Privacy Policy
What is Included in our Privacy Policy?
We aim to be transparent in our approach and make the relevant information available to you in a user-friendly format. We have labelled the sections of the policy to make it easy to navigate. Please click on the subjects below to find out more details.
Who is collecting your Personal Data?
This privacy policy applies to the Healix Group of Companies, consisting of the following:
Healix International Ltd, Healix House, Esher Green, Esher, KT10 8AB, UK.
Healix International Group Ltd, Healix House, Esher Green, Esher, KT10 8AB, UK.
Healix Health Services Ltd, Healix House, Esher Green, Esher, KT10 8AB, UK.
Healix Medical Services Ltd, Healix House, Esher Green, Esher, KT10 8AB, UK.
Healix Insurance Services Ltd, Healix House, Esher Green, Esher, KT10 8AB, UK.
Healix New Zealand Ltd, Unit 3 Building D 63 Apollo Drive Rosedale 0632 Auckland, New Zealand.
Healix Assistance International Pte Ltd, 10 Anson Road, Floor Level 5, International Plaza, 079903, Singapore.
HX Global Inc, 300 Wildwood Ave, Suite 250, Woburn, MA, 01801, USA.
Healix International (Pty) Ltd, Ground Floor Brookside Building, 11 Imam Haron Rd, Claremont, 7708, South Africa.
Healix International Corporation, Suite 200, United Kingdom Building, 409 Granville Street, Vancouver, BC, V6C 1T2, Canada.
For more information please visit Regulatory Info.
References in this Privacy Policy to ‘we’, ‘our’ or ‘us’ refer to Healix Group or, where relevant, its affiliates.
References to ‘you’ or ‘your’ in this Privacy Policy refer to anyone whose Personal Data we may collect.
For the purposes of the Data Protection laws that apply, such as the GDPR, we act both as a ‘Data Controller’ and a ‘Data Processor’ dependent on the services provided. This is our Master Privacy Policy that applies with respect to the Personal Data we process.
What service do we perform where we need to process your Personal Data?
Healix will process your Personal Data in order to provide the following services as applicable to you:
- International Medical Assistance;
- Travel Assistance, Travel Claims Management;
- Third Party Medical Claims;
- Medical Trust Administration;
- Medical Screening Services;
- Travel Risk Management;
- Global Security and Assistance Services;
- Insurance Broking Services;
- Managing General Underwriting (MGU) insurance.
We will only process your Personal Data for the specific service relevant for you.
What Personal Data do we collect?
To enable us to provide the services we will collect information that is relevant for the services that you receive, enabling us to identify you as an eligible individual and the benefits you are eligible to receive.
This may include:
- Personal details and contact details: such as name, address, email address, telephone number, business email address and telephone number, date of birth, reference numbers, reasons for travelling; as required to identify you as eligible. Employment details (where the service delivery is related to your employer): employee ID, User ID, hire date, job title, termination date, work location and address, business unit and organisational information, etc.
- Benefit entitlement: such as policy reference number, scheme number or other reference information
- Banking details, where it is necessary to reimburse you
- Geo-location data: Location information such as flight details, hotel reservations, hospital or clinic as necessary to manage your case and GPS location where you have agreed to share these.
In order for us to provide the services we may need to collect the following special categories of Personal Data limited to the requirement of your individual circumstances:
- Health information, medical records, and patient data: Health information including medical history, vaccination history, any current conditions, any restrictions on travel, diagnosis and prognosis, and details of medical treatment received or recommended.
- Details of treating medical professionals and any relevant associated reports or information such as third party medical opinions or advice. Costs associated with medical treatment and repatriation.
- Photo/Video data (images, videos) where required for performing the service, such as dental images or scans.
- Religious or philosophical beliefs or political opinion: specific religious information as it pertains to appropriateness of treatments or to repatriation of mortal remains, cremation at point of death etc.
- Data concerning sex life, where it is relevant for the service provision.
Using Personal Data to improve our services
As part of our ongoing efforts to improve our services we may ask your opinion on our services and how well we did, by sending a short customer satisfaction survey. This will enable us to identify what part of the services works well for you and what areas can be improved so that we can develop systems, upskill staff, streamline processes and hopefully as a result improve customer satisfaction. The surveys are managed by our internal Quality Teams using Survey Monkey.
Completing customer surveys is voluntary and we will only collect the minimum personal data needed for the purpose. This will include personally identifiable information such as your email address. Surveys will include free text options where you can be more specific in your answer, but please avoid including sensitive personal data. Data collected will only be used for improving our services.
When using the website or for marketing purposes
When you access our website we will collect certain information automatically from your device that is categorised as Personal Data. This includes information such as your IP address, unique device identity numbers, device type, browser type, geographic location, pages accessed and links clicked.
We collect this information to better understand how the website is used, how visitors arrive at our website and what content is of most interest. This information enables us to improve the relevance and the user experience on our website. We use cookies and tracking technology to collect and analyse this information. You can find more detailed information on our Cookies page. All data collection is subject to consent.
When you use the Contact Us option or subscribe to our mailing list we collect such Personal Data as your name, contact details and company details and country if you wish.
How do we collect and share Personal Data?
We will collect Personal Data directly from you where possible but will also collect from and share data with relevant third parties such as:
- Treating medical professionals and service providers such as doctors, hospitals, ambulances, air ambulances and non-medical support staff as required to provide the relevant service;
- Persons or organisations involved in providing you with services, or components of services such as airline medical clearance departments, occupational health providers, employees, agents, sub-contractors, professional advisors (and any other persons or bodies having a legal right or duty to have access to or knowledge of Personal Data);
- Relevant underwriter of the policy, their intermediaries, brokers and elected claims handlers as required;
- Local agents, providing for example, translation services, evaluation of the local medical facilities, security consultation or local ground support or cost containment companies managing the financial aspects of your case;
- Your GP where we need to understand previous medical conditions;
- Family members, friends or other third parties, including next of kin, where appropriate and agreed with you and where you have authorised us to deal with them on your behalf;
- Your employer where the service is related to your employment where the sharing of information is necessary and either based on your consent or to protect your vital interest;
- Companies within the Healix Group;
- Organisations providing the payment systems including financial institutions, merchants and payment organisations;
Healix may further be required to exchange Personal Data with the following third parties:
- Public authorities in order to comply with legal and regulatory obligations such as fraud and money laundering prevention and persons/organisations involved in provision of medical treatment, hospital accommodation, public health administration and disease control for the administration of public health. Information will be anonymised where possible.
- Organisations involved in maintaining, reviewing and developing our business systems, procedures and infrastructure including maintaining or upgrading our computer systems. Access is always limited by organisational and technical access controls.
When will we collect your Personal Data?
- We will collect Personal Data from you when you contact us to notify us of a claim, create an account or register for our services. We may collect Personal Data from a third party if they are managing the claim on your behalf (for example if you authorised the person to act on your behalf).
What will we use the Personal Data for?
We may use your Personal Data for the following activities:
- To set you up as a user/member/patient and open a case, a claim or an account.
- To provide the actual services referred to in the section: “What Service do we perform where we need to process your data?”
- To communicate with you about the services including responding to your enquiries, concerns and complaints;
- To comply with our legal and regulatory obligations;
- To defend or prosecute legal claims;
- To investigate or prosecute fraud; and/or
- When you sign up for marketing communications.
What is the legal basis for processing your Personal Data?
Healix only processes Personal Data where necessary in order to:
- Comply with any applicable contractual obligations;
- Comply with a legal obligation;
- Process data as may be required in the public interest, such as detecting and preventing fraud;
- Pursue the legitimate interests we have as a business in a way which may reasonably be expected as part of running our business and which does not materially impact your rights (for example to improve our services). This may include using your Personal Data to send you marketing information and your cookie data to identify and analyse trends on our website.
Healix will also process special category data when:
- You have provided explicit consent;
- Processing is for the purpose of administration of a claim and is necessary for reasons of substantial public interest, such as management of an insurance policy;
- For the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
- Processing is necessary to protect your vital interests or those of another individual and you are not physically or legally capable of giving consent;
- Processing is necessary for the establishment, exercise or defence of legal claims;
- Processing data may be required in the public interest, such as detection and prevention of fraud.
How is your Personal Data secured and stored, and how is Personal Data transferred overseas?
We take appropriate technical, organisational, administrative and physical precautions to secure your Personal Data and to prevent unauthorised access, loss, misuse or alteration and preserve data integrity.
Your Personal Data is stored on secure servers in the UK. We always aim to minimise the amount of data processed and have strict measures in place to protect your Personal Data at all times in compliance with our ISO27001 Certification, best practice information security, the General Data Protection Regulation and with regard to medical information, in accordance with Confidentiality: Good Practice in Handling Patient Information issued by the UK General Medical Council.
Access controls are applied to limit access to Personal Data to those with a “Need to Know” and for legitimate business requirements. We regularly monitor our system for possible vulnerabilities and attacks, carrying out penetration testing to identify methods to further strengthen the security of our systems.
Healix will transfer your Personal Data to the relevant third parties as needed in order to provide the required services. We have to share relevant Personal Data with the treating medical professional and other third party recipients in the location where you are receiving the service and as required. If you are located abroad when requesting our services, this will mean that we will transfer your Personal Data cross border to meet your requirements.
How long is Personal Data stored?
Our data protection and retention policies and procedures are designed to ensure we comply with our legal obligations. We will only retain your Personal Data for as long as is reasonably necessary for the purposes referred to in the section: “What will we use the Personal Data for?” There may be circumstances where we will have to retain your Personal Data for longer periods of time where for example we are required to do so to comply with legal and regulatory obligations including tax or accounting requirements.
We will always keep your Personal Data securely and will apply our data retention policy to ensure it is not kept for longer than is required.
Automated Decision Making
We do not use your Personal Data for any processing activities that may result in automated decisions being taken that legally affect you or can significantly affect you. Any decisions made about you will always require the involvement of a human being.
Children
Healix recognises the need to provide further privacy protection with respect to children under the age of 13. The services we provide are not directly aimed at children but children as a family member of an eligible individual may require the benefit of the services. Children under the age of 13 or equivalent minimum age in the relevant jurisdiction are not permitted to create accounts or provide Healix with their Personal Data without the permission of their parent or legal guardian. Healix does not knowingly collect Personal Data from anyone under the age of 13 without the knowledge and approval of the parent or legal guardian.
Applying for a job at Healix
When you apply for a role or provide your information for future consideration, Healix will process your personal data as described in this section.
Purpose and Legal Basis for processing
Purpose
- The Purpose for processing your information is to assess your suitability for the role you have applied for or any other related roles that may suit your capabilities/experience.
Legal basis
- The legal basis we rely on for this processing of your personal data is GDPR Art 6(1)(b); processing is necessary for the performance of a contract or to take steps at your request, before entering into a contract.
- The legal basis we rely on for the processing of special categories of personal data such as health, religious or ethnic information is GDPR Art 9(2)(b); processing is necessary for the purpose of carrying out our obligations in employment and safeguarding your fundamental rights and freedoms. The Data Protection Act 2018 Schedule 1 part 1(1) and (2)(a) and (b) relating to processing for employment, the assessment of your working capacity and preventative or occupational medicine applies.
What information do we ask you for?
We only collect the information needed to fulfil our stated purposes. You do not have to provide all the information we ask for but it may affect your application if you don’t.
Application information
This information will include:
- Contact and identification information; such as name, email and phone number.
- Experience; education, work experience, referees and role specific information.
This information will be shared with HR employees and hiring managers. Hiring managers will only have access to shortlisted applications.
Equal opportunities
We will also collect equal opportunities information (optional); such as age, sex, race, disability, religion or belief, sexual orientation and pregnancy/maternity. This information will only ever be accessed by HR employees and will be used to produce and monitor equal opportunities statistics.
Shortlisting
We may ask you to participate in telephone interviews or attend an interview in the office.
For some roles psychometric assessments may be required which include personality and aptitude assessments.
If you are not successful we will ask if you would like us to retain your information for consideration for other opportunities.
How will we use the information?
We will use all the information you provide during the recruitment process to assess your suitability for the role, progress your application with a view to offering you an employment contract with us, or to fulfil legal or regulatory requirements if necessary.
We will not share any of the information you provide with any third parties for marketing purposes.
How long do we keep it?
We will maintain a copy of your application and associated documents for a period of one year after you are registered on our recruitment portal. Any data held after this point will require your consent. For successful applicants relevant data will be transferred to your HR file. When you leave employment with us we will retain information in line with statutory requirements and best practice.
Text Message Disclaimer
Healix may send you a text message when you open a new claim or to provide information as part of an ongoing claim. It can also be part of the chat functionality or other case management services. It will always be in relation to situations where you would expect to hear from us.
You should be aware that message and data rates may apply.
If you do not wish for us to use this communication channel to contact you, please opt-out by replying ‘STOP’.
Text messages for marketing and promotional purposes will only be sent where explicit opt-in consent has been collected. No mobile information will be shared with third parties for marketing or promotional purposes.
Data will be handled securely in line with the rest of this data privacy notice.
Chat and WhatsApp Services
Healix is offering Chat and WhatsApp services as alternative communication channels to interact with Healix agents for various services. The Chat can be accessed from the Healix website.
What information will be collected via Chat or WhatsApp?
Healix will collect data when you contact Healix via Chat or WhatsApp. To direct your enquiry the Chatbot may request information as to whether you are a customer or a provider, identification information and claim reference information where this is relevant. Healix will use this information to direct you to the correct department and may link this information to any other information Healix may hold on you for the purpose of identification and dealing with your request.
Both communication channels enable free text so depending on the context for contacting Healix we may collect the following types of information:
- Contact data
- Identification data
- Location data
- Case specific information including sensitive personal data such as medical data where relevant.
All communication will be recorded and stored securely in the UK. All information you provide will be used for the purpose of assessing, directing, and assisting you, to enable speedy assistance. Where the enquiry is related to a new or ongoing case, the information will be linked to the relevant case and data will be processed in accordance with the relevant service’s privacy notice.
On the completion of the Chat, you have an option to download and retain a copy of the Chat by clicking on the options in the top right hand corner. For WhatsApp the data will be stored in your WhatsApp account in accordance with your settings. You can delete data on your account, but this will not delete the data collected by Healix.
Healix will use anonymised data only for statistics and to improve the Chat experience.
What are your Rights?
Under Data Protection legislation, you have rights with regard to your Personal Data. You can exercise your rights at any time by contacting the Healix Group Data Protection Officer (details are provided at the end of this policy). You have the right to:
- Withdraw consent. Where we are relying on your consent to process your Personal Data, you have the right to change your mind and withdraw that consent.
- Request access to your Personal Data and be informed and provided with clear, transparent and easily understandable information about how we process your Personal Data (please see “Subject Access Right” below). This Privacy Policy is provided for this purpose.
- Request rectification of your Personal Data held by us if it is inaccurate.
- Request that we erase the Personal Data if it has been collected without adherence to legal requirements or is no longer needed, in accordance with this policy.
- Request restrictions to the data processing activity in situations where you believe we no longer need to process your Personal Data.
- Complain if you consider we have breached our privacy obligations (see “Contacting Healix or making a complaint”, below).
Automated Decision Making
Healix uses technology to provide a quicker and more consistent service for certain processing activities including invoice processing. You have certain rights when an organisation is making a decision using technology, without a person being involved. You have the right:
- not to be subject to a decision that is based solely on automated processing if the decision affects your legal rights or other equally important matters (eg automatic refusal of an online credit application, and e-recruiting practices without human intervention);
- to understand the reasons behind decisions made about you by automated processing and the possible consequences of the decisions; and
- to object to profiling in certain situations, including for direct marketing.
You can exercise your rights by contacting Healix – please see the contact information in the section “Contacting Healix or make a complaint”.
Direct Marketing
You have the right to stop the use of your Personal Data for direct marketing activity. You can opt out of receiving promotional or marketing communication from us at any time by using the ‘Unsubscribe’ function provided in all promotional material sent to you.
Alternatively, you can contact us at privacy@healix.com with the word “UNSUBSCRIBE” in the subject field of the email. If you make such objection, we will cease to process your Personal Data for this purpose. Please allow 5 working days for the changes to take effect.
Subject Access Right
You have the right to access Personal Data held about you. To exercise this right we would prefer that you provide a written request to us including as much information as possible (dates, specific issue etc.) to enable us to comply with your request as quickly as possible. You can however also make a verbal request. In responding to your access request we will confirm what data we process and what we use it for, who we share it with, how we collected it and how long we keep it.
To make an access request please contact us using the contact details below under the section “Contacting Healix or make a complaint”.
Changes to our Privacy Policy
We may update this Privacy Policy from time to time by publishing a new version on our website. You should check our Privacy Policy occasionally to ensure you are happy with changes to our Privacy Policy (the ‘last updated’ reference in the introduction tells you when we last updated this Privacy Policy). If we make significant changes to the Policy that materially change our privacy practices, we may also notify you by other means, such as posting a notice on the main website or via email if you have joined our mailing list.
Healix Insurance Services Limited
Healix Insurance Services Limited is regulated by the Financial Conduct Authority. Please look here for more information including the Healix Insurance Services Limited Privacy Notice.
Contacting Healix or make a complaint
Please contact us if you have any questions about anything in this document or think that your Personal Data has been misused or mishandled:
- Email: privacy@healix.com, or
- Letter: Healix Group Data Protection Officer, Healix House, Esher Green, Esher, Surrey, KT10 8AB, UK.
We will treat your requests or complaints confidentially and contact you within a reasonable time after receipt of your communication to address your concerns and outline options regarding how they may be resolved. We will aim to ensure that your complaint is resolved in a timely and appropriate manner.
If you do not believe your complaint has been managed appropriately or that Healix has addressed your concerns, you have the right to escalate the complaint to your national data protection supervisory authority. If you are located in the UK the independent regulator is the Information Commissioner's Office: casework@ico.org.uk
California Consumer Privacy Act (CCPA) Statement
- Healix will only use personal data for the purposes of providing and improving the services and will never sell personal data. Healix will not discriminate against users who are California Residents and choose to exercise a right under the California Consumer Privacy Act.
Please see the ‘Contacting Healix or make a complaint’ section of this Privacy Policy if you would like to:
- Access/delete your personal information
- Request that Healix stops collecting your personal information.
Please see the ‘Children’ section of this Privacy Policy for information on how we process the data of minors.
EU Representative
We have appointed EU Rep as our Representative under Article 27 of the EU General Data Protection Regulation (“GDPR”). All GDPR queries from EU Data Subjects or Data Protection authorities should be addressed to privacy@eurep.ie. BizLegal Limited trading as EU Rep have their registered office at 27 Cork Road, Middleton Co. Cork, Ireland. Company number 635921. You may also contact us directly at privacy@healix.com.
Website Traffic
In order to improve our website structure and functionality, we count the number of visitors and how visitors move around the website. More specifically, we are tracking the following fully anonymised information:
- Masked 2 byte(s) IPs - e.g. 192.168.xxx.xxx
- Date and time of a page request
- Title of the page being viewed (Page Title)
- URL of the page being viewed (Page URL)
- URL of the page that was viewed prior to the current page (Referrer URL)
- Screen resolution being used
- Time in local user’s timezone
- Files that were clicked and downloaded (Download)
- Links to an outside domain that were clicked (Outlink)
- Pages generation time/Page speed (the time it takes for webpages to be generated by the webserver and then downloaded by the user)
- Main Language of the browser being used (Accept-Language header)
- User Agent of the browser being used (User-Agent header)
We are not collecting personal data.