LAST UPDATED: 4 January 2024

HSBC Innovation Bank Limited ("HSBC Innovation Banking," "we," or "us") wants you to be familiar with how we collect, use, and disclose data.

On 10 March 2023, HSBC Innovation Banking (previously known as Silicon Valley Bank UK Limited or “SVB UK”) was acquired by HSBC UK Bank plc under the Banking Act 2009. Prior to this, HSBC Innovation Banking was wholly owned by Silicon Valley Bank. On 27 March 2023, Silicon Valley Bridge Bank, N.A. was acquired by First Citizens Bank.

As HSBC Innovation Banking fully transitions to HSBC Group, further updates will be made to this Privacy Notice.

1. SCOPE AND APPLICATION

   This section sets out the applicability of this Privacy Notice and provides links to other applicable notices.

2. THE DATA WE COLLECT ABOUT YOU

   This section describes the type of data we collect about you.

3. HOW WE COLLECT YOUR PERSONAL DATA

   This section describes how we collect the Personal Data.

4. HOW WE USE YOUR PERSONAL DATA

   This section describes how we use your Personal Data.

5. HOW WE DISCLOSE YOUR PERSONAL DATA

   This section explains how we disclose your Personal Data.

6. SECURITY

   This section describes the measures we have in place to protect your Personal Data.

7. YOUR RIGHTS AND CHOICES

   This section describes the choices and individual rights that you may have with respect to your Personal Data.

8. RETENTION PERIOD

   This section addresses the measures we have in place for retaining Personal Data.

9. THIRD-PARTY SERVICES

   This section explains that we are not responsible for the information use, disclosure, security, and other practices of third parties.

10. USE OF THE SERVICES BY MINORS

    This section explains that our services are not directed to individuals under the age of sixteen (16).

11. JURISDICTION AND CROSS-BORDER TRANSFER

    This section addresses where Personal Data may be processed, and it identifies the measures in place for our transfer of Personal Data outside of the EEA and the UK.

12. UPDATES TO THIS PRIVACY NOTICE

    This section explains that we may update this Privacy Notice from time to time and directs our users to the "Last Updated" legend above to learn when the notice was last updated.

13. CONTACT US

    This section includes our contact details.

This Privacy Notice describes our practices in connection with data that we collect through:

• websites operated by us from which you are accessing this Privacy Notice;
• software applications made available by us for use on computers and mobile devices ("apps");
• our social media pages;
• email messages that we send to you that link to this Privacy Notice; and
• any communications and interactions we have with you.

"Personal Data" is data that identifies you as an individual or relates to you as an identifiable individual. We may collect the following kinds of Personal Data about you:

• Identity Data, including name, username or similar identifier, date of birth, gender, marital status, and title.
• Contact Data, including postal address, email address, and telephone numbers.
• Financial Data, including bank account and payment card details.
• Identification Data, such as National Insurance number, driver's licence or passport numbers.
• Transaction Data, including details about payments to and from your bank accounts and other details of products and services you have purchased from us.
• Device Data, including your Internet Protocol (IP) address, your login data, the domain and host from which you access the Internet, the date and time you access our online properties, browser and operating system data and the Internet address of the site from which you linked to our website.
• Profile Data, including your username and password and your transactions, interests, communications and other preferences, feedback, and survey responses.
• Usage Data, including data about how you use our websites and apps, products, and services.
• Biometric data, including fingerprints, voice recordings or keystroke patterns.
• Derived device geolocation information, such as approximate geographic location inferred from an IP address.
• Marketing and Communications Data, including correspondence and other communications for the purposes of providing client support and your communication preferences.

We may change your data in a way that makes it unrecognisable as your Personal Data, and it will no longer be considered Personal Data. To the extent that the data we collect is not considered Personal Data under applicable law, we may use and disclose it for other purposes.

Please do not send us any sensitive Personal Data if you are not a client. This includes National Insurance numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background, or trade union membership.

If you disclose any Personal Data relating to other people (such as our clients' beneficial owners) to us, you represent that you have the authority to do so and to permit us to use the data in accordance with this Privacy Notice.

We collect Personal Data when you choose to provide it to us, such as when you apply to open an account with us and receive banking or other services for personal, family, or household purposes or on behalf of your employer. We also collect Personal Data when you sign up to use our services or receive our publications; request marketing material to be sent to you; complete a survey or questionnaire; contact customer service or otherwise communicate with us; or provide us with feedback.

We also collect certain Personal Data automatically from your interactions with our online properties, including:

• Through your browser or device. Certain data is collected by most browsers or automatically through your device, such as your Media Access Control (MAC) address, computer type, screen resolution, operating system name and version, device manufacturer and model, language, Internet Protocol (IP) address, and browser type and version. We use this data to ensure that our online services function properly. We may also derive your approximate location from your IP address.
• Through your use of our apps. When you download and use one of our apps, we may track and collect app usage data, such as the date and time the app on your device accesses our servers, in order to ensure that the app functions properly and to understand how it is used.
• Through the use of cookies and similar tracking technologies. If you interact with us online, you may encounter cookies. There will be a cookie notice you can read to learn how we use cookies and similar tracking technologies on our digital properties, including for analytics and advertising purposes. We do not currently respond to browser do-not-track signals.
• Physical Location. We may collect the physical location of your device by, for example, using satellite, cell phone tower, or Wi-Fi signals, for fraud prevention and in order to provide you with personalised location-based services and content. You may be able to manage the collection settings of your device's location.

In addition, we receive your Personal Data from other sources, such as third parties and publicly available sources, including, for example, social media platforms, publicly available databases, government agencies, credit reference agencies, fraud prevention agencies, and financial crime prevention agencies, third party providers that help us to prevent or detect fraud, consumer reporting agencies, specialist data and research companies, and event or joint marketing partners.

We may also receive your Personal Data from: (i) Silicon Valley Bridge Bank, N.A. (“SVBB”) and its affiliates; (ii) First Citizens BancShares, Inc. (“First Citizens Bank”) and its affiliates; and/or (iii) HSBC Holdings plc (“HSBC”) and its affiliates.

Most commonly, we will use your Personal Data in the following circumstances:

• Where we need to perform the contract we are about to enter into or have entered into with you.
• Where we need to comply with a legal or regulatory obligation.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

Generally, we do not rely on consent as a legal basis for processing your Personal Data. However, in relation to sending direct marketing communications to you, we may rely on legitimate interests or consent. If you do not want to receive marketing materials, you may opt out of those marketing communications at any time by following the opt-out instructions contained in the marketing messages or by contacting us.

We have set out in the table below a description of the ways we use your Personal Data and which of the legal bases we rely on to do so. We have also identified our legitimate interests, where appropriate.

We may process your Personal Data on more than one lawful ground, depending on the specific purpose for which we are using your data. Please contact us if you would like details about the specific legal basis on which we rely, if more than one is set out in the table below.

Purpose/Activity	Type of data	Legal basis for Processing
To register you or your employer as a new client	(a) Identity (b) Contact (c) Identification	Performance of a contract with you or your employer (our client)
To provide banking and other services to you or your employer (our client): (a) Manage payments, fees and charges (b) Collect and recover money owed to us	(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications	(a) Performance of a contact with you or your employer (our client) (b) Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you or your employer (our client) which will include: (a) Notifying you about changes to our terms or privacy notice (b) Asking you to leave a review or take a survey	(a) Identity (b) Contact (c) Profile (d) Marketing and Communications	(a) Performance of a contract with you or your employer (our client) (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how clients use our products/services)
To enable you to partake in a competition or complete a survey	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications	(a) Performance of a contract with your employer (our client) (b) Necessary for our legitimate interests (to study how clients use our products/services, to develop them and grow our business)
To administer and protect our business and our online properties (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Identity (b) Contact (c) Device	(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To deliver relevant online content and marketing to you and measure or understand the effectiveness of the marketing we serve to you	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Device	(a) Necessary for our legitimate interests (to study how clients use our products/services, to develop them, to grow our business and to inform our marketing strategy) (b) With your consent, where required by applicable law
To use data analytics to improve our online properties, products/services, marketing, client relationships and experiences	(a) Device (b) Usage	Necessary for our legitimate interests (to define types of clients for our products and services, to keep our online properties updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about products/services that may be of interest to you	(a) Identity (b) Contact (c) Device (d) Usage (e) Profile	Necessary for our legitimate interests (to develop our products/services and grow our business)

Prevention and Detection of crime. In addition to the above, we may process your Personal Data (including but not limited to records of any conversations or communications you have with us) for the purpose of preventing and detecting crime including, for example, fraud, terrorist financing and money laundering. This will include monitoring, mitigation and risk management, carrying out customer due diligence, name screening, transaction screening and customer risk identification. We do this to comply with our legal obligations and because it’s in our legitimate interest. We may share your information with relevant agencies, law enforcement and other third parties where the law allows us to for the purpose of preventing or detecting crime. Also, we and other financial institutions may take steps to help prevent financial crime and manage risk. We’ll do this because we have a legitimate interest, a legal obligation to prevent or detect crime or it’s in the public interest. We may be required to use your information to do this, even if you’ve asked us to stop using your information. That could include (among other things):

• screening, intercepting and investigating any payments, instructions or communications you send or receive (including drawdown requests and application forms);
• investigating who you’re paying or who’s paying you, for example, checks on payments into and out of your account and other parties related to those payments;
• passing information to relevant agencies if we think you’ve given us false or inaccurate information, or we suspect criminal activity;
• combining the information we have about you with information from other HSBC companies to help us better understand any potential risk; and
• checking whether the people or organisations you’re paying or receiving payments from are who they say they are and aren’t subject to any sanctions.

Use of automated systems to help us make decisions about you

We may use automated systems to help us make some of our decisions, for example, when you apply for products and services, to make credit decisions and to carry out fraud and money laundering checks. We may also use technology to help us identify the level of risk involved in customer or account activity, for example, for credit, fraud or financial crime reasons, or to identify if someone else is using your card or account without your permission. You may have a right to certain information about how we make these decisions and to ask for a decision to be made by a person instead of a computer. Please see Section 7 (“Your Rights and Choices”) below for further information.

We disclose Personal Data:

• To third party organisations and public bodies, including law enforcement agencies, to help with preventing and detecting fraud, tax evasion and financial crime.
• To credit reference agencies who will carry out credit and identity checks (please see Section 11 below for further details).
• To fraud prevention agencies (including but not limited to CIFAS) who will also use your Personal Data to detect and prevent fraud and other financial crime and to confirm your identity (please see Section 11 below for further details).
• To our affiliated service providers, pre-acquisition affiliated service providers, and third party service providers, to facilitate services they provide to us in connection with the uses described in Section 4.
  • Our affiliated service providers within HSBC and its affiliates, our pre-acquisition affiliated service providers within SVBB and its affiliates and First Citizens Bank and its affiliates, and our third-party service providers are based in U.K. and overseas, and they may provide information technology, system administration, and other services to us.
  • Our service providers may also provide such services as website hosting, data analysis, customer service, email delivery, and auditing.
  • We may disclose Personal Data to our card processing suppliers to carry out credit, fraud, and risk checks, process your payments, issue and manage your card.
• To our affiliates within the wider HSBC Group, to permit them to (a) send you marketing communications and/or (b) use your Personal Data (i) to perform a contract that the relevant HSBC Group affiliate is about to enter into or has entered into with you, (ii) where the relevant HSBC Group affiliate needs to comply with a legal or regulatory obligation (including for, but not limited to, the purposes of meeting its legal, regulatory and/or policy requirements in respect of countering financial crime risks) or (iii) where it is necessary for the relevant HSBC Group affiliate’s legitimate interests, but only where your interests and fundamental rights do not override those interests . Where we share your Personal Data with an HSBC Group affiliate, the terms of the relevant HSBC Group affiliate’s Privacy Notice shall apply to any processing of your Personal Data that it carries out.

We also use and disclose your Personal Data as necessary or appropriate, in particular when we have a legal obligation or legitimate interest to do so:

• To comply with applicable law and regulations.
  • These may include laws outside your country of residence.
• To cooperate with law enforcement and government authorities.
  • To respond to a request or to provide information when we believe necessary or appropriate.
• For other legal reasons.
  • To enforce our terms and conditions or other agreements with our users and customers; and
  • To protect our rights, privacy, safety, or property, and/or that of our affiliates, you, or others.
• In connection with a sale or business transaction.
  • We have a legitimate interest in disclosing or transferring your Personal Data to a third party in connection with a reorganisation, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, assets, or stock (including in connection with any bankruptcy or similar proceedings). After the transfer is complete, if all or part of our assets are sold, then your Personal Data may be transferred to the new owner so services can continue to operate.

We use reasonable organisational, technical, and administrative measures to protect Personal Data within our organisation. Unfortunately, no data transmission or storage system can be guaranteed secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the "Contact Us" section below.

You may opt out from receiving marketing emails from us by following the instructions contained in each email or by contacting us in accordance with the "Contact Us" section below. Even if you opt out of marketing emails from us, we will continue to send you important administrative messages. You may opt out of receiving push notifications from us through the settings of your device.

Depending on your jurisdiction and our relationship with you, you may have certain privacy rights that you can exercise. These rights include the right to request to access, correct, modify, update, restrict processing, revoke consent, or delete Personal Data, to object to or opt out of the processing of Personal Data, or to receive a copy of your Personal Data for purposes of transmitting it to another company. To exercise these rights, you can contact us in accordance with the "Contact Us" section below. We will respond to your request consistent with applicable law.

You may make a privacy complaint with our Data Protection Officer (“DPO”) or with the UK data protection authority (the Information Commissioner’s Office (“ICO”)) or an EEA data protection authority for your country or region where you have your residence or place of work or where an alleged infringement of applicable data protection law has occurred. Information regarding the UK data protection authority is available here: https://ico.org.uk/. A list of EEA data protection authorities is available at https://edpb.europa.eu/about-edpb/board/members_en. We would, however, appreciate the chance to address your concerns before you approach a data protection authority, so please contact us first.

We retain Personal Data for as long as needed or permitted to fulfill the purpose(s) for which it was obtained, including to satisfy any legal, compliance, accounting, or reporting requirements, to help detect or prevent fraud and financial crime, and to answer requests from regulators, and consistent with applicable law. We consider the following when determining our retention periods:

• The length of time we have an ongoing relationship with you and provide our products and services to you (for example, for as long as you have an account with us or continue to use our digital services);
• Whether there is a legal obligation to which we are subject (for example, to keep records of your transactions for a certain period of time);
• Whether retention is advisable in light of our legal position, such as in regard to applicable statutes of limitations, litigation, or regulatory investigations; and
• Our records retention schedule tiers.

This Privacy Notice does not address the privacy, data, or other practices of any third parties, including any third party operating a website or service to which our online services link. The inclusion of a link on our online services does not imply endorsement of the linked site or service by us or our affiliates.

Our services are not directed to individuals under the age of sixteen (16), and we do not knowingly collect Personal Data from, or direct any of our products or service to, individuals under age 16.

Credit Reference Checks

If you apply for new products or services (including credit like a loan), we may carry out credit and identity checks on you with one or more credit reference agencies (“CRAs”). In addition, when you use our banking services, we may also make periodic searches at CRAs to manage your account with us. To do this, we will supply your Personal Data to CRAs and they will give us details about you. This will include information from your credit application and about your financial situation and financial history. CRAs will supply us with both public (including the electoral register) and shared credit information, financial situation, history, and fraud prevention information.

We may use this information to:

• verify your identity;
• assess if we can offer you credit and whether you can afford the product you applied for;
• verify the accuracy of the data you have given us;
• prevent criminal activity, fraud, and money laundering;
• manage your account(s);
• trace and recover debts; and/or
• ensure any offers provided to you are appropriate to your circumstances.

We will continue to exchange information about you with CRAs while you have a relationship with us. We will also inform the CRAs about your repayment history. If you borrow and do not repay in full and on time, CRAs will record the outstanding debt. This information may be supplied to other organisations by CRAs.

When CRAs receive a search request from us they will place a search footprint on your credit file that may be seen by other lenders. If you apply for a bank account or other credit (such as where you apply for a mortgage, loan or credit card) we will get details of your credit history from a CRA (and share information about you with the CRA) and use this information to work out how much you can afford to borrow or pay back. We may use your information to confirm the accuracy of the information you have provided to us, prevent criminal activity, fraud and money laundering, manage your accounts, trace and recover debts and ensure any offers provided to you are appropriate to your circumstances.

If you are making a joint application or tell us that you have a spouse or financial associate, we will link your records together. You should discuss this with them and share this information with them before submitting the application. CRAs will also link your records together and these links will remain on your and their files until you or your partner successfully files for a disassociation with the CRAs to break that link.

In respect of Experian (one of the three CRAs in the UK), it will retain a record of the verification and credit search(es) that has been carried out on our behalf, and will do so in accordance with the terms of its Privacy Notice.

The identities of the CRAs, their role also as fraud prevention agencies, the data they hold, the ways in which they use and share personal information, data retention periods and your data protection rights with the CRAs are explained in more detail on their websites. They have created a joint document called the Credit Reference Agency Information Notice (CRAIN) which is available from each of the three CRAs – going to any of these three links will also take you to the same CRAIN document:

Credit reference agencies:

• Transunion – transunion.co.uk/crain
• Equifax – equifax.co.uk/crain
• Experian – experian.co.uk/crain

To comply with the law and for our own legitimate interest to allow us to assess and manage risk, we can share details about your financial situation and financial history with CRAs, fraud prevention agencies, etc.

This includes your Identity Data, Contact Data and Identification Data for verification purposes, as well as any information on any bank accounts or credit you have with us, including:

• how you manage your accounts or credit;
• if you owe us money;
• if we have concerns about financial crime;
• if you have not kept up with your payments or paid off any amount you owe us (unless there is a genuine dispute over how much you owe us); or
• if you have agreed and stuck to a repayment plan.

The above provisions on credit reference checks will also apply to you if your employer has an account with us and you are listed as a connected person under your employer’s account. In these circumstances, if your employer undertakes any of the activities described above, we may carry out credit and identity checks on you with one or more CRAs, and we may also make periodic searches at CRAs for the purpose of managing your employer’s account.

Fraud Prevention Agencies

We will carry out checks with fraud prevention agencies (including but not limited to CIFAS) for the purposes of preventing fraud and money laundering, and to confirm your identity before we provide products and services to you. These checks require us to process Personal Data about you.

The Personal Data you provide or which we have collected from you, or received from third parties, will be used to carry out these checks in order to prevent fraud and money laundering, and to verify your identity. We will process Personal Data such as:

• your name;
• address;
• date of birth;
• contact details;
• financial information;
• employment details; and
• device identifiers, for example, IP address.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your Personal Data to detect, investigate and prevent crime.

We process your Personal Data on the basis that we have a legitimate interest in preventing fraud and money laundering and to verify your identity. This enables us to protect our business and to comply with laws that apply to us. This processing is also a contractual requirement of any of our products or services you use.

Fraud prevention agencies can hold your Personal Data for different periods of time. If they are concerned about a possible fraud or money laundering risk, your data can be held by them for up to six years.

As part of the processing of your Personal Data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

Consequences of Processing

If we, or a fraud prevention agency, have reason to believe there is a fraud or money laundering risk, we may refuse to provide the services and credit you have requested. We may also stop providing existing products and services to you. A record of any fraud or money laundering risk will be kept by the fraud prevention agencies. This may also be used to enhance fraud detection models and may also result in others refusing to provide services to you or employ you. The information we hold about you could make it easier or harder for you to get credit in the future.

To find out more about the relevant fraud prevention agencies and how they manage your information, please visit each agency directly:

• CIFAS – cifas.org.uk/fpn
• National Hunter – nhunter.co.uk/privacypolicy
• Synectics Solutions Ltd – synectics-solutions.com/privacy
• BioCatch – biocatch.com/privacy-policy
• LexisNexis (ThreatMetrix) – risk.lexisnexis.com/group/privacypolicy

Your Personal Data may be stored and processed in any country where we have affiliates or in which we engage service providers, including affiliated service providers, pre-acquisition affiliated service providers, and third party service providers. You understand that your data will be transferred to countries outside of your country of residence, including to the United States, which may have data protection rules that are different from those of your country. In certain circumstances, courts, law enforcement agencies, regulatory agencies, or security authorities in those other countries may be entitled to access your Personal Data.

ADDITIONAL INFORMATION REGARDING THE EEA AND THE UK: Some non-EEA countries are recognised by the European Commission as providing an adequate level of data protection according to EEA standards (the full list of these “specified” countries is available here.) The UK recognises the EEA and the specified countries as providing an adequate level of data protection according to UK standards. For transfers from the EEA or the UK to countries not considered adequate by the European Commission or the UK government, as applicable, we have put in place applicable measures where necessary, such as standard contractual clauses to protect your Personal Data. You may obtain a copy of these measures by contacting us in accordance with the "Contact Us" section below.

The "LAST UPDATED" legend at the top of this Privacy Notice indicates when this Privacy Notice was last revised. Any changes will become effective when we post the revised Privacy Notice on our online services.

HSBC Innovation Banking, located at Alphabeta, 14-18 Finsbury Square, London EC2A 1BR, is the controller responsible for collection, use, processing and disclosure of Personal Data under this Privacy Notice.

If you have questions about this Privacy Notice, please contact us at email address below. Because email communications are not always secure, please do not include sensitive data in your emails to us. Options to contact us:

By phone:
+44 207 367 7800

By postal mail:
Data Protection Officer (DPO)
HSBC Innovation Banking
Alphabeta
14-18 Finsbury Square
London EC2A 1BR

By email:
innv-dpo@hsbc.com