Privacy Policy

Version 1.0 - 10 March 2021

Introduction

Banking is personal and it involves data about you - nearly every interaction and transaction you will have with us or perform using our app or banking products will involve the collection, creation, use, or sharing of  data.  Data about you - whether you give it to us, we collect it through your use of our services, receive it from others, or we create it such as through data analytics - helps us provide you with the best possible customer experience, understand you better, and anticipate your needs.  It also helps us secure your accounts, improve our app and product offerings, create relevant marketing and advertising, and meet our legal obligations.

Our objective with this policy is to explain how and why collect, create, use, share, store, and delete data as well as to outline the controls we offer to help you take advantage of the important rights you have in regard to your data including privacy settings, notifications, marketing elections, cookies management, and customer support.

About this Policy

This policy is provided by J.P. Morgan Europe Limited (25 Bank Street, Canary Wharf, London, E14 5JP, UK) as data controller and applies to all of our consumer banking and related services (referred to as the “Chase Services”).  The terms governing your use of the Chase Services are set forth in the General Account Terms and Conditions.

Over time we expect to develop new products and services and improve the ones we already offer. If these developments materially change our practices in regard to how we collect, create, use, share, store, and delete your data we will update this policy.  If you ever have questions or concerns – please contact us in accordance with the 'Contact details' section below.

This policy is applies to:

  • Chase customers;
  • anyone who downloads our app;
  • anyone who browses our website or social media pages;
  • anyone who has specific permissions on accounts including power of attorney or appointed third parties;
  • applicants for a Chase account; and
  • anyone who contacts us either online, by telephone, post or any other method.

Your Rights, Choices and Control

Your data is just that – your data. That’s why the Data Protection Act provides you with certain rights in regard to your data, including these rights.

Your right to access

You can confirm the data we process about you and request a copy of your data and information relating to how it is processed

Your right to rectification

You can request that any inaccuracies in the data we hold about you be corrected.

Your right to erasure

You can request that we delete your data

Your right to restriction

You can request that we stop processing your data temporarily or permanently.

Your right to objection

You can object to our processing of your data under certain circumstances.

Your right to transfer

You can request a copy of your data is shared with a third party.

Your right to withdraw your consent

Where we are relying on your consent to process your data, then you can withdraw your consent at any time.

Your right to object to marketing

You may object to our processing of your data for marketing at any time. If you do object we will stop processing your data to market to you.

 

Personal Data We Collect and Create

This section shows the categories of data we collect, create, use, and share along with a description of each category. The sources of your data varies – there is data you give to us, data we collect through your use of Chase Services, data we receive from others, data that is publicly available, and data we create such as through analytics.

Personal details and identifiers

Your full name, home address, email address, phone number, social media profile details and information that is used to verify your identity such as photo ID,  passport number, national insurance number, driving licence number, and nationality.

Authentication data

The data used to access the Chase Services and including your pin number password, security questions and answers, PIN numbers and biometric data (as further explained below).

Financial status

Information used to assess your credit worthiness, including: your salary, employment status, credit rating, CCJs or bankruptcy.

Core banking profile

Details relating to any account that you hold with us, including account number, sort code, debit card information, account balance and overdraft limit.

Transaction history

Records of payments made and received, including the identities of payees and payers; interest payments, direct debits and standing orders.

Account preferences and analytics

Information regarding your stated preferences and relating to your use of our services, including analysis of your spending habits, spending limits that you set, your budgets and stacks and insights into your spending and saving activity.

Health and disability data

Data that you may provide to us relating to a disability or health which is relevant to your use of the Chase Services such as accessibility of our app or a change in your health status.

Communications data

Records of any communications between you and us, including via email, telephone, inapp chat, social media, and letter.

Device Data

Details we collect from your devices, such as cookies, activity logs, use of our website and mobile application, online and unique device identifiers.

Biometric Data

We create temporary facial recognition templates when we match your selfie to your photo ID as part onboarding or when you reset your pin, unlock your account or change your device.

Location Data

Your IP address, location data from your payment transactions, from your device as part of our security and fraud prevention checks and from you directly if you turn on/allow location sharing within the app.

Insights and Analytics

Your in app activity, such as what screens you click on or how long you spend in the app using certain features, your IP address or location, device identifier, device type, your activity on our website or social media pages, transaction and spending history.

 

Automated decisions

We use automated decision making in the following scenarios:

  • Facial recognition is used as part of our onboarding process to verify your ID, and also unlock your account, reset your pin or change your device.
  • We use facial recognition technology to verify that the person in the selfie and the photo ID are actually the same person. The faces in both photos are compared by creating a template based on measurement of the various points on your face such as your chin, nose and eyes.  
  • Once we have a positive template match you will move to the next step of your journey. If the templates don’t match, don’t worry you can call our service center who will help you out to comparing the selfie and photo.
  • The templates created through this photo matching process are temporary and are not accessible to us.  The templates are created by a vendor on our behalf and deleted within a short period once we have confirmed you are the same person in both photos. 

You have the right to request information about the existence of and an explanation of the logic involved in, the significance of and any envisaged consequences of, any automated decision making using your data that has a legal effect or a similar effect on you.

You also have the right to object to automated-processing, provide additional information or ask us to review a decision which may result in us ceasing to carry out that processing or correcting the decision made. In certain circumstances you also have the right not to be subject to a decision based solely on automated processing.

 

How We Use Your Data

The purposes for which we may use your data are as follows:

Customer on-boarding

Setting up your account with us; fulfilling our regulatory compliance obligations, including ‘KYC’ checks; confirming and verifying your identity (including by using credit reference agencies); authenticating your use of our services; screening against government, supranational bodies and/or law enforcement agency sanctions lists as well as internal sanctions lists and other legal restrictions.

Categories of data used

  • Contact details
  • Account information
  • Authentication details
  • Biometric data
  • Identification information

Legal basis for processing

  • The processing is necessary for compliance with a legal obligation; or
  • The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us.

 

Creditworthiness

Conducting credit reference checks and other financial due diligence.

Categories of data used

  • Contact details
  • Financial status

Legal basis for processing

  • The processing is necessary for compliance with a legal obligation; or
  • The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us.

 

Customer services and to communicate with you

Provide you with customer service; helping you manage your account; assistance relating to Chase Services; to inform you about important details relating to your account; review and respond to any queries, issues and complaints you may have.

Categories of data used

  • Contact details
  • Authentication details
  • Account information
  • Transaction history
  • Communication records

Legal basis for processing

  • The processing is necessary for compliance with a legal obligation; or
  • The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us.

 

Provision of Chase Services to you

Providing our core banking/account services to you via our app and service centre; sending service messaging in relation to our services, refining our processes and procedures, administering relationships and related service; performance of tasks necessary for the provision of the requested services and communicating with you in relation to those services.

Categories of data used

  • Contact details
  • Authentication details
  • Account information
  • Communication records

Legal basis for processing

  • The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the processing for the purpose of providing Chase Services to you (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

 

Fraud Prevention

Detecting, preventing and investigating fraud on your device, transactions and payments and detecting applicant fraud as part of our onboarding process.

Categories of data used

  • Contact details
  • Account Information
  • Transaction history

Legal basis for processing

  • We have a legitimate interest in carrying out the processing for the purpose of detecting, and protecting against, fraud (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms);
  • The processing is necessary for compliance with a legal obligation; or
  • The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us.

 

IT Operations

Management of our communications systems; operation of IT security; IT security audits.

Categories of data used

  • Communication records
  • Device ID
  • Contact details
  • Account profile

Legal basis for processing

  • The processing is necessary for compliance with a legal obligation;
  • The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the processing for the purpose of managing and operating our IT systems and ensuring the security of those systems (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

 

Facilitate your use of third party services

With your permission, provide Open Banking services with access to your account information.

Categories of data used

  • Contact details
  • Account information
  • Transaction history

Legal basis for processing

  • We have your consent to grant such access; or
  • We have a legitimate interest in carrying out the processing for the purpose of providing services to you.

 

Marketing

Contacting you about Chase Services, new features via email, in app notification or online through social media ads or ads we place on websites you visit. Understanding how you interact with our app, our website, social media channels and our online ads allows us to understand our customers, people who are interested in becoming customers and helps us build our marketing campaigns and understand the people we are building ads and campaigns for.

Categories of data used

  • Contact details
  • Chase Services preferences
  • Device ID

Legal basis for processing

  • We have a legitimate interest in carrying out the processing for the purpose of conducting marketing and prospecting; or
  • We have your consent to market to you.

 

Personalise our services

Personalisation of Chase Services to you and how you can personalise your in app experience.

Categories of data used

  • Your in app activity and preferences you have set for marketing communications

Legal basis for processing

  • We have a legitimate interest in carrying out the processing for the purpose of providing services to you.

 

To meet our financial operating standards

Internal and regulatory reporting and business oversight such as internal audits and to produce reports to analyse our performance and manage our finances.

Categories of data used

  • Account information
  • Transaction history
  • Communication records

Legal basis for processing

  • The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us; or
  • We have a legitimate interest in carrying out the processing for the purpose of managing and operating the financial affairs of our business (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

 

Research

Speaking to you to collect feedback on both new products and services we are looking to develop or how we are doing in relation to our existing products and your experience with us as a customer. We will collect this information directly through our brand communication channels or through specific research groups we create.

Categories of data used

  • Contact Details
  • Your feedback or opinions

Legal basis for processing

  • We have a legitimate interest in carrying out the processing for the purpose of conducting research and producing analysis (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or
  • We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

 

Security

Maintaining the security of the app as downloaded onto your device.

Categories of data used

  • Login records
  • Device Type
  • Device ID
  • Location

Legal basis for processing

  • The processing is necessary for compliance with a legal obligation; or
  • We have a legitimate interest in carrying out the processing for the purpose of ensuring the physical and electronic security of our business, premises, and assets (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

 

Improve Our Products /Chase Services

Understanding how you as our users interact and use our app, website and social media pages; understanding how you interact allows us to improve on what works, what doesn’t and build new products and features for you.

Categories of data used

  • User Profile
  • Device ID
  • In-app or website browsing activity

Legal basis for processing

  • The processing is necessary in connection with any contract that you may enter into with us, or to take steps prior to entering into a contract with us;
  • We have a legitimate interest in carrying out the processing for the purpose of improving Chase Services (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms); or
  • We have obtained your prior consent to the processing (this legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way).

 

Investigations

Detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

Categories of data used

  • Transaction history
  • Access records

Legal basis for processing

  • The processing is necessary for compliance with a legal obligation; or
  • We have a legitimate interest in carrying out the processing for the purpose of detecting, and protecting against, breaches of our policies and applicable laws (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

 

Legal compliance and legal proceedings

Compliance with our legal and regulatory obligations under applicable law and for us to establish, exercise and defend our legal rights.

Categories of data used

  • Contact details
  • Account information
  • Transaction history

Legal basis for processing

  • The processing is necessary for compliance with a legal obligation; or
  • We have a legitimate interest in carrying out the processing for the purpose of establishing, exercising or defending our legal rights (to the extent that such legitimate interest is not overridden by your interests or fundamental rights and freedoms).

 

Sharing data with third parties

We will disclose your data to certain third parties from time to time. These include:

Members of J.P. Morgan Europe Limited

To help us run our business via sharing infrastructure or where we need to share information for reporting and business management purposes for our internal purposes, for example in connection with our anti-money laundering obligations.

Other banks and payees

To provide you with our services, such as processing payments that you make.

Open Banking providers

That you authorise to receive information relating to your account.

Service providers

To assist us in providinge you with our services, such as our cloud service provider.

Social media and third party plug-in providers

If you choose to interact any such plugins or content, your data will be shared with the third party provider of the relevant social media platform.

Central government

If they require us to share your data, if we are required to report any actual or suspected breaches of applicable law or regulation.

Regulator and authorities

Including the UK Financial Conduct Authority, the UK Prudential Regulation Authority, the UK Financial Services Deposit Compensation Scheme and other deposit guarantee schemes and  HMRC.

Credit reference agencies

To check your creditworthiness.

Law enforcement and fraud detection agencies

In relation to the detection and prevention of criminal activities, including fraud and money laundering.

Professional Advisors

Including accountants, financial advisors, lawyers and other outside professional advisors for purposes of providing services to us.

Purchasers or assignees of our Business

If our business, or part of it, is sold or reorganised.

To receive more information about the third parties that we may share your data with, you can contact us through the information provided in the 'Contact details' section below.

 

Third Parties we receive your data from

We may receive certain data about you from various third parties from time to time, including:

  • Members of J.P. Morgan Europe Limited
  • Credit references agencies
  • Central and local government
  • Research and advertising agencies and data marketplaces  

 

Third Party Data

  • Where we receive­­­­­­ data from third parties, please be aware of the following:If fraud is detected, you could be refused certain services, finance, or employment. Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights, can be found by www.cifas.org.uk/fpn.
  • TransUnion’s privacy notice as listed at https://www.transunion.co.uk/legal/privacy-centre.

 

International Transfers of Data

We are part of a global banking business and we rely on shared infrastructure and systems and also have governance and reporting obligations as such, we will transfer your data within J.P. Morgan Europe Limited, and to third parties as set out above.

For this reason, we will transfer your data to other countries outside of the UK that may have different laws and data protection compliance requirements, including data protection laws of a lower standard to those enacted in the UK. These transfers will only take place for the purposes outlined in this Policy.

Where we transfer your data to other countries outside of the European Economic Area, we will do so on the basis of:

  • Adequacy decisions, where a country has been deemed adequate by the European Union;
  • Binding Corporate Rules when transfers occur within J.P. Morgan Europe Limited;
  • Standard contractual clauses as approved by the European Union; or
  • Other valid transfer mechanisms.

To receive more information about the safeguards that we apply to international transfers of your data, please contact us through the information provided in the 'Contact details' section below.

 

Data Security

We have implemented appropriate technical and organizational measures designed to protect your data. We work hard to protect your information. We protect your data in line with our global security program built on our core principles of only using the data required for the processing in question, controlling access to systems and datasets to those who need to use the data, and using an encryption and other techniques to secure the data that we hold in our systems.

 

Data Accuracy

We take reasonable steps designed to ensure that any data that we process are accurate and, where necessary, kept up to date and that any of your data that we process that is inaccurate (having regard to the purposes for which they are processed) are erased or rectified without delay. From time to time we may ask you to confirm the accuracy of your data.

 

Data Minimisation

We take reasonable steps designed to ensure that your data that we process are limited to the data reasonably required in connection with the purposes set out in this notice.

 

Data Retention

We will retain your data in line with our data retention policy and for the minimum period required. The duration of the retention period is determined by a number of criteria including the nature of our relationship with you, UK law, the type of data and the Chase Services that the data relates to.

Once we no longer need to retain your data, we will either: permanently delete or destroy the relevant data; archive your data so that it is beyond use; or anonymize the relevant data.

 

Updates to this Policy

We will update this Policy from time to time for example when we change the data we collect or the ways in which we process it.

Whenever there are significant changes to the policy then we will reach out and let you know.

 

---

 

Your deposit is eligible for protection by the Financial Services Compensation Scheme (FSCS). The information sheet and exclusions list are available to view in the app. For further information about the compensation provided by the FSCS, refer to the FSCS website at https://www.FSCS.org.uk

Chase is a registered trademark and trading name of J.P. Morgan Europe Limited. J.P. Morgan Europe Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our Financial Services Register number is 124579. Registered in England & Wales with company number 938937. Our registered office is 25 Bank Street, Canary Wharf, London, E14 5JP, United Kingdom.