Privacy Policy of Metropolitan Arvest Bank

This Privacy Policy explains how Metropolitan Arvest Bank ("Metropolitan Arvest Bank", "we", "us" or "our") collects, uses, shares and protects your personal data when you use our banking services, visit our premises, access our websites or otherwise interact with us in England.

1. Who We Are Metropolitan Arvest Bank is a banking institution operating in England. We act as a data controller in relation to the personal data we process about our customers, prospective customers, website visitors, and other individuals who interact with us.

2. Data We Collect We collect and process different types of personal data depending on your relationship with us and the products and services you use, including:

   • Identification data: name, title, date of birth, nationality, identification numbers, and copies of identification documents.
   • Contact details: postal address, email address, phone numbers.
   • Financial information: bank account details, transaction history, payment instructions, credit and debit card details, lending and credit data, income, assets, liabilities.
   • Employment and professional data: occupation, employer, business activities, tax status where required.
   • Regulatory and compliance data: information required to comply with anti‑money laundering (AML), counter‑terrorist financing, sanctions, fraud prevention and other legal obligations.
   • Online and technical data: IP address, device identifiers, login credentials, security logs, cookies and similar technologies, and usage data relating to our digital services.
   • Communication data: records of correspondence, phone calls (where legally permitted and notified), emails, messages, and feedback.

We may also collect data from public sources and trusted third‑party sources, such as credit reference agencies, fraud‑prevention agencies, business partners, and official registers.

3. How We Use Your Data We use your personal data only where we have a lawful basis to do so, including:

   • To provide banking products and services: opening and managing accounts, processing payments and transfers, issuing cards, providing credit and lending services, facilitating deposits, investments, and savings products (including any harvest‑branded or harvest‑themed savings or investment products we may offer), and handling customer support.
   • To comply with legal and regulatory obligations: AML and sanctions screening, fraud prevention, reporting to regulators and authorities, record‑keeping, tax and accounting obligations.
   • To manage our relationship with you: responding to your queries, notifying you about changes to our terms or policy, and maintaining accurate records.
   • To improve our services and security: monitoring performance, developing new products, conducting analytics, maintaining the security of our systems, preventing misuse of our services.
   • For marketing and service communications: sending information about products and services that may be of interest to you, subject to your marketing preferences and applicable law.

4. Legal Bases for Processing We rely on the following legal bases under applicable data protection laws:

   • Performance of a contract: where processing is necessary to provide you with our banking services or to take steps at your request before entering into a contract.
   • Legal obligation: where processing is required to comply with laws and regulations that apply to us.
   • Legitimate interests: where processing is necessary for our legitimate business interests (for example, to manage risk, maintain security and improve our services) and your interests and fundamental rights do not override those interests.
   • Consent: where we rely on your explicit consent for specific activities, such as certain types of electronic marketing; you may withdraw your consent at any time.

5. How We Share Your Data We may share your personal data with:

   • Group entities and affiliates: other entities within our corporate group, where relevant and lawful, for internal administration, risk management and service provision.
   • Service providers: trusted third parties that provide services to us, such as IT providers, payment processors, card issuers, cloud hosting, communication providers, and professional advisers (lawyers, auditors, consultants).
   • Credit and fraud‑prevention agencies: organisations that help us assess creditworthiness, prevent fraud, and reduce financial risk.
   • Regulatory and public authorities: regulators, courts, law‑enforcement agencies, tax authorities and other public bodies where required by law or to protect our rights or the rights of others.
   • Business partners: selected partners involved in providing or distributing our services, including partners in connection with specific savings, investment, or harvest‑branded offerings where applicable.

We require all third parties that process personal data on our behalf to implement appropriate security measures and to process such data only on our instructions and in accordance with applicable data protection law.

6. International Data Transfers Where we transfer your personal data outside the United Kingdom or the European Economic Area, we will ensure that appropriate safeguards are in place, such as adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms, and we will take steps to ensure your data remains protected.

7. Data Security We use a combination of technical and organisational measures to protect your personal data against unauthorised access, accidental loss, alteration, or disclosure. These measures include:

   • Encryption and secure transmission protocols.
   • Access controls and authentication.
   • Physical security of our premises and equipment.
   • Regular testing, assessment and evaluation of the effectiveness of our security measures.

Despite our efforts, no system is completely secure. We therefore cannot guarantee absolute security of your data but commit to taking all reasonable steps to safeguard it.

8. Data Retention We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to meet legal, regulatory, tax, accounting or reporting requirements. The retention period will depend on various factors, including:

   • The nature of the product or service.
   • The duration of our relationship with you.
   • Statutory retention periods under banking and financial regulations. When data is no longer required, we will securely delete or anonymise it.

9. Your Data Protection Rights Depending on applicable law, you may have the following rights in relation to your personal data:

   • Right of access: to obtain confirmation that we process your data and to receive a copy.
   • Right to rectification: to have inaccurate or incomplete data corrected.
   • Right to erasure: to request deletion of your data in certain circumstances.
   • Right to restriction: to request the restriction of processing in certain circumstances.
   • Right to data portability: to receive data you have provided to us in a structured, commonly used and machine‑readable format and to transmit it to another controller, where technically feasible.
   • Right to object: to object to processing based on our legitimate interests or for direct marketing.
   • Rights relating to consent: where processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

To exercise your rights, please contact us using the contact details provided in our customer documentation or on our official website. We may need to verify your identity before responding to your request.

10. Cookies and Online Tracking When you visit our websites or use our online and mobile services, we may use cookies and similar technologies to:

    • Enable the proper functioning of our websites and digital banking services.
    • Remember your preferences and improve user experience.
    • Perform analytics and measure performance. Where required by law, we will ask for your consent before placing non‑essential cookies. You can manage your cookie preferences through your browser or device settings, although some features of our services may not function properly without certain cookies.

11. Marketing Communications We may use your contact details to send you information about our banking products and services, including savings, investment or other harvest‑related offerings we may introduce, in accordance with your marketing preferences and applicable law. You can opt out of marketing communications at any time by following the unsubscribe instructions in the messages you receive or by contacting us directly. Even if you opt out of marketing, we may still send you service and transactional communications relating to your accounts and ongoing services.

12. Children’s Data Our services are generally not directed to children. Where we do process personal data relating to individuals under the age required by law for certain financial products, we will do so only as permitted by applicable law and with appropriate safeguards.

13. Changes to This Privacy Policy We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. When we make material changes, we will take appropriate steps to inform you, such as posting an updated version on our website and updating the effective date.

14. Contact Us If you have any questions about this Privacy Policy, our use of your personal data, or if you wish to exercise your data protection rights, please contact us using the contact details provided on our official Metropolitan Arvest Bank website or through your usual banking channels.

This Privacy Policy applies to Metropolitan Arvest Bank’s activities in England and should be read together with any product‑specific terms and conditions that may also apply.