Privacy Policy of Union Arvest Bank

1. Introduction

This Privacy Policy explains how Union Arvest Bank ("Union Arvest Bank", "we", "us", or "our"), a bank established and operating in England, collects, uses, discloses, and protects your personal data when you use our services, visit our branches, access our websites, mobile applications, or communicate with us in any way.

We are committed to safeguarding your privacy and handling your personal data in a lawful, fair, and transparent manner, in accordance with applicable data protection laws in England, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By engaging with Union Arvest Bank, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are and Contact Details

Union Arvest Bank is a financial institution providing banking and related financial services in England.

If you have any questions about this Privacy Policy or our data protection practices, you may contact us at:

Data Protection Officer Union Arvest Bank [Insert postal address] [Insert email address] [Insert telephone number]

3. Personal Data We Collect

We may collect and process the following categories of personal data about you:

3.1 Identification and Contact Data

• Full name, title, date of birth, and place of birth
• Residential and correspondence addresses
• Email address and telephone numbers
• Nationality and, where required, immigration status
• Identification documents (e.g., passport, identity card, driving licence) and identification numbers

3.2 Financial and Transaction Data

• Bank account numbers and sort codes
• Payment card details (processed in accordance with industry standards)
• Account balances, deposits, withdrawals, loans, mortgages, savings, investment products, and harvest-related financial products where applicable
• Transaction records, including payees, payers, transaction amounts, dates, locations, and descriptions
• Credit history and credit reference information from credit reference agencies

3.3 Regulatory and Compliance Data

• Information collected to comply with anti-money laundering (AML), counter-terrorist financing (CTF), sanctions, anti-fraud and other regulatory obligations
• Information relating to source of funds and source of wealth, including where funds or income may be derived from agricultural, seasonal, or harvest-based activities
• Records of checks against politically exposed person (PEP) lists and sanctions lists

3.4 Technical and Usage Data

• IP address, browser type, operating system, device identifiers
• Login credentials (stored in encrypted form), security questions and answers
• Usage information relating to internet banking, mobile applications, and other digital services, including pages viewed, features used, and interaction times
• Cookies and similar technologies used on our websites and online services

3.5 Communication Data

• Records of communications with us by phone, email, post, online chat, secure messages, or in person at our branches
• Call recordings and CCTV images at our branches and ATMs, where legally permitted and appropriately signposted

3.6 Special Category Data We generally avoid collecting special category data (such as health data, biometric data for identification, or data revealing racial or ethnic origin, religious beliefs, or trade union membership). Where we do so, it will only be with your explicit consent or where permitted or required by law, for example, in relation to enhanced security authentication or vulnerability assessments.

4. How We Collect Your Personal Data

We collect personal data in the following ways:

• Directly from you: when you open an account, apply for a product or service, use our online or mobile banking, fill in forms, communicate with us, or participate in surveys or promotional activities.
• Automatically: when you access our digital services, through cookies and similar technologies, transaction monitoring systems, and security tools.
• From third parties: credit reference agencies, fraud prevention agencies, public databases, intermediaries, brokers, business partners, and other banks or financial institutions involved in your transactions.
• From publicly available sources: public registers, company registries, the electoral roll, and other open data sources.

5. Legal Bases for Processing Your Personal Data

We process your personal data only where we have a lawful basis under the UK GDPR. These bases may include:

5.1 Contractual Necessity To take steps at your request prior to entering into a contract and to perform a contract with you, including:

• Opening and maintaining current, savings, or deposit accounts
• Providing loans, mortgages, credit facilities, or other financial products
• Executing and managing payments, transfers, standing orders, and direct debits
• Providing online and mobile banking services

5.2 Legal and Regulatory Obligations To comply with obligations under UK and applicable international laws and regulations, including:

• Anti-money laundering and counter-terrorist financing laws
• Sanctions and embargo regulations
• Tax reporting and record-keeping obligations
• Consumer protection and banking regulations

5.3 Legitimate Interests Where necessary for our legitimate business interests, provided those interests are not overridden by your fundamental rights and freedoms, including:

• Managing our relationship with you and keeping our records accurate and up to date
• Preventing, detecting, and investigating fraud, financial crimes, and security incidents
• Developing and improving our products, services, systems, and security measures
• Performing analytics and segmentation, including analysis of harvest-related income patterns where relevant to your financial profile
• Ensuring the effective operation of our business and IT systems

5.4 Consent Where you have given consent for specific purposes, for example:

• Receiving direct marketing communications by email, SMS, or push notifications about our products, services, and offers
• Using certain types of cookies and similar technologies for analytics and personalised content You may withdraw your consent at any time as described in section 11.

6. How We Use Your Personal Data

We may use your personal data for the following purposes:

6.1 Providing and Managing Banking Services

• Setting up and administering your accounts and profiles
• Processing deposits, withdrawals, transfers, and card transactions
• Assessing and managing credit risk in relation to loans, overdrafts, and other credit facilities
• Handling payments and receipts relating to employment, business, agricultural, or harvest-based activities

6.2 Customer Support and Communication

• Responding to your enquiries, requests, and complaints
• Providing notifications about changes to your accounts, security alerts, and service updates
• Sending information regarding changes to our terms, fees, and policies

6.3 Risk Management, Security, and Fraud Prevention

• Monitoring transactions and usage patterns to identify and prevent fraud, money laundering, and other financial crime
• Authenticating your identity and managing access to accounts, including the use of one-time passwords and similar security controls
• Operating CCTV at branches and ATMs to ensure safety and security

6.4 Compliance and Reporting

• Complying with legal and regulatory reporting obligations to regulatory authorities, law enforcement, tax authorities, and courts
• Conducting due diligence, audits, and internal compliance reviews

6.5 Product Development and Marketing

• Analysing data to understand customer needs and improve our products and services, including those tailored to seasonal or harvest-related income streams
• Conducting market research and statistical analysis (where possible using anonymised or aggregated data)
• Providing you with information about products, services, and offers that may be of interest to you, in accordance with your marketing preferences and applicable laws

7. Cookies and Similar Technologies

We use cookies and similar technologies on our websites and digital platforms to:

• Enable core functionalities (such as secure login and navigation)
• Enhance user experience and remember your preferences
• Perform analytics on website traffic, usage patterns, and performance

Where required by law, we will obtain your consent before placing non-essential cookies on your device. You may manage your cookie preferences through your browser settings or our cookie management tool, although disabling certain cookies may affect the functionality of our services.

8. Sharing Your Personal Data

We may share your personal data with:

8.1 Within Union Arvest Bank

• Departments and staff within Union Arvest Bank who require access to your data for the performance of their duties, subject to confidentiality obligations.

8.2 Service Providers and Professional Advisers

• Third-party service providers who perform services on our behalf, such as IT and cloud service providers, card and payment processors, document storage providers, credit reference agencies, debt collection agencies, analytics and marketing service providers (subject to your marketing preferences), and security service providers.
• Professional advisers such as auditors, lawyers, and consultants, where necessary for business operations or legal advice.

8.3 Other Financial Institutions and Third Parties

• Other banks and payment service providers involved in processing your transactions
• Credit reference agencies, fraud prevention agencies, and similar organisations
• Third parties involved in potential or actual business transfers, mergers, acquisitions, or restructuring, subject to appropriate safeguards

8.4 Authorities and Regulators

• Law enforcement agencies, courts, regulators, tax authorities, and other public bodies where we are required or permitted to do so by law, regulation, or legal process.

We require all third parties to respect the security of your personal data and to process it only in accordance with our instructions and applicable law.

9. International Transfers of Personal Data

Your personal data may be transferred to and processed in countries outside the United Kingdom (UK) and the European Economic Area (EEA). Where we transfer your personal data internationally, we will ensure that appropriate safeguards are in place, such as:

• An adequacy decision issued by the UK government for the destination country; or
• Standard contractual clauses and additional safeguards where necessary; or
• Other lawful transfer mechanisms permitted under the UK GDPR.

You may contact us for more information about the safeguards in place for international transfers relevant to your personal data.

10. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements.

When determining the appropriate retention period, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process it, and whether we can achieve those purposes through other means.

In general:

• We retain account and transactional records for a period required under financial services regulations and anti-money laundering laws, which may be several years after the end of your banking relationship with us.
• Call recordings, CCTV footage, and system logs are kept for shorter periods unless required for investigations, legal proceedings, or compliance purposes.

After the expiry of the relevant retention periods, personal data will be securely deleted, anonymised, or archived in accordance with our data retention and destruction policies.

11. Your Rights

Subject to certain conditions and exceptions under applicable law, you have the following rights regarding your personal data:

11.1 Right of Access You have the right to obtain confirmation as to whether we process your personal data and to request a copy of that data, along with information about how and why we process it.

11.2 Right to Rectification You have the right to request correction of inaccurate or incomplete personal data.

11.3 Right to Erasure You may request the deletion of your personal data where, for example, it is no longer necessary for the purposes for which it was collected, or where you have withdrawn your consent and there is no other legal basis for processing. This right is subject to our legal and regulatory obligations to retain certain data.

11.4 Right to Restrict Processing You may request that we restrict the processing of your personal data in certain circumstances, such as where you contest its accuracy or object to its processing.

11.5 Right to Data Portability Where processing is based on your consent or on a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller, where technically feasible.

11.6 Right to Object You have the right to object to processing of your personal data based on our legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.

You also have the right to object at any time to our processing of your personal data for direct marketing purposes, including profiling related to such marketing, in which case we will stop marketing to you.

11.7 Rights in Relation to Automated Decision-Making and Profiling If we use automated decision-making, including profiling, that produces legal effects or similarly significant effects for you (for example, certain credit or risk assessment processes), you have the right to obtain human intervention, to express your point of view, and to contest the decision.

11.8 Right to Withdraw Consent Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the withdrawal.

12. How to Exercise Your Rights

To exercise any of your rights, please contact us using the details provided in section 2. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data or exercise other rights. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We aim to respond to all legitimate requests within one month. If your request is particularly complex or you have made multiple requests, we may extend this period, but we will inform you of any such extension and the reasons for it.

In general, you will not have to pay a fee to exercise your data protection rights. However, we may charge a reasonable fee or refuse to comply with your request if it is manifestly unfounded or excessive.

13. Direct Marketing

We may use your personal data to send you information about products, services, and offers that we believe may be of interest to you, including services related to savings, investments, loans, and financial solutions tailored to seasonal income or harvest-related cash flows.

We will do this only in accordance with your marketing preferences and applicable laws. You may opt out of receiving marketing communications at any time by following the unsubscribe instructions in our messages or by contacting us using the details provided in section 2.

Even if you opt out of marketing communications, we may still send you non-marketing communications relating to your accounts, transactions, security alerts, and other service-related matters.

14. Security of Your Personal Data

We implement appropriate technical and organisational measures to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include:

• Encryption, pseudonymisation, and access controls
• Secure data centres and network security measures
• Regular security testing, monitoring, and staff training

While we strive to protect your personal data, no system can be completely secure. You are also responsible for protecting your login credentials, choosing strong passwords, and not sharing your security information with others.

15. Third-Party Links

Our websites, applications, or communications may contain links to third-party websites, plug-ins, or services. We are not responsible for the privacy or security practices of such third parties. We encourage you to read the privacy policies of any third-party services you access.

16. Children’s Privacy

Our services are not directed at children under 18, and we do not knowingly collect personal data from children under 18 without appropriate consent or legal basis. If you believe that a child has provided personal data to us without the necessary permissions, please contact us so that we can take appropriate steps.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance. The updated version will be posted on our website with an updated “last updated” date. In the event of significant changes, we may also notify you by email, secure message, or other appropriate means.

You are encouraged to review this Privacy Policy periodically to stay informed about how we handle your personal data.

18. Complaints

If you have concerns about how we handle your personal data, please contact us using the details provided in section 2. We will endeavour to address your concerns promptly and fairly.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters:

Information Commissioner’s Office [Insert ICO contact details]

This Privacy Policy applies to Union Arvest Bank and all services we offer in England, unless a more specific privacy notice is provided for a particular product, service, or channel.