Privacy notice

We may collect your personal information in a number of ways. For example:

•    from the information you provide to us when you interact with us before becoming a customer of the bank, for example when you express your interest in our services

•    from the further information you provide to us when you become a customer of the bank and sign an agreement to receive products and services from us

•    from a third party who may have introduced you to the bank

•    from social media and publicly available information sources

•    from credit reference agencies and fraud prevention agencies

•    if you contact us by any means, including by email or via forms on our website, we will keep a record of that correspondence

•    if you speak to us on the telephone or via video conference, the call will be recorded, and a copy of the call will be retained, as well as a summary and/or transcript of the call

•    if you interact with our website or other bank tools and systems

•    if you visit our premises, your image may be recorded by our CCTV system.

We collect the following types of personal information about you (and other people, including members of your family, where relevant), depending on your relationship with the bank and/or with HTL:




 

Children’s data
The bank provides services to young customers in the form of a children’s savings account. This will require their data to be processed for anti- money-laundering (AML) purposes before accounts can be opened. For customers under the age of 13, account opening documents will be shared with a parent or guardian rather than with the child directly.

Vulnerable individuals
To best support customers or contacts with additional or particular needs, and to meet our regulatory obligations, we may assign a vulnerable status to individuals. In most instances, details of vulnerability will be shared with us proactively by you or a close contact, but this may also be inferred by the bank if we identify behaviours or patterns that suggest that a person may be vulnerable.

Vulnerability details may include sensitive and, potentially, special category data about you such as health details.
Whenever possible, we will talk to you about this and seek your explicit consent to record and share these details with those colleagues who need to support your relationship. When this is not possible, we will rely on our legitimate interests and reasons of substantial public interest (for example, for safeguarding vulnerable individuals and their economic well-being) to ensure we are supporting you as best we can and to protect you from harm.

Sensitive data
In some circumstances we may process sensitive and special categories of personal information about you (this includes data concerning your health, personal data revealing your racial or ethnic origin, political affiliations, opinions, religious or philosophical beliefs, biometric data, data relating to criminal convictions and offences, or data concerning sex life or sexual orientation).

This may include instances where you share information with us in conversation, for example disclosing health details or your background, which we will typically seek your consent to record. This may also include instances where data is inferred or becomes known through the background checks we perform (such as screening for politically exposed persons or adverse media checks). We will only record this data when it has been manifestly made public by you, or where our use of it is necessary:

•    for reasons of substantial public interest, such as for the protection of vulnerable individuals and their economic well-being
•    where we need to carry out our legal obligations, including to prevent fraud
•    for the establishment, exercise or defence of legal claims.

Biometric data
The bank has security features that use biometric data to verify your identity and to verify your documents. Some of these are included in fraud checks and undertaken by default, while others are available to use should you wish to opt in. These include the bank’s Voice Identification system (ibiometric information) which is used to verify callers on the telephone. This also includes biometric authentication to access mobile banking services and approve transactions, although in this instance this data is not processed by the bank but is kept on your personal device.

Location data
We do not actively collect geo-location data however when you log into our online banking or mobile app, the location (e.g. city, country) of your device will be made available to the bank for security and operational purposes. Certain location information may also be captured temporarily if you use guest WiFi when visiting the bank’s offices.

Fraud prevention data
To verify your identity and to prevent fraud and money laundering, personal information we collect from and about you will be shared with fraud prevention agencies.

Further details of how your information will be used by us and these fraud prevention agencies, and information about your data protection rights, can be found at https://www.cifas.org.uk/fpn.

Credit reference data
We will search via credit reference and fraud prevention agencies for information on all applicants for certain products and services. In so doing, we will provide the current and previous names, addresses and dates of birth of all applicants, so if you are providing information about others, on a joint application, you must inform them of the information contained in this notice and be sure that you have their agreement to disclose their details to us. If you give us false or inaccurate information and we identify fraud, details may be passed to credit reference and fraud prevention agencies.

We will use the information provided to us by credit reference and fraud prevention agencies to help make credit or credit related decisions about all applicants, to verify their identity, for the prevention and detection of fraud and/or money laundering, and to manage accounts.

Further information on how Credit Reference Agencies process your data can be found at Credit Reference Agency Information Notice (CRAIN) | Experian.

We use the information that we hold about you to identify events that we think you may wish to attend or products and services that we think may be of value to you.

The information we use to make these decisions includes both details you decide to share with us directly and details inferred from publicly available information and interactions with the bank such as your recent transactions or use of services and systems.

We will only contact you for marketing purposes if you have given us consent to do so.

We use online tracking technology to gather information on links clicked and emails opened; this does not store or access information on your device, but allows us to offer a tailored service to you.

We may share basic details (such as your name and title) with venues or hosts if you choose to attend an event, but we will never sell or transfer your data to a third party to use for direct marketing purposes.

You have the right to review your preferences or ask us not to send you marketing messages by post, telephone or email (or any combination of these) at any time. You can do this by:

•    contacting your relationship manager or our Data Protection Officer
•    checking certain boxes on the forms we use to collect your data
•    replying directly to the marketing message.

Whatever your preference, you will still receive statements and other service notifications that we may need to send you containing important information in relation to your accounts or the services we provide to you, and to help keep your accounts safe.

In the course of providing products and services to customers, we may use artificial intelligence (AI) and machine learning (ML) technologies, including generative AI and other advanced models and analytics techniques. This will include tools managed by us, as well as tools and services provided by third parties.

We will do this to:

•    gain better understanding of our customers’ circumstances and needs
•    identify unusual transactions or behaviours to help keep your accounts safe from potential fraud
•    help support lending decisions, including the assessment of credit and affordability factors
•    personalise conversations and offers to identify potential products and services or events that may be of value to you based on your feedback, expectations and preferences, or based on customers in a similar segment or with similar circumstances
•    perform data linkages with external data sets such as those provided by the Office for National Statistics (ONS) to increase our understanding of economic drivers and to improve our products and services
•    understand our customer and competitor base and support business planning, product development and business development
•    meet our regulatory obligations: for example, to support with AML and fraud checks.

In the course of doing so, we may also process your information in the development and training of such AI and ML models. We are committed to the responsible and ethical use of AI and have policies to support this. This means that we operate a ‘human-in-the-loop’ process to ensure our teams review and validate outputs of AI systems such that no fully automated decision-making takes place and outcomes are fair and in line with your interests.

Depending on the nature of your relationship with us, and the products and services you use, we may share your information with:

•    professional services providers (such as accountants, tax advisers, auditors, consultants and lawyers)
•    credit reference agencies, whose details are as follows:

TransUnion/CallCredit
Post: TransUnion, Consumer Services Team, PO Box 647, Unit 4, Hull HU9 9QZ Web Address: https://www.transunion.co.uk/consumer/consumer-enquiries Phone: 0330 024 7574
Information notice: https://www.transunion.co.uk/legal/privacy-centre/pc-credit-reference

Equifax Limited
Post: Equifax Limited, Customer Service Centre PO Box 10036, Leicester, LE3 4FS Web Address: https://www.equifax.co.uk/Contact-us/Contact_Us_Personal_Solutions Email: UKDPO@equifax.com
Phone: 0333 321 4043 or 0800 014 2955
Information notice: https://www.equifax.co.uk/privacy-hub/crain

 Experian Limited
Post: Experian, PO BOX 9000, Nottingham, NG80 7WF Web Address: https://ins.experian.co.uk/contact Information notice: http://www.experian.co.uk/crain

•    service providers (such as information technology, communications and information security providers; fraud and sanctions screening; identify verification services; and data sourcing and validation)
•    professional adviser who introduce you to us
•    professional advisers to whom we introduce you
•    government agencies, law enforcement agencies and regulators
•    fraud prevention agencies
•    UK Financial Services Compensation Scheme
•    third party payers (to confirm correct account details are being used)
•    any other financial institutions or third party payment service providers (‘TPPs’) you may choose to use for the purposes of open banking
•    event organisers, if you choose to attend an event
•    market research companies, if you choose to participate in a research study

In some circumstances we are under a duty to disclose or share your information with HM Revenue & Customs (‘HMRC’), who may transfer it to government agencies or tax authorities in another country where you may be subject to tax.

If the bank (or all or part of its assets) were to be acquired by a third party, personal data about you as one of our customers would be one of the transferred assets.

Our websites may, from time to time, contain links to and from third party websites. If you follow a link to any such websites, please check their privacy policies.

For some data processing activities, we transfer your personal information to recipients outside the UK and European Economic Area (‘EEA’). These transfers, to carefully selected third party service providers, support the bank’s provision of products and services to you, and help protect you from fraud.

While some countries’ data protection laws are deemed adequate by the UK Government and the European Commission, not all destination countries offer the same level of protection for personal information as the UK. When we transfer personal information to a country without a declaration of adequacy from the UK or the EEA, we put in place appropriate safeguards; we may, for example, enter into ‘standard contractual clauses’ with each recipient of your personal information.
 

We will retain your personal information for as long as we are providing you with the products and services referenced in any relevant contract between us, and for as long as is permitted or required for legal and regulatory purposes after the relationship between you and us has ended or your instructions for us to provide particular products or services are declined or abandoned.

The bank maintains a data retention policy which applies to different types of data we retain; however, some information may be retained for longer than defined in the policy if we need to retain it for the purposes of legal claims, or where your information is selected for archiving in our museum.

Transferring records to our museum

In certain cases, we will retain for our museum records we believe to be of particular historical interest. This includes bank statements, which form part of an unbroken record of the bank’s history since 1672. These records are kept secure and are not made available to researchers for a period of at least 100 years.

Unless your information is selected for preservation, it will be securely erased or destroyed once it is no longer needed.

In certain circumstances, under data protection law you have the right to:

•    object to processing of your personal information
•    request access to and copies of the personal information we hold about you
•    request correction of the personal information that we hold about you
•    request erasure of your personal information
•    request the restriction of processing of your personal data
•    request the transfer of your personal information to another party in a commonly used form.

Please note that these rights are not absolute, and each is subject to certain exceptions or qualifications. We may be entitled or required to refuse requests where exceptions apply. Where we cannot provide a full response to you, we will let you know about this in our reply to your request.

If you want to review your preferences, or exercise any of your privacy rights as set out above, please contact your relationship manager or our Data Protection Officer.

We may need to request specific information from you to help us confirm your identity and verify your right to access personal information processed by the bank (or to exercise any of your other rights). This security measure is to ensure that personal information is not disclosed to any person who has no right to receive it.

You do not have to pay a fee to access your personal information (or to exercise any of your other rights). In some cases, however, we may charge a reasonable fee if your request for access is clearly unfounded or excessive, or if you request multiple copies of the information. Alternatively, we may decide not to fulfil your request in such circumstances.

If you have any questions, comments or complaints about this notice or its contents, we will be happy to help. Please contact us at one of the addresses below:

•    By post: The Data Protection Officer, 37 Fleet Street, London EC4P 4DQ
•    By email: DPO@hoaresbank.co.uk

If you are based in the European Union, you can also contact the European Data Protection Office (EDPO); this is C. Hoare & Co.’s GDPR representative in the European Union:

•    By post: EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium
•    By email: privacy@edpo.brussels 
•    Via EDPO’s online request form at https://www.edpo.brussels/contact. 

If you are not satisfied with how we are processing your personal information, you can make a complaint to the UK Information Commissioner’s Office (‘ICO’) or to a data protection supervisory authority in the EU, including the data protection regulator in the EU country where you live. The ICO recommends that you raise any data protection-related complaints with us first so that we can attempt to resolve them. You can also make a complaint to the ICO, which can be contacted using the following details:

•    Online chat: https://ico.org.uk/make-a-complaint/  Telephone helpline: 0303 123 1113