HSF health plan privacy policy

This is the privacy notice of HSF health plan Limited. In this document, “we”, “our”, or “us” refers to HSF health plan Limited.
We are company number 30869 and our registered offices are at 24 Upper Ground, London, SE1 9PD. In Ireland our company number is 904935 and the registered office is at 5 Westgate Business Park, Kilrush Road, Ennis, Co Clare Ireland.

We are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority in the UK. In Ireland we are regulated by the Central Bank of Ireland for Code of Conduct business rules, with the Department of Health and Children and The Health Insurance Authority in Ireland. Founded 1873 Incorporated 1890.We are the trading company of The Hospital Saturday Fund, a Registered Charity in the UK No 1123381 and in Ireland Registered Charity No 20104528.


This is a notice to inform you of our policy about all information that we record about you. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.

We take seriously the protection of your privacy and confidentiality. We understand that all visitors to our website are entitled to know that their personal data will not be used for any purpose unintended by them and will not inadvertently fall into the hands of a third party.

We undertake to preserve the confidentiality of all information you provide to us and hope that you reciprocate.

Our policy complies with the EU General Data Protection Regulation (GDPR). The law requires us to tell you about your rights and our obligations to you regarding the processing and control of your personal data.

Data Privacy Policy

What information do we collect?

If you make an application for a Health Cash Plan. We collect three types of information: your personal details (including those of your partner and any dependants), your medical details (including those of your partner and any dependants) and payment details.

Personal details

The personal details we collect are: your personal and contact details including name, address, date of birth, company name and address (if applicable), email address and telephone numbers. We also collect the name and date of birth of your partner (if applicable) and any dependants (if applicable).

Medical details

The medical details we collect are: any conditions or illness you, your partner and any dependants may have had (or have) and the date any of the symptoms began.
A copy of this information is kept securely by us and our technology suppliers.

Payment details

The payment details we collect are Direct Debit or Credit Card information. Direct Debit or Credit Card information will be used for automatic payments to be made from the account you provide. A copy of this information is kept securely by us (and temporarily by our technology suppliers).

Information about your Direct Debit

When you agree to set up a Direct Debit arrangement, the information you give to us is passed to our own bank for processing according to our instructions. We do keep a copy.

Sending a message to our support team

When you contact us, whether by telephone, through our website or by e-mail, we collect the data you have given to us in order to reply with the information you need.
We record your request and our reply in order to increase the efficiency of our business.

How we use your information and the legal basis

When you make an application for a Health Cash Plan or otherwise agree to our terms and conditions, a contract is formed between you and us.In order to carry out our obligations under that contract we must process the information you give us. Some of this information may be personal information.

  • verify your identity for security purposes
  • sell products to you
  • provide you with our services
  • provide you with suggestions and advice on products, services and how to obtain the most from using our website

We process this information on the basis there is a contract between us, or that you have requested we use the information before we enter a legal contract.Additionally, we may aggregate this information in a general way and use it to provide class information, for example to monitor our performance with respect to a particular service we provide. If we use it for this purpose, we would have a genuine and legitimate reason and we are not harming any of your rights and interests.

The following are some examples of when and why we would use this approach:

  • To improve and enhance our services: When we do process your data, we will use it to benefit you and to make your experience better and to improve our products and services.
  • Your best interest: Processing your information to protect you against fraud when transacting on our website, and to ensure our websites and systems are secure.
  • Personalisation: Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of our customers.
  • Research: To determine the effectiveness of promotional campaigns and advertising and to develop our products, services, systems and relationships with you.
  • Due Diligence: We may need to conduct investigations on existing customers, potential customers and business partners to determine if those companies and individuals have been involved or convicted of offences such as fraud, bribery and corruption.

When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law).

Who we share your information with?

In order to provide you with our services, we may share your data with third parties and other organisations within our group or other organisations to enable continuity of service, such as;

  • Organisations that pay premiums on your behalf in line with the policy contract
  • Technical Support
  • To provide the benefits and service for which you have applied for and to assist with the continuity and provision of benefits

We may also share your data with regulatory bodies when it is a legal requirement to do so for the purpose of monitoring and enforcing compliances such as;

  • Financial Ombudsman Services
  • Information Commissioners Office – UK
  • Data Protection Commissioners – Ireland
  • Fraud Prevention Agencies

Your data outside Europe

The disclosure of personal information to the affiliates and other third parties set out above may involve the transfer of data outside the EEA. We have put in place the Standard Contractual Clauses approved by the European Union Commission for such transfers of personal data’. To find out more about how your personal data is protected when it is transferred outside the EEA, please contact our Data Protection Officer.

How long we hold your data for?

Except as otherwise mentioned in this privacy notice, we keep your personal information only for as long as required by us:

  • to provide you with the services you have requested;
  • to comply with other law, including for the period demanded by our tax authorities;
  • to support a claim or defence in court.
  • In line with our current retention policy we retain your personal data for at least 6 years but no more than 7 years after the health plan policy has ceased.

Implications of not providing data

If you do not provide information, we may not be able to:

  • provide requested services to you;
  • to continue to provide and/or renew existing products or services

We will tell you when we ask for information which is not a contractual requirement or is not needed to comply with our legal obligations.

Your rights

Right to be informed:

We will always be transparent in the way we use your personal data. You will be fully informed about the processing through relevant privacy notices.

Right to Access

You have the right to request a copy of all information about you held by us.
Please note that we are not obliged to take proactive steps to discover that a subject access has been made. If we cannot view a subject access request without paying a fee or signing up to a service, we will not respond to the request.

Data Portability

You have the right to exercise your right to data portability in certain circumstances.

Right to Object or to Restrict Processing

You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. Please note our policy is to only keep personal information for as long as is reasonably required for the purpose(s) for which it was collected. We are required to keep certain transactional records – which does include personal information – for more extended periods to meet legal, regulatory, tax or accounting needs. We are also required to retain an accurate record of dealings with us for at least six years after your last interaction with us, so we can respond to any complaints or challenges you or others might raise later.

We may sometimes be able to restrict the use of your data. This means that it can only be used for certain things, if this is the case we would not use or share your information in other ways whilst it is restricted. You can ask us to restrict the use of your personal information if:

  • It has been used unlawfully but you don’t want us to delete it.
  • You have already asked us to stop using your data, but you are waiting for us to tell you if we can keep on using it.

Right to Rectification

We want to make sure that the personal data we hold about you is accurate and up to date. If any of your details are incorrect, please let us know and we will amend them.

When we receive any request to access, edit or delete personal identifiable information we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.

Right to Erasure

You have the right to have your data ‘erased’ in the following situations:

  • Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
  • When you withdraw consent.
  • When you object to the processing and there is no overriding legitimate interest for continuing the processing.
  • When the personal data was unlawfully processed.

Please note that each request will be reviewed on a case by case basis and where we have a lawful reason to retain the data or where exceptions exist within our retention policy, then it may not be erased.
If you wish to exercise any of your above right, you can do so by contacting the Data Protection Officer.

Right to Complain.

Should you not be happy with the way we handle your personal data, you have the right to complain. You can do so by contacting the Data Protection Officer.

If your complaint reasonably requires us to contact a third party, we may decide to give to that third party some of the information contained in your complaint. We do this as infrequently as possible, but it is a matter for our sole discretion as to whether we do give information, and if we do, what that information is.

You also have a right to lodge a complaint with the supervisory:

Ireland: Data Protection Commissioner

UK: Information Commissioner Office

Data Protection Officer contact details

HSF health plan.
24 Upper Ground,
London SE1 9PD.


Other Information:

Information we obtain from third parties

Although we do not disclose your personal information to any third party (except as set out in this notice), we sometimes receive data that is indirectly made up from your personal information from third parties whose services we use.

No such information is personally identifiable to you.

Compliance with the law

Our privacy policy has been compiled so as to comply with the law of every country or legal jurisdiction in which we aim to do business. If you think it fails to satisfy the law of your jurisdiction, we should like to hear from you.

However, ultimately it is your choice as to whether you wish to use our website.

Review of this privacy policy

We may update this privacy notice from time to time as necessary. The terms that apply to you are those posted here on our website on the day you use our website. We advise you to print a copy for your records.

If you have any questions regarding our privacy policy, please contact us.

Last updated December 2020.