Privacy Policy

Introduction

Banking is personal and it involves data about you. Nearly everything you do with us or on our website or app will involve the collection, creation, use, or sharing of data. Data about you helps us provide you with the best customer experience, understand you better and anticipate your needs. This is true whether it’s data you give us, that we collect through your use of our services, receive from others, or create through data analytics and more. It also helps us secure your accounts, improve our app and product offerings, deliver relevant marketing and advertising, and meet our legal obligations.

Our objective with this policy is to explain how and why we collect, create, use, share, store, and delete data as well as to outline the controls we offer to help you take advantage of the important rights you have in regard to your data including privacy settings, notifications, marketing elections, website cookies management, and customer support.

About this Policy

This policy is provided by J.P. Morgan Europe Limited (25 Bank Street, Canary Wharf, London, E14 5JP, UK) as a so-called data controller under the UK Data Protection Act. This policy applies to all of our consumer banking and related services (referred to as the “Chase Services”). The terms that cover your accounts and actual use of the Chase Services can be found in our General Account Terms and Conditions.

Over time, we’ll improve our Chase Services. We also expect to develop new ones. If this materially changes how we collect, create, use, share, store, and delete your data, we’ll update this policy. If you ever have questions or concerns, please get in touch.

This policy applies to:

  • Chase customers
  • anyone who downloads our app
  • anyone who browses our website or social media pages
  • anyone who has specific permissions on accounts including power of attorney or appointed third parties
  • applicants for a Chase account
  • anyone who contacts us either online, by telephone, post or any other method

Your Rights, Choices and Control

Your data is just that – your data. That’s why the UK Data Protection Act provides you with certain rights in regard to your data under certain circumstances, including:

Your right to access

You can find out whether we process your data. You can also request a copy.

Your right to rectification

You can ask us to fix data we hold about you.

Your right to erasure

You can ask us to delete your data.

Your right to restriction

You can ask us to stop processing your data temporarily or permanently.

Your right to objection

You can object to our processing of your data under certain circumstances.

Your right to transfer

You can ask us to share a copy of your data with a third party.

Your right to withdraw your consent

Where you gave your consent to process your data, you can withdraw it any time.

Your right to object to marketing

You can ask us to stop processing your data for marketing.

Your right not to be subjected to automated decision-making

You have the right to human involvement in a decision that would have a legal (or similarly significant) effect on you.

Personal Data We Collect and Create

These are the types of data we collect, create, use, and share:

Personal Details and Identifiers

Your full name, home address, email address, phone number, social media profile details and information that is used to verify your identity. This can be photo ID, passport number, national insurance number, driving license number, and nationality.

Authentication Data

The data used to access the Chase Services. It includes your PIN number(s), password(s), security questions and answers. It also includes your unique account and user profile identifiers and biometric data used for identity verification.

Financial Status

Information used to assess your credit-worthiness. This includes your salary, employment status, credit rating, County Court Judgements or bankruptcy.

Account Information

Details relating to any account that you hold with us. This includes your account number, sort code, cards, account balance, unique identifiers, alerts, language settings, statement preferences, contact preferences, and overdraft limit.

Transaction History

Events like payments made and received (including those via 3rd parties such as Apple Pay, Google Pay or PayPal), credits/debits, payees and payors, interest calculation and payments, and standing orders.

Health and Disability Data

Data that you may provide to us relating to a disability or health which is relevant to your use of the Chase Services. This might include the accessibility of our website or app or a change in your health status that impacts your Chase Services.

Communications Data

Records and results of any communications between you and us. This includes by email, telephone, in-app chat, social media, and letter. This might include open rates and dates/times, whether it was forwarded, and your interaction with the communication.

Device and Technical Data

Data such as unique device identifiers, IP addresses, device type and model, as well as operating system and version. This might also include network connection type, browser type, advertising ID and non-precise location data. We might infer that from other data such as IP address.

Biometric Data

We create temporary facial recognition templates when we match your selfie to your photo ID as part of onboarding or when you reset your pin, unlock your account or change your device. We use behavioural biometric data such as typing patterns and movement data.

Location Data

Your IP address and location data from your payment transactions. This might include location data from your device if you allow location sharing in the app.

Usage Data

Data generated from your website or in-app activity, such as what screens or product features you use and how long you spend using features within the app or on our site.

Cookies

We collect information from your device, or store information on your device, in the form of cookies. We use this information to:

  • help maintain the security of the Chase Services
  • help ensure that our website and app communicate correctly with our other services
  • remember your choices and settings
  • collect and compile anonymous, aggregated information for statistical and evaluation purposes to help us understand how users use our services and help us improve those services

Our Cookie Notice is available in the legal section on our website and in our app.

Automated Decisions

Identity Verification

We use automated processes to check your identity. This can be when you’re onboarding as a new customer, unlocking your account, resetting your PIN or changing your device.

To check it’s really you we use facial recognition technology. This technology checks that the person in a selfie and an accepted photo ID are actually the same person. The faces in both photos are compared by creating a mathematical template based on measurement of the various points on your face such as your chin, nose, and eyes.

The templates created through this matching process are temporary and are not accessible to us. The templates are created by a vendor on our behalf and deleted shortly after we have confirmed you are the same person in both photos. Where our process does not create a match, it will be reviewed by an agent. We do not store your details for any other purpose, and our vendors don’t either.

Onboarding Fraud

When you apply for new Chase Services, we screen your personal details against fraud and credit reference databases. The results could prevent you from using the requested Chase Service.

Transaction Fraud

We also use automated decision making to help ensure transactions made on your account are correct and free from fraud. Your transactions (payments to and from your account) will be assessed to identify any unusual payments. Unusual payments include payments you would not normally make or haven’t yet made on our systems. We may stop or decline a payment that is likely to be fraudulent.

You can ask for information about any automated decision making that has a legal or similarly significant effect on you. We’ll explain the logic involved, how we use the decision and any potential consequences. You can also object, give us extra information or ask us to review a decision. In certain circumstances you also have the right not to be subject to a decision based solely on automated processing.

How We Use Your Data

These are reasons we might use your data:

Customer onboarding

This includes setting up your account with us and fulfilling our regulatory compliance obligations, including ‘KYC’ checks. It also includes confirming and verifying your identity (including by using credit reference agencies). We authenticate your use of our services and check against sanctions lists and other legal restrictions. It also includes taking all other necessary steps to make Chase Services available to you.

What it is

  • Personal Details and Identifiers
  • Account information
  • Authentication data
  • Biometric data
  • Device and technical data

Why we need to do it

  • We use your data here to meet a legal obligation
  • We might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us or
  • We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you

Creditworthiness

This includes conducting credit reference checks and other financial due diligence. It also includes checking your credit score with credit reference agencies.

What it is

  • Personal Details and Identifiers
  • Financial status

Why we need to do it

  • We use your data here to meet a legal obligation
  • We might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us or
  • We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you

Customer services and to communicate with you

To provide you with customer service and help you manage your account. This includes assistance relating to Chase Services and to tell you about important details relating to your account. We will also review and respond to any queries, issues and complaints you may have.

What it is

  • Personal Details and Identifiers
  • Authentication details
  • Account data
  • Transaction history
  • Communication data

Why we need to do it

  • We use your data here to meet a legal obligation
  • We might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us or
  • We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you

Provision of Chase Services to you

This includes providing our app and website and our contact centre to you. It also includes sending service messaging, refining our processes and procedures, administering relationships and related services.

What it is

  • Personal Details and Identifiers
  • Authentication details
  • Account information
  • Communication data

Why we need to do it

  • We might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us or
  • We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you or
  • We might use it if we have a legitimate interest in doing so to provide you with Chase Services. That interest isn’t overridden by your interests or fundamental rights and freedoms.

Fraud Prevention

This includes detecting, preventing and investigating fraud throughout our relationship with you.

What it is

  • Personal Details and Identifiers
  • Account Information
  • Transaction history
  • Location data
  • Device and technical data

Why we need to do it

  • We have a legitimate interest in using your data to detect and protect against fraud. These interests aren’t overridden by your interests or fundamental rights and freedoms or
  • We use your data here to meet a legal obligation or
  • we might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us

IT Operations

This includes the management of our communications systems, operation of IT security and IT security audits.

What it is

  • Communication data
  • Device and technical data
  • Personal Details and Identifiers
  • Account data

Why we need to do it

  • We have a legitimate interest in using your data to securely run our IT and communications systems. These interests aren’t overridden by your interests or fundamental rights and freedoms or
  • we use your data here to meet a legal obligation or
  • we might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us

Facilitate your use of third-party services

With your permission, providing Open Banking services with access to your account information.

What it is

  • Personal Details and Identifiers
  • Account data
  • Transaction history

Why we need to do it

  • We use your data here when we have your consent to grant access or
  • we have a legitimate interest using it to provide services to you.

Marketing

For contacting you about Chase Services and new features. This might be via email, in app notification or online through social media ads or ads we place on websites you visit. Understanding how you interact with our app, our website, social media channels and our online ads through analysing activity and behaviour allows us to understand our customers. It also helps us understand people who are interested in becoming customers and build our marketing campaigns and Chase Services. It also includes understanding how you engage with our emails and the content we share via email.

What it is

  • Personal Details and Identifiers
  • Device and technical data
  • Usage Data

Why we need to do it

  • We have a legitimate interest in using your data for marketing and prospecting or
  • we have your consent to market to you.

Personalisation of our Services

This includes personalisation of Chase Services to you and creating new ways for you to personalise your in-app experience.

What it is

  • Usage Data

Why we need to do it

  • We have a legitimate interest in using your data to provide services to you.

To meet our financial operating standards

This includes internal and regulatory reporting and business oversight such as internal audits and to produce reports to analyse our performance and manage our finances.

What it is

  • Account data
  • Transaction history
  • Communication data

Why we need to do it

  • We have a legitimate interest in using your data to manage and operate the financial affairs of our business. These interests aren’t overridden by your interests or fundamental rights and freedoms or
  • we use your data here to meet a legal obligation or
  • we might also use it in connection with a contract you may enter into with us, including in preparation.

Research

This includes speaking to you to collect your views and opinions on our brand, new Chase Services we are looking to develop or how we are doing in relation to our existing Chase Services and your experience with us as a customer. We will conduct our research directly with you or through a partnership with our research partners.

We will analyse your views and feedback to create insights that help us understand what people think about our brand and shape changes to our Chase Services and marketing campaigns.

What it is

  • Personal Details and Identifiers
  • Usage Data
  • Communications Data
  • Your feedback or opinions

Why we need to do it

  • We have a legitimate interest in using your data to conduct research and produce analysis or
  • We may also have obtained your prior consent to using. This legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way.

Security

This includes maintaining the security of our website and our app.

What it is

  • Personal Details and Identifiers
  • Usage Data
  • Device and Technical Data
  • Location Data

Why we need it

  • We use your data here to meet a legal obligation or
  • we have a legitimate interest in using your data to ensure the physical and electronic security of our business, premises and assets. These interests aren’t overridden by your interests or fundamental rights and freedoms.

Improve Chase Services

This includes understanding how you interact with and use our app, website and social media pages. Understanding how you interact with our app or website allows us to improve on what works, what doesn’t and build new Chase Services for you.

What it is

  • Personal Details and Identifiers
  • Device and Technical Data
  • Usage Data

Why we need it

  • We have a legitimate interest in using your data to improve Chase Services. We may also have your prior consent.
  • We might also use it in connection with a contract you may enter into with us, including in preparation. These interests aren’t overridden by your interests or fundamental rights and freedoms.

Investigations

This includes detecting, investigating and preventing breaches of policy, and criminal offences, in accordance with applicable law.

What it is

  • Transaction history
  • Usage Data
  • Social media and other public records and 3rd party data sources

Why we need it

  • We use your data here to meet a legal obligation.
  • We have a legitimate interest in using your data to detect and protect against breaches of our policies and the law. These interests aren’t overridden by your interests or fundamental rights and freedoms.

Legal compliance and legal proceedings

For compliance with our legal and regulatory obligations under applicable law and for us to establish, exercise and defend our legal rights.

What it is

  • Personal Details and Identifiers
  • Account data
  • Transaction history

Why we need to do it

  • we use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us

Sharing Data with Third Parties

We will disclose your data to certain third parties from time to time.

Members of the J.P. Morgan Group

So they can help us provide you with Chase Services. Also to allow them to meet legal or regulatory obligations, or because you asked us to.

Other Banks and Payees

To process payments from or to your account(s).

Open Banking Providers

If you authorise them, we’ll share data about your account so their services work for you.

Service Providers

So they can help us provide you with Chase Services. Examples include vendors who help us operate the system that manages account data or vendors who assist us with our marketing efforts.

Social and Search Advert platforms and Advertising Partners

We advertise our services on social media and search platforms and with our advertising partners. These advertising campaigns sometimes require sharing personal data to place advertisements.

The data we share is limited to one of the following data points:

  • your email address
  • your phone number
  • your device ID

We protect your data using a technical process called “hashing” when we transfer data to an ad platform.  

Your data is used to check if you have an account with our search and social advertising platforms or advertising partners when we place adverts. If you don’t have an account, your data is deleted immediately. If you do, we will ask the social or search ad platform to take one of the following actions:

  • A Chase ad will be served to you where we believe you could be interested in our services
  • Serve ads to people who have similar interests to you. Here we ask our social media and advertising partners to show our adverts to people who, like you, are interested in digital banking services.
  • Exclude you from our online marketing campaigns because you already use the services we are advertising

We may also advertise Chase services with our advertising partners and ad platforms without sharing personal data. Here our ads will be displayed on websites and in response to search requests where people are looking for banking services.

Courts Service

We may be required to share your data in relation to a legal filing or claim in the exercise or defence of legal rights or obligations.

Government Bodies, Agencies, Regulators and Authorities

We can be asked to share your data with these bodies on a regular or ad hoc basis. Examples include the UK Financial Conduct Authority, the UK Prudential Regulation Authority, the UK Financial Services Deposit Compensation Scheme, other deposit guarantee schemes and HM Revenue and Customs.

If you’re a tax resident of a country other than the UK, we may be required to share information about you and your accounts with the relevant tax authorities. The obligations can ask for us to share this information directly, or through the local tax authority. The relevant tax authorities can share that information with other appropriate tax authorities or government bodies. We may ask you to provide us with extra information or to fill in tax forms to help us with this.

Credit Reference and Fraud Prevention Agencies

To check your creditworthiness and to prevent fraud and money laundering.

Law Enforcement and Fraud Detection Agencies

To help with the detection, prevention and investigation and prosecution of criminal activities, including fraud and money laundering.

Professional Advisors

So they can provide services to us. This includes accountants, financial advisors, lawyers and other outside professional advisors.

Purchasers or Assignees of Our Business

If our business, or part of it, is sold or reorganised.

If you want to know more about any of these third parties, please get in touch.

Third Parties we receive your data from

We may receive certain data about you from various third parties from time to time, including:

  • Members of the J.P. Morgan group
  • Credit reference agencies
  • Central and local government
  • Research and advertising agencies and data marketplaces 

Third Party Data: Fraud Prevention and Credit Reference Agencies

We share data with, search databases or receive data from fraud prevention and credit reference agencies, as part of our customer onboarding process and during your relationship with us as a customer.

  • If fraud is detected, you could be refused certain Chase Services.
  • Further details of how your information will be used by us and the fraud prevention agencies, and your data protection rights in relation to this data, can be found at http://www.cifas.org.uk/fpn
  • We run a credit check when you open an account with us and we will share data with the credit reference agencies for the duration of your relationship with us. This will include details of funds going into the account, and the account balance.
  • The Credit Reference Agencies may share this information with other organisations that wish to check your financial status.
  • The Credit Reference Agency Information Notice (CRAIN) describes how the three main credit reference agencies in the UK use and share personal data. The CRAIN is available on the credit reference agencies’ websites as detailed below

http://www.transunion.co.uk/crain

http://www.equifax.co.uk/crain

www.experian.co.uk/legal/crain/

The privacy policies of each Credit Reference Agency will explain separately how they use the data they collect outside of the CRAIN notice.

  • If you’re a tax resident of a country other than the UK, we may be required to share information about you and your accounts with the relevant tax authorities. We may be required to share this information directly, or through the local tax authority. They may then share that information with other appropriate tax authorities or government bodies. We may ask you to provide us with extra information or to fill in tax forms to help us with this.

International Transfers of Data

Chase is part of a global banking business which uses shared technology. We also have governance and reporting obligations to the wider group. As such, we will transfer your data within the J.P. Morgan group, and to third parties as set out above.

For this reason, we will transfer your data to other countries outside of the UK that may have different laws and data protection compliance requirements, including data protection laws of a lower standard to those enacted in the UK. These transfers will only take place for the purposes outlined in this policy.

Where we transfer your data to other countries outside of the UK, we will do so on the basis of:

  • Adequacy decisions, where a country has been deemed to provide adequate protections to individuals;
  • Binding Corporate Rules when transfers occur within the J.P. Morgan group;
  • Standard contractual clauses; or
  • Other valid transfer mechanisms or derogations.

To receive more information about the safeguards that we apply to international transfers of your data, please get in touch.

Other Information

This is any information that does not reveal your specific identity or relate to anyone identifiable:

  • Browser and device information
  • App usage data
  • Information collected through cookies, pixel tags and other technologies
  • Demographic information and other information provided by you that does not reveal your specific identity
  • Information that has been aggregated in a manner such that it no longer reveals your specific identity

Sometimes Other Information is associated to you or combined with your personal data. When this happens, it becomes Personal Data. If that happens, we treat it as Personal Data. We will treat it as Personal Data as long as it is combined and identifies you.

Data Security

We have a global security program designed and implemented through our policies, guidelines and controls to protect your data from misuse. Our security program is designed to protect your data from misuse or accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access. Our people can only access as little of your data as they absolutely must. Anyone who can access your data must keep it confidential and only use it for the shortest period required.

Data Accuracy

We take reasonable steps designed to ensure that any data that we process are accurate and, where necessary, kept up-to-date. We also take reasonable steps to ensure that any of your data that we process that is inaccurate are erased or rectified without delay. From time to time, we may ask you to confirm the accuracy of your data.

Data Minimization

We take reasonable steps designed to ensure that your data that we process are limited to the data reasonably required in connection with the purposes set out in this notice.

Data Retention

We will retain your data in line with our data retention policy and for the minimum period required. The duration of the retention period is determined by a number of criteria including the nature of our relationship with you, UK law, the type of data and the Chase Services that the data relates to.

Once we no longer need to retain your data in a form that identifies you, we will permanently delete or destroy it; archive and secure it so that it is beyond practical use; or anonymize it.

Updates to this Policy

We will update this Policy from time to time, for example when we change the data we collect or the ways in which we process it.

Contact Details

If you have any comments, questions or concerns about how we process your data, then please contact our privacy team at privacyteam.chaseuk@jpmorgan.com or via post at JPMC EMEA Privacy, J.P. Morgan Europe Limited, 25 Bank Street, London E14 5JP, UK.

You can contact our Data Protection Officer at EMEA.Privacy.Office@jpmchase.com or via post at JPMC EMEA Privacy, J.P. Morgan Europe Limited, 25 Bank Street, London E14 5JP, UK.