First Medical Protection Limited
WEBSITE PRIVACY POLICY
Effective date: 13 October 2025
This Privacy Policy explains how First Medical Protection Limited (“FMP“, “we“, “us“, “our“) collects, uses, shares and protects your personal data when you visit www.firstmedicalprotection.co.uk (the Website) or otherwise interact with us online or offline in relation to our products and services. It also sets out your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We maintain a separate Cookie Policy describing our use of cookies and similar technologies here.
1) Who we are and how to contact us
First Medical Protection Limited is an Appointed Representative of Bridge International Specialty Insurance Brokers Limited (authorised and regulated by the Financial Conduct Authority).
✔ FMP operates as an MGA / Lloyd’s Coverholder. Insurance is placed at Lloyd’s with the lead underwriter: Carbon and a follow market including MS Amlin, AXIS, and Tokio Marine Kiln (together, the Insurers).
✔ Claims handling is conducted directly by Clyde & Co LLP (UK law firm).
✔ Policy and underwriting management is provided through Intech3 software.
✔ Premium financing is offered through Premium Credit Limited.
Controller: For the Website and for marketing, prospect, client onboarding and policy administration activities described in this notice, FMP acts as a data controller. In parts of the insurance lifecycle (e.g., underwriting, policy issuance, claims) the Insurers and Bridge International Specialty Insurance Brokers may act as separate and independent controllers of your data. Clyde & Co, Intech3, and Premium Credit each act as independent controllers for the services they provide.
Contact details
Registered office: 70 Mark Lane, London, EC3R 7NQ
Company number: 16393819
ICO registration no.: ZB908283
Email (privacy): [email protected]
Postal: Data Protection, First Medical Protection Limited, [70 Mark Lane, London, EC3R 7NQ
You can also raise concerns with the UK Information Commissioner’s Office (ICO); see section 13.
2) Scope of this notice
This notice applies to:
✔ visitors to our Website;
✔ prospective and existing customers and their authorised representatives;
✔ individuals associated with a proposal, policy or claim (e.g., private practice clinicians, practice staff, complainants, witnesses); and
✔ suppliers, partners and other professional contacts.
It does not cover our use of cookies and similar technologies (see our separate Cookie Policy) or the privacy notices of Insurers, legal advisers or other third parties who may process your data in their own right.
3) Personal data we collect
a) Data you provide to us
» Identification and contact details (e.g., name, title, address, email, phone).
» Professional information (e.g., speciality, GMC/GDC number, practising history, indemnity history, practice locations, employers).
» Proposal and risk details (e.g., procedures undertaken, case volumes, prior claims, complaints or incidents).
» Payment and billing information.
» Communications and preferences (e.g., enquiries, support requests, marketing consents).
b) Data we collect automatically (Website)
✔ Device and usage data (IP address, device identifiers, browser type/version, time zone, pages viewed, referral URLs).
✔ Interaction data from pixels/tags used for analytics and advertising (see section 9 and Cookie Policy).
c) Data we receive from third parties
✔ Insurance market participants (brokers, underwriters, coverholders).
✔ Claims handlers, adjusters and legal advisers (including Clyde & Co LLP).
✔ Intech3 for policy and underwriting management.
✔ Premium Credit Limited for premium financing.
✔ Professional bodies and regulators (where lawful).
✔ Screening, sanctions and fraud-prevention databases.
✔ Public sources (e.g., Companies House, professional registers).
d) Special category and criminal offence data (where necessary)
We may process health data and information relating to alleged or actual criminal offences (e.g., clinical incident details, regulatory findings) only where necessary for insurance purposes, legal claims or substantial public interest, and subject to appropriate safeguards.
4) Purposes and lawful bases
We only use your personal data where we have a lawful basis under UK GDPR. The main purposes and bases are:
| Purpose | Examples | Lawful basis |
|---|---|---|
| Precontract and onboarding | assessing proposals; sanctions/fraud checks; setting up accounts | Contract; legal obligation; legitimate interests (preventing fraud; ensuring appropriate cover) |
| Underwriting & policy administration | obtaining quotes; presenting to Insurers; issuing/servicing policies; premium collection | Contract; legitimate interests; legal obligation |
| Claims, incidents & complaints | notifying Insurers; instructing Clyde & Co; defending or pursuing claims | Contract; legal claims; substantial public interest; legitimate interests |
| Regulatory & compliance | FCA/Lloyd’s requirements; record keeping; audits | Legal obligation; public interest |
| Marketing & business development | newsletters, events, product updates, surveys | Legitimate interests (B2B direct marketing); consent where required under PECR |
| Marketing & business development | newsletters, events, product updates, surveys | Legitimate interests (B2B direct marketing); consent where required under PECR |
| Analytics & site security | usage analytics; troubleshooting; preventing misuse | Legitimate interests (service improvement, security) |
| Profiling for insurance purposes | risk and pricing models, antifraud checks | Legitimate interests; substantial public interest; legal claims |
Where we rely on consent (e.g., certain email marketing or cookies), you can withdraw it at any time.
5) Automated decision making
We may use automated tools during quoting and risk assessment in line with criteria set by Insurers. You have the right to request human review, to express your point of view and to contest the decision where legally required.
6) Who we share your data with
Depending on the context, we may share data with:
» Bridge Specialty International Limited (our principal and placing broker).
» Insurers at Lloyd’s of London (including Carbon as lead underwriter and MS Amlin, AXIS and Tokio Marine Kiln as following markets) and their reinsurers.
» Clyde & Co LLP and other legal advisers, adjusters and claims administrators.
» Intech3 for policy and underwriting management.
» Premium Credit Limited for premium financing and credit assessment.
Screening/fraud prevention, sanctions and credit reference agencies.
» Regulators, dispute resolution and law enforcement authorities (where required).
» Service providers/IT vendors, including:
‣ Pipedrive (CRM),
‣ Mailchimp (email marketing/list management),
‣ Outfunnel (marketing automation bridge), and
hosting, security, analytics and communications providers.
Professional advisers (auditors, accountants), and prospective buyers in the event of a business reorganisation.
Each party will act as controller or processor depending on their role. We require processors to provide appropriate contractual safeguards.
7) International transfers
Some recipients and service providers are located outside the UK/EEA (e.g., Mailchimp, LinkedIn, Google). Where we transfer personal data internationally, we implement appropriate UK GDPR safeguards, such as UK Addendum / EU SCCs, adequacy regulations or other lawful transfer mechanisms, together with technical and organisational measures.
8) How long we keep your data
We retain personal data only as long as necessary for the purposes set out in this notice, including to meet legal, accounting or reporting requirements. Typical periods are:
⦿ Prospects and website enquiries: up to 3 years from last contact.
⦿ Policy, underwriting and claims records: generally 7 years from policy end or claim closure; longer where claims may arise after expiry (e.g., for professional indemnity), regulatory requirements apply, or litigation is ongoing.
⦿ Marketing records: until you unsubscribe or object, plus a short period to maintain suppression lists.
9) Marketing, analytics and retargeting
We carry out digital marketing using LinkedIn retargeting, LinkedIn Ads, Google Search/Display Ads, Google retargeting and associated analytics/measurement tools. These use cookies, tags and similar technologies to:
✔ measure the effectiveness of our campaigns;
✔ build audience segments and deliver more relevant ads; and
✔ prevent ad fraud and improve our services.
You can control marketing communications at any time by unsubscribing in our emails or contacting us. Controls for online behavioural advertising are also available via your browser and platform adsettings. For details, see our Cookie Policy.
10) Security
We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit where appropriate, secure configuration and staff training. We assess vendors for security and privacy compliance commensurate with risk.
11) Your rights
You have rights under UK data protection law, including to:
✔ access your data and obtain a copy;
✔ rectify inaccurate or incomplete data;
✔ erase data (in certain circumstances);
✔ restrict processing (in certain circumstances);
✔ object to processing based on legitimate interests, including direct marketing;
✔ data portability (for data you provided to us); and
✔ not be subject to decisions based solely on automated processing which have legal or similarly significant effects, in certain cases.
To exercise your rights, contact us using the details in section 1. We may need to verify your identity and, where permitted, may refuse requests that are manifestly unfounded or excessive.
12) Children
Our services are intended for professional adult users and are not directed to children. We do not knowingly collect personal data from children.
13) Complaints
Information Commissioner’s Office Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113 | www.ico.org.uk
14) Changes to this policy
We may update this Privacy Policy from time to time. The updated version will be posted on the Website with a new effective date.
15) Third party privacy notices
You may also need to review privacy notices of our partners who may process your data as controllers:
✲ Bridge Specialty International Limited (placing/market access);
✲ Insurers at Lloyd’s of London (including Carbon as lead and MS Amlin, AXIS, Tokio Marine Kiln as following markets);
✲ Clyde & Co LLP (claims/legal services);
✲ Intech3 (policy and underwriting management);
✲ Premium Credit Limited (premium financing);
✲ Pipedrive, Mailchimp, Outfunnel and other vendors used to provide our services.
Summary of key points (non exhaustive)
✔ We act as controller for Website, marketing and much of client onboarding; Insurers, the broker, software and claims partners may act as separate controllers.
✔ We collect data you give us, data we receive from insurance market participants and data generated by your use of our Website.
✔ We use data for quoting, underwriting, policy administration, claims, compliance, analytics and marketing (with appropriate legal bases).
✔ We share data with Insurers, our principal broker, claims handlers, service providers and regulators, including Intech3 and Premium Credit.
✔ Some transfers go outside the UK/EEA with appropriate safeguards.
✔ You have rights to access, correct, delete, restrict and object to certain uses.
If you need this notice in another format, please contact us.