Privacy Policy

This Privacy Policy (together with our website Terms of Use, and our online services Transaction Terms and Conditions) sets out how and why the BF&M Group collects and processes your Personal Data through your use of this website and/or when we provide our services as an insurance business.

Please read this Privacy Policy carefully as it contains important information about how we handle personal data, in accordance with applicable data protection laws. It sets out the circumstances in which we may disclose your personal data to others and the rights you have regarding our use of your personal data.

You have the right to object to us processing your personal data. This is discussed in further detail in the section Your legal rights in relation to your personal data.

Words in bold (and mentioned for the first time in this document) have a specific meaning set out in our Key Terms section at the end of this document.

Who are we?

Island Heritage Insurance Company Limited is a part of the BF&M Group.

Island Heritage Insurance Company Limited Head Office is located at Island Heritage House, 128 Lawrence Boulevard, Grand Cayman, Cayman Islands. BF&M’s Head Office is located at BF&M Insurance Building, 112 Pitts Bay Road, Pembroke HM08 Bermuda. For further details, read the section Contact Us.

To arrange insurance cover and handle insurance claims, we and other Insurance Market Participants are required to use and share personal data.

Who is responsible for your personal data?


Where you took out an insurance policy or related product yourself:

The BF&M Group entity that originally collected information from you (and where applicable, an intermediary from whom you purchased insurance) will primarily be responsible for processing your personal data in accordance with applicable data protection laws.

BF&M’s Head Office is responsible for any personal data the BF&M Group collects from you when using our websites.


Where another organisation took out an insurance policy or related product for your benefit:

Where your employer, a bank or another organisation took out a policy for your benefit, you should contact your employer or that organisation if you have any questions about your personal data and they should provide you with details of the insurer or the intermediary that they passed your personal data to.


Where you are not a policyholder or an insured:

Where you are not a policyholder or plan holder or an insured, you should contact the organisation which collected your personal data if you have any questions.

We will provide you with information required by applicable data protection laws in a number of different formats and documents, such as when you submit an application, claim or related documentation to us. Where appropriate, we will refer you to this Privacy Policy and ask you to confirm your consent to us processing your personal data for the purposes specified here and in other documentation you receive.

For further details about this Privacy Policy, please refer to the Contact us section below.

Collection of personal data

The types of personal data we collect will depend on the nature of the relationship you have with us.

We may collect and process different kinds of personal data about you, which we have grouped together below.

  • Individual Data includes your first name, maiden name, last name, address and other contact details including email and telephone numbers, username or similar identifier, marital status, title, date of birth, gender, nationality, employer, job title, employment history and family details;

  • Identification Data includes your identification numbers issued by government bodies or agencies, including insurance number, passport number and driving licence number;

  • Financial Data includes your bank account, payment card details, income or other financial information;

  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us;

  • Risk Data includes information about you which we need to collect in order to assess the risk to be insured and to provide a quote. This may include (only to the extent it is relevant), Special Category Data including criminal record and health data;

  • Policy Data includes information about the quotes you receive and the policies you take out;

  • Credit and Anti-Fraud Data includes credit history, credit score, sanctions and criminal offences, and information received from any anti-fraud databases relating to you;

  • Previous and Current Claims which may include unrelated insurance policies, and (only to the extent relevant) special category data;

  • Special Categories of Personal data as defined in the Key Terms

  • Technical Data includes your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website;

  • Profile Data includes your username and password, purchases or orders made by you, your interests, any preferences, feedback and application responses; and

  • Usage Data includes information about how you use our website, products and services.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide data when requested or object to the processing of that data, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with insurance or related services). In this case, we may have to cancel a service you have with us but we will notify youat the time if this is the case.

Family members and other parties

Most of the personal data we collect will be about the individual(s) taking out the insurance or related product. In certain circumstances we may need to ask for personal data concerning others, for example:

  • you ask us to provide insurance or a related product for other household or family members or as members of a group;

  • as an insured person, we ask you to provide information about other family members to the extent that it is relevant to the risk we are covering when arranging a policy; or

  • when handling claims we may ask for information about other individuals, such as injured parties.

Where you provide us with information about someone else, you must ensure, and we will assume that, you have their permission. We will process their personal data in accordance with our Privacy Policy so please encourage them to read it.

Where might we collect your personal data from?

We may collect your personal data from various different sources, both directly from you and indirectly through third parties (depending on the nature of the relationship you have with us). Some examples of where we may collect your personal data from include:

  • You, such as when you submit application forms and apply for our products or services, contact us in respect of your policies (including when you provide us with claims' information), and when you create an account on our website and log in to such account and carry out actions in connection with your account, such as making payments, creating quotes and buying and renewing policies online;

  • Your family members, employer or appointed representative;

  • Other insurance market participants to whom you provide personal data;

  • Our third party service providers, such as healthcare service providers;

  • Anti-fraud databases, sanctions lists, court judgements and other applicable databases;

  • Government agencies;

  • Other publically available sources and material; and

  • In the event of a claim, third parties including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjustors, solicitors, claims handlers.

How we use and process personal data

We use your personal data for the provision and administration of insurance products and related services we provide. We set out below the purposes for which we may process your personal data (including special category data and information about criminal convictions and offences).

We must have a lawful basis to process your personal data, further details of which are also below.



Lawful basis


Quotation/Inception of policyholder

  • Onboarding customers, including credit, fraud and criminal records checks

  • Evaluating risks to match with appropriate policy and premiums; and

  • Payment of premium by insured/policyholder.

Performance of our contract with you.

Compliance with our legal obligations

Our legitimate interests (to ensure that the customer is within our acceptable risk profile and to assist with the prevention of fraud and crime).

Consent (where applicable).


Policy Administration

General client-care and communicating with the insured/policyholder about the policy, including policy updates; and

Payment to and from individuals pursuant to a policy.

Performance of our contract with you.

Our legitimate interests (to correspond with customers, beneficiaries, claimants in order to facilitate placing of and claims under polices)

Consent (where applicable)


Claims processing

  • Managing insurance and reinsurance claims

  • Defending or prosecuting claims

  • Investigating or prosecuting fraud

Performance of our contract with you.

Our legitimate interests (test veracity and quantum of claims).

Consent (where applicable)


Renewals of policies

  • Contacting insured/policyholder to renew the insurance policy

  • Evaluating the risks to be covered and matching to appropriate policy/premium

  • Payment of premium where the insured/policyholder is an individual


Performance of our contract with you.

Our legitimate interests (to correspond with the customers to facilitate continuation of insurance cover)

Consent (where applicable)

Other purposes

Direct marketing


Our legitimate interests (to develop our products/services and grow our business)

Complying with our legal and regulatory requirements

Our legitimate interests (to manage our business in an efficient and proper way)

Necessary to comply with our legal obligations

To trace debtors or beneficiaries, recover debt, prevent fraud and to manage payment, fees and charges in respect of your insurance policies with the BF&M Group.


Performance of our contract with you.

Our legitimate interests (to process payments or recover any debts due to us)

Managing our relationship with you- including to confirm update and improve our records to make sure we have the correct information about you or if we require additional information in relation to the products or services that we are providing to you; to tell you about changes to our services and products (including but not limited to confirming any updates to this Privacy Policy).


Performance of our contract with you.

Our legitimate interests (to manage our business in an efficient and proper way)

Consent (where applicable)

To exercise, defend and protect our legal rights to the rights of our clients or third parties.

Performance of our contract with you.

Our legitimate interests (to manage our business in an efficient and proper way)

Necessary to comply with our legal obligations

General risk modelling- to define our actuarial, pricing and underwriting strategies, customer profiling (explained below).


Our legitimate interests (to manage our business in an efficient and proper way)

Transferring books of business, company sales and reorganisations


Our legitimate interests (to structure our business appropriately)

To provide information to our service providers, auditors, agents and group companies that perform activities on our behalf


Performance of our contract.

Our legitimate interests (ensuring we can provide services and manage our business efficiently).

Necessary to comply with our legal or regulatory obligations.



Legitimate Interests

In all cases, where we have relied on our legitimate interests to process your personal data, we have balanced those interests against your rights as an individual and make sure we only use personal data in a way that you would reasonably expect in accordance with this Privacy Policy.


In some circumstances, applicable data protection laws may require us to obtain your consent to the processing of your personal data and special category data. Where this is the case, we will ask you for consent in accordance with those laws. You may withdraw your consent at any time (see the section below Contact Us). This will not affect the lawfulness of any processing based on consent before its withdrawal. However, if consent is withdrawn we may no longer be able to administer existing insurance policies or pay insurance claims.

Profiling and Automated Decision-Making

When calculating insurance premiums, we may collect and compare your personal data (as an insured, beneficiary or claimant) against industry averages. Using your personal data in this way enables us to analyse and predict certain outcomes and to confirm that the premium amount reflects the associated risk. This is profiling.

Profiling of your personal data is also carried out to help identify and understand fraud patterns.

To the extent special categories of data are relevant and necessary to the type of insurance, for example health data for life insurance, and previous criminal convictions for motor insurance, special categories of data may also be used for profiling.

Our staff make decisions based on profiling.

We may make some decisions based on profiling and without staff intervention. This is known as automated decision-making. Where you use any of our Quote and Buy applications on any of our websites, the generation of insurance quotations and the decision by us to sell certain insurance products, will be based on profiling.

If during the Quote and Buy process, the personal data you enter does not meet our requirements (created by profiling), the quotation will not be processed and you will receive a referral message to a team with underwriting authority to consider your application further.

Should you request us to provide more information on automated decision-making, and to verify whether a decision has been made correctly, we will act in accordance with the applicable data protection law.


Direct Marketing

We may contact you about the services and products we think may be of interest to you, by post, telephone or e-mail. We do so on the basis of our legitimate interests. You may opt-out of marketing at any time by getting in touch through the Contact Us section.

We will not sell your data to third parties for them to market to you.

Disclosure of personal data

We consider your personal data to be private and confidential. We may sometimes disclose your personal data (including special category data and criminal conviction data) to third parties under the following circumstances:

  • BF&M Group companies. We operate as a global business, so we may share your personal data with group companies who may use this data for the purposes described in this Privacy Policy.

  • Insurance Market Participants, including financial institutions and business partners that use your personal data in the connection with the provision of insurance services or related products, and the processing of claims.

  • Service providers, contractors or agents appointed by us. We may share personal data with service providers or agents that perform services and other business operations for us, for example, IT and analytics providers, medical specialists and hospitals, actuarial service entities, auditors and advisers.

  • Any law enforcement agency, court, regulator, government authority or professional body. We may share your personal data with these parties where we believe this is necessary to comply with legal or regulatory obligations, or otherwise to protect our rights or the property of the BF&M Group, including, without limitation the security and integrity of our network, or the rights of any third party.

  • Purchasers (potential and actual). We may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business or with whom a restructuring transaction is contemplated. In such circumstances, we will use our reasonable efforts to try and ensure that the entity receiving the personal data uses it in a way consistent with this Privacy Policy.

International transfer of your personal data

As we operate as a global business, we may need to share your personal data within the BF&M Group. You should know that we require all our companies to adhere to the same data protection standards.

We may also need to share your personal data, on occasion (and when necessary in order to perform services to you or to comply with legal regulatory obligations), with third-party recipients in countries whose data protection laws may not always offer the same level of protection. In these cases, we apply contractual standards and seek commitments and assurances from the third-party recipients to ensure an equivalent level of protection.

Retention of your personal data

We will hold on to your personal data for as long as is necessary in relation to the purposes for which your data was collected and processed.

We do retain certain documents for extended periods, if necessary to comply with our legal, regulatory, tax or accounting requirements. Retention of documents allows either you or us to commence or defend legal claims in relation to the insurance or related product.

To support us in managing how long we hold your personal data and our data management, we have a Data Retention Policy which provides guidelines on data retention and deletion.

We may also retain personal data where we have identified a legal basis for doing so in an aggregated form which allows us to continue to develop/improve our products and services.

Technical and organisational measures

We implement technical and organisational measures to ensure a level of security appropriate to the risk to your personal data that we process. We take into account the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

However, it is not possible to guarantee complete information security, nor can we guarantee that information you supply won’t be intercepted while being transmitted to us over the internet. Any transmission of personal data in this way, is at your own risk. We are not responsible for the circumvention of any privacy settings or security measures contained on the website.

We will continue to test, assess and evaluate the effectiveness of our technical and organisational measures.

In the event of a personal data breach, we act in accordance with all applicable data protection laws.

Software Quality

We do not warrant that any information, software or other material accessible through this site is free of viruses, worms, Trojan horses or other harmful component. The BF&M Group assumes no responsibility and shall not be liable for any direct, indirect, incidental or consequential damages that result from the use, access to, browsing in or downloading of any information, data, text, images or other material accessible through one of its web pages, this site or the website of any linked third party.


"Cookies" are small text files stored on your computer by websites that you visit. They are used by most websites in order to make them work efficiently, make controls respond properly and to provide information to the owners of websites.

We use cookies for the following purposes:

  • as part of the basic functioning of our website;

  • to collect and analyse anonymous statistical information about the way you use our website so we can improve the way the site works and the content we make available (for example, we collect information about the number of visitors to various parts of the site); andn

  • to remember your browsing preferences when you visit the site so we can give you a better experience.

  • The cookies we use are non-intrusive.

Disabling cookies

Most browsers allow you to control your cookie settings and to delete cookies already stored on your computer or other devices. You can control the use of cookies on your device, including deleting and blocking the cookies we use, through the browser settings on your device; but please note that any changes you make may affect your ability to properly use our website. If you want to know more on how to disable the use of cookies on your device, visit aboutcookies.org

Your rights

If you have any questions in relation to the use of your personal data, or would like to exercise any of the following rights, you should contact us by the means set out under the Contact us section below.

Under certain conditions you may have the right to require us to:

  • provide you with access to the personal data you have provided to us;

  • correct and update any inaccuracies in the personal data we process;

  • delete or remove any special category or personal data that we no longer have a lawful basis to process. Note that we may not always be able to comply with your request of deletion for specific legal reasons which will be communicated to you, if applicable, at the time of your request;

  • stop a particular type of processing, where processing of your personal data by us is based on your consent alone. We may not, as a consequence, be able to provide certain products, administer plans and policies and pay claims;

  • stop processing your personal data, where we are relying on our legitimate interests, unless our reasons for performing that processing outweigh any prejudice to your personal data protection rights;

  • provide your personal data in a usable electronic format so it may be transferred to a third party (where technically feasible) and, where the data is automated and which you initially provided consent for us to use or where we used the information to perform a contract with you;

  • restrict how we use your personal data where a complaint has been submitted and is being investigated; and

  • contest automated decision making, concerning special categories of data.

There may be other circumstances in which your rights may be restricted in order to safeguard public interest or to preserve the establishment, exercise or defence of legal claims.

Contact us


Questions and complaints

If you have any questions or complaints about this Privacy Policy or would like to exercise any of the rights listed in Your rights, please contact our Data Protection Officer by the following means:

Post: BF&M Insurance Building, 112 Pitts Bay Road, Pembroke HM08 Bermuda

Email at: privacy@bfm.bm.



If you have any concerns or complaints about how we have handled your personal data, please contact us on the details above.

You also have the right to complain to your local supervisory authority (i.e. the supervisory jurisdiction where you live or work or the supervisory authority of the jurisdiction where you believe that an infringement of data protection laws has occurred).

If you are unsure who your local supervisory authority is, please contact us.


Changes to this Privacy Policy

We may change this Privacy Policy from time to time. When we do, we will also revise the 'last updated' date at the bottom of the Privacy Policy. A copy of this Privacy Policy will be maintained on (www.bfm.bm) and (www.islandheritageinsurance.com). We encourage you to periodically review this Privacy Policy to stay informed about how we are helping to protect the personal data we collect.


Key Terms

Insurance Market Participants intermediaries, such as brokers who help arrange and administer insurance policies, as well as other insurers and reinsurers.

Personal Data is any information or data from which you can be directly or indirectly identified.

Special Category Data includes data of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, data concerning an individual’s sex life or sexual orientation, and criminal records data

We, us, our, BF&M Group BF&M Limited and its subsidiaries including BF&M General Insurance Company Limited, BF&M Life Insurance Company Limited, Island Heritage Insurance Company Ltd, BF&M Investment Services Limited, BF&M (Canada) Limited, BF&M Properties Limited, BF&M Brokers Limited, Island Heritage Insurance Company N.V. A list of our subsidiaries and corporate structure is available on our website at: https://www.bfm.bm/about/media-investors/corporate-structure.aspx.

You or your, refers to the individual whose personal information is being processed and may be the insured/policyholder or potential insured, beneficiary (someone who has an interest under the policy), claimant making a claim under the policy or other person involved in a claim or relevant to a policy.


Last updated: September 2019