This Privacy Policy tells you what data we collect, why we collect it and what we do with it. You can also find information on the controls you have to manage your data within these pages.
We are committed to ensuring your privacy and personal information is protected.
AXA PPP Healthcare Administration Services Limited is the data controller of your personal information and is responsible for complying with data protection laws.
By providing your personal data, you acknowledge that we may use it only in the ways set out in this Privacy Policy. We may provide you with further notices highlighting certain uses we wish to make of your personal data.
From time to time we may need to make changes to this Privacy Policy, for example, as the result of government regulation, new technologies, or other developments in data protection laws or privacy generally. You should check this policy periodically to view the most up to date version.
When you use our Digital Wellbeing Services platforms, we understand that you are sharing data with us which is highly sensitive and personal. We are clear that this data is yours and you can decide what data you want to share. We comply with every aspect of data protection regulation.
The AXA UK Group includes insurance companies, insurance brokers, health and wellbeing companies as well as an online health shop. We may share your data within the AXA UK and AXA Group to create a single customer view to enhance your experience of the services received from us but we will not use any of the personal information that you share via this app for insurance underwriting or claims handling purposes. For the purposes of this Privacy Policy, references to “AXA”, "we" or "us" shall also refer to AXA UK Group companies.
When we collect and use your personal information, we ensure we look after it properly and use it in accordance with our privacy principles set out below.
We only collect personal health data from you for the purpose of providing you a digital wellbeing service. Health data is classed as sensitive personal data and is now known as ‘Special Category Personal Data’. We will not collect any more Special Category Personal Data than is required, and is limited to:
We collect your personal information directly from you when you use our digital wellbeing service platforms. Before you create an account, we will collect anonymous information on users who download our mobile application. If you then create an account, we will initially collect your name and contact details to enable the creation of that account.
Once your account has been created, we will collect further information from you in the following ways:
We may collect your personal information from a number of different sources including:
We mainly use your personal data (including Special Category Personal Data) to provide you with digital wellbeing services via our digital platform. However, there are a number of other reasons that your personal information may be used. Please see below for a more detailed list of how we use your personal information.
Under data protection laws we can only process your information where we have one or more legal bases or conditions for doing so, as set out in the law. We have set out below the main reasons for processing your personal data and the applicable circumstances when we will do so. When the personal information we process about you is classed as Special Category Personal Data we must have an additional legal basis for such processing:
We share certain aggregated data (i.e. anonymous data) with your employer(s): for instance, they will be able to see the overall level of services being accessed and how that changes over time. Your employer(s) will not have access to any personal information or Special Category Personal Data that you submit through your use of our digital platform (in particular health data you provide to us) as a direct consequence of your use of our digital platform. This exclusion does not apply to any employer-provided data or any personal information that your employer may already possess in their course of employing you independently (such as Identity and Contact Data).
We may also disclose aggregated data to a prospective purchaser of our business or any part of it.
We also use such aggregated data to understand our end-users. To do so, we may take your anonymised data from your use of the app and combine it with other anonymised data we hold. This is to develop our service offering, to publish white papers and to share the aggregated data with health professionals and researchers. We may also use it to demonstrate the value of our offering to others.
We might share your personal information with two types of organisation – companies inside the AXA Group, and other third parties outside the AXA Group. For further details of disclosures, please see below. We won’t share any of your personal information other than for the purposes described in this Privacy Policy.
Who might we disclose your personal information to:
In order to provide our services your personal information is shared with other companies in the AXA Group including but not limited to AXA Business Services in India (see section 7.3 below), AXA ICAS Occupational Health Services Limited and AXA ICAS Limited. Your personal information might be shared for our general business administration, efficiency and accuracy purposes.
We also disclose your information to the types of third parties listed below for the purposes described in this Privacy Policy. This might include:
1. Your relatives, guardians or someone else acting on your behalf where you are incapacitated or unable, or other people or organisations connected to you such as your lawyer; Your current, past or prospective employers if you have been part of a group scheme but only ever in an aggregate/anonymised manner. Your personal details will not be identifiable in this sharing;
2. Our third-party services providers such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, research specialists, document management providers and contractors and their sub-contractors;
3. We may also share your information with businesses that we partner with to provide goods or services that we make available to you. They may only market their own products or services to you if you consent that they can do so.
4. Our partners include:
5. Central and local Government (for example if they are investigating fraud or because we need to contact them regarding international sanctions);
6. NHS fraud teams, the General Medical Council, the police, National Crime Agency, other law enforcement agencies and organisations that maintain anti-fraud or other crime databases where reasonably necessary for the prevention or detection of crime;
7. Selected third parties in connection with the sale, transfer or disposal of our business.
Disclosure of your personal information to a third party outside of the AXA Group, with the exception of law enforcement agencies or other bodies exercising their official authority, will only be made where the third party has agreed to keep your information strictly confidential and to use it only for the specific purpose for which we provide it to them.
We may also disclose your personal information to other third parties where:
8. we are required or permitted to do so by law or by regulatory bodies such as where there is a court order, statutory obligation or Prudential Regulatory Authority / Financial Conduct Authority or Information Commissioner’s Office request;
9. we believe that such disclosure is necessary in order to assist in the prevention or detection of any criminal action (including fraud) or is otherwise in the overriding public interest; or
10. where exemptions under the data protection legislation allow us to do so.
Some of the recipients and technical solutions set out above may be in countries outside of the EEA (European Economic Area), notably in i) Switzerland, where AXA has a European Data Centre, and ii) India, where some administration is undertaken. Where we make a transfer of your personal information outside of the EEA and to a country which is deemed not to have the same standards of data protection as the UK, in all cases we will ensure that appropriate safeguards have been implemented to ensure that your personal information is protected. Such steps may include entering into contractual obligations with the third party to protect your personal information to adequate standards.
In most cases, we will keep your information for between three and ten years after our relationship with you ends but it will vary depending on what data we hold, why we hold it and what we’re obliged to do by the regulator or the law.
We keep your personal information for as long as reasonably necessary to fulfil the relevant purposes set out in this Privacy Policy and in order to comply or demonstrate compliance with our legal and regulatory obligations. Where we can, and it is appropriate, we will minimise personal information or de-personalise data to use for statistical or analytical purposes.
The time period we retain your personal information for will differ depending on the nature of the personal information and what we do with it. We typically keep payment information for up to 7 years to comply with financial reporting requirements. Beyond seven years we will keep minimised information for statistical analysis, for example for pricing and service delivery improvement purposes.
You can ask us to do various things with your personal information. For example, at any time you can ask us for a copy of your personal information, ask us to correct mistakes, change the way we use your information, or even delete it. We’ll either do what you’ve asked or explain why we are unable to - usually because of a legal or regulatory issue.
For further details about your rights please see below.
You have the following rights in relation to our use of your personal information.
You are entitled to a copy of the personal information we hold about you which you can request directly from the Privacy Centre within the digital application. From the application you are able to download a .CSV file that contains all the information that we hold about you. If you are unable to access the digital application for any reason you can make a direct request for a copy of your data by emailing data.protection@axa-ppp.co.uk.
We take reasonable steps to ensure that the personal information we hold about you is accurate and, to the extent necessary, complete. However, if you do not believe this is the case, please contact us by emailing data.protection@axa-ppp.co.uk.
You can request an account deletion directly from the Privacy Centre within the digital application. When you request a deletion, we will delete your account and all the data that we hold about you with the exception of any payments you have made. We have a legal obligation to hold financial records for 7 years; this data will be limited to a simple identifier and payment amounts, and will be securely deleted at the end of the legal retention period. If you are unable to access the digital application for any reason you can make a direct erasure request by emailing data.protection@axa-ppp.co.uk. There may be some other legal and regulatory reasons which mean we cannot comply with your request.
In certain circumstances, you are entitled to ask us to suspend using your personal information for a period, for example where you think that the personal information we hold about you may be inaccurate, to allow us to verify the accuracy, or where you think that we no longer need to process your personal information, but you need us to keep it for legal reasons. You can request processing to be restricted (i.e. your account will be suspended) by emailing data.protection@axa-ppp.co.uk.
In certain circumstances, you have the right to ask that we transfer any personal information that you have provided to us to another third party of your choice. You can request a file of your data directly from the Privacy Centre within the digital application. From the application you are able to download a .CSV file that contains all the information that we hold about you. If you are unable to access the digital application for any reason you can make a direct request for a copy of your data by emailing data.protection@axa-ppp.co.uk.
You can ask us to stop sending you marketing messages at any time by amending your consent in the Privacy Centre in the app.
Some of our decisions are made automatically where you input your personal information into our app and the content you are directed to is determined using certain automatic processes rather than our employees directly making those decisions. We make automated decisions in the following situations:
For certain uses of your personal information, we will ask for your explicit consent. Where we do this, you have the right to withdraw your consent to further use of your personal information. Please note that where you withdraw all consent to process your special category (health) data we will need to delete all of your data which will require that we delete your entire account. You can do this at any time by requesting an account deletion directly from the Privacy Centre within the digital application.
You have a right to complain to the ICO at any time if you believe that we have not met the requirements of data protection law. The ICO will usually expect that you have given us the opportunity to resolve your complaint before they will take up your enquiry, so please do tell us first if you think we have not complied with these laws. More information can be found on the Information Commissioner’s Office website: https://ico.org.uk/.
In some circumstances exercising some of these rights will mean we are unable to continue providing you with services. This may therefore result in the cancellation of your subscription and the suspension of your account. Our terms and conditions set out what will happen in the event your subscription is cancelled.
You’re in control of whether we may use your information for marketing purposes. If you are an existing customer, we will only contact you if you’ve agreed it’s okay. Then, we might use your information to tell you about products and services that could interest you.
We may use pixels and similar technologies within our marketing emails to enable us to see whether the email was delivered and accessed, and to provide us with insights into the performance of our campaigns so we can provide you with more relevant content at optimum times.
If you wish to unsubscribe from emails sent by us, you may do so at any time by following the unsubscribe instructions that appear in all emails. Otherwise you can amend your consents in the Privacy Centre on our digital app. In such circumstances, we will continue to send you service related (non-marketing) communications where necessary.
We would like to keep you informed, from time to time about relevant products and services. We may do this by mail, email, telephone or other electronic methods such as text message. In order to help us get to know you and identify what products and services may interest you we obtain information about you from other sources inside and outside the AXA Group for example, companies who provide consumer classification, market segmentation and lifestyle data for marketing purposes. Examples of these organisations are Experian or LexisNexis.
We may run specific marketing campaigns through social media and digital advertising that you may see which are based on general demographics and interests. We do this by creating generic customer characteristics which are viewed in social media. If you do not want to see any campaigns then you will need to adjust your preferences within social media settings and your browser cookie settings.
From time to time we may share your data with social media platform providers who aggregate elements of your personal information and match this data against other sources to find similar profile individuals. If you do not want us to use your personal information in this way, you can opt out of profiling at any time by visiting the Preference page in the app and opting out of ‘Help us to find new customers’.
Business to business marketing (that is, commercial marketing) may rely on legitimate business interests when contacting the organisation rather than marketing choices made by an individual.
The Data Protection Officer:
AXA PPP healthcare
Jubilee House
Vale Road,
Tunbridge Wells
TN1 1BJ
Email address: data.protection@axa-ppp.co.uk
Alternatively you can contact our Group Data Protection Officer at our head office:
The Data Protection Officer:
AXA UK Plc
20 Gracechurch Street,
London,
EC3V 0BG
Email address: ukgroupprivacy@axa-uk.co.uk
If you would like to contact the UK’s Information Commissioner’s Office directly, please write to the Information Commissioner's Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF
Telephone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national number.