Last updated: 30 June 2026
Company: Buji Technologies Limited
Company number: 16323036
Registered office: 85 Great Portland Street, First Floor, London, W1W 7LT
Email: support@buji.health
Telephone: +44 7424 842825
Buji Technologies Limited provides a managed booking, coordination and support service for people considering or receiving elective medical treatment abroad.
Our company details are:
Buji Technologies Limited
Company number: 16323036
Registered office: 85 Great Portland Street, First Floor, London, W1W 7LT
Email: support@buji.health
Telephone: +44 7424 842825
In this Privacy Notice, Buji, we, us and our refer to Buji Technologies Limited.
For the personal information described in this Notice, Buji will usually act as the data controller. This means we decide why and how that information is used.
Clinics, healthcare professionals, insurers, insurance intermediaries, payment providers and other organisations may act as separate controllers for information they receive and use for their own professional, legal or regulatory purposes. Their own privacy notices may also apply.
This Privacy Notice explains how we collect and use personal information when you:
It also explains your rights and how to contact us.
The information we collect depends on how you interact with Buji.
This may include:
This may include:
Health information and some photographs are special category personal data and receive additional legal protection.
This may include:
This may include:
Card details are normally collected and processed directly by Stripe or another payment provider. Buji does not ordinarily receive or store your full card number or security code.
Full Outcomes Guarantee terms are published at /outcomes-guarantee. This section describes the information we may process in connection with BujiCover and the guarantee:
This may include:
This may include:
This may include:
We do not intentionally send medical questionnaire answers, detailed health information or clinical photographs to advertising platforms for advertising purposes.
We collect information:
Where another person provides information about you, they should have authority to do so.
We use personal information for the purposes below.
We use information to:
Our usual Article 6 basis is that the processing is necessary to take steps at your request before entering into a contract.
For health information, we usually rely on your explicit consent and, where applicable, another appropriate Article 9 condition described in section 6.
We use information to:
Our usual Article 6 basis is that the processing is necessary to perform our contract with you or take steps at your request before entering into that contract.
We use information to:
Buji does not make the final clinical decision. Clinics and healthcare professionals process information under their own professional obligations and privacy arrangements.
We use information to:
Depending on the activity, our Article 6 basis may be performance of a contract, legal obligation or legitimate interests.
Additional Article 9 conditions are described in section 6.
We use information to:
Our bases may include performance of a contract, compliance with legal obligations and our legitimate interests in preventing fraud and operating a secure business.
We use information to:
Our bases may include performance of a contract and our legitimate interests in providing effective customer service and maintaining appropriate records.
We use information to:
Our bases may include legal obligation, legitimate interests, legal claims and, in limited emergencies, vital interests.
We use information to:
Where non-essential cookies or similar technologies are involved, we rely on consent.
For other limited service analytics, we may rely on legitimate interests where this is lawful and your rights do not override those interests.
Where permitted, we may send information about:
We may contact you by email, SMS, WhatsApp, telephone or other channels.
We will rely on consent where required. In limited cases, we may rely on the electronic-mail “soft opt-in” for similar services offered to existing customers, where legally available and where an opt-out was offered when the information was collected.
You can opt out at any time by:
Opting out of marketing will not stop essential booking, treatment, safety or service communications.
Health information is special category personal data.
We only process special category information where we have:
Depending on the purpose, we may rely on:
We may ask for your explicit consent to:
Where we rely on consent, you may withdraw it at any time.
Withdrawal does not make earlier processing unlawful. It may mean we cannot continue an assessment, booking, guarantee review or other service that requires the information.
Where processing is carried out by, or under the responsibility of, a healthcare professional subject to a duty of confidentiality, the health or social care condition may apply.
The relevant Clinic or healthcare professional will usually be responsible for identifying its own lawful bases and Article 9 conditions.
Where permitted by the Data Protection Act 2018, special category information may be processed where necessary for insurance purposes and where the applicable statutory requirements are met.
This may apply to relevant insurers, intermediaries or other authorised parties involved in the medical travel insurance arrangement.
We may process relevant health information where necessary to establish, exercise or defend legal claims.
This may include complaints, contractual disputes, guarantee decisions, suspected fraud or litigation.
In a genuine emergency, relevant information may be used or shared where necessary to protect someone's life or physical safety and the person is incapable of giving consent.
We do not use health information for unrelated advertising or sell it to advertising companies.
Some information is optional.
However, we may be unable to provide an assessment, confirm a booking or deliver part of the service unless you provide information reasonably required for:
We will explain where information is required and, where practical, what happens if it is not provided.
We only share information where reasonably necessary and lawful.
We may share assessment information, photographs, medical information, identity details, treatment information and communications with:
Clinics and healthcare professionals generally act as independent controllers for their clinical records and professional responsibilities.
Where relevant, we may share information with:
They may act as independent controllers and will process information under their own privacy notices and regulatory obligations.
We may share limited information such as:
We do not share detailed health information with travel suppliers unless necessary, lawful and proportionate.
We may share information with:
These providers may act as independent controllers for their own regulatory, fraud and payment-processing activities.
We may use providers for:
These suppliers normally act as processors under written contracts.
Where you consent, information may be shared with or collected by providers such as:
The exact technologies in use are described through our cookie banner or tool.
Some advertising providers may act as independent or joint controllers for parts of their processing.
We may share information with:
We will do so where necessary, lawful and proportionate.
If Buji is involved in an investment, financing, restructuring, sale, merger or acquisition, relevant information may be disclosed to professional advisers and potential transaction parties under appropriate confidentiality arrangements.
Buji is based in the United Kingdom, but some Clinics, healthcare professionals and suppliers are located overseas.
In particular, treatment-related information may be transferred to Turkey where your proposed or confirmed Clinic is located.
Other technology or service providers may process information in the European Economic Area, the United States or other countries.
When personal information is transferred outside the United Kingdom, we use an appropriate transfer mechanism where required, such as:
Where required, we assess the legal and practical risks of the transfer and implement supplementary safeguards.
These may include:
You may contact us for more information about the safeguards used for a particular transfer.
We use cookies, pixels, local storage and similar technologies.
These are used to:
They may operate without consent where they are strictly necessary.
These help us understand:
We use non-essential analytics technologies only after obtaining the required consent.
Where you consent, advertising technologies may be used to:
You can accept, reject or change non-essential cookie choices through .
Rejecting non-essential technologies will not prevent you from using the core Buji service.
We may use limited automated tools to:
We do not intend to make a solely automated decision that produces legal or similarly significant effects concerning your clinical suitability or entitlement to treatment.
Final clinical suitability decisions are made by appropriately qualified healthcare professionals.
Material Outcomes Guarantee decisions will not be based solely on automated processing.
If this changes, we will provide the legally required information about the logic, significance and possible consequences of the processing.
We retain personal information only for as long as reasonably necessary for the purpose for which it was collected, including legal, tax, insurance, complaint and dispute requirements.
Our current general retention approach is:
Normally up to 12 months after the last meaningful contact.
Normally up to 18 months after the last activity, unless you ask us to delete the information sooner and no lawful reason requires retention.
Normally up to seven years after the booking is completed, cancelled or otherwise closed.
Normally up to seven years after the treatment pathway is completed or closed, unless a longer or shorter period is appropriate because of legal claims, clinical requirements or the nature of the record.
Clinics and healthcare professionals may retain their own clinical records for different periods under their professional and legal obligations.
Normally up to seven years after the concern or complaint is finally closed.
Retained for the period required by the relevant insurer, intermediary, regulatory requirement or legal limitation period.
Normally six years after the end of the relevant financial year, or longer where required by law.
Deleted when no longer required for the travel or booking purpose, normally within 90 days after the relevant trip, unless retention is necessary for a complaint, dispute, legal obligation or security reason.
Kept until you withdraw consent or object. We may retain a minimal suppression record after opt-out so that we can respect your preference.
Retained for the periods shown in Cookie Settings or the relevant provider information.
At the end of a retention period, information is deleted, anonymised or securely archived where continued retention is lawfully required.
We use proportionate technical and organisational measures designed to protect personal information.
These may include:
No online system can be guaranteed completely secure.
You should use a strong password, keep account information confidential and tell us promptly if you suspect unauthorised access.
Where a personal data breach occurs, we will:
Depending on the circumstances, you may have the right to:
Ask for confirmation that we process your information and receive a copy of it.
Ask us to correct inaccurate or incomplete information.
Ask us to delete information in certain circumstances.
This right is not absolute. We may retain information where necessary for legal obligations, legal claims, insurance, guarantee administration, complaints, fraud prevention or other lawful purposes.
Ask us to restrict how information is used in certain circumstances.
Object to processing based on legitimate interests.
You have an absolute right to object to direct marketing.
Receive certain information you provided in a structured, commonly used and machine-readable format where the legal conditions apply.
Withdraw consent at any time where we rely on consent.
Withdrawal does not affect processing already carried out before withdrawal.
Ask for appropriate safeguards where a qualifying solely automated decision is used.
Raise a concern with Buji or complain to the Information Commissioner's Office.
To exercise a right, email: support@buji.health
We may need to verify your identity before responding.
We normally respond within one month. The period may be extended where a request is complex or numerous, in which case we will tell you.
There is normally no fee, although a reasonable fee may be charged or a request refused where it is manifestly unfounded or excessive, as permitted by law.
You can change your marketing choices at any time.
You may:
We may retain limited information on a suppression list to make sure we do not send marketing after you opt out.
Service messages relating to an assessment, booking, payment, treatment, aftercare, safety, insurance or guarantee are not marketing and may still be sent where necessary.
Photographs supplied for assessment, treatment planning, aftercare or an Outcomes Guarantee review will not automatically be used in advertising.
We will obtain separate, specific permission before using identifiable:
for public marketing.
Refusing marketing permission will not affect your assessment, booking, treatment, aftercare or guarantee rights.
Where marketing permission is withdrawn, we will stop new uses where reasonably possible. Material already printed, published or distributed may not always be capable of immediate recall, but future use will cease in accordance with the consent terms and applicable law.
Buji services are intended only for people aged 18 or over.
We do not knowingly accept treatment assessments or bookings from children.
If we learn that we have collected a child's information in error, we will investigate and delete or restrict it as appropriate.
The Buji website may link to third-party websites, documents or services.
Those organisations control their own privacy practices.
You should review their privacy information before providing personal information directly to them.
We may update this Notice where:
The updated version will be published with a revised date.
Where a change is material, we may also notify you by email, within your account or through another appropriate channel.
We will not use personal information for a materially incompatible new purpose without providing appropriate information and identifying a lawful basis.
For privacy enquiries or requests, contact:
Buji Technologies Limited
85 Great Portland Street
First Floor
London
W1W 7LT
Email: support@buji.health
Telephone: +44 7424 842825
Our privacy contact is responsible for coordinating data-protection enquiries.
Buji does not currently represent that it has appointed a statutory Data Protection Officer unless and until such an appointment is formally made.
We would prefer the opportunity to address your concern first.
You may also complain to the UK Information Commissioner's Office.
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
You can find current contact and complaint information on the Information Commissioner's Office website.