Banking Privacy Policy

At Tesco Bank, we’re working hard to serve Tesco customers a little better every day. Looking after the personal data you share with us is a hugely important part of this. We want you to be confident that your data is safe and secure with us and understand how we use it to offer you a better and more personalised experience.

What this policy covers

We are Tesco Personal Finance plc, trading as Tesco Bank and part of the Tesco Group. When we process your data, we act as a data controller. This means that we are responsible for looking after your data and deciding how it is used.

We are committed to doing the right thing when it comes to how we collect, use and protect your personal data. That’s why we’ve developed this privacy and cookies policy, which explains:

  • the types of personal data we collect;the types of personal data we collect;
  • the reasons we use the data we collect;the reasons we use the data we collect;
  • when we share personal data within the Tesco Group  and with other organisations, for example to help provide our services or to meet our regulatory responsibilities;when we share personal data within the Tesco Group and with other organisations, for example to help provide our services or to meet our regulatory responsibilities;
  • the rights and choices you have when it comes to your personal data.the rights and choices you have when it comes to your personal data.

This privacy policy explains how we use data in our banking products. We have created a separate insurance privacy policy which explains how we use data in our insurance products.

If you have other Tesco products or if you have a Clubcard account associated with your Tesco Bank product, Tesco Stores will collect and use personal data to provide you with their products and services. You can read the Tesco privacy policy here.

Our product partners help us to provide our travel money and international money transfer products. They act as data controllers when they process your personal data and they have their own privacy policies. You will find the names of our product partners and links to their privacy policies where you would purchase these products. Our product partners share your data with us to allow us to develop our products and understand our customers better.

    Personal data we collect

    Personal data is any information about you which can directly or indirectly identify you. This includes your name and address, the transactions on your account and your online browsing data.

    Most of the personal data we collect is essential for us to know so that we can provide our products to you. If we ask for personal data that is optional, we will explain this at the time.

      When you apply for a product, we will ask you to provide us with:

      • personal details, including your postal and billing addresses, email address, phone numbers, date of birth and title;personal details, including your postal and billing addresses, email address, phone numbers, date of birth and title;
      • Information we require to assess your application or keep your financial information up to date, such as your income or financial responsibilities;Information we require to assess your application or keep your financial information up to date, such as your income or financial responsibilities;
      • identification documents we require to open your account (for example, your passport or driving licence). identification documents we require to open your account (for example, your passport or driving licence).

      When you use our website or Mobile App or open our emails, we collect information to measure and improve our service. This includes:

      • your browsing behaviour, including which links you click;your browsing behaviour, including which links you click;
      • any devices you have used to access our website or app (including the make, model and operating system, IP address, browser type and mobile device identifiers);any devices you have used to access our website or app (including the make, model and operating system, IP address, browser type and mobile device identifiers);
      • whether you open our emails, how you engage with our emails, and your location at that time (using tracking pixels). We aggregate this data so it will not be used to make decisions about individuals.whether you open our emails, how you engage with our emails, and your location at that time (using tracking pixels). We aggregate this data so it will not be used to make decisions about individuals.

      When you contact us or take part in promotions or surveys about our products, we collect:

      • information you provide about yourself (for example, your name, username and contact details), including by phone, email, post or when you speak with us through our website or Community;information you provide about yourself (for example, your name, username and contact details), including by phone, email, post or when you speak with us through our website or Community;
      • your feedback and contributions to customer surveys or reviews;your feedback and contributions to customer surveys or reviews;
      • recordings of calls made to our customer service centre.recordings of calls made to our customer service centre.

      We collect personal data from other sources, such as:

      • the wider Tesco Groupthe wider Tesco Group;
      • credit reference agencies;credit reference agencies;
      • fraud prevention agencies;fraud prevention agencies;
      • publicly available resources, such as the electoral register and the internet. publicly available resources, such as the electoral register and the internet.

      Further information on how the credit references agencies and fraud prevention agencies that we work with use and share data can be found here.

      We use this data when we need to:

      • verify your identity and UK residency;verify your identity and UK residency;
      • assess your creditworthiness and if a product is suitable for you; assess your creditworthiness and if a product is suitable for you;
      • check what terms of cover we should offer; check what terms of cover we should offer;
      • trace and recover debts; trace and recover debts;
      • prevent criminal activity, such as fraud and financial crime.prevent criminal activity, such as fraud and financial crime.

      If you have existing products with Tesco Bank or you have a Clubcard, we sometimes use this information to pre-populate fields in our application forms online. You will be asked to check the information is up to date.

        If you give us information about other people who will be connected to your applications or products, we will keep a record of their data. You must make sure that you have their permission before you share their data with us or make decisions on their behalf about how we use their data, including credit checks. Please make them aware of this privacy policy.

        This includes:

        • joint applicants;joint applicants;
        • additional cardholders;additional cardholders;
        • anyone nominated to act on your behalf, including power of attorneys and others.anyone nominated to act on your behalf, including power of attorneys and others.

        Why we collect your data and our legal basis

        We carefully consider how we use personal data and have internal processes, such as our Data Protection Impact Assessments, which help us to decide how to act fairly and in our customers’ best interests. Where we say that using data is in our “legitimate interests”, we ensure that we are also acting in the general interests of all our customers. We only ever collect, use and share the minimum amount of data necessary to operate our business and serve our customers.

          To make our products available to you

            Why we collect data

            • working out financial risks by credit scoring;
            • verifying your identity and eligibility for products, and the identities of joint applicants;
            • assessing your creditworthiness;
            • managing your accounts, including contacting you by phone, post, email, SMS and via our apps through push notifications (messages that pop up on your device) to give you information about your account;
            • awarding Clubcard points.


            We use algorithms and computer programs to make decisions about whether you are eligible for a product and what terms we can offer you. You can find out more information here.

              Why we are using the data (legal basis)

              Because we have a contract with you, we have to use your data in this way as a necessary part of that contract.

              Once you no longer have the product, we keep your data for a period of time afterwards as part of our legitimate interests in case needed for a complaint or regulatory enquiry and to help us to lend responsibly.

              If you want to ask us to review a decision which we have made based on an algorithm, you can ask us any time.

                To prevent fraud and financial crime

                  Why we collect data

                  We carry out fraud checks to protect our customers and prevent crime. We use algorithms and computer programs to analyse transactions and data in applications to check for fraud. You can read more about our fraud prevention checks here.

                    Why we are using the data (legal basis)

                      The law requires us to do this as we have responsibilities to prevent financial crime. We also act in our legitimate interests to protect our business and customers.

                      If you want to ask us to review a decision which we have made based on an algorithm, you can ask us any time.

                        Screening

                          Why we collect data

                          To keep to laws and regulations that apply to us and to co-operate with regulators, government bodies and law enforcement organisations.

                            Why are we using the data (legal basis)

                              In most cases, we do this because the law requires us to. We may also do this acting in our legitimate interests to protect our business and customers.

                                To trace and recover debt

                                  Why we collect data

                                  We may access information from third parties such as credit reference agencies to get up to date contact details where we need these to recover money owed to us. If you are ever concerned about paying your debts, please contact us.

                                    Why we are using the data (legal basis)

                                    We act in our legitimate interests as we need to recover money owed to us to enable us to operate our business.

                                      To record calls to our call centres

                                        Why we collect data

                                        We use call recordings to prevent fraud, for staff training and to manage customer complaints.

                                          Why we are using the data (legal basis)

                                          We act in our legitimate interests as call recordings help us to meet our responsibilities to combat fraud, provide good customer service and respond to complaints.

                                            To carry out analysis on our products and understand our customers’ needs

                                              Why we collect data

                                                We use algorithms and computer programs to analyse customer data by creating customer segments and scoring. We use customer data from our products, Clubcard data and data from declined applications. We sometimes combine your data with data from our partners to help us in our analysis. This will only happen where those partners have ensured that passing your personal data to us is permitted by data protection laws – this means that they must ensure that you have been informed that your data will be used in this way. When we analyse data as part of our product development, we don’t use it to identify individual customers.

                                                Analysing customer data allows us to understand our customers better and explore possibilities for how we might serve our customers better and improve our products.

                                                Our Tesco Group companies work together closely to make sure we serve our customers a little better each day. To help us do this, some information about you may be shared with other Tesco companies. This joint customer insight and analysis is done to help improve our customer understanding, and won’t negatively affect you.

                                                  Why we are using the data (legal basis)

                                                    We act in our legitimate interests as these activities allow us to improve our products and serve our customers better.

                                                      To operate our business

                                                        Why we collect data

                                                        We use customer data when carrying out internal audits and in financial analysis.

                                                          Why we are using the data (legal basis)

                                                            We act in our legitimate interests to monitor the performance of our business and make improvements.

                                                              To manage and improve our website and apps

                                                                Why we collect data

                                                                We use cookies and similar technologies on our website and apps to improve your customer experience. You can switch off non-essential cookies using the toggles. You can find more information in the Cookie Policy

                                                                  Why we are using the data (legal basis)

                                                                  Essential cookies: We act in our legitimate interests to enable our website to function securely.

                                                                  Non-essential cookies (measurement, experience and advertising): We obtain customer consent. You can change your preferences at any time by visiting manage my cookies.

                                                                    To provide you with marketing

                                                                      Why we collect data

                                                                      We want to ensure that the marketing we send you or show you online is relevant to you. To help us to do this, we:

                                                                      • use your data, including details of which Tesco products you hold, your Clubcard data, your transactional data from accounts you hold with us, data about how you manage your account, and your online browsing behaviour to help us better understand you as a customer and provide you with personalised offers and relevant marketing communications (including by email, post, online advertising, at the tills in store or in your online accounts). We use algorithms and computer programs to analyse data by creating customer segments and scores which we use to help us select which offers to send you.
                                                                      • use data about how you manage your account or policy, including your credit history, combined with your Clubcard data to provide you with pre-approved offers. We use algorithms and computer programs to assess whether we can make a pre-approved offer to you. When we make you a pre-approved offer, we do not do external credit checks. We will only ever use your personal data in this way so that we can offer you better deals than you would get if we didn’t use that information.
                                                                      • measure your responses to marketing communications, which also means we can offer you products and services that better meet your needs.
                                                                      • sometimes combine your data with data from our partners, such as price comparison websites and credit reference agencies. For example, we use credit reference agency data to try to ensure that we don’t advertise credit products to those who might be declined. When you log into your online accounts we use credit reference agency data to show you personalised offers. This will only happen where those partners have ensured that passing your personal data to us is permitted by data protection laws – this means that they must ensure that you have been informed that your data will be used in this way.
                                                                      • work closely together with our Tesco Group companies to make sure we serve our customers a little better each day. As a part of this, some information about you may be shared with other Tesco companies for joint marketing activities. You’ll only receive joint marketing that’s relevant to your Tesco Clubcard, and your marketing preferences for each Tesco Group company will apply.


                                                                      We use personal data to tailor the adverts we show to you online on Tesco websites, social media sites and other sites that sell advertising space. Personalised adverts show the AdChoices logo. You can find out more in the Cookie Policy.

                                                                        Why we are using the data (legal basis)

                                                                        We act in our legitimate interests. Looking at your browsing behaviour and purchases allows us to personalise our offers and services for you. This helps us give you better and more relevant offers.

                                                                        You can change your marketing choices for email, SMS, post and phone marketing when you register with us and at any time after that. To opt out, just let us know in one of these ways:

                                                                        On emails: by clicking ‘opt out’ or ‘unsubscribe’ (usually at the bottom of the email).

                                                                        Online:

                                                                        • Credit cards customers: by logging in to your Tesco Bank Online Banking, selecting your credit card and going to ‘Manage account > Manage your account > Manage marketing and credit limit increase preferences’.
                                                                        • For customers who do not have a credit card: by logging in to your Tesco Bank Online Banking, selecting your account and going to ‘Manage account > Your preferences > Change marketing preferences’

                                                                        Via our unsubscribe site: Enter your email address here and click unsubscribe if you no longer wish to receive Marketing from Tesco Bank. Please note it might take up to ten working days for your preferences to be updated. When necessary Tesco Bank will send you non-marketing communications from time to time, about important updates to your account or services.

                                                                        By phone: by calling us on one of the numbers for your product(s) here and asking the customer service representative to opt you out of marketing.

                                                                        In our Mobile Banking App: you can opt out of personalised offers in our app by going to the settings menu, selecting ‘Personalised Offers’ and switching it off. If you choose to opt out you might still see some offers, but they won’t be personalised.

                                                                        You also have choices when it comes to online advertising. You can change your online advertising preferences at any time by visiting manage my cookies

                                                                          We use Clubcard data to give discounts and better offers

                                                                            Why we collect data

                                                                            Clubcard data includes your shopping habits and the types of purchases you or your household make.

                                                                            We use Clubcard data to try to bring you better terms, deals, offers or support than you would get if we didn’t use the data. We do this by looking at the data using algorithms and computer programs to create customer segments and scores. This includes how likely we think you are to pay back money we lend you, how often you use other Tesco products and services, and how you prefer to shop. This helps us to create a number of scores, which we can then use as one of the factors in our automated decision-making process. We also take into account whether or not you are a Clubcard customer or have an existing Tesco Bank product.

                                                                            Clubcard data enables us to improve the likelihood of us being able to accept a customer’s application for a loan or a credit card.

                                                                            Clubcard is a loyalty scheme and customers trust us to use their Clubcard data to reward them with offers. We only use Clubcard data to give better prices or offers and never to increase prices or decline an application.

                                                                            We use data that you provide, such as your name and address, to find any Clubcards that are linked to your surname and address. That might be your Clubcard, or that of a family member living in the same house as you. When we do this, we aim to use the Clubcard linked to your address which gives you the best terms, deals or offers.

                                                                              Why we are using the data (legal basis)

                                                                              This is in our legitimate interests as it allows us to offer better deals to our customers.

                                                                                Complaints and requests

                                                                                  Why we collect data

                                                                                  We process your data if we need to manage complaints, data subject access requests or legal claim. We also sometimes receive requests from regulators for information which might require us to process and share your data with regulators.

                                                                                    Why we are using the data (legal basis)

                                                                                    When we do this, it is because we are bringing or defending legal claims, or because the law requires us to do this, as we have regulatory responsibilities to manage complaints to support our customers and respond to data subject rights requests and regulatory requests for information.

                                                                                      Sensitive data – helping our vulnerable customers

                                                                                        Why we collect data

                                                                                        Sometimes we ask for sensitive or “special category personal data”, such as medical information, to allow us to help vulnerable customers. We only collect the minimum amount of information required.

                                                                                          Why we are using the data (legal basis)

                                                                                            Where possible, we will ask for your consent to use this data. Where we have asked for your consent, you can change your mind at any time by contacting us and asking us to stop processing this information.

                                                                                            Where it is not possible to get your consent (for example if you are not able to give consent), we will only use or share your information where we believe that it is in your best interests and there are substantial public interests in us helping our customers in this way.

                                                                                            We are also required by law to collect some sensitive data to help our customers as we have responsibilities to support our vulnerable customers.

                                                                                              Biometric data

                                                                                                Why we collect data

                                                                                                Biometric data is data which relates to physical or behavioural characteristics used to try to identify a person, for example facial recognition or fingerprint verification. We use biometric data where this helps us to meet our responsibilities to prevent or detect financial crime. For example, we use algorithms and computer programs to look at images to assess certain features to identify the individual in the image as part of some of our application processes.

                                                                                                  Why we are using the data (legal basis)

                                                                                                  Where possible, we will ask for your consent to use this data and offer an alternative way of carrying out our checks. If we have asked for your consent, you can change your mind at any time by contacting us.

                                                                                                  Where the use of biometric data forms an integral part of our financial crime and security checks which we must have in place to meet our regulatory responsibilities, we won’t offer a choice if there are substantial public interests in the use of biometrics and it is in our legitimate interests. We will explain on product applications or other screens if you have a choice as to the use of biometric data for that product or service.

                                                                                                    Behavioural biometrics

                                                                                                      Why we collect data

                                                                                                      When you shop online, you will occasionally be asked to authenticate your payment. If you don’t currently use our Mobile App to do this, we will use behavioural biometrics to help confirm it’s you making the payment. Within the payments (authentication) screen we will collect behavioural biometrics data. This looks at various behaviours such as how you move your mouse and keystroke analysis e.g. how you type and the speed at which you type. A profile is built up over time that enables us to identify you and provides a stronger way of checking it is you making the payment online.

                                                                                                        Why we are using the data (legal basis)

                                                                                                        Behavioural biometrics for card payments online is performed in the substantial public interest as it provides protection from social engineering (fraudsters tricking customers into giving their security details to them). Whilst passwords can be stolen from customers by fraudsters, the unique ways you interact with your devices cannot be duplicated. As our legal basis is substantial public interest to prevent and detect unlawful acts (in this case, fraud), you cannot opt out of this use as it is in place to protect you.

                                                                                                          Location data

                                                                                                            Why we collect data

                                                                                                            If you enable location services within our app, we will collect data which is used in our assessment of whether a transaction is unusual and may be fraudulent. We use algorithms and computer programs to make these assessments. This is done for your security and may be shared with fraud prevention agencies. We also collect location data for analysis purposes to help us to improve our service.

                                                                                                              Why we are using the data (legal basis)

                                                                                                              We ask for your consent. If you don’t want us to collect and use your location data, you can turn off the location service within our app. You can control access to location services at any time through your phone settings.

                                                                                                                Market research

                                                                                                                  Why we collect data

                                                                                                                  We like to hear your views to help us improve our services, so we may contact you for market research purposes. You will always have the choice about whether to take part in market research.

                                                                                                                    Why we are using the data (legal basis)

                                                                                                                    This is in our legitimate interests as market research helps us to improve our services to customers.

                                                                                                                      Electronic payment services

                                                                                                                        Why we collect data

                                                                                                                        If you request that your data is transferred to a third party payment initiation or account information service, we will share your information as requested by you. The third party will be responsible for your information once we have transferred it to them and we recommend that you check the privacy policy of the third party before asking for your information to be transferred to them.

                                                                                                                          Why we are using the data (legal basis)

                                                                                                                          The law requires us to do this.

                                                                                                                            Sharing data to ensure payments go to the correct accounts

                                                                                                                              Why we collect data

                                                                                                                              If a person or organisation pays you money by mistake, we will contact you to ask you to return the money. If you do not return the money, the law says we must give your name and address to the account providers of the person or organisation who sent you the money so they can recover the money from you.

                                                                                                                              When someone pays money into your account, we share your name with them if we need to confirm the payment is being made to the right account.

                                                                                                                                Why we are using the data (legal basis)

                                                                                                                                The law requires us to do this.

                                                                                                                                  Authenticating payments

                                                                                                                                    Why we collect data

                                                                                                                                    If you buy something online or over the phone, this is known as a Card Not Present transaction (CNP) which requires additional authentication for security reasons.

                                                                                                                                    If you make an CNP payment to someone else and we are your card issuer, the organisation you are making the payment to will send us some of your information so we can confirm it is you making the payment.

                                                                                                                                    Similarly, if you are making a CNP payment to us, we share some of your information with your card issuer so they can confirm that it is you making the payment.

                                                                                                                                      Why we are using the data (legal basis)

                                                                                                                                      This is in our legitimate interests as it enables us to detect and prevent fraud, for example if your card was stolen and a fraudster tried to buy something using incorrect details about you.

                                                                                                                                        Sharing personal data

                                                                                                                                        In order to provide our products to you, we have to share some of your data with partners we work with. Whenever we share data, we only share the minimum amount necessary to operate our business and provide our products. We don’t share data with others for their marketing purposes.

                                                                                                                                        In some cases, we need to share your data with our partners because they provide a service which we do not provide. In other cases, we have to share your data to prevent fraud and financial crime or to ensure that we are lending responsibly.

                                                                                                                                        We share the personal data we collect with other companies in the Tesco Group for customer services across Tesco. For example, we share some personal data with Tesco Stores in connection with the operation of Clubcard accounts so that Tesco Bank customers receive Clubcard points where these are collected as part of the Tesco Bank product. We don’t share all of your data with Tesco Stores and only share the minimum amount of data they need.

                                                                                                                                          We share data with:

                                                                                                                                          • our service providers and product partners to allow them to provide their services to you and us (including those who provide funding, debt management, administration, fraud and financial crime detection and professional services);our service providers and product partners to allow them to provide their services to you and us (including those who provide funding, debt management, administration, fraud and financial crime detection and professional services);
                                                                                                                                          • anyone you nominate to act on your behalf;anyone you nominate to act on your behalf;
                                                                                                                                          • regulatory bodies and authorities where we have to do this to meet our regulatory responsibilities, and agencies who act on their behalf, such as market research companies where the regulators are checking customer views. For example, we share customer data with the Financial Conduct Authority if they request it to perform analysis as part of their regulatory responsibilities;regulatory bodies and authorities where we have to do this to meet our regulatory responsibilities, and agencies who act on their behalf, such as market research companies where the regulators are checking customer views. For example, we share customer data with the Financial Conduct Authority if they request it to perform analysis as part of their regulatory responsibilities;
                                                                                                                                          • Credit reference agencies and fraud and financial crime prevention agencies for the reasons set out in this policy;credit reference agencies and fraud and financial crime prevention agencies for the reasons set out in this policy;
                                                                                                                                          • other companies if we are considering transferring the contract we have with you to them (for example, where we are selling accounts or debts). You will be informed if your contract is transferred;other companies if we are considering transferring the contract we have with you to them (for example, where we are selling accounts or debts). You will be informed if your contract is transferred;
                                                                                                                                          • our market research agencies to contact you with relevant surveys;our market research agencies to contact you with relevant surveys;
                                                                                                                                          • customer review platforms to help us improve our services. We share your personal data (including name and email address) with Trustpilot so they can contact you to give you the opportunity to review our products and services. You can view Trustpilot’s privacy policy on their website customer review platforms to help us improve our services. We share your personal data (including name and email address) with Trustpilot so they can contact you to give you the opportunity to review our products and services. You can view Trustpilot’s privacy policy on their website
                                                                                                                                          • other banks to detect and prevent fraud and financial crime and to meet our regulatory responsibilities;other banks to detect and prevent fraud and financial crime and to meet our regulatory responsibilities;
                                                                                                                                          • third party payment or account information service providers where you have asked for your data to be shared with them;third party payment or account information service providers where you have asked for your data to be shared with them;
                                                                                                                                          • third parties paying money into your account if we need to confirm the payment is being made to the right account.third parties paying money into your account if we need to confirm the payment is being made to the right account.

                                                                                                                                          We share card details with Visa and MasterCard to enable them to provide their services to you. If you get a replacement Visa card or MasterCard, they will share the new card details with retailers you have a known relationship with, so that the retailers can keep your card details up to date. This might happen where you have given a retailer permission to hold your card details for future payments. You can opt of out this by contacting the retailer. For Visa card holders, you can call us on 0345 835 3353 to let us know. However, this means you’ll need to contact any retailer you’ve set up a recurring payment with and update your new card details with them directly to ensure your payments continue and your service with them is uninterrupted.

                                                                                                                                            Sometimes we send your personal data to another country. For example, if one of our service providers has a data centre overseas. Before sending your personal data to an overseas country outside the UK or the European Economic Area, we check that the organisation we are sending the data to will be able to keep your data secure. Certain countries are listed by the Government as having adequate protection. We check if the country is listed. If it is not, we ask the organisation to sign standard contractual clauses. This means they must meet the same standards of data protection as we have in our country. A copy of this type of contract can be found here

                                                                                                                                            When your personal data is in another country, it could be accessed by law enforcement agencies in those countries. They do this to detect and prevent crime, or because the law says they must. For more information about sending your personal data overseas, you can contact our Data Protection Officer

                                                                                                                                              How long we use personal data for

                                                                                                                                              In most cases we keep your personal data for 7 years after the end of your relationship with us. We keep data in case of complaints and for analysis to help us develop our products. For example, looking at customer data helps us to understand how to make lending decisions in future. When we use data for analysis, we do not use it to identify individual customers.

                                                                                                                                              We keep banking application data for up to 7 years. We do this to develop our products and to protect you and us against fraud and financial crime. We use this data if you apply for a product again in the future, for example as part of our fraud checks.

                                                                                                                                              We keep marketing records for 3 years after your last activity with us.

                                                                                                                                              In some cases, we keep personal data for longer than 7 years, for example where it is needed for an ongoing investigation or legal proceedings. We only keep the data that we need, and we delete or anonymise it as soon as we can.

                                                                                                                                                Credit reference agencies and fraud prevention agencies

                                                                                                                                                  When someone borrows money from a bank, there is always a risk that they may not be able to pay it back. Credit decisioning, which involves credit scoring and checking if you are able to afford the lending, is a way of working out how likely we think it is that you will pay back the money we lend you. Your credit score, which is part of your assessment, is worked out automatically by a computer. It takes into account different factors, such as the amount of debt you currently have, how you have paid off debts in the past and data from your Clubcard if it can be used to improve your credit score. Credit decisioning and credit scoring are important steps in making sure we are lending responsibly.

                                                                                                                                                  We use three main sources of data when working out your credit score:

                                                                                                                                                  • the personal data you give us in your application; the personal data you give us in your application;
                                                                                                                                                  • data we get from third parties, such as credit reference agencies;data we get from third parties, such as credit reference agencies;
                                                                                                                                                  • data we already know about you in connection with other Tesco products, including Clubcard transactions. Clubcard transactions are only used to improve your score.data we already know about you in connection with other Tesco products, including Clubcard transactions. Clubcard transactions are only used to improve your score.

                                                                                                                                                  When we are processing your application for a credit product (a loan or credit card), we will perform a credit check with credit reference agencies. You will be told when this is about to happen and will be asked to agree. We will give your personal data to the credit reference agencies and they will give us data about you. This will include data from your application about your financial situation and financial history.

                                                                                                                                                  We don’t share data on other products, such as savings accounts, with credit reference agencies, but we access data from credit reference agencies to perform identity checks.

                                                                                                                                                  Credit reference agencies will give us data that is public, such as information from the electoral register, as well as specific information they know, such as shared credit, financial situation and financial history information, and fraud prevention information which other lenders have shared with them.

                                                                                                                                                    We use data from credit reference agencies to:

                                                                                                                                                    • assess your creditworthiness and whether we think you can afford to take the product; assess your creditworthiness and whether we think you can afford to take the product;
                                                                                                                                                    • check the personal data you have given us is accurate;check the personal data you have given us is accurate;
                                                                                                                                                    • prevent criminal activity, fraud and money laundering;prevent criminal activity, fraud and money laundering;
                                                                                                                                                    • help to manage and make decisions about your account(s);help to manage and make decisions about your account(s);
                                                                                                                                                    • trace and recover debts; trace and recover debts;
                                                                                                                                                    • make sure any offers we make to you are appropriate to your circumstances. make sure any offers we make to you are appropriate to your circumstances, including when showing you personalised offers when you log into your online accounts.

                                                                                                                                                    If you have a credit product (a loan, credit card or a current account overdraft), we will continue to exchange data about you with credit reference agencies while you have a relationship with us. This includes telling the credit reference agencies how you manage your debts; for example, how you repay your loans, credit card or manage your overdraft. If you do not pay back in full or on time, we will tell the credit reference agencies and they will record the outstanding debt. Other organisations will be able to see this information and may take it into account when making decisions about whether to offer you credit.

                                                                                                                                                      When we make a search request, the credit reference agencies make a note on your file that Tesco Bank has done a search. Other organisations will be able to see that Tesco Bank made a search of your data.

                                                                                                                                                      If you are making a joint application and tell us that you have a spouse or partner or anyone else that you are financially associated with, we will also search their data with the credit reference agencies and link your records together.

                                                                                                                                                      Credit reference agencies will also link your records together. Your records will stay linked until either you or the other person requests that the files are no longer linked (this is known as issuing a ‘notice of disassociation’). It is important that anybody you are making a joint application with, or any financial associate you tell us about, understands this before you make an application.

                                                                                                                                                      The three main credit reference agencies are TransUnion, Equifax and Experian.

                                                                                                                                                      To learn more about what they do, what data they hold, and what your rights are, go to www.transunion.co.uk/crain, www.equifax.co.uk/crain or www.experian.co.uk/crain

                                                                                                                                                        The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance or employment. Further details of how your information will be used by us and these fraud prevention agencies, and you data protection rights, can be found at www.cifas.org.uk/fpn

                                                                                                                                                          When you apply for certain products you will be notified that we can verify your identity using a partner called Onfido. We use Onfido to help us verify your identity to protect our customers and help us meet our regulatory responsibilities. If we ask you to provide a selfie video and photographic ID when applying for a product, we will explain to you that Onfido will process your photographic ID and selfie video using algorithms and computer programs to tell us whether they believe the ID and video are likely to be genuine. They check against databases they have access to. Onfido currently search the UK Metropolitan Police Amberhill Database to check if an identity document has been previously identified as lost, stolen, fraudulent or compromised. Onfido share compromised identity documents and they are kept on the database.

                                                                                                                                                          We keep records of the searches performed by Onfido as part of our application process. If Onfido is unable to verify your identity, we’ll explain this to you and ask you to provide additional information to verify your identity. Onfido keep copies of the documentation to help them train their computers to improve their identity services. Full details of how Onfido uses personal data can be found in their privacy policy

                                                                                                                                                          We will keep this data to evidence to our regulators that we authenticated your photo ID to meet our responsibilities to prevent financial crime. The law requires us to retain this evidence for at least 5 years after your relationship with Tesco Bank has ended.

                                                                                                                                                            Your rights and how to contact us

                                                                                                                                                            If you’d like to exercise your data subject rights, or have any questions or concerns about how we use your data, you can contact us:

                                                                                                                                                            By post: The Data Protection Officer, Tesco Bank, PO BOX 27009, Glasgow, G2 9EZ

                                                                                                                                                            By phone: by calling us on one of the numbers for your product(s) here

                                                                                                                                                            By email: DataSubjectRights_DPO@tescobank.com

                                                                                                                                                            Our Data Protection Officer supports us in answering any questions and acts as a point of escalation.

                                                                                                                                                            We’d like the chance to resolve any complaints you have, but you also have the right to complain to the Information Commissioner’s Office (the "ICO") about how we have used your personal data. Their website is https://ico.org.uk/your-data-matters/raising-concerns/

                                                                                                                                                            You have a number of data subject rights, which you can make at any time. In some cases, these rights have limitations, but we will always respond within one calendar month. If we cannot meet your request, we will explain why. We may get in touch sooner if we need extra information to help us find your personal data, or to verify your identity.

                                                                                                                                                              You have the right to see the personal data we hold about you. This is called a Subject Access Request. If you make a Subject Access Request, we will send you a copy of the personal data that you would like to see. There are a few exceptions where we might not be able to provide the information, such as where it includes personal data about others. Please use the subject access request form to make your request.

                                                                                                                                                                If you believe we hold inaccurate or missing data, please let us know and we will correct it.

                                                                                                                                                                  If you want us to stop or restrict us using your personal data, or you want us to erase it entirely, please let us know. There are times when we may not be able to do this – for example, if the data is related to a contract between us, or if the law says we need to keep your personal data for a certain amount of time.

                                                                                                                                                                  You can also ask us to stop using your personal data for direct marketing purposes and you can opt out of marketing at any time:

                                                                                                                                                                  On emails: by clicking ‘opt out’ or ‘unsubscribe’ (usually at the bottom of the email).

                                                                                                                                                                  Online:

                                                                                                                                                                  • Credit cards customers: by logging in to your Tesco Bank Online Banking, selecting your credit card and going to ‘Manage account > Manage your account > Manage marketing and credit limit increase preferences’.
                                                                                                                                                                  • For customers who do not have a credit card: by logging in to your Tesco Bank Online Banking, selecting your account and going to ‘Manage account > Your preferences > Change marketing preferences’

                                                                                                                                                                  By phone: by calling us on one of the numbers for your product(s) here and asking the customer service representative to opt you out of marketing.

                                                                                                                                                                    You can ask us to transfer your personal data in an electronic format to you, or to another organisation (for example, another bank or insurer).

                                                                                                                                                                      An automated decision is one that is made by our systems rather than by a person. The benefit of automated decision-making is that we can quickly make key decisions.

                                                                                                                                                                      We also use automated decision-making:

                                                                                                                                                                      • to make decisions about whether to lend you credit;to make decisions about whether to lend you credit;
                                                                                                                                                                      • in our financial crime checks.in our financial crime checks.

                                                                                                                                                                      Automated decision-making helps us to decide things like how likely it is that you will pay back the money we lend. It takes into account factors such as the amount of debt someone has, and how they have paid off debts in the past.

                                                                                                                                                                      You have the right to:

                                                                                                                                                                      • express your concerns and object to a decision taken by purely automated means;express your concerns and object to a decision taken by purely automated means;
                                                                                                                                                                      • request that a person reviews that decision.request that a person reviews that decision.

                                                                                                                                                                      If you would like us to review a decision we have made about you, such as declining an application, please let us know.

                                                                                                                                                                        You have the right to object to our use of your personal data. If you do, we'll consider your objection to decide if your rights outweigh our interests in using your personal data. You can then ask us to either restrict our use of your data or delete it. In almost all cases relating to marketing, we'll stop using that data at your request.

                                                                                                                                                                        To withdraw your consent to use your personal data, you can contact us at any time.

                                                                                                                                                                          Changes to this privacy policy

                                                                                                                                                                          This privacy policy will be reviewed and updated from time to time. We will contact you if there are any important changes which impact how we use your personal data. If we need to give you the opportunity to opt out, we will give you time to do this before we make any changes to the way we use your personal data.

                                                                                                                                                                          Last updated: January 2024