Why read this?

Data gives us the power to do incredible things – being able to provide fairer premiums is our favourite example. But handling it is a big responsibility, and one we take very seriously. This policy shows how we use your personal information, and what we do to keep it safe.

§1 What words mean

This Privacy notice (the “Notice”) describes how By Miles (“we”, “us”, “our” and “By Miles”) collects, stores and uses information about you in connection with By Miles insurance products and services, including your use of the By Miles websites (the “Sites”), the By Miles mobile application (the “App”) and the Miles Tracker or via an authorised connection to your vehicle so we can collect your vehicle data.

“Data Protection Law” means the Data Protection Act 2018, the UK General Data Protection Regulation (the UK GDPR), and the Privacy and Electronic Communications (sometimes shortened to EC Directive) Regulations 2003 (also known by the acronym PECR), as amended from time to time, and all other applicable privacy and data protection laws and regulations, as well as any guidance and/or codes of practice issued from time to time by the Information Commissioner.

For the purposes of Data Protection Law we, the insurer named on your insurance policy (if you are a By Miles policyholder) and any providers of add-ons to your policy (such as breakdown cover, legal cover or providers of any other optional cover add-on) are data controllers. This means that we control the processing of your personal information in accordance with Data Protection Law, and are each responsible for holding your personal information safely. See the section ‘information we may collect about you’ for further information.

§1.1 Who we are

By Miles is a company registered in England and Wales under company number 09498559 and our registered office is at By Miles Ltd, Churchill Westmoreland Road, Bromley, BR1 1DP. We are part of the Direct Line Group of companies. "You" refers to the individual (also known as the Data Subject) about whom we collect and process data and the purposes by which we do so.

We’re registered with the Information Commissioner's Office, with reference number ZA219758.

We’re also ISO 27001 certified by the British Assessment Bureau, with certificate number 214977. This means the way we process and safeguard your data is always at the forefront of everything we do. You can read more about this in our information security management policy.

You can contact us:

• By post: By Miles Customer Relations, By Miles Ltd, Churchill Court, Westmoreland Road, Bromley, BR1 1DP
• For general requests by email: hello@bymiles.co.uk
• By telephone: 0330 088 3838
• For data related requests by email: data@bymiles.co.uk
• Or to contact our Data Protection Officer (DPO), by email: DPO@bymiles.co.uk

As we try to be as paperless as possible, we’ll communicate with you using the email address you give us in your application form, so it’s important that you keep this accurate and up-to-date. If you wish to change the email address that we use to communicate with you, please let us know.

§2 Information we may collect about you

§2.1 Direct personal data

Most of the personal information we may collect about you is provided directly to us, by you, for the following reasons. This data is collected if you have:

• Requested an insurance quote with your details, and the details of any additional drivers, from us directly on our website or indirectly through one of our partner sites (for example, by using a price comparison website)
• Bought a policy from us and provided us with contact details, car information, driving history, claims information, payment information, motoring offences and convictions, additional drivers and their driving history and driving licence information
• Requested a quote renewal reminder
• Requested we notify you about your quote validity
• Applied for a job with us via our website or by using a recruitment partner - see our seperate Recruitment privacy notice
• Visited our website
• Taken part in a competition or survey we’ve been running
• Responded to an invitation from us (or via a carefully selected third-party provider) to write a review about our services
• Referred a friend as part of our refer a friend offer
• Made a claim
• Contacted us with a query via phone, email, social media or by using the live chat on our website or smartphone app, and provided either your details or the details of an additional driver

§2.1.1 Information about other people

If you give us information on behalf of a third party, including other drivers named on your policy, it’s your obligation to show this notice to them and to ask them to read it thoroughly. You should also make sure they acknowledge and agree to their personal data being processed in line with the requirements of this notice.

§2.2 Automatic/indirect data collection

We may also collect and store personal data automatically. Some of this will be worked out based on information you give us so we can provide the service to you, including but not limited to:

• We may monitor your use of the App and the Sites through cookies and similar tracking methods. The information helps us build a profile of our users to help us improve your experience. In some cases, we aggregate data, which means we can’t identify you individually. For further information on our use of cookies, please see the cookie policy.
• Information we use via third parties to check your identity, credit status, car and driving history. See ‘information from third parties’, below.
• We may track whether emails sent to you by us have been opened and/or whether hyperlinks contained within our emails have been clicked by you. This information helps us to monitor and improve the effectiveness of both our service and marketing communications. To unsubscribe from Marketing emails, see section ‘How to change marketing consent (‘object to processing’)’.
• We may also collect information about your device each time you use the App or Sites, including:
  • The operating system and browser type
  • The browser language
  • The IP address used to connect your computer or mobile device to the Internet
  • The URL of the website you visited before reaching our Sites
  • The URLs of the pages you visited on our Sites
  • The time you spent on each page you visited
  • The access times
  • Other information about your use of our Sites
  • The location of your device

§2.2.1 Information from third parties

We may get information about you from other sources, for example: the Driver and Vehicle Licensing Agency (DVLA), the Motor Insurance Database (MID), the Claims and Underwriting Exchange (CUE), MyLicence and credit checking agencies. Some of these third parties may record our enquiries. The information provided by third parties about you will add to the information we already hold to help us check your identity and get an idea of your credit score.

§2.3 Tracking your mileage

When you sign up to our telematics-based insurance, we’ll automatically collect some vehicle and driving-related information from the Miles Tracker installed in your vehicle, or by using our connection with your Connected Car (which you allow us to access when you sign up). This information may include:

• The location of your car and the roads you’ve driven on
• The date and time of the driving
• The distance driven, and the time taken to drive it
• The speed of the car
• Other information from your car, such as the Vehicle Identification Number (VIN), car battery health, the car’s mileometer and any engine fault warnings
• If the Miles Tracker has been unplugged (and when and where this happened), or whether our systems have become disconnected from your Connected Car
• When safety features in your car were activated

Using this data, we can understand where and when your car is driven, which helps us to manage your insurance policy and calculate how many miles you have driven.

We won’t use data about how you drive to change your policy or premium, however, we reserve the right to decide not to offer you a policy at renewal.

We may also use this information to help with the settling of claims. For example, to help track down your stolen car, or to prove you weren't to blame.

We may collect data about your driving after your policy ends if you keep the Miles Tracker plugged in, or if your Connected Car connection is live. If you sell your car, it is your responsibility to remove the Miles Tracker before the buyer takes ownership of your car, and to notify them if you forget.

§2.3.1 Connected Car policies

If you have a Connected Car policy instead of a plugged-in Miles Tracker, as part of the guided onboarding process, you’ll be asked to log in to your account with your car’s manufacturer and give permission for By Miles to access and use your vehicle data.

§3 What’s the legal basis for us processing your information?

We’ll process your personal data in one or more of the following circumstances:

• You’ve given us permission to do so. For example, to remind you when your insurance is due for renewal, to link your connected car so we can calculate your mileage, or because you’ve asked to receive marketing emails.
• When it’s necessary for you to enter into a contract with us, to provide you with the requested product or service, such as:
  • Managing quotes and renewals
  • Managing changes to your policy
  • Supporting your policy
  • Processing your payments
  • Registering and processing insurance and reinsurance claims made under your insurance policy
  • Responding to queries made by you
• To comply with our legal and regulatory obligations, including payment processing and financial account management, defending or prosecuting legal claims, and for investigating or prosecuting fraud.
• For legitimate business reasons, including:
  • Improving our products, services, communications, websites and app
  • To carry out research and development to improve our product and services for you
  • To carry out behavioural advertising
  • To investigate fraud or illegal activity
  • To facilitate feedback and determine the effectiveness of our advertising, communications, products and services
  • To better understand how people interact with our website and app
  • To improve our advertising targeting to make our marketing campaigns more relevant and useful
  • To enhance security

§4 How do we use (or process) your information?

We may process your information for the following reasons:

• To provide you with a quote (which includes credit checking, security vetting and vehicle checks).
• To manage your policy, including extras you’ve added, changes and renewals.
• To send marketing communications when you’ve asked us to (see ‘Your rights’ below).
• To send you a Miles Tracker.
• To connect to, and get vehicle data from, your Connected Car.
• To aid in fraud detection and prevention as part of our regulatory and legal obligations.
• To contact you and resolve queries about the products we provide.
• To review your information for a job application.
• To improve your browsing experience on our site.
• To monitor referrals and click-throughs from our partners.
• To request feedback and participation in surveys and post-purchase activities.
• If you’ve left us a public review or social media post about our services, we may use your comment in marketing materials, alongside your first name or username that you’ve posted the comment with.
• To improve our advertising reach, we may instruct marketing partners, such as social media companies, to use information about how you use our products and services. We may also exclude ads on this basis. We do this so we can make sure our marketing is useful. That includes instructing platforms to show or not show By Miles adverts to existing customers.
• We also check your details against databases of people under government financial sanctions, as required by law.
• We use third party service providers to carry out checks on our behalf that in some cases are required by law, and some that help us work out if we’re able to offer you a policy, which are:
  • Experian
  • LexisNexis
  • The Claims Underwriting Exchange (CUE)
  • The Insurance Fraud Bureau
  • If relevant, we also send these third party service providers information about your policy

If we need to use your personal information for an unrelated reason, we’ll notify you to explain the legal reason why we’re doing so.

Please note that if we need to process your personal information without your knowledge or consent, we’ll only do so in line with the above rules and as we are required or permitted to do so by law.

§4.1 Your rights

Under data protection law, you have the following rights (please note that some may only apply under certain circumstances):

• The right to be given a copy of the personal data we’ve collected about you (a Subject Access Request or Data Subject Access Request). See below ‘How to get a copy of the data we have about you’.
• The right to update or change the personal data we have collected about you if it’s inaccurate or incomplete (you can also make changes within the dashboard or app that you get with the policy).
• The right to erase the personal data we’ve collected about you.
• The right to restrict processing (which is usually a temporary measure) while we verify any changes made to your data or deal with a request or issue.
• The right to object to the processing of the personal data we have collected about you, including in respect of any data processed for direct marketing purposes (see below ‘how to object to processing’).
• The right to withdraw any consents you have provided in respect of our processing of your personal data.
• The right to lodge a complaint with the ICO (www.ico.org.uk).

§4.1.1 How to complain to us or the ICO

If you have any concerns about our use of your personal information, you can make a complaint to us at data@bymiles.co.uk.

You can also complain to the ICO if you’re unhappy with how we’ve used your data. The ICO’s address is:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk

§4.1.2 How to get a copy of the data we have about you (raise a ‘Subject Access Request or SAR’)

Under Article 15 of the UK GDPR you have a ‘right of access’ as the data subject. To exercise your right to be given a copy of your data, please write to us at data@bymiles.co.uk. In most cases we’ll respond to legitimate requests within one calendar month, free of charge, but we reserve the right to (in accordance with the guidelines set out by the ICO):

• Verify your identity before carrying out any rights request
• Charge a fee in exceptional, repetitive or unreasonable circumstances
• Refuse your request if we believe it’s unreasonable, excessive or repetitive
• Extend the time, if we need more information

§4.1.3 How to amend your personal data (the GDPR ‘right to rectification’)

Under Article 16 of the UK GDPR you have the right for your personal data to be accurate. If you want to amend your personal data, you can do do so via our Sites or App, or you can contact us to help you out.

§4.1.4 How to change marketing consent (‘object to processing’)

Depending on the permission you’ve given and the marketing preferences you’ve selected, we may get in touch by mail, telephone and email.

You have the right, at any time, to ask us to stop processing your information for direct marketing purposes. If you wish to exercise this right, you should contact us by sending an email to hello@bymiles.co.uk, giving us enough information to identify you and deal with your request. Alternatively, you can follow the unsubscribe instructions in emails you receive from us.

§4.1.5 How to request your data is deleted (‘right to erasure’)

Under Article 17 of the UK GDPR, you have the right to be forgotten or withdraw your consent for it to be processed, as long as your personal data is no longer required for processing. If your personal data is retained for legal reasons then we may keep it for legal reasons. See section 8 for more detail.

§4.1.6 Links to other websites or apps

The App and the Sites may contain links to the websites or apps of our partners or third parties. Please note that if you follow any of these links, the websites, apps and services provided through them will have their own privacy notices and terms of use.

We do not accept any responsibility or liability for their respective privacy notices and terms of use, or the collection and use of any personal data collected through these websites, apps or services.

You’ll need to make sure that you read the relevant privacy notices and terms of use before providing any personal data or using those websites, apps and services.

§5 Who do we share your personal data with?

We won’t sell or share your personal data with third parties for them to use for marketing purposes. Your information is securely stored and managed within our Information Security Management System (ISMS) and according to the requirements of the ISO 27001 Information Security standard.

We may share your personal information with other companies within the Direct Line Group for the purposes mentioned in Sections three (3) and four (4) above.

As part of your policy, we may disclose your information to:

• Insurers and reinsurers, who are providing the insurance for your policy (or reinsuring it)
• Any providers of third party products that you buy through us, for example, your breakdown cover, legal cover or temporary replacement vehicle
• Comparison websites (where you’ve used their services to get a By Miles quote), in order to verify the policies bought through them
• Third parties, where you’ve used a referral link, promotional link or promotional code to get a By Miles quote, in order to verify the policies bought through them
• Service providers assisting with our business activities and product offering, such as: our telematics providers, payment services providers, telematics distribution providers, IT hosting providers, providers of IT support, providers of cloud-based software or services used by us, providers of printed documentation, accounting, compliance and law firms
• Third parties who need your personal data to investigate claims made under your insurance policy, such as claims handling services, recovery agents, car hire companies, mechanics or garages, legal representatives, individuals involved in an accident, and other insurers
• The Motor Insurance Database (MID, run by the Motor Insurers' Bureau) including to establish:
  i) whether a named driver is insured to drive a vehicle
  ii) to prevent, detect and investigate fraud or illegal activity
  iii) to get hold of relevant information in case you’re involved in an accident
  
• The Claims and Underwriting Exchange (CUE, run by the Motor Insurer’s Bureau (MIB) and used by Experian LTD), the Motor Insurance Anti-Fraud and Theft Register (MIAFTR, run by Insurance Database Services Limited), other third parties providing similar services as well as fraud prevention agencies, in order to help us verify information provided about a named driver and to prevent, detect and investigate fraud or illegal activity
• Third parties in order to validate and update your No Claims Discount (NCD) entitlement in industry databases that may be made available to other insurers
• To the FCA and/or HMRC in connection with any investigation to help prevent unlawful activity
• Credit reference agents (see Credit Checking below)
• Selected third parties if you have specifically allowed us to do so
• Connected Car data providers

We’ll only disclose your data to law enforcement agencies if required by law, a court order or our regulators, or if we need to establish, exercise or defend our legal rights, or if we suspect fraud or attempted fraud.

Your data may also be disclosed to third parties in aggregated or anonymised form (i.e. information that you can’t be personally identified with, because it’s summarised or has had any information that could be used to identify you stripped out). This may include publishing aggregated or anonymised data in industry reports, press releases and advertisements.

Data from the Miles Tracker, or a Connected Car integration that we’ve authorised you to use, may be collected by our telematics partners who will process it and then pass it on to us. These partners may also be data controllers of that data. They will process personal data in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) as part of our agreement with them.

Our telematics partners may also process the data under their legitimate interests and on an anonymised basis for general research and development purposes, including improving the Miles Tracker and analysis of driving patterns and accidents.

If our business is sold or integrated with another business, your information may be disclosed to our advisers and any prospective purchasers and their advisers, and will be passed on to the new owners of the business.

We use advertising services and social media sites to help us market our services to you, and also to find other people who share similar characteristics to the demographic profile of our users. This helps us reach other people who may be interested in, or could potentially benefit from, pay-by-mile insurance. We don’t share any information about you with social media companies that isn’t already available on these platforms.

§5.1.1 Credit checking and fraud prevention

To enable us and your insurer to make credit decisions about you and members of your household, and for fraud prevention and money laundering purposes, we may search the files of credit reference and fraud prevention agencies (who will record the search).

We may disclose information about how you use your account to such agencies, and your information may be combined with records relating to other people that you’re financially linked with who are living at the same address.

Other credit providers may use this information to make credit decisions about you and the people with whom you are financially associated, as well as for fraud prevention, tracing any debts owed to us and for purposes relating to investigating potential money laundering activities. If you provide false or inaccurate information and we suspect fraud, we will record this. We may also report our suspicions to the appropriate law enforcement and regulatory agencies.

§6 Which countries do we transfer your personal data to?

Some of the third parties we work with (such as software and service providers) that we transfer your personal data to may be located in countries outside the UK, including the US. We put steps in place to ensure the security and protection of your information, which includes the following:

• Performing risk assessments (Data Protection Impact Assessments or DPIAs) on the data being shared, the supplier’s own security measures and methods of transfer (often referred to as ‘safeguards’)
• Requiring a Data Processing Addendum (DPA) that specifies how data will be processed throughout its lifecycle and the security measures we expect to be used to protect the data

In all cases, we’ll ensure that your personal data is protected in line with the UK GDPR (that’s the UK General Data Protection Regulation).

§7 How do we keep your data secure?

We’re committed to protecting information that we collect from you, including the data collected from the Miles Tracker or your Connected Car, and to keeping that information safe and confidential. In line with this, we limit access to your personal information to employees and certain third parties (see above) who need to process it in accordance with this Notice.

We’ll use technical and organisational physical, electronic and procedural safeguards in line with good industry practice to safeguard your information collected against unauthorised or unlawful processing and against accidental loss, damage, destruction, alteration or disclosure.

§8 How long do we keep your data for?

We’ll only keep your information for as long as we need to process it, including to comply with our legal and regulatory obligations. Motor insurance contracts are subject to the normal limitation period under the Limitation Act 1980, which ensures that a claim can be made up to a maximum of six (6) years after the date of an incident.

Regulatory and legal requirements and those from our insurance partners may require us to hold data for longer. When we no longer need to hold your data, it will be deleted or anonymised so we can use it for reporting.

Information you provide us with, and transcripts of the chat session via live chat, may be kept alongside your profile so we can identify you. If you’ve asked us to help resolve a query or issue, we may need to share that data in other systems to support our teams in finding the right resolution.

We may monitor and record communications with you (such as telephone conversations, live chat and emails) to provide services, quality assurance, training, fraud prevention and compliance.

§9 Profiling and automated decision-making

We rely on automated decision-making, including profiling, to work out whether we’re able to insure you, renew your insurance policy, give personalised insurance quotes and to calculate your premium. This will be based on factors that are needed for us to work out the insurance risk, like your credit score, the vehicle you drive, your address, and the data collected from your Miles Tracker or Connected Car, as detailed in section 3.3.

This means our systems could decide (without human intervention) that you don’t meet the acceptance criteria we use to offer you an insurance policy, or to offer you a renewal.

§10 Changes to this notice

We may change this notice from time to time. You should check it regularly to make sure you’re aware of the most recent version that applies when you use our Sites, the App, Connected Car or the Miles Tracker.