CARDMEMBER PRIVACY STATEMENT
WHAT IS THIS DOCUMENT?
American Express® (American Express Services Europe Ltd.) is committed to protecting your privacy. For the contact details of our Data Protection Officer
please see the “Query or Complaint” section.
In this Cardmember Privacy Statement we describe how American Express, in its capacity as controller, collects, uses, shares, and keeps Personal
Information about you in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation when you request our products or
services and we explain the choices that are available to you. This Cardmember Privacy Statement includes specific details about how we use information
tied to your card and related services.
If you interact with us online, there is a separate Online Privacy Statement available on the American Express Privacy Centre at americanexpress.co.uk
that describes how we collect, use, share and keep Personal Information about you in that context. It is not specific to our products or services. It applies
whenever we collect information online through: (i) services we operate such as our websites and mobile “apps”; (ii) services or content we offer on third
party platforms, such as our electronic communications, social media pages, voice assistant apps, and digital ads and (iii) for any other services or content
linked to or referenced in the Online Privacy Statement.
The information collected under this Cardmember Privacy Statement explains how we use your Personal Information to provide cards and for related
services. This Personal Information will be used with information we collect about you online. We therefore ask that you consider the Online Privacy
Statement alongside this Cardmember Privacy Statement.
From time to time, we may change this privacy statement. If it’s a material change we will need to tell you about it. We’ll either do that by contacting you in
writing (to ask you to read the updated version) or by making it clear when you visit our website, americanexpress.co.uk, that it’s been updated.
INFORMATION COLLECTED
Personal Information is any information relating to you as an identified or identifiable natural person, such as your name, addresses, telephone number,
and email address and other information specific to you such as demographic details, employment details, your income and/or transaction information.
We will only collect Personal Information that is reasonably necessary for our business. The types of information we collect will depend on which product
or service you request or use.
We collect your Personal Information from different sources depending on which product or service you request or use. For instance, we collect Personal
Information about you from:
the application form for a card account and other information you directly provide to us;
when you request or utilise products, goods or services (such as when you use your card to make transactions with merchants, ATM operators, use
concierge services or book travel);
publicly or commercially available records or databases;
checks at credit reference agencies and fraud prevention organisations including personal and business records (if relevant) (for more information,
please see the “Credit Reference Agencies and Fraud Prevention” section);
you, through the way you communicate with us and use your account (such as information provided during servicing calls);
any research, surveys or competitions you enter or respond to or any marketing offers for which you register; and
third parties, such as marketing lists which we lawfully obtain from Business Partners (i.e., third parties with whom we conduct business or have
a contractual relationship, such as co-brand partners or merchants), or information we receive from open banking providers (such as account
information that you authorise such providers to collect from your bank, which is subsequently shared with American Express for the purpose of
completing our underwriting verifications to issue you with a card).
In some limited instances and in accordance with applicable laws, we may also collect special categories of Personal Information, including information
regarding health (such as food allergies or details of a disability or condition which may affect your ability to travel or the way we manage your account), or
biometric data (such as your voice ID).
In addition, we also collect digital data, such as your IP address or other information about your online interactions, as described in the Online Privacy
Statement.
USE OF INFORMATION
We use your Personal Information either on its own or combined with other information. We need a “lawful reason” under data protection laws to process
your Personal Information, which are as follows: (i) where it is necessary for the performance of a contract; (ii) where necessary for our legitimate interests,
such as to prevent fraud, enhance our products or services and for certain marketing communications (including when we give an opt-out opportunity); (iii)
where we have obtained your consent, such as for marketing purposes when you opt-in; or (iv) for compliance with legal obligations, such as for the due
diligence that financial institutions are required to perform before approving card accounts. Please note that we consider and balance any potential impact
on you and your rights before processing your Personal Information for our legitimate interest.
More specically, we use your Personal Information:
(i) To administer our contractual relationship with you and deliver products and services, including to:
process applications for our products, including making decisions about whether to approve your application;
administer and manage your account, such as whether to process, approve and complete individual transactions;
provide location-based services you may request;
communicate with you through email, SMS or any other electronic methods, by post and/or phone about your accounts, products, and services;
update you about new features and benefits attached to the products or services that you requested;
service and manage any benefits and insurance programmes provided along with the products or services that you requested;
answer questions submitted to us by you and respond to your requests; or
provide you with open banking services (for more information, please see the “Open Banking” section).
(ii) For our legitimate interest or for the legitimate interests of a third party, to:
market products and services which we think you will be interested in based on your relationship with us (by email, SMS or telephone (for example -
if you call us)), if you are an existing or potential customer. We would do this only where the law allows for this on the basis of opt-out;
advertise and market products and services for the American Express Group (i.e., any affiliate, subsidiary, joint venture, and any company owned or
controlled by American Express) and our Business Partners, including to present content that is personalised and tailored to your preferences and
interests, including targeted advertising across multiple devices or showing you offers in your Manage Your Card Account (MYCA) environment;
improve your customer experience, for instance:
when interacting with some of our partners available in your card benefits programme, we may connect to your Membership Rewards account
(if applicable) and, depending on your card product, enable you to use Membership Rewards points to pay for products or services;
when you set up a recurring payment with merchants accepting our cards, we may disclose your Personal Information (such as your card
expiration date, card number, changes, account updates including if your account is cancelled) to those merchants for them to update your
card/account details. This will allow your recurring payments to continue without disruption. If you do not want us to share such Personal
Information, you can contact us – please see the “Query or Complaint” section;
by providing a more appropriate service and/or protecting your best interests by making reasonable adjustments, such as sending you
information in an appropriate format;
improve our products and services, including to:
better understand our customers, their needs, preferences and behaviours; place you in groups with similar customers to make predictions
about you, deliver more personalized services and help determine whether you may be interested in new products or services;
help us better understand your financial circumstances and behaviour so that we can make decisions about how we manage your existing
accounts and what other products or services can be extended to you;
analyse whether our ads, promotions and offers are effective;
monitor and/or record your telephone calls with us or our Service Providers to ensure consistent servicing levels (including staff training) and
account operations;
conduct research and analysis, including to:
allow you to give feedback by rating and reviewing our products and services and those of our Business Partners;
produce data analytics, statistical research, and reports on an aggregated basis;
manage our business risks such as fraud, credit, operational, regulatory, reputational and security risks (using automated processes and/or manual
reviews) including to:
review and approve individual transactions including those you make through digital channels;
conduct testing (to ensure security and when we update our systems), data processing, website administration and information technology
system support and development;
detect and prevent fraud or criminal activity and complete Know Your Customer (KYC) screening and monitoring;
safeguard the security of your information;
develop and refine our risk management policies, models and procedures for applications and customer accounts, relying upon information in your
application or relating to your creditworthiness and account history (if applicable); and
inform our collection practices and share information with credit-reference agencies and fraud-management agencies (for more information,
please see the “Credit Reference Agencies and Fraud Prevention” section).
(iii) With your consent (note you will always know when we are relying on your consent to use your personal data as we will ask you for opt-in permission
first), to:
market our products and services to you;
send you ads, promotions, and offers by e-mail, SMS, or other electronic means about products and services from the American Express Group and
those of our Business Partners; or
use special categories of information, such as your biometric data to identify you, your health data or life circumstances to provide a more
appropriate service and/or protect your best interests (though note sometimes we may process health data and other information about life
circumstances for substantial public interests reasons to protect economic wellbeing, in which case we won’t need to ask for your explicit consent).
(iv) To comply with applicable laws and regulations, including:
to establish, exercise, or defend legal rights or claims and assist in dispute resolution;
for reasons of substantial public interest for security verification and fraud prevention purposes (for example, using your biometric information such
as your voice print to verify you); or
to comply with legal and regulatory obligations (such as performing due diligence on you before approving your application).
OPEN BANKING
We may use your Personal Information to provide our open banking services, such as:
providing you with consolidated information on the payment account(s) that you hold with one or more bank(s) or payment institution(s); or
contacting your bank to perform a credit transfer to a merchant, for example, when you use our Pay With Bank Transfer service (which may allow
you to pay for any purchase made on a participating website directly from your bank account, with your money being sent directly to the merchant’s
bank account).
In this context, we will process your Personal Information to provide you with the regulated open banking services or as otherwise described in the “Use of
Information” section.
AUTOMATED DECISION MAKING
We may use fully automated processes to help us make certain decisions, including to evaluate certain attributes about you to provide our services. For
example, we may use such processes to:
assess security risks, detect and manage fraud;
process card applications; or
assess credit risks, including to check if you meet our eligibility criteria and decide whether we can issue you a card.
This is known as “automated decision making”. These decisions are based on information that we lawfully obtain, such as information that you provided in
your application form (including your reported income), your payment history with American Express, and information we obtain from third parties, such as
credit bureaus. We also look at digital data (such as information about your device, browser, or patterns in your online interactions with American Express)
to help us detect fraud. These methods are regularly tested to ensure that they remain fair, effective and unbiased.
Some of those decisions that are made solely by automated means have legal effects or similar effects, such as the denial of credit or card applications or
receiving credit line approval. However, we will only perform such processing if it’s:
necessary for entering into or performing a contract between you and American Express;
authorized by a law to which American Express is subject and which also lays down suitable measures to safeguard your rights and freedoms and
legitimate interests; or
based on your explicit consent to such processing.
Where we use automated decision making for entering into or performing a contract with you, or based on your consent, you have the right to contest the
decision made and request human intervention. Please see the section “Your Rights” for more information about your rights related to automated decision
making.
INFORMATION SHARING
We do not share your Personal Information with anyone except as described below. We will share your Personal Information only with your consent or as
required or permitted by applicable law, such as with:
credit reference agencies and similar institutions to report or ask about your financial circumstances, and to report debts you owe to us (for more
information, please see the “Credit Reference Agencies and Fraud Prevention” section below);
police, regulatory authorities, courts, and governmental agencies to comply with legal orders, legal or regulatory requirements, and law enforcement
requests;
collecting agencies and external legal counsel to collect debts on your account;
our Service Providers who perform services for us and help us manage your account and/or operate our business (i.e., any vendor, third
party and/or company that provides services or performs business operations on our behalf such as communications services, marketing, data
processing and outsourced technology, servicing, ad management, auditors, consultants and professional advisors such as external legal counsel
and accountants);
companies or other lines of products and services within the American Express Group;
Business Partners, such as parties that accept American Express branded cards for payments of goods/services purchased by you (i.e.,
merchants), your bank, building society or other payment card issuers to provide, deliver, offer, customise or develop products and services to you,
and address or resolve claims. We will not share your contact information with Business Partners for them to independently market their own
products or services to you without your consent. However, we may send you offers on their behalf with your consent. Please note that if you take
advantage of an offer provided by a Business Partner and become their customer, they may independently send communications to you. In this
case, you will need to review their privacy statement and inform them separately if you wish to decline receiving future communications from them;
any party approved by you, such as third parties for the provision of open banking and related services upon your request, for example where you
seek to connect your account information to another platform or to initiate payments from other accounts;
our loyalty partners to connect your Membership Rewards account (if applicable) and dependent on your card product, with any partners available
in your card benefits programme; or
anyone to whom we transfer or assign our contractual rights.
SUPPLEMENTARY CARDMEMBERS
Prior to providing us with any Personal Information belonging to another person, including Supplementary Cardmembers (i.e., other persons you have
authorised with additional cards on your account), please ask that individual to review this privacy statement and confirm their acknowledgement of the
processing of their information as described in this notice.
The provisions of this privacy statement apply to any Supplementary Cardmember(s) who you have approved to use your account. Where you have
approved the issue of a Supplementary Card:
we will use the information of a Supplementary Cardmember to process their application, issue their card, manage the account, and comply with
our legal or regulatory obligations; and
the Supplementary Cardmember may need to provide us with your Personal Information for identity verification when they contact us about
activating or using their card, register for on-line services and access new or updated services and benefits.
Supplementary Cardmembers will not be permitted to make any alteration to any of your Personal Information unless you have provided us with your
consent for them to do so.
CREDIT REFERENCE AGENCIES AND FRAUD PREVENTION
We will exchange your Personal Information as part of customer due diligence and to prevent fraudulent conduct or behaviour that contravenes
international sanctions and to comply with regulations against money laundering, terrorism financing and tax fraud with Credit Reference Agencies (CRAs)
and Fraud Prevention Agencies (FPAs). We may obtain Personal Information about you from these agencies including, where relevant, your household
(such as your spouse), and any business in which you are involved (including details of your co-directors or partners in business).
For these purposes you may be treated as financially linked to such persons (“financial associates”) and you will be assessed with reference to their
“associated records”. You must be sure that you have your financial associates’ agreement to disclose information about them.
When you apply
If you are a director of a business, we will seek confirmation from CRAs that the residential address that you provide is the same as that shown on the
restricted register of directors’ usual addresses at Companies House. CRAs will record information about your business and its proprietors and may create
a record of the name and address of your business and its proprietors if there is not one already.
During the lifetime of your account
We will continue to make searches at CRAs to assist in managing your account and this will include looking at the associated records of your financial
associates. These searches will not be seen or used by other organisations to assess your ability to obtain credit. We will also carry out further credit checks
whilst any money is owed by you on your account (including contacting your bank, building society or any referee approved by you).
We may tell CRAs the current balance on your account and we may tell them if you do not make payments when due.
They will record this information on your personal and business credit files (as applicable) and it may be shared with other organisations for the purpose
of assessing applications from you, and applications from any other party with a financial association with you, for credit or other facilities, for other risk
management purposes and for preventing fraud and tracing debtors. Failure to make repayments may impair your credit rating. Records shared with CRAs
remain on file for 6 years after they are closed whether settled by you or defaulted.
We will analyse your Personal Information to assist in managing your account and to prevent fraud or any other unlawful activity. If fraud is detected, you
could be refused certain services, finance or employment. We and other organisations, including FPAs, may access and use your Personal Information to
prevent fraud and money laundering and to verify your identity, for example, when:
verifying the information you provide on applications for insurance, credit and credit related or other facilities;
managing credit, credit related accounts or facilities, and insurance policies;
recovering debt; or
checking details on applications, proposals and claims for all types of insurance.
We and other organisations may access and use from other countries the information recorded by FPAs.
For additional information about how CRAs gather and use your Personal Information, please review the Credit Reference Agency Information Notice
(CRAIN) at:
https://www.transunion.co.uk/legal/privacy-centre/pc-credit-reference
www.equifax.co.uk/crain
www.experian.co.uk/crain
You are entitled to access your personal records held by credit and fraud prevention agencies. You can contact the CRAs currently operating in the UK; the
information they hold may not be the same so it is worth contacting them all.
TransUnion, One Park Lane, Leeds, West Yorkshire, LS3 1EP or call 0330 024 7574 or email consumer@transunion.co.uk
Equifax Limited, Customer Service Centre PO Box 10036, Leicester, LE3 4FS or call 0800 014 2955 or 0333 321 4043 or email 0333 321 4043
Experian, PO BOX 9000, Nottingham, NG80 7WP or call 0344 481 0800 or 0800 013 8888 or email https://www.experian.co.uk/consumer/contact-us/index.html
Further information about how your Personal Information may be used by CRAs and FPA is available upon request – please write to American Express
Services Europe Ltd, Dept. 2007, Upper Ground Floor, 1 John Street, Brighton BN88 1NH or review the Credit Industry Fraud System (CIFA)’s Fair Processing
Notice (FPN) at https://www.cifas.org.uk/fpn.
INTERNATIONAL TRANSFER OF DATA
Where necessary, and unless prohibited by applicable law, we’ll transfer your Personal Information to other countries and regulatory authorities in other
countries. Some of these jurisdictions may not provide the same level of protection for Personal Information as provided in the United Kingdom. Some
countries will have different data protection laws. This includes transfers to countries outside of the United Kingdom, such as to the United States where our
main operational data centres are located. We do so to operate our business, process transactions on foreign purchases, administer your account and to
provide our products and services to you.
Keep in mind, no matter where we process Personal Information about you, we’ll always protect it in the manner described in our privacy notices and in
accordance with applicable laws. When we transfer your Personal Information to certain countries outside the United Kingdom, we are required to put
in place an “appropriate safeguard”. For example, when we share Personal Information with other companies within the American Express group that are
outside the United Kingdom, we ensure an adequate level of protection through our Binding Corporate Rules, which are available within
the American Express Privacy Centre on our website. You can request further information on where to find a copy of the other appropriate safeguards in
place by contacting our Data Protection Officer.
When we share your Personal Information with third parties outside the United Kingdom we include appropriate contractual protections in those
agreements, where required by applicable law. If we are dealing with public authorities or regulators we won’t need to have contractual protections in place
but that doesn’t mean your data is not protected by appropriate security measures when it’s transferred.
In addition, we assess whether other additional technical and organizational measures are required for these transfers i.e. those which are to third parties
other than public authorities and regulators and which do require appropriate contractual protections.
SECURITY
We use organisational, administrative, technical and physical security measures to safeguard your Personal Information and to help ensure that your
information is processed promptly, accurately and completely. We require Service Providers to safeguard your Personal Information and only use your
Personal Information for the purposes we specify.
RETENTION OF INFORMATION
We will keep your Personal Information only as long as we need to deliver the products and services that you requested, unless we are required to keep it
for longer periods because of law, regulation, litigation or regulatory investigation purposes.
For example, your Personal Information will be stored by American Express for 7 years after you close your account, due to Inland Revenue requirements.
If your account is in default, and the balance remains unpaid or unsettled, in accordance with fair lending practices and our risk and debt recovery policies,
this information could be retained by us for longer periods of time and considered if you choose to apply for American Express products in the future.
When your Personal Information is no longer necessary for legal or regulatory needs, to administer your account or to deliver the products and services
you have requested, we will securely destroy such information or permanently de-identify it. For more information about our data retention practices, you
can contact us – please see the “Query or Complaint” section.
ACCURACY OF YOUR INFORMATION
We encourage you to check regularly that all Personal Information held by us is accurate and up to date. If you believe that any information we hold about
you is incorrect or incomplete, you may ask us to correct or remove this information from our records. We recommend that you go to americanexpress.co.uk,
log in, and update your Personal Information. If you prefer, you can contact us – please see the “Query or Complaint” section. Any information which
is found to be incorrect or incomplete will be corrected promptly.
YOUR RIGHTS
You have the right to access, update, restrict, port, erase or object to the processing of your Personal Information. More specifically, you have the right to:
withdraw your consent for our use of your Personal Information at any time, where our processing is based on your consent;
in certain circumstances, erase, restrict and/or object to the use of your Personal Information;
request a manual review of certain automated processing activities that may impact your legal or contractual rights or that may have a similarly
signicant eect;
receive your Personal Information in a structured, commonly used and machine-readable format and/or transmit such data to another controller;
and
request a copy of your Personal Information we have about you (often referred to as a “data subject access request” or “DSAR”).
If you want to exercise any of your rights, click here.
If we receive a request from you, we will respond as soon as possible but no later than one calendar month except as follows. If, due to the nature or
circumstances of your request, we can’t meet that deadline, we may extend it by up to a further two months (complex requests). In such case, we will send
you an email or letter explaining the cause of the delay. Please note that your request will be free of charge, except in certain circumstances if it incurs
additional cost to our company such as when it’s unfounded or excessive, i.e. when the law allows us to charge a fee (we’ll explain this at the time before
processing the request if this is the case).
If you have any questions about how we process your Personal Information, you can contact us – please see the “Query or Complaint” section.
MARKETING CHOICES
You can choose how you would like to receive marketing communications, including direct marketing - whether we send them to you through postal mail,
email, SMS and/or telephone. See above section for our lawful reasons which justify using your information to send you marketing communications. The
lawful reasons for sending direct marketing communications to you will differ depending on a number of factors, including the marketing channel used (e.g.
SMS, email, telephone), whether we have an existing relationship with you if you are an individual customer, or if you are a business customer.
If after making your preferences you wish to opt out of receiving marketing from the American Express Group, we recommend you go to americanexpress.co.uk,
log in, and update your privacy preferences. If you prefer, you can also contact us – please see the “Query or Complaint” section below. If you choose
to not receive marketing communications from us, we will honour your choice.
Please be aware that if you choose not to receive such communications, certain offers attached to the products or services you have chosen could be
affected.
We will still communicate with you in connection with servicing your account, fulfilling your requests, or administering any promotion or program in which
you have elected to participate. These communications are necessary to provide the service you expect to receive from us and you may not opt out of
receiving them.
QUERY OR COMPLAINT
If you have questions about this Cardmember Privacy Statement or how your information is handled or wish to make a complaint or exercise your rights,
call us at the free phone number on the back of your card, or please contact our Data Protection Officer at amexukdpo@aexp.com. You may also write to
American Express Services Europe Limited, Dept. 2007, Upper Ground Floor, 1 John Street, Brighton, East Sussex, BN88 1NH.
You also have the right to lodge a complaint with the local Supervisory Authority, which in the UK is the Information Commissioner’s Office (“ICO”). You can
contact the ICO directly at www.ico.org.uk. If your request is not resolved to your satisfaction, you may also take your case to the court where you live, work
or where there may have been an infringement.
American Express Services Europe Limited has its registered office at Belgrave House, 76 Buckingham Palace Road, London
SW1W 9AX, United Kingdom. It is registered in England and Wales with Company Number 1833139 and is authorised and
regulated by the Financial Conduct Authority. Where American Express Services Europe Limited Cards are issued in the UK
but obtained within the European Economic Area, local rules may apply to the way that it conducts its business which can be
enforced by that country's applicable regulatory authority.
05/23