
HSBC Bank (China) Company Limited  Personal Information and Privacy Protection Policy for Personal Digital Banking Services 

Updated Date: 08 Oct 2025

Effective Date: 13 Oct 2025

HSBC Bank (China) Company Limited (“HSBC”, “the Bank”, “we” or “us”) takes the confidentiality and security of personal information very seriously, and always strives to protect personal information and privacy of our customers and other related personal information subjects (“you” or “Personal Information Subject”) according to law. We therefore formulate this Personal Information and Privacy Protection Policy for Personal Digital Banking Services (this “Policy”) to help you understand the purposes, methods, and scope of personal information we process, our practices regarding personal information and privacy protection, your rights and interests about personal information and privacy and how to assert your rights and interests.

This Policy applies to your use of our personal digital banking services (including telephone banking, internet banking, mobile banking, WeChat official account, WeChat service account, WeChat mini programs, etc.).

The table of contents of this Policy is set out below:

I. How We Protect Your Personal Information

II. How We Collect Your Personal Information

III. How We Use Your Personal Information

IV. How We Store Your Personal Information

V. How We Share, Transfer and Publicly Disclose Your Personal Information

VI. Special Circumstances for Information Processing

VII. How We Use Cookies and Similar Technologies

VIII. Your Rights Relating to Personal Information

IX. How to Contact Us

X. Protection of Minors' Personal Information

XI. Formulation, Effectiveness and Update of this Policy and Others

 

Please read through this Policy carefully and pay particular attention to the provisions that are bolded and underlined which we think have material impacts on your interests and/or deal with your sensitive personal information. The key points of this Policy are summarized as below:

  1. To help you understand the purpose and category of personal information we collect when you sign up for our services or use our products, we explain them under the particular service/product scenario.
  2. In some business scenarios, we will collect your sensitive personal information after you give us express consent if legally required. Refusal to provide consent might affect your use of the related service but will not affect your use of other services we provide.
  3. If we need to share your personal information to a third party, we will carefully assess the legality, legitimacy and necessity of the data sharing with the third party. We will ask the relevant third party to take all data protection measures required pursuant to applicable laws and regulations.

We fully understand how important your personal information is to you, and we will exert our best effort to protect the security of your personal information. We have always been committed to maintaining your trust and will adhere to the following principles to protect your personal information: Right and Responsibility Consistency, Explicit Purpose, Freely Given Consent, Minimum and Necessity, Assurance of Information Security, Participation of Personal Information Subjects, Fairness and Transparency. We are also committed to taking appropriate security measures to protect your information.

We shall collect, use, store, disclose and protect your and related parties’ personal information in accordance with this Policy. If there is any discrepancy between this Policy and the other agreements entered into or other terms and conditions agreed between you and us, such other agreements or terms and conditions shall prevail.

I. How We Protect Your Personal Information

  1. Information security is our top priority. We will always endeavour to safeguard your personal information against unauthorised or accidental access, processing or damage. We maintain this commitment to information security by implementing appropriate security and managerial measures to secure your personal information safety. We will take responsibility in accordance with the law if your personal information suffers from unauthorised access, public disclosure, erasure or damage for a reason attributable to us and so impairs your lawful rights and interests.
  2. Our website supports advanced encryption technology - an existing industry standard for encryption over the internet to protect your personal information. When you provide sensitive personal information through our website or applications, it will be automatically converted into codes to ensure secure transmission afterwards. Our web servers are protected behind “firewalls” and our systems are monitored to prevent any unauthorized access. Our mobile banking application software has passed Union-pay payment application software security test conducted by Bank Card Test Centre and the software filing for financial client mobile application with National Internet Finance Association of China.
  3. We maintain a strict security system to prevent unauthorized access to your personal information. We exercise strict management over our staff members who may have access to your personal information, including but not limited to access control applied to different positions, contractual obligation of confidentiality agreed with relevant staff members, formulation and implementation of information security related policies and procedures, and information security related training offered to staff.
  4. We will not disclose your personal information to any third party, unless the disclosure is made to comply with laws, regulations and regulatory requirements or according to this Policy or separate agreement between us or based on your separate consent or authorisation. When we use services provided by external service providers (entities or individuals), we also impose strict confidentiality obligations on them and require them to take all data protection measures required pursuant to applicable laws and regulations when processing your personal information.
  5. For the security of your personal information, you take on the same responsibility as us. You shall properly take care of your personal information, such as your bank account information, identity verification information (e.g. user name, password, dynamic password, verification code, etc.), and all the documents, devices or other media that may record or otherwise relate to such information, and shall ensure your personal information and relevant documents, devices or other media are used only in a secured environment. You shall not, at any time, disclose to any other person or allow any other person to use such information and relevant documents, devices or other media. Once you think your personal information and/or relevant documents, devices or other media have been disclosed, lost or stolen, or may otherwise affect the security of your use of our digital banking services, you shall notify us immediately so that we may take appropriate measures to prevent further loss from occurring.
  6. We will organize regular staff training and drills on emergency response so that the relevant staff are familiar with their job duties and emergency procedures. If, unfortunately, a personal information security incident occurs, we will adopt an emergency plan and take relevant actions and remediation measures to mitigate the severity and losses in connection therewith. Meanwhile, we will, following the requirements set out in applicable laws and regulations, inform you of the basic information of the security incident and its possible impact, the actions and measures we have taken or will take, suggestions for you to prevent and mitigate the risk, and applicable remediation measures. We will inform you about the security incident by email, mail, call, SMS, push notification or through other methods as appropriate in a timely manner. Where it is difficult to notify each Personal Information Subject, we will post a public notice in a reasonable and effective way. Meanwhile, we will report such personal information security incident and our actions in accordance with applicable laws, regulations and regulatory requirements.

II. How We Collect Your Personal Information

1. Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized. Personal information includes name, birth date, ID certificate information (ID card, passport, etc.), personal biometrics recognition information, contact information, address, account information, property status, location etc. Sensitive personal information refers to personal or property information that, once leaked or illegally provided or misused, may harm personal or property safety and will easily lead to infringement of the personal reputation, human dignity, physical or psychological health, or discriminatory treatment. Such information mainly includes ID certificate information (ID card, passport, etc.), personal biometrics recognition information, credit information, property information, transaction information, medical and health information, specific identity, financial account, individual location tracking etc. as well as any personal information of a minor under the age of 14 (i.e. child).

2. Subject to compliance with the applicable laws and regulations, we collect personal information about you and your related parties from a range of sources, including:

(1) your and/or related parties’ personal information directly provided by yourself;

(2) your and/or related parties’ personal information which we collect, enquire, and verify by proper methods from/with members of the HSBC Group or other third parties (including but not limited to credit reference agencies, information service providers, relevant authorities, employers, counterparties, joint applicants, contact persons, close relatives and other entities/individuals). “HSBC Group” under this Policy means HSBC Holdings plc, and/or any of, its affiliates, subsidiaries, associated entities and any of their branches and offices (together or individually), and “member of the HSBC Group” has the same meaning;

(3) your and/or related parties’ personal information generated from any of our products or services you apply for, currently hold, or have held in the past or when you interact with us;

(4) publicly available sources, for example legitimate news reporting and public disclosure by the governments. 

3. The personal information we so collect may be recorded in paper, electronic means (including but not limited to the information we collect via our self-service machine, website, online banking, mobile banking, telephone banking, WeChat official account, WeChat service account, WeChat mini-programs or other mobile device applications, email, SMS or other channels) or any other means.

4. In order to provide you with digital banking services, fulfil the Bank’s legal obligations and to ensure the safety of our digital banking services, you need to provide us, or allow us to collect the following information necessary for the purposes or functions described in below table as well as under Article III of this Policy, "How We Use Your Personal Information ":
Purposes or Functions: Registering digital banking service account
Information We Need to Collect:

Your name, mobile phone number, ID certificate type and number, bank card number, card issuance number (digits from 0 to 9) and password, telephone banking number, telephone banking password

If you hold a CAT II or CAT III account with us, you need to provide face feature information to register digital banking service account.

Purposes or Functions: Logging onto digital banking service account or retrieving logon password
Information We Need to Collect: Your username/logon name, security question and answer, any password, code, dynamic password, security code, verification code pre-set by you or created or sent via security device, mobile phone, email or other equipment or methods

Purposes or Functions: Maintaining proper and secure operation of digital banking services, preventing and controlling digital banking related risk
Information We Need to Collect:

Your device type, operating system, unique device identifier (Android ID, UUID, IMEI, MAC address), software version, IP address, internet service provider (ISP), device accelerators, gravity sensing devices, installed App information, network status, system settings and properties information. After you log in to the mobile banking application, we will also collect the GPS location of your device from you, in addition to the abovementioned information. You can manage location authorization in the function permission page of your device. Especially for Android phones with Google GMS (Google Mobile Services), you can set whether to enable Google basic services in the phone permission management to collect GPS location information.


Technical information that may not be used to identify an individual’s identity will not be treated as personal information. But if the information alone or in combination with other information may be used to identify your identity, we will treat it as your personal information and have it properly protected.

Purposes or Functions: Registration and use of telephone banking services
Information We Need to Collect: Your ID certificate number, date of birth, debit card number, credit card number, savings account number, debit card password, credit card inquiry password, text message authentication code, CVV2 code, telephone banking service number, telephone banking service password.

If you refuse to provide this information, you will not be able to register or log on to our digital banking service account or will not be able to use our regular digital banking services in a safe and normal way.

5. You may decide, at your free choice, to provide us, or allow us to collect from you the following personal biometrics recognition information or relevant verification results for the following purposes or functions described in below table as well as under Article III of this Policy, " How We Use Your Personal Information":
Purposes or Functions: Logon verification
Personal Biometrics Recognition Information or Relevant Verification Results We Collect:

To provide you with a safer and more convenient mobile banking logon service, you can choose to log on to mobile banking via fingerprint recognition. Users of some mobile device models can also choose to log on to mobile banking via facial (facial ID) recognition.

We will only receive equipment verification results and will not collect your original fingerprint or face image. You can choose to logon via password if you have no desire to logon via fingerprint or facial ID.

Purposes or Functions: Services requiring face verification functions
Personal Biometrics Recognition Information or Relevant Verification Results We Collect:

When you choose to use the following products or services in our digital banking channel, we will use face verification function to identify and verify your identity:

(1) Wealth Live Share Live Connect service;

(2) Apply for small business owner loan online;

(3) Modify Personal Information>Modify Mobile Phone Number, Modify Identity Information;

(4) Open CAT II/CAT III account online;

(5) Register/Unregister Mobile Phone Number, Adjust Default Account;

(6) Credit Card>Virtual Card Activation, Setup Enquiry Password, Enquiry CVV2.

For above item (1) (when you are using Wealth Live Share Live Connect service), we will only receive the results of whether the face verification is successful or not and will not collect your face information.

For above item (2) (when you are applying for small business owner loan online), we will collect your face image, send it to the China Ministry of Public Security system for your identity verification, receive and retain the verification results.

For above item (3) to (6), we will collect your face feature information but will not collect your face image. We may send your face information to online check system of citizens’ identity information co-established by the People’s Bank of China and the China Ministry of Public Security for your identity verification, receive and retain the verification results.

The above information is encrypted and may be retained in the back-end database of the Bank's system, subject to our data retention policy set out in Article IV of this Policy “How Do We Store Your Personal Information”. After the expiration of the retention period, we will delete or anonymize your personal biometrics recognition information.

You have the right to choose whether to provide your face information or not, but if you choose not to, we will not be able to provide you with certain online products or services which are subject to face verification according to the nature of business and/or risk management purpose. Alternatively, you may handle the relevant business/service other than small business owner loan online service at our branches.

6. You may decide, at your free choice, to provide us, or allow us to collect from you and your related parties the following information necessary for the following purposes or functions described in below table as well as under Article III of this Policy, " How We Use Your Personal Information ":
Purposes or Functions
Information We Collect
WeChat service account binding with digital banking service account

Your phone number, ID certificate type and number, and any one of the last 4 digits of your bank card number, the middle 6 digits of your bank account number or RMB Cat II/Cat Ⅲ account number, and your WeChat OPENID

WeChat logon
Your WeChat ID, WeChat name and profile photo, mobile phone number
Appointment to consultation
Your title, name, area code, mobile phone number, province, city, whether you own a personal account with HSBC or not
Functions based on geographic location such as finding the nearest branches and designated merchants (e.g. in bank card promotion campaign)
Your geographic location information
Important notice for cross border sales and marketing
Your GPS location and logon IP address
To purchase investment, or other financial products

(1) Your personal identity information, including name, gender, nationality, place of birth, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images),  tax resident status, residence address, contact information (including telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, job position, employer name and work address), marital status, information on family members, the relationship with the insured person;

(2) Your personal property information, including personal or family income status, personal or family expenditure status, personal or household liabilities, taxpayer identification number, non-resident tax-related information, real property, financial assets, investment, whether 6 months of emergency liquidity is reserved;

In case of cross-border wealth management connect, we may also collect your personal or family financial asset certificates, social security or tax payment records, and personal investment experience information;

(3) Your personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, account holdings;

(4) Your personal financial transaction information, including your transaction information retained in payment and settlement, investment or wealth management, safe box or other banking business, and your transaction information generated during your interaction with securities companies, fund companies, futures companies, payment institutions or other third-party institutions via us;

(5) Your personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience.

When you are using Wealth Live Share Live Connect service, we will use face verification function to verify your identity. We will only receive the results of whether the face verification is successful or not and will not collect your face information.

Foreign exchange settlement and foreign exchange Swap services

Your name, nationality, ID certificate information (including certificate type, number, date of expiry, issuing country/region), account number and name of financial account, purpose of foreign exchange settlement, and source of funds;


When providing the foreign exchange settlement, we may collect additional materials, including income document, your employer’s name and job position, school admission information (normally the admission notice), overseas spending supporting documents, proof of the status of dependant relationship and other relevant materials as required by the State Administration of Foreign Exchange.

Friends and Family Referral Programmes for opening banking account with the Bank

Referral’s name, gender, contact information, province/city where referral plans to open banking account, product or services the referral may be interested in

Appointment booking on WeChat for account opening
Your name, nationality, country/place of birth, country/place of residence, gender, mobile phone number, number/validity period/place of issuing of ID identity certificate, email address, occupation and salary information, tax resident status
Smart mobile on boarding
Your name (including former name and alias), gender, mobile phone number, certificate images, country/place of birth, residence address and the date of moving to the residence address,  mailing address, occupation information, tax resident status, tax payer identification number, email address, purpose of account opening, use plan of the account, source of funds
Transfer and remittance

Domestic/cross-border transfers and remittances:

(1) your name, account number, type/number of ID certificate, and mobile number;

(2) your payer’s information, including the payer's name, account number, type/number of payer’s ID certificate, bank information of the remitting account, amount and currency of the remittance, and purpose of remittance;

(3) your payee's information, including the payee’s name, bank information/account number of the beneficiary account, the currency of the beneficiary account (only applicable to cross-border payment transfer), the address of the payee, the amount and currency of the remittance, and the purpose of remittance.

For the international education payment, you also need to provide the information of the school or college where the student is studying, the beneficiary account designated by the  school or college, the student identity certificate number, the payment notice number, the purpose of remittance, and the email address; the documents required for foreign exchange payment beyond annual quota shall include: the ID certificate, payment notice, admission notice, passport, visa, household registration information (Hu Kou)/birth certificate (payment by the next of kin) of the person studying abroad;

When you preset the payees for domestic transfer and remittance, or make domestic transfer and remittance, we will collect your security code generated by security device as you input or your login password to verify your identity;

If you make a domestic transfer using the “mobile phone number payment” function, you need to provide the payee’s name, the payee’s mobile phone number and the name of the beneficiary bank, and complete identity verification by SMS OTP; if you log on to mobile banking using facial biometrics information or fingerprint biometrics information to complete identity verification, you need to use your mobile banking logon password for a further verification; if you receive money using the “mobile phone payment” function, you need to first set up the mobile phone number receiving function, and we need to obtain the bank name and account number set up with the same mobile phone number at another bank under your name and use your face feature information to verify your identity.

Application for credit card
Your name, gender, nationality, date of birth, ID certificate information (including: certificate type, number, date of expiry, issue country/region, certificate images), residence address, mobile phone number, email address, employment status (including: industry, occupation, job position, employer information and the work department, work address), working years, contact information (including: name, mobile phone number, telephone number (if any) and relationship), marital status, education level, after tax income
We may inquire your credit information and/or credit reports from the Basic Financial Credit Information Database and/or other legally established credit reference agencies. 
Inquiry of credit card application status

ID certificate number you provided at the time of application and the SMS verification code sent to your mobile phone number provided by you during your credit card application process

Activation of physical credit card

Credit card number, ID certificate type and number, date of birth, credit card expiration date, CVV2 and the SMS verification code sent to your mobile phone number provided by you during your credit card application process

Activation of virtual credit card and inquiry password setting

Your name, ID certificate type and number, date of birth, SMS verification code sent to your mobile phone number provided by you during your credit card application process, and your face feature information

Inquiry of virtual credit card information
Credit card inquiry password, SMS verification code sent to your mobile phone number provided by you during your credit card application process, and your face feature information
Credit card repayment, repayment setup and transaction inquiry

Credit Card Prompt Repayment: repayment account, repayment amount, bank card number of other banks;

Credit Card Bill Setup: Mail address, email address;

Credit card bill and transaction information (including the number and amounts of installments, transaction records and transaction vouchers); Credit card arrears information;

Information on the personalized installment of the credit card repayment.

CVP platform

Last four digits of the credit card number (for credit card cardholders) or last four digits of your ID certificate number (for debit card cardholders), your mobile phone number and SMS verification code;

The insurance claim information contained in the benefits entitled by you (including, if occurred, the report number, type of insurance, time, claim status, claim and settlement amount).

Redemption of reward points

Your name, mobile phone number, ID certificate number and address information, credit card number, credit card status and credit card rewards information;

We need to provide above information to third party vendor so as to deliver the goods you exchanged or purchased in the reward mall.

Co-branded credit card

In the case of co-branded credit card, in addition to the personal information related to the credit card services mentioned above, we will obtain your co-branded membership information from the partner for the purpose of enabling your card usage and your entitlement to relevant benefits and privileges.

Opening CAT II and CAT III account

Your ID certificate images, name (including the former name), gender, ID certificate number and date of expiry, issue country/region, age, date of birth, place of birth, nationality, mobile phone number, email address, residence address, country and region of tax authority, taxpayer identification number, employer and occupation information;

We need to obtain the card number of the debit card you applied for with other bank and the corresponding mobile phone number to verify your identity.

We or our third-party suppliers will collect and use your face feature information for identity verification purpose only with your consent.

Home loan mortgage application

(1) Your personally identity information, including your name, gender, nationality, ethic group, date of birth, ID  certificate  information (including certificate type, number, date of expiry , issue country/region and certificate images), residential address and date of moving to the residence address, contact information (including telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, job position, employer name and work address), working years, marital status, and educational background;

(2) Your personal property information, including your personal or family income status, personal or household liabilities and contingent liabilities, the net assets and the premises status of the individual or households, and the collateral;

(3) Your personal credit information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loan and other credit transaction information, contingent liabilities, litigation, investigation, punishment information and other information that can reflect your personal credit profile;

(4) Other information relevant to the determination of the eligibility for purchasing the premises, including the number of premises the family (includingthe applicant himself or herself, spouse and minors ) currently owns, real estate transaction information, social security information, qualification certificate, and property donation status;

(5) Personal information of my connected individuals, including information of my spouse, minors, joint applicants/borrowers (and their spouse), authorized representative, and the transferor of property.

Small business owner loan

(1) Personal identity information, including your name, gender, nationality, ethic group , ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), face image , date of birth, marital status, next of kin, household registration information (Hu  Kou), residence address and date of moving to the residence address, contact information (including telephone number, mobile phone number, email address, mailing address, registered residence address), employment status (including industry, occupation, job position, employer name and work address);

(2) Personal account information (if applicable), including your loan account number, bank card number, account type, account opening date, account opening institution, account balance, account transaction status;

(3) Personal property information, including your personal income status, liabilities and contingent liabilities, as well as net asset information;

(4) Personal credit information, we may inquire your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(5) The personal information of your connected individuals, including the account information of the payee designated by you in your capacity as the borrower, connected individuals’ personal information of your business partners;

(6) Information of invested companies (i.e. the companies supported by the small business owner loan applied by the borrower), including basic company profile information, shareholder information, management personnel information, dishonest record, registered capital, paid-in capital, business status, business scope, industry code, shareholder capital contribution, legal representative’s information, image of the company’s business license;

(7) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions or anti-money laundering checks.

For small business owner loans applied through our financing system, we additionally collect the following information about the authorized persons:

(1) Loan application information, application amount, number of instalments, interest rate, purpose of loan, consumption scenario, comprehensive cost;

(2) Loan repayment information, including repayment amount, repayment status, repayment date, and number of repayments instalments.

Enrolment in online or offline activities organized by us
Your name, area code, mobile phone number, province or area you are in, whether own personal account in HSBC or not
Improving service experience

Information you provided to us when you contact us for service enquiry, submit service request, raise your feedback, suggestion or complaint;


Information you provided in surveys to improve our service experience;
 

Meanwhile, to assure the service quality, we may record the service call content. We will provide necessary hint before recording to protect your right to be informed and the right of choice.

Providing marketing and event information

Information you provide to participate in our marketing campaigns, events or surveys.


Only after obtaining your consent or on your own request, we will then contact you, send you information about products and services information you may be interested in, invite you to participate in our events and surveys, or send you promotion information.


If at any time you would like to change your choice on this part, you can exercise your right of choice by referring to the relevant section 10 in Article VIII of this Policy “Your Rights Relating to Personal Information”.

Providing Personalized Contents

The information you provide when you open an account at our bank, buy our products, use our services, and participate in our marketing activities.


We will collect and analyse this information to provide you with more accurate, convenient and personalized content display or information push / sending services. If at any time you would like to change your choice on this part, you can exercise your right of choice by referring to the relevant section 8 in Article VIII of this Policy “Your Rights Relating to Personal Information”.

Uploading from Document Center
To certify your eligibility of purchasing the investment and insurance products, you need to upload documents as evidence, in which might include info like name, passport number, nationality, date of birth, gender, ID certificate number.
Apply to all above purpose or functions Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts, compliance with laws, regulations and regulatory requirements, proper and secure operation of banking business, or prevention  and controlling banking related risk , e.g. time/location (including geographic location and network address) of service use, correspondence or other communication records (including video or audio records, call log and correspondence records and contents).
6. You may decide, at your free choice, to provide us, or allow us to collect from you and your related parties, the following information necessary for the purposes or functions described in the table below as well as under Article III of this Policy, "How We Use Your Personal Information":
Purposes or Functions
WeChat service account binding with digital banking service account
Information We Collect

Your phone number, ID certificate type and number, and any one of the last 4 digits of your bank card number, the middle 6 digits of your bank account number or RMB Cat II/Cat Ⅲ account number, and your WeChat OPENID

Purposes or Functions
WeChat logon
Information We Collect
Your WeChat ID, WeChat name and profile photo, mobile phone number
Purposes or Functions
Appointment to consultation
Information We Collect
Your title, name, area code, mobile phone number, province, city, whether you own a personal account in HSBC or not
Purposes or Functions
Functions based on geographic location such as finding the nearest branches and designated merchants (e.g. in bank card promotion campaign)
Information We Collect
Your geographic location information
Purposes or Functions
Important notice for cross border sales and marketing
Information We Collect
Your GPS location and logon IP address
Purposes or Functions
To purchase investment, or other financial products
Information We Collect

(1) Your personal identity information, including name, gender, nationality, place of birth, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), tax resident status, residence address, contact information (including telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, job position, employer name and work address), marital status, information on family members, the relationship with the insured person;

(2) Your personal property information, including personal or family income status, personal or family expenditure status, personal or household liabilities, taxpayer identification number, non-resident tax-related information, real property, financial assets, investment, whether 6 months of emergency liquidity is reserved;

In case of cross-border wealth management connect, we may also collect your personal or family financial asset certificates, social security or tax payment records, and personal investment experience information;

(3) Your personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, account holdings;

(4) Your personal financial transaction information, including your transaction information retained in payment and settlement, investment or wealth management, safe box or other banking business, and your transaction information generated during your interaction with securities companies, fund companies, futures companies, payment institutions or other third-party institutions via us;

(5) Your personal transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience.

When you are using Wealth Live Share Live Connect service, we will use face verification function to verify your identity. We will only receive the results of whether the face verification is successful or not and will not collect your face information.

Purposes or Functions
Foreign exchange settlement and foreign exchange Swap services
Information We Collect

Your name, nationality, ID certificate information (including certificate type, number, date of expiry, issuing country/region), account number and name of financial account, purpose of foreign exchange settlement, and source of funds;


When providing the foreign exchange settlement, we may collect additional materials, including income document, your employer’s name and job position, school admission information (normally the admission notice), overseas spending supporting documents, proof of the status of dependant relationship and other relevant materials as required by the State Administration of Foreign Exchange.

Purposes or Functions
Friends and Family Referral Programmes for opening banking account with the Bank
Information We Collect

Referral’s name, gender, contact information, province/city where referral plans to open banking account, product or services the referral may be interested in

Purposes or Functions
Appointment booking on WeChat for account opening
Information We Collect
Your name, nationality, country/place of birth, country/place of residence, gender, mobile phone number, number/validity period/place of issuing of ID identity certificate, email address, occupation and salary information, tax resident status
Purposes or Functions
Smart mobile on boarding
Information We Collect
Your name (including former name and alias), gender, mobile phone number, certificate images, country/place of birth, residence address and the date of moving to the residence address, mailing address, occupation information, tax resident status, taxpayer identification number, email address, purpose of account opening, use plan of the account, source of funds
Purposes or Functions
Transfer and remittance
Information We Collect

Domestic/cross-border transfers and remittances:

(1) your name, account number, type/number of ID certificate, and mobile number;

(2) your payer’s information, including the payer's name, account number, type/number of payer’s ID certificate, bank information of the remitting account, amount and currency of the remittance, and purpose of remittance;

(3) your payee's information, including the payee’s name, bank information/account number of the beneficiary account, the currency of the beneficiary account (only applicable to cross-border payment transfer), the address of the payee, the amount and currency of the remittance, and the purpose of remittance.

For the international education payment, you also need to provide the information of the school or college where the student is studying, the beneficiary account designated by the school or college, the student identity certificate number, the payment notice number, the purpose of remittance, and the email address; the documents required for foreign exchange payment beyond annual quota shall include: the ID certificate, payment notice, admission notice, passport, visa, household registration information (Hu Kou)/birth certificate (payment by the next of kin) of the person studying abroad;

When you preset the payees for domestic transfer and remittance, or make domestic transfer and remittance, we will collect your security code generated by security device as you input or your login password to verify your identity;

If you make a domestic transfer by the “mobile phone number payment” function, you need to provide the payee’s name, the payee’s mobile phone number and the name of the beneficiary bank, and to complete identity verification by SMS OTP; if you log on to mobile banking by using facial biometrics information or fingerprint biometrics information to complete identity verification, you need to use your mobile banking logon password for a further verification; if you receive money by using the “mobile phone payment” function, you need to first set up the mobile phone number receiving function, and we need to obtain the bank name and account number set up by the same mobile phone number in another bank under your name and use your face feature information to verify your identity.

Purposes or Functions
Application for credit card
Information We Collect
Your name, gender, nationality, date of birth, ID certificate information (including: certificate type, number, date of expiry, issue country/region, certificate images), residence address, mobile phone number, email address, employment status (including: industry, occupation, job position, employer information and the work department, work address), working years, contact information (including: name, mobile phone number, telephone number (if any) and relationship), marital status, education level, after tax income
We may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database and/or other legally established credit reference agencies.
Purposes or Functions
Inquiry of credit card application status
Information We Collect

ID certificate number you provided at the time of application and the SMS verification code sent to your mobile phone number provided by you during your credit card application process

Purposes or Functions
Activation of physical credit card
Information We Collect

Credit card number, ID certificate type and number, date of birth, credit card expiration date, CVV2 and the SMS verification code sent to your mobile phone number provided by you during your credit card application process

Purposes or Functions
Activation of virtual credit card and inquiry password setting
Information We Collect

Your name, ID certificate type and number, date of birth, SMS verification code sent to your mobile phone number provided by you during your credit card application process, and your face feature information

Purposes or Functions
Inquiry of virtual credit card information
Information We Collect
Credit card inquiry password, SMS verification code sent to your mobile phone number provided by you during your credit card application process, and your face feature information
Purposes or Functions
Credit card repayment, repayment setup and transaction inquiry
Information We Collect

Credit Card Prompt Repayment: repayment account, repayment amount, bank card number of other banks;

Credit Card Bill Setup: Mail address, email address;

Credit card bill and transaction information (including the number and amounts of installments, transaction records and transaction vouchers); Credit card arrears information;

Information on the personalized installment of the credit card repayment.

Purposes or Functions
CVP platform
Information We Collect

Last four digits of the credit card number (for credit card cardholders) or last four digits of your ID certificate number (for debit card cardholders), your mobile phone number and SMS verification code;

The insurance claim information contained in the benefits entitled by you (including, if occurred, the report number, type of insurance, time, claim status, claim and settlement amount).

Purposes or Functions
Redemption of reward points
Information We Collect

Your name, mobile phone number, ID certificate number and address information, credit card number, credit card status and credit card rewards information;

We need to provide above information to third party vendor so as to deliver the goods you exchanged or purchased in the reward mall.

Purposes or Functions
Co-branded credit card
Information We Collect

In the case of co-branded credit card, in addition to the personal information related to the credit card services mentioned above, we will obtain your co-branded membership information from the partner for the purpose of enabling your card usage and your entitlement to relevant benefits and privileges.

Purposes or Functions
Opening CAT II and CAT III account
Information We Collect

Your ID certificate images, name (including the former name), gender, ID certificate number and date of expiry, issue country/region, age, date of birth, place of birth, nationality, mobile phone number, email address, residence address, country and region of tax authority, taxpayer identification number, employer and occupation information;

We need to obtain the card number of the debit card you applied for with other bank and the corresponding mobile phone number to verify your identity.

We or our third-party suppliers will collect and use your face feature information for identity verification purpose only with your consent.

Purposes or Functions
Home loan mortgage application
Information We Collect

(1) Your personal identity information, including your name, gender, nationality, ethnic group, date of birth, ID certificate information (including certificate type, number, date of expiry, issue country/region and certificate images), residential address and date of moving to the residence address, contact information (including telephone number, mobile phone number, email address, mailing address), employment status (including industry, occupation, job position, employer name and work address), working years, marital status, and educational background;

(2) Your personal property information, including your personal or family income status, personal or household liabilities and contingent liabilities, the net assets and the premises status of the individual or households, and the collateral;

(3) Your personal credit information, we may inquire about your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loan and other credit transaction information, contingent liabilities, litigation, investigation, punishment information and other information that can reflect your personal credit profile;

(4) Other information relevant to the determination of the eligibility for purchasing the premises, including the number of premises the family (including the applicant himself or herself, spouse and minors) currently owns, real estate transaction information, social security information, qualification certificate, and property donation status;

(5) Personal information of your connected individuals, including information of your spouse, minors, joint applicants/borrowers (and their spouse), authorized representative, and the transferor of property.

Purposes or Functions
Small business owner loan
Information We Collect

(1) Personal identity information, including your name, gender, nationality, ethnic group, ID certificate information (including certificate type, number, date of expiry, issue country/region, certificate images), face image, date of birth, marital status, next of kin, household registration information (Hu Kou), residence address and date of moving to the residence address, contact information (including telephone number, mobile phone number, email address, mailing address, registered residence address), employment status (including industry, occupation, job position, employer name and work address);

(2) Personal account information (if applicable), including your loan account number, bank card number, account type, account opening date, account opening institution, account balance, account transaction status;

(3) Personal property information, including your personal income status, liabilities and contingent liabilities, as well as net asset information;

(4) Personal credit information, we may inquire your credit information and/or credit reports from the Basic Financial Credit Information Database, public sources and other legally established credit reference agencies, including your credit card, loans, and other credit transaction information, contingent liabilities, litigation, investigation, punishment information, and other information that reflects your personal credit profile;

(5) The personal information of your connected individuals, including the account information of the payee designated by you in your capacity as the borrower, connected individuals’ personal information of your business partners;

(6) Information of invested companies (i.e. the companies supported by the small business owner loan applied by the borrower), including basic company profile information, shareholder information, management personnel information, dishonest record, registered capital, paid-in capital, business status, business scope, industry code, shareholder capital contribution, legal representative’s information, image of the company’s business license;

(7) Other personal information arising from customer investigation, including personal information collected during customer due diligence, sanctions or anti-money laundering checks.

For small business owner loans applied through our financing system, we additionally collect the following information about the authorized persons:

(1) Loan application information, application amount, number of instalments, interest rate, purpose of loan, consumption scenario, comprehensive cost;

(2) Loan repayment information, including repayment amount, repayment status, repayment date, and number of repayment instalments.

Purposes or Functions
Enrolment in online or offline activities organized by us
Information We Collect
Your name, area code, mobile phone number, province or area you are in, whether you own a personal account in HSBC or not
Purposes or Functions
Improving service experience
Information We Collect

Information you provided to us when you contact us for service enquiry, submit service request, raise your feedback, suggestion or complaint;


Information you provided in surveys to improve our service experience;
 

Meanwhile, to assure the service quality, we may record the service call content. We will give you the necessary notice before recording to protect your right to be informed and your right of choice.

Purposes or Functions
Providing marketing and event information
Information We Collect

Information you provide to participate in our marketing campaigns, events or surveys.


Only after obtaining your consent or at your own request will we contact you, send you information about products and services you may be interested in, invite you to participate in our events and surveys, or send you promotion information.


If at any time you would like to change your choice on this part, you can exercise your right of choice by referring to the relevant section 10 in Article VIII of this Policy “Your Rights Relating to Personal Information”.

Purposes or Functions
Providing Personalized Contents
Information We Collect

The information you provide when you open an account at our bank, buy our products, use our services, and participate in our marketing activities.


We will collect and analyse this information to provide you with more accurate, convenient and personalized content display or information push / sending services. If at any time you would like to change your choice on this part, you can exercise your right of choice by referring to the relevant section 8 in Article VIII of this Policy “Your Rights Relating to Personal Information”.

Purposes or Functions
Uploading from Document Center
Information We Collect
To certify your eligibility to purchase the investment and insurance products, you need to upload documents as evidence, which might include information such as name, passport number, nationality, date of birth, gender, ID certificate number.
Purposes or Functions
Applicable to all of the above purposes or functions
Information We Collect
Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts, compliance with laws, regulations and regulatory requirements, proper and secure operation of banking business, or prevention and control of banking-related risk, e.g. time/location (including geographic location and network address) of service use, correspondence or other communication records (including video or audio records, call log and correspondence records and contents).

If you refuse to provide the above information, you are not able to use or enjoy the relevant functions, but your use of other functions of our digital banking will not be adversely affected.

7. Our mobile banking applications may also request your permission for the following system functions relating to personal information, and will collect and use the information for the permitted functions based on your permission:
Item: Permitted Functions
  • Fingerprint logon: Identity recognition, logon, and verification using fingerprint(s)
  • Face ID: Log on to mobile banking via facial recognition on some types of device
  • Camera: QR code payment, upload of application materials for loan and other business/service, facial recognition, bank card identification, ID certificate identification
  • Photos: Upload of profile photo, upload of application materials for loan and other business/service, electronic receipt storage, QR code scanning, bank card and ID certificate identification
  • Location: To improve the information accuracy for retailers with credit card offers and to enhance marketing messages for customers who are currently located outside of mainland China, including information on account opening, loans, insurance and more, and the risk control of fraud after the mobile bank logs in.
  • Microphone: Voice input, voice verification and recognition services
  • Contacts: Fund transfer via mobile phone number, friends and family referral. We only obtain the contact information you select from your contacts and transmit it in encrypted form to prevent malicious interception.
  • Message: SMS notification service
  • Notifications: Push messages with alerts, sounds and icon tags
  • Memory (applicable to Android system): Upload of profile photo, upload of application materials for loan and other business/service, electronic receipt storage, QR code scanning, bank card and ID certificate identification
  • Device Information (for Android OS): To maintain proper and secure operation of digital banking services, prevent and control fraud risk, it is necessary to read device call status and identifier.
  • Retrieving currently running applications (for Android OS): For message push
  • Network Access (for iOS): For accessing the network

For those functions that need your permission, you may, at your free choice, decide whether to additionally grant the permission for the said functions on mobile banking applications. If you refuse to grant permission for a specific function, you are not able to use that specific function, but your use of other functions in our mobile banking will not be adversely affected.

8. When you use our mobile banking service, under certain particular scenarios, we will use the software service toolkit provided by a third party (“SDK”). To provide the service to you, such third-party SDK will collect your information. For details, please refer to Annex I.

If you do not agree to the SDK service providers listed under Annex I collecting your information, you may not be able to access these services, but you can still access other functionality or services on digital banking.

9. Please understand that the digital banking services we provide to you are constantly evolving. If you choose to use any other services not listed above for which we have to collect your information, we will separately explain to you the purposes, methods and scope of personal information we collect, through reminders on pages, interaction with you, agreements entered into with you or other appropriate method, and obtain your consent for that if legally required. We will use, store, disclose and protect your information in accordance with this Policy and other agreements (if any) between you and us. If you choose not to provide certain information, you may be unable to use certain or part of the service, but your use of our other services will not be affected.

III. How We Use Your Personal Information

1. We will use your information in the following circumstances:

(1)  To realize the purposes and functions mentioned in above Article II of this Policy “How We Collect Your Personal Information”; to contact you, or to approve, process, manage, execute or effect your application or instruction for transactions;

(2)  To ensure safe and stable financial services, we will use your information for identity verification, safety precaution, fraud detection, prevention or prohibition of illegal or incompliant activities, control or reduction of risks, recording or filing purposes;

(3)  To comply with the applicable laws and regulations or discharge of legal duties; to report to relevant regulators or other authorities according to laws, regulations or regulatory requirements;

(4)  To maintain and improve digital banking service or any function thereof, develop new service or function (if use of your personal information in the new service or function goes beyond your consent, we will obtain your additional consent before we use your information for such new service or function);

(5)  Subject to your authorization, to promote the Bank’s other products and services and to recommend to you the products or services that may interest you;

(6)  To make statistics and analysis of the use of our business, products, services or functions; we may share such statistics with the public or third parties to present the overall trend of relevant business, products, services or functions. But such statistics will not contain any of your personally identifiable information.

2. The above content related to information collection and use in this Policy shall not impact our use of your information for the purposes as otherwise agreed between you and us separately.

3. If we use your personal information for the purposes other than the purposes as set forth in this Policy or in other agreement between you and us, we shall let you know how we use this information and obtain your consent before using your personal information for such additional purposes as per applicable laws and regulations.

IV. How We Store Your Personal Information

In principle, the personal information we collect and generate within the territory of the People's Republic of China will be stored in the territory of the People's Republic of China. Since we provide products or services through resources and servers across the world, your personal information may, to the extent permitted by authorities and applicable laws and regulations, be transferred to and/or stored in foreign jurisdictions or be accessed from these jurisdictions. If we transfer your personal information overseas, we will comply with applicable laws and regulations related to cross border data sharing. Whether it is processed domestically or overseas, in accordance with applicable data protection legislation, your personal information will be protected by a strict code of secrecy and security to which the Bank, other members of the HSBC Group, their staff and third parties are subject.

We comply with applicable laws and regulations on data storage and store your information for the minimum period necessary to fulfill the purposes of information collection. In this regard, we have data retention policies, under which the actual data retention period is defined accordingly as per the specific business scenario and business nature. After the retention period expires under relevant data retention policy, we will destroy, delete or anonymize relevant information, or where the destruction, deletion or anonymization is not technically possible, store your personal information securely and separate it from other data processing. The exception is when the information needs to be retained according to applicable laws and regulations, regulatory, archival, accounting, auditing or reporting requirements, special agreement between you and us, or for settlement of indebtedness between you and us, or for record check or enquiry from you or authorities.

V. How We Share, Transfer and Publicly Disclose Your Personal Information

1. Entrusted Processing and Sharing

For the purposes set out above in this Policy, we may share all or part of your personal information with the following recipients or entrust them to carry out entrusted processing activities under the preconditions that such sharing or entrusted processing is necessary and is made with proper protective measures (please refer to Article I of this Policy “How We Protect Your Personal Information” for details) and the recipients may also, for the aforesaid purposes, use, process or further disclose the information they receive provided that corresponding protective measures are adopted pursuant to the applicable laws or our requirements:

(1) any member of the HSBC Group;

(2) any contractor, subcontractor, agent, third party product or service provider (for example, the third-party entrusted by the HSBC Group for the debt collection service), licensor, professional consultant, business partner, or associated person of the HSBC Group (including their employees, directors and officers);

(3)  any regulator of the Bank or any member of the HSBC Group or any other authority, or any organisation or individual designated by such regulators or authorities;

(4) anyone acting on your behalf according to your authorisation or according to law, payment recipients, beneficiaries, account agents, correspondent and agent banks (e.g. those for CHAPS, BACS, CNAPS and SWIFT), clearing houses, clearing or settlement systems, or anyone making any payment to you;

(5) any person or related party who has the right or obligation, acquires an interest or assumes risk, in or in connection with any product or service you receive from the Bank, or any business you handle at the Bank or any transaction you make with the Bank (for example, the person who provides or intends to provide any mortgage or other security for any of your debt to the Bank, or the beneficiary of the insurance product that the Bank distributes to you);

(6) other financial institutions, industrial associations, bank card organisations, credit rating agencies, credit reference agencies (including without limitation, the Basic Financial Credit Information Database) or information service providers;

(7) any third-party fund manager providing you with asset management services through us;

(8) any third party to whom we provide referral, agency or intermediary service; and

(9) any party in connection with any business/asset transfer, restructuring, disposal, merger, spin-off or acquisition transactions of the Bank. 

Subject to applicable laws and regulations, we will notify you (if legally required) of the data sharing with the third parties, including the data recipient’s name, contact information, purpose of processing, method of processing and the type of personal information. We will give you such notification via one or several ways, such as the "List of Personal Information Shared with the Third Parties for Personal Digital Banking Services", product introduction or application page, terms and conditions or during the process of correlated activities. If legally required, we will also obtain your separate consent for said data sharing.

In case of cross border personal data sharing, we will also conclude a data protection agreement with the offshore personal information recipient, and if required, in the format of standard data protection clause issued by Cyberspace Administration of China as well as specify your relevant personal information subject’s right in your capacity as a third party beneficiary under said agreement pursuant to applicable laws and regulations, for example the manner and method of exercising your right towards the offshore personal information recipient. If you want to know more details about aforesaid data protection agreement, you may contact us to raise such request via the method listed in Article IX of this Policy “How to Contact Us”.

2. Transfer

Without your separate consent, we will not transfer your personal information to any other company, organization or individual, except in the case of business/asset transfer, restructuring, disposal, merger, spin-off or acquisition transactions where the transfer is necessary. In such cases, we will inform you of the identity and contact method of the personal information recipient as per applicable laws and regulations as well as to request said recipient to protect your personal information in accordance with the law. If the personal information recipient changes the purposes and methods of personal information processing activities under this Policy, it shall re-obtain the consent from you.

3. Public Disclosure

We will not disclose your personal information to the public unless we have your separate consent or we are mandatorily required to do so as per applicable laws and regulations, judicial or legal proceedings, or mandatory administrative enforcement by the authorities.

VI. Special Circumstances for Information Processing

We will process your personal information (such as information collection, storage, use, analysis, transfer, provision, disclosure) based on your consent. To the extent allowed by laws and regulations, we may process your personal information without your consent under the following circumstances:

1. where it is necessary for entering into a contract or the performance of a contract to which you are the party;

2. where it is necessary for compliance with a legal obligation to which we are subject;

3. where it is necessary in order to protect your or others’ vital interests related to life and property in an emergency or respond to public health emergencies;

4. where it is within reasonable limits in order to carry out news coverage or media supervision for the public interest;

5. where it is within reasonable range according to law to process the information which has been legally made public or publicized by yourself; or

6. other circumstances stipulated by laws and regulations.

VII. How We Use Cookies and Similar Technologies

1. Your visits to, browsing of and use of any of our websites or digital banking service-related applications may be recorded for analysis on the number of visitors to the site and/or applications, general use patterns and your personal use patterns and improving your experience. Some of this information will be gathered through the use of Cookies and similar technologies. Such technologies can enable our website or applications to recognise your device and store information about your use of website and/or applications so as to provide continuous services to you and to tailor the content of our website/applications to suit your interests and, where permitted by you, to provide you with promotional materials based on your use patterns. We will be able to access the information stored on the Cookies and similar technologies for the aforesaid purposes.

The information collected by Cookies is anonymously aggregated data, and contains no personal information such as name, address, telephone number, email etc.

2. Most local terminals are initially set to accept Cookies. You can manage or disable Cookies based on your own preference. Should you wish to disable the Cookies, you may do so by changing the setting on your local terminals. However, after changing the setting you may not be able to enjoy the convenience that Cookies bring, but your normal use of other functions of the local terminals will not be affected. 

VIII. Your Rights Relating to Personal Information

1. You have the right to request us to protect and secure your personal information in accordance with the laws, regulations and this Policy. You have the right to exercise the rights of an individual granted by applicable laws and regulations.

2. Right of access to data/copies of data: you have the right to check with us whether we hold your personal information, to access and copy your personal information. You can log in to our mobile banking application and go to the Me > Personal Information page to see your basic profile. You can also inquire or make a request to copy your personal information, including obtaining a copy of your personal information, through the methods listed in "9. How to Contact Us" in this policy.

3. Right to rectification of errors: you have the right and obligation to update your personal information with us to ensure that all the information is accurate and up to date. You have the right to request us to provide convenience for you to update your personal information with us and to correct any of your information that is inaccurate. You can log in to our mobile banking application and go to Me > Personal Information, or you can log in to our online banking and click on your name > Update Personal Information and Contact Information in the upper right corner to update your personal information such as email, home phone number, fax number, mobile phone number, corporate phone number, corporate fax number, occupation information and mailing address.

4. Right to data portability: You have the right to request us to transfer the personal information you have provided to us to a third party designated by you. However, this right can only be exercised in specific circumstances as stipulated by Chinese law.

5. Right to change the scope of authorization or withdraw your consent: you have the right to change the scope of your authorized consent and to withdraw your consent. Please note the withdrawal of consent will not affect the lawfulness of processing based on consent given by you before its withdrawal. Specifically, you can change your choice related to "marketing preferences" through our mobile banking application and/or, our WeChat mini programs; turn on/off geographic location permissions, photo album permissions, camera permissions, fingerprint permissions etc., through "Settings->HSBC Mobile Banking" on your mobile device to change or withdraw your device's functional permissions to us.

6. Right to deletion: you have the right to request us to delete or otherwise properly dispose of your personal information that is beyond retention period in accordance with applicable laws and regulations, this Policy and other agreement between you and us. You can raise such request via the method described in Article IX of this Policy “How to Contact Us”. If we cease our operation, we will stop collecting any personal data from you in a timely manner, delete or anonymize all your personal information, and inform you of such operation cessation via courier or public announcement, except as otherwise provided by laws and regulations or authorities or where the personal data deletion is technically not possible.

7. Right to cease online banking service: you have the right to uninstall digital banking service related applications. Please note that uninstalling the applications will not cease your online banking service. You have the right to cease your online banking service (by closing all your bank accounts or raising request of de-registering online banking service, for the sake of account safety we advise you to visit our branches or sub-branches in person for such closure) and request deletion of your personal information in accordance with the applicable laws and regulations, this Policy, and other agreement between you and us. You can raise deregistration request of online banking service through Mobile Bank channel - Online Customer Service or contact our customer service hotline to raise the request. You can also raise the request by visiting our branches or sub-branches in person, and you need to provide ID certificate, personal online banking change/closing form for such deregistration purpose. It will take us three to five working days to handle your request and close your account. After you cease your online banking service, we will no longer collect your information through relevant channel. We will store and delete your personal information pursuant to Article IV of this Policy “How We Store Your Personal Information”.

8. Automated decision-making related: you have the option of using the “personalized recommendation” feature. The “personalized recommendation” feature is designed to enhance your experience and recommend contents for more relevant information based on your personal characteristics and preferences, data analysis or automated decision making. You have the right to decide and manage how to set up this feature. If you want to turn this feature on or off, you can use our mobile banking application Me > Settings & Preferences; or HSBC China WeChat Mini programs > Help and Tools, to find the “Personalization and Marketing Preferences” menu, and make your adjustment on “Personalized Content” page and the “Marketing Preferences” page – “Personalized Marketing Information” section. Among them, the switch of the "Personalized Content" page is used to control whether the products and marketing information displayed to you on our electronic channels use the "Personalized Recommendation" function. If you turn off the switch, we will display general products and marketing information not based on your personal characteristics. The “Marketing Preferences” page – “Personalized Marketing Information” section controls whether the “Personalized Recommendation” feature is used by the Bank when proactively pushing products and marketing information to you by phone, text message, email, etc. Turning off this switch will not affect your access to that type of push information, but the push you receive will be general product and marketing information that is not based on your personal characteristics.

On some occasions, we may make decisions only on the basis of automated decision-making mechanisms without human intervention such as information systems and algorithms. If these decisions significantly affect your legitimate rights and interests, you have the right to request an explanation from us and to ask for a decision to be made by a person instead of automated decision-making mechanisms.

9. Personal credit related: in cases related to personal credit, you have the right to request to be informed of your personal information that is disclosed to credit reference agencies by us, so as to enable your request to the relevant credit reference agencies for access to and correction of your information.

10. Marketing information related: unless we have your prior consent, we will not send you advertisement promotion message. If at any time you would like us to cease using or providing to others your personal information for advertisement promotion purpose, you are entitled to notify us and exercise your right of choice, not to receive such advertisement promotion anymore. If you so choose to reject advertisement promotion message, or you wish to adjust your channels of communication for receiving marketing information, you can access My > Settings and Preferences at our mobile banking application, or Help & Tools in the HSBC China WeChat mini programs, to the “Personalized and Marketing Preferences” menu, to self-adjust on the “Marketing Preferences” page, or you can also call 95366 to contact our Customer Service Center to adjust for you.

11. Responding to your request: in addition to the above-mentioned ways of exercising your rights, you may also make your request in the manner listed in Article IX of this Policy "How to Contact Us".

For security purpose, you may need to raise your request in written form or use other methods to prove your identity. We may request you to verify your identity before processing your request. We will complete the verification and processing within 15 working days upon receipt of your request or within a shorter period of time as prescribed by laws and regulations (if any).

We will not charge fees for the processing of your above-mentioned reasonable requests for checking, correcting or otherwise disposing of your personal information. 

Notwithstanding the foregoing, we may reject your request if it is illegal, noncompliant or unnecessarily repeated, needs excessive technical means (for example, the need to develop information systems or fundamentally change current practices), brings risks to the legitimate rights and interests of others, is unreasonable or technically impracticable. 

We may not be able to respond to your request under any of the following circumstances: 

(1) where the request is in relation to our legal and financial compliance obligation under laws and regulations;

(2) where the request is in direct relation to state security or national defence security;

(3) where the request is in direct relation to public security, public sanitation, or major public interests;

(4) where the request is in direct relation to criminal investigations, prosecutions, trials, execution of rulings, etc.;

(5) where there is sufficient evidence that you are intentionally malicious or abuse your rights;

(6) where the purpose is to protect you or other individual’s life, property and other substantial legal interests but difficult to acquire your consent;

(7) where responses to your request will give rise to serious damage to your or any other individual or organisation’s legal rights and interests; or

(8) where the request involves any trade secret.

IX. How to Contact Us

Requests for a copy of this Policy, or enquiries about our practices regarding personal information and privacy protection, as well as exercising other rights you are granted by laws and regulations can be raised via Contact HSBC and/or addressed to:

Data Privacy Officer (DPO)

HSBC Bank (China) Company Limited

36/F HSBC Building, Shanghai IFC, 8 Century Avenue, Pudong, Shanghai, 200120

E-mail: hsbcaoc@hsbc.com.cn

Tel: +86 95366 (24-hour, Mon-Sun)

Unless otherwise specified in other sections of this Policy, we will normally respond to you within 15 working days upon receipt of your questions, complaints, feedback, opinions or suggestions or within a shorter period of time as prescribed by laws or regulations (if any). Same as above, we may require you to verify your identity before processing your request and may under certain circumstances be unable to respond to your request (see Article VIII Section 11 of this Policy regarding the identity verification process and the exceptional circumstances that cannot be responded to).

You may supervise or make suggestions for our practices regarding personal information and privacy protection, and lodge complaints or file a lawsuit with the competent Chinese court according to law against us or our staff for any infringement of your rights and interests in your personal information and privacy. 

You may contact us through the contact information listed in this Policy, by calling our hotline or visiting our branches or sub-branches. You may also visit our official website www.hsbc.com.cn or WeChat service account “汇丰中国客户服务” (WeChat ID: HSBCeBanking) to enquire about the nearby branches or sub-branches, or other contact information of ours suitable for you.

X. Protection of Minors' Personal Information

1. We pay particular attention to protection of the minors’ personal information. We have no intention to collect any minors’ personal information, unless it is agreed by their parents or guardians and it is necessary for the products or services offered to the minors (for example, the minors may be the holders of the junior account offered by us, the holders of supplementary card of certain credit cards issued by us, the beneficiaries of the insurance products that we distribute, the heirs of our customers, etc.).

2. If you are under the age of 18 (including children under the age of 14), it is suggested that your parents or guardians should carefully read this Policy and any of your personal information should be provided only after seeking consent from them. Meanwhile, it is suggested that your use of our products and services should be under the guidance of your parents or guardians. If they do not agree to you providing your personal information or using any of our products or services, you should immediately stop providing the information or stop using our products and services. Please notify us of such event as soon as possible, so as to allow us to take appropriate measures accordingly.

3. If you are under the age of 18 (including children under the age of 14), for those personal information we collect with the consent of your parents or guardians, we will only use or disclose such information to the extent allowed by applicable laws and regulations or expressly consented by your parents or guardians or necessary for protection of the minors’ interests.

XI. Formulation, Effectiveness, Update of this Policy and Others

1. The Policy is made by us and published at our digital banking service related websites or applications and takes effect on the effective date as indicated at the beginning of this Policy. The Policy may be amended or updated from time to time, particularly in the events of major changes as follows:

(1) Major changes in our service model, such as changes in the purpose of processing personal information, changes in the types of personal information being processed, the use methods of personal information, etc.;

(2) Major changes in our ownership structure, organisational structure, etc., such as changes as result of business adjustments, bankruptcy, mergers, etc.;

(3) Changes in the main objects of personal information sharing, transfer or public disclosure;

(4) Significant changes in your rights relating to personal information or in the methods to exercise such rights;

(5) Changes of our contacts for personal information related requests/enquiries, changes of our contacts for complaint or feedback;

(6) Other major changes which may significantly impact your interests in personal information.

We will post the changes to the Policy or the updated Policy through push notifications, pop-ups, announcements etc., on our digital banking service related websites and/or applications to keep you up to date on this Policy. Changes to the Policy shall not diminish or limit the rights you should have as a Personal Information Subject under applicable laws and regulations.

You can access the Policy via “Me – General – Legal Terms – Privacy and Security” in the HSBC Mobile Banking App or via “My HSBC – Help and Tools – Privacy Policy” in the HSBC WeChat service account “汇丰中国客户服务”. You shall pay attention to the changes of relevant announcements, reminders, agreements, rules, and so on from time to time. You acknowledge and confirm that if you do not agree to the updated content, you shall immediately cease the use of the relevant service and cancel the relevant account, and in this case, we will cease the collection of your relevant personal information. If you continue to use our digital banking service after this Policy amendment, it will be treated that you have fully read, understood and accepted this Policy amendment and agreed with us to collect, use, store and share your relevant information in accordance with the updated Policy.

2. Where you provide to us personal information about another person, you should ensure that person acknowledges this Policy and, in particular, tell him/her how we may collect and use his/her personal information and obtain the consent/authorization of such person. You should remind that person to read this Policy in advance and may also give him/her a copy of this Policy.

3. In case of discrepancy between the Chinese and English versions of this Policy, the Chinese version shall apply and prevail.

Annex I   List of Third-Party SDK
SDK Name / Third-party Agency Name / Business Scene / SDK User Information / Usage Purpose

Gaode Positioning SDK
  • Third-party Agency Name: Gaode Software Co., Ltd
  • Business Scene: Branch networks near you
  • SDK User Information: Store permissions, device unique identifiers, latitude and longitude information, hardware serial number, IP address, MAC address, precise location information, Android ID, Wi-Fi list, SSID, BSSID, sensor information (vector, acceleration, pressure)
  • Usage Purpose: Location functions

Mobile Push TPNS SDK
  • Third-party Agency Name: Shenzhen Tencent Computer System Co., Ltd
  • Business Scene: Pushing service notification on mobile terminal devices
  • SDK User Information: Device vendor, system language, mobile phone model, network type and status notification bar status, running App process, installed application information, contents of SD card
  • Usage Purpose: Performing message push

TPNS SDK contains the VIVO Push SDK
  • Third-party Agency Name: Vivo Mobile Communications Co., Ltd
  • Business Scene: When using VIVO vendor push (VIVO vendor push not enabled for this App)
  • SDK User Information: Device identification information (IMEI, EmmCID, UFSID, GUID, GAID, OPENID, VAID, OAID, RegID, encrypted Android ID), application software information using push services (App package name, version number, App ID, installation, uninstall, recovery from factory settings, running status), device manufacturer, network type, country code, device type, timestamp for message creation/delivery and click, message content, push SDK version number, device model, operating system version, current network type, message sending result, notification bar status (e.g. notification bar permissions, user click behavior), lock screen status (e.g. lock screen notification, whether lock screen notification is allowed)
  • Usage Purpose: Improving message arrival rate

TPNS SDK contains the OPPO Push SDK
  • Third-party Agency Name: Guangdong Huantai Technology Co., Ltd.
  • Business Scene: When using OPPO vendor push (OPPO vendor push not enabled for this App)
  • SDK User Information: Message content, device-related information (IMEI or OAID, serial number, IMSI, user ID, Android ID, Google advertising ID, mobile region settings, device model, phone power, mobile operating system version and language), application information using push services (App package name and version number, running status), push SDK version number, network-related information (e.g., current network type of IP or domain name connection result), message sending result, notification bar status (e.g. notification bar permissions, user click behavior), lock screen status (e.g., lock screen notification, whether lock screen notification is allowed), instructions from advertisers or developers to collect device identification codes (IMEI or OAID), IP addresses, client systems, client network (certain circumstances)
  • Usage Purpose: Improving message arrival rate

TPNS SDK contains the Xiaomi push SDK
  • Third-party Agency Name: Beijing Xiaomi Mobile Software Co., Ltd
  • Business Scene: When using the Xiaomi vendor push
  • SDK User Information:

(1) Android version: device identification (OAID and encrypted Android ID), and application information using push services such as App package name, version number, running status and running process;
iOS version: IDFV (not collected when IDFV is not collected), App package name, version number.

(2) Android version: Message creation, delivery, and click times and temporarily storage of message content obtained from and pushed to you from third-party applications;
iOS Version: Message creation, delivery time, and temporarily storage of message content obtained from and pushed to you from third-party applications.

(3) Android version: Device-related information such as device vendor, device model, device memory, operating system version, Xiaomi push SDK version, device home (country or region), SIM card operator name, current network type, SSID. The current network type and the SIM card operator name are only read locally by the device and will not be uploaded to the Xiaomi server;
iOS Version: device-related information such as device model, operating system version, Xiaomi push SDK version;
Android version: Notification bar setting information, including whether to screen the notification bar and whether to set a lock screen pop-up message.

Improving message arrival rate

TPNS SDK contains Meizu Push SDK

Zhuhai Meizu Communications Equipment Co., Ltd

When using Meizu vendor push (Meizu vendor push not enabled for this App)

Device information (phone model, IMEI number, UUID), application information, log information, other information, location information, push SDK version number, network related information, message sending result, notification bar status, lock screen status

Improving message arrival rate

TPNS SDK contains the Huawei Push SDK

Huawei Software Technology Co., Ltd

When using the Huawei vendor push

Application basic information (App ID, application version number and Application package name, Huawei push SDK version number, installed application list is used to obtain the push service application and HMS Core application version number), application device identifier (AAID, Push Token), device identifier (Android ID), device hardware information (device type, device model), system basic information (system type, system version), system setup information (country code), network information (BSSID)

Improving message arrival rate

TPNS SDK contains Google FCM SDK

Google LLC

When using FCM vendor push (FCM vendor push not enabled for this App)

IP Address, Mobile Ad IDFV, Android ID, FireBase Installation ID, Analytics Apps, Device Information, Push Message Related Information

Improving message arrival rate

Yidao Bo shi SDK

Beijing Yidao Bo shi Technology Co., Ltd

Registration and RMB transfer

Obtaining ID number and bank card number information through device scanning function

Scanning ID certificate to obtain ID card number and scanning bank card to obtain bank card number

The Face++ SDK

Beijing Kuangshi Technology Co., Ltd

Activation of virtual credit card, setting query passwords and enquiring CVV2, opening Cat II and Cat III account

Verifying your identity by identifying your face features and moving actions

Getting camera permissions for facial recognition

Sensors Data SDK

Sensors Data Network Technology (Beijing) Co., Ltd

Collecting usage data to improve App’s service efficiency

Obtaining  device information (including IMEI, Android ID, IDFA, IDFV, OAID, UUID, Mac address, IMSI information), log information (including IP address, URL for accessing services, browser type and language used), location information, unique application number.

User access behavior analytics

WeChat SDK

Shenzhen Tencent Computer Systems Co., Ltd.

Binding your WeChat account to our bank's mobile banking,allowing you to log in through your WeChat account and using our WeChat bank's products or services

WeChat account information (WeChat profile photo, WeChat name, region, gender), pictures or content shared by you to third parties as per your own choice, WeChat installation status on your phone, the user's device model, and the iOS clipboard

Logging in to our bank's mobile banking services via WeChat account

AppDynamics SDK

AppDynamics LLC

Improving availability of mobile App

Device vendor, phone model, network type, telecom operator, system version, App log information

Statistics of App performance and availability

RASP SDK

OneSpan

Detecting the integrity of the App and whether the customer's phone has a security vulnerability

Reading the list of installed Apps and running process lists

Preventing customers from running the App on a mobile phone with security issues

Tencent Big Data SDK

Shenzhen Tencent Computer Systems Co., Ltd

New to bank user applies for opening Cat II/Cat Ⅲ account through WeChat channel

Equipment models, GPS longitude and latitude, mobile phone serial number (IMEI), operating system information

Creating equipment fingerprints for risk management purpose

Ali mPaaS SDK and the included Ali cloud facial recognition SDK, Alipay payment SDK, Ali fastjson, Ali UC crash SDK, UC browser service SDK

Ali Cloud Computing Co., Ltd

Providing remote sales services

Using online video call capabilities provided by Ali mPaas SDK. Obtaining mobile phone cameras, microphones, network access and network access status, WI-FI access status, foreground services, background voice, writing to external storage file permissions, IMSI, IMEI, Android ID

Providing remote sales services to ensure that the remote sales functions are smooth

OAID SDK

China Academy of Information and Communications Technology

Vendors push

Device manufacturers, device models, device brands, device network operator names and App package names and signature information or the App ID of the corresponding store

The invention is used for generating device unique identifier, anonymous device identifier, developer anonymous device identifier and application anonymous device identifier, which is pushed to the manufacturer for use.

Yunzhengtong (China Financial Certification Center CFCA) SDK

China Financial Certification Center

Login and transaction authentication

For AOS system SDKs, device information, model number, brand name, system image compilation information, system image compilation sequence, vendors, and chip vendors will be collected. For IOS systems, the SDK collects IP addresses.

Electronic certificate issuance, download and electronic signature services

Zhong'an SDK

Zhong'an Information Technology Service Co., Ltd

When using our investment and insurance transactions (including application/subscription, contract signing, redemption, conversion, regular investment, cancelation of bills, and insurance purchase) through mobile banking and online banking channels

Record of customer operation behavior

Retrospective inspection and obtaining verification evidence

Convertlab SDK

Shanghai Xin Zhao Yang Information Technology Co., Ltd

During the use of the mobile phone App

Your mobile phone IP, device manufacturer, model of the mobile phone, network type, browser type and browsing behavior.

User access statistics and customer behavior analytics

Chromium SDK

Google

Using built-in browser to browse web

SSID, Wi-Fi information, sensors, application list information.

View webpage through browser 

okhttp/retrofit2.0/okio

The Apache Software Foundation

System development

Do not collect personal information

System development

Appache

The Apache Software Foundation

System development

Do not collect personal information

System development

bouncycastle

Legion of the Bouncy Castle Inc.

System development

Do not collect personal information

System development

injekt-coroutines-jvm

The Apache Software Foundation

System development

Android ID

System development

Tencent facial recognition SDK

Tencent Cloud Computing (Beijing) Co., Ltd

Opening Cat II account

Verifying your identity by identifying your face features and moving actions

Getting camera permissions for facial recognition