Privacy Policy
PDF Version
Download as PDF (Opens in new window)Introduction
Banking is personal and it involves data about you. Nearly everything you do with us or on our website or app will involve the collection, creation, use, or sharing of data. Data about you helps us provide you with the best customer experience, understand you better and anticipate your needs. This is true whether it’s data you give us, that we collect through your use of our services, receive from others, or create through data analytics and more. It also helps us secure your accounts, improve our app and product offerings, deliver relevant marketing and advertising, and meet our legal obligations.
Our objective with this policy is to explain how and why we collect, create, use, share, store, and delete data as well as to outline the controls we offer to help you take advantage of the important rights you have in regard to your data including privacy settings, notifications, marketing elections, website cookies management, and customer support.
About this Policy
This policy is provided by J.P. Morgan Europe Limited (25 Bank Street, Canary Wharf, London, E14 5JP, UK) as a so-called data controller under the UK Data Protection Act. This policy applies to all of our consumer banking and related services (referred to as the “Chase Services”). The terms that cover your accounts and actual use of the Chase Services can be found in our General Account Terms and Conditions.
Over time, we’ll improve our Chase Services. We also expect to develop new ones. If this materially changes how we collect, create, use, share, store, and delete your data, we’ll update this policy. If you ever have questions or concerns, please get in touch.
This policy applies to:
- Chase customers
- anyone who downloads our app
- anyone who browses our website or social media pages
- anyone who has specific permissions on accounts including power of attorney or appointed third parties
- applicants for a Chase account
- anyone who contacts us either online, by telephone, post or any other method
Your Rights, Choices and Control
Your data is just that – your data. That’s why the UK Data Protection Act provides you with certain rights in regard to your data under certain circumstances, including the right to:
Your right to access
You can find out whether we process your data. You can also request a copy.
Your right to rectification
You can ask us to fix data we hold about you.
Your right to erasure
You can ask us to delete your data.
Your right to restriction
You can ask us to stop processing your data temporarily or permanently.
Your right to objection
You can object to our processing of your data under certain circumstances.
Your right to transfer
You can ask us to share a copy of your data with a third party.
Your right to withdraw your consent
Where you gave your consent to process your data, you can withdraw it any time.
Your right to object to marketing
You can ask us to stop processing your data for marketing.
Your right not to be subjected to automated decision-making
You have the right to human involvement in a decision that would have a legal (or similarly significant) effect on you.
Personal Data We Collect and Create
These are the types of data we collect, create, use, and share:
Personal Details and Identifiers
Your full name, home address, email address, phone number, social media profile details and information that is used to verify your identity. This can be photo ID, passport number, national insurance number, driving license number, and nationality.
Authentication Data
The data used to access the Chase Services. It includes your PIN number(s), password(s), security questions and answers. It also includes your unique account and user profile identifiers and biometric data used for identity verification.
Financial Status
Information used to assess your credit-worthiness. This includes your salary, employment status, credit rating, County Court Judgements or bankruptcy.
Account Information
Details relating to any account that you hold with us. This includes your account number, sort code, cards, account balance, unique identifiers, alerts, language settings, statement preferences, contact preferences, and overdraft limit.
Transaction History
Events like payments made and received (including those via 3rd parties such as Apple Pay, Google Pay or PayPal), credits/debits, payees and payors, interest calculation and payments, and standing orders.
Health and Disability Data
Data that you may provide to us relating to a disability or health which is relevant to your use of the Chase Services. This might include the accessibility of our website or app or a change in your health status that impacts your Chase Services.
Communications Data
Records and results of any communications between you and us. This includes by email, telephone, in-app chat, social media, and letter. This might include open rates and dates/times, whether it was forwarded, and your interaction with the communication.
Device and Technical Data
Data such as unique device identifiers, IP addresses, device type and model, as well as operating system and version. This might also include network connection type, browser type, advertising ID and non-precise location data. We might infer that from other data such as IP address.
Biometric Data
We create temporary facial recognition templates when we match your selfie to your photo ID as part of onboarding or when you reset your pin, unlock your account or change your device. We use behavioural biometric data such as typing patterns and movement data.
Location Data
Your IP address and location data from your payment transactions. This might include location data from your device if you allow location sharing in the app.
Usage Data
Data generated from your website or in-app activity, such as what screens or product features you use and how long you spend using features within the app or on our site.
Cookies
We collect information from your device, or store information on your device, in the form of cookies. We use this information to:
- help maintain the security of the Chase Services
- help ensure that our website and app communicate correctly with our other services
- remember your choices and settings
- collect and compile anonymous, aggregated information for statistical and evaluation purposes to help us understand how users use our services and help us improve those services
Our Cookie Notice is available in the legal section on our website and in our app.
Automated Decisions
Identity Verification
We use automated processes to check your identity. This can be when you’re onboarding as a new customer, unlocking your account, resetting your PIN or changing your device.
To check it’s really you we use facial recognition technology. This technology checks that the person in a selfie and an accepted photo ID are actually the same person. The faces in both photos are compared by creating a mathematical template based on measurement of the various points on your face such as your chin, nose, and eyes.
The templates created through this matching process are temporary and are not accessible to us. The templates are created by a vendor on our behalf and deleted shortly after we have confirmed you are the same person in both photos. Where our process does not create a match, it will be reviewed by an agent. We do not store your details for any other purpose, and our vendors don’t either.
Onboarding Fraud
When you apply for new Chase Services, we screen your personal details against fraud and credit reference databases. The results could prevent you from using the requested Chase Service.
Transaction Fraud
We also use automated decision making to help ensure transactions made on your account are correct and free from fraud. Your transactions (payments to and from your account) will be assessed to identify any unusual payments. Unusual payments include payments you would not normally make or haven’t yet made on our systems. We may stop or decline a payment that is likely to be fraudulent.
You can ask for information about any automated decision making that has a legal or similarly significant effect on you. We’ll explain the logic involved, how we use the decision and any potential consequences. You can also object, give us extra information or ask us to review a decision. In certain circumstances you also have the right not to be subject to a decision based solely on automated processing.
How We Use Your Data
These are reasons we might use your data:
Customer onboarding
This includes setting up your account with us and fulfilling our regulatory compliance obligations, including ‘KYC’ checks. It also includes confirming and verifying your identity (including by using credit reference agencies). We authenticate your use of our services and check against sanctions lists and other legal restrictions. It also includes taking all other necessary steps to make Chase Services available to you.
What it is
- Personal Details and Identifiers
- Account information
- Authentication data
- Biometric data
- Device and technical data
Why we need to do it
- We use your data here to meet alegal obligation
- We might also use it inconnection with a contract you may enter into with us, including in preparation of your entering a contract with us or
- We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you
Creditworthiness
This includes conducting credit reference checks and other financial due diligence. It also includes checking your credit score with credit reference agencies.
What it is
- Personal Details and Identifiers
- Financial status
Why we need to do it
- We use your data here to meet a legal obligation
- We might also use it inconnection with a contract you may enter into with us, including in preparation of your entering a contract with us or
- We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you
Customer services and to communicate with you
To provide you with customer service and help you manage your account. This includes assistance relating to Chase Services and to tell you about important details relating to your account. We will also review and respond to any queries, issues and complaints you may have.
What it is
- Personal Details and Identifiers
- Authentication details
- Account data
- Transaction history
- Communication data
Why we need to do it
- We use your data here to meet a legal obligation
- We might also use it inconnection with a contract you may enter into with us, including in preparation of your entering a contract with us or
- We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you
Provision of Chase Services to you
This includes providing our app and website and our contact centre to you. It also includes sending service messaging, refining our processes and procedures, administering relationships and related services.
What it is
- Personal Details and Identifiers
- Authentication details
- Account information
- Communication data
Why we need to it
- We might also use it inconnection with a contract you may enter into with us, including in preparation of your entering a contract with us or
- We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you or
- We might use it if we have a legitimate interest in doing so to provide you with Chase Services. That interest isn’t overridden by your interests or fundamental rights and freedoms.
Fraud Prevention
This includes detecting, preventing and investigating fraud throughout our relationship with you.
What it is
- Personal Details and Identifiers
- Account Information
- Transaction history
- Location data
- Device and technical data
Why we need to do it
- We have a legitimate interest in using your data to detect and protect against fraud. These interests aren’t overridden by your interests or fundamental rights and freedoms or
- We use your data here to meet a legal obligation or
- we might also use it inconnection with a contract you may enter into with us, including in preparation of your entering a contract with us
IT Operations
This includes the management of our communications systems, operation of IT security and IT security audits.
What it is
- Communication data
- Device and technical data
- Personal Details and Identifiers
- Account data
Why we need to do it
- We have a legitimate interest in using your data to securely run our IT and communications systems. These interests aren’t overridden by your interests or fundamental rights and freedoms or
- we use your data here to meeta legal obligation or
- we might also use it inconnection with a contract you may enter into with us, including in preparation of your entering a contract with us
Facilitate your use of third-party services
With your permission, providing Open Banking services with access to your account information.
What it is
- Personal Details and Identifiers Account data
- Transaction history
Why we need to do it
- We use your data here when we have your consent to grant access or
- we have a legitimate interest using it to provide services to you.
Marketing
For contacting you about Chase Services and new features. This might be via email, in app notification or online through social media ads or ads we place on websites you visit. Understanding how you interact with our app, our website, social media channels and our online ads through analysing activity and behaviour allows us to understand our customers. It also helps us understand people who are interested in becoming customers and build our marketing campaigns and Chase Services. It also includes understanding how you engage with our emails and the content we share via email.
What it is
- Personal Details
- Identifiers Device and technical data
- Usage Data
Why we need to do it
- We have a legitimate interest in using your data for marketing and prospecting or
- we have your consent to market to you.
Personalisation of our Services
This includes personalisation of Chase Services to you and creating new ways for you to personalise your in-app experience.
What it is
- Usage Data
Why we need to do it
- We have a legitimate interest in using your data to provide services to you.
To meet our financial operating standards
This includes internal and regulatory reporting and business oversight such as internal audits and to produce reports to analyse our performance and manage our finances.
What it is
- Account data
- Transaction history
- Communication data
Why we need to do it
- We have a legitimate interest in using your data to manage and operate the financial affairs of our business. These interests aren’t overridden by your interests or fundamental rights and freedoms or
- we use your data here to meet a legal obligation or
- we might also use it in connection with a contract you may enter into with us, including in preparation.
Research
This is includes speaking to you to collect your views and opinions on our brand, new Chase Services we are looking to develop or how we are doing in relation to our existing Chase Services and your experience with us as a customer. We will conduct our research directly with you or through a partnership with our research partners.
We will analyse your views and feedback to create insights that help us understand what people think about our brand and shape changes to our Chase Services and marketing campaigns.
What it is
- Personal Details and Identifiers Usage Data
- Communications Data
- Your feedback or opinions
Why we need to do it
- We have a legitimate interest in using your data to conduct research and produce analysis or
- We may also have obtained yourprior consent to using. This legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way.
Security
This includes maintaining the security of our website and our app.
What it is
- Personal Details and Identifiers Usage Data
- Device and Technical Data
- Location Data
Why we need it
- We use your data here to meet a legal obligation or
- we have a legitimate interest in using your data to ensure the physical and electronic security of our business, premises and assets. These interests aren’t overridden by your interests or fundamental rights and freedoms.
Improve Chase Services
This includes understanding how you interact with and use our app, website and social media pages. It also includes understanding how you interact with our app or website allows us to improve on what works, what doesn’t and build new Chase Services for you.
What it is
- Personal Details and Identifiers Device and Technical Data
- Usage Data
Why we need it
- We have a legitimate interest in using your data to improve Chase Services. We may also have your prior consent.
- We might also use it inconnection with a contract you may enter into with us, including in preparation. These interests aren’t overridden by your interests or fundamental rights and freedoms.
Investigations
This includes detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.
What it is
- Transaction history
- Usage Data
- Social media and other public records and 3rd party data sources
Why we need it
- We use your data here to meet a legal obligation.
- We havea legitimate interest in using your data to detect and protect against breaches of our policies and the law. These interests aren’t overridden by your interests or fundamental rights and freedoms.
Legal compliance and legal proceedings
For compliance with our legal and regulatory obligations under applicable law and for us to establish, exercise and defend our legal rights.
What is it
- Personal Details and Identifiers Account data
- Transaction history
Why we need to do it
- we use itinconnection with a contract you may enter into with us, including in preparation of your entering a contract with us
Sharing Data with Third Parties
We will disclose your data to certain third parties from time to time.
Members of the J.P. Morgan Group
So they can help us provide you with Chase Services. Also to allow them to meet legal or regulatory obligations, or because you asked us to.
Other Banks and Payees
To process payments from or to your account(s).
Open Banking Providers
If you authorise them, we’ll share data about your account so their services work for you.
Service Providers
So they can help us provide you with Chase Services. Examples include vendors who help us operate the system that manages account data or vendors who assist us with our marketing efforts.
Social and Search Advert platforms and Advertising Partners
We advertise our services on social media and search platforms and with our advertising partners. These advertising campaigns sometimes require sharing personal data to place advertisements.
The data we share is limited to one of the following data points:
- your email address
- your phone number
- your device ID
We protect your data using a technical process called “hashing” when we transfer data to an ad platform.
Your data is used to check if you have an account with our search and social advertising platforms or advertising partners when we place adverts. If you don’t have an account, your data is deleted immediately. If you do, we will ask the social or search ad platform to take one of the following actions:
- A Chase ad will be served to you where we believe you could be interested in our services
- Serve ads to people who have similar interests to you. Here we ask our social media and advertising partners to show our adverts to people who like you are interested in digital banking services.
- Exclude you from our online marketing campaigns because you already use the services we are advertising
We may also advertise Chase services with our advertising partners and ad platforms without sharing personal data. Here our ads will be displayed on websites and in response to search requests where people are looking for banking services.
Courts Service
We may be required to share your data in relation to a legal filing or claim in the exercise or defence of legal rights or obligations.
Government Bodies, Agencies, Regulators and Authorities
We can be asked to share your data with these bodies on a regular or ad hoc basis. Examples include the UK Financial Conduct Authority, the UK Prudential Regulation Authority, the UK Financial Services Deposit Compensation Scheme, other deposit guarantee schemes and HM Revenue and Customs.
If you’re a tax resident of a country other than the UK, we may be required to share information about you and your accounts with the relevant tax authorities. The obligations can ask for us to share this information directly, or through the local tax authority. The relevant tax authorities can share that information with other appropriate tax authorities or government bodies. We may ask you to provide us with extra information or to fill in tax forms to help us with this.
Credit Reference and Fraud Prevention Agencies
To check your creditworthiness and to prevent fraud and money laundering.
Law Enforcement and Fraud Detection Agencies
To help with the detection, prevention and investigation and prosecution of criminal activities, including fraud and money laundering.
Professional Advisors
So they can provide services to us. This includes accountants, financial advisors, lawyers and other outside professional advisors.
Purchasers or Assignees of Our Business
If our business, or part of it, is sold or reorganised.
If you want to know more about any of these third parties, please get in touch.
Third Parties we receive your data from
We may receive certain data about you from various third parties from time to time, including:
- Members of the J.P. Morgan group
- Credit references agencies
- Central and local government
- Research and advertising agencies and data marketplaces
Third Party Data: Fraud Prevention and Credit Reference Agencies
We share data with, search databases or receive data from fraud prevention and credit reference agencies, as part of our customer onboarding process and during your relationship with us as customer.
- If fraud is detected, you could be refused certain Chase Services.
- Further details of how your information will be used by us the fraud prevention agencies, and your data protection rights in relation to this data, can be found at http://www.cifas.org.uk/fpn (Opens in new window)
- We run a credit check when you open an account with us and we will share data with the credit reference agencies for the duration of your relationship with us. This will include details of funds going into the account, and the account balance.
- The Credit Reference Agencies may share this information with other organisations that wish to check your financial status.
- The Credit Reference Agency Information Notice (CRAIN) describes how the three main credit reference agencies in the UK use and share personal data. The CRAIN is available on the credit reference agencies’ websites as detailed below
http://www.transunion.co.uk/crain (Opens in new window)
http://www.equifax.co.uk/crain (Opens in new window)
www.experian.co.uk/legal/crain/ (Opens in new window)
The privacy policies of each Credit Reference Agency will explain separately how they use the data they collect outside of the CRAIN notice.
- If you’re a tax resident of a country other than the UK, we may be required to share information about you and your accounts with the relevant tax authorities. We may be required to share this information directly, or through the local tax authority. They may then share that information with other appropriate tax authorities or government bodies. We may ask you to provide us with extra information or to fill in tax forms to help us with this.
International Transfers of Data
Chase is part of a global banking business which uses shared technology. We also have governance and reporting obligations to the wider group as such, we will transfer your data within the J.P. Morgan group, and to third parties as set out above.
For this reason, we will transfer your data to other countries outside of the UK that may have different laws and data protection compliance requirements, including data protection laws of a lower standard to those enacted in the UK. These transfers will only take place for the purposes outlined in this policy.
Where we transfer your data to other countries outside of the UK, we will do so on the basis of:
- Adequacy decisions, where a country has been deemed to provide adequate protections to individual
- Binding Corporate Rules when transfers occur within the J.P. Morgan group;
- Standard contractual clauses; or
- Other valid transfer mechanisms or derogations.
To receive more information about the safeguards that we apply to international transfers of your data, please get in touch.
Other Information
This is any information that does not reveal your specific identity or relate to anyone identifiable:
- Browser and device information
- App usage data
- Information collected through cookies, pixel tags and other technologies
- Demographic information and other information provided by you that does not reveal your specific identity
- Information that has been aggregated in a manner such that it no longer reveals your specific identity
Sometimes Other Information is associated to you or combined with your personal data. When this happens, it becomes Personal Data. If that happens, we treat it as Personal Data. We will treat it as Personal Data as long as it is combined and identifies you.
Data Security
We have a global security program designed and implemented through our policies, guidelines and controls to protect your data from misuse. Our security program is designed to protect your data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access. Our people can only access as little of your data as they absolutely must. Anyone who can access your data must keep it confidential and only use it for shortest period required.
Data Accuracy
We take reasonable steps designed to ensure that any data that we process are accurate and, where necessary, kept up-to-date. We also take reasonable steps to ensure that any of your data that we process that is inaccurate are erased or rectified without delay. From time to time, we may ask you to confirm the accuracy of your data.
Data Minimization
We take reasonable steps designed to ensure that your data that we process are limited to the data reasonably required in connection with the purposes set out in this notice.
Data Retention
We will retain your data in line with our data retention policy and for the minimum period required. The duration of the retention period is determined by a number of criteria including the nature of our relationship with you, UK law, the type of data and the Chase Services that the data relates to.
Once we no longer need to retain your data in a form that identifies you, we will permanently delete or destroy it, archive and secure it so that it is beyond practical use; or anonymize it.
Updates to this Policy
We will update this Policy from time to time for example when we change the data we collect or the ways in which we process it.
Contact Details
If you have any comments, questions or concerns about how we process your data, then please contact our privacy team at privacyteam.chaseuk@jpmorgan.com or via post at JPMC EMEA Privacy, J.P. Morgan Europe Limited, 25 Bank Street, London E14 5JP, UK.
You can contact our Data Protection Officer at EMEA.Privacy.Office@jpmchase.com or via post at JPMC EMEA Privacy, J.P. Morgan Europe Limited, 25 Bank Street, London E14 5JP, UK.