Privacy Addendum for mainland China

1.
Overview
If you are located in mainland China and submit personal information to Blue Insurance Limited (“we,” “us,” or “our”), this Privacy Addendum (“Addendum”) may apply to you. This Addendum forms part of our Personal Information Collection Statement (“PICS”). In the event of any conflict or inconsistency between this Addendum and the PICS, this Addendum shall prevail. Please carefully read and fully understand this Addendum, especially the clauses underlined for your special attention. You should only provide personal information to us after confirming that you fully understand and agree to this Addendum. If you do not agree to any terms in this Addendum, please immediately stop submitting personal information to us.
2.
Personal Information We Process
For the purposes outlined in the PICS (headed under “Purpose of Collection/Use of Personal Data” and “Direct Marketing”) and other legally permissible purposes:
 
2.1
Types of Personal Information
We may process the following categories of your personal information (sensitive personal information is identified below with underlining, but non-underlined personal information may also constitute or be considered sensitive personal information depending on the context):

  • Personal and contact details, such as title, name, contact information and communication records;

  • Travel document details;

  • Payment information, including but not limited to credit card and bank account details;

  • Date of birth, gender, and/or age;

  • Nationality, copies of identity documents and identity information (if relevant to the product or service);

  • Details of policyholders, joint policyholders, insured persons, beneficiaries (including minor beneficiaries), assignees, trustees, and claimants of our products or services;

  • Family member information (if relevant to the product or service);

  • Your communication records with us, such as phone calls with our customer service team. If you contact us via online services or our smartphone app, this includes data such as your mobile phone location and IP address;

  • Usage of our products and services, claims submitted, and whether such claims were paid (and related details);

  • Information about your health or medical records;

  • Residency or citizenship status;

  • Marital status, family, lifestyle, or social circumstances (if relevant to the product or service). For example, the number of dependents you have or whether you are a widow or widower.

 
We may not collect all your personal information in one go; instead, we collect it as necessary when you engage in different business activities.
 
When we receive personal information of a third party indirectly from you, you must confirm the legality of their sources and fully disclose the origins of the personal information. Additionally, you are required to have obtained all necessary consents from the data subjects for the processing activities, which include but are not limited to the use, transfer, sharing, disclosure or deletion of the personal information, and provide us with such consent upon request. If our intended processing activities exceed the scope of these consents, you are obliged to secure explicit additional consent from the data subjects before transferring the personal information to us or do so within a reasonable timeframe thereafter (unless this Addendum sets out otherwise).
 
2.2
Sensitive Personal Information
 
2.2.1 Processing of Sensitive Personal Information
 
2.2.1 We process the sensitive personal information only for specific purposes, such as assessing your application for the issuance of an insurance policy to you, investigation on any claims applications submitted to us, or when necessary to provide you with our products and services. We will obtain your separate consent before processing sensitive personal information. Sensitive personal information refers to the personal information that is likely to result in damage to the personal dignity of any natural person or damage to his or her personal or property safety once disclosed or illegally used, including such information as biometric identification, religious belief, specific identity, medical health, financial account and whereabouts and tracks, as well as the personal information of minors under the age of 14. The sensitive personal information we process is detailed in Clause 2.1. We may collect sensitive personal information of minors under 14 years old from the guardian of the child. We may not be able to provide you with the product or service you have requested or to comply with statutory or contractual requirements if we fail to process such personal information. Sensitive personal information is encrypted by us and protected through measures such as data encryption, access control, periodic audits and monitoring, data minimization, and permission settings.
 
2.3
Exceptions to Consent Requirements
 
You fully understand that we may process your personal information without obtaining your explicit consent under the following circumstances:
 

  • When it is necessary for the conclusion or performance of a contract to which you are a party, or for implementing human resource management in accordance with labor rules and regulations formulated according to the law or a collective contract signed according to the law;

  • When it is necessary to fulfil statutory duties or legal obligations;

  • When it is necessary to respond to public health emergencies, or to protect the life, health, or property safety of a natural person in an emergency;

  • When it is necessary to process personal information within a reasonable scope for public interest purposes such as news reporting or public opinion supervision;

  • When it is necessary to process personal information that you have voluntarily disclosed or that has been legally disclosed within a reasonable scope;

  • When it is directly related to national security or defense;

  • When it is directly related to public safety, public health, or significant public interests;

  • When it is directly related to criminal investigations, prosecutions, trials, or the enforcement of judgments;

  • When it is necessary to safeguard your or another individual’s life, property, or other significant legitimate rights and interests but obtaining your consent is difficult;

  • When it is necessary for ensuring the safe and stable operation of the products or services we provide, such as discovering and resolving faults in products or services;

  • Other circumstances as required by laws and administrative regulations.

3.
Sharing Your Personal Information with Third Parties
In addition to the “Classes of Transferees” stated in the PICS, we may share your personal information with third-party service providers to process it on our behalf in accordance with our instructions and applicable confidentiality and security measures, as outlined in the PICS and this Addendum. If we are unable to process personal information in this manner, we may not be able to provide the requested products or services or comply with legal or contractual obligations. The types of personal information we may share include, but are not limited to, personally identifiable information, medical information, past health records, and financial information. We may transfer your personal information electronically or by other means to the recipients listed in Exhibit 1. Before sharing your personal information with third parties, we will provide you with the recipient’s name, contact information, purpose and method of processing, and the types of personal information involved, and obtain your separate consent. We may share or publicly disclose your personal information as required by applicable laws, regulatory authorities, investigations, or advisory processes.
4.
Cross-Border Data Transfers
We may be considered an overseas recipient when processing your personal information. We will comply with relevant PRC laws and regulations, including those governing cross-border data transfers.
5.
Retention of Personal Information
 
We will retain your personal information only for as long as necessary to fulfil the purposes outlined in the PICS and this Addendum. Retention periods are determined based on one or more of the following criteria:
 

  • The duration of your relationship with us;

  • Legal obligations to which we are subject;

  • Our legal position, such as applicable statutes of limitation, litigation, audits, or regulatory investigations.

6.
Your Rights
 
6.1
Right to be informed and make decisions
You are entitled to be informed of, make decisions on, and restrict or decline our processing activities, unless otherwise specified by applicable law or administrative regulations.
 
6.2
Right to access your personal information
You have the right to access and obtain a copy of your personal information barring specific exceptions. We may reject your requests in cases involving state secrets, execution of state functions or other legally permissible grounds.
 
6.3
Right to portability
You can transfer your personal information to another personal information processor upon the satisfaction with the prescribed conditions or applicable laws.
 
6.4
Right to rectification
You can ask us to correct wrong or incomplete personal information. We will verify and update your personal information.
 
6.5
Right to be forgotten
You can request deletion of your personal information if:
 
(i) the processing purpose is achieved or no longer achievable, or is deemed unnecessary;
(ii) the service or product ends, or the retention period expires;
(iii) you revoke your consent;
(iv) we have violated applicable laws, regulations, or contractual obligations; or
(v) other legal provisions mandate the deletion.
 
If we agree to delete your personal information, we will also instruct any third parties who received your data from us to delete it, unless laws require otherwise, or they have your separate consent. Deleted information may persist in backups until the next update cycle.
 
Should deletion be impractical due to mandatory retention periods or technical constraints, we will restrict the processing of your personal information to storage only and ensure that your personal information continues to be protected and secure.
 
6.6
Right to modify or withdraw previously granted consent
You can modify or withdraw previously granted consent, although this will not impact the processing of your personal information that occurred prior to such modification or revocation. If you modify or withdraw your consent to our processing of your personal information, we may not be able to provide the relevant products and/or services to you.
 
6.7
Right of de-registration
You can cancel your previously registered account. After your account is canceled, we may have to cease to provide products or services to you and, upon your request, delete your personal information, except where otherwise required by law.
 
6.8
You also have the right to: (i) request an explanation of our processing rules; (ii) inquire about the rationale behind our automated decision-making that significantly affects you and opt-out of such decisions; and (iii) initiate legal action against us for non-compliance.
 
6.9
Response to your requests
We can require you to submit a written request or otherwise prove your identity. We aim to respond to your requests within 30 calendar days. No fee is typically charged for reasonable requests. Fees may apply for repetitive, excessive, or technically burdensome requests. We reserve the right to refuse such requests. We may not be able to fulfill your requests in certain cases, such as: our legal obligations; matters of national, defense or public security; issues concerning public health or the public interest; criminal investigations or legal proceedings; evidence of malicious intent or rights abuse by the data subject; situations where obtaining consent is difficult, yet vital interests are at stake; requests that could harm the rights of the data subject or others; and cases involving confidential trade secrets.
7.
Protecting Your Personal Information
We implement robust security measures to protect your personal information from unauthorized access, disclosure, use, modification, damage, or loss. In the event of a security incident, we will notify you as required by law through email, letter, phone calls, push notifications, or announcements. We will also report the incident to regulatory authorities as required.
8.
Updates to this Addendum
We may update this Addendum periodically and notify you of updates via email, our website, or application platforms. Previous versions of this Addendum will be archived for your reference. This Addendum is governed by the laws of mainland China; however, if certain provisions explicitly or implicitly indicate the application of another jurisdiction’s laws, such provisions shall be governed by the laws of the Hong Kong Special Administrative Region.
9.
Contact Us
If you wish to exercise any rights stipulated in this Addendum or have any questions or comments, please submit your requests, complaints, or suggestions to us through the following means:
 
Blue Insurance Limited
30/F, One Kowloon, 1 Wang Yuen Street, Kowloon Bay, Hong Kong
Attn: Data Protection Officer
Email: enquiry@blue.com.hk
This Addendum was last updated on 2 April 2025.
Previous Versions of this Addendum
 
Privacy Addendum for Mainland China (19 April 2024)