Privacy notice

Our contact details

Post:

MAXIS GBN S.A.S., 1st Floor, The Monument Building, 11 Monument Street, London, EC3R 8AF, United Kingdom

Telephone:

+44 (0)20 3831 2626

Registered Office

313 Terrasses De L’Arche, 92727, Nanterre, Cedex

Company Number

803 461 482 RCS Nanterre

ICO Reference Number

ZA361728

Contact

Kirsty Knopp – Data Compliance Manager

Email:

[email protected]

Privacy notice

MAXIS GBN S.A.S. (MAXIS) respects your privacy and seeks to protect all your individual personal information (“personal information”) it collects in accordance with our data protection principles:

The amount of your individual personal information MAXIS GBN holds on you and how it uses it depends on your relationship with MAXIS GBN and on what service you use, so some of the sections below may not be relevant to you.

  1. Personal information is collected and processed in a fair, lawful and transparent manner.

  2. Personal information is only processed for a specific purpose and is limited to that purpose only.

  3. We only collect the minimum amount of personal information necessary for the processing activity. For MAXIS to process any of your personal information, we must have a lawful basis.

  4. Your personal information is kept accurate and up to date.

  5. We apply appropriate security mechanisms to protect your personal information.

  6. Your personal information is retained no longer than necessary for the purpose for which it was originally collected.

  7. We only share your personal information when necessary and lawful to do so.

What personal information we collect, use, and why?

1. Reinsurance:

Where we collect or use the following personal information to provide services which support reinsurance:

  • Claims information (including claim number, insurance product type, amount of benefits paid) and census data (including age, gender, and salary).

  • Our lawful basis for collecting and processing your personal information is Article 6(1)(a) of the General Data Protection Regulation (GDPR)the data subject has given consent to the processing of their personal data for one or more specific purposes.

This means we will only collect and process your personal information when you have freely given, specific, informed, and unambiguous consent for us to do so. You have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

We process your personal information with your consent in order to:

  • Provide the products or services you have requested.

  • Manage and administer our relationship with you, including responding to inquiries and service-related communications.

  • Send you updates, offers, or marketing communications (where you have opted in).

  • Comply with legal and regulatory obligations, where applicable.

2. Personal Information from Third Parties:

We may collect or use the following personal information from third parties including individuals relevant to a third party or potential third party, or any other third party with whom MAXIS is in a business relationship:

  • Name and contact details.

  • Account information, including registration and account details for our OneClient and OneMember portals.

  • Information used for security purposes.

  • Marketing preferences.

  • Website user information (including user journeys and cookie tracking).

  • Information relating to compliments or complaints.

  • Identification documents.

  • We log information, including IP addresses, about our customers, potential customers and third parties through SalesForce, or when they use our OneClient or OneMember portals.

Our lawful bases for collecting this personal information are Article 6(1)B and 6(1)F of the General Data Protection Regulation (GDPR) it is necessary for the purposes of contract, and to meet our legitimate interests respectively.

3. Marketing Contacts:

We collect or use the following personal information for service updates to our website or for marketing purposes:

  • Names and contact details.

  • Marketing preferences.

  • Location data.

  • IP addresses.

  • Website and app user journey information – we keep track of user activity in relation to the types of services our clients and members use, and metrics related to their use of the services.

  • Records of consent, where appropriate.

  • Cookies and other tracking technologies when you visit the MAXIS website or our OneClient and OneMember portals. Please see our Cookie Notice for more information.

  • User feedback, either in our portals directly, or after receiving help from our support team. Providing this feedback is entirely optional.

Our lawful basis for collecting this personal information is Article 6(1)F of the General Data Protection Regulation (GDPR)it is necessary to meet our legitimate interests.

4. Recruitment:

We collect or use the following personal information for recruitment purposes:

  • Contact details (e.g. name, address, telephone number or personal email address).

  • Date of birth.

  • National Insurance number.

  • Copies of passports or another valid photo ID.

  • Employment history (e.g. job application, employment references or secondary employment).

  • Education history (e.g. qualifications).

  • Right to work information.

  • Details of any criminal convictions (e.g. Disclosure Barring Service (DBS), Access NI or Disclosure Scotland checks).

  • Security clearance details (e.g. basic checks and higher security clearance).

  • Health information.

Our lawful bases for collecting this personal information are Articles 6(1)A, 6(1)B, 6(1)C and 9(a) of the General Data Protection Regulation (GDPR)where we rely on your consent for processing, necessary for the purposes of contract, and to meet our legitimate interests respectively.

How We Collect Personal Information

We collect information in the following ways:

  • Directly from You: When you provide personal information through our websites, applications, or other communication channels. This includes:

    • Filling out forms

    • Contacting customer support

  • Automatically: Through the use of cookies, and other tracking technologies when you interact with our website or applications. This includes:

    • Browsing history

    • IP address

    • Device information

  • From Third Parties: We may receive personal information from third-party sources such as:

    • Insurers

    • Marketing partners

    • Public databases

  • Through Analytics: We use analytics tools to understand how you use our services, which helps us improve your experience. This includes:

    • Usage patterns

    • Preferences

How long do we retain your personal information?

Your personal information will only be kept for as long as necessary to fulfil the original purposes set out in this Privacy Notice and then securely deleted.

Marketing personal information will only be held for the purposes of the campaign currently in progress. Where we collect personal information for direct marketing purposes we will securely delete personal information after two years in the event of no response. Where we collect personal information for recruitment purposes, we will securely delete personal information in respect of unsuccessful candidates after six months.

The period of retention will vary depending on what personal information we hold, why we hold it and what we are obliged to do by law.

Who we share information with?

All third-party data processors we use, including those who provide email and storage solutions used in our day-to-day work, are selected for, and monitored on, how they meet the requirements of current UK and EU data protection legislation and the requirements of UK and EU GDPR.

We maintain a comprehensive register of all active data processing activities concerning the use of any personal information in our business. This is maintained in accordance with Article 30 of the UK GDPR to provide a clear understanding of what information is held and where.

Others we share personal information with:

  • Professional advisors.

  • MAXIS members, insurers, re-insurers, shareholders, and affiliates in the context of the services that MAXIS provides

  • Regulatory authorities.

  • External auditors or inspectors.

  • Organisations we’re legally obliged to share personal information with.

  • Emergency services (where necessary).

  • Publicly on our website, social media or other marketing and information media (where appropriate).

Sharing information outside the UK

Where necessary:

  1. We may transfer your personal information outside of the UK.

  2. Our data processors may transfer your personal information outside of the UK.

When doing so, we comply both with the UK and EU GDPR, making sure appropriate safeguards are in place. Any of your personal information that is to be transferred outside the UK will only take place in situations where MAXIS has taken the required steps to ensure that your personal information will be adequately protected in accordance with applicable law.

We ensure that the third parties who receive your personal information will only act on our instructions and in accordance with applicable data protection laws and regulations. Punctual due diligence checks are regularly conducted to ensure compliance with the appropriate frameworks for any exchanges of personal information are in place, including where appropriate the use of Standard Contractual Clauses (SCCs) and UK Addendum.

For transfers of personal information from the United Kingdom to countries not covered by an adequacy decision, we incorporate the International Data Transfer Addendum (UK Addendum) issued by the UK Information Commissioner's Office (ICO). The UK Addendum modifies the European Commission's Standard Contractual Clauses to ensure compliance with the UK GDPR.

In the event of any conflict between the terms of the UK Addendum and the European Commission's Standard Contractual Clauses, the terms of the UK Addendum shall prevail to the extent necessary to comply with the UK GDPR.

Your data protection rights

Under the UK and EU GDPR, you have specific data subject rights including:

  • Your right to be informed – You have the right to be informed about the collection and use of your personal information. This includes details such as:

    • The purposes for processing your information

    • The retention periods

    • Who it will be shared with This information must be provided at the time your information is collected, or within a reasonable period if obtained from another source.

  • Your right of access - You have the right to ask us for copies of your personal information

  • Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

  • Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

  • Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

  • Rights related to automated decision-making including profiling – You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. If such processing occurs, you have the right to:

    • Obtain human intervention

    • Express your point of view

    • Contest the decision These rights apply unless the decision is necessary for a contract, authorised by law, or based on your explicit consent.

    • Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent.

You don’t usually need to pay a fee to exercise your rights. You will be notified if you are to be charged any fees.

If you make a request, we have one calendar month to respond to you which can be extended by a further two months in certain circumstances. We will always inform you if an extension is needed.

To make a data subject access rights request, please contact us using the contact details at the top of this Privacy Notice or alternatively you can access our request form here.

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us via the complaints form here.

If you remain unhappy with how we’ve used your personal information after raising a complaint with us, you can also complain to the ICO. The ICO’s address:

Alternatively, for a complete list of Data Protection Authorities in the EU, you can visit the European Data Protection Board (EDPB) website:

https://www.edpb.europa.eu/about-edpb/about-edpb/members_en

Changes to our Privacy Notice

We keep our Privacy Notice under regular review. See below for the date of the latest update. Any changes to this Notice will apply to you and your data immediately. If these changes affect how your personal information is processed, MAXIS will take reasonable steps to notify you of these changes.

Last updated: 26th August 2025