Bó Privacy Notice

1. Who are we

This privacy notice (the “Privacy Notice”) applies to all personal information Bó uses. Bó is part of the National Westminster Bank Plc (“NatWest”), which is part of The NatWest Group plc (“NatWest group”) and our principal address is 250 Bishopsgate, London EC2M 4AA. We’re a companion bank account here to help you spend smarter, save more and manage your money better. This Privacy Notice explains how we collect and use your personal information to provide you with our products and services.

Keeping your personal information secure and safeguarding your privacy are really important to us. So is making sure you understand what personal information we use, and how we use it, where we get it from, who we share it with and what rights you have to control how we use it.

From time to time we may need to update this Privacy Notice. When we do, we’ll let you know and publish the updated version in the Bó app and website. It’s a good idea to read the Privacy Notice every time we make changes to it so you know exactly how we use your data and what your rights are.

2. How we use your personal information

We use your personal information in three ways:

  1. To provide our products and services to you
  2. To meet our legal obligations
  3. To run our business

We have described these in greater detail in Schedule A - What we use your information for

3. The information we use and where it comes from

We collect and use various categories of personal information but only to the extent we need to achieve one or more of the purposes listed above. This personal information includes:

  • Personal information you supply through the Bó app or website (for example, when you signed up to Bó or when you use your account, or get in touch with us). This includes your name, contact details, ID and visual images (such as selfie or copy of passport photo).
  • Transactional and other information we learn from how you use the Bó app, your card, your account, any NatWest group accounts you hold, and any other third party bank accounts you’ve allowed us to access through account aggregation / Open Banking.
  • Information we receive from third parties, such as those providing services to us or you e.g. ID verification services, credit reference agencies, fraud prevention or government agencies, and other banks.
  • Device information including your location, mobile phone network, IP address and telephone number and how you use your mobile to access Bó
  • Information about your family, lifestyle and social circumstances (such as dependents, marital status, next of kin and their contact details);
  • Information about your financial circumstances, including personal wealth, assets and liabilities, proof of income and expenditure, credit and borrowing history and needs and goals
  • Online profile and social media information and activity, based on your interaction with us and our websites and app, including for example, yourbanking profile and login information, Internet Protocol (IP) address, smart device information, location coordinates, online and mobile bankingsecurity authentication, mobile phone network information, searches, sitevisits and spending patterns.
  • Information from publicly available sources including social media profiles, the electoral register, the media and online search engines.

We may also use certain special categories of information for specific and limited purposes, such as detecting and preventing financial crime or to make our services accessible to customers. We will only use special categories of information where we’ve obtained your explicit consent or are otherwise lawfully permitted (and then only for the particular purposes and activities set out in Schedule A for which the information is provided). This may include:

  • information about racial or ethnic origin,
  • religious or philosophical beliefs;
  • trade union membership;
  • physical or psychological health details or medical conditions; and biometric information, relating to the physical, physiological or behavioural characteristics of a person, including, for example, using voice recognitionor similar technologies to help us prevent fraud and money laundering.

Where permitted by law, we may use information about criminal convictions or offences and alleged offences for specific and limited activities and purposes, such as to perform checks to prevent and detect crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. It may involve investigating and gathering intelligence on suspected financial crimes, fraud and threats and sharing data between banks and with law enforcement and regulatory bodies.

Your transaction history and account information may also contain special categories of personal data. For example, if you have a payment for a membership to a particular political party, this could reveal your political beliefs. We will not profile you on the basis of this data or otherwise use this data for any other purposes other than providing our services.

4. Your rights

Your rights in relation to the personal information we hold on you are set out in the table below. If you wish to exercise any of these rights, or if you have any queries about how we use your personal information which is not answered here, you can contact us at BoSupport@natwest.com

Please note that in some cases, if you don’t agree with how we use your information, it may not be possible for us to continue to operate your Bó account and/or provide certain products and services to you.

Rights Description
Access You have the right to a copy of the personal information we hold on you and can request it by contacting us at BoSupport@natwest.com
Erasure You have the right to request we delete your personal information if you believe that:
  • we no longer need to use it for the purposes for which it was provided;
  • you wish to withdraw your consent and we have no other lawful basis touse the data; or
  • we are not using your information in a lawful manner.
Restriction You have the right to request use to restrict how we use your information if you believe that:
  • the information that we hold about you is inaccurate;
  • we no longer need to use your information for the purposes for whichit was provided, but you require the information to establish, exercise or defend legal claims; or
  • we are not using your information in a lawful manner.
Portability You have a right to receive any personal information you provided to us directly in an electronically and/or request that we send it to a third party, if technically feasible and secure. If you would like to do this please contact our support team at BoSupport@natwest.com
Objection You have the right to object to how we are using your information for the purposes described in Schedule A, table (C), (which can be found at the end of this document), unless we can demonstrate overriding compelling and legitimate grounds for the processing or where we need to use your information to investigate and protect us or others from legal claims.
Marketing You have a right to object to us using your personal information for direct marketing purposes, including profiling you for direct marketing. For more information see section 10.
Lodge complaints

If you want to make a complaint about how we have handled your personal information, you can contact our Data Protection Officer who will investigate the matter. Please contact us at 03457 242424 Overseas Number +44 131549 8888 Minicom 0800 404 6160.

We hope that we can address any concerns you may have, but if you are not satisfied, you can always contact the Information Commissioner’s Office (ICO). For more information, visit https://ico.org.uk/.

5. Changing how we use your information

From time to time, we may change the way we use your information. Where we believe you may not reasonably expect such a change, we will give you at least 30 days notice to raise any objections before the change is made. However, in some cases, if you do not agree to such changes it may not be possible for us to continue to service your Bó account and/or provide certain products and services to you.

6. Who we share your information with

We will only use and share your information where it is necessary for us to lawfully carry out our business activities. Your information will be shared with other NatWest group companies and there are some circumstances where we will also share your personal information with third parties outside of the NatWest group including fraud prevention agencies, government entities and other third parties who we are required or permitted by law to disclose to. We will not share your information with anyone outside the NatWest group except:

  1. Where we have your permission;
  2. Where required for your product or service;
  3. Where we are required by law and by law enforcement agencies, judicial bodies, government entities, tax authorities or regulatory bodies around the world;
  4. With other banks, individuals or organisations so that we can help recover funds that have entered your account as a result of a payment sent in error by one of the above;
  5. With companies providing services to us, such as market analysis and benchmarking, correspondent banking, and agents and sub-contractors acting on our behalf, such as ID verification services;
  6. When you agree to receive marketing from us, we may use social media companies or other third party advertisers to display relevant messages to you about our products and services. Third party advertisers may also use information about your previous web activity to tailor adverts which are displayed to you;
  7. With other banks to help trace funds where you are a victim of suspected financial crime and you have agreed for us to do so, or where we suspect funds have entered your account as a result of a financial crime;
  8. With debt collection agencies;
  9. With credit reference and fraud prevention agencies;
  10. With external guarantors or other companies that provide you with benefits or services (such as insurance cover) associated with your product or service;
  11. Where required for a proposed sale, reorganisation, transfer, financial arrangement, asset disposal or other transaction relating to our business and/or assets held by our business;
  12. In anonymised form as part of statistics or other aggregated data shared with third parties; or
  13. Where necessary for our legitimate interests (e.g. to help us provide and improve our products and services to make them better for you) or those of a third party, and it is not inconsistent with the purposes listed above.

If you ask us to, we will share information with any third party that provides you with account information or payment services. If you ask a third party provider to provide you with account information or payment services, you’re allowing that third party to access information relating to your account. We’re not responsible for any such third party’s use of your account information, which will be governed by their agreement with you and any privacy statement they provide to you.

In the event that any additional authorised users are added to your account, we may share information about the use of the account by any authorised user with all other authorised users.

Bó will not share your information with third parties for their own marketing purposes without your permission.

7. Transferring information overseas

We may transfer your information to organisations in other countries (including to other NatWest group companies) on the basis that anyone to whom we pass it protects it in the same way we would and in accordance with applicable laws.

In the event that we transfer information to countries outside of the European Economic Area (which includes countries in the European Union as well as Iceland, Liechtenstein and Norway), we will only do so where we are satisfied your information is adequately protected based on the European Commission’s assessment of the countries in question, the transfer has been authorised by the relevant data protection authority or a suitable contract with the organisation weare sharing your information with. You can contact us at BoSupport@natwest.comto get a copy of the relevant data protection clauses in the contract.

8. Marketing

When you have told us that you want to hear from us via the app, we may contact you from time to time about new products and services that we think could be of interest to you via email, text and other forms of communication. You can adjust your marketing preferences anytime you want in the app.

9. Communicating with you about your account

When we contact you we will mainly do so via the Bó app, but sometimes we may use email, text message, post and/or telephone. To help us get in touch with you please keep your contact details in the app up to date.

We may monitor or record our communications with you in accordance with applicable laws for the purposes outlined in Schedule A.

10. Credit reference, fraud prevention and identification and verification partners

We may access and use information from credit reference and fraud prevention agencies when you open your account and periodically to:

  1. manage and take decisions about your accounts, including assessing your credit worthiness and checks to avoid you becoming over-indebted;
  2. prevent criminal activity, fraud and money laundering;
  3. check your identity and verify the accuracy of the information you provide to us; and
  4. trace debtors and recover debts.

The decision to provide you with a Bó account may be taken based solely onautomated checks of information from credit reference and fraud prevention agencies and internal NatWest group records. To help us make decisions on when togive you credit, we use a system called credit scoring to assess your application. To work out your credit score, we look at information you give us when you apply; information from credit reference agencies that will show us whether you’ve kept up to date with payments on any credit accounts (that could be any mortgages, loans, credit cards or overdrafts), or if you’ve had any court action such as judgments or bankruptcy; your history with us such as maximum level of borrowing; and affordability, by looking at your available net income and existingdebts. You have rights in relation to automated decision making, including a right to appeal the decision.

We will continue to share information with credit reference agencies about how you manage your account including your account balance, payments into your account, the regularity of payments being made, credit limits and any arrears ordefault in making payments, while you have an account with us. This information will be made available to other organisations (including fraud preventionagencies and other financial institutions) so that they can take decisions about you, your associates and members of your household.

If false or inaccurate information is provided and/or fraud is identified or suspected, details will be passed to fraud prevention agencies. Law enforcement agencies and other organisations may access and use this information. If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we and others may refuse to provide the services and financing you have requested, to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. Fraud prevention agencies can hold your information for different periods of time, and if you are considered to pose afraud or money laundering risk, your data can be held for up to six years.

Please also be aware that, to make verifying your identity as part of the account opening process easy as possible, we will send required identification that you provide to us to a third party ID verification service provider.

When the credit reference and fraud prevention agencies, and our identity and verification provider use your information, they do so, on the basis that they have a legitimate interest in preventing fraud and money laundering, and to verify identity, in order to protect their business and to comply with laws that apply to them. Further, they are independent controllers of your data when they use your personal information. If you want further details of how your information will be used, you can contact them using the relevant details below.

Credit reference agency Contact details
Equifax Limited www.experian.co.uk

Post: Equifax Ltd, Customer Service Centre PO Box 10036, Leicester, LE3 4FS.

Website: www.equifax.co.uk

Email: www.equifax.co.uk/ask

Phone: 0333 321 4043 or 0800 014 2955

Experian Limited www.experian.co.uk

Post: Experian, PO BOX 9000, Nottingham, NG807WF

Website: www.experian.co.uk

Email: consumer.helpservice

Phone: 0344 481 0800 or 0800 013 8888

Fraud prevention agency Contact details
Cifas https://www.cifas.org.uk

Post: Consumer Affairs, Cifas, 6th Floor, Lynton House, 7-12 Tavistock Square, London WC1H 9LT

Phone: 0330 100 0180

Identity & Verification Contact details
HooYu Limited

Post: Quayside Lodge, William Morris Way, Fulham, London, SW6 2UZ

Website: https://www.hooyu.com/

Email: support@hooyu.com

Phone: 0207 909 2172

11. How long we keep your information for

By providing you with products or services, we create records that contain your information, such as customer account records, activity records, tax records and lending and credit account records. Records can be held on a variety of media (physical or electronic) and formats.

We manage our records to help us to serve our customers well (for example to help us deal with any queries you may have about your account) and to comply with legal and regulatory requirements. Records help us demonstrate that we are meeting our responsibilities and to keep as evidence of our business activities.

How long we keep records depends on the type of record, the nature of the activity, product or service and the applicable local legal or regulatory requirements. We (and other NatWest group companies) normally keep customer account records for up to six years after you close your account, whilst other records are retained for shorter periods. How long we retain your information for may change based on business or legal and regulatory requirements.

We may in certain circumstances retain your information for longer periods, particularly where we need to withhold destruction or disposal based on an orderfrom the courts or an investigation by law enforcement agencies or our regulators. This is to make sure that we will be able to produce records as evidence, if they're needed.

If you would like more information about how long we keep your information, please contact us at BoSupport@natwest.com

12. Security

At Bó, making sure that we and any third parties who act on our behalf keep your personal information secure is really important to us.

We will only use and share your information where it is necessary for us to carry out our lawful business activities. Your information may be shared with and used by other NatWest group companies. We want to ensure that you fully understand how your information may be used. We have described what we may use your information for below:

We may use your information where it is necessary to enter into a contract with you to provide you with our products or services or to perform our obligations under that contract. Without this information, we may not be able to continue to operate your Bó account and/or provide products and services to you. This may include processing to:

A. Contractual necessity
  1. Assess and process applications for products or services;
  2. Provide and administer those products and services throughout your relationship with Bó, including opening, setting up or closing your account or products, collecting and issuing all necessary documentation, following your instructions, processing transactions, including transferring money between accounts, making payments to third parties, resolving any queries or discrepancies and administering any changes, including in relation to Aggregated Accounts
  3. Manage and maintain our relationships with you and for ongoing customer service. This may involve sharing your information with other NatWest group companies to improvethe availability of our services;
  4. Administer any credit facilities or debts, including agreeing repayment options; and
  5. Communicate with you about your account(s) or the products and services you receive from us. Calls with our support team and online communications may be recorded and monitored for these purposes..
B. Legal obligation

When you apply for a product or service (and throughout your relationship with us), we are required by law to collect and use certain personal information about you. Without this information we may not be able to continue to operate your account and/or provide products and services to you. This may include processing to:

  1. confirm your identity, including using face-recognition technology and other identification procedures, for example fingerprint verification;
  2. perform checks and monitor transactions and location data for the purpose of preventing and detecting crime and to comply with laws relating to money laundering, fraud, terrorist financing, bribery and corruption, and international sanctions. This may require us to use information about criminal convictions and offences, to investigate and gather intelligence on suspected financial crimes, fraud and threats and to share data with law enforcement and regulatory bodies;
  3. assess affordability and suitability of credit for initial credit applications and throughout the duration of the relationship, including analysing customer credit data for regulatory reporting;
  4. share data with other banks and third parties to help recover funds that have entered your account as a result of a misdirected payment by such a third party;
  5. share data with police, law enforcement, tax authorities or other government and fraud prevention agencies where we have a legal obligation, including reporting suspicious activity and complying with production and court orders;
  6. deliver mandatory communications to customers or communicating updates to productand service terms and conditions;
  7. investigate and resolve complaints;
  8. conduct investigations into breaches of conduct and corporate policies by our employees;
  9. manage contentious regulatory matters, investigations and litigation;
  10. perform assessments and analyse customer data for the purposes of managing, improving and fixing data quality;
  11. provide assurance that the bank has effective processes to identify, manage, monitor and report the risks it is or might be exposed to;
  12. investigate and report on incidents or emergencies on bank’s properties and premises; and
  13. coordinate responses to business disrupting incidents and to ensure facilities, systems and people are available to continue providing services.
C. Legitimate interests of the bank

We may use your information where it is in our legitimate interests do so as an organisation and without prejudicing your interests or fundamental rights and freedoms.

a) We may use your information in the day to day running of our business, to manage our business and financial affairs and to protect our customers and employees. It is in our interests to ensure that our processes and systems operate effectively and that we can continue operating as a business. This may include processing your information to:

  1. monitor, maintain and improve internal business processes, information and data,technology and communications solutions and services;
  2. ensure business continuity and disaster recovery and responding to information technology and business incidents and emergencies;
  3. ensure network and information security, including monitoring authorised users’ access to our information technology for the purpose of preventing cyber-attacks, unauthorised use of our telecommunications systems and websites, prevention or detection of crime and protection of your personal data;
  4. provide assurance on our material risks and reporting to internal management and supervisory authorities on whether we are managing them effectively;
  5. perform general, financial and regulatory accounting and reporting;
  6. protect our legal rights and interests; and
  7. enable a sale, reorganisation, transfer or other transaction relating to our business.

b) It is in our interest as a business to ensure that we provide you with the most appropriate products and services and that we continually develop and improve as an organisation. This may require processing your information to enable us to:

  1. identify new business opportunities and to develop enquiries and leads into applications or proposals for new business and to develop our relationship with you;
  2. send you relevant marketing information (including details of other products or services provided by us or other NatWest group companies which we believe may be of interest to you). We may show or send you marketing material online (on our own and other websites including social media platforms), in our app, or by email,sms or post;
  3. understand your actions, behaviour, preferences, expectations, feedback and financial history in order to improve our products and services, offer you insights into your spending and potential actions you could take and to develop new products and services and to improve the relevance of offers of products and services by NatWest group companies;
  4. monitor the performance and effectiveness of products and services;
  5. assess the quality of our customer services and to provide staff training. For these purposes we may record and monitor our interactions with you;
  6. perform analysis on customer complaints for the purposes of preventing errors and process failures and rectifying negative impacts on customers;
  7. compensate customers for loss, inconvenience or distress as a result of services, process or regulatory failures;
  8. identify our customers’ use of third party products and services in order to facilitate the uses of customer information detailed above; and
  9. combine your information with third party data, such as economic data in order to understand customers’ needs better and improve our services.

We may perform data analysis, data matching and profiling to support decision making with regards to the activities mentioned above. It may also involve sharing information with third parties who provide a service to us.

c) It is in our interest as a business to manage our risk and to determine what products and services we can offer and the terms of those products and services. It is also in our interest to protect our business by preventing financial crime. This may include processing your information to:

  1. carry out financial, credit and insurance risk assessments;
  2. manage and take decisions about your accounts;
  3. carry out checks (in addition to statutory requirements) on customers and potential customers, business partners and associated persons, including performing adverse media checks, screening against external databases and sanctions lists and establishing connections to politically exposed persons;
  4. share data with credit reference agencies, fraud prevention agencies, law enforcement agencies and identification verification service providers;
  5. trace debtors and recovering outstanding debt; and for risk reporting and risk management.