Privacy Policy
Table of contents
1. Important information and who we are
1.1 Purpose of this Privacy Policy
1.2 What is Capital One’s role?
1.3 Changes to the Privacy Policy and your duty to inform us of any changes
2. The data we collect about you
2.1 What is personal data?
Identity Data such as title, names, employment status, occupation, username or similar identifiers, marital status, date of birth;
Contact Data such as addresses, email addresses and telephone numbers;
Credit File Data collected from credit reference agencies (CRAs) – see section 6;
Financial Data such as your income, credit card details, payment card details or details about other financial accounts that you may have;
Account Data such as details of your account, history of changes, financial summaries, statements and account/user/policy or reference numbers;
Transaction Data such as purchases / other transactions made on your account and payments to and from you;
Technical Data such as device information and identifiers, internet protocol (IP) addresses, your login data, browser type/usage and versioning data based on the devices you use to access our digital platforms;
Profile Data such as passwords on your accounts, preferences, feedback;
Survey and Research Data such as your responses to questionnaires, surveys, feedback requests and design or research activities;
Usage Data such as information about when and how you use our products, services, processes or platforms (e.g. how often you use our mobile applications or how you use your credit card with us);
Marketing Data such as your preference on receiving marketing from us and information used in your interactions with us (or our partners) (e.g. cookie data used for behavioural advertising);
Communications Data such as details about any contact made between you and us (e.g. phone calls made or received) and/or the content of those communications (e.g. call recordings);
Device Operations: information about operations and behaviour performed on the device, such as mouse movements or key strokes (which can help distinguish humans from bots and between individuals);
Special Categories of Personal Data: this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, criminal convictions and offences and data concerning your health and genetic and biometric data. We will only collect and use these types of data where we have obtained your explicit consent or if the law allows us to do so.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature or our mobile app. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.
2.2 If you fail to provide personal data
3. How is your personal data collected?
Direct interactions. This is data that we collect directly from you and includes personal data you may provide or we may obtain when you: apply or register for our products and services; use our products and services; use our website or mobile device applications; make contact with us (e.g. making a phone call); communicate with us (e.g. when you talk to us on the phone or send emails, letters or SMS); request marketing to be sent to you; enter a competition or promotion; give us feedback or take part in research or surveys.
Automated technologies or interactions. As you interact with our website, telephony systems or mobile applications, we may automatically collect data including Technical Data about your equipment, browsing actions and patterns; and the telephone number from which you called us. This personal data may be collected by using cookies, web beacons and other similar technologies as well as by other technical methods. Please see our Cookie Policy for further details in relation to Cookies and similar tracking technologies.
Third parties or publicly available sources. We may receive personal data about you from various third parties (and public sources) as set out in 'Our third parties'.
Other. We may receive personal data about you from individuals such as extra cardholders, people appointed to act on your behalf, family members, and others who are acting in your best interests or providing us with information in relation to your contact details.
4. How we use your personal data
Where it is necessary for us to perform the contract we are about to enter into or have entered into with you; Where it is necessary for our Legitimate Interests (or those of a third party) and your interests and fundamental rights do not override those interests; Where we need to comply with a legal or regulatory obligation; When you consent to it; In the case of Special Categories of Personal Data, where there is a Substantial Public Interest to process the data or we have obtained explicit consent to do so.
4.1 Purposes for which we will use your personal data
Purposes and Legal Grounds
We may process your information to: Understand how you use products, services, processes and related customer experiences provided by us and other organisations; Inform the way that we manage our products, services, processes and platforms; Develop, test and change our products, services, processes and platforms; Invite you to provide customer feedback through surveys and forums to help us understand and improve the effectiveness of our products, services, processes and platforms; Monitor usage and performance of our products, services, processes and platforms; perform analysis (e.g. statistical, market, product analysis), reporting, forecasting and accounting; Tell you about our products, services, events and activities that may be of interest to you; Understand how you interact with our marketing; develop, test or change our marketing activities; Communicate with our third parties to help them understand, improve and fulfil on marketing activities (including supporting behavioural advertising techniques e.g. use of cookie data); Promote our products and services.
When processing your information for these purposes, we are relying on our Legitimate Interest to help us understand, develop, improve and market our products and services.
We may process your information to: Allow you to begin using or register for our products or services; Check your eligibility for our credit products; process your application and/or set up an account for you; Uphold our lending criteria by performing creditworthiness, affordability and other checks including, but not limited to, fraud checks, anti-money laundering checks, vulnerability assessments, identity checks; Report activities to credit reference agencies (CRAs), fraud prevention agencies (FPAs) and/or crime prevention agencies in line with our legal, regulatory or business requirements; Communicate with you to provide updates following a credit application or eligibility check; Communicate with you to provide updates and information while you are using, registering or continuing to use one of our products or services; Communicate with you for design or research purposes or to ask you about our current or potential products, services, processes and customer experiences; Provide targeted communications via social media platforms (for example Facebook), by sending to them a hashed version of your personal information (which may be your email address, phone number and/or first name and surname) to provide you with information in relation to our current service availability and other relevant service and support information.
When processing your information for these purposes, we rely on our Legitimate Interest to allow you to access our products and services. In addition, in relation to some of the purposes, it is necessary for us to process your information for the Performance of the Contract between us.
We may process your information to: Enable you to access and use our online services and functionality; Understand how you use and navigate our online services; Tailor online experiences or develop and/or change these services; Service and fulfil on your products and services (e.g. processing transactions, managing account information and settings); Provide you with other suitable products, services or relevant information where we (or our partners) think you may be interested; Manage potential Payment Protection Insurance (PPI) related activities on your accounts including activities relating to the potential mis-sell of PPI; Keep our records up to date including updating preferences and making changes to your account; Manage requests from you where you are exercising your data privacy rights; Assess your personal circumstances while you are using our products and services and, potentially, taking actions on your account based on these circumstances (e.g. making changes to your account where you appear to be in financial difficulty); Communicate with you for any purpose relating to the servicing of your account; Manage your accounts, products or services effectively (e.g. applying credit limit increases and decreases, updating your product terms); Develop, improve or change the products and services that you are using; Offer you additional products, services and promotions; Assess, collect or recover outstanding debts from you; Transfer ownership of your account to a third party. This may include activities we carry out with third parties including the assessment, pricing and handover of the debt; Inform strategies around how we collect, recover or sell outstanding debts. This may involve sharing data with third parties to help inform this strategy including which third parties we work with; Monitor usage and performance of our products, services, processes and platforms; perform analysis (e.g. statistical, market, product analysis), reporting, forecasting and accounting.
When processing your information for these purposes, we rely on our Legitimate Interest to fulfil on our products and services. In addition, in relation to some of the purposes, it is necessary for us to process your information for the Performance of the Contract between us.
We may process your information to: Perform checks to prevent, detect, investigate and report fraud, crime and/or terrorist activity; Carry out our obligations required by relevant laws and regulations including anti-money laundering (AML) checks, Her Majesty’s Treasury (HM Treasury) and Office of Foreign Assets Control (OFAC) sanctions list checks, Politically Exposed Persons (PEPs) assessments and Transaction/Account monitoring and restriction; Protect the security and resilience of our networks/applications and respond to technical and security incidents; Devise defence strategies (e.g. in relation to fraud, crime, terrorist or cyber-attack risks) and develop, test or change our defences; Review and take appropriate action relating to threatening and abusive behaviour of customers to our agents whilst performing their day-to-day role; To ensure we are able to offer our services in a secure manner by authenticating our customers and reducing the risk of fraud.
When processing your information for these purposes, we rely on our Legitimate Interest to manage risk, security and crime prevention. In addition, in relation to some of the purposes, we may process your information to comply with a Legal Obligation.
We may process your information to: Improve, test, investigate and remediate any issues with our internal processes and practices; Maintain your data and ensure the data that we hold about you is accurate and up to date.
When processing your information for these purposes, we rely on our Legitimate Interest to manage and improve our business processes.
We may process your information to: Cooperate with (and respond to) requests from courts, regulators, law enforcement bodies and other institutions (e.g. fraud prevention agencies); Appropriately handle and process complaints or disputes – this may include contacting relevant parties; Exercise our rights in relation to complaints, disputes or litigation; Manage policy affairs, public relations issues, media enquiries or customer interactions with the media; Manage complaints with third parties; Manage disputes and charge backs; Manage litigation against third parties; Enable us to provide legal and/or regulatory advice in line with our business activities; Share your online account information with regulated third parties, known as Account Information Service Providers (AISPs) where you have asked them to access this information.
When processing your information for these purposes, we rely on our Legitimate Interest to satisfy our industry, regulatory and legal requirements and exercise our rights. In addition, in relation to some of the purposes, we may process your information to comply with a Legal Obligation or it may be necessary to assist in relation to a task performed in the Public Interest.
Loan customers and those supporting our customers
Health data
- Processing personal data relating to your health enables us or someone else to better protect you against potential harm, such as: Taking out credit that is not appropriate; Falling behind on debt repayments; Falling prey to fraud or financial abuse; or Otherwise not being able to protect your economic well-being.
- To ensure that we are able to send communications to you in an appropriate format or make other reasonable adjustments due to a condition.
- So that we can try and prevent fraud and/or where there may be suspicions of terrorist financing or money laundering.
Biometric Data
Use the Device Operations data to help us to understand whether you are the person using your device; Maintain the confidentiality and security of the information, including maintaining technical and physical safeguards that are designed to (a) protect the security and integrity of the information while it is within their systems and (b) guard against the accidental or unauthorised access, use, alteration or disclosure of information within their systems; Only retain the data for as long as is necessary to fulfil this purpose and delete once it is no longer needed for this purpose.
Share the information with any third parties. Use the information to append to other information to build profiles. Use the information to provide services to you.
4.2 Marketing
4.3 Cookies and Online Marketing
Online advertising through pixels
Data shared in other ways
Use the hashed data for matching purposes; and Maintain the confidentiality and security of the hashed data and the collection of Facebook User IDs that comprise the customer audience created from the hashed data, including maintaining technical and physical safeguards that are designed to (a) protect the security and integrity of data while it is within Facebook’s systems and (b) guard against the accidental or unauthorised access, use, alteration or disclosure of data within Facebook’s systems.
Share the hashed data with third parties or other advertisers and will delete the hashed data promptly after the match process is complete; Give access to or information about the custom audience(s) to third parties or other advertisers; Use custom audience(s) to append to the information it has about its users or build interest-based profiles; Use custom audience(s) to provide services to you.
4.4 Change of purpose
5. How we use your information to make automated decisions
Making Lending Decisions
Information you have provided; Information we may collect or already hold about you; and Information provided by third parties (including credit reference agencies)
Detecting Fraud
Information you have provided; Information we may collect or already hold about you; and Information provided by third parties (including fraud prevention agencies).
Providing you with access to products and services
Information you have provided; Information we may collect or already hold about you; and Information provided by third parties.
Checks to ensure you meet conditions for opening an account (e.g. checking your age and residence); Checks based on your existing products with us (e.g. checking whether you already have an account with us and how it is currently being managed); Checks to identify money laundering, criminal / terrorist activity or cyber security threats that may pose a risk to you and our business.
Managing, tailoring and marketing our products and services
Optimising and fulfilling on communications: different communication approaches are suitable for different types of people so we use segmentation to provide you with the most appropriate communications for you;
Sending marketing and offers: different marketing approaches may be used with certain segments where we think our marketing will perform more effectively;
Tailoring or managing products: we may tailor your accounts, products or services based on a segment that you are grouped into (e.g. changing product terms such as APR);
Deciding whether we need to help you: certain details in your information may suggest that you are likely to become financially vulnerable and we may need to help you. For example, if we have information that shows you have moved from paying the full amount of your credit card to paying off only the minimum amount each month, this could be one sign that you may be having some financial difficulties and that we may be required to help you;
To take action in relation to your account: we may take action on your account such as restricting the use of your account or closing it due to inactivity.
Your rights in relation to automated decision making
reconsider the decision; or take a new decision that is not based solely on automated decision making and ask that a person review it.
6. Credit reference agencies (CRAs)
Assess your creditworthiness and whether you can afford to take the product; Verify the accuracy of the data you have provided to us; Confirm your identity and prevent criminal activity, fraud and money laundering; Manage your account; Trace and recover debts; Ensure any offers provided to you are appropriate to your circumstances; Provide you with access to your credit bureau data where you have asked us to; Ensure that you are aware of changes or offers which might be relevant to how you manage the product; Monitor your behaviour to inform our wider strategy.
7. Fraud prevention agencies (FPAs)
Consequences of Processing
Data Transfer
8. Credit card networks (Visa and Mastercard)
Billing purposes; Product enablement and build; Testing or product improvement purposes; To reply to requests from public authorities; Analysed by Visa and its partners for offers or promotional activities that cardholders have entered or agreed to be a part of; To support loyalty programs, promotional activities or other services offered by a network member, Visa or its partners including by determining eligibility and identifying qualifying transactions; Authentication, security, dispute resolution, managing risk and preventing fraud; Keeping Personal Data up-to-date; Data modelling, analytics, business intelligence and insights.
Whenever credit card networks transfer your personal data outside of the UK, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required by the UK.
9. Credit Brokers
10. Disclosures of your personal data
11. Our third parties
Third parties that enable us to understand, develop, improve and market our products and services: Product, marketing and industry monitoring services and tools; Market research, surveying, consultancy and benchmarking services; Product/service/communications design and development services; Marketing partners, affiliates and intermediaries; Analytics and incident management services; Regulated Open Banking entities.
Third parties that enable us to uphold our lending, usage or registration criteria by supporting creditworthiness, affordability and other checks – for example: Credit reference agencies (CRAs); Fraud detection and prevention tools, services, bodies or agencies; Cyber threat detection tools or services; Parties providing additional data or services for our credit underwriting; Regulated Open Banking entities; Third parties used to meet our legal and regulatory requirements (e.g. anti-money laundering (AML) checks, Her Majesty’s Treasury (HM Treasury) sanctions list checks).
Third parties that work with us to help us fulfil on and service your accounts, products or services: Communications fulfilment or development service providers; Customer account management services; Customer servicing (service agents, support and tools); Payment services, payment schemes and network services; Transaction enablement and dispute services; Payment Protection Insurance (PPI) services including the ongoing management and activities relating to the potential mis-sell of PPI.
Third parties that support the running of our business processes: Business process systems and support providers; Technical platforms, software and tools providers (e.g. tools that we use to optimise and test on our website or mobile applications); Platform management and support services; Data storage, transfer and processing services; Disaster recovery solution services; Public relations support and consultancy services.
Third parties that work with us to ensure we reach the best possible outcome: Regulators, advisory entities and consumer rights/advice bodies; Customer complaints and dispute resolution services.
Third parties that support with debt management, debt placement, debt collection, debt advice and potential purchasers (for assessment and transfer of accounts). Third parties that provide reporting, banking or tax management services and enable us to manage our business financials and performance. Other third parties, bodies or institutions where we are required by regulation, law, industry practices or to detect/prevent fraud, crime, terrorist activity or business risks e.g. regulators, law enforcement bodies, crime prevention bodies and sharing information with other institutions to help detect and prevent fraud.
12. International transfers
13. Data security
14. How long will you use my personal data for?
15. Your legal rights
No fee usually required
What we may need from you
Time limit to respond
Contact Us
16. Glossary