Back to home

Buji Privacy Notice

Last updated: 30 June 2026

Company: Buji Technologies Limited

Company number: 16323036

Registered office: 85 Great Portland Street, First Floor, London, W1W 7LT

Email: support@buji.health

Telephone: +44 7424 842825

1. Who we are

Buji Technologies Limited provides a managed booking, coordination and support service for people considering or receiving elective medical treatment abroad.

Our company details are:

Buji Technologies Limited
Company number: 16323036
Registered office: 85 Great Portland Street, First Floor, London, W1W 7LT
Email: support@buji.health
Telephone: +44 7424 842825

In this Privacy Notice, Buji, we, us and our refer to Buji Technologies Limited.

For the personal information described in this Notice, Buji will usually act as the data controller. This means we decide why and how that information is used.

Clinics, healthcare professionals, insurers, insurance intermediaries, payment providers and other organisations may act as separate controllers for information they receive and use for their own professional, legal or regulatory purposes. Their own privacy notices may also apply.

2. What this Notice covers

This Privacy Notice explains how we collect and use personal information when you:

  • visit the Buji website;
  • use our applications or online services;
  • complete an assessment;
  • upload photographs or medical information;
  • communicate with the Buji Care Team;
  • receive a proposed treatment plan;
  • make or manage a booking;
  • travel for treatment;
  • receive aftercare;
  • access BujiCover;
  • raise a concern under the Buji Outcomes Guarantee;
  • contact us for support;
  • respond to marketing;
  • interact with our advertisements or social-media pages.

It also explains your rights and how to contact us.

3. Information we collect

The information we collect depends on how you interact with Buji.

3.1 Identity and contact information

This may include:

  • full name;
  • date of birth;
  • age;
  • address;
  • country of residence;
  • email address;
  • telephone number;
  • account username or identifier;
  • emergency-contact details;
  • passport or identity-document information where required.

3.2 Assessment and health information

This may include:

  • medical history;
  • current and previous health conditions;
  • medication and supplements;
  • allergies;
  • previous procedures;
  • hair-loss history;
  • treatment objectives;
  • smoking, alcohol and lifestyle information;
  • suitability-questionnaire responses;
  • clinical notes or recommendations supplied by a healthcare professional;
  • photographs and videos of your hair, scalp, donor area, treatment area or recovery;
  • treatment records;
  • aftercare information;
  • symptoms, concerns or complications;
  • information used to administer the Outcomes Guarantee or support an insurance process.

Health information and some photographs are special category personal data and receive additional legal protection.

3.3 Booking and treatment information

This may include:

  • assessment status;
  • proposed and confirmed treatment;
  • Clinic and surgeon details;
  • Procedure Date;
  • proposed graft numbers or treatment technique;
  • booking reference;
  • treatment plan;
  • consent and preparation status;
  • travel dates;
  • hotel and transfer information;
  • aftercare schedule;
  • BujiCover eligibility;
  • Outcomes Guarantee information;
  • communications relating to your treatment and recovery.

3.4 Payment and transaction information

This may include:

  • payment status;
  • transaction reference;
  • amount paid;
  • deposit and balance information;
  • refund or cancellation information;
  • billing address;
  • payment-provider results;
  • fraud-screening indicators.

Card details are normally collected and processed directly by Stripe or another payment provider. Buji does not ordinarily receive or store your full card number or security code.

3.5 Insurance and guarantee information

Full Outcomes Guarantee terms are published at /outcomes-guarantee. This section describes the information we may process in connection with BujiCover and the guarantee:

  • eligibility information;
  • insured travel dates;
  • policy or beneficiary reference;
  • insurance documents provided to you;
  • communications relating to an insurance claim;
  • information supplied when you raise a concern;
  • clinical evidence;
  • guarantee review records;
  • decisions and approved remedies;
  • complaint and dispute records.

3.6 Communications

This may include:

  • emails;
  • telephone-call information;
  • WhatsApp and messaging communications;
  • chat history;
  • customer-support messages;
  • complaints;
  • survey responses;
  • call recordings, where recording is used and you have been appropriately informed.

3.7 Website, device and usage information

This may include:

  • IP address;
  • device type;
  • operating system;
  • browser;
  • approximate location derived from IP address;
  • pages viewed;
  • buttons clicked;
  • referral source;
  • session information;
  • cookie identifiers;
  • advertising identifiers;
  • error logs;
  • crash reports;
  • security and fraud signals.

3.8 Marketing and advertising information

This may include:

  • marketing preferences;
  • consent records;
  • advertisements viewed or clicked;
  • campaign source;
  • interactions with Google, Meta, TikTok or other advertising platforms;
  • audience and conversion-event information;
  • whether you started or completed an assessment.

We do not intentionally send medical questionnaire answers, detailed health information or clinical photographs to advertising platforms for advertising purposes.

4. How we obtain your information

We collect information:

  • directly from you;
  • from someone acting with your authority;
  • through the Buji website, application, forms and assessment journey;
  • through communications with the Buji Care Team;
  • from Clinics and healthcare professionals;
  • from insurers and authorised insurance intermediaries;
  • from payment and fraud-prevention providers;
  • from hotels, transfer providers and other Delivery Partners;
  • from analytics, cookie and advertising technologies where permitted;
  • from publicly available sources where appropriate;
  • from professional advisers, regulators or law-enforcement bodies where lawful.

Where another person provides information about you, they should have authority to do so.

5. Why we use your information

We use personal information for the purposes below.

5.1 Assessments and treatment enquiries

We use information to:

  • create and manage your assessment;
  • understand your treatment objectives;
  • collect the information needed for a preliminary review;
  • share relevant information with an appropriate Clinic or healthcare professional;
  • communicate a proposed treatment pathway;
  • decide whether Buji can offer a plan.

Our usual Article 6 basis is that the processing is necessary to take steps at your request before entering into a contract.

For health information, we usually rely on your explicit consent and, where applicable, another appropriate Article 9 condition described in section 6.

5.2 Booking and delivering your Buji Plan

We use information to:

  • prepare your Booking Confirmation;
  • reserve treatment capacity;
  • coordinate the Clinic and Clinical Team;
  • arrange accommodation and transfers;
  • process payments;
  • send documents and operational information;
  • manage changes, cancellations and refunds;
  • provide customer support;
  • coordinate aftercare.

Our usual Article 6 basis is that the processing is necessary to perform our contract with you or take steps at your request before entering into that contract.

5.3 Clinical coordination

We use information to:

  • pass relevant information to the Clinic or Clinical Team;
  • support clinical suitability review;
  • coordinate treatment planning;
  • communicate clinical instructions supplied by the Clinic;
  • support continuity between treatment and aftercare;
  • assist with non-emergency concerns.

Buji does not make the final clinical decision. Clinics and healthcare professionals process information under their own professional obligations and privacy arrangements.

5.4 BujiCover

We use information to:

  • determine whether a booking is eligible for BujiCover;
  • provide the required insurance information;
  • facilitate access to medical travel insurance;
  • support permitted insurance administration;
  • administer the Outcomes Guarantee;
  • review concerns;
  • obtain relevant clinical evidence;
  • decide whether the Outcomes Guarantee applies;
  • arrange an approved remedy;
  • manage complaints, disputes and legal claims.

Depending on the activity, our Article 6 basis may be performance of a contract, legal obligation or legitimate interests.

Additional Article 9 conditions are described in section 6.

5.5 Payments, accounting and fraud prevention

We use information to:

  • collect and reconcile payments;
  • issue receipts and refunds;
  • prevent fraudulent transactions;
  • maintain financial records;
  • meet accounting and tax requirements;
  • protect Buji, customers and Delivery Partners.

Our bases may include performance of a contract, compliance with legal obligations and our legitimate interests in preventing fraud and operating a secure business.

5.6 Customer service and communications

We use information to:

  • respond to enquiries;
  • provide service messages;
  • send booking and travel information;
  • answer questions;
  • manage complaints;
  • keep records of important communications;
  • improve service quality.

Our bases may include performance of a contract and our legitimate interests in providing effective customer service and maintaining appropriate records.

5.7 Safety, security and legal compliance

We use information to:

  • protect accounts and systems;
  • investigate misuse;
  • detect fraud and security incidents;
  • establish, exercise or defend legal claims;
  • comply with court orders and legal duties;
  • respond to regulators and lawful authority requests;
  • protect the vital interests of an individual where applicable.

Our bases may include legal obligation, legitimate interests, legal claims and, in limited emergencies, vital interests.

5.8 Service improvement and analytics

We use information to:

  • understand how the website and assessment journey perform;
  • identify technical problems;
  • improve usability;
  • assess conversion and campaign performance;
  • develop products and services;
  • produce aggregated business reporting.

Where non-essential cookies or similar technologies are involved, we rely on consent.

For other limited service analytics, we may rely on legitimate interests where this is lawful and your rights do not override those interests.

5.9 Marketing

Where permitted, we may send information about:

  • Buji services;
  • treatments;
  • guides and educational content;
  • offers;
  • assessment reminders;
  • relevant product updates.

We may contact you by email, SMS, WhatsApp, telephone or other channels.

We will rely on consent where required. In limited cases, we may rely on the electronic-mail “soft opt-in” for similar services offered to existing customers, where legally available and where an opt-out was offered when the information was collected.

You can opt out at any time by:

  • using the unsubscribe link;
  • replying STOP where available;
  • changing your preferences;
  • contacting support@buji.health.

Opting out of marketing will not stop essential booking, treatment, safety or service communications.

6. How we process health and other special category information

Health information is special category personal data.

We only process special category information where we have:

  1. an Article 6 lawful basis; and
  2. a separate condition under Article 9 of the UK GDPR.

Depending on the purpose, we may rely on:

6.1 Explicit consent

We may ask for your explicit consent to:

  • collect health information and clinical photographs through the assessment;
  • share this information with selected Clinics and healthcare professionals;
  • use it to coordinate treatment, aftercare and BujiCover;
  • obtain relevant information when reviewing a concern.

Where we rely on consent, you may withdraw it at any time.

Withdrawal does not make earlier processing unlawful. It may mean we cannot continue an assessment, booking, guarantee review or other service that requires the information.

6.2 Health or social care

Where processing is carried out by, or under the responsibility of, a healthcare professional subject to a duty of confidentiality, the health or social care condition may apply.

The relevant Clinic or healthcare professional will usually be responsible for identifying its own lawful bases and Article 9 conditions.

6.3 Insurance purposes

Where permitted by the Data Protection Act 2018, special category information may be processed where necessary for insurance purposes and where the applicable statutory requirements are met.

This may apply to relevant insurers, intermediaries or other authorised parties involved in the medical travel insurance arrangement.

6.4 Legal claims

We may process relevant health information where necessary to establish, exercise or defend legal claims.

This may include complaints, contractual disputes, guarantee decisions, suspected fraud or litigation.

6.5 Vital interests

In a genuine emergency, relevant information may be used or shared where necessary to protect someone's life or physical safety and the person is incapable of giving consent.

We do not use health information for unrelated advertising or sell it to advertising companies.

7. When providing information is required

Some information is optional.

However, we may be unable to provide an assessment, confirm a booking or deliver part of the service unless you provide information reasonably required for:

  • identity verification;
  • clinical review;
  • payment;
  • travel coordination;
  • insurance eligibility;
  • Outcomes Guarantee administration;
  • legal or regulatory compliance.

We will explain where information is required and, where practical, what happens if it is not provided.

8. Who we share information with

We only share information where reasonably necessary and lawful.

8.1 Clinics and healthcare professionals

We may share assessment information, photographs, medical information, identity details, treatment information and communications with:

  • the proposed Clinic;
  • the operating surgeon;
  • relevant Clinical Team members;
  • independent clinicians involved in assessment, review or aftercare;
  • approved UK clinicians involved in an Outcomes Guarantee remedy.

Clinics and healthcare professionals generally act as independent controllers for their clinical records and professional responsibilities.

8.2 Insurers and insurance intermediaries

Where relevant, we may share information with:

  • the medical travel insurer;
  • an authorised insurance intermediary or principal;
  • claims or assistance providers;
  • medical-assistance organisations;
  • insurance administrators.

They may act as independent controllers and will process information under their own privacy notices and regulatory obligations.

8.3 Accommodation and transfer providers

We may share limited information such as:

  • name;
  • contact details;
  • travel dates;
  • arrival details;
  • booking reference;
  • reasonable accessibility requirements.

We do not share detailed health information with travel suppliers unless necessary, lawful and proportionate.

8.4 Payment and finance providers

We may share information with:

  • Stripe;
  • banks;
  • payment processors;
  • fraud-screening providers;
  • chargeback and dispute-management providers;
  • finance providers where you choose a finance option.

These providers may act as independent controllers for their own regulatory, fraud and payment-processing activities.

8.5 Technology and operational suppliers

We may use providers for:

  • website and cloud hosting;
  • databases;
  • authentication;
  • file storage;
  • email and SMS;
  • WhatsApp and messaging;
  • customer support;
  • document signing;
  • analytics;
  • error and crash monitoring;
  • cybersecurity;
  • workflow automation;
  • data backup.

These suppliers normally act as processors under written contracts.

8.6 Analytics and advertising providers

Where you consent, information may be shared with or collected by providers such as:

  • Google;
  • Meta;
  • TikTok;
  • analytics platforms;
  • consent-management platforms;
  • advertising measurement providers.

The exact technologies in use are described through our cookie banner or tool.

Some advertising providers may act as independent or joint controllers for parts of their processing.

8.7 Professional advisers and authorities

We may share information with:

  • lawyers;
  • accountants;
  • auditors;
  • insurance advisers;
  • regulators;
  • courts;
  • law-enforcement bodies;
  • tax authorities;
  • government authorities.

We will do so where necessary, lawful and proportionate.

8.8 Business transactions

If Buji is involved in an investment, financing, restructuring, sale, merger or acquisition, relevant information may be disclosed to professional advisers and potential transaction parties under appropriate confidentiality arrangements.

9. International transfers

Buji is based in the United Kingdom, but some Clinics, healthcare professionals and suppliers are located overseas.

In particular, treatment-related information may be transferred to Turkey where your proposed or confirmed Clinic is located.

Other technology or service providers may process information in the European Economic Area, the United States or other countries.

When personal information is transferred outside the United Kingdom, we use an appropriate transfer mechanism where required, such as:

  • UK adequacy regulations;
  • the UK International Data Transfer Agreement;
  • the UK Addendum to the European Commission Standard Contractual Clauses;
  • another legally permitted safeguard;
  • a limited statutory exception where appropriate.

Where required, we assess the legal and practical risks of the transfer and implement supplementary safeguards.

These may include:

  • contractual controls;
  • access restrictions;
  • encryption;
  • data minimisation;
  • secure transfer systems;
  • supplier due diligence.

You may contact us for more information about the safeguards used for a particular transfer.

10. Cookies and similar technologies

We use cookies, pixels, local storage and similar technologies.

10.1 Essential technologies

These are used to:

  • operate the website;
  • maintain security;
  • remember privacy choices;
  • enable account and assessment functions;
  • prevent fraud;
  • balance traffic.

They may operate without consent where they are strictly necessary.

10.2 Analytics technologies

These help us understand:

  • visitor numbers;
  • page use;
  • assessment performance;
  • errors;
  • general website effectiveness.

We use non-essential analytics technologies only after obtaining the required consent.

10.3 Advertising technologies

Where you consent, advertising technologies may be used to:

  • measure advertisement performance;
  • attribute visits and conversions;
  • limit repetitive advertising;
  • build or use advertising audiences;
  • show more relevant advertisements.

You can accept, reject or change non-essential cookie choices through .

Rejecting non-essential technologies will not prevent you from using the core Buji service.

11. Automated decision-making and profiling

We may use limited automated tools to:

  • detect fraud or unusual activity;
  • prioritise enquiries;
  • measure campaign performance;
  • personalise website content;
  • support administrative workflows.

We do not intend to make a solely automated decision that produces legal or similarly significant effects concerning your clinical suitability or entitlement to treatment.

Final clinical suitability decisions are made by appropriately qualified healthcare professionals.

Material Outcomes Guarantee decisions will not be based solely on automated processing.

If this changes, we will provide the legally required information about the logic, significance and possible consequences of the processing.

12. How long we retain information

We retain personal information only for as long as reasonably necessary for the purpose for which it was collected, including legal, tax, insurance, complaint and dispute requirements.

Our current general retention approach is:

General enquiries with no assessment or booking

Normally up to 12 months after the last meaningful contact.

Incomplete assessments with no booking

Normally up to 18 months after the last activity, unless you ask us to delete the information sooner and no lawful reason requires retention.

Assessment and booking records

Normally up to seven years after the booking is completed, cancelled or otherwise closed.

Health information, treatment photographs and aftercare records held by Buji

Normally up to seven years after the treatment pathway is completed or closed, unless a longer or shorter period is appropriate because of legal claims, clinical requirements or the nature of the record.

Clinics and healthcare professionals may retain their own clinical records for different periods under their professional and legal obligations.

Outcomes Guarantee and complaint records

Normally up to seven years after the concern or complaint is finally closed.

Insurance records

Retained for the period required by the relevant insurer, intermediary, regulatory requirement or legal limitation period.

Payment and accounting records

Normally six years after the end of the relevant financial year, or longer where required by law.

Passport and travel-document copies

Deleted when no longer required for the travel or booking purpose, normally within 90 days after the relevant trip, unless retention is necessary for a complaint, dispute, legal obligation or security reason.

Marketing records

Kept until you withdraw consent or object. We may retain a minimal suppression record after opt-out so that we can respect your preference.

Cookie and analytics information

Retained for the periods shown in Cookie Settings or the relevant provider information.

At the end of a retention period, information is deleted, anonymised or securely archived where continued retention is lawfully required.

13. Security

We use proportionate technical and organisational measures designed to protect personal information.

These may include:

  • encryption in transit;
  • encryption at rest where appropriate;
  • access controls;
  • role-based permissions;
  • multifactor authentication;
  • logging and monitoring;
  • secure cloud infrastructure;
  • backup and recovery controls;
  • supplier due diligence;
  • staff confidentiality requirements;
  • incident-response procedures;
  • vulnerability management;
  • secure development practices.

No online system can be guaranteed completely secure.

You should use a strong password, keep account information confidential and tell us promptly if you suspect unauthorised access.

14. Data breaches

Where a personal data breach occurs, we will:

  • investigate it;
  • take reasonable steps to contain and address it;
  • assess the risk to affected people;
  • notify the Information Commissioner's Office where legally required;
  • notify affected individuals where the law requires us to do so.

15. Your data-protection rights

Depending on the circumstances, you may have the right to:

Access

Ask for confirmation that we process your information and receive a copy of it.

Correction

Ask us to correct inaccurate or incomplete information.

Erasure

Ask us to delete information in certain circumstances.

This right is not absolute. We may retain information where necessary for legal obligations, legal claims, insurance, guarantee administration, complaints, fraud prevention or other lawful purposes.

Restriction

Ask us to restrict how information is used in certain circumstances.

Objection

Object to processing based on legitimate interests.

You have an absolute right to object to direct marketing.

Portability

Receive certain information you provided in a structured, commonly used and machine-readable format where the legal conditions apply.

Withdraw consent

Withdraw consent at any time where we rely on consent.

Withdrawal does not affect processing already carried out before withdrawal.

Automated decision-making

Ask for appropriate safeguards where a qualifying solely automated decision is used.

Complain

Raise a concern with Buji or complain to the Information Commissioner's Office.

To exercise a right, email: support@buji.health

We may need to verify your identity before responding.

We normally respond within one month. The period may be extended where a request is complex or numerous, in which case we will tell you.

There is normally no fee, although a reasonable fee may be charged or a request refused where it is manifestly unfounded or excessive, as permitted by law.

16. Marketing preferences

You can change your marketing choices at any time.

You may:

  • use an unsubscribe link;
  • reply STOP to an eligible message;
  • change Cookie Settings;
  • contact support@buji.health.

We may retain limited information on a suppression list to make sure we do not send marketing after you opt out.

Service messages relating to an assessment, booking, payment, treatment, aftercare, safety, insurance or guarantee are not marketing and may still be sent where necessary.

17. Photographs, testimonials and marketing content

Photographs supplied for assessment, treatment planning, aftercare or an Outcomes Guarantee review will not automatically be used in advertising.

We will obtain separate, specific permission before using identifiable:

  • before-and-after photographs;
  • treatment images;
  • videos;
  • testimonials;
  • personal stories

for public marketing.

Refusing marketing permission will not affect your assessment, booking, treatment, aftercare or guarantee rights.

Where marketing permission is withdrawn, we will stop new uses where reasonably possible. Material already printed, published or distributed may not always be capable of immediate recall, but future use will cease in accordance with the consent terms and applicable law.

18. Children

Buji services are intended only for people aged 18 or over.

We do not knowingly accept treatment assessments or bookings from children.

If we learn that we have collected a child's information in error, we will investigate and delete or restrict it as appropriate.

19. Links and third-party services

The Buji website may link to third-party websites, documents or services.

Those organisations control their own privacy practices.

You should review their privacy information before providing personal information directly to them.

20. Changes to this Privacy Notice

We may update this Notice where:

  • our services change;
  • our suppliers change;
  • the law changes;
  • our data practices change;
  • new products or features are introduced.

The updated version will be published with a revised date.

Where a change is material, we may also notify you by email, within your account or through another appropriate channel.

We will not use personal information for a materially incompatible new purpose without providing appropriate information and identifying a lawful basis.

21. Contacting us

For privacy enquiries or requests, contact:

Buji Technologies Limited
85 Great Portland Street
First Floor
London
W1W 7LT

Email: support@buji.health

Telephone: +44 7424 842825

Our privacy contact is responsible for coordinating data-protection enquiries.

Buji does not currently represent that it has appointed a statutory Data Protection Officer unless and until such an appointment is formally made.

22. Complaints to the Information Commissioner

We would prefer the opportunity to address your concern first.

You may also complain to the UK Information Commissioner's Office.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Telephone: 0303 123 1113

You can find current contact and complaint information on the Information Commissioner's Office website.