Sainsbury's Bank Privacy Policy

If you have a credit card, savings or personal loan account which has transferred to NatWest, please see the relevant privacy policy here.

Last updated May 2025.

We understand that your privacy and the security of your personal data isextremely important. This notice sets out what we do with your personal data, what we do to keep it secure, from where we collect it and your rights in it.

This policy applies if you interact with us through our premises, over the phone, online, via email, through our mobile applications or otherwise by using any of our websites or interacting with us on social media.

Who are we?

When we say ‘we’ or ‘us’ in this policy, we are referring to the companies that make up the Sainsbury’s Bank. This privacy policy governs the manner in which:

Sainsbury’s Bank Plc.
Argos Financial Services (which includes Home Retail Group Card Services Limited, ARG Personal Loans Limited and Home Retail Group Insurance Services Limited).

(all with the registered office address 33 Charterhouse Street, London, EC1M 6HA)

These companies each collects, uses, maintains and discloses personal data collected from:

our customers, prospective customers and/or individuals who interact with us online, by email, by phone or through our social media channels or websites.
any persons forming part of, included or referenced in any application for products and/or services from us; and/or
visitors to our premises.

For the purposes of data protection law, the “data controller” (which means the entity which determines the purposes and means of any processing of personal data which relates to you under this privacy policy) may be Sainsbury’s Bank or Argos Financial Services (which includes Home Retail Group Card Services Limited, ARG Personal Loans Limited and Home Retail Group Insurance Services Limited).

Who are Sainsbury’s Group?

Sainsbury’s Bank are part of Sainsbury’s Group. When we say ‘Sainsbury’s Group’ in this policy, we are referring to all the companies that make up the Sainsbury’s Group:

Sainsbury’s Supermarkets Ltd;
Sainsbury’s Bank
Argos Limited
Habitat Retail Limited
Argos financial services (which includes Home Retail Group Card Services Limited, ARG Personal Loans Limited and Home Retail Group Insurance Services Limited).
Nectar 360 Limited; and
Argos Business Solutions Limited

(all with the registered office address 33 Charterhouse Street, London, EC1M 6HA)

What sorts of personal information do we hold?

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (e.g. anonymous data). Sainsbury’s Bank may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Information that you provide to us such as your name, address, date of birth, telephone number, email address, bank account and payment card details and any feedback you give to us, including by phone, email, post, or when you communicate with us via social media.
Information about the goods and services that you buy from us (including for example, what they were, when and where you bought them, how much you paid, the way you use them, and so on).
Information required to make decisions about your applications for products and services we offer (for example insurance, store cards, Travel Money services).
Your account login details for our websites and apps, including your username and chosen password.
Information about whether or not you want to receive marketing communications from us.
Identity information (including for example, your passport, driving licence and utility bills) to support our money laundering requirements under applicable law.
Information about any device you have used to access our services (such as your device’s make and model, browser or IP address) and also how you use our services. For example, we try to identify which of our apps you use and when and how you use them. If you use our websites, we try to identify when and how you use those websites too.
Details of the emails and other electronic communications you receive from us, and how you interact with them. For example, whether the communication has been opened, if you have clicked on any links within that communication and the device you used. We do this because we want to make sure that our communications are useful for you, so if you don’t open them or don’t click on any links in them, we know we need to improve our services.
Information from other sources such as specialist companies that provide customer information. For example credit reference agencies such as Experian; the Royal Mail, fraud prevention agencies, claims databases, marketing and research companies, social media providers, and the DVLA, as well as information that is publicly available.
Information captured by our CCTV if you visit any of our premises.
Behavioural biometric information (e.g., your typing speed, device movement and swiping activity) as part of the Bank’s two factor authentication requirements under applicable laws (see here for further information); and
Records of your interactions with us such as call recordings, web chats and emails.
We do not aim any of our products or services directly at children and we do not knowingly collect personal data about children under 18 in providing our services.

Our legal basis for processing your personal information

Whenever we process your personal data, we need something called a “legal basis” for what we do. The different legal bases we rely on are

Consent: You have told us you are happy for us to process your personal information for a specific purpose(s).
Legitimate interests: The processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights.
Performance of a contract: We must process your personal information in order to be able to provide you with one of our products or services.
Vital interests: The processing of your personal information is necessary to protect you or someone else’s life.
Legal obligation: We are required to process your personal information by law.

In the limited circumstances that we process any “special category personal data,” in addition to one of the legal bases noted above, we also need that we have a further legal basis for such processing. This will most commonly be one of the following:

Explicit Consent: where you have given us your explicit consent to the processing.
Vital Interests: the processing is necessary to protect your vital interests or those of another natural person where you are physically or legally incapable of giving consent.
Made public by the data subject: processing relates to personal information that you have made public.
Legal claims and judicial acts: the processing is necessary for the establishment, exercise or defence of legal claims; or
Substantial public interest: the processing is necessary for reasons of substantial public interest (e.g. regulatory requirements, to protect customers’ economic wellbeing, preventing or detecting unlawful acts).

When we refer to “special category personal data” we mean personal data that reveals racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, sex life or sexual orientation of an individual.

How we use your personal information and our legal basis for doing so

We may use your information in the following ways:

Purpose of processing	Why do we process personal data?	What is our legal basis for processing personal data?
To provide our products and services	We need to use your personal data to make our products and services available to you. This processing may include using your personal data to: deliver products or services to you. verify your identity and eligibility for products. take payments from you; and/or award you Nectar points.	Performance of a Contract: We process your personal data if we have a contract with you and we have to use your data as a necessary part of that contract. Legitimate Interests: Once you’ve purchased a product or stopped receiving a service from us, we keep your data for a period of time afterwards in line with our Retention Schedule. For example your information might be needed to deal with a complaint or claim against us.
To improve your experience	We try to understand our customers so we can provide you with a great shopping experience, personalised offers, shopping ideas and online advertising. Understanding how customers use our websites and apps, how they interact with Sainsbury’s Bank, where and when they shop and the products and services that they buy all helps us to do this.	Legitimate Interests: This processing helps us to serve you better and to improve our service offerings.
Analytics and Profiling	We use your personal data for statistical analysis and to help us understand more about our customers. These profiles also help us to send you offers that are more relevant to you and present you with marketing and digital advertising that is more tailored to your interests and preferences and to help our digital marketing platform partners to try to identify other individuals who share similar preferences. This may include using cookies and similar technologies on our website and apps to improve your customer experience. Please see Section 5 (Cookies and Similar Technologies) below for further information.	Legitimate Interests: This processing helps us to serve you better and to find ways to improve our services, apps and websites. These profiles help us to send you offers that are more relevant to you. Consent: To use non-essential cookies we rely on consent.
For safety, security and fraud prevention	We use your personal data to help provide safe and secure environments for our customers to shop in, our colleagues to work in and for our businesses to be conducted. To enable this we monitor behaviour on our premises, online behaviour and carry out checks to help us ensure that our customers are genuine to prevent fraud and to help customers use our services appropriately.	Legitimate Interests: To ensure that our premises and offices are secure and to protect our commercial and confidential information. Legal Obligation: We have certain legal obligations to protect our customers and staff.
Contacting you	We use your personal data to contact you. This may be in relation to a service update, an issue you have raised with us, to conduct market research, to ask for your feedback or to send you regulatory communications	Performance of a Contract: We may contact you to ensure that we comply with the terms of our contract with you (e.g. if we update any contract terms so as to notify you of what has changed) or to send you regulatory statements and communications Legitimate Interests: We may contact you to conduct activities (e.g. obtain feedback on our performance) to support us in improving our products and/or services and to support the training of our employees. Consent: If you ask us to contact you or send you something
Marketing	We use your personal data to provide relevant marketing communications (including by email, phone, SMS, coupon at till or post), relating to our products and services. We may also use information about how you interact with us to measure the effectiveness of these campaigns.	Consent: Depending on the marketing activity that we undertake, we may obtain your consent before undertaking marketing. Legitimate Interest: To promote our products and/or services to you and provide you with details of offers you may be interested in.
Create Data Models	We combine personal data and analyse it to look for patterns, trends and characteristics that align with a particular outcome – for example, items that are often purchased together. We use this analysis to create a framework that maps out these patterns, trends and characteristics on an anonymous basis - we call these frameworks “data models” and the process of making them “data modelling”.	Legitimate Interests: This processing helps us to serve you better and to improve our service offerings.
To trace and recover debt	We may access information from third parties such as Credit Reference Agencies to get up to date contact details where we need these to recover money owed to us.	Legitimate Interests: We need to recover payments that are due to us for services and/or products provided to you to operate our business.
Customer Service	We record or keep a record of most communications between us. This could be in the form of call recordings, transcripts of calls, emails or web chat conversations. We do this to provide a great service to our customers, to develop our business, to prevent fraud, for staff training, and if something has gone wrong to manage customer complaints or claims.	Legitimate Interests: To protect and develop our business as call recordings and web chat transcripts help us to meet our responsibilities to combat fraud, provide good customer service and respond to complaints. To protect our business and interests against claims and/or to recover any monies that may be owed to us Legal Obligation: We have legal and regulatory obligations to respond to and deal with any complaints that you may raise in respect to our products and/or services.

Cookies and similar technologies

We use cookies to help give you the best experience on our websites and to allow us and third parties to tailor ads you see on ours and other websites. For more information please see the cookie policy available here.

We may share your personal information with the following third parties as part of the purposes set out in ‘How do we use your personal information?’ above:

The Sainsbury's Group - we may share your personal information with companies within the Sainsbury's Group so that we can provide you with a high quality, personalised and tailored service (including relevant marketing) across the Sainsbury’s Group and for the purposes that are set out in this privacy policy and the Nectar Privacy Policy.

For example, the products that you purchase in one part of the Group are shared within the Group and with Nectar if you use your Nectar card and when shopping with us.

Our service providers - we work with different companies so that they can help us provide the products and services you require from us or we think you might be interested in. These third parties include:

Advertising companies, partners and suppliers, or digital media platform partners like Meta and Google, who help us target Sainsbury’s Bank or selected third party partner adverts online and on other media.
Suppliers, if they will be delivering a product directly to you or providing a service on our behalf.
Social media providers – such as Facebook, Instagram and Twitter(X).
Market research partners, who help us analyse customer behaviour.
Companies that deploy our email campaigns because they need to know your email address to carry out these services.
Companies that provide insights and analytics services so we can stock the right products, send the relevant marketing campaigns and understand our business and customers better.
Scheme providers and companies who provide payment solutions who process your information as controllers and processors – such as Visa, Mastercard and Checkout –in order to manage your account and for your payments to be processed.
Our agents, advisers or others involved in running accounts and services for you and your business or collecting what you or your business owe Sainsbury’s Bank companies.
Credit reference agencies.
Fraud prevention agencies and providers of fraud screening services.
Third party vendors who help us manage and maintain the Sainsbury’s Bank IT infrastructure.
Logistics and delivery providers who enable us to deliver products you order on our websites. Insurance providers as more fully described in the financial services section of this policy.
Where relevant, our professional advisors, such as lawyers and consultants.
Security and fraud prevention companies to ensure the safety and security of our customers, colleagues and business.
Companies which run our contact centres because they need your personal information to identify and contact you.
Companies who assess faults on our behalf.
Companies who administer competitions for us so they run smoothly.
Companies that enable us to collect your reviews and comments, both online and offline; and
Companies that help us with our community and social goals.

If you use the services provided by another company to interact with us, such as a virtual assistant or a social media platform, please be aware that your data is also subject to the privacy policies of these companies.

Other organisations and individuals - we may share your personal information in certain scenarios. For example:

If we're discussing selling or transferring part or all of a Sainsbury's Bank business, we may share information about you to prospective purchasers and their advisers - but only so they can evaluate the relevant business; or
If we are reorganised or sold to another organisation, we may transfer information we hold about you to them so they can continue to provide the Services to you.
If we are required to by law, under any code of practice by which we are bound or where we are asked to do so by a public or regulatory authority.
If we need to do so in order to exercise or protect our legal rights, users, systems and services; or
In response to requests from individuals (or their representatives) seeking to protect their rights or the rights of others. We will only share your personal information in response to requests which do not override your privacy interests. For example, we will not share your personal information with individuals who are merely curious about you, but we will share your personal information to e.g. insurers, solicitors, employers etc. which have a legitimate interest in your personal information.

Additional ways that we may process your personal information

In addition to the processing set out in the section ‘How do we use your personal information?’, we may process your personal information for the following purposes:

Purpose of processing	Why do we process personal data?	What is our legal basis for processing personal data?
Sainsbury’s Bank Customer Authentication/Two Factor Authentication	Sainsbury’s Bank is required to meet certain obligations under the secure customer authentication requirements of the Payment Services Directive 2 (“Directive”). Sainsbury’s Bank therefore processes behavioural biometric personal information to meet its obligations under this Directive. Please see the paragraph entitled “Bank Customer Authentication/Two Factor Authentication” below for further details.	Legal Obligation: To meet and comply with the requirements on Sainsbury’s Bank under the Directive. Substantial Public Interest: The processing is (i) necessary for the purposes of the prevention or detection of an unlawful act; and (ii) necessary for the purposes of complying with a regulatory requirement which involves Sainsbury’s Bank taking steps to establish whether a customer or someone pretending to be a customer has committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct; and (iii) protecting the economic wellbeing of our customers
Financial Services, Credit Risk and Fraud Prevention	Your personal information is also used for credit and capital management purposes and other purposes as set out in the paragraphs below.	Legal Obligation: We have certain legal obligations to ensure we know our customers and their identity. Therefore, we may conduct checks on that basis using your personal information (e.g. anti-money laundering checks) and to validate the information that you provide to us. Legitimate Interests: To ensure that our business is protected and to analyse whether individuals are able to make repayments.
To provide our products and services	This processing may include using your personal information to: authenticate payments from you. facilitate payments in Sainsbury’s stores for your shopping. work out financial and insurance risks by credit scoring. verify your identity and eligibility for products, and the identities of joint applicants and other insured persons. determine your credit risk. take payments from you in respect of your premiums (e.g. insurance products) and/or credit card/loan repayments. provide you with insurance policy and related documentation. notify you of any changes to your terms and conditions and/or when renewals are due; and/or award you Nectar points.	Performance of a Contract: We process your personal information because we have a contract with you and we have to use your information in this way as a necessary part of that contract. Legitimate Interests: Once you no longer have the product or are receiving services from us, we keep your information for a period of time afterwards as part of our legitimate interests in case your information is needed for a complaint or regulatory enquiry, to help us to lend responsibly, and to work out the right price for our products. Legal Obligation: We have certain legal obligations to ensure we know our customers and their identity. Therefore, we may conduct checks on that basis using your personal information (e.g. anti-money laundering checks).

Sainsbury’s Bank Customer Authentication/Two Factor Authentication

Sainsbury’s Bank is required to meet certain obligations under the secure customer authentication requirements of the Payment Services Directive 2 (“Directive”).

Sainsbury’s Bank therefore processes behavioural biometric personal information to meet its obligations under this Directive.

Please see the paragraph entitled “Bank Customer Authentication/Two Factor Authentication” below for further details.

Legal Obligation: To meet and comply with the requirements on Sainsbury’s Bank under the Directive.

Substantial Public Interest: The processing is (i) necessary for the purposes of the prevention or detection of an unlawful act; and (ii) necessary for the purposes of complying with a regulatory requirement which involves Sainsbury’s Bank taking steps to establish whether a customer or someone pretending to be a customer has committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct; and (iii) protecting the economic wellbeing of our customers

Financial Services, Credit Risk and Fraud Prevention

Your personal information is also used for credit and capital management purposes and other purposes as set out in the paragraphs below.

Legal Obligation: We have certain legal obligations to ensure we know our customers and their identity. Therefore, we may conduct checks on that basis using your personal information (e.g. anti-money laundering checks) and to validate the information that you provide to us.

Legitimate Interests: To ensure that our business is protected and to analyse whether individuals are able to make repayments.

To provide our products and services

This processing may include using your personal information to:

authenticate payments from you.
facilitate payments in Sainsbury’s stores for your shopping.
work out financial and insurance risks by credit scoring.
verify your identity and eligibility for products, and the identities of joint applicants and other insured persons.
determine your credit risk.
take payments from you in respect of your premiums (e.g. insurance products) and/or credit card/loan repayments.
provide you with insurance policy and related documentation.
notify you of any changes to your terms and conditions and/or when renewals are due; and/or
award you Nectar points.

Performance of a Contract: We process your personal information because we have a contract with you and we have to use your information in this way as a necessary part of that contract.

Legitimate Interests: Once you no longer have the product or are receiving services from us, we keep your information for a period of time afterwards as part of our legitimate interests in case your information is needed for a complaint or regulatory enquiry, to help us to lend responsibly, and to work out the right price for our products.

Credit Reference Agencies

When do we share data with Credit Reference Agencies?

When you apply for a credit product from Sainsbury’s Bank, we may perform credit and identity checks on you with one or more of the main credit reference agencies (the “Credit Reference Agencies”). We also run checks with the Credit Reference Agencies periodically to help us manage our relationship with you which may include for purposes of credit limit adjustments, spend evaluation and card reissue.

Why do we share data with Credit Reference Agencies?

The Credit Reference Agencies provide us with information about you which helps us to understand your credit-worthiness – how easily you will find it to repay credit to us. This may include information about your financial history, salary, current financial situation, and shared credit. These activities are essential in helping promote responsible lending, prevent people and businesses from getting into more debt than they can afford, and reduce the amount of unrecoverable debt and insolvencies.

We share your personal information to check the accuracy of the information you provide us, trace and recover debts; and to help prevent fraud, money laundering and criminal activity. We also periodically share information with the Credit Reference Agencies about how you are using your Sainsbury’s Bank or Argos Financial Services credit product so that they can keep the records they hold about you accurate and up to date. This information reveals how you pay back your loans, store card and credit card debts. If you fail to pay back your loan, store card or credit card in full or on time, we will inform the Credit Reference

Agencies who will record this as an outstanding debt. This can be viewed by other organisations.
If you fall into arrears with a Sainsbury’s Bank or Argos credit product (e.g. credit card, SB loan, store card, AFS Monthly Payment Plan), we may share your personal information with the following third parties to trace and recover the debt:

Contacting the Credit Reference Agencies

The three main Credit Reference Agencies that we use are TransUnion, Equifax and Experian.

Each of the Credit Reference Agencies have signed up to a joint policy (“CRAIN”) which explains how these agencies use and shares personal data they receive about you and/or your business that is part of or derived from or used in credit activity.

You can find out more about how these Credit Reference Agencies collect, use and share personal data they hold about you, and what your rights are in relation to that information at the websites below:

Fraud Prevention (incl. money laundering) and Law Enforcement

Fraud Prevention

Sainsbury’s Bank and Argos Financial Services have systems and controls in place that protect our customers and our businesses against fraud and other kinds of financial crime. This includes collecting device (e.g., location of device and IP address) and behavioural information (e.g., how you interact with our website) when you logon and transact with our websites and mobile apps.

In addition, during your application and time with us as a customer, we'll share your personal information with Fraud Prevention Agencies to help prevent, detect and investigate Fraud & Money Laundering, and verify your identity. If we or our partner agencies detect fraud and/or any unlawful conduct you could be refused certain services, finance or employment now and in the future.

Find out more information about how these agencies collect, use and share personal information they hold about you, and what your rights are in relation to that information at the websites below:

These agencies help financial institutions like banks (including Sainsbury’s Bank), insurance providers and investment companies fight financial crime. Our financial services companies may access and use the information held by the fraud prevention agencies to prevent fraud, ID theft and money laundering, for example, when:

we are deciding whether to provide credit (e.g. credit limit changes) or during an application for a Sainsbury’s Bank or Argos financial product (e.g. store card)
we manage credit and credit related accounts for our customers.
we are trying to recover debt.
we are checking details on proposals and claims for all types of insurance; and
we have been made aware of potentially fraudulent activities affecting our customers’ accounts

Anti-money laundering requirements

The financial services companies within our Group (Sainsbury’s Bank plc and Argos Financial Services) are obliged to collect certain information from you to satisfy our obligations under money laundering regulations. If you take out one of our financial products, we may ask you to provide us with copies of documents which confirm your identity, including:

Passport;
Driving licence; and
Bank statement or utility bill

This enables us to protect both our business and our customers from criminals. We have a legal obligation to obtain and hold this information about you. We cannot open a financial services product without obtaining copies of these documents for our records.

Sharing your information with Law Enforcement Agencies or public bodies

Law enforcement agencies (e.g., the police) may also ask us for access to information about our customers for the prevention and detection of crime. We will only provide personal information to these agencies where:

you have told us you are happy for us to do so;
there is a threat to your life or the life of another customer/individual;
the law enforcement agency or public body has been given authority by a Court to ask for this information.; or
legislation(s) mandates the sharing of the information (e.g., the Inland Revenue Department under the Tax Administration Act 1994)

Interaction with Insurance Providers

Sainsbury’s Bank offers a variety of insurance products to our customers, from Sainsbury’s Bank Travel Insurance to furniture and jewellery warranty cover to protect products purchased in Argos. We work with a number of insurance partners (or ‘underwriters’) to help us provide these products to our customers. These are known as branded insurance products.

When you buy a Sainsbury’s Bank or Argos-branded insurance product, these products will be underwritten by one of our insurance partners. These partners collect all the information about you that they need in order to provide you with the product – they are the ‘data controller’ of that information (i.e. they decide how the information is used) and you can ask them about how they use your information by contacting them using the details provided in your terms and conditions or on their website.

These partners pass certain necessary information about our customers back to us once they’ve bought an insurance product. This information helps us understand what products our customers have and how we can provide the best possible service for those customers across Sainsbury’s Group.

Automated decisioning for credit products

When you apply for a Sainsbury’s Bank credit product, we will decide whether we can lend to you by automatically comparing the information you provide to us against our lending criteria. This criteria includes:

credit score, credit history, employment status, existing credit products or previous applications and also an assessment of affordability.

Your information will be compared against this criteria and we will make a decision in the vast majority of cases automatically, using a credit decisioning system, about whether to offer you credit, and on what rate. A small number of cases will require a manual assessment and decision.

You do have the right to ask us to look at this manually, if you think we may have missed some relevant information during the decision-making process and would like this to be considered. Please contact us using the details in the “Contact Us” section below if you would like to discuss an application which has been completed using automated decision-making.

Bank Customer Authentication/Two Factor Authentication

Sainsbury’s Bank is required to meet certain obligations under the secure customer authentication requirements of the Payment Services Directive 2.

Sainsbury’s Bank therefore processes behavioural biometric personal data to meet its obligations under this Directive. The personal data processed is:

key stroke dynamics including: typing speed/pressure, mouse movement, device movement and swiping activity (plus BOT or remote access trojan detection) which is combined with other device intelligence such as location and device ID/ type of device.

The biometric personal data processed will provide the 2nd factor authentication (i.e., this will act as the ‘inherence’ something the customer is and will be combined with a one-time password (something that will be provided to you by the Bank)). The personal data captured builds up user profile and is layered against other device intelligence and fraud factors, screened by our third-party solution provider (Callsign) to provide a robust customer authentication / fraud prevention solution for card purchases.

International transfers of personal information

From time to time we transfer your personal information to our, suppliers or service providers based outside of the United Kingdom for the purposes described in this privacy policy (please see the “Who might we share your personal information with?” section above for further details). When we do this, your personal information will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators.

Keeping you informed about our products and services

We would like to tell you (and joint account holders) about great offers, ideas, products and services from Sainsbury’s Bank and our suppliers that we think you might be interested in. Where we have consent or it is in our legitimate interests to do so, we may do this through the post, by email, text message, phone, through online advertising or by any other electronic means.

We won't send you marketing messages if you tell us not to, but if you receive a service from us, we will still need to send you occasional service-related messages and may still send you emails requesting feedback or surveys (you can always opt out of these via the survey email itself). If you wish to amend your marketing preferences, you can do so by logging into your Sainsbury’s Bank account and following the directions, or by logging into our Customer Preference Centre.

Please note that it can take a little while for all marketing to stop once you either withdraw your consent or tell us you’d like to opt out of marketing. This is because some marketing may have been identified as relevant to your interests and may already be in transit, it cannot therefore be immediately stopped.

If you don’t want to receive coupon at till based on your shopping then let us know by emailing privacy.bank@sainsburysbank.co.uk. You might still receive coupons but they won’t be based on your personal data.

Your rights

You have a number of rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you

These include:

the right to access a copy of the personal information we hold about you.
the right to correction of inaccurate personal information we hold about you.
the right to restrict our use of your personal information.
the right to be forgotten.
the right of data portability; and
the right to object to our use of your personal information.

Where we rely on consent as the legal basis on which we process your personal information, you may also withdraw that consent at any time.

If you are seeking to exercise any of these rights, please contact us using the details in the “Contact Us” section below. Please note that we will need to verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect the personal information belonging to our customer against fraudulent requests.

Automated decision making and profiling

We use automated decision making, including profiling, in certain circumstances, such as when it is in our legitimate interests to do so, or where we have a right to do so because it is necessary for us to enter into, and perform, a contract with you. We use profiling to enable us to give you the best service across the Sainsbury’s Bank, including specific marketing which we believe you will be interested in.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which has legal effects for you or affects you in any other significant way.

If you are seeking to exercise this right, please contact us using the details in the “Contact Us” section below.

How long will we keep your personal information for?

We will keep your personal information for the purposes set out in this privacy policy and in accordance with the law and relevant regulations. We will never retain your personal information for longer than is necessary. In most cases, our retention period will come to an end 7 years after the end of your relationship with us. However, in some instances we are required to hold your personal information for up to 13 years following the end of your relationship with us (e.g. for data relating to Sainsbury's Bank mortgage products).

Security

We take protecting your personal information seriously and are continuously developing our security systems and processes. Some of the controls we have in place are:

We limit physical access to our buildings and user access to our systems to only those that we believe are entitled to be there.
We use technology controls for our information systems, such as firewalls, user verification, strong data encryption, and separation of roles, systems & data.
Systems are proactively monitored through a “detect and respond” information security function.
We utilize industry “good practice” standards to support the maintenance of a robust information security management system; and
We enforce a “need to know” policy, for access to any data or systems.

Contact us

If you would like to exercise one of your rights as set out in the “Your rights” or “Automated decision making and profiling” sections above, or you have a question or a complaint about this policy, or the way your personal information is processed, please contact us by one of the following means:

By email: privacy.bank@sainsburysbank.co.uk
By post: Data Protection Officer, Sainsbury’s Bank, 1 New Park Square, Edinburgh Park, Edinburgh, EH12 9GR

We hope that we will be able to resolve your query, but you also have the right to make a complaint to the Information Commissioner's Office. Visit https://ico.org.uk/make-a-complaint for more information.