Privacy & Cookie Policy

At Tesco Bank, we’re working hard to serve Tesco’s shoppers a little better every day. Looking after the personal data you share with us is a hugely important part of this. We want you to be confident that your data is safe and secure with us and understand how we use it to offer you a better and more personalised experience.

What this policy covers

We are Tesco Personal Finance plc, trading as Tesco Bank and part of the Tesco Group. When we process your data, we act as a data controller. This means that we are responsible for looking after your data and deciding how it is used.

We are committed to doing the right thing when it comes to how we collect, use and protect your personal data. That’s why we’ve developed this privacy and cookies policy, which explains:

  • the types of personal data we collect;
  • the reasons we use the data we collect;
  • when we share personal data within the Tesco Group and with other organisations, for example to help provide our services or to meet our regulatory responsibilities;
  • the rights and choices you have when it comes to your personal data.

If you have other Tesco products or if you have a Clubcard account associated with your Tesco Bank product, Tesco Stores will collect and use personal data to provide you with their products and services. You can read the Tesco privacy policy here.

Our product partners help us to provide our insurance, travel money and international money transfer products. They act as data controllers when they process your personal data and they have their own privacy policies. You will find the names of our product partners and links to their privacy policies where you would purchase these products. Our product partners share your data with us to allow us to develop our products and understand our customers better.

    Personal data we collect

    Personal data is any information about you which can directly or indirectly identify you. This includes your name and address, the transactions on your account and your online browsing data.

    Most of the personal data we collect is essential for us to know so that we can provide our products to you. If we ask for personal data that is optional, we will explain this at the time.

      Data we collect from you

      When you apply for a product, we will ask you to provide us with:

      • personal details, including your postal and billing addresses, email address, phone numbers, date of birth and title;
      • Information we require to assess your application or keep your financial information up to date, such as your income or financial responsibilities;
      • identification documents we require to open your account (for example, your passport or driving licence).

      When you use our website or mobile app or open our emails, we collect:

      • information about your browsing behaviour, including which links you click on;
      • information about any devices you have used to access our website or apps (including the make, model and operating system, IP address, browser type and mobile device identifiers).

      When you contact us or take part in promotions or surveys about our products, we collect:

      • information you provide about yourself (for example, your name, username and contact details), including by phone, email or post or when you speak with us through social media or our website;
      • your feedback and contributions to customer surveys or reviews;
      • recordings of calls made to our customer service centre.
      Data we collect from others

      We collect personal data from other sources, such as:

      • the wider Tesco Group;
      • credit reference agencies;
      • fraud prevention agencies;
      • publicly available resources, such as the electoral register and the internet.

      Further information on how the credit references agencies and fraud prevention agencies that we work with use and share data can be found here.

      We use this data when we need to:

      • verify your identity and UK residency;
      • assess your creditworthiness and if a product is suitable for you;
      • check what terms of cover we should offer;
      • trace and recover debts;
      • prevent criminal activity, such as fraud and financial crime.

      If you have existing products with Tesco Bank or you have a Clubcard, we sometimes use this information to pre-populate fields in our application forms online. You will be asked to check the information is up to date.

        People connected to your products

        If you give us information about other people who will be connected to your applications or products, we will keep a record of their data. You must make sure that you have their permission before you share their data with us or make decisions on their behalf about how we use their data, including credit checks. Please make them aware of this privacy policy.

        This includes:

        • joint applicants;
        • additional cardholders;
        • anyone insured under your policy;
        • anyone paying your premiums;
        • anyone occupying your home;
        • anyone nominated to act on your behalf, including power of attorneys and others.

        Why we collect your data and our legal basis

        We carefully consider how we use personal data and have internal processes, such as our Data Protection Impact Assessments, which help us to decide how to act fairly and in our customers’ best interests. Where we say that using data is in our “legitimate interests”, we ensure that we are also acting in the general interests of all our customers. We only ever collect, use and share the minimum amount of data necessary to operate our business and serve our customers.

          To make our products available to you.

            Why we collect data

            • working out financial and insurance risks by credit scoring;
            • verifying your identity and eligibility for products, and the identities of joint applicants and other insured persons;
            • assessing your creditworthiness or insurance risk;
            • managing your accounts, including contacting you by phone, post, email, SMS and via our apps through push notifications (messages that pop up on your device) to give you information about your account;
            • if you have an insurance product, providing you with quotations and any additional terms of cover and maintaining and updating your policy;
            • awarding Clubcard points.

            We use algorithms and computer programs to make decisions about whether you are eligible for a product and what terms we can offer you. You can find out more information here.

              Why we are using the data (legal basis)

              Because we have a contract with you, we have to use your data in this way as a necessary part of that contract.

              Once you no longer have the product, we keep your data for a period of time afterwards as part of our legitimate interests in case needed for a complaint or regulatory enquiry and to help us to lend responsibly, and work out the right price for our insurance products.

              If you want to ask us to review a decision which we have made based on an algorithm, you can ask us any time.

                To prevent fraud and financial crime.

                  Why we collect data

                  We carry out fraud checks to protect our customers and prevent crime. We use algorithms and computer programs to analyse transactions and data in applications to check for fraud. You can read more about our fraud prevention checks here.

                    Why we are using the data (legal basis)

                    The law requires us to do this as we have responsibilities to prevent financial crime. We also act in our legitimate interests to protect our business and customers.

                    If you want to ask us to review a decision which we have made based on an algorithm, you can ask us any time.

                      To trace and recover debt.

                        Why we collect data

                        We may access information from third parties such as credit reference agencies to get up to date contact details where we need these to recover money owed to us. If you are ever concerned about paying your debts, please contact us.

                          Why we are using the data (legal basis)

                          We act in our legitimate interests as we need to recover money owed to us to enable us to operate our business.

                            To record calls to our call centres.

                              Why we collect data

                              We use call recordings to prevent fraud, for staff training and to manage customer complaints.

                                Why we are using the data (legal basis)

                                We act in our legitimate interests as call recordings help us to meet our responsibilities to combat fraud, provide good customer service and respond to complaints.

                                  To carry out analysis on our products and understand our customers’ needs.

                                    Why we collect data

                                    We use algorithms and computer programs to analyse customer data by creating customer segments and scoring. We use customer data from our products, Clubcard data and data from declined applications. We sometimes combine your data with data from our partners to help us in our analysis. This will only happen where those partners have ensured that passing your personal data to us is permitted by data protection laws – this means that they must ensure that you have been informed that your data will be used in this way. When we analyse data as part of our product development, we don’t use it to identify individual customers.

                                    Analysing customer data allows us to understand our customers better and explore possibilities for how we might serve our customers better and improve our products.

                                      Why we are using the data (legal basis)

                                      We act in our legitimate interests as these activities allow us to improve our products and serve our customers better.

                                        To manage and improve our website and apps.

                                          Why we collect data

                                          We use cookies and similar technologies on our website and apps to improve your customer experience. You can switch off non-essential cookies using the toggles. You can find more information in the cookie section.

                                            Why we are using the data (legal basis)

                                            Essential cookies: We act in our legitimate interests to enable our website to function securely.

                                            Non-essential cookies (measurement, experience and advertising): We obtain customer consent. You can change your preferences at any time by visiting manage my cookies.

                                              To provide you with marketing.

                                                Why we collect data

                                                We want to ensure that the marketing we send you or show you online is relevant to you. To help us to do this, we:

                                                • use your data, including details of which Tesco products you hold, your Clubcard data and your online browsing behaviour to help us better understand you as a customer and provide you with personalised offers and relevant marketing communications (including by email, post, online advertising or at the tills in store). We use algorithms and computer programs to analyse data by creating customer segments and scores which we use to help us select which offers to send you.
                                                • use data about how you manage your account or policy, including your credit history, combined with your Clubcard data to provide you with pre-approved offers. We use algorithms and computer programs to assess whether we can make a pre-approved offer to you. When we make you a pre-approved offer, we do not do external credit checks. We will only ever use your personal data in this way so that we can offer you better deals than you would get if we didn’t use that information.
                                                • measure your responses to marketing communications, which also means we can offer you products and services that better meet your needs.
                                                • sometimes combine your data with data from our partners, such as price comparison websites and credit reference agencies. For example, we sometimes get data which tells us when insurance policies are due for renewal and we use credit reference agency data to try to ensure that we don’t advertise credit products to those who might be declined. This will only happen where those partners have ensured that passing your personal data to us is permitted by data protection laws – this means that they must ensure that you have been informed that your data will be used in this way.

                                                We use personal data to tailor the adverts we show to you online on Tesco websites, social media sites and other sites that sell advertising space. Personalised adverts show the AdChoices logo. You can find out more in the cookies section

                                                  Why we are using the data (legal basis)

                                                  We act in our legitimate interests. Looking at your browsing behaviour and purchases allows us to personalise our offers and services for you. This helps us give you better and more relevant offers.

                                                  You can change your marketing choices for email, SMS, post and phone marketing when you register with us and at any time after that. To opt out, just let us know in one of these ways:

                                                  On emails: by clicking ‘opt out’ or ‘unsubscribe’ (usually at the bottom of the email).

                                                  Online: by logging in to your Tesco Bank accounts and going to ‘Account Overview > Your marketing preferences’.

                                                  By phone: by calling us on 0345 1743155.

                                                  You also have choices when it comes to online advertising. You can change your online advertising preferences at any time by visiting manage my cookies.

                                                    We use Clubcard data to give discounts and better offers.

                                                      Why we collect data

                                                      Clubcard data includes your shopping habits and the types of purchases you or your household make.

                                                      We use Clubcard data to try to bring you better terms, deals, offers or support than you would get if we didn’t use the data. We do this by looking at the data using algorithms and computer programs to create customer segments and scores. This includes how likely we think you are to pay back money we lend you, how often you use other Tesco products and services, and how you prefer to shop. This helps us to create a number of scores, which we can then use as one of the factors in our automated decision-making process. We also take into account whether or not you are a Clubcard customer or have an existing Tesco Bank product.

                                                      Clubcard data allows us to give our customers better prices on our insurance products. Discounts and offers will vary from customer to customer, but all Clubcard customers will receive a discount within a range. Clubcard data also enables us to improve the likelihood of us being able to accept a customer’s application for a loan or a credit card.

                                                      Clubcard is a loyalty scheme and customers trust us to use their Clubcard data to reward them with offers. We only use Clubcard data to give better prices or offers and never to increase insurance prices or decline an application.

                                                      We use data that you provide, such as your name and address, to find any Clubcards that are linked to your surname and address. That might be your Clubcard, or that of a family member living in the same house as you. When we do this, we aim to use the Clubcard linked to your address which gives you the best terms, deals or offers.

                                                        Why we are using the data (legal basis)

                                                        This is in our legitimate interests as it allows us to offer better deals to our customers.

                                                          We use your banking product data to provide you with discounts and bring you better offers on insurance products.

                                                            Why we collect data

                                                            We use data about how you use your Tesco Bank products to try to bring you insurance discounts. We do this by using algorithms and computer programs to calculate scores to work out how much of a discount we can offer. This works in a similar way to how we use Clubcard data. We do not include transactional information from banking products in these algorithms.

                                                            We only use banking data within insurance to give our customers discounts and offers and never to increase prices.

                                                              Why we are using the data (legal basis)

                                                              This is in our legitimate interests as it allows us to offer better deals to our customers.

                                                                Complaints and claims

                                                                  Why we collect data

                                                                  We process your data if we need to manage complaints or legal claims.

                                                                    Why we are using the data (legal basis)

                                                                    When we do this, it is because we are bringing or defending legal claims, or because the law requires us to do this, as we have regulatory responsibilities to manage complaints to support our customers.

                                                                      Sensitive data – helping our vulnerable customers

                                                                        Why we collect data

                                                                        Sometimes we ask for sensitive or “special category personal data”, such as medical information, to allow us to help vulnerable customers. We only collect the minimum amount of information required.

                                                                          Why we are using the data (legal basis)

                                                                          Where possible, we will ask for your consent to use this data. Where we have asked for your consent, you can change your mind at any time by contacting us and asking us to stop processing this information.

                                                                          Where it is not possible to get your consent (for example if you are not able to give consent), we will only use or share your information where we believe that it is in your best interests and there are substantial public interests in us helping our customers in this way.

                                                                          We are also required by law to collect some sensitive data to help our customers as we have responsibilities to support our vulnerable customers.

                                                                            Biometric data

                                                                              Why we collect data

                                                                              Biometric data is data which relates to physical or behavioural characteristics used to try to identify a person, for example facial recognition, fingerprint verification and keystroke analysis. We use biometric data where this helps us to meet our responsibilities to prevent or detect financial crime. For example, we use algorithms and computer programs to look at images to assess certain features to identify the individual in the image as part of some of our application processes. We will explain when we are using biometric data.

                                                                                Why we are using the data (legal basis)

                                                                                Where possible, we will ask for your consent to use this data and offer an alternative way of carrying out our checks. If we have asked for your consent, you can change your mind at any time by contacting us.

                                                                                Where the use of biometric data forms an integral part of our financial crime and security checks which we must have in place to meet our regulatory responsibilities, we won’t offer a choice if there are substantial public interests in the use of biometrics and it is in our legitimate interests. We will explain as part of the application process when we are using biometric data and whether you have a choice.

                                                                                  Location data

                                                                                    Why we collect data

                                                                                    If you enable location services within our app, we will collect data which is used in our assessment of whether a transaction is unusual and may be fraudulent. We use algorithms and computer programs to make these assessments. This is done for your security and may be shared with fraud prevention agencies. We also collect location data for analysis purposes to help us to improve our service.

                                                                                      Why we are using the data (legal basis)

                                                                                      We ask for your consent. If you don’t want us to collect and use your location data, you can turn off the location service within our app. You can control access to location services at any time through your phone settings.

                                                                                        Market research

                                                                                          Why we collect data

                                                                                          We like to hear your views to help us improve our services, so we may contact you for market research purposes. You will always have the choice about whether to take part in market research.

                                                                                            Why we are using the data (legal basis)

                                                                                            This is in our legitimate interests as market research helps us to improve our services to customers.

                                                                                              Electronic payment services

                                                                                                Why we collect data

                                                                                                If you request that your data is transferred to a third party payment initiation or account information service, we will share your information as requested by you. The third party will be responsible for your information once we have transferred it to them and we recommend that you check the privacy policy of the third party before asking for your information to be transferred to them.

                                                                                                  Why we are using the data (legal basis)

                                                                                                  The law requires us to do this.

                                                                                                    Sharing data to ensure payments go to the correct accounts

                                                                                                      Why we collect data

                                                                                                      If a person or organisation pays you money by mistake, we will contact you to ask you to return the money. If you do not return the money, the law says we must give your name and address to the account providers of the person or organisation who sent you the money so they can recover the money from you.

                                                                                                      When someone pays money into your account, we share your name with them if we need to confirm the payment is being made to the right account.

                                                                                                        Why we are using the data (legal basis)

                                                                                                        The law requires us to do this.

                                                                                                          Authenticating payments

                                                                                                            Why we collect data

                                                                                                            If you buy something online or over the phone, this is known as a Card Not Present transaction (CNP) which requires additional authentication for security reasons.

                                                                                                            If you make an CNP payment to someone else and we are your card issuer, the organisation you are making the payment to will send us some of your information so we can confirm it is you making the payment.

                                                                                                            Similarly, if you are making a CNP payment to us, we share some of your information with your card issuer so they can confirm that it is you making the payment.

                                                                                                              Why we are using the data (legal basis)

                                                                                                              This is in our legitimate interests as it enables us to detect and prevent fraud, for example if your card was stolen and a fraudster tried to buy something using incorrect details about you.

                                                                                                                Sharing personal data

                                                                                                                In order to provide our products to you, we have to share some of your data with partners we work with. Whenever we share data, we only share the minimum amount necessary to operate our business and provide our products. We don’t share data with others for their marketing purposes.

                                                                                                                In some cases, we need to share your data with our partners because they provide a service which we do not provide. In other cases, we have to share your data to prevent fraud and financial crime or to ensure that we are lending responsibly.

                                                                                                                We share the personal data we collect with other companies in the Tesco Group for customer services across Tesco. For example, we share some personal data with Tesco Stores in connection with the operation of Clubcard accounts so that Tesco Bank customers receive Clubcard points where these are collected as part of the Tesco Bank product. We don’t share all of your banking or insurance data with Tesco Stores and only share the minimum amount of data they need.

                                                                                                                  Summary of data sharing

                                                                                                                  We share data with:

                                                                                                                  • our service providers and product partners to allow them to provide their services to you and us (including those who provide funding, debt management, administration, fraud and financial crime detection and professional services);
                                                                                                                  • anyone you nominate to act on your behalf;
                                                                                                                  • regulatory bodies and authorities where we have to do this to meet our regulatory responsibilities, and agencies who act on their behalf, such as market research companies where the regulators are checking customer views;
                                                                                                                  • credit reference agencies and fraud and financial crime prevention agencies for the reasons set out in this policy;
                                                                                                                  • other companies if we are considering transferring the contract we have with you to them (for example, where we are selling accounts or debts). You will be informed if your contract is transferred;
                                                                                                                  • our market research agencies to contact you with relevant surveys;
                                                                                                                  • other banks to detect and prevent fraud and financial crime and to meet our regulatory responsibilities;
                                                                                                                  • third party payment or account information service providers where you have asked for your data to be shared with them;
                                                                                                                  • third parties paying money into your account if we need to confirm the payment is being made to the right account.
                                                                                                                  Sharing data with Visa and MasterCard

                                                                                                                  We share card details with Visa and MasterCard to enable them to provide their services to you. If you get a replacement Visa card or MasterCard, they will share the new card details with retailers you have a known relationship with, so that the retailers can keep your card details up to date. This might happen where you have given a retailer permission to hold your card details for future payments. You can opt of out this by contacting the retailer. For Visa card holders, you can call us on 0345 835 3353 to let us know. However, this means you’ll need to contact any retailer you’ve set up a recurring payment with and update your new card details with them directly to ensure your payments continue and your service with them is uninterrupted.

                                                                                                                    Transferring data overseas

                                                                                                                    Sometimes we send your personal data to another country. For example, if one of our service providers has a data centre overseas. Before sending your personal data to an overseas country outside the European Economic Area, we check that the organisation we are sending the data to will be able to keep your data secure. The EU Commission has listed certain countries as having adequate protection. We check if the country is listed. If it is not, we ask the organisation to sign the EU Commission’s ‘model contract’. This means they must meet EU standards of data protection. A copy of this type of contract can be found here.

                                                                                                                    When your personal data is in another country, it could be accessed by law enforcement agencies in those countries. They do this to detect and prevent crime, or because the law says they must. For more information about sending your personal data overseas, you can contact our Data Protection Officer.

                                                                                                                      How long we use personal data for

                                                                                                                      In most cases we keep your personal data for 7 years after the end of your relationship with us. We keep data in case of complaints and for analysis to help us develop our products. For example, looking at customer data helps us to understand how to make lending decisions in future. When we use data for analysis, we do not use it to identify individual customers.

                                                                                                                      We keep banking application data for up to 7 years and insurance quote data for up to 3 years. We do this to develop our products and to protect you and us against fraud and financial crime. We use this data if you apply for a product again in the future, for example as part of our fraud checks.

                                                                                                                      We keep marketing records for 3 years after your last activity with us.

                                                                                                                      In some cases, we keep personal data for longer than 7 years, for example where it is needed for an ongoing investigation or legal proceedings. We only keep the data that we need, and we delete or anonymise it as soon as we can.

                                                                                                                        Credit reference agencies and fraud prevention agencies

                                                                                                                          What credit decisioning is, and how it works

                                                                                                                          When someone borrows money from a bank, there is always a risk that they may not be able to pay it back. Credit decisioning, which involves credit scoring and checking if you are able to afford the lending, is a way of working out how likely we think it is that you will pay back the money we lend you. Your credit score, which is part of your assessment, is worked out automatically by a computer. It takes into account different factors, such as the amount of debt you currently have, how you have paid off debts in the past and data from your Clubcard if it can be used to improve your credit score. Credit decisioning and credit scoring are important steps in making sure we are lending responsibly.

                                                                                                                          We use four main sources of data when working out your credit score:

                                                                                                                          • the personal data you give us in your application;
                                                                                                                          • data we get from third parties, such as credit reference agencies;
                                                                                                                          • data we already know about you in connection with other Tesco products, including Clubcard transactions. Clubcard transactions are only used to improve your score.
                                                                                                                          When we carry out credit checks

                                                                                                                          When we are processing your application for a credit product (a loan or credit card), we will perform a credit check with credit reference agencies. You will be told when this is about to happen and will be asked to agree. We will give your personal data to the credit reference agencies and they will give us data about you. This will include data from your application about your financial situation and financial history.

                                                                                                                          We don’t share data on other products, such as savings accounts, with credit reference agencies, but we access data from credit reference agencies to perform identity checks.

                                                                                                                          Credit reference agencies will give us data that is public, such as information from the electoral register, as well as specific information they know, such as shared credit, financial situation and financial history information, and fraud prevention information which other lenders have shared with them.

                                                                                                                            What we do with data from credit reference agencies

                                                                                                                            We use data from credit reference agencies to:

                                                                                                                            • assess your creditworthiness and whether we think you can afford to take the product;
                                                                                                                            • check the personal data you have given us is accurate;
                                                                                                                            • prevent criminal activity, fraud and money laundering;
                                                                                                                            • help to manage and make decisions about your account(s);
                                                                                                                            • trace and recover debts;
                                                                                                                            • make sure any offers we make to you are appropriate to your circumstances.

                                                                                                                            If you have a credit product (a loan, credit card or a current account overdraft), we will continue to exchange data about you with credit reference agencies while you have a relationship with us. This includes telling the credit reference agencies how you manage your debts; for example, how you repay your loans, credit card or manage your overdraft. If you do not pay back in full or on time, we will tell the credit reference agencies and they will record the outstanding debt. Other organisations will be able to see this information and make take it into account when making decisions about whether to offer you credit.

                                                                                                                              How credit reference agencies use your data

                                                                                                                              When we make a search request, the credit reference agencies make a note on your file that Tesco Bank has done a search. Other organisations will be able to see that Tesco Bank made a search of your data.

                                                                                                                              If you are making a joint application and tell us that you have a spouse or partner or anyone else that you are financially associated with, we will also search their data with the credit reference agencies and link your records together.

                                                                                                                              Credit reference agencies will also link your records together. Your records will stay linked until either you or the other person requests that the files are no longer linked (this is known as issuing a ‘notice of disassociation’). It is important that anybody you are making a joint application with, or any financial associate you tell us about, understands this before you make an application.

                                                                                                                              The three main credit reference agencies are TransUnion, Equifax and Experian.

                                                                                                                              To learn more about what they do, what data they hold, and what your rights are, go to www.transunion.co.uk/crain, www.equifax.co.uk/crain or www.experian.co.uk/crain.

                                                                                                                                Cifas and other fraud prevention agencies

                                                                                                                                Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

                                                                                                                                The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

                                                                                                                                Details of the personal data that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.

                                                                                                                                We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

                                                                                                                                We process your personal data on the basis that we have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect our business and to comply with laws that apply to us. Such processing is also a contractual requirement of the services or financing you have requested. Cifas has published its assessment of the legitimate interests in relation to the National Fraud Database.

                                                                                                                                Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

                                                                                                                                As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making.

                                                                                                                                If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.

                                                                                                                                A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us.

                                                                                                                                Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to "international frameworks" intended to enable secure data sharing. Cifas has published more information about data transfers.

                                                                                                                                  Onfido

                                                                                                                                  When you apply for certain products you will be notified that we can verify your identity using a partner called Onfido. We use Onfido to help us verify your identity to protect our customers and help us meet our regulatory responsibilities. If we ask you to provide a selfie video and photographic ID when applying for a product, we will explain to you that Onfido will process your photographic ID and selfie video using algorithms and computer programs to tell us whether they believe the ID and video are likely to be genuine. They check against databases they have access to. Onfido currently search the UK Metropolitan Police Amberhill Database to check if an identity document has been previously identified as lost, stolen, fraudulent or compromised. Onfido share compromised identity documents and they are kept on the database.

                                                                                                                                  We keep records of the searches performed by Onfido as part of our application process. If Onfido is unable to verify your identity, we’ll explain this to you and ask you to provide additional information to verify your identity. Onfido keep copies of the documentation to help them train their computers to improve their identity services. Full details of how Onfido uses personal data can be found in their privacy policy.

                                                                                                                                  We will keep this data to evidence to our regulators that we authenticated your photo ID to meet our responsibilities to prevent financial crime. The law requires us to retain this evidence for at least 5 years after your relationship with Tesco Bank has ended.

                                                                                                                                    Insurance products

                                                                                                                                    For information on how our insurance partners use your data, please look at their privacy policies which are made available as part of our product documentation.

                                                                                                                                    Our insurance partners perform checks on you, anyone named on your policy and anyone who is paying your premiums with organisations such as:

                                                                                                                                    Some of our insurance partners check your data with credit reference agencies to help detect and prevent crime. A record of the search will be left on your file at the credit reference agency. This record is visible to other lenders when they carry out checks in the future, but this type of search will not affect your credit rating.

                                                                                                                                    Our insurance partners share information to help detect and prevent crime, including fraud and money laundering. They may do this:

                                                                                                                                    • when you apply for insurance (or a variation to cover);
                                                                                                                                    • while maintaining your policy;
                                                                                                                                    • when renewing your policy;
                                                                                                                                    • when you make a claim.

                                                                                                                                    If you give inaccurate details, our insurance partners suspect fraud or other financial crime, or that you do not have the right to UK residency, they may share this information with other organisations through these registers and this information might be used by other organisations when making decisions about you and others in your household. This may include decisions about whether to lend you money, offer you insurance, as well as other decisions about tracing debt and detecting crime.

                                                                                                                                    Our insurance partners may research, collect and use data from publicly available sources. They do this to help detect and prevent fraud and other forms of financial crime. If you are not sure what information you have made available to the public on social media, we recommend that you visit the privacy settings on each of your social media accounts.

                                                                                                                                      Your choices when it comes to cookies

                                                                                                                                      Manage your cookie preferences

                                                                                                                                      All cookies, with the exception of essential cookies, can be switched on or off at any time.

                                                                                                                                      Please note:

                                                                                                                                      • Your Tesco Bank website cookie consent preferences are specific to the device and browser you are using at the time of consent.
                                                                                                                                      • So, if you visit using a different browser you will need to set your cookie consent preferences again.
                                                                                                                                      • Likewise, if you visit using a different device you will need to set your cookie consent preferences again.
                                                                                                                                      • If you clear your cookies you will need to set your cookie consent preferences again (as cookie consent preferences are stored in a cookie).
                                                                                                                                      • You can amend your cookie consent preferences at any time by visiting this page.
                                                                                                                                      • You can also amend your general cookie preferences via your browser settings.

                                                                                                                                      Want to change your cookie choices?

                                                                                                                                        How we use cookies

                                                                                                                                        We and our partners use cookies and similar technologies, such as tags and pixels (“Cookies”) to:

                                                                                                                                        • operate our website effectively and securely;
                                                                                                                                        • personalise and improve your customer experience as you use our websites and app;
                                                                                                                                        • provide you with relevant online advertising.

                                                                                                                                        Cookies are small text files containing a unique identifier, which are stored on your computer or mobile device so that your device can be recognised when you are using a particular website or mobile app. Cookies help to provide important features and functionality and to improve your customer experience. Cookies can also be used help us to detect fraudulent activity and prevent security breaches. We record data about your device within the cookie.

                                                                                                                                        We use both session and persistent cookies. Session cookies are placed onto your device for the duration of your visit to a website and are deleted when you close your browser. Persistent cookies are placed onto your device and remain in place after you leave our website until the cookie expires.

                                                                                                                                        Visit the All About Cookies website for more information about how cookies work

                                                                                                                                        Cookies used across the Tesco Bank website fall into the following categories:

                                                                                                                                          Essential

                                                                                                                                          Essential cookies are necessary for our website to work properly and to maintain security and privacy. For example, we use cookies as part of our security measures to protect our website, to remember cookie preferences, to manage site errors and log ins.

                                                                                                                                            Management

                                                                                                                                            These cookies are strictly necessary. We don’t allow you to turn off these cookies because we can’t provide our website services without them.

                                                                                                                                              What they are

                                                                                                                                              Tesco Bank
                                                                                                                                              Tesco Bank place cookies on your device to allow you to navigate around our website and ensure your data security is maintained when you browse, apply and service your accounts.

                                                                                                                                              Ensighten
                                                                                                                                              Ensighten provides our cookie consent solution and sets cookies to remember your preferences as you browse our website.

                                                                                                                                              Standing on Giants
                                                                                                                                              Standing On Giants host the Tesco Bank Your Community pages. To ensure this website works, Standing on Giants need to set cookies to allow you to navigate around this website.

                                                                                                                                                Advertising

                                                                                                                                                Advertising cookies are used to help show you more relevant adverts by personalising what you see. We advertise Tesco Bank products and offers when you visit other websites, using these cookies.

                                                                                                                                                Companies that we partner with may use the cookie data for their own advertising purposes.

                                                                                                                                                  Management

                                                                                                                                                  We will ask for your consent before setting these cookies. You can change your cookie preferences at any time by going to manage my cookies.

                                                                                                                                                    What they are

                                                                                                                                                    DoubleClick
                                                                                                                                                    DoubleClick is advertisement serving technology and used by us to track and optimise its digital marketing activities.

                                                                                                                                                    Google Analytics
                                                                                                                                                    Google Analytics allows us to measure Google Search usage and to analyse and optimise website landing pages and our visibility on search engines. It is also used to improve advertising by showing you the most relevant advertising content based on your interactions with our website.

                                                                                                                                                    Mediacom/Facebook
                                                                                                                                                    Mediacom are an agency that support us in display advertising via Facebook. Mediacom use Facebook cookies to show online advertising that is linked to your online browsing habits. View Facebook cookie policy

                                                                                                                                                    Mediacom/Twitter
                                                                                                                                                    Mediacom are an agency that support us in display advertising via Twitter. Mediacom use Twitter cookies to show online advertising that is linked to your online browsing habits. View Twitter cookie policy

                                                                                                                                                    YouTube
                                                                                                                                                    Certain pages on our website link to the Tesco Bank channel and YouTube cookies are deployed as part of the linking process. Please visit the YouTube website for details of their cookie policy. View YouTube cookie policy

                                                                                                                                                    Bing
                                                                                                                                                    Bing set cookies on certain pages of our website. These cookies are used for search engine optimisation purposes and to allow relevant pay per click advertising offers to be presented when using this search engine.

                                                                                                                                                      Measurement

                                                                                                                                                      Measurement cookies help us measure how our customers use our site. They tell us how different parts of our worksite are working and help us improve our service to you.

                                                                                                                                                        Management

                                                                                                                                                        We will ask for your consent before setting these cookies.

                                                                                                                                                          What they are

                                                                                                                                                          Adobe Analytics
                                                                                                                                                          We use Adobe Analytics technology to measure website traffic and performance. A copy of the Adobe Analytics data is hosted with our partner Aquila Insight. They help us run additional analysis on the performance of digital marketing. Aquila Insight retain this data for a maximum of 25 months.

                                                                                                                                                          Decibel
                                                                                                                                                          The Decibel technology is used to better understand how users interact with different aspects of our website. The purpose of the data collected is to help us make decisions about website design and technical improvements.

                                                                                                                                                          KPMG Nunwood
                                                                                                                                                          We partner with KPMG Nunwood to collect website user and customer experience feedback. The data collected is used to help us make decisions about improvements to our website and app.

                                                                                                                                                          Optimise
                                                                                                                                                          We use Optimise to measure sales through sites offering incentives such as discounts and cashback, to enable us to honour these.

                                                                                                                                                          Site Improve
                                                                                                                                                          Site Improve helps us to measure the content quality of our website.

                                                                                                                                                          IOvations
                                                                                                                                                          We use iOvations for fraud detection and prevention to protect us and our customers.

                                                                                                                                                            Experience

                                                                                                                                                            Experience cookies are used to support our website design tests and to give you a more personalised experience by enabling us to display content that is relevant to you.

                                                                                                                                                              Management

                                                                                                                                                              We will ask for your consent before setting these cookies.

                                                                                                                                                                What they are

                                                                                                                                                                Maxymiser
                                                                                                                                                                We use the Maxymiser technology to test web pages and designs and to serve personalised content to customers.

                                                                                                                                                                  Some of our products are operated by our partners and a new cookie notice will appear as you move onto our partner’s site. Please make sure you read their privacy and cookie policy as they might not use cookies in the same way as we do, and your cookie preferences recorded with us will not be passed over. Examples are Pet Insurance (operated by Royal Sun Alliance) and Travel Money (operated by Travelex).

                                                                                                                                                                    Your rights and how to contact us

                                                                                                                                                                    If you’d like to exercise your data subject rights, or have any questions or concerns about how we use your data, you can contact us:

                                                                                                                                                                    By post: The Data Protection Officer, Tesco Bank, PO BOX 27009, Glasgow, G2 9EZ

                                                                                                                                                                    By phone: 0345 1743155

                                                                                                                                                                    By email: DataProtectionOffice@tescobank.com

                                                                                                                                                                    Our Data Protection Officer supports us in answering any questions and acts as a point of escalation.

                                                                                                                                                                    We’d like the chance to resolve any complaints you have, but you also have the right to complain to the Information Commissioner’s Office (the "ICO") about how we have used your personal data. Their website is https://ico.org.uk/your-data-matters/raising-concerns/.

                                                                                                                                                                    You have a number of data subject rights, which you can make at any time. In some cases, these rights have limitations, but we will always respond within one calendar month. If we cannot meet your request, we will explain why. We may get in touch sooner if we need extra information to help us find your personal data, or to verify your identity.

                                                                                                                                                                      1. Right of access

                                                                                                                                                                      You have the right to see the personal data we hold about you. This is called a Subject Access Request. If you make a Subject Access Request, we will send you a copy of the personal data that you would like to see. There are a few exceptions where we might not be able to provide the information, such as where it includes personal data about others. Please use the subject access request form to make your request.

                                                                                                                                                                        2. Right to have inaccurate data corrected

                                                                                                                                                                        If you believe we hold inaccurate or missing data, please let us know and we will correct it.

                                                                                                                                                                          3. Right to restrict us using or request erasure of the personal data we hold about you

                                                                                                                                                                          If you want us to stop or restrict us using your personal data, or you want us to erase it entirely, please let us know. There are times when we may not be able to do this – for example, if the data is related to a contract between us, or if the law says we need to keep your personal data for a certain amount of time.

                                                                                                                                                                          You can also ask us to stop using your personal data for direct marketing purposes and you can opt out of marketing at any time:

                                                                                                                                                                          On emails: by clicking ‘opt out’ or ‘unsubscribe’ (usually at the bottom of the email).

                                                                                                                                                                          Online: by logging in to your Tesco Bank accounts and going to ‘Account Overview > Your marketing preferences’.

                                                                                                                                                                          By phone: 0345 1743155

                                                                                                                                                                            4. Right to data portability

                                                                                                                                                                            You can ask us to transfer your personal data in an electronic format to you, or to another organisation (for example, another bank or insurer).

                                                                                                                                                                              5. Right to human intervention in automated decision making

                                                                                                                                                                              An automated decision is one that is made by our systems rather than by a person. The benefit of automated decision making is that we can quickly make key decisions.

                                                                                                                                                                              We also use automated decision making:

                                                                                                                                                                              • to make decisions about whether to lend you credit;
                                                                                                                                                                              • in our financial crime checks;
                                                                                                                                                                              • to calculate insurance prices.

                                                                                                                                                                              Automated decision-making helps us to decide things like how likely it is that you will pay back the money we lend. It takes into account factors such as the amount of debt someone has, and how they have paid off debts in the past. It also helps us and our insurance partners to work out how likely you might be to make a claim on an insurance policy and what insurance price we can therefore offer you.

                                                                                                                                                                              You have the right to:

                                                                                                                                                                              • express your concerns and object to a decision taken by purely automated means; and
                                                                                                                                                                              • request that a person reviews that decision.

                                                                                                                                                                              If you would like us to review a decision we have made about you, such as declining an application, please let us know.

                                                                                                                                                                                6. You have the right to withdraw your consent at any time

                                                                                                                                                                                Sometimes we need your consent to process your personal data. If you have given consent, you can change your mind and withdraw it by contacting us.

                                                                                                                                                                                  Changes to this privacy policy

                                                                                                                                                                                  This privacy policy will be reviewed and updated from time to time. We will contact you if there are any important changes which impact how we use your personal data. If we need to give you the opportunity to opt out, we will give you time to do this before we make any changes to the way we use your personal data.

                                                                                                                                                                                  Last updated: November 2020