Privacy Policy of Apex Arvest Bank

1. Introduction

This Privacy Policy explains how Apex Arvest Bank ("Apex Arvest Bank", "we", "us", or "our") collects, uses, discloses, and protects your personal data when you use our banking services, visit our branches, websites, or mobile applications, or otherwise interact with us in England. We are committed to safeguarding your privacy and handling your information lawfully, fairly, and transparently.

By using our products and services, including those branded or associated with "arvest", you acknowledge that you have read and understood this Privacy Policy.

2. Data Controller

Apex Arvest Bank acts as the data controller for the personal data we process about you. This means we determine the purposes and means of processing your personal data in accordance with applicable data protection laws in England, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Identification and contact data

• Full name, title, date of birth
• Residential and correspondence addresses
• Email address, telephone numbers
• National identifiers (such as National Insurance number, passport details, driving licence details) where legally required

3.2 Financial and account data

• Bank account numbers and sort codes
• Card numbers, expiry dates, and limited transaction-related card data
• Account balances and account history
• Payment history, direct debits, standing orders
• Loan, mortgage, savings, and investment details

3.3 Transaction and usage data

• Incoming and outgoing payments, including payee and payer details
• Merchant information and transaction locations
• Use of online banking, mobile apps, and related arvest digital services

3.4 KYC and compliance data

• Information gathered to satisfy Know Your Customer (KYC), Anti-Money Laundering (AML), and counter-terrorist financing obligations
• Sanctions screening results and politically exposed person (PEP) checks

3.5 Technical and usage data (online services)

• IP address, browser type, operating system, device identifiers
• Login details (username and securely stored, hashed authentication data)
• Cookies, beacons, and similar technologies related to our websites and online banking
• Log files showing how you use our digital services

3.6 Communications data

• Records of your communications with us (phone calls, emails, in-app messages, letters, chat logs)
• Feedback, complaints, and survey responses

3.7 Marketing and preferences data

• Your preferences regarding receiving marketing communications from us
• Records of marketing communications sent and your interactions with them

4. How We Collect Your Personal Data

We collect personal data in several ways:

4.1 Directly from you

• When you apply for or use our accounts, cards, loans, mortgages, or other banking products
• When you register for and use online or mobile banking services linked to arvest
• When you contact us by phone, email, post, or via our website or apps
• When you visit our branches or attend our events

4.2 From third parties

• Credit reference agencies
• Fraud prevention agencies
• Public authorities and regulators
• Other banks and payment service providers involved in your transactions
• Identity verification and KYC service providers
• Publicly available sources and registers

4.3 Automatically

• Through your use of our websites, online banking, and mobile apps
• Via cookies and similar technologies (see Section 11: Cookies and Similar Technologies)

5. Legal Bases for Processing

We process your personal data only when we have a lawful basis to do so. These include:

5.1 Performance of a contract To provide and manage the products and services you request, such as current accounts, savings accounts, cards, loans, mortgages, and arvest online and mobile banking.

5.2 Legal and regulatory obligations To comply with obligations under UK law and regulations, including those relating to banking, taxation, AML, sanctions, fraud prevention, and consumer protection.

5.3 Legitimate interests To pursue our legitimate business interests in a way that does not override your rights and freedoms; for example:

• Managing our relationship with you
• Preventing fraud and abuse of our services
• Improving our products, services, and security
• Performing analytics and reporting related to our banking operations

5.4 Consent Where we rely on your consent, such as for certain types of marketing or optional cookies. You can withdraw your consent at any time (see Section 10: Your Rights).

6. How We Use Your Personal Data

We use your personal data for the following purposes:

6.1 Providing banking services

• Opening, administering, and closing bank accounts
• Processing payments, transfers, direct debits, and standing orders
• Issuing and managing cards and digital wallets
• Providing loans, credit, mortgages, and related services
• Providing arvest online and mobile banking services and support

6.2 Customer service and relationship management

• Responding to your queries, requests, and complaints
• Communicating with you about your accounts, transactions, and changes to terms
• Sending service-related notifications and alerts

6.3 Risk management, security, and fraud prevention

• Verifying your identity and conducting KYC checks
• Detecting and preventing fraud, money laundering, and other criminal activity
• Monitoring and securing our systems, networks, and infrastructure

6.4 Legal and regulatory compliance

• Meeting reporting obligations to regulators and public authorities
• Responding to lawful requests for information from law enforcement or regulators
• Keeping records as required by applicable laws

6.5 Marketing and service improvement

• Providing you with information about our products and services that may be of interest (where permitted by law and your preferences)
• Conducting research, analysis, and statistical activities to improve our offerings
• Personalising content and customer experience within arvest-related platforms

7. Disclosure of Your Personal Data

We may share your personal data with the following recipients, only where necessary and in accordance with applicable law:

7.1 Group companies and service providers

• Companies within our corporate group, where relevant
• Third-party service providers who perform services on our behalf, such as IT providers, payment processors, cloud services, identity verification providers, and customer support.

7.2 Other financial institutions and partners

• Other banks, payment service providers, card schemes, and intermediaries involved in your transactions
• Business partners who help us deliver specific products or services (for example, insurance or investment products, where applicable)

7.3 Authorities and regulators

• Regulatory bodies, tax authorities, courts, law enforcement, and other public authorities when we are legally required to do so or when necessary to protect our rights, your rights, or the rights of third parties

7.4 Professional advisers

• Auditors, legal advisers, and other professional consultants, under appropriate confidentiality obligations

We require all third parties that process personal data on our behalf to implement appropriate security measures and to process personal data only in accordance with our instructions and applicable law.

8. International Transfers of Personal Data

Your personal data may be transferred to and processed in countries outside the United Kingdom. Where this occurs, we ensure that an adequate level of protection is in place, including by:

• Transferring data only to countries that have been deemed to provide an adequate level of protection by the UK government; or
• Using appropriate safeguards such as standard contractual clauses or equivalent mechanisms.

You may contact us for more information about the safeguards we use for international data transfers.

9. Data Retention

We retain your personal data only for as long as necessary for the purposes for which it was collected, including to:

• Provide banking services and maintain our relationship with you;
• Comply with legal, regulatory, accounting, and reporting obligations; and
• Resolve disputes and enforce our agreements.

In many cases, we are required by law to keep certain banking records for a specified period after your relationship with us ends. When personal data is no longer required, we will securely delete or anonymise it.

10. Your Rights

Subject to legal limitations and certain conditions, you have the following rights regarding your personal data:

• Right of access: To obtain confirmation of whether we process your personal data and to receive a copy of that data.
• Right to rectification: To have inaccurate or incomplete personal data corrected.
• Right to erasure: To request deletion of your personal data in certain circumstances.
• Right to restriction: To request that we restrict the processing of your personal data in certain cases.
• Right to data portability: To receive certain personal data in a structured, commonly used, and machine-readable format and to request that we transfer it to another controller where technically feasible.
• Right to object: To object to processing based on our legitimate interests or for direct marketing purposes.
• Right to withdraw consent: Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us using the contact details provided in Section 13.

11. Cookies and Similar Technologies

We use cookies and similar technologies on our websites and online banking platforms to:

• Enable essential site functions and secure login
• Remember your preferences and improve usability
• Analyse site usage for performance and service improvement

Where required by law, we will request your consent before placing non-essential cookies. You may manage your cookie preferences through your browser settings or our cookie management tools. Restricting certain cookies may impact the functionality of our online services.

12. Security of Your Personal Data

We implement appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include:

• Encryption and secure transmission of sensitive data
• Access controls and authentication mechanisms
• Regular testing, assessment, and evaluation of security measures
• Staff training and confidentiality obligations

While we take reasonable steps to protect your information, no system is entirely secure. You are responsible for keeping your login details, passwords, and PINs confidential and for notifying us immediately if you suspect unauthorised access to your accounts.

13. Contact Information

If you have any questions, concerns, or requests relating to this Privacy Policy or our handling of your personal data, or if you wish to exercise your data protection rights, you may contact our data protection contact point:

Data Protection Contact Apex Arvest Bank [Insert postal address] [Insert email address] [Insert telephone number]

You also have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO), if you believe that your data protection rights have been infringed.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will revise the "Last updated" date at the top of the policy and, where appropriate, notify you through our website, online banking, or other communication channels.

We encourage you to review this Privacy Policy regularly to stay informed about how we protect your personal data in connection with Apex Arvest Bank and arvest-related services.