Privacy policy

This Privacy Policy (together with our website Terms of Use and our online services Transaction Terms and Conditions) sets out how and why the BF&M Group collects and processes your Personal Data through your use of this website and/or when we provide our products or services.

At BF&M, we care about your privacy. We recognise that when you choose BF&M as your insurance or pension provider, you are trusting us to protect your personal data. We want to be open and transparent with you about how we collect, use and protect it.

Please read this Privacy Policy carefully as it contains important information about how we handle personal data, in accordance with applicable data protection laws. It sets out the circumstances in which we may disclose your personal data to others and the rights you have regarding our use of your personal data. 

We may provide you with information required by applicable data protection laws in a number of different ways. Where appropriate, we will refer you to this Privacy Policy and ask you to confirm your consent to us processing your personal data for the purposes specified here and in other documentation you receive. 

For further details about this Privacy Policy, please refer to the Contact us section below. 

You have the right to object to us processing your personal data.
This is discussed in further detail in the section Your rights.

Words in bold (and mentioned for the first time in this document) have a specific meaning set out in our Key Terms section at the end of this document.

Who are we?

BF&M Limited is a publicly traded holding company, listed on the Bermuda Stock Exchange.

Headquartered in Bermuda, we conduct business through the trading names BF&M, Island Heritage, and Insurance Corporation of Barbados.

BF&M’s Head Office is located at BF&M Insurance Building, 112 Pitts Bay Road, Pembroke HM08 Bermuda. 

For further details, read the Contact us section below.

To arrange insurance cover and handle insurance claims, we and other Insurance Market Participants are required to use and share personal data. 

Who is responsible for your personal data?

Where you took out an insurance policy or related product yourself:
The BF&M entity that originally collected information from you (and where applicable, any Insurance Market Participant from whom you purchased insurance) will primarily be responsible for processing your personal data in accordance with applicable data protection laws.
BF&M’s Head Office is responsible for any personal data the BF&M Group collects from you when using our websites.

Where another organisation took out an insurance policy or related product for your benefit:
Where your employer, a bank or another organisation took out a policy for your benefit, you should contact your employer or that organisation and they should provide you with details of the Insurance Market Participants that they passed your personal data to.

Where you are not a policyholder or an insured:
Where you are not a policyholder or plan holder or an insured, you should contact the organisation which collected your personal data.

Collection of personal data

The types of personal data we collect will depend on the nature of the relationship you have with us.
We may collect and process different kinds of personal data about you, which we have grouped together below.

• Individual Data

includes your first name, maiden name, last name, address and other contact details including email and telephone numbers, username or similar identifier, marital status, title, date of birth, gender, nationality, employer, job title, employment history and family details;

• Identification Data

includes your identification numbers issued by government bodies or agencies, including insurance number, passport number and driving licence number;

• Financial Data

includes your bank account, payment card details, income or other financial information;

• Transaction Data

includes details about payments to and from you and other details of products and services you have purchased from us or provided by us;

• Risk Data

includes information about you which we need to collect in order to assess the risk to be insured and to provide a quote. This may include (only to the extent it is relevant) Special Category Data, including criminal record and health data;

• Policy Data

includes information about the quotes you receive and the policies you take out;

• Credit and Anti-Fraud Data

includes credit history, credit score, sanctions and criminal offences, and information received from any anti-fraud databases relating to you;

• Previous and Current Claims

which may include unrelated insurance policies, and (only to the extent relevant) special category data;

• Special Category Data as defined in the Key Terms

• Technical Data

includes your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website;

• Profile Data

includes your username and password, purchases or orders made by you, any preferences, feedback and application responses;

• Usage Data

includes information about how you use our website, products and services.

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide data when requested or object to the processing of that data, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with insurance or related services). In this case, we may have to cancel a service you have with us but we will notify you at the time if this is the case.

Family members and other parties

Most of the personal data we collect will be about the individual(s) taking out the insurance or related product. In certain circumstances we may need to ask for personal data concerning others, for example:

  • you ask us to provide insurance or a related product for other household or family members or as members of a group;

  • as an insured person, we ask you to provide information about other family members to the extent that it is relevant to the risk we are covering when arranging a policy; or

  • when handling claims we may ask for information about other individuals, such as injured parties.

Where you provide us with information about someone else, you must ensure, and we will assume that, you have their permission. We will process their personal data in accordance with our Privacy Policy so please encourage them to read it.

Where might we collect your personal data from?

We may collect your personal data from various different sources, both directly from you and indirectly through third parties (depending on the nature of the relationship you have with us). Some examples of where we may collect your personal data from include:

  • You, such as when you submit application forms and apply for our products or services, contact us in respect of your policies (including when you provide us with claims’ information), and when you create an account on our website and log in to such account and carry out actions in connection with your account such as making payments, creating quotes and buying and renewing policies online;

  • Your family members, employer or appointed representative;

  • Other insurance market participants to whom you provide personal data;

  • Our third-party service providers, such as healthcare service providers;

  • Anti-fraud databases, sanctions lists, court judgements and other applicable databases;

  • Government agencies;

  • Other publicly available sources and material; and

  • In the event of a claim, third parties including the other party to the claim (claimant/defendant), witnesses, experts (including medical experts), loss adjustors, solicitors, claims handlers.

How we use and process personal data

We use your personal data for the provision and administration of our products and services.  We set out below the purposes for which we may process your personal data (including special category data and information about criminal convictions and offences).
We must have a lawful basis to process your personal data, further details of which are also below.

Quotation/Inception of policy
Purpose/Activity:

  • Onboarding customers, including credit, fraud and criminal records checks;

  • Evaluating risks to match with appropriate policy and premiums; and

  • Payment of premium by insured/policyholder.

Lawful basis:

  • Performance of our contract with you.

  • Compliance with our legal obligations.

  • Our legitimate interests (to ensure that the customer is within our acceptable risk profile and to assist with the prevention of fraud and crime).

  • Consent (where applicable).

Policy administration
Purpose/Activity:

  • General client-care and communicating with the insured/policyholder about the policy, including policy updates; and

  • Payment to and from individuals pursuant to a policy.

Lawful basis:

  • Performance of our contract with you.

  • Our legitimate interests (to communicate with customers, beneficiaries or claimants in order to facilitate the placing of, and claims under, a policy).

  • Consent (where applicable).

Processing claims
Purpose/Activity:

  • Managing insurance and reinsurance claims;

  • Defending or prosecuting claims; and

  • Investigating or prosecuting fraud.

Lawful basis:

  • Performance of our contract with you.

  • Our legitimate interests (to test the veracity and quantum of claims).

  • Consent (where applicable).

Renewing policies
Purpose/Activity:

  • Contacting insured/policyholder to renew the insurance policy;

  • Evaluating the risks to be covered and matching to appropriate policy/premium; and

  • Payment of premium where the insured/policyholder is an individual.

Lawful basis:

  • Performance of our contract with you.

  • Our legitimate interests (to communicate with customers to facilitate continuation of insurance coverage).

  • Consent (where applicable).

Pension and investment services
Purpose/Activity:

  • Onboarding customers, including credit, fraud and criminal records checks;

  • Evaluating investments goals and matching to appropriate investment products;

  • General client-care and communicating with the customer about pensions or investments; and

  • Payment to and from individuals related to pensions or investments.

Lawful basis:

  • Performance of our contract with you.

  • Our legitimate interests (to communicate with customers to facilitate continuation of insurance coverage).

  • Consent (where applicable).

Other purposes
Purpose/Activity:

  • Direct marketing

Lawful basis:

  • Our legitimate interests (to develop our products/services and grow our business).

  • Consent (where applicable).

Purpose/Activity:

  • Complying with our legal and regulatory requirements

Lawful basis:

  • Our legitimate interests (to manage our business in an efficient and proper way).

  • Compliance with our legal obligations.

  • Consent (where applicable).

Purpose/Activity:

  • To trace debtors or beneficiaries, recover debt, prevent fraud and to manage payment, fees and charges in respect of your insurance policies with the BF&M Group.

Lawful basis:

  • Performance of our contract with you.

  • Our legitimate interests (to process payments or recover any debts due to us).

  • Consent (where applicable).

Purpose/Activity:

  • Managing our relationship with you including: to confirm, update and improve our records to make sure we have the correct information about you or if we require additional information in relation to the products or services that we are providing to you; or to tell you about changes to our services and products (including but not limited to confirming any updates to this Privacy Policy).

Lawful basis:

  • Performance of our contract with you.

  • Our legitimate interests (to manage our business in an efficient and proper way).

  • Consent (where applicable).

Purpose/Activity:

  • To exercise, defend and protect our legal rights to the rights of our clients or third parties.

Lawful basis:

  • Performance of our contract with you.

  • Our legitimate interests (to manage our business in an efficient and proper way).

  • Compliance with our legal obligations.

  • Consent (where applicable).

Purpose/Activity:

  • General risk modelling: to define our actuarial, pricing and underwriting strategies and customer profiling.

Lawful basis:

  • Our legitimate interests (to manage our business in an efficient and proper way).

  • Consent (where applicable).

  • Corporate finance exemptions under applicable data protection laws (where applicable).

Purpose/Activity:

  • Transferring books of business, company sales and business reorganisation.

Lawful basis:

  • Our legitimate interests (to structure our business appropriately).

  • Corporate finance exemptions under applicable data protection laws (where applicable).

Purpose/Activity:

  • To provide information to our service providers, auditors, agents and group companies that perform activities on our behalf.

Lawful basis:

  • Performance of our contract.

  • Our legitimate interests (ensuring we can provide services and manage our business efficiently).

  • Compliance with our legal or regulatory obligations.

  • Consent (where applicable).

Direct marketing

We may contact you about the services and products we think may be of interest to you, by post, telephone or e-mail.  We do so on the basis of our legitimate interests or consent where obtained.  You may opt-out of marketing at any time by getting in touch through the Contact us section.
We will not sell your personal data to third parties for them to market to you.

Our legitimate interests

In all cases, where we have relied on “our legitimate interests” to process your personal data, we have balanced those interests against your rights as an individual and make sure we only use personal data in a way that you would reasonably expect in accordance with this Privacy Policy.


In some circumstances, applicable data protection laws may require us to obtain your consent to the processing of your personal data and special category data. Where this is the case, we will ask you for consent in accordance with those laws. You may withdraw your consent at any time (see the Contact us section below). This will not affect the lawfulness of any processing based on consent before its withdrawal. However, if consent is withdrawn we may no longer be able to administer existing insurance policies or plans or pay insurance claims or plan benefits.

Profiling and automated decision making

When calculating insurance premiums, we may collect and compare your personal data (as an insured, beneficiary or claimant) against industry averages. Using your personal data in this way enables us to analyse and predict certain outcomes and to confirm that the premium amount reflects the associated risk.

This is profiling.

Profiling of your personal data is also carried out to help identify and understand fraud patterns.

To the extent special category data is relevant and necessary to the type of insurance, for example health data for life insurance, and previous criminal convictions for motor insurance, special category data may also be used for profiling.

In very limited circumstances, we may make some decisions based on profiling and without staff intervention. This is known as automated decision-making. Where you use any of our Quote and Buy applications on any of our websites, the generation of insurance quotations and the decision by us to sell certain insurance products will be based on profiling.

If during the Quote and Buy process, the personal data you enter does not meet our requirements (created by profiling), the quotation will not be processed and you will receive a message to contact a member of our underwriting team to consider your application further.

Should you request us to provide more information on automated decision-making, and to verify whether a decision has been made correctly, we will act in accordance with the applicable data protection law.

Disclosure of personal data

We consider your personal data to be private and confidential. We may sometimes disclose your personal data (including special category data and criminal conviction data) to third parties under the following circumstances:

  • BF&M Group companies. We operate as a global business, so we may share your personal data with group companies who may use this data for the purposes described in this Privacy Policy.

  • Insurance Market Participants, including financial institutions and business partners that use your personal data in connection with the provision of insurance services or related products, and the processing of claims.

  • Service providers, contractors or agents appointed by us.  We may share personal data with service providers or agents that perform services and other business operations for us, for example, IT and analytics providers, medical specialists and hospitals, actuarial service entities, auditors and advisers.

  • Any law enforcement agency, court, regulator, government authority or professional body. We may share your personal data with these parties where we believe this is necessary or advisable to comply with legal or regulatory obligations, or otherwise to protect our rights or the property of the BF&M Group, including, without limitation, the security and integrity of our network, or the rights of any third party.

  • Purchasers (potential and actual).  We may share your personal data with any third party that purchases, or to which we transfer, all or substantially all of our assets and business or with whom a restructuring transaction is contemplated.  In such circumstances, we will use our reasonable efforts to try and ensure that the entity receiving the personal data uses it in a way consistent with this Privacy Policy.

Protecting your personal data outside Bermuda

As we operate a global business, we may need to share your personal data within the BF&M Group. You should know that we require all our companies to adhere to the same data protection standards.

We may also need to share your personal data, on occasion (and when necessary or advisable in order to perform services to you or to comply with legal or regulatory obligations), with third-party recipients in countries whose data protection laws may not always offer the same level of protection. In these cases, we apply contractual standards and seek commitments and assurances from the third-party recipients to ensure an equivalent level of protection.

Retention of your personal data

We will hold on to your personal data for as long as is necessary or advisable in relation to the purposes for which your data was collected and processed.

We do retain certain documents for extended periods, if necessary or advisable to comply with our legal, regulatory, tax or accounting requirements. Retention of documents allows either you or us to commence or defend legal claims in relation to the insurance or related product.

To support us in managing how long we hold your personal data and our data management, we have a Data Retention Policy which provides guidelines on data retention and deletion.

We may also retain personal data where we have identified a legal basis for doing so in an aggregated form which allows us to continue to develop/improve our products and services.

Technical and organisational measures

We implement technical and organisational measures to ensure a level of security appropriate to the risk to your personal data that we process.

We take into account the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

However, it is not possible to guarantee complete information security, nor can we guarantee that information you supply won’t be intercepted while being transmitted to us over the internet.

Any transmission of personal data in this way is at your own risk.

We are not responsible for the circumvention of any privacy settings or security measures contained on the website.

We will continue to test, assess and evaluate the effectiveness of our technical and organisational measures.

In the event of a personal data breach, we act in accordance with all applicable data protection laws.

Software quality

We do not warrant that any information, software or other material accessible through this site is free of viruses, worms, Trojan horses or other harmful components.

The BF&M Group assumes no responsibility and shall not be liable for any direct, indirect, incidental or consequential damages that result from the use, access to, browsing in or downloading of any information, data, text, images or other material accessible through one of its web pages, this site or the website of any linked third party.


"Cookies" are small text files stored on your computer by websites that you visit. They are used by most websites in order to make them work efficiently, make controls respond properly and to provide information to the owners of websites.
We use cookies for the following purposes:

  • as part of the basic functioning of our website;

  • to collect and analyse anonymous statistical information about the way you use our website so we can improve the way the site works and the content we make available (for example, we collect information about the number of visitors to various parts of the site); and

  • to remember your browsing preferences when you visit the site so we can give you a better experience.

The cookies we use are non-intrusive.

Disabling cookies
Most browsers allow you to control your cookie settings and to delete cookies already stored on your computer or other devices.
You can control the use of cookies on your device, including deleting and blocking the cookies we use, through the browser setting on your device; but please note that any changes you make may affect your ability to properly use our website.

Your rights

If you have any questions in relation to the use of your personal data, or would like to exercise any of the following rights, you should contact us by the means set out under the Contact us section below.

Under certain conditions you may have the right to require us to:

  • provide you with access to the personal data you have provided to us;

  • correct and update any inaccuracies in the personal data we process;

  • delete or remove any special category data or personal data that we no longer have a lawful basis to process. Note that we may not always be able to comply with your request of deletion for specific legal reasons which will be communicated to you, if applicable, at the time of your request;

  • stop a particular type of processing, where processing of your personal data by us is based on your consent alone. We may not, as a consequence, be able to provide certain products, administer plans and policies and pay claims;

  • stop processing your personal data, where we are relying on our legitimate interests, unless our reasons for performing that processing outweigh any prejudice to your personal data protection rights;

  • provide your personal data in a usable electronic format so it may be transferred to a third party (where technically feasible) and, where the data is automated and which you initially provided consent for us to use or where we used the information to perform a contract with you;

  • restrict how we use your personal data where a complaint has been submitted and is being investigated; and

  • contest automated decision making, concerning special category data.  

There may be other circumstances in which your rights may be restricted in order to safeguard public interest or to preserve the establishment, exercise or defence of legal claims.

Contact us

Questions and complaints
If you have any questions or complaints about this Privacy Policy or would like to exercise any of the rights listed in Your rights, please contact our Privacy Officer, Gemma Rochelle, by the following means:

  • Write to: BF&M Insurance Building, 112 Pitts Bay Road, Pembroke HM 08 Bermuda

  • Email: [email protected]. 

You also have the right to complain to your local supervisory authority (i.e. the supervisory jurisdiction where you live or work or the supervisory authority of the jurisdiction where you believe that an infringement of data protection laws has occurred).

  • In Bermuda, the supervisory authority is the Privacy Commissioner.

We ask that you please attempt to resolve any issues with us before contacting your supervisory authority.

Changes to this privacy policy
We may change this Privacy Policy from time to time. When we do, we will also revise the 'last updated' date at the bottom of the Privacy Policy.

A copy of this Privacy Policy will be maintained on

We encourage you to periodically review this Privacy Policy to stay informed about how we are helping to protect the personal data we collect.

Key Terms

  • Insurance Market Participants include intermediaries, such as brokers and agents who help arrange and administer insurance policies, as well as other insurers and reinsurers.

  • Personal Data is any information or data from which you can be directly or indirectly identified.

  • Special Category Data includes data of racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, genetic data, biometric data, data concerning an individual’s sex life or sexual orientation, and criminal records data.

  • We, us, our, BF&M Group refers to BF&M Limited and its subsidiaries including BF&M General Insurance Company Limited, BF&M Life Insurance Company Limited, Island Heritage Insurance Company, Ltd., Island Heritage Retirement Trust Company Ltd., Island Heritage Insurance Company Ltd. N.V., BF&M Investment Services Limited, BF&M (Canada) Limited, BF&M Properties Limited, BF&M Brokers Limited.

  • You or your, refers to the individual whose personal information is being processed and may be the insured/policyholder or potential insured, beneficiary (someone who has an interest under the policy), claimant making a claim under the policy or other person involved in a claim or relevant to a policy.