postal address, telephone number.
- Details of your insurance needs and interests.
Information you submit when obtaining a quote or purchasing an
insurance policy including declarations (e.g. have you ever been
Policy adjustments made during the policy term, claims made during
your policy term.
- Your bank details and credit card information.
Information shared with us during a telephone call, which will be
Current and historical policies held and your policy renewal
- Membership of groups on our website.
Personal information such as name, date of birth, email address,
postal address, telephone number, to be able to send you our
membership services, such as marketing emails.
If Facebook login credentials were used to register on the Bought
By Many website, your Facebook profile. We will also have access
to your Facebook ‘likes’, Facebook friends who are members of
Bought By Many, and email address if you give us permission to
access this data during the registration process.
Your social media IDs and handles where they are linked to your
account if you used social media credentials to register with our
What products you have previously viewed or shown interest in.
We also collect website usage data, including:
- Your IP address.
- The browser you used to access our website.
- The website from which you came.
- The device used to access our website.
- The pages you visit on our website, and
- The hyperlinks to other websites which you click on.
Where you take part in our project to research potential new
health and well-being products for people suffering from
manageable medical conditions, by completing a survey, taking part
in a discussion group or by sending us a direct message, any
details you include about your current and historical medical
conditions and the daily challenges of living with these medical
Personal information such as name, date of birth, email address,
postal address, telephone number.
Manifestly made public
We obtain personal data from comments you have posted on our
Public Interest (for arranging and administering policies that require
special categories of data)
Details of any current and historical medical conditions, which you
have disclosed to us during the quote process.
Where do we obtain your personal data from?
We obtain your personal data in the following ways:
From you via web forms or telephone, for instance when signing up
for an account, joining a group or expressing an interest in a
Automatic recording, for instance interests based on the groups you
join, the articles you read (and how long you spend reading them),
the buttons you press to obtain a quote or share an offer, your
location through your IP address, your internet service provider and
the type of device or browser you are browsing with.
From the social media accounts you connect to your Bought By Many
account. Note: the personal data from social media accounts that we
have access to is determined by the permissions you give us when
registering with our website.
From you where you have disclosed this data to us through an online
survey, by leaving comments on one of our discussion forums or
Facebook pages, or by sending us a direct communication containing
this data (e.g. email or direct message).
How do we share your personal data?
In general, access to your personal data will be restricted to those
who have a need to access it to carry out their duties (for example
our employees such as our customer service team).
However, we will also share your personal data with the following
external third-parties in some circumstances:
Fraud prevention agencies or other third parties that assist us in
preventing fraud or other forms of risk (anti-money laundering
agencies and credit agencies).
Regulators such as the Financial Conduct Authority (FCA), and
government authorities such as Her Majesties Revenue Commission
(HMRC) or the police, if we are required to do so by law or if the
regulator or authority requests it and we regard that request as
Our insurers, legal advisers or other third parties who need access
to it in the context of managing, investigating or defending claims
Potential buyers of all or part of our business and/or their
Organisations that process your data on our behalf who are not
allowed to use your data for any other purpose, for instance our web
Other companies within our group, for instance where they provide us
Our referral scheme provider Mention Me (mention-me.com), if you
take up our referral rewards offer. Your details won’t be used for
anything other then to help you refer your friends and manage your
Our vet consultation service First Vet, we will give them your name,
your pets name, email address, policy number, mobile telephone
number and date of birth.
If you purchased your policy via Pets Corner UK Ltd we will pass
your name and email address to them via SFTP. We do this so that
Pets Corner UK Ltd can send you the insurance purchase incentive
advertised in their stores. You can find out more on how Pets Corner
can be found here
If you are introduced to us via another company such as a price
comparison website. We will inform them that you completed the
purchase of your policy on our website. We will securely send them
your name and email address. To find out how they process and store
your data, please go to their websites to view their privacy
Companies who provide marketing support services to us. We may share
your personal data with reputable third party service providers in
connection with automated marketing services provided by such third
parties to us.
We aim to share only anonymised data or aggregated data wherever
possible. We will use secure means to store and share data. We also
require third-parties to sign legally binding agreements not to use
any information for marketing purposes and not to share this data.
This may not be possible in all circumstances, for instance where we
are obliged to disclose data to a regulator.
Do we make solely automated decisions?
We use an automated insurance rating engine to evaluate insurance risk
based on the information you supply us during the quote process. We
use this information to automatically determine your potential risk,
and whether we are able to offer you a quote and, if we are able to
offer you a quote, what the value of the quote will be.
We also make solely automated decisions based on personal data in
order to screen you against government sanctions databases prior to
allowing you to buy a contract of insurance - we are required to do
this by law. Whilst this automated decision could result in us not
offering you a contract if insurance, this would only be automated
where the system determines a 100% match. Most of the time there isn’t
a 100% match, and one of our staff will therefore review the decision
You have the right to contest any decision produced by a solely
automated means and request for human intervention. If you do this we
must allow you to express your point of view, to obtain an explanation
of how we reached the decision, and allow you to challenge the
decision. To do this, please contact our Data Protection Officer using
the details in
Do we transfer your data outside of the EEA?
We store your personal data in cloud servers based in the European
Economic Area (EEA) and we may also store your personal data on
servers based in the US. In certain circumstances, we will also use
processing services based within the US.
We only transfer your personal information outside the EEA where we
have a legal basis for doing so and where we require that your
personal information is protected to the same standard as it would be
protected in the EEA. We do this by entering into data sharing
agreements with the recipients of your personal information based
outside the EEA which comply with the European Union’s Standard
Contractual Clauses (SCC) for the transfer of personal information.
If you would like further details about our transfer of your personal
information outside the EEA or details of the safeguards put in place
in relation to your personal information please contact our Data
Protection Officer by email at
How long we keep your information for?
If you are a customer, we will keep your personal information and all
telephone conversations for a period of 6 years after you cancel your
policy. We need to keep your information for this amount of time as
required by law (including FCA regulations) or in order to defend
potential legal claims.
Your bank and card details will be deleted at the point that you
cancel your policy.
Email communication that we have had with you will be deleted 6 months
after you cancel your policy.
As a member of Bought By Many that has never bought a policy through
us, we will keep your personal information until either:
- you cancel your membership, or
you have not obtained a quote or bought a policy from us in the last
two years, and you have not responded to the email we send asking
whether you still want to be a member (we typically send this one
month before your account is due to be deleted).
Where you provide us feedback about your experiences during the course
of one of our research projects and it has not already been
anonymised, for instance comments you make on our Facebook page about
living with a particular medical condition, we will either (a) delete
your personal data from our systems; or (b) anonymise it, at the end
of that project.
How can you opt out of receiving marketing communications?
If you do not wish to receive further marketing information about our
products and services, you can contact us via any channel detailed
within “Section 2 – Details”, you can manage your marketing
preferences within the “My Account” section of our website and we will
also include unsubscribe links within all of our marketing emails.
How do you withdraw your consent for us to process your personal data?
You have the right to withdraw your consent to how we process your
data in circumstances where we are using your data based on consent.
The type of processing that this includes is under
Section 4 "The Personal Data we collect – Consent". To withdraw your consent, you can do this on our website in your
“My account”, you can also call our customer services department on
0345 340 4090 or you can email our Data Protection Officer at
How can you object to us processing your personal data based on our
Where we process your personal data based on our legitimate interests
for direct marketing purposes, you always have the right to object to
that processing. To object to direct marketing either follow the
instructions for opting out of marketing in the section above, or
contact our Data Protection Officer using the details in
You have the right to object to other processing on the basis of our
legitimate interests, but we might not have to cease processing where
you do so if either:
We can demonstrate legitimate grounds for the processing which
override your interests; or
Where that legitimate interest is the establishment, exercise or
defence of legal claims.
To object to legitimate interests processing, please contact our Data
Protection Officer using the details in
Section 2 of this notice.
What are your rights concerning your personal data?
You have the right to obtain your personal data from us except in
limited circumstances. The first copy will be free of charge, but we
reserve the right to charge a small fee for additional requests if
they are disproportionate.
You have the right to require us to rectify any inaccurate personal
data we hold concerning you.
Considering the purposes of the processing, you may also have the
right to have incomplete personal data completed, by means of
providing a supplementary statement or otherwise.
You have the right to require us to erase your personal data on
certain limited grounds (including where they are no longer
necessary for the purpose for which they were collected or where we
rely on consent, which you withdraw, and there is no other legal
ground for the processing).
Where we process personal data, either on the basis of consent or
contractual necessity, that you provided to us, and we process that
personal data by automated means, you have the right to require us
to give you your data in a commonly used electronic format.
You have the right to object to our processing of personal data
which we process on the grounds of our legitimate interests, as
detailed in the paragraph titled “
objecting to our legitimate interest processing ” above.
You have the right to require us to restrict the processing of your
personal data on certain grounds, including where:
You contest the accuracy of the personal data and want us to
restrict processing of your personal data while we verify its
The processing is unlawful, but you request a restriction of the
processing rather than erasure;
We (as controller) no longer need the data for the purposes of
the processing, but you have told us you require us to retain
that personal data for you to establish, exercise or defend
legal claims; or
You have objected to us processing your personal data on grounds
of legitimate interests and want us to restrict processing of
your personal data while we consider your objection.
If you would like to exercise any of these rights, please contact our
Data Protection Officer using the details set out in
How can you make a complaint?
If we can’t remedy an issue you have, or you remain unhappy with how
we are handling your data, you can lodge a complaint with the
Information Commissioner’s Office (ico.org.uk).
usage and trends. A cookie is a small data file, typically of letters
and numbers, downloaded to a device when a user accesses certain
websites. You can remove or block cookies using settings in your
internet browser, but in some cases doing so may impact your ability
to use our website. For more information about cookies you can visit
All About Cookies.
The only cookies we use are ‘analytical cookies’. They allow us to
count the number of visitors and identify which pages are being
viewed, or used, with the sole purpose of analysing data about webpage
traffic and to improve our website in order to tailor it to our
customers’ needs. We do not store unencrypted personally identifiable
information in the cookies.
How do we use Google Analytics?
We use Google Analytics to help analyse use of our website. This
analytical tool collects standard internet log information and visitor
behaviour information in an anonymous form. The information generated
by the cookie about your use of our website (including your IP
address) is transmitted to Google. This information is then used to
evaluate visitors’ use of our Website and to compile statistical
reports on website activity for our website. To opt out of being
tracked by Google Analytics across all websites visit
We will not (and will not allow any third party) to use the analytics
tool to track, or to collect, any personally identifiable information
of visitors to our site. We will not associate any data gathered from
this site with any personally identifying information from any source
as part of our use of the Google Analytics tool. Google will not
associate your IP address with any other data held by Google. Neither
ourselves, nor Google, will link, or seek to link, an IP address with
the identity of a computer user.
What happens when you click a link to another website?
Our website contains links to third party websites, including those of
the insurance companies that we partner with.
Once you use these links to leave our website, you should note that we
do not have any control over those other websites. We, therefore,
cannot be responsible for the protection and privacy of any
information which you provide whilst visiting such sites and sites not