In this day and age, more and more information is being uploaded and shared across the web. For you to be confident using our services we want you to trust that not only are we providing you with the best deal, we’re also committed to ensuring your privacy is protected.
Who are Bought By Many?
We are your data controller for the purposes of the personal data we will collect. Our details are as follows:
Bought By Many Ltd, a limited company registered in England with the company registration number 07886430 and registered address at Unit 1b Summers Street, London, England, EC1R 5BD.
If you wish to contact us in relation to this notice, or data protection generally, please contact our Data Protection Officer by email on firstname.lastname@example.org or by post using the address above, marked for the attention of the Data Protection Officer.
How do we process your data?
We will collect and process your personal data under some, if not all, of the following lawful bases: contractual necessity, our legitimate interests, consent, because it’s necessary for us to comply with a legal obligation, the personal data has been manifestly made public and where the processing is necessary for reasons of substantial public interest.
Contractual necessity is where we collect your personal data because it is necessary for us to provide you with a quote or a contract of insurance. Without this data, we wouldn’t be able to provide you with a quote or arrange an insurance policy for you.
We need personal data for the following reasons in order to provide our service to you:
- To arrange and administer insurance on your behalf. This will include several types of correspondence either via our website including live chat, or by post, email or phone, for example: non-marketing communications about obtaining a quote and purchasing a policy, your welcome pack and policy documents, payment reminders, arrears notifications, confirmation of your cancellation, renewal documents, complaint communications, any mid-term adjustments you may make to your policy, and any communications in response to a query you have sent us.
- To enable us to introduce you to an insurer that offers insurance policies to meet your insurance needs.
Organisations can rely on “legitimate interests” to process personal data where: (a) their reason for processing personal data is a legitimate business interest (e.g. it is not illegal and it actually receives a benefit from it); (b) the processing is a proportionate way of achieving that interest; and (c) that legitimate business interest is not outweighed by the impact on the individual. We have completed that assessment and are satisfied with it for each of the purposes set out below.
You do have a choice as to whether you provide us with your personal information and you have the right to object to us using your data for our legitimate interests, please see “Section 12 – Right to object”. However, if you decline to provide us with certain personal information this may impact the services that we can offer to you.
We have a legitimate interest in each of the following:
- Sending you promotional emails about products or groups we think you may be interested in.
- Customising our website according to your interests (e.g. we might give pet insurance products more prominence on the page because you have told us you have a dog).
- Customising the marketing material we send you (e.g. we send newsletters containing relevant articles based on your activity on our website).
- Targeting online advertising to you on other websites because we believe it is relevant to you. For example, we might ask Google, Facebook or Snapchat to either (a) show you adverts based on your characteristics or interests, e.g. to only show our advert to people interested in dogs; or (b) show you adverts based on your visit to our website, e.g. where you have read an article about specialist pet insurance, we might show you an advert for one of our specialist pet insurance products.
- Obtaining financial reports from insurers detailing purchases by Bought By Many members on third-party insurer websites.
- Improving our products, services and offers by emailing you asking you to complete Feefo customer experience reviews, which enable you to leave reviews of how you found the experience of dealing with Bought By Many.
- Monitoring website usage, including website usage statistics and third-party hyperlink click tracking. We use google analytics to do this and we do not have access to the underlying data, only aggregated views of it (e.g. to see how many users visited our website in a certain timeframe, which pages were most popular, and which website visitors came from for instance directly, via Google, or from Facebook).
- Tracking if you have purchased a product from a cash-back site to enable us to pay the correct third-party.
- Creating Management Information to help us with pricing decisions.
- Bringing a legal claim or defend legal claims against us.
- Using your comments on specific social media posts to inform the development of new insurance products.
Where we rely on consent, we will only process your personal data in that way if you have told us we can. Usually this will be by ticking a box or agreeing over the phone. You have the right to withdraw consent at any time (see the section titled “Section 11 - How do you withdraw your consent for us to process your personal data?” below).
We rely on consent to:
- Send you marketing communications that relate to medical conditions, or our Urgent Medical Travel product; or
- Process special categories of personal data (medical data) where we are:
- using surveys and discussion groups; or
- using private messages you have sent us via email or social media in response to our request for input,
This is where we are required by a law or regulation to process your data to fulfil our legal obligations.
We process your personal data to comply with our legal obligations where:
- We are required by our regulator to analyse customer feedback on the product to enable us to make product improvements.
- We are required to complete a sanctions check prior to selling insurance to a customer. A sanctions check is a search of an individual against government sanction databases that identify people who are prohibited from entering the financial services environment, including buying insurance products.
- We are required to confirm whether you have received and/or opened policy related emails (e.g. your policy documents when you purchase a policy from us).
Manifestly made public
Where you post a comment on our Facebook page, for instance where we have asked for thoughts on living with a particular health condition, we may use that comment (which may include medical data) to inform the development of new insurance products.
Where we need to process special categories of data (e.g. data relating to your health) in order to arrange or administer your insurance policy, we do so because it is necessary for reasons of substantial public interest (as set out in UK data protection law).
What personal data do we collect?
To enable us to process your data for the reasons set out in “Section 3 – How we process your data”, we collect the following personal data:
- Personal information such as name, date of birth, email address, postal address, telephone number.
- Details of your insurance needs and interests.
- Information you submit when obtaining a quote or purchasing an insurance policy including declarations (e.g. have you ever been declined insurance).
- Policy adjustments made during the policy term, claims made during your policy term.
- Your bank details and credit card information.
- Information shared with us during a telephone call, which will be recorded.
- If purchasing our medical travel policies, this will include details of your medical condition to enable us to provide you with insurance.
- Current and historical policies held and your policy renewal dates.
- Membership of groups on our website.
- Personal information such as name, date of birth, email address, postal address, telephone number, to be able to send you our membership services, such as marketing emails.
- If Facebook login credentials were used to register on the Bought By Many website, your Facebook profile. We will also have access to your Facebook ‘likes’, Facebook friends who are members of Bought By Many, and email address if you give us permission to access this data during the registration process.
- Your social media IDs and handles where they are linked to your account if you used social media credentials to register with our website.
- What products you have previously viewed or shown interest in.
We also collect website usage data, including:
- Your IP address.
- The browser you used to access our website.
- The website from which you came.
- The device used to access our website.
- The pages you visit on our website, and
- The hyperlinks to other websites which you click on.
- Details of your current and historical medical conditions where they can be inferred from the groups you have joined.
- Where you take part in our project to research potential new health and well-being products for people suffering from manageable medical conditions, by completing a survey, taking part in a discussion group or by sending us a direct message, any details you include about your current and historical medical conditions and the daily challenges of living with these medical conditions.
- Personal information such as name, date of birth, email address, postal address, telephone number.
Manifestly made public
- We obtain personal data from comments you have posted on our Facebook page.
Public Interest (for arranging and administering policies that require special categories of data)
- Details of your current and historical medical conditions, which you have disclosed to us during the quote process.
Where do we obtain your personal data from?
We obtain your personal data in the following ways:
- From you via web forms or telephone, for instance when signing up for an account, joining a group or expressing an interest in a policy.
- Automatic recording, for instance interests based on the groups you join, the articles you read (and how long you spend reading them), the buttons you press to obtain a quote or share an offer, your location through your IP address, your internet service provider and the type of device or browser you are browsing with.
- From the social media accounts you connect to your Bought By Many account. Note: the personal data from social media accounts that we have access to is determined by the permissions you give us when registering with our website.
- From you where you have disclosed this data to us through an online survey, by leaving comments on one of our discussion forums or Facebook pages, or by sending us a direct communication containing this data (e.g. email or direct message).
How do we share your personal data?
In general, access to your personal data will be restricted to those who have a need to access it to carry out their duties (for example our employees such as our customer service team).
However, we will also share your personal data with the following external third-parties in some circumstances:
- Fraud prevention agencies or other third parties that assist us in preventing fraud or other forms of risk (anti-money laundering agencies and credit agencies).
- Regulators such as the Financial Conduct Authority (FCA), and government authorities such as Her Majesties Revenue Commission (HMRC) or the police, if we are required to do so by law or if the regulator or authority requests it and we regard that request as reasonable.
- Our insurers, legal advisers or other third parties who need access to it in the context of managing, investigating or defending claims or complaints.
- Potential buyers of all or part of our business and/or their advisors.
- Organisations that process your data on our behalf who are not allowed to use your data for any other purpose, for instance our web hosts.
- Other companies within our group, for instance where they provide us services.
- Our insurance partner, LV (www.lv.com), where we are completing joint research into potential new health and well-being products aimed at persons with manageable medical conditions such as diabetes, hypertension, depression, anxiety, asthma, COPD or kidney disease that join one of our specialist research groups.
We aim to share only anonymised data or aggregated data wherever possible. We will use secure means to store and share data. We also require third-parties to sign legally binding agreements not to use any information for marketing purposes and not to share this data. This may not be possible in all circumstances, for instance where we are obliged to disclose data to a regulator.
Do we make solely automated decisions?
We use an automated insurance rating engine to evaluate insurance risk based on the information you supply us during the quote process. We use this information to automatically determine your potential risk, and whether we are able to offer you a quote and, if we are able to offer you a quote, what the value of the quote will be.
We also make solely automated decisions based on personal data in order to screen you against government sanctions databases prior to allowing you to buy a contract of insurance - we are required to do this by law. Whilst this automated decision could result in us not offering you a contract if insurance, this would only be automated where the system determines a 100% match. Most of the time there isn’t a 100% match, and one of our staff will therefore review the decision manually.
Do we transfer your data outside of the EEA?
We store your personal data in cloud servers based in the European Economic Area (EEA). In certain limited circumstances, we may export personal data outside of the European Economic Area for processing, and we may use third party service providers who do the same. We only do that if there is a good reason to do it and where either:
- There are adequate safeguards in place (such as the appropriate contractual arrangements with suppliers, or adequacy decisions, depending on the destination country); or
- We are otherwise permitted by data protection law (for instance, where you consent or such transfer is necessary to provide our service to you).
How long we keep your information for?
If you are a customer, we will keep your personal information and all telephone conversations for a period of 6 years after you cancel your policy. We need to keep your information for this amount of time as required by law (including FCA regulations) or in order to defend potential legal claims.
Your bank and card details will be deleted at the point that you cancel your policy.
Email communication that we have had with you will be deleted 6 months after you cancel your policy.
As a member of Bought By Many that has never bought a policy through us, we will keep your personal information until either:
- you cancel your membership, or
- you have not obtained a quote or bought a policy from us in the last two years, and you have not responded to the email we send asking whether you still want to be a member (we typically send this one month before your account is due to be deleted).
Where you provide us feedback about your experiences during the course of one of our research projects and it has not already been anonymised, for instance comments you make on our Facebook page about living with a particular medical condition, we will either (a) delete your personal data from our systems; or (b) anonymise it, at the end of that project.
How can you opt out of receiving marketing communications?
If you do not wish to receive further marketing information about our products and services, you can contact us via any channel detailed within “Section 2 – Details”, you can manage your marketing preferences within the “My Account” section of our website and we will also include unsubscribe links within all of our marketing emails.
How do you withdraw your consent for us to process your personal data?
You have the right to withdraw your consent to how we process your data in circumstances where we are using your data based on consent. The type of processing that this includes is under Section 4 "The Personal Data we collect – Consent". To withdraw your consent, you can do this on our website in your “My account”, you can also call our customer services department on 0345 340 4090 or you can email our Data Protection Officer at email@example.com.
How can you object to us processing your personal data based on our legitimate interests?
You have the right to object to other processing on the basis of our legitimate interests, but we might not have to cease processing where you do so if either:
- We can demonstrate legitimate grounds for the processing which override your interests; or
- Where that legitimate interest is the establishment, exercise or defence of legal claims.
To object to legitimate interests processing, please contact our Data Protection Officer using the details in Section 2 of this notice.
What are your rights concerning your personal data?
- You have the right to obtain your personal data from us except in limited circumstances. The first copy will be free of charge, but we reserve the right to charge a small fee for additional requests if they are disproportionate.
- You have the right to require us to rectify any inaccurate personal data we hold concerning you.
- Considering the purposes of the processing, you may also have the right to have incomplete personal data completed, by means of providing a supplementary statement or otherwise.
- You have the right to require us to erase your personal data on certain limited grounds (including where they are no longer necessary for the purpose for which they were collected or where we rely on consent, which you withdraw, and there is no other legal ground for the processing).
- Where we process personal data, either on the basis of consent or contractual necessity, that you provided to us, and we process that personal data by automated means, you have the right to require us to give you your data in a commonly used electronic format.
- You have the right to object to our processing of personal data which we process on the grounds of our legitimate interests, as detailed in the paragraph titled “objecting to our legitimate interest processing” above.
You have the right to require us to restrict the processing of your personal data on certain grounds, including where:
- You contest the accuracy of the personal data and want us to restrict processing of your personal data while we verify its accuracy;
- The processing is unlawful, but you request a restriction of the processing rather than erasure;
- We (as controller) no longer need the data for the purposes of the processing, but you have told us you require us to retain that personal data for you to establish, exercise or defend legal claims; or
- You have objected to us processing your personal data on grounds of legitimate interests and want us to restrict processing of your personal data while we consider your objection.
How can you make a complaint?
If we can’t remedy an issue you have, or you remain unhappy with how we are handling your data, you can lodge a complaint with the Information Commissioner’s Office (ico.org.uk).
The only cookies we use are ‘analytical cookies’. They allow us to count the number of visitors and identify which pages are being viewed, or used, with the sole purpose of analysing data about webpage traffic and to improve our website in order to tailor it to our customers’ needs. We do not store unencrypted personally identifiable information in the cookies.
How do we use Google Analytics?
We use Google Analytics to help analyse use of our website. This analytical tool collects standard internet log information and visitor behaviour information in an anonymous form. The information generated by the cookie about your use of our website (including your IP address) is transmitted to Google. This information is then used to evaluate visitors’ use of our Website and to compile statistical reports on website activity for our website. To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.
We will not (and will not allow any third party) to use the analytics tool to track, or to collect, any personally identifiable information of visitors to our site. We will not associate any data gathered from this site with any personally identifying information from any source as part of our use of the Google Analytics tool. Google will not associate your IP address with any other data held by Google. Neither ourselves, nor Google, will link, or seek to link, an IP address with the identity of a computer user.
What happens when you click a link to another website?
Our website contains links to third party websites, including those of the insurance companies that we partner with.