Private health insurance for expats in Spain| 📞 ES +34 868 290 730 · UK +44 203 925 8884 · US +1 646 222 5288| 💬 WhatsApp| ✉️ info@247expatinsurance.com

Privacy Policy

Last updated: 24 June 2026 — Última actualización: 24 de junio de 2026

This Privacy Policy explains how personal and health data submitted through spanishhealthinsurance.es is collected, used, stored and protected, in compliance with EU GDPR, Spanish LOPDGDD and insurance-sector regulation.

1. Introduction

Spanish Health Insurance ("we", "our", "us") operates spanishhealthinsurance.es, an independent, English-language information and comparison website about private health insurance in Spain. The site does not underwrite insurance or sell policies directly. Enquiries you submit are arranged through one of the regulated insurance distributors we work with, and the regulated Spanish insurers they work with (see section 2).

This Policy explains how we collect, use, store and protect your personal data when you visit the website, request a quote, correspond with us, or otherwise interact with our services. It complies with:

  • Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR);
  • Spanish Organic Law 3/2018 on Personal Data Protection and Digital Rights (LOPDGDD);
  • Law 34/2002 on Information Society Services and Electronic Commerce (LSSICE);
  • Law 20/2015 on the Regulation, Supervision and Solvency of Insurance Undertakings (LOSSEAR) and Royal Decree-Law 3/2020 transposing the EU Insurance Distribution Directive.

2. Data controllers

Depending on the cover you enquire about, your data is arranged through one of the following regulated insurance distributors, each registered with the Dirección General de Seguros y Fondos de Pensiones (DGSFP) in the Administrative Register of Insurance and Reinsurance Distributors. The relevant distributor acts as data controller for the personal data used to arrange your cover, with the website operator acting as publisher and lead-source.

DistributorDetails
247 Expat InsuranceNeil Peter Osborne, insurance distributor · NIE Y0339267P · DGSFP register no. C0031Y0339267P · C. Alcalde Clemente García, 19, 5 — 30169 San Ginés, Murcia, Spain · info@247expatinsurance.com
Spanish Health InsuranceStephen Paul Gregory, Exclusive Insurance Agent of Sanitas S.A. de Seguros · NIE Y2155969D · DGSFP register no. C0320Y2155969D · C/ Alcalde Clemente García, 19, 5 — 30169 San Ginés, Murcia, Spain · info@spanish-healthinsurance.com

Where a quote is issued or a policy is contracted, the relevant insurer acts as an independent data controller in its capacity as insurer (see section 8). These are Caser (Caja de Seguros Reunidos, Compañía de Seguros y Reaseguros, S.A., part of the Helvetia Group) and Sanitas S.A. de Seguros (Calle Ribera del Loira 52, 28042 Madrid). Each insurer's privacy practices are described in its own privacy policy, available on its respective website.

3. Data we collect

Depending on your interaction with us, we may collect the following categories of personal data:

  • Contact information: full name, email address, phone number, postal address, country of origin.
  • Identification data: date of birth, nationality, NIE/NIF, passport number (where required to issue a policy or visa-compliance certificate).
  • Family & dependants data: names, dates of birth and relationships of any family members you wish to include on a policy.
  • Health data: medical history, pre-existing conditions, current treatments and medications, height/weight, lifestyle factors — collected only where necessary to calculate premiums, assess insurability or issue a policy. See section 4.
  • Visa & residency data: visa type (NLV, DNV, Golden, Student, etc.), intended move-date, residency status in Spain.
  • Transaction data: policy number, premium amounts, payment method, billing history.
  • Communication data: records of emails, phone calls, WhatsApp messages, contact-form submissions and chat sessions.
  • Website usage data: IP address, browser type, device information, pages viewed, referral source — collected via cookies and similar technologies.
  • Marketing preferences: consent status for newsletters, guides and commercial communications.

You guarantee that the data you provide is true, accurate, complete and up-to-date. Where you provide data about third parties (e.g. family members to be insured), you confirm you have a legal basis to do so and have informed them of this Privacy Policy.

4. Health data & sensitive categories

Why we need health data. Spanish health insurance cannot be quoted, underwritten or issued without information about each applicant's medical history. Premiums, waiting periods and acceptance decisions all depend on this information. Providing it is therefore a necessary condition for us to deliver the service you have requested.

Health data is a "special category" of personal data under Article 9 GDPR and receives enhanced protection. We process it under the following combined legal bases:

  • Art. 9(2)(a) — Your explicit consent, given when you submit a quote form, health declaration or application.
  • Art. 6(1)(b) — Pre-contractual measures and performance of a contract — to provide you with a quote and, where accepted, issue a policy.
  • Art. 9(2)(h) — Provision of health or social care / management of health systems, together with the safeguards set out in Spanish insurance and health regulation.
  • Art. 6(1)(c) — Compliance with a legal obligation under LOSSEAR, RDL 3/2020 and anti-money-laundering law.

Health data you provide is transmitted to the relevant insurer (Caser or Sanitas) for underwriting. We apply strict access controls, encryption in transit and at rest, and do not use health data for any marketing purpose.

5. How we use your data

We use your personal data for the following purposes:

  • To calculate insurance quotes and compare available products for your profile.
  • To respond to enquiries, provide product guidance and support the application process.
  • To submit applications to the relevant insurer and manage communications between you and the insurer.
  • To issue visa-compliance certificates and other documentation required for residency applications.
  • To manage policy renewals, amendments, cancellations and claim assistance.
  • To send marketing communications about insurance products and related expat services — only where you have consented.
  • To handle pre-sales enquiries and provide real-time support via our live chat widget.
  • To improve our website, content and services.
  • To comply with legal, regulatory and tax obligations, including anti-money-laundering due diligence.

6. Legal bases for processing

We rely on one or more of the following legal bases under GDPR Art. 6 (and Art. 9 for health data, as described in section 4):

PurposeLegal basis
Quote calculation and policy issuancePre-contractual measures / performance of a contract (Art. 6(1)(b)); explicit consent for health data (Art. 9(2)(a))
Enquiry handling and customer supportLegitimate interest in responding to your request (Art. 6(1)(f))
Marketing emails and newslettersConsent (Art. 6(1)(a))
Legal, tax and AML complianceLegal obligation (Art. 6(1)(c))
Website security, fraud preventionLegitimate interest (Art. 6(1)(f))
Analytics and advertising cookiesConsent (Art. 6(1)(a)) — see Cookie Policy
Live chat supportLegitimate interest in providing real-time pre-sales support (Art. 6(1)(f)); pre-contractual measures where chat relates to a pending quote (Art. 6(1)(b))

7. Sharing & disclosure of data

We share your personal data only where necessary and only with the following categories of recipients:

  • Insurance distributors — 247 Expat Insurance and Spanish Health Insurance (see section 2), as the distributors who arrange your cover.
  • InsurersCaser (part of the Helvetia Group) and Sanitas S.A. de Seguros, and other DGSFP-registered Spanish insurers, as the insurers to whom applications are submitted. Each acts as an independent data controller for data processed in connection with a quote, policy or claim.
  • Trusted service providers (processors) — including HubSpot (CRM, form submission, email marketing and live chat), website hosting (Hostinger), analytics and cloud-storage providers. All are bound by written data-processing agreements meeting Art. 28 GDPR requirements.
  • Advertising and remarketing platforms — Meta (Facebook & Instagram), TikTok and Google Ads receive data via tracking pixels and tags (such as page-visit events and quote-form completion signals) solely to measure campaign effectiveness, build custom audiences and show relevant ads. This sharing occurs only with your explicit consent and is governed by Standard Contractual Clauses. You can withdraw consent at any time via our cookie preferences panel.
  • Spanish tax authorities and other public bodies where required by law (e.g. AEAT, DGSFP, anti-money-laundering supervisors).
  • Courts, regulators and law-enforcement authorities where legally compelled.

We do not sell your personal data. Pixel-based data shared with advertising platforms is used solely for measurement and targeting as described above and does not constitute a sale of personal data.

8. Insurers as independent controllers

Once your application is submitted to an insurer, that insurer becomes an independent data controller for the data processed within its systems. Each insurer's own privacy practices, retention periods and rights-exercise procedures are governed by its own privacy policy, available on its respective website. For Sanitas, the privacy policy is published at sanitas.es/RGPD and the Data Protection Officer can be contacted at dpo@sanitas.es. For Caser (part of the Helvetia Group), the Data Protection Officer can be contacted via the channels published on caser.es.

9. International data transfers

Your data is primarily stored and processed within the European Economic Area (EEA). Where a service provider is located outside the EEA (for example, email or analytics platforms in the United States), we rely on one of the following safeguards:

  • European Commission adequacy decisions (including the EU–US Data Privacy Framework, where applicable);
  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Supplementary technical and organisational measures where required by case law.

10. Storage & retention

We retain personal data only as long as necessary for the purposes described, or as required by law:

  • Quote requests with no policy issued: up to 12 months from last interaction, unless you withdraw consent earlier.
  • Active policies: for the duration of the policy plus the statutory limitation period.
  • Tax and accounting records: 6 years (Spanish Commercial Code & General Tax Law).
  • AML/KYC records: 10 years (Law 10/2010).
  • Marketing consent records: until you withdraw consent.
  • Cookies: see the Cookie Policy for specific durations.

11. Data security

We apply appropriate technical and organisational measures to protect your data against loss, unauthorised access, alteration or disclosure. Measures include TLS encryption in transit, encrypted storage, access controls, staff training and regular review of processors' security standards. No internet-based service is entirely risk-free; we cannot guarantee absolute security but we will promptly notify you and the supervisory authority of any data breach that meets the notification thresholds in Art. 33–34 GDPR.

12. Cookies & tracking technologies

Our website uses cookies and similar technologies to ensure essential functionality, measure usage, and — where you consent — personalise content and advertising. Full details, including how to manage your preferences, are set out in our Cookie Policy.

13. Social media & public interactions

We may maintain profiles on social-media platforms including Facebook, Instagram, LinkedIn, YouTube, TikTok and Google Business Profile. Interactions on these platforms are governed by each platform's own terms and privacy practices, in addition to the following rules:

  • Content we publish on social media is for general information only and does not constitute personalised insurance advice.
  • Following, liking, commenting or messaging us through social media does not create a client relationship. A client relationship is only formed once a policy application has been submitted and accepted.
  • Information you post publicly (comments, reviews) is visible to other users and is not confidential. Do not share health details, passport numbers, NIE numbers or financial information in public comments. Use our contact form, email or phone for any sensitive discussion.
  • We moderate comments that are abusive, defamatory, misleading, unlawful, spam, or that disclose third-party personal data, and reserve the right to remove such content and block repeat offenders.
  • Direct messages are handled in accordance with this Privacy Policy.

14. Your data-protection rights

Under GDPR and LOPDGDD you have the following rights:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations.
  • Restriction — limit processing under certain conditions.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — to processing based on legitimate interests, and to direct marketing at any time.
  • Withdraw consent — at any time, without affecting the lawfulness of processing carried out beforehand.
  • Lodge a complaint — with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, www.aepd.es).

To exercise any of these rights, email the relevant data controller (see section 2) with proof of identity. We will respond within one month of receiving your request, as required by Art. 12 GDPR.

Our website may contain links to third-party websites (including insurer websites such as caser.es and sanitas.es, visa-information sites and payment gateways). We are not responsible for the privacy practices or content of those sites. We encourage you to read their privacy policies before providing any personal data.

16. Children

Our website and marketing services are not directed at children under 14. We process children's data only where a parent or legal guardian includes a minor as a dependant on a family health-insurance policy. In that case, processing is conducted on the parent's or guardian's instruction and under the legal bases described in sections 4 and 6.

17. Updates to this Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or in applicable law. The "Last updated" date at the top of this page reflects the most recent revision. Material changes affecting you will be notified by email or by a prominent notice on the website. Continued use of the website after updates constitutes acceptance of the revised policy.

18. Contact information

For questions or to exercise a data-protection right, contact the relevant data controller:

  • 247 Expat Insurance — Neil Peter Osborne (insurance distributor), C. Alcalde Clemente García, 19, 5 — 30169 San Ginés, Murcia, Spain · info@247expatinsurance.com · DGSFP register no. C0031Y0339267P
  • Spanish Health Insurance — Stephen Paul Gregory (Exclusive Agent of Sanitas), C/ Alcalde Clemente García, 19, 5 — 30169 San Ginés, Murcia, Spain · info@spanish-healthinsurance.com · DGSFP register no. C0320Y2155969D · Sanitas DPO: dpo@sanitas.es

Email the relevant controller with proof of identity and we'll respond within one month, as required by GDPR Article 12. You may also lodge a complaint with the AEPD at www.aepd.es.

Get a quoteWhatsAppCall