Privacy Policy of Empire Arvest Bank

1. Introduction Empire Arvest Bank ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and protect your information when you use our banking products and services in England, visit our branches, websites, or mobile applications (collectively, the "Services").

By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy and applicable data protection laws in England, including the UK GDPR and the Data Protection Act 2018.

2. Who We Are Empire Arvest Bank is a bank operating in England, providing retail, commercial, and digital banking services. We act as a data controller in relation to the personal data we collect and process about you.

3. Personal Data We Collect We may collect and process the following categories of personal data:

3.1 Identification and Contact Data

• Full name, title, date of birth
• Residential and correspondence addresses
• Email address and telephone numbers
• Nationality and place of birth
• Government-issued identifiers where permitted or required by law (e.g. passport number, national insurance number, driving licence details)

3.2 Financial and Transaction Data

• Bank account numbers and sort codes
• Card numbers (in accordance with industry security standards)
• Account balances and transaction histories
• Payment instructions, direct debits, standing orders
• Loan, mortgage, savings, and investment details

3.3 Regulatory and Compliance Data

• Information collected for anti–money laundering (AML), know your customer (KYC), sanctions, and fraud-prevention checks
• Information from identity verification agencies and credit reference agencies
• Records of suspicious activity reports where applicable

3.4 Technical and Usage Data

• IP address, browser type and version, device identifiers
• Operating system, time zone setting and location (where enabled)
• Information about how you use our websites, mobile apps, and online banking (clickstreams, page response times, errors)

3.5 Communication and Profile Data

• Records of your communications with us (calls, emails, chats, messages, in-branch interactions)
• Preferences for marketing and communications
• Feedback, complaints, and survey responses

4. How We Collect Your Data We collect personal data in various ways, including:

   • Directly from you when you open an account, apply for a product, or communicate with us
   • Through your use of our Services, such as transactions, online banking, and mobile apps
   • From third parties, such as credit reference agencies, fraud prevention agencies, identity verification providers, and public databases
   • From your devices via cookies and similar technologies when you visit our websites or use our digital channels

5. Legal Bases for Processing We process your personal data only when we have a lawful basis to do so, including:

   • Performance of a contract: to provide and manage your accounts, process payments, and deliver banking services
   • Legal obligations: to comply with banking, tax, AML, KYC, sanctions, and other regulatory requirements in England and other relevant jurisdictions
   • Legitimate interests: to operate, improve, and secure our business, prevent fraud and misuse, manage risk, and conduct internal analytics, provided your rights and freedoms do not override these interests
   • Consent: where required for specific purposes, such as certain forms of electronic marketing. You may withdraw your consent at any time where consent is the legal basis.

6. How We Use Your Personal Data We use your personal data for the following purposes:

6.1 To Provide and Manage Banking Services

• Opening, administering, and servicing accounts
• Processing payments, transfers, deposits, withdrawals, and card transactions
• Assessing and managing credit, including loans, overdrafts, and mortgages
• Providing online and mobile banking, including secure login and authentication

6.2 To Comply with Legal and Regulatory Obligations

• Performing identity and eligibility checks
• Conducting AML, KYC, sanctions, and fraud-prevention screenings
• Meeting obligations under banking, financial services, and consumer protection laws
• Responding to lawful requests from law enforcement, regulators, and courts

6.3 To Manage Risk, Security, and Fraud Prevention

• Monitoring transactions for suspicious or unusual activities
• Detecting, investigating, and preventing fraud, money laundering, and other criminal activities
• Ensuring the security of our systems, networks, branches, and digital platforms

6.4 To Communicate with You

• Sending statements, notices, alerts, and updates about your accounts and transactions
• Responding to your inquiries, requests, and complaints
• Providing service announcements, changes to terms, and other important information

6.5 To Improve Our Products and Services

• Analysing how customers use our Services to improve usability and functionality
• Developing new products and features, including savings and investment solutions designed to help you grow and “harvest” long-term financial value
• Conducting market research, surveys, and customer satisfaction analysis

6.6 Marketing and Promotions

• Informing you about products, services, offers, and events that may be of interest, including specialised savings and investment products with “harvest” themes or benefits
• Tailoring marketing based on your profile and preferences where permitted by law You can opt out of marketing communications at any time (see Section 11).

7. Cookies and Similar Technologies We use cookies and similar technologies on our websites and digital platforms to:
   • Enable core site functionality and secure access
   • Remember your preferences and improve your online experience
   • Analyse site traffic, usage patterns, and performance

Where required by law, we will ask for your consent before placing non-essential cookies. You can manage your cookie preferences through your browser or device settings, though some features of our Services may not function properly if you disable certain cookies.

8. How We Share Your Personal Data We may share your personal data with:

8.1 Group Companies and Service Providers

• Companies within our corporate group, where necessary for internal administration and to provide Services
• Trusted third-party service providers who perform services on our behalf (e.g. IT and cloud services, payment processors, card issuers, communication and mailing providers, identity verification services, analytics providers) These parties are required to handle your data in accordance with our instructions, this Privacy Policy, and applicable data protection laws.

8.2 Credit Reference and Fraud Prevention Agencies

• Credit reference agencies to assess your creditworthiness and verify your identity
• Fraud prevention and law enforcement agencies to prevent and detect fraud, financial crime, and other unlawful activities

8.3 Regulators, Authorities, and Legal Obligations

• Regulators, supervisory authorities, tax authorities, and law enforcement bodies where required by law or where necessary to protect our rights, customers, or the public
• Courts, tribunals, and legal advisers in connection with legal proceedings or regulatory investigations

8.4 Business Transfers In the event of a merger, acquisition, reorganisation, or sale of some or all of our business or assets, customer information may be transferred as part of that transaction, in compliance with applicable laws.

We do not sell your personal data to third parties.

9. International Data Transfers Your personal data may be transferred and processed in countries outside the UK and the European Economic Area (EEA). Where we transfer personal data internationally, we ensure that appropriate safeguards are in place, such as:

   • Adequacy regulations issued for certain countries
   • Standard contractual clauses approved by relevant authorities
   • Other lawful transfer mechanisms recognised under the UK GDPR

10. Data Retention We retain your personal data only for as long as necessary to fulfil the purposes described in this Privacy Policy and to meet legal, regulatory, accounting, and reporting requirements. In determining appropriate retention periods, we consider:

    • The nature and sensitivity of the personal data
    • The potential risk of harm from unauthorised use or disclosure
    • The purposes for which we process your data and whether we can achieve those purposes through other means
    • Legal and regulatory retention requirements applicable to banks in England

Once retention periods expire, we will securely delete, anonymise, or aggregate your data where feasible.

11. Your Rights Subject to legal and regulatory limitations, you have the following rights regarding your personal data:
    • Right of access: to obtain confirmation that we process your data and to receive a copy of the personal data we hold about you
    • Right to rectification: to have inaccurate or incomplete personal data corrected
    • Right to erasure: to request deletion of your personal data where there is no lawful reason for us to continue processing it
    • Right to restriction: to request that we limit the processing of your personal data in certain circumstances
    • Right to data portability: to receive certain personal data in a structured, commonly used, machine-readable format and to have that data transferred to another controller where technically feasible
    • Right to object: to object to processing based on legitimate interests or for direct marketing purposes
    • Right to withdraw consent: where processing is based on your consent, to withdraw that consent at any time

To exercise your rights, please contact us using the details in Section 14. We may need to verify your identity before responding to your request.

12. Security of Your Data We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
    • Encryption and secure transmission of data
    • Access controls and authentication mechanisms
    • Network monitoring, intrusion detection, and regular security testing
    • Staff training and confidentiality obligations

While we strive to protect your data, no system is completely secure. You also play an important role in safeguarding your information by keeping your login details, passwords, and PINs confidential and notifying us immediately of any suspected unauthorised access.

13. Children’s Privacy Our Services are not directed to children under 18, and we do not knowingly collect personal data from children without appropriate parental or guardian consent as required by law. If you believe that we have collected personal data from a child without such consent, please contact us so that we can take appropriate action.

14. Contact and Complaints If you have any questions, requests, or concerns about this Privacy Policy or our handling of your personal data, you may contact our data protection representative at Empire Arvest Bank using the contact details provided on our official website or at your local branch.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you are not satisfied with our response or believe that your data protection rights have been infringed.

15. Changes to This Privacy Policy We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or the Services we offer. When we make material changes, we will update the "last updated" date and, where appropriate, provide you with additional notice.

We encourage you to review this Privacy Policy periodically to stay informed about how Empire Arvest Bank protects your privacy and personal data.