Introduction
Banking is personal and it involves data about you. Nearly everything you do with us or on our website or app will involve the collection, creation, use, or sharing of data. Data about you helps us provide you with the best customer experience, understand you better and anticipate your needs. This is true whether it’s data you give us, that we collect through your use of our services, receive from others, or create through data analytics and more. It also helps us secure your accounts, improve our app and product offerings, deliver relevant marketing and advertising, and meet our legal obligations.
Our objective with this policy is to explain how and why we collect, create, use, share, store, and delete data. We’ll also outline the controls we offer to help you take advantage of the important rights you have with regards to your data, including privacy settings, notifications, marketing elections, website cookies management, and customer support.
About this Policy
This policy is provided by J.P. Morgan Europe Limited (25 Bank Street, Canary Wharf, London, E14 5JP, UK) as a so-called data controller under the UK Data Protection Act. This policy applies to all of our consumer banking and related services (referred to as the “Chase Services”). The terms that cover your accounts and actual use of the Chase Services can be found in our General Account Terms and Conditions.
Over time, we’ll improve our Chase Services. We also expect to develop new ones. If this materially changes how we collect, create, use, share, store, and delete your data, we’ll update this policy. If you ever have questions or concerns, please get in touch.
This policy applies to:
- Chase customers
- anyone who downloads our app
- anyone who browses our website or social media pages
- anyone who has specific permissions on accounts including power of attorney or appointed third parties
- applicants for a Chase account
- anyone who contacts us either online, by telephone, post, or any other method
Your Rights, Choices and Control
Your data is just that – your data. That’s why the UK Data Protection Act provides you with certain rights in regard to your data under certain circumstances, including:
Your right to access
You can find out whether we process your data. You can also request a copy.
Your right to rectification
You can ask us to fix data we hold about you.
Your right to erasure
You can ask us to delete your data.
Your right to restriction
You can ask us to stop processing your data temporarily or permanently.
Your right to objection
You can object to our processing of your data under certain circumstances.
Your right to transfer
You can ask us to share a copy of your data with a third party.
Your right to withdraw your consent
Where you gave your consent to process your data, you can withdraw it at any time.
Your right to object to marketing
You can ask us to stop processing your data for marketing.
Your right not to be subjected to automated decision-making
You have the right to human involvement in a decision that would have a legal (or similarly significant) effect on you.
Personal Data We Collect and Create
These are the types of data we collect, create, use, and share:
Personal Details and Identifiers
Your full name, home address, email address, phone number, social media profile details and information that is used to verify your identity. This can be photo ID, passport number, national insurance number, driving license number, and nationality.
Authentication Data
The data used to access the Chase Services. It includes your PIN number(s), password(s), security questions and answers. It also includes your unique account and user profile identifiers and biometric data used for identity verification.
Financial Information
Information used to assess your financial situation, and whether you’re suitable to receive financial credit. This includes your income, residential status, employment information, credit rating, and publicly available information (such as County Court Judgements or bankruptcy).
Account Information
Details relating to any account that you hold with us. This includes your account number, sort code, cards, account balance, unique identifiers, alerts, language settings, statement preferences, contact preferences, and overdraft limit.
Transaction History
Events like payments made and received (including those via third parties such as Apple Pay, Google Pay or PayPal), credits/debits, payees and payors, interest calculation and payments, and standing orders.
Health and Disability Data
Data that you may provide to us relating to a disability or health issue(s) which is relevant to your use of Chase Services. We will use the health data you provide to us to support your use of Chase services where needed. This might include the accessibility of our website or app, or a change in your health status that impacts your use of Chase Services.
Communications Data
Records and results of any communications between you and us. This includes by email, telephone, in-app chat, social media, and letter. This might include open rates and dates/times, whether it was forwarded, and your interaction with the communication.
Device and Technical Data
Data such as unique device identifiers, IP addresses, device type and model, as well as operating system and version. This might also include network connection type, browser type, advertising ID and non-precise location data. We might infer that from other data such as IP address.
Biometric Data
We create temporary facial recognition templates when we match your selfie to your photo ID as part of onboarding or when you reset your pin, unlock your account, or change your device. We also use behavioural biometric data, such as typing patterns and movement data.
Location Data
Your postcode, IP address and location data from your payment transactions. This might include location data from your device if you allow location sharing in the app.
Usage Data
Data generated from your website or in-app activity, such as what screens or product features you use and how long you spend using features within the app or on our site.
Cookies
We collect information from your device, or store information on your device, in the form of cookies. We use this information to:
- help maintain the security of the Chase Services
- help ensure that our website and app communicate correctly with our other services
- remember your choices and settings
- collect and compile anonymous, aggregated information for statistical and evaluation purposes – to help us understand how users use our services and help us improve them
Our Cookie Notice is available on our website and in our app.
Your Feedback or Opinions
If you choose to take part in our research initiatives, we’ll analyse your views and feedback to create insights that help us understand what people think about our brand. This will also help shape changes to our Chase Services and marketing campaigns.
Automated Decisions
Identity Verification
We use automated processes to check your identity. This can be when you’re onboarding as a new customer, unlocking your account, resetting your PIN, or changing your device.
To check it’s really you, we use facial recognition technology. This technology checks that the person in a selfie and an accepted photo ID are actually the same person. The faces in both photos are compared by creating a mathematical template based on measurement of the various points on your face – such as your chin, nose, and eyes.
The templates created through this matching process are temporary and not accessible to us. The templates are created by a vendor on our behalf, and deleted shortly after we have confirmed you are the same person in both photos. When this process does not create a match, it will be reviewed by an agent. We do not store your details for any other purpose, and our vendors don’t either.
Onboarding Fraud
When you apply for new Chase Services, we screen your personal details against fraud and credit reference databases. The results could prevent you from using the requested Chase Service.
Transaction Fraud
We also use automated decision making to help ensure transactions made on your account are correct and free from fraud. Your transactions (payments to and from your account) will be assessed to identify any unusual payments. Unusual payments include payments you would not normally make or haven’t yet made on our systems. We may stop or decline a payment that is likely to be fraudulent.
You can ask for information about any automated decision making that has a legal or similarly significant effect on you. We’ll explain the logic involved, how we use the decision and any potential consequences. You can also object, give us extra information or ask us to review a decision. In certain circumstances, you also have the right not to be subject to a decision based solely on automated processing.
How We Use Your Data
These are reasons we might use your data:
Customer onboarding
This includes setting up an account with us and fulfilling our regulatory compliance obligations, including Know Your Customer (‘KYC’) checks. It also includes confirming and verifying your identity (including by using credit reference agencies). We authenticate your use of our services and check against sanctions lists and other legal restrictions. It also includes taking all other necessary steps to make Chase Services available to you.
What it is
- Personal Details and Identifiers
- Account information
- Authentication data
- Biometric data
- Device and technical data
- Financial information
Why we need to do it
- We use your data here to meet a legal obligation
- We might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us or
- We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you
Creditworthiness
This includes conducting credit reference checks and other financial due diligence on your financial standing. It also includes checking your credit score with credit reference agencies.
We may look at data from credit reference agencies to better understand how consumers use credit products. This helps us design and build products that are more relevant for our customers.
What it is
- Personal Details and Identifiers
- Financial information
- Chase current account data, such as information about negative balances, how much money comes into your account and when you opened and closed your account
- Credit Profile Data
Why we need to do it
- We use your data here to meet a legal obligation
- We might also use it in connection with a contract you may enter into with us, including in preparation of you entering into a contract with us
- We might also use your data as part of our fraud pre-checks (during our onboarding process and before entering into a banking services arrangement with you)
- We may also use it when we have a legitimate interest in using your data to build new products. These interests aren’t overridden by your interests or fundamental rights and freedoms.
Customer services and to communicate with you
To provide you with customer service and help you manage your account. This includes assistance relating to Chase Services and to tell you about important details relating to your account. We will also review and respond to any queries, issues, and complaints you may have.
What it is
- Personal Details and Identifiers
- Authentication details
- Account data
- Transaction history
- Communication data
- Location data
Why we need to do it
- We use your data here to meet a legal obligation
- We might also use it in connection with a contract you may enter into with us, including in preparation of you entering into a contract with us
- We might also use your data as part of our pre-checks (during our onboarding process and before entering into a banking services arrangement with you)
Provision of Chase Services to you
This includes providing our app, website and contact centre to you. It also includes things such as:
- Sending service messaging
- Refining our processes and procedures
- Administering relationships, including any health issues you’ve asked us to be aware of
- Related services
What it is
- Personal Details and Identifiers
- Authentication details
- Account information
- Communication data
- Location data
Why we need to it
- We might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us or
- We might also use your data as part of our pre-checks as part of our onboarding process where we are entering into a banking services agreement with you or
- We might use it if we have a legitimate interest in doing so to provide you with Chase Services. That interest isn’t overridden by your interests or fundamental rights and freedoms.
- It is in the wider public interest to protect customers economic well being
Fraud Prevention
This includes detecting, preventing, and investigating fraud throughout our relationship with you.
What it is
- Personal Details and Identifiers
- Account Information
- Transaction history
- Location data
- Device and technical data
- Financial information
Why we need to do it
- We have a legitimate interest in using your data to detect and protect against fraud. These interests aren’t overridden by your interests or fundamental rights and freedoms or
- We use your data here to meet a legal obligation or
- We might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us
IT Operations
This includes the management of our communications systems, operation of IT security and IT security audits.
What it is
- Communication data
- Device and technical data
- Personal Details and Identifiers
- Account data
Why we need to do it
- We have a legitimate interest in using your data to securely run our IT and communications systems. These interests aren’t overridden by your interests or fundamental rights and freedoms or
- we use your data here to meet a legal obligation or
- we might also use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us
Facilitate your use of third-party services
With your permission, providing Open Banking services with access to your account information.
What it is
- Personal Details and Identifiers
- Account data
- Transaction history
Why we need to do it
- We use your data here when we have your consent to grant access or
- we have a legitimate interest using it to provide services to you. These interests aren’t overridden by your interests or fundamental rights and freedoms.
Marketing
We contact you about new features and Chase Services. We might contact you by email, phone calls, in-app notifications, through social media ads, or the ads we place on websites you visit. We’ll analyse your activity and behaviour, then use this information to help understand how you interact with our app, website, social media channels and online ads. It also helps us understand:
- People who are interested in becoming our customers
- How to build our marketing campaigns and Chase Services
- How you engage with our emails, and the content we share within them
In line with the appropriate controls, we might also use this information to check whether you might be interested in the products and services of any of our affiliates. This means we may send you information about them – unless you specifically tell us not to.
What it is
- Personal Details and Identifiers
- Device and Technical Data
- Usage Data
- Location data
- Account information
- Transaction History
Why we need to do it
- We have a legitimate interest in using your data for marketing and prospecting or
- We have your consent to market to you.
Personalisation of our Services
This includes personalisation of Chase Services to you and creating new ways for you to personalise your in-app experience.
What it is
- Usage Data
Why we need to do it
- We have a legitimate interest in using your data to provide services to you.
To meet our financial operating standards
This includes internal and regulatory reporting and business oversight such as internal audits and to produce reports to analyse our performance and manage our finances.
What it is
- Account data
- Transaction history
- Communication data
Why we need to do it
- We have a legitimate interest in using your data to manage and operate the financial affairs of our business. These interests aren’t overridden by your interests or fundamental rights and freedoms or
- we use your data here to meet a legal obligation or
- we might also use it in connection with a contract you may enter into with us, including in preparation.
Research
This includes speaking to you to collect your views and opinions on our brand, new Chase Services we are looking to develop or how we are doing in relation to our existing Chase Services and your experience with us as a customer. We will conduct our research directly with you or through a partnership with our research partners.
What it is
- Personal Details and Identifiers
- Usage Data
- Communications Data
- Your feedback or opinions
- Health and Disability Data*
*Our research effort will only consider any information you choose to share with us as part of our surveys. We’ll analyse your views and feedback to build aggregated insights, which help us understand what people think about our brand. This will help shape changes to our Chase Services and marketing campaigns.
Why we need to do it
- We have a legitimate interest in using your data to conduct research and produce analysis or
- We may also have obtained your prior consent. This legal basis is only used in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way.
Security
This includes maintaining the security of our website and our app.
What it is
- Personal Details and Identifiers
- Usage Data
- Device and Technical Data
- Location Data
Why we need it
- We use your data here to meet a legal obligation or
- we have a legitimate interest in using your data to ensure the physical and electronic security of our business, premises, and assets. These interests aren’t overridden by your interests or fundamental rights and freedoms.
Improve Chase Services
This includes understanding how you interact with and use our app, website, and social media pages. It also includes understanding how you interact with our app or website allows us to improve on what works, what doesn’t and build new Chase Services for you.
What it is
- Personal Details and Identifiers
- Device and Technical Data
- Financial Information
- Account Information
- Transaction History
- Usage Data
Why we need it
- We have a legitimate interest in using your data to improve Chase Services.
- We may also have your prior consent.
- We might also use it in connection with a contract you may enter into with us, including in preparation. These interests aren’t overridden by your interests or fundamental rights and freedoms.
Investigations
This includes detecting, investigating, and preventing breaches of policy, and criminal offences, in accordance with applicable law.
What it is
- Transaction history
- Usage Data
- Social media and other public records and 3rd party data sources
- Financial information
Why we need it
- We use your data here to meet a legal obligation.
- We have a legitimate interest in using your data to detect and protect against breaches of our policies and the law. These interests aren’t overridden by your interests or fundamental rights and freedoms.
Legal compliance and legal proceedings
For compliance with our legal and regulatory obligations under applicable law and for us to establish, exercise and defend our legal rights.
What is it
- Personal Details and Identifiers
- Account data
- Transaction history
- Financial information
Why we need to do it
- We use it in connection with a contract you may enter into with us, including in preparation of your entering a contract with us or
- We use your data here to meet a legal obligation.
Chase features
Your ID
‘Your ID’ is an additional feature in the Chase app. If you opt into ‘Your ID’, we’ll set it up using some of the data you’ve already given us.
When you joined Chase, you used either your passport or driver’s licence as proof of ID. ‘Your ID’ stores and presents a digital copy of the identity document you used, and related identity document data, in the Chase app – so you can access it, share it, or use it to complete forms.
You can opt into ‘Your ID’ from the Chase app. If you do so, we’ll automatically set it up using the following data from your passport or driver’s licence:
- Identification document reference number
- ‘Your ID’ identifier
- Personal details
- Issue date, expiry date and document number
- Date of birth
- The image of your UK passport, if you supplied it when you joined Chase
Why we need to use your data
- We need to use your data to provide ‘Your ID’ to you
- We have a legitimate interest in using your data to build new products. These interests aren’t overridden by your interests or fundamental rights and freedoms
- We use your data in connection with a contract you may enter into with us
Sharing Data with Third Parties
We will disclose your data to certain third parties from time to time.
Members of the J.P. Morgan Group
- If you are an existing or a prospective customer of Chase UK, we share your information with other members of the J.P. Morgan Group. This is so we can provide you with our relevant products and services, and also comply with our legal and regulatory obligations. For example, in connection with our anti-money laundering obligations, we may share your personal data for the purposes of ‘Know Your Customer’ (KYC) checks if you wish to purchase products and services from another J.P. Morgan company
- In limited circumstances and subject to appropriate controls, we may share your personal data with our affiliates, to market products and services to you. This is subject to us ensuring that any communications provided to you are in compliance with applicable law.
- If you are an existing or prospective customer of both Nutmeg and Chase UK, we share your information to comply with our legal and regulatory obligations, for operational business reason. For example, we’ll do so to facilitate account linking through the Chase UK app, provide you with support, or because you asked us to.
- If you have opted into marketing and are an existing or prospective customer of both Nutmeg and Chase UK, we share your data to market to you through various channels, such as email and calls.
Other Banks and Payees
To process payments from or to your account(s).
Open Banking Providers
If you authorise them, we’ll share data about your account so their services work for you.
Business Partners
If you have a debit card with us, we will share transaction details with companies that help us to provide this service (such as Mastercard). We may enroll your renewed card with the business partner’s automatic updater service, which updates your previous card details saved with a merchant, so that you don’t need to update the card details yourself.
Service Providers
To help us provide you with Chase Services. We may share details with your mobile network provider to help prevent fraud and money laundering, and other vendors who help us operate the system that manages your account data or assist us with our marketing efforts.
Social and Search Advert platforms and Advertising Partners
We advertise our services on social media and search platforms and with our advertising partners. These advertising campaigns sometimes require sharing personal data to place advertisements.
The data we share is limited to one of the following data points:
- Your email address
- Your phone number
- Your device ID
We protect your data using a technical process called “hashing” when we transfer data to an ad platform.
Your data is used to check if you have an account with our search and social advertising platforms or advertising partners when we place adverts. If you don’t have an account, your data is deleted immediately. If you do, we will ask the social or search ad platform to take one of the following actions:
- A Chase ad will be served to you where we believe you could be interested in our services
- Serve ads to people who have similar interests to you. Here we ask our social media and advertising partners to show our adverts to people who like you are interested in digital banking services.
- Exclude you from our online marketing campaigns because you already use the services we are advertising
- We may also advertise Chase services with our advertising partners and ad platforms without sharing personal data. Here our ads will be displayed on websites and in response to search requests where people are looking for banking services.
Courts Service
We may be required to share your data in relation to a legal filing or claim in the exercise or defence of legal rights or obligations.
Government Bodies, Agencies, Regulators and Authorities
We can be asked to share your data with these bodies on a regular or ad hoc basis. Examples include the UK Financial Conduct Authority, the UK Prudential Regulation Authority, the UK Financial Services Deposit Compensation Scheme, other deposit guarantee schemes, HM Home Office and HM Revenue and Customs.
If you’re a tax resident of a country other than the UK, we may be required to share information about you and your accounts with the relevant tax authorities. The obligations can ask for us to share this information directly, or through the local tax authority. The relevant tax authorities can share that information with other appropriate tax authorities or government bodies. We may ask you to provide us with extra information or to fill in tax forms to help us with this.
UK immigration law requires us to check the residency status of our customers from time to time. We do so by reviewing customer details against information held by the Home Office. This helps us make sure customers have the correct immigration status to bank with us. These reviews will not affect individuals who are applying for, appealing, or holding asylum or refugee status.
Credit Reference and Fraud Prevention Agencies
To check your creditworthiness and to prevent fraud and money laundering.
We may also share our customer data with Credit Reference Agencies to help us improve our product offering, but with no impact to your credit score. This information we process and share is never attributed to you, and you will not be identified from it.
Law Enforcement and Fraud Detection Agencies
To help with the detection, prevention and investigation and prosecution of criminal activities, including fraud and money laundering.
Professional Advisors
So they can provide services to us. This includes accountants, financial advisors, lawyers, and other outside professional advisors.
Purchasers or Assignees of Our Business
If our business, or part of it, is sold or reorganised.
If you want to know more about any of these third parties, please get in touch.
Third Parties we receive your data from
We may receive certain data about you from various third parties from time to time, including:
- Members of the J.P. Morgan group
- Credit references agencies
- Central and local government
- Research and advertising agencies and data marketplaces
Third Party Data: Fraud Prevention and Credit Reference Agencies
Fraud Prevention Agencies
As part of our customer onboarding process, we check databases, and share and receive data from fraud prevention agencies. These checks help us to confirm your identity and prevent fraud and money laundering. We also carry out these checks from time to time, after you join Chase.
We share some of your data with fraud prevention agencies in line with our Privacy Policy. If your account is involved in fraud, we may refuse or stop providing you with certain services. Any record of fraud or money laundering risks on your account may mean you’re refused other services, such as mortgages and loans, and impact future employment.
You can find more information about your data protection rights and how fraud prevention agencies use your data on the Cifas website: www.cifas.org.uk/fpn.
Credit Reference Agencies
We run a check against the Credit Reference Agencies database when you open an account with us, and for the duration of your relationship with us. This is to make sure your account is not involved in fraud. These are soft checks that do not leave a footprint on your credit file or impact your credit score.
We also share details of your Chase current account with Credit Reference Agencies. This will include details of funds going into your account, and your account balance. The Credit Reference Agencies may share this information with other organisations that wish to check your financial status. This is to help them build a more complete picture of your finances.
We may receive anonymous statistical information about products and services that our customers may be interested in to help us improve our product offerings.
The Credit Reference Agency Information Notice (CRAIN) describes how the three main credit reference agencies in the UK use and share personal data. The CRAIN is available on the credit reference agencies’ websites as detailed below
www.experian.co.uk/legal/crain/
The privacy policies of each Credit Reference Agency will explain separately how they use the data they collect outside of the CRAIN notice.
If you’re a tax resident of a country other than the UK, we may be required to share information about you and your accounts with the relevant tax authorities. We may be required to share this information directly, or through the local tax authority. They may then share that information with other appropriate tax authorities or government bodies. We may ask you to provide us with extra information or to fill in tax forms to help us with this.
Transfers of Data
Chase is part of a global banking business which uses shared technology. We also have governance and reporting obligations to the wider group as such, we will transfer your data within the J.P. Morgan group, and to third parties as set out above.
For this reason, we will transfer your data to other countries outside of the UK that may have different laws and data protection compliance requirements, including data protection laws of a lower standard to those enacted in the UK. These transfers will only take place for the purposes outlined in this policy.
Where we transfer your data to other countries outside of the UK, we will do so on the basis of:
- Adequacy decisions, where a country has been deemed to provide adequate protections to individuals
- Binding Corporate Rules when transfers occur within the J.P. Morgan group;
- Standard contractual clauses; or
- Other valid transfer mechanisms or derogations.
To receive more information about the safeguards that we apply to international transfers of your data, please get in touch.
Other Information
This is any information that does not reveal your specific identity or relate to anyone identifiable:
- Browser and device information
- App usage data
- Information collected through cookies, pixel tags and other technologies
- Demographic information and other information provided by you that does not reveal your specific identity
- Information that has been aggregated in a manner such that it no longer reveals your specific identity
Sometimes Other Information is associated to you or combined with your personal data. When this happens, it becomes Personal Data. If that happens, we treat it as Personal Data. We will treat it as Personal Data as long as it is combined and identifies you.
Data Security
We have a global security program designed and implemented through our policies, guidelines, and controls to protect your data from misuse. Our security program is designed to protect your data from misuse or accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, acquisition, or access. Our people can only access as little of your data as they absolutely must. Anyone who can access your data must keep it confidential and only use it for shortest period required.
Data Accuracy
We take reasonable steps designed to ensure that any data that we process are accurate and, where necessary, kept up-to-date. We also take reasonable steps to ensure that any of your data that we process that is inaccurate are erased or rectified without delay. From time to time, we may ask you to confirm the accuracy of your data.
Data Minimization
We take reasonable steps designed to ensure that your data that we process are limited to the data reasonably required in connection with the purposes set out in this notice.
Data Retention
We will retain your data in line with our data retention policy and for the minimum period required. The duration of the retention period is determined by a number of criteria including the nature of our relationship with you, UK law, the type of data and the Chase Services that the data relates to.
Once we no longer need to retain your data in a form that identifies you, we will permanently delete or destroy it, archive, and secure it so that it is beyond practical use; or anonymize it.
Updates to this Policy
We will update this Policy from time to time for example when we change the data we collect or the ways in which we process it.
Contact Details
If you have any comments, questions, or concerns about how we process your data, then please contact our privacy team at privacyteam.chaseuk@jpmorgan.com or via post at JPMC EMEA Privacy, J.P. Morgan Europe Limited, 25 Bank Street, London E14 5JP, UK.
You can contact our Data Protection Officer at EMEA.Privacy.Office@jpmchase.com or via post at JPMC EMEA Privacy, J.P. Morgan Europe Limited, 25 Bank Street, London E14 5JP, UK.
Chase is a registered trademark and trading name of J.P. Morgan Europe Limited. J.P. Morgan Europe Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. Our Financial Services Register number is 124579. Registered in England & Wales with company number 938937. Our registered office is 25 Bank Street, Canary Wharf, London, E14 5JP, United Kingdom.