Banking is personal and it involves data about you. Nearly everything you do with us or on our website or app will involve the collection, creation, use, or sharing of data. Data about you helps us provide you with the best customer experience, understand you better and anticipate your needs. This is true whether it’s data you give us, that we collect through your use of our services, receive from others, or create through data analytics and more. It also helps us secure your accounts, improve our app and product offerings, deliver relevant marketing and advertising, and meet our legal obligations.
Our objective with this policy is to explain how and why we collect, create, use, share, store, and delete data as well as to outline the controls we offer to help you take advantage of the important rights you have in regard to your data including privacy settings, notifications, marketing elections, website cookies management, and customer support.
This policy is provided by J.P. Morgan Europe Limited (25 Bank Street, Canary Wharf, London, E14 5JP, UK) as a so-called data controller under the UK Data Protection Act. This policy applies to all of our consumer banking and related services (referred to as the “Chase Services”). The terms that cover your accounts and actual use of the Chase Services can be found in our General Account Terms and Conditions.
Over time, we’ll improve our Chase Services. We also expect to develop new ones. If this materially changes how we collect, create, use, share, store, and delete your data, we’ll update this policy. If you ever have questions or concerns, please get in touch.
This policy applies to:
Your data is just that – your data. That’s why the UK Data Protection Act provides you with certain rights in regard to your data under certain circumstances, including the right to:
You can find out whether we process your data. You can also request a copy.
You can ask us to fix data we hold about you.
You can ask us to delete your data.
You can ask us to stop processing your data temporarily or permanently.
You can object to our processing of your data under certain circumstances.
You can ask us to share a copy of your data with a third party.
Where you gave your consent to process your data, you can withdraw it any time.
You can ask us to stop processing your data for marketing.
You have the right to human involvement in a decision that would have a legal (or similarly significant) effect on you.
These are the types of data we collect, create, use, and share:
Your full name, home address, email address, phone number, social media profile details and information that is used to verify your identity. This can be photo ID, passport number, national insurance number, driving license number, and nationality.
The data used to access the Chase Services. It includes your PIN number(s), password(s), security questions and answers. It also includes your unique account and user profile identifiers and biometric data used for identity verification.
Information used to assess your credit-worthiness. This includes your salary, employment status, credit rating, County Court Judgements or bankruptcy.
Details relating to any account that you hold with us. This includes your account number, sort code, cards, account balance, unique identifiers, alerts, language settings, statement preferences, contact preferences, and overdraft limit.
Events like payments made and received (including those via 3rd parties such as Apple Pay, Google Pay or PayPal), credits/debits, payees and payors, interest calculation and payments, and standing orders.
Data that you may provide to us relating to a disability or health which is relevant to your use of the Chase Services. This might include the accessibility of our website or app or a change in your health status that impacts your Chase Services.
Records and results of any communications between you and us. This includes by email, telephone, in-app chat, social media, and letter. This might include open rates and dates/times, whether it was forwarded, and your interaction with the communication.
Data such as unique device identifiers, IP addresses, device type and model, as well as operating system and version. This might also include network connection type, browser type, advertising ID and non-precise location data. We might infer that from other data such as IP address.
We create temporary facial recognition templates when we match your selfie to your photo ID as part of onboarding or when you reset your pin, unlock your account or change your device. We use behavioural biometric data such as typing patterns and movement data.
Your IP address and location data from your payment transactions. This might include location data from your device if you allow location sharing in the app.
Data generated from your website or in-app activity, such as what screens or product features you use and how long you spend using features within the app or on our site.
We collect information from your device, or store information on your device, in the form of cookies. We use this information to:
Our Cookie Notice is available in the legal section on our website and in our app.
We use automated processes to check your identity. This can be when you’re onboarding as a new customer, unlocking your account, resetting your PIN or changing your device.
To check it’s really you we use facial recognition technology. This technology checks that the person in a selfie and an accepted photo ID are actually the same person. The faces in both photos are compared by creating a mathematical template based on measurement of the various points on your face such as your chin, nose, and eyes.
The templates created through this matching process are temporary and are not accessible to us. The templates are created by a vendor on our behalf and deleted shortly after we have confirmed you are the same person in both photos. Where our process does not create a match, it will be reviewed by an agent. We do not store your details for any other purpose, and our vendors don’t either.
When you apply for new Chase Services, we screen your personal details against fraud and credit reference databases. The results could prevent you from using the requested Chase Service.
We also use automated decision making to help ensure transactions made on your account are correct and free from fraud. Your transactions (payments to and from your account) will be assessed to identify any unusual payments. Unusual payments include payments you would not normally make or haven’t yet made on our systems. We may stop or decline a payment that is likely to be fraudulent.
You can ask for information about any automated decision making that has a legal or similarly significant effect on you. We’ll explain the logic involved, how we use the decision and any potential consequences. You can also object, give us extra information or ask us to review a decision. In certain circumstances you also have the right not to be subject to a decision based solely on automated processing.
These are reasons we might use your data:
This includes setting up your account with us and fulfilling our regulatory compliance obligations, including ‘KYC’ checks. It also includes confirming and verifying your identity (including by using credit reference agencies). We authenticate your use of our services and check against sanctions lists and other legal restrictions. It also includes taking all other necessary steps to make Chase Services available to you.
This includes conducting credit reference checks and other financial due diligence. It also includes checking your credit score with credit reference agencies.
To provide you with customer service and help you manage your account. This includes assistance relating to Chase Services and to tell you about important details relating to your account. We will also review and respond to any queries, issues and complaints you may have.
This includes providing our app and website and our contact centre to you. It also includes sending service messaging, refining our processes and procedures, administering relationships and related services.
This includes detecting, preventing and investigating fraud throughout our relationship with you.
This includes the management of our communications systems, operation of IT security and IT security audits.
With your permission, providing Open Banking services with access to your account information.
For contacting you about Chase Services and new features. This might be via email, in app notification or online through social media ads or ads we place on websites you visit. Understanding how you interact with our app, our website, social media channels and our online ads through analysing activity and behaviour allows us to understand our customers. It also helps us understand people who are interested in becoming customers and build our marketing campaigns and Chase Services. It also includes understanding how you engage with our emails and the content we share via email.
This includes personalisation of Chase Services to you and creating new ways for you to personalise your in-app experience.
This includes internal and regulatory reporting and business oversight such as internal audits and to produce reports to analyse our performance and manage our finances.
This is includes speaking to you to collect your views and opinions on our brand, new Chase Services we are looking to develop or how we are doing in relation to our existing Chase Services and your experience with us as a customer. We will conduct our research directly with you or through a partnership with our research partners.
We will analyse your views and feedback to create insights that help us understand what people think about our brand and shape changes to our Chase Services and marketing campaigns.
This includes maintaining the security of our website and our app.
This includes understanding how you interact with and use our app, website and social media pages. It also includes understanding how you interact with our app or website allows us to improve on what works, what doesn’t and build new Chase Services for you.
This includes detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.
For compliance with our legal and regulatory obligations under applicable law and for us to establish, exercise and defend our legal rights.
We will disclose your data to certain third parties from time to time.
So they can help us provide you with Chase Services. Also to allow them to meet legal or regulatory obligations, or because you asked us to.
To process payments from or to your account(s).
If you authorise them, we’ll share data about your account so their services work for you.
So they can help us provide you with Chase Services. Examples include vendors who help us operate the system that manages account data or vendors who assist us with our marketing efforts.
We advertise our services on social media and search platforms and with our advertising partners. These advertising campaigns sometimes require sharing personal data to place advertisements.
The data we share is limited to one of the following data points:
We protect your data using a technical process called “hashing” when we transfer data to an ad platform.
Your data is used to check if you have an account with our search and social advertising platforms or advertising partners when we place adverts. If you don’t have an account, your data is deleted immediately. If you do, we will ask the social or search ad platform to take one of the following actions:
We may also advertise Chase services with our advertising partners and ad platforms without sharing personal data. Here our ads will be displayed on websites and in response to search requests where people are looking for banking services.
We may be required to share your data in relation to a legal filing or claim in the exercise or defence of legal rights or obligations.
We can be asked to share your data with these bodies on a regular or ad hoc basis. Examples include the UK Financial Conduct Authority, the UK Prudential Regulation Authority, the UK Financial Services Deposit Compensation Scheme, other deposit guarantee schemes and HM Revenue and Customs.
If you’re a tax resident of a country other than the UK, we may be required to share information about you and your accounts with the relevant tax authorities. The obligations can ask for us to share this information directly, or through the local tax authority. The relevant tax authorities can share that information with other appropriate tax authorities or government bodies. We may ask you to provide us with extra information or to fill in tax forms to help us with this.
To check your creditworthiness and to prevent fraud and money laundering.
To help with the detection, prevention and investigation and prosecution of criminal activities, including fraud and money laundering.
So they can provide services to us. This includes accountants, financial advisors, lawyers and other outside professional advisors.
If our business, or part of it, is sold or reorganised.
If you want to know more about any of these third parties, please get in touch.
We may receive certain data about you from various third parties from time to time, including:
We share data with, search databases or receive data from fraud prevention and credit reference agencies, as part of our customer onboarding process and during your relationship with us as customer.
The Credit Reference Agency Information Notice (CRAIN) describes how the three main credit reference agencies in the UK use and share personal data. The CRAIN is available on the credit reference agencies’ websites as detailed below
www.experian.co.uk/legal/crain/
The privacy policies of each Credit Reference Agency will explain separately how they use the data they collect outside of the CRAIN notice.
Chase is part of a global banking business which uses shared technology. We also have governance and reporting obligations to the wider group as such, we will transfer your data within the J.P. Morgan group, and to third parties as set out above.
For this reason, we will transfer your data to other countries outside of the UK that may have different laws and data protection compliance requirements, including data protection laws of a lower standard to those enacted in the UK. These transfers will only take place for the purposes outlined in this policy.
Where we transfer your data to other countries outside of the UK, we will do so on the basis of:
To receive more information about the safeguards that we apply to international transfers of your data, please get in touch.
This is any information that does not reveal your specific identity or relate to anyone identifiable:
Sometimes Other Information is associated to you or combined with your personal data. When this happens, it becomes Personal Data. If that happens, we treat it as Personal Data. We will treat it as Personal Data as long as it is combined and identifies you.
We have a global security program designed and implemented through our policies, guidelines and controls to protect your data from misuse. Our security program is designed to protect your data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access. Our people can only access as little of your data as they absolutely must. Anyone who can access your data must keep it confidential and only use it for shortest period required.
We take reasonable steps designed to ensure that any data that we process are accurate and, where necessary, kept up-to-date. We also take reasonable steps to ensure that any of your data that we process that is inaccurate are erased or rectified without delay. From time to time, we may ask you to confirm the accuracy of your data.
We take reasonable steps designed to ensure that your data that we process are limited to the data reasonably required in connection with the purposes set out in this notice.
We will retain your data in line with our data retention policy and for the minimum period required. The duration of the retention period is determined by a number of criteria including the nature of our relationship with you, UK law, the type of data and the Chase Services that the data relates to.
Once we no longer need to retain your data in a form that identifies you, we will permanently delete or destroy it, archive and secure it so that it is beyond practical use; or anonymize it.
We will update this Policy from time to time for example when we change the data we collect or the ways in which we process it.
If you have any comments, questions or concerns about how we process your data, then please contact our privacy team at privacyteam.chaseuk@jpmorgan.com or via post at JPMC EMEA Privacy, J.P. Morgan Europe Limited, 25 Bank Street, London E14 5JP, UK.
You can contact our Data Protection Officer at EMEA.Privacy.Office@jpmchase.com or via post at JPMC EMEA Privacy, J.P. Morgan Europe Limited, 25 Bank Street, London E14 5JP, UK.
---
Your deposit is eligible for protection by the Financial Services Compensation Scheme (FSCS). The information sheet and exclusions list are available to view in the app. For further information about the compensation provided by the FSCS, refer to the FSCS website at https://www.FSCS.org.uk
Chase is a registered trademark and trading name of J.P. Morgan Europe Limited. J.P. Morgan Europe Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our Financial Services Register number is 124579. Registered in England & Wales with company number 938937. Our registered office is 25 Bank Street, Canary Wharf, London, E14 5JP, United Kingdom.