Privacy Notice Relating to the Personal Data (Privacy) Ordinance (the “Ordinance”)

  1. Introduction
    1. Your privacy and the security of your personal information are important to us. This Notice is prepared in accordance with the Ordinance and also operates as the Personal Information Collection Statement which we will provide, or make available, to you on or before the collection of your personal information by the Company. When you become our customer, you agree that we will handle your personal information as described in this Notice. Please be aware that this Notice replaces any notice or statement of similar nature that may have been provided to you previously.
    2. In this Notice, "we", "us", "our" and "Bupa" refer to, individually or collectively, any member and/or brand of the Group Companies in Hong Kong (each a "Company") including:
      · Bupa (Asia) Limited
      · Horizon Health and Care Limited
      · Blua (Asia) Services Limited
      · Bupa International Limited
      · Quality Healthcare Group, a list of the legal entities under Quality Healthcare Group is available here.
    3. Which business looks after and uses your information as a data user depends on which services you are using or interacting with. Where necessary or appropriate, we will tell you when you are dealing with a different Company of us in Hong Kong. The rights and obligations of each Company under this Notice are several and not joint. No Company shall be liable for any act or omission by another Company.
    4. For the purposes of this Notice, "Group Company" means the Company and its holding companies, branches, subsidiaries, representative offices and affiliates, wherever situated, and any one of them. Affiliates include branches, subsidiaries, representative offices and affiliates of the Company's holding companies, wherever situated (collectively, the "Group").
  2. Personal Information We Collect
    1. From time to time, it is necessary for you, or other persons covered by your policy, subscription plan, membership or any other service plan (each a "Member"), to supply the Company with certain personal information (including where relevant, credit information and claims history) when you interact with us, apply for and use our products and services.
    2. Failure to supply personal information requested by the Company may result in the Company being unable to process your application, request for information or services, enquiries and/or provide services or products to you, or the Member.
    3. The personal information we collect and/or hold from time to time may include your personal identification information, contact information, transaction records, financial background, medical and health records, biometric data and your location and activities when you access or browse our website(s) or use our mobile application(s) or portal(s) (including any diagnostic or health-monitoring tools thereon and the Bluetooth and/or wearable device that are used to collect data for the purposes of such tools).
    4. We will always try to collect your personal information from you through the course of your relationship with us and in a range of ways. However, there may be instances where we will need to collect your personal information from third parties or sources in certain circumstances, such as a family member or someone else acting on your behalf, your employers, medical personnel, business/asset acquisition transactions of the Company, business partners, or public databases. Data may also be generated or combined with other information, available to the Company or any member of the Group Company.
    5. If you are under the age of 18, you should obtain consent from your parent or guardian before you provide the Company with your personal information.
    6. Storage of personal information may be in various forms including, physical (paper) form, digital customer systems or applications, data management software or systems in the usual course of business practices, electronic medical record systems, clinical images taken for diagnostic or treatment purposes on some diagnostic equipment where you have undergone a diagnostic procedure using such equipment at facilities operated by the Company, depending on your engagement with the Company.
    7. Separate privacy notices apply for recruitment or employment purposes.
  3. Purposes of Collection
    1. Your personal information collected may be used, stored, processed, transferred, disclosed or shared by the Company for the following purposes from time to time:
      1. processing, assessing and determining any applications for insurance products and services;
      2. verifying your identity before providing our products or services to you;
      3. offering and providing products and services to you, or the Member, and processing requests made by you, or the Member, from time to time, including but not limited to requests for addition, alteration, deletion, maintenance, management and operation of benefits or membership;
      4. registering you, or the Member, as a user or a member of services or information provided or to be provided by us on the website(s), mobile application(s) or portal(s) managed and/or operated by us;
      5. coordinating your care, or the Members’, within Group Companies to achieve better health management outcomes;
      6. any purposes in connection with any claims made by or against or otherwise involving you, or the Member, in respect of any products and/or services provided by the Company including, without limitation, making, defending, analysing, investigating, detecting and preventing fraud (whether or not relating to the policy issued in respect of any application or claim) processing, assessing, determining, settling or responding to such claims;
      7. performing any functions and activities related to the products and/or services provided by the Company including, without limitation, audit, reporting, market research, general servicing, maintenance of online and other services, identity verification, data matching, research, automated decision making processes (including profiling) and data analytics (please see further details in paragraph 8 below), statistical analysis, and reinsurance arrangements;
      8. providing you with personalised health information and information about our services or products, and personalised website, mobile application or portal interface;
      9. providing you with appropriate medical, health, product administration, wellness or other related services (including, without limitation, e-ticketing, appointment booking and clinic / medical professional search, service and product redemption functions on the website(s), mobile application(s) or portal(s) managed and/or operated by us, and seminars, webinars, events, lucky draw, contest or any other similar activities you choose to register) or products;
      10. communicating with you regarding the administration, features and renewal of your policy, subscription plan, membership or any other service plan that you subscribe to;
      11. operating, maintaining, evaluating, improving, troubleshooting problems, and understanding your preference(s) with our website(s), mobile application(s) or portal(s);
      12. provision and design of products and services of the Company;
      13. exercising the Company’s rights in connection with provision of any products and services to you, or the Member, from time to time, for example, to determine any amount of indebtedness from you, and collecting and recovering owing from you or any person who has provided any security or undertaking for your liabilities;
      14. communication with you or the Member (or with you on behalf of the Member) in relation to any of the purposes set out in this Notice;
      15. with your consent, marketing services, products and other subjects by us, any member and/or brand of the Group Companies (such as Quality HealthCare Group and/or our affiliates) and/or other third parties (please see further details in paragraph 5 below);
      16. managing our relationship with you, our business and organisations who work with us in relation to providing our products or services to you, or the Member (including, with limitation, future changes to this Notice);
      17. enabling an actual or proposed assignee, transferee, participant or sub-participant of all or a substantial part of the Company’s rights or business to evaluate the transaction intended to be the subject of the assignment, transfer, participation or sub-participation;
      18. making disclosure to satisfy the requirements of any laws, rules and regulations, codes of practice, guidance notes or guidelines binding on the Company;
      19. any other purposes which we notify you of at the time of obtaining your consent; and
      20. fulfilling any other purposes directly related to (a) to (s) above.
  4. Transfer of Personal Information

    4.1 Personal information collected or held by the Company relating to you, or the Member, will be kept confidential but the Company may transfer such personal information inside or outside the Hong Kong Special Administrative Region of the People’s Republic of China, for the purposes specified in paragraph 3 to the following classes of transferees:
    a. any member and/or brand of the Group Companies;
    b. any insurance adjusters, agents and brokers;
    c. any re-insurance companies authorised by the Company;
    d. any relevant policyholders or main member of the subscription and/or service plan (including your employer and the relevant employee enrolling the dependent under a group and/or family plan);
    e. any funders who arrange products or services on your behalf;
    f. any payment recipients, or anyone whose data is provided for receiving benefits under the plan or otherwise;
    g. healthcare professionals and hospitals;
    h. any third parties engaged in connection with a member of the Group Company's business who provides medical, health, insurance, wellness or other related services or products;
    i. any persons, bodies corporate or organisations who are clients of our nursing agency and indicated interest to engage you as an independent contractor to provide them with nursing care, care assistance or related services (for applicants and/or registered independent contractors to our nursing agency panel only);
    j. with your consent, eHealth (for registered participants under the Electronic Health Record Sharing System Ordinance (Cap 625). Please see our information statement in relation to the electronic health record sharing system here);
    k. any agent, contractor or third party service providers who provide administrative, telecommunications, computer, payment, data processing, storage of analytics, technology, cloud, printing, research, advertising, distribution or other services to the Company in connection with the operation of business, (including without limitation insurers; banks; lawyers; accountants; claims investigators; fraud prevention organisations; other insurance companies (whether directly or through fraud prevention organisations or other persons named in this paragraph); organisations that consolidate claims and underwriting information for the insurance industry (including the Hong Kong Federation of Insurers or any similar insurance industry bodies); the police and databases or registers (and their operators) used by the insurance industry to analyse and check information provided against existing information; debt collection agencies; data processing companies; research agencies and professional advisors);
    l. with your consent, third parties (within or outside the Group Companies) in relation to direct marketing (please see further details in paragraph 5 below);
    m. third party reward, loyalty, co-branding and privileges programme providers and co-branding partners of a member of the Group Companies;
    n. financial institutions engaged by the Company or you for billing and payment purposes;
    o. any actual or proposed assignee, transferee, participant or sub-participant of all or a substantial part of the Company’s rights or business;
    p. any party to whom you have consented the disclosure of your personal information; and
    q. any person to whom the Company is under an obligation to make disclosure under the requirements of any law, rules, regulations, codes of practice or guidelines binding on the Company including, without limitation, any applicable regulators, governmental bodies, industry recognised bodies, credit reference agencies, the Courts, and where otherwise required by law.

    4.2 We will only disclose personal information limited to that which is necessary to the above parties for the relevant purposes, who may process (including, without limitation, by recording, organising, structuring, storing, adapting, altering, retrieving, using, aligning, combining or erasing) your personal information for the relevant purposes set out in paragraph 3 above.

    4.3 In the event that we complete the acquisition of a new business or brand, we shall communicate with you through the communication channels you provided to us, and any personal information shall be treated in accordance with this Notice if it is practicable and permissible to do so.

  5. Use of Personal Information in Direct Marketing
    1. Only with your consent (which includes an indication of no objection), the Company, any member and/or brand of the Group Companies and/or the third parties stated under paragraphs 3.1 (o) and 5.2 (b) to (e) may use your personal information (including your name, contact details, products and services portfolio, transaction pattern and behaviour) collected from time to time to provide you with marketing communications (including by email, SMS, mobile application, social media, instant messenger or other means that become available from time to time) relating to the following products and services:
      1. insurance, medical, dental, healthcare, wellness, personal development, beauty, sporting activities and membership, lifestyle, entertainment, financial, and related services and products;
      2. rewards, benefits, discounts, member activities, loyalty or privileges programmes and related services and products;
      3. services and products offered by the Company’s co-branding partners; and
      4. donations and contributions for charitable and/or non-profit making purposes.
    2. The above services, products and subjects may be provided or (in the case of donations and contributions) solicited by the Company and/or:
      1. any member and/or brand of the Group Companies;
      2. third party service providers;
      3. third party reward, loyalty, co-branding or privileges programme providers;
      4. co-branding partners of a member of the Group Companies; and
      5. charitable or non-profit making organisations.
    3. We will not use your personal information for direct marketing purposes unless we have received your consent. For the avoidance of doubt, the latest instruction (for example, consent or indication of no objection, or request for opt-out) received from you shall override any previous instruction given to the Company in this regard in relation to all of your personal information collected or held by the Company from time to time. If you agree to receive marketing communications but do not wish to receive them in the future, you may inform us by the following applicable means:
      a. unsubscribing by following the "Unsubscribe" instructions in our mobile applications;
      b. following the unsubscribe instructions or hyperlink in the email;
      c. unsubscribing by following the "Unsubscribe" instructions contained in the marketing text message;
      d. notifying us when you no longer wish to receive marketing communications when you receive our marketing calls; or
      e. contacting us by the communications stated in paragraph below to tell us that you no longer wish to receive marketing communication through any channel. 
    4. If you choose to personalise your services where such options are available, we will use personal information that we collect so that we can offer you those personalised services or communications. If you do not wish to accept those personalised services or communications, you can unsubscribe from those services at any time and we will cease to offer such services to you.
    5. For the avoidance of doubt, whether or not you consent to receive marketing communications of the type described in this paragraph 5, the Company may still communicate with you regarding the administration, features and renewal of your policy, subscription plan, membership or any other service plan that you subscribe to.
  6. Security and Retention
    1. The Company retains your personal information for as long as necessary for the purposes set out in this Notice, or otherwise agreed between you and us, unless otherwise required or permitted under applicable law.
    2. Where the Company no longer requires your personal information for the purposes under this Notice, or otherwise required under law, we will take appropriate steps to securely delete or destroy your personal information.
    3. We will take all practicable steps to protect your personal information against unauthorised or accidental access, processing, erasure, loss or use. This includes implementing a range of digital and physical security measures. In addition, we will restrict access to your personal information to those properly authorised to have access.
    4. Our online portals may have links to other external websites over which we do not have control. You are advised to refer to the privacy policies of these websites for more information.
    5. Our websites, mobile applications or portals may incorporate the software development toolkit ("SDK") provided by technology partners. We conduct security assessments on these third parties and the deployed SDK to protect your personal information. If you choose not to agree to the SDK service providers, certain services may not be accessible, but you can still access other digital services. Where necessary or appropriate, we will provide the information of the relevant SDK when you register for the specific product or service. You can also visit our corporate website for the latest list of the SDK service providers from time to time. A list of our SDK can be found here.

  7. Use of Cookies

    7.1 When you use our sites, we and third-party companies collect information by using cookies and other technologies such as pixel tags (for simplicity we refer to all such technologies as "cookies"). The updated version of the Cookies Policy is available for review on our corporate website here. You can also control, block, or delete cookies through your web browser settings, usually found under "settings" on your chosen browser.
    7.2 To find out more about cookies please visit aboutcookies.org or allaboutcookies.org.
  8. Artificial Intelligence, Profiling and Automated Decision Making
    8.1 Like many businesses, we may use artificial intelligence (AI) and other automation technologies to provide products or services to you, which may involve the use of your personal information for the purposes described in this Notice. We evaluate information about you and use technology to give you automatic responses and decisions. This is known as profiling and automated decision making.

    8.2 Some of the ways for using these technologies include:
    a. Underwriting and claim management. Optical Character Recognition (OCR) technology may be used to automate data extraction from paper and electronic documents. This reduces waiting times for straightforward cases and improves our efficiency. We typically make sure an adviser reviews any problems with treatment approval to guarantee a fair outcome to our customers.
    b. Customer service. AI and machine learning can be used to improve customer service by providing personalised recommendations and assistance. For example, chatbots powered by AI can help customers claim or answer questions about their policies. This improves response times and our efficiency.
    c. Risk assessment and pricing. AI and software can be used to help us calculate the price of products and services based on what we know about you and other customers on a portfolio basis.
    d. AI-assisted clinical summary. AI may be used to assist medical secretaries in the preparation of clinical summaries. This improves the accuracy of data entry and frees up healthcare professionals to spend more time on patient care. The AI-assisted process does not involve making final clinical decisions. All documentation is reviewed and validated by qualified clinicians.
    e. Fraud detection. AI and machine learning may be used to detect suspicious activity, enabling faster identification of potentially fraudulent transactions to protect our customers and security within our services.
    f. Training our model (the AI algorithm) that creates predictions for business activities to help us identify how our products and services can be improved.
    g. The use of AI via the SDKs to provide specific products or services with our technology partners. Please see details in paragraph 6.5 above.

    8.3 The data undergoes a de-identification process to perform the analysis. This means that we remove information from which you can be directly identified, e.g. your name, and replace it with a pseudonym or unique identifier. We do this to maximise the security of your information.
  9. Data Access and Correction
    1. Under and in accordance with the terms of the Ordinance, you have the following rights to:
      1. check whether the Company holds personal information relating to you or the Member and to access such personal information;
      2. require the Company to correct any personal information relating to you or the Member which is inaccurate;
      3. ascertain our policies and practices in relation to personal data and to be informed of the kind of personal data held by the Company;
      4. request the Company to cease using your personal information for direct marketing purposes; and
      5. change your preference in respect of our use of your personal information.
    2. Requests can be made in writing to the Company's Data Protection Officer at the following address:
      Data Privacy Officer/ Customer Service Manager 6/F, Tower 2, The Quayside, 77 Hoi Bun Road, Kwun Tong, Kowloon, Hong Kong
      Or, by email:
      a. customercare@bupa.com.hk
      b. cs@bluahealth.com.hk
      c. cs@bluahealth.com.hk
      d. info@qhms.com
  10. In accordance with the terms of the Ordinance, the Company has the right to charge a reasonable fee for the processing of any personal information access or correction request.
  11. Nothing in this Notice shall limit the rights of customers under the Ordinance.
  12. In case of discrepancies between the English and Chinese versions of this Notice, the English version shall prevail. This Notice may be amended by the Company from time to time. You may access and obtain a copy of this Notice, as amended from time to time, at www.bupa.com.hk.

Dated 11 November 2025