Privacy Policy

Privacy Policy

At HSF Health Plan, we understand the importance of protecting your privacy. This policy is designed to explain what information we may collect about you, how we may use it, and the steps we take to ensure that it is kept secure. It sets out the conditions under which we may process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information.

We are committed to transparency and take the protection of your privacy and confidentiality very seriously. You have the right to know how your personal data is used, and we are committed to using it only for the purposes you intended. We will never share your information with unauthorised third parties and will always maintain the confidentiality of the data you entrust to us.

Our policy complies with the EU General Data Protection Regulation (GDPR) and UK GDPR. The law requires us to tell you about your rights and our obligations to you regarding the processing and control of your personal data.

Who are we

This is the privacy notice of HSF Health Plan Limited. In this document, “we”, “our”, or “us” refers to HSF Health Plan Limited.

We are company number 30869 and our registered offices are at 24 Upper Ground, London, SE1 9PD. In Ireland, our company number is 904935 and the registered office is at 5 Westgate Business Park, Kilrush Road, Ennis, Co Clare Ireland.

We are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority in the UK. In Ireland, we are regulated by the Central Bank of Ireland for Code of Conduct business rules, with the Department of Health and Children and The Health Insurance Authority in Ireland. Founded 1873 Incorporated 1890. We are the trading company of The Hospital Saturday Fund, a Registered Charity in the UK No 1123381 and in Ireland Registered Charity No 20104528.

How is your personal data collected and the data we collect?

When you apply for a Health Cash Plan, we collect three types of information: your personal details (including those of your partner and any dependents), your medical details (including those of your partner and any dependents), and your payment details.

• Personal details The personal details we collect are your personal and contact details including title, name, address, date of birth, email address, telephone numbers, PPS number, employers name and payroll number (if applicable). We also collect the name and date of birth of your partner and any dependents (if applicable).
• Medical details The medical details we collect are any conditions or illnesses you, your partner and any dependants may have had (or have) and the date any of the symptoms began.
• Payment details The payment details we collect are Direct Debit or Credit Card information. Direct Debit or Credit Card information will be used for automatic payments to be made from the account you provide.

If you fail to provide personal data

If you do not provide information, we may not be able to:

• provide requested services to you;
• to continue to provide and/or renew existing products or services.

We will tell you when we ask for information which is not a contractual requirement or is not needed to comply with our legal obligations.

We may collect information from:

• The main policyholder if you are a dependant under a family policy. We may collect personal data about children when they are listed as dependents under a policy. In such cases, we require parental or guardian consent before processing their data. We ensure that children’s data is handled with additional safeguards in compliance with GDPR.
• Your employer, if you are covered by a policy your employer is funding.
• Brokers and other agents (this may be your broker if you have one, or your employer’s broker if they have one).

Sending a message to our support team: When you contact us, whether by telephone, through our website or by e-mail, we collect the data you have given to us in order to reply with the information you need. We record your request and our reply in order to increase the efficiency of our business.

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

When you make an application for a Health Cash Plan or otherwise agree to our terms and conditions, a contract is formed between you and us. In order to carry out our obligations under that contract we must process the information you give us. Some of this information may be personal information in order to:

• verify your identity for security purposes
• sell products to you
• provide you with our services
• provide you with suggestions and advice on products, services and how to obtain the most from using our website

We process this information on the basis there is a contract between us and where we have a legal obligation to do so such as processing medical information to support claim assessments in line with that policy contract, or that you have requested we use the information before we enter a legal contract.

Additionally, we rely on legitimate interest as the lawful basis for which we collect and use your personal data where it is necessary for our and your legitimate interests and fundamental rights do not override those interests. When we process your personal information for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection and any other relevant law. Our legitimate business interests do not automatically override your interests – we will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). Our legitimate interests arise as the processing of your personal data is necessary to enable us to set up and administer our products and services.

Where we have a legal or regulatory obligation to use your personal information, for example, when our regulators, the Prudential Regulatory Authority (PRA), the Financial Conduct Authority (FCA), the Information Commissioner’s Office, Central Bank of Ireland (CBI) or Data Protection Commission (DPC) ask us to maintain certain records of any dealings with you.

Where we need to use your personal information to establish, exercise or defend our legal rights, for example when we are faced with any legal claims, or where we want to make any claims ourselves.

Where we need to use your sensitive personal information such as health data because it is necessary for your vital interests, an example would be a life-or-death matter.

We may also aggregate your personal data in a general way and use it to provide class information, for example to monitor our performance with respect to a particular service we provide. If we use it for this purpose, you as an individual will not be personally identifiable.

The following are some examples of when and why we would use this approach:

• To improve and enhance our services When we do process your data, we will use it to benefit you and to make your experience better and to improve our products and services.
• Your best interest Processing your information to protect you against fraud when transacting on our website, and to ensure our websites and systems are secure.
• Personalisation Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communications for the benefit of our customers.
• Research To determine the effectiveness of promotional campaigns and advertising and to develop our products, services, systems and relationships with you.
• Due Diligence We may need to conduct investigations on existing customers, potential customers and business partners to determine if those companies and individuals have been involved or convicted of offences such as fraud, bribery and corruption.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Information Sharing

Third Parties and Group Organisations
In order to provide you with our services, we may share your data with third parties and other organisations within our group or other organisations to enable continuity of service, such as:

• Organisations that pay premiums on your behalf in line with the policy contract.
• Service providers and partners who provide IT and system administration services, and support services.
• Professional advisers including lawyers, bankers, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
• Organisations to provide the benefits and services for which you have applied and to assist with the continuity and provision of benefits.

Regulatory Bodies
We may also share your data with regulatory bodies when it is a legal requirement to do so for the purpose of monitoring and enforcing compliance, such as:

• HM Revenue & Customs UK or the Revenue Commissioners in Ireland, regulators, and other authorities who require reporting of processing activities in certain circumstances.
• Fraud detection agencies and other third parties who operate and maintain fraud detection registers.
• The Financial Ombudsman Service and regulatory authorities such as the Financial Conduct Authority, the Information Commissioner’s Office (UK), the Data Protection Commissioner’s Office (Ireland), and the Prudential Regulation Authority.

We have formal data sharing agreements in place with all third-party processors to ensure that personal data is handled securely and in compliance with GDPR requirements.

Security and Compliance
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Information Transfers

The disclosure of personal information to the affiliates and other third parties set out above may involve the transfer of data outside the EU, EEA or states that are considered ‘adequate’. Where we need to engage a third party which operates outside of Europe those considered ‘adequate’ for the provision of services, then we would ensure that an equivalent degree of protection is provided by implementing appropriate technical measures and legal safeguards and standard contractual clauses as required by the legislation.

Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We conduct Privacy Impact Assessments (PIAs) for any high-risk data processing activities to ensure compliance with GDPR and to mitigate potential risks to individuals’ privacy.

All staff members receive regular training on data protection principles and practices. We ensure that employees understand their responsibilities in safeguarding personal data.

Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In line with our current retention policy, we retain policyholders’ personal data for at least 6 years but no more than 7 years after the health plan policy has ceased.

Automated Decision Making

We do not currently use automated decision-making or profiling that has legal or similarly significant effects. If this changes, we will update this policy and inform affected individuals of their rights under Article 22 of GDPR.

Your Legal Rights

• Right to be informed We will always be transparent in the way we use your personal data. You will be fully informed about the processing through relevant privacy notices.
• Right to Access You have the right to request a copy of all information about you held by us.
  Please note that we are not obliged to take proactive steps to discover that a subject access has been made. If we cannot view a subject access request without paying a fee or signing up to a service, we will not respond to the request.
• ​Data Portability You have the right to receive your personal data in a structured, commonly used, and machine-readable format. This applies when the processing is based on consent or contract and is carried out by automated means. You may also request that we transfer your data directly to another controller where technically feasible.
• Right to Object or to Restrict Processing You have the right to object to our use of your personal information, or to ask us to delete, remove, or stop using your personal information if there is no need for us to keep it. Please note our policy is to only keep personal information for as long as is reasonably required for the purpose(s) for which it was collected. We are required to keep certain transactional records – which does include personal information – for more extended periods to meet legal, regulatory, tax or accounting needs. We are also required to retain an accurate record of dealings with us for at least six years after your last interaction with us, so we can respond to any complaints or challenges you or others might raise later.
• We may sometimes be able to restrict the use of your data. This means that it can only be used for certain things, if this is the case we would not use or share your information in other ways whilst it is restricted. You can ask us to restrict the use of your personal information if:
• It has been used unlawfully but you don’t want us to delete it.
• You have already asked us to stop using your data, but you are waiting for us to tell you if we can keep on using it.
• Right to Rectification We want to make sure that the personal data we hold about you is accurate and up to date. If any of your details are incorrect, please let us know and we will amend them. When we receive any request to access, edit or delete personal identifiable information we shall first take reasonable steps to verify your identity before granting you access or otherwise taking any action. This is important to safeguard your information.
• Right to Erasure You have the right to have your data ‘erased’ in the following situations:
• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed.
• When you withdraw consent.
• When you object to the processing and there is no overriding legitimate interest for continuing the processing.
• When the personal data was unlawfully processed.

Please note that each request will be reviewed on a case-by-case basis and where we have a lawful reason to retain the data or where exceptions exist within our retention policy, then it may not be erased.

If you wish to exercise any of your above right, you can do so by contacting the Data Protection Officer at DPO@hsf.eu.com.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limits to respond

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Right to Complain

Should you not be happy with the way we handle your personal data, you have the right to complain. You can do so by contacting the Data Protection Officer.

If your complaint reasonably requires us to contact a third party, we may decide to give to that third party some of the information contained in your complaint. We do this as infrequently as possible, but it is a matter for our sole discretion as to whether we do give information, and if we do, what that information is.

You also have a right to lodge a complaint with the supervisory authority: the Information Commissioner’s Office (UK) or the Data Protection Commissioner’s Office (Ireland).

Data Protection Contacts

Data Protection Officer contact details:

UK Address:

HSF Health Plan
24 Upper Ground
London SE1 9PD

Ireland Address:

HSF Health Plan
Westgate Business Park
5 Kilrush Rd
Ennis
Co. Clare
Ireland

Email: DPO@hsf.eu.com

Compliance with the Law

Our privacy policy has been compiled so as to comply with the law of every country or legal jurisdiction in which we aim to do business. If you think it fails to satisfy the law of your jurisdiction, we should like to hear from you. However, ultimately it is your choice as to whether you wish to use our website.

Review of this privacy policy

We may update this privacy notice from time to time as necessary. The terms that apply to you are those posted here on our website on the day you use our website. We advise you to print a copy for your records.

​If you have any questions regarding our privacy policy, please contact us.

Last updated September 2025