
HSBC Bank (China) Company Limited Personal Information and Privacy Protection Policy for Digital Banking Services

Issuance Date: 22 Mar 2023

Effective Date: 22 Mar 2023

HSBC Bank (China) Company Limited ("HSBC", "the Bank", "we" or "us") takes the confidentiality and security of personal information very seriously, and strives at all times to protect the personal information and privacy of our customers and other related information subjects ("you" or "Personal Information Subject") according to law. We have therefore formulated this Personal Information and Privacy Protection Policy for Digital Banking Services (this "Policy") to help you understand the purposes, methods, and scope of the personal information we collect and use, our practices regarding personal information and privacy protection, your rights and interests with regard to personal information and privacy, and how to assert your rights and interests. Please read through this Policy carefully and pay particular attention to the provisions that are bolded and/or underlined.

1. To help you understand the purposes and categories of personal information we collect when you sign up for our services, we explain them under each particular service scenario.
2. When you sign up for some particular services, we will collect your sensitive personal information (for example, biometric information) after you give us clear, active consent. Refusing to provide consent might affect your use of the related service, but will not affect your use of other services we provide.
3. To provide the services you request, we might need to share your personal information with third parties. We will carefully assess the legitimacy, propriety, and necessity of sharing the data with a third party. We will ask the relevant third party to take all data protection measures required pursuant to Laws and Regulations. In accordance with the requirements of Laws and Regulations, we will ask for your consent or ask the relevant third party to demonstrate that they have received your consent via confirmation agreement, page prompt and/or interactive process.
We fully understand how important your personal information is to you, and we will make every effort to protect the security of your personal information. We have always been committed to maintaining your trust and will adhere to the following principles to protect your personal information: Right and Responsibility Consistency, Explicit Purpose, Freely Given Consent, Minimum and Necessity, Assurance of information security, Participation, Fair and Transparency. We are also committed to taking appropriate security measures to protect your information.
This Policy applies to your use of our personal digital banking services (including internet banking, mobile banking and WeChat Service Account).

The table of contents of this Policy is set out below:

I. How We Protect Your Personal Information

II. How We Collect Your Personal Information

III. How We Use Your Personal Information

IV. How We Store Your Personal Information

V. To Whom We Share, Transfer, Disclose Your Personal Information

VI. Special Circumstances for Information Processing

VII. How We Use Cookies

VIII. Your Rights Relating to Personal Information

IX. How to Contact Us

X. Protection of Minors' Personal Information

XI. Formulation, Effectiveness and Update of this Policy and Others

We shall collect, use, store, disclose, and protect your and related parties' personal information in accordance with this Policy. If there is any discrepancy between this Policy and the other agreements entered into or other terms and conditions agreed between you and us, such other agreements or terms and conditions shall prevail.

I. How We Protect Your Personal Information

  1. Information security is our top priority. We will endeavour at all times to safeguard your personal information against unauthorised or accidental access, processing or damage. We maintain this commitment to information security by implementing appropriate physical, electronic and managerial measures to secure your personal information. We will take responsibility in accordance with the law if your information suffers from unauthorised access, public disclosure, erasure or damage for a reason attributable to us and so impairs your lawful rights and interests.
  2. Our website supports advanced encryption technology - an existing industry standard for encryption over the Internet to protect data. When you provide sensitive personal information through our website or APP, it will be automatically converted into codes so as to ensure secure transmission afterwards. Our web servers are protected behind "firewalls" and our systems are monitored to prevent any unauthorized access. Our mobile banking application software has passed the UnionPay payment application software security test conducted by Bank Card Test Centre.
  3. We maintain a strict security system to prevent unauthorized access to your personal information. We exercise strict management over our staff members who may have access to your personal information, including but not limited to access control applied to different positions, contractual obligation of confidentiality agreed with relevant staff members, formulation and implementation of information security related policies and procedures, and information security related training offered to staff.
  4. We will not disclose your personal information to any third party, unless the disclosure is made to comply with laws, regulations and regulatory requirements or according to this Policy or separate agreement between us, or based on your separate consent or authorisation. When we use services provided by external service providers (entities or individuals), we also impose strict confidentiality obligations on them and request them to abide by our personal information and privacy protection policy and security standards when processing personal information.
  5. For the security of your personal information, you take on the same responsibility as us. You shall properly take care of your personal information, such as your account information, identity verification information (e.g. user name, password, dynamic password, verification code, etc.), and all the documents, devices or other media that may record or otherwise relate to such information, and shall ensure your personal information and relevant documents, devices or other media are used only in a secured environment. You shall not, at any time, disclose to any other person or allow any other person to use such information and relevant documents, devices or other media. Once you think your personal information and/or relevant documents, devices or other media have been disclosed, lost or stolen, or may otherwise affect the security of your use of our digital banking services, you shall notify us immediately so that we may take appropriate measures to prevent further loss from occurring.
  6. We will organize regular staff training and drills on emergency response. If a personal information security incident unfortunately occurs, we will adopt our emergency plan and take relevant actions and remediation measures to mitigate the severity and losses in connection therewith. Meanwhile, we will, following the applicable requirements set out in law and regulation, inform you of the basic information of the security incident and its possible impact, the actions and measures we have taken or will take, suggestions for you to prevent and mitigate the risk, and applicable remediation measures. We will inform you about the security incident by email, mail, call, SMS, push notification or through other methods as appropriate in a timely manner. Where it is difficult to notify each Personal Information Subject, we will post a public notice in a reasonable and effective way. Meanwhile, we will report such personal information security incident and our actions in accordance with applicable law, regulation and regulatory requirements.

II. How We Collect Your Personal Information

1. Personal information refers to any kind of information related to an identified or identifiable natural person as electronically or otherwise recorded, excluding information that has been anonymized. Personal information includes name, birth date, ID certificate information (ID card, passport, etc.), personal biometrics recognition information, contact information, address, account information, property status, location, etc. Sensitive personal information refers to personal or property information that, once leaked or illegally provided or misused, may harm personal or property safety and will easily lead to infringement of the personal reputation, human dignity, physical or psychological health, or discriminatory treatment. Such information mainly includes ID certificate information (ID card, passport, etc.), personal biometrics recognition information, credit information, property information, transaction information, medical and health information, specific identity, financial account, individual location tracking, etc., as well as any personal information of a minor under the age of 14.

2. In order to provide you with digital banking services and to ensure the safety of our digital banking services, you need to provide us, or allow us to collect from you or any third party as you agree, the following information necessary for the following purposes or functions:
Purposes or Functions
Information We Need to Collect
Registering digital banking service account 

Your name, mobile phone number, ID document type and number, bank card number and password, phone banking number, phone banking PIN

If you hold a CAT II or CAT III account with us, you need to provide face feature information to register digital banking service account.

Logging onto digital banking service account or retrieving logon password
Your user name/logon name, security question and answer, any password, code, dynamic password, security code, verification code pre-set by you or created or sent via security device, mobile phone, email or other equipment or methods
Maintaining proper and secure operation of digital banking services, preventing and controlling digital banking related risk

Your device type, operating system, unique device identifier (such as Android ID, UUID, IMEI), software version, logon IP address, internet service provider (ISP), device accelerators (such as gravity sensing devices, etc.)
 

Technical information that may not be used to identify an individual’s identity will not be treated as personal information. But if the information alone or in combination with other information may be used to identify your identity, we will treat it as your personal information and have it properly protected.

If you refuse to provide this information, you will not be able to register or log on to our digital banking service account, or will not be able to use our regular digital banking services in a safe and normal way.

3. You may decide, at your free choice, to provide us, or allow us to collect from you or any third party as you agree, the following personal biometrics recognition information for the following purposes or functions:
Purposes or Functions
Personal Biometrics Recognition Information We Collect 
Logon verification

To provide you with a safer and more convenient Mobile Bank logon service, you can choose to log on to mobile banking via fingerprint recognition. Users of some mobile device models can also choose to log on to mobile banking via facial (facial ID) recognition.

We will only receive equipment verification results and will not collect your original fingerprint or face image. You can choose to log on via password if you do not wish to log on via fingerprint or facial ID.

Services requiring Facial Verification Functions

Your face feature

To provide you with a safer and more convenient Mobile Bank service experience, you can choose to use the Facial Verification Function. We will collect your face feature only for the purpose of user identity verification and/or transaction instruction authentication. We will not collect your face image.

You have the right to choose whether to provide your face feature or not, but if you choose not to, we will not be able to provide you with certain online products or services which are subject to face verification according to the nature of business and/or risk management purpose. Alternatively, you may handle the relevant business/service at our branches.

Mobile APP services requiring facial verification functions:

Modify Personal Information>Modify Mobile Phone Number, Modify Identity Information;

Open CAT II/CAT III account online

Payment by Mobile Phone Number: Register/Unregister Mobile Phone Number, Adjust Default Account

Credit Card>Virtual Card Activation, Setup Enquiry Password, Enquiry CVV2

4. You may decide, at your free choice, to provide us, or allow us to collect from you or any third party as you agree, the following information for the following purposes or functions:
Purposes or Functions
Information We Collect
WeChat Logon
Your WeChat ID, WeChat name and profile photo, Mobile phone number 

Appointment to Consultation
Your title, name, area code, mobile phone number, province, city, whether you own a personal account with HSBC or not
Functions based on geographic location such as finding the nearest branches and designated merchants (e.g. in bank card promotion campaign)
Your geographic location information
Important notice for cross border sales and marketing
Your GPS location and logon IP address
To purchase investment, or other financial products

Your personal identity information, including name, sex, nationality, citizenship, registered residence (Hu Kou), type/number/validity period of ID certificate, occupation, contact information, age, family status;

Your personal property information, including personal income, real property, movable property (e.g. financial assets, etc.), indebtedness, investment, tax-paid amount, tax residence, taxpayer identification number, amount paid for the provident fund, etc.;

Your personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.;

Your personal financial transaction information, including personal information acquired, kept, recorded during any payment, settlement, wealth management, safe deposit box or other banking business, personal information generated from transactions made through us with any third party institution like securities company, fund house, futures company or payment agency, etc.;

Your transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience;

For foreign exchange settlement and sale, you may need to provide the purpose of the transaction; if the payment amount exceeds the annual exchange allowance, supporting documents are required including proof of income, work information, letter of college admission, etc.

Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts or for compliance with laws and regulations and regulatory requirements, e.g. time/location (including geographic location and network address) of service use, correspondence or other communication records (including video or audio records, call log and correspondence records and contents).  

Friends and Family Referral Programmes for opening banking account with the Bank
Referral's name, gender, contact information, province / city where referral plans to open banking account, product or services the referral may be interested in

HSBC Jade customers’ insurance related privileges
Name, gender, ID document type and number of the insured
Appointment booking on WeChat for account opening
Your name, nationality, country/place of birth, country/place of residence, gender, mobile phone number, information of ID document, email address, occupation and salary information, tax resident status
Smart Mobile On Boarding
Your name (including former name and alias), gender, mobile phone number, photo of front side and back side of ID certificate, country/place of birth, residential address and the date of moving to the address, mailing address, occupation information, tax resident status, email address, purpose of account opening, use plan of the account, capital source
Transfer and remittance

Domestic transfer and remittance: name of payee, information of beneficiary bank, beneficiary bank account number

When you preset the payees for domestic transfer and remittance, or make domestic transfer and remittance, we will, based on your choice, collect your face feature information or the security code generated by security device as you input to verify your identity.

If you make a domestic transfer using the “mobile phone number payment” function, you need to provide the payee’s name, the payee’s mobile phone number and information of the beneficiary bank, and complete identity verification by SMS OTP; if you log on to mobile banking using facial biometrics information or fingerprint biometrics information to complete identity verification, you need to use your mobile banking logon password for further verification; if you receive money using the “mobile phone payment” function, you first need to set up the mobile phone number receiving function, and we need to obtain the information of all the accounts under your name and use your face feature information to verify your identity.

Overseas transfer and remittance: payee’s name, information of beneficiary bank, beneficiary account number, type of currency of beneficiary account, country/place where beneficiary bank is located or beneficiary bank’s address

IEPS transfer service requires you to provide the name of the college/university, college/university bank account, student ID, tuition fee invoice, payment purpose, email address; if the payment amount exceeds the annual exchange allowance, supporting documents are required including ID, tuition fee invoice, admission letter, passport, VISA, registered residence (Hu Kou of direct relatives)

QR code payment and payment password setting
When you set payment password, you need to provide us with the transaction password of debit card or inquiry password of credit card, and the SMS OTP.
For each transaction made via QR code payment, we need to collect your device type, device identifier and device GPS location to ensure the safety of the transaction.
Application for credit card

Your name, gender, ID number, address, workplace address, contact information, age, date of birth, birth place, nationality, citizenship, personal and marital status, occupation, income and asset information

When you apply for credit card via digital channels, we will need to obtain card number of bank card you applied for with other bank and corresponding mobile phone number used for your application for that bank card; if the said mobile phone number is different from the mobile phone number you provide to us at the time of credit card application, we will need the SMS OTP sent to the said mobile phone number to verify your identity.

We may inquire your credit information and/or credit report with Basic Financial Credit Information Database and/or other credit reference agencies legally incorporated. 

Inquiry of credit card application status
ID number you provided at the time of application and SMS OTP
Activation of physical credit card
Credit card number, identity document type, ID number, date of birth, card expiry date, CVV2 and SMS OTP
Activation of virtual credit card and inquiry password setting
Your name, identity document type, ID number, date of birth, SMS OTP and your face feature information
Inquiry of virtual credit card information
Credit card inquiry password, SMS OTP and your face feature information
Credit Card Repayment and Repayment Setup

Credit Card Prompt Repayment: Repayment Bank Account, Repayment amount, Bank account of banks other than HSBC

Credit Card Bill Setup: Mail address, E-mail address

Application for CIP or ALOC

Bank card number and account information of the account to receive disbursement of CIP or ALOC

We may inquire your credit information and/or credit report with the Basic Financial Credit Information Database and/or other credit reference agencies legally incorporated.

We may also need to obtain invoice or other transaction voucher from you to verify the purpose for use of the fund.

Know Special Offers Nearby

Receive the special offer activities information and the coupon.

We may query your location information to show you the promotion stores most convenient for you.

Logon to CVP platform
Last four digits of the card number (for credit card cardholders) or last four digits of your ID number (for debit card cardholders), your mobile phone number and SMS OTP
Redemption of reward points

Your name, mobile phone number, address information, credit card number, credit card status and credit card reward points balance.

We need to provide above information to third party vendor so as to deliver the goods you exchanged or purchased in the reward mall.

Opening CAT II and CAT III account

Photo of front side and back side of your ID certificate, mobile phone number, email address, residential address, tax information and occupation information

We need to obtain the card number of the debit card you applied for with other bank and the corresponding mobile phone number to verify your identity.

Appointment booking for home mortgage loan inquiry and inquiry of application status of home mortgage loan
Your name, identity document type, ID number and the city where you plan to purchase the real estate
Apply for retail business loan
Your business social credit number, your name, ID number, bank account information and linked phone number for online personal identification, pledger name and ID number (if applicable)
Enrolment in online or offline activities organized by us
Your name, area code, mobile phone number, province or area you are in, whether you own a personal account with HSBC or not
To improve service experience

Information you provide when raising your feedback, suggestion or complaint, information you input when participating in campaigns or surveys

Meanwhile, to assure service quality, we may record the content of service calls. We will provide the necessary prompt before recording to protect your right to be informed and your right of choice.

Provide Marketing and Event Information

Information you provide to participate in our marketing campaigns, events or surveys.

We will only contact you with your consent or at your own request, to send you information about products and services you may be interested in, invite you to participate in our events and surveys, or send you promotional information.

If at any time you would like to change your choice on this part, you can exercise your right of choice by referring to the relevant sections in “IX. How to contact us”.

Provide Personalized Contents

The information you provide when you open an account at our bank, buy our products, use our services, and participate in our marketing activities.

We will collect and analyse this information to provide you with more accurate, convenient and personalized content display or information push / sending services. If at any time you would like to change your choice on this part, you can exercise your right of choice by referring to the relevant sections in “VIII. Your Rights Relating to Personal Information”.

To keep your personal information up to date
To ensure the accuracy and completeness of your information, you need to provide your ID number, mobile phone number, email address, mailing address, income information and job information, tax resident status, taxpayer identity number.
Uploading from Document Center
To certify your eligibility for investment product applications and insurance, you need to upload documents as evidence, which might include information such as name, passport number, nationality, birthday, gender, national ID.
Fraud risk control when using mobile banking applications after login
After you log in to your mobile banking application, to control the risk of fraud, we collect the GPS location of your device. You can manage location authorization in the feature permissions page of your device; in particular, for Android phones with Google GMS (Google Mobile Service), you can set whether to enable Google Basic Services to get GPS location information in your phone's permission management.
4. You may decide, at your free choice, to provide us, or allow us to collect from you or any third party as you agree, the following information for the following purposes or functions:
Purposes or Functions
WeChat Logon
Information We Collect
Your WeChat ID, WeChat name and profile photo, Mobile phone number 

Purposes or Functions
Appointment to Consultation
Information We Collect
Your title, name, area code, mobile phone number, province, city, whether own a personal account in HSBC or not
Purposes or Functions
Functions based on geographic location such as finding the nearest branches and designated merchants (e.g. in bank card promotion campaign)
Information We Collect
Your geographic location information
Purposes or Functions
Important notice for cross border sales and marketing
Information We Collect
Your GPS location and logon IP address
Purposes or Functions
To purchase investment, or other financial products
Information We Collect

Your personal identity information, including name, sex, nationality, citizenship, registered residence (Hu Kou), type/number/validity period of ID certificate, occupation, contact information, age, family status.;

Your personal property information, including personal income, real property, movable property (e.g. financial assets, etc.), indebtedness, investment, tax-paid amount, tax residence, taxpayer identification number, amount paid for the provident fund, etc.;

 

Your personal account information, including account number, time of account opening, institution with which the account is opened, account balance, account transaction information, etc.;

Your personal financial transaction information, including personal information acquired, kept, recorded during any payment, settlement, wealth management, safe deposit box or other banking business, personal information generated from transactions made through us with any third party institution like securities company, fund house, futures company or payment agency, and etc.;

 

Your transaction or risk preference, risk appetite, investment intention, investment goal, knowledge and experience;

 

For foreign exchange settlement and sale, may need to provide purpose of the transaction; if the payment amount exceeds the annual exchange allowance, supporting documents are required including proof of income, work information, letter of colleague admission, etc.

Any other personal information acquired during the establishment or maintenance of business relationship for the performance of contracts or for compliance with laws and regulations and regulatory requirements, e.g. time/location (including geographic location and network address) of service use, correspondence or other communication records (including video or audio records, call log and correspondence records and contents).  

Purposes or Functions
Friends and Family Referral Programmes for opening banking account with the Bank
Information We Collect
Referral's name, gender, contact information, province / city where referral plans to open banking account, product or services the referral may be interested in

Purposes or Functions
HSBC Jade customers’ insurance related privileges
Information We Collect
Name, gender, ID document type and number of the insured
Purposes or Functions
Appointment booking on WeChat for account opening
Information We Collect
Your name, nationality, country/place of birth, country/place of residence, gender, mobile phone number, information of ID document, email address, occupation and salary information, tax resident status
Purposes or Functions
Smart Mobile On Boarding
Information We Collect
Your name (including former name and alias), gender, mobile phone number, photo of front side and back side of ID certificate, country/place of birth, residential address and the date of moving to the address,  mailing address, occupation information, tax resident status, email address, purpose of account opening , use plan of the account, capital source
Purposes or Functions
Transfer and remittance
Information We Collect

Domestic transfer and remittance: name of payee, information of beneficiary bank, beneficiary bank account number

When you preset the payees for domestic transfer and remittance, or make domestic transfer and remittance, we will, based on your choice, collect your face feature information or the security code generated by security device as you input to verify your identity.

If you make a domestic transfer using the “mobile phone number payment” function, you need to provide the payee’s name, payee’s mobile phone number and information of the beneficiary bank, and to complete identity verification by SMS OTP; if you log on to mobile banking using facial biometrics information or fingerprint biometrics information to complete identity verification, you need to use your mobile banking logon password for a further verification; if you receive money using the “mobile phone payment” function, you first need to set up the mobile phone number receiving function, and we need to obtain the information of all the accounts under your name and use your face feature information to verify your identity.

Overseas transfer and remittance: payee’s name, information of beneficiary bank, beneficiary account number, type of currency of beneficiary account, country/place where beneficiary bank is located or beneficiary bank’s address

The IEPS transfer service will require you to provide the name of the college/university, college/university bank account, student ID, tuition fee invoice, payment purpose and email address; if the payment amount exceeds the annual exchange allowance, supporting documents are required, including ID, tuition fee invoice, admission letter, passport, visa, registered residence (Hu Kou of direct relatives)

Purposes or Functions
QR code payment and payment password setting
Information We Collect
When you set payment password, you need to provide us with the transaction password of debit card or inquiry password of credit card, and the SMS OTP.
For each transaction made via QR code payment, we need to collect your device type, device identifier and device GPS location to ensure the safety of the transaction.
Purposes or Functions
Application for credit card
Information We Collect

Your name, gender, ID number, address, workplace address, contact information, age, date of birth, birth place, nationality, citizenship, personal and marital status, occupation, income and asset information

When you apply for credit card via digital channels, we will need to obtain card number of bank card you applied for with other bank and corresponding mobile phone number used for your application for that bank card; if the said mobile phone number is different from the mobile phone number you provide to us at the time of credit card application, we will need the SMS OTP sent to the said mobile phone number to verify your identity.

We may inquire about your credit information and/or credit report with the Basic Financial Credit Information Database and/or other credit reference agencies legally incorporated.

Purposes or Functions
Inquiry of credit card application status
Information We Collect
ID number you provided at the time of application and SMS OTP
Purposes or Functions
Activation of physical credit card
Information We Collect
Credit card number, identity document type, ID number, date of birth, card expiry date, CVV2 and SMS OTP
Purposes or Functions
Activation of virtual credit card and inquiry password setting
Information We Collect
Your name, identity document type, ID number, date of birth, SMS OTP and your face feature information
Purposes or Functions
Inquiry of virtual credit card information
Information We Collect
Credit card inquiry password, SMS OTP and your face feature information
Purposes or Functions
Credit Card Repayment and Repayment Setup
Information We Collect

Credit Card Prompt Repayment: Repayment Bank Account, Repayment amount, Bank account of banks other than HSBC

Credit Card Bill Setup: Mail address, E-mail address

Purposes or Functions
Application for CIP or ALOC
Information We Collect

Bank card number and account information of the account to receive disbursement of CIP or ALOC

We may inquire about your credit information and/or credit report with the Basic Financial Credit Information Database and/or other credit reference agencies legally incorporated.

We may also need to obtain invoice or other transaction voucher from you to verify the purpose for use of the fund.

Purposes or Functions
Know Special Offers Nearby
Information We Collect

Receive the special offer activities information and the coupon.

We may inquire about your location information to show you the promotion stores most convenient to you.

Purposes or Functions
Logon to CVP platform
Information We Collect
Last four digits of the card number (for credit card cardholders) or last four digits of your ID number (for debit card cardholders), your mobile phone number and SMS OTP
Purposes or Functions
Redemption of reward points
Information We Collect

Your name, mobile phone number, address information, credit card number, credit card status and credit card reward points balance.

We need to provide above information to third party vendor so as to deliver the goods you exchanged or purchased in the reward mall.

Purposes or Functions
Opening CAT II and CAT III account
Information We Collect

Photo of front side and back side of your ID certificate, mobile phone number, email address, residential address, tax information and occupation information

We need to obtain the card number of the debit card you applied for with other bank and the corresponding mobile phone number to verify your identity.

Purposes or Functions
Appointment booking for home mortgage loan inquiry and inquiry of application status of home mortgage loan
Information We Collect
Your name, identity document type, ID number and the city where you plan to purchase the real estate
Purposes or Functions
Apply for retail business loan
Information We Collect
Your business social credit number, your name, ID number, bank account information and linked phone number for online personal identification, pledger name and ID number (if applicable)
Purposes or Functions
Enrolment in online or offline activities organized by us
Information We Collect
Your name, area code, mobile phone number, province or area you are in, whether or not you hold a personal account with HSBC
Purposes or Functions
To improve service experience
Information We Collect

Information you provide when raising your feedback, suggestion or complaint, information you input when participating in campaigns or surveys

Meanwhile, to assure service quality, we may record the content of service calls. We will provide the necessary prompt before recording to protect your right to be informed and your right of choice.

Purposes or Functions
Provide Marketing and Event Information
Information We Collect

Information you provide to participate in our marketing campaigns, events or surveys. 

We will only contact you with your consent or at your own request, sending you information about products and services you may be interested in, inviting you to participate in our events and surveys, or sending you promotion information.

If at any time you would like to change your choice on this part, you can exercise your right of choice by referring to the relevant sections in “IX. How to contact us”.

Purposes or Functions
Provide Personalized Contents
Information We Collect

The information you provide when you open an account at our bank, buy our products, use our services, and participate in our marketing activities.

We will collect and analyse this information to provide you with more accurate, convenient and personalized content display or information push / sending services. If at any time you would like to change your choice on this part, you can exercise your right of choice by referring to the relevant sections in “VIII. Your Rights Relating to Personal Information”.

Purposes or Functions
To keep your personal information up to date
Information We Collect
To ensure the accuracy and completeness of your information, you need to provide your ID number, mobile phone number, email address, mailing address, income information and job information, tax resident status, taxpayer identity number. 
Purposes or Functions
Uploading from Document Center
Information We Collect
To certify your eligibility for the investment products’ application and insurance, you need to upload documents as evidence, which might include information such as Name, Passport Number, Nationality, Birthday, Gender, National ID.
Purposes or Functions
Fraud risk control when using mobile banking applications after login
Information We Collect
After you log in to your mobile banking application, to control the risk of fraud, we collect the GPS location of your device. You can manage location authorization in the feature rights page of your device; in particular, for Android phones with Google GMS (Google Mobile Service), you can set whether to enable Google Basic Services to get GPS location information in your phone rights management.

If you refuse to provide the above information, you are not able to use or enjoy the relevant functions, but your use of other functions of our digital banking will not be adversely affected.

5. Our mobile banking applications may also invite your permissions for the following system functions relating to personal information and will collect and use the information for the permitted functions based on your permission:
Items
Permitted Functions
Fingerprint logon
Identity recognition, logon, and verification using fingerprint(s)
Face ID
Log on to mobile banking via facial recognition on certain types of device
Camera
QR code payment, upload of application materials for loan and other business/service, facial recognition, bank card identification, identity document identification
Photos
Upload of avatar, upload of application materials for loan and other business/service, electronic receipt storage, QR code scanning, bank card and identity document identification
Location
To improve the information accuracy for retailers with credit card offers and to enhance marketing messages for customers who are currently located outside of mainland China, including information on account opening, loans, insurance and more, and for fraud risk control after you log in to mobile banking.
Microphone
Voice input, voice verification and recognition services
Contacts

Fund transfer via mobile phone number, friends and family referral

We only obtain the contact information you select from your contacts and transmit it in encrypted form to prevent malicious interception.

Phone (applicable to Android system)
Dial the phone number of branches to enquire about banking business by one touch, access device status information.
Message
SMS notification service
Notifications
Push messages with alerts, sounds, and icon tags
Memory (applicable to Android system)
Upload of avatar, upload of application materials for loan and other business/service, electronic receipt storage, QR code scanning, bank card and identity document identification
Device Information (to read device call status, identifier, and network access in iOS system)
To maintain proper and secure operation of digital banking services, prevent and control fraud risk, dial the phone number by one touch, and access the network

For those functions that need your permission, you may, at your free choice, decide whether to additionally grant the permission for the said functions on mobile banking applications. If you refuse to grant permission for a specific function, you are not able to use that specific function, but your use of other functions in our mobile banking will not be adversely affected.

6. When you use our Mobile Banking Service, under certain particular scenarios, we will use software service toolkits provided by third parties (“SDK”). To provide the service to you, the third party SDK will collect your information:

Third Party SDK

Third Party SDK
Purpose and Scope of Collection
GAODE Positioning SDK
In order to provide you with location-based services, we will use the GAODE Positioning SDK from AutoNavi Limited, which requires access to unique device identifiers and latitude and longitude information for your mobile terminal. For more information, please see the Privacy Policy for the GAODE Open Platform at https://lbs.amap.com/pages/privacy/
Mobile Push TPNS SDK
To provide service notifications to you in a timely manner, we use Mobile Push TPNS SDK to collect the mobile manufacturer, system language, mobile type, network type and notification bar status.
Yidao Boshi SDK
To automatically access your ID number and bank card number, we use Yidao Boshi SDK to access camera permission.
KofaxSDK
To ensure the qualification of the photos uploaded, we use KofaxSDK to access camera and photo album permissions.
Face++ SDK
To quickly verify your ID, we use Face++ SDK to access camera permission, so that we can recognize your face features and movements. But we will not store these features or movements.
Tealium SDK
To carry out visit statistics surveys and client behavior analysis, we use Tealium SDK to access your mobile IP, mobile manufacturer, network type, browser type and browsing behavior.
Wechat SDK
To provide you with the service of logging on to Mobile Banking via Wechat, we use Wechat SDK to seek your consent on sharing your Wechat account (Wechat head portrait, nickname, area, gender), and to bind your Wechat account with our Mobile Banking account.

AppDynamics SDK
For statistical purposes such as understanding App performance and utilization rate, we use AppDynamics SDK to collect device manufacturer, mobile model, network type, telecom operator, system version, and App log information.
RASP SDK
To protect the App’s security, we use RASP SDK to read your installed APP list and the APPs currently running in order to verify the App’s integrity, detect potential security holes in your device, and prevent the App from operating on devices that have security issues.
VIVO Push SDK
To improve the message delivery, TPNS SDK includes VIVO Push SDK. When we use VIVO push message, the SDK will collect device info, application info, SDK version number, network info, result of message delivery, notification status, screen lock status, etc. The VIVO push message is temporarily inactive in our APP.
OPPO Push SDK
To improve the message delivery, TPNS SDK includes OPPO Push SDK. When we use OPPO push message, the SDK will collect device info, application info, SDK version number, network info, result of message delivery, notification status, screen lock status, etc. The OPPO push message is temporarily inactive in our APP.
XIAOMI Push SDK
To improve the message delivery, TPNS SDK includes XIAOMI Push SDK. When we use XIAOMI push message, the SDK will collect device info, device ID (OAID, encrypted Android ID), application info, SDK version number, network info, result of message delivery, notification status, screen lock status, etc.
MEIZU Push SDK
To improve the message delivery, TPNS SDK includes MEIZU Push SDK. When we use MEIZU push message, the SDK will collect device info, application info, logs, location and other info, SDK version number, network info, result of message delivery, notification status, screen lock status, etc. The MEIZU push message is temporarily inactive in our APP.
HUAWEI Push SDK
To improve the message delivery, TPNS SDK includes HUAWEI Push SDK. When we use HUAWEI push message, the SDK will collect AAID, application token, Topic subscription, record of message delivery, token application records, display/click/close reporting records, cache info HMS Core openid.
Google FCM SDK
To improve the message delivery, TPNS SDK includes Google FCM SDK. When we use Google FCM push message, the SDK will collect IP address, IDFV, Android ID, FireBase ID, application info, device info and push message info. The Google FCM push message is temporarily inactive in our APP.
APNS
To improve the message delivery, TPNS SDK includes APNS. When we use APNS push message, it will collect account info, device info, data used and location info. The APNS push message is temporarily inactive in our APP.
Tencent Big Data SDK
To fulfil local regulatory requirement, if you are a new HBCN customer, we will collect your device type, location (GPS), IMEI, device operating system information, etc. to form a device fingerprint and use it for fraud monitoring purposes when you apply for HBCN Cat II, Cat III account on Wechat banking.
Ali mPaaS SDK
In order to enable remote sales services, when you use online video call functions via Ali mPaaS SDK, the SDK will collect permission for phone camera, microphone, network access, network status, Wi-Fi status, front end services and back end voice function to ensure smooth usage of the remote sales function.
CFCA (China Financial Certification Authority) SDK
In order to meet regulatory requirements and improve the security of the App, we provide you with the CFCA digital signature service. For AOS system, the SDK will collect device, model, brand, ROM build user, ROM build host, manufacturer, CPU manufacturer. For iOS system, the SDK will collect IP address. All the collected information mentioned will be sent to the CFCA SDK service platform for digital certificate issuing, download and digital signing service.
ZhongAn SDK
To meet the regulatory retrospective requirement, when a customer makes investment and insurance transactions (including subscription, fund sign, redemption, switch, regular investment, cancelation of orders, and insurance application) through mobile banking and online banking channels, after obtaining the client's consent, the Bank shall collect the customer's operating track through the ZhongAn Retrospective SDK for retrospective inspection, verification and evidence collection.
Convertlab SDK
To carry out visit statistics surveys and client behavior analysis, we use Convertlab SDK to access your mobile IP, mobile manufacturer, phone model, network type, browser type and browsing behavior.


If you do not agree to the listed SDKs collecting your information, you may not be able to access these services, but you can still access other functionality or services on digital banking.

7. Please understand that the digital banking services we provide to you are constantly evolving. If you choose to use any other service not listed above for which we have to collect your information, we will separately explain to you the purposes, methods, and scope of personal information we collect, through reminders on pages, interaction with you or agreements entered into with you, and obtain your consent for that. We will collect, use, store, disclose, and protect your information in accordance with this Policy and other agreements (if any) between you and us. If you choose not to provide certain information, you may be unable to use certain or part of the service, but your use of other services we provide will not be affected.

III. How We Use Your Personal Information

  1. We will use your information in the following circumstances:
    (1) To realize the purposes and functions mentioned in above Article II of this Policy "How We Collect Your Personal Information"; to contact you, or to approve, process or execute your application or instruction for transactions; 
    (2) To ensure safe and stable financial services, we will use your information for identity verification, safety precaution, fraud detection, prevention or prohibition of illegal or non-compliant activities, control or reduction of risks, recording or filing purposes;
    (3) To report to relevant regulators or other authorities according to laws, regulations or regulatory requirements; 
    (4) To maintain and improve digital banking service or any function thereof, develop new service or function (if use of your personal information in the new service or function goes beyond your consent, we will obtain your additional consent before we use your information for such new service or function);
    (5) Subject to your authorization, to promote the Bank’s other products and services and to recommend to you the products or services that may interest you;
    (6) To make statistics and analysis of the use of our business, products, services or functions; we may share such statistics with the public or third parties to present the overall trend of relevant business, products, services or functions. But such statistics will not contain any of your personally identifiable information.
    (7) Subject to your authorization, the Bank will estimate “people like me” based on your demographic characteristics, mobile banking browsing behavior, investment and transaction activities, transfer and transaction records, and then display the product information of “people like me” to you for your reference.
  2. The above content related to information collection and use in this Policy shall not impact our use of your information for the purposes as otherwise agreed between you and us separately.
  3. If we use your personal information for the purposes other than the scope and purposes of information collection and use as set forth in this Policy or in other agreement between you and us, we shall let you know how we use this information and obtain your consent before using your personal information for such additional purposes per applicable laws and regulations.

IV. How We Store Your Personal Information

We comply with Chinese laws and requirements on data storage. When we collect or process your information, we will, according to applicable laws and regulations, regulatory (Measures for the administration of customer identification and the preservation of customer identification material and transaction records of financial institutions, The administrative rules on Renminbi settlement accounts, etc.), archival, accounting, auditing or reporting requirements, and the purposes as set forth in this Policy, store your information for the minimum period necessary to fulfill the purposes of information collection. To provide you with cross-border services (e.g. cross-border remittance), your information may need to be transferred abroad. Under this circumstance, we will adopt appropriate, necessary and effective security methods (encryption) to protect your information security.

Examples of personal information storage location and period:

| Category | Processing Scenario | Server location | Storage time |
| --- | --- | --- | --- |
| Geolocation/IP Address | Mobile bank market information display, nearby outlets and merchants inquiry | HBCN Shanghai data centre | At least 7 years after account closing |
| ID information | Open account, apply for credit card | HBCN Shanghai data centre | At least 10 years after business closing |
| Personal property information | Bank account, deposit, bank transfer, bill installment | HBCN Shanghai data centre | At least 7 years after account closing |

After the retention period expires, we will destroy, delete or de-identify relevant information, or, when it is impossible to destroy, delete or de-identify your information, we will store your personal information in a safe and segregated way. The exception is information that needs to be retained according to applicable laws and regulations, regulatory, archival, accounting, auditing or reporting requirements, special agreement between you and us, or for settlement of indebtedness between you and us, or for record check or enquiry from you, regulators or other authorities.

V. To Whom We Share, Transfer, Disclose Your Personal Information

  1. Entrusted Processing and Sharing

    For the purposes set out above in this Policy, we may provide or disclose all or part of your personal information to the following recipients under the preconditions that such provision or disclosure is necessary and is made with proper protective measures (please refer to Article I of this Policy "How We Protect Your Personal Information" for details): 
    (1)   any member of the HSBC Group;
    (2)   any contractor, subcontractor, agent, third party product or service provider, licensor, professional consultant, business partner, or associated person of the HSBC Group (including their employees, directors and officers);
    (3)   any regulator of the Bank or any member of the HSBC Group or any other authority, or any organisation or individual designated by such regulators or authorities;
    (4)   anyone acting on your behalf according to your authorisation or according to law, payment recipients, beneficiaries, account nominees, intermediary, correspondent and agent banks (e.g. for CHAPS, BACS, SWIFT), clearing houses, clearing or settlement systems, upstream withholding agents, swap or trade repositories, stock exchanges, companies in which you have an interest in securities (where such securities are held by us for you), or anyone making any payment to you;
    (5)   any person or related party who has the right or obligation, acquires an interest or assumes risk, in or in connection with any product or service you receive from the Bank, or any business you handle at the Bank or any transaction you make with the Bank (for example, the person who provides or intends to provide any mortgage or other security for any of your debt to the Bank, or the beneficiary of the insurance product that the Bank distributes to you);
    (6)   other financial institutions, industrial associations, bank card organisations, credit rating agencies, credit reference agencies (including without limitation, Basic Financial Credit Information Database) or information service providers;
    (7)   any third party fund manager providing you with asset management services through us;
    (8)   any third party to whom we provide referral, agency or intermediary service;
    (9)   any party in connection with any business/asset transfer, restructure, disposal (including securitisation), merger, spin-off or acquisition transactions of the Bank. 
    Such provision or disclosure will involve cross border transmission of personal information, including information being transmitted to or being accessed from overseas only when the above recipient(s) is an overseas institution/person. 
    Whether it is processed domestically or overseas, in accordance with applicable data protection legislation, your personal information will be protected by a strict code of secrecy and security which, the Bank, other members of the HSBC Group, their staff and third parties are subject to.
    Subject to applicable laws and regulations, we will seek your separate consent and notify you of the data sharing/transferring, including the data receiver’s identity, contact information, purpose of processing, method of processing and the type of personal information (if cross-border transfer is involved, we will also notify you of the manner and method of exercising your right).
  2. Transfer
    Without your separate consent, we will not transfer your personal information to any other company, organization or individual, except in the case of business/asset transfer, restructure, disposal (including securitization), merger, spin-off or acquisition transactions where the transfer is necessary. Where any personal information is transferred, we will request the receiving company, organization or individual to comply with this Policy. Otherwise, they shall obtain separate consent from you.
  3. Public Disclosure
    We will not disclose your personal information to the public unless we have your separate consent.

VI. Special Circumstances for Information Processing

We will process your information (collection, storage, use, analysis, transfer, provision, disclosure) based on your consent. To the extent allowed by laws and regulations, we may process your personal information without your consent under the following circumstances:

(1) Where it is necessary for entering into a contract or the performance of a contract to which you are the party.

(2) Where it is necessary for compliance with a legal obligation to which we are subject.

(3) Where it is necessary in order to protect your vital interests in an emergency or respond to public health emergencies.

(4) Where it is within reasonable limits in order to carry out news coverage or media supervision for the public interest.

(5) Where it is within a reasonable range according to law to process information that has been legally made public or publicized by yourself.

(6) Other circumstances stipulated by laws and regulations.

VII. How We Use Cookies

  1. Your visiting, browsing or use of any of our websites or digital banking service related applications may be recorded for analysis of the number of visitors to the site and/or applications, general use patterns and your personal use patterns, and for improving your experience. Cookies can enable our website or applications to recognise your device and store information about your use of the website and/or applications so as to provide more useful features to you and to tailor the content of our website/applications to suit your interests and, where permitted by you, to provide you with promotional materials based on your use patterns. We will be able to access the information stored on the Cookies.

    The information collected by us via above methods is anonymous aggregated data, and contains no name or address information or any information that will enable anyone to contact you via telephone, email or any other means.
  2. Most local terminals are initially set to accept Cookies. You can manage or disable Cookies based on your own preference. Should you wish to disable the Cookies, you may do so by changing the setting on your local terminals. However, after changing the setting you may not be able to enjoy the convenience that Cookies bring, but your normal use of other functions of the local terminals will not be affected. 

VIII. Your Rights Relating to Personal Information

  1. You have the right to request us to protect and secure your personal information in accordance with the provisions of the law, regulation and this Policy. You have the right to exercise your rights of information granted by laws and regulations.
  2. You have the right to check with us whether we hold your personal information and to check the personal information you have provided to us, and copy the information provided by you.
  3. You have the right and obligation to update your personal information with us to ensure all information is accurate and up-to-date. You have the right to request us to provide convenience for you to update your personal information with us and to correct any of your information that is inaccurate.
  4. In relation to personal credit, you have the right to request to be informed of your personal information that is disclosed to credit reference agencies by us, so as to enable your request to the relevant credit reference agencies for access to and correction of your information.
  5. You have the right to request us to delete or otherwise properly dispose of your personal information that is beyond retention period in accordance with the applicable law and regulation, this Policy, and other agreement between you and us. If we terminate our operation, we will stop any data collection activity in a timely manner, delete or de-identify all the information, and inform you via courier on board or announcement, except as otherwise provided by laws and regulations. 
  6. You have the right to change the scope of authorization or withdraw your consent. Please note the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal. 
  7. You have the right to uninstall digital banking service related applications. Please note that uninstalling the applications will not close your digital banking account. You have the right to close your digital banking account (by closing your bank account or disabling the digital banking functions of your bank account; for the sake of account safety you should visit our branches or sub-branches in person for such closure) and request deletion of your personal information in accordance with the applicable law and regulation, this Policy, and other agreement between you and us. You can close your CAT II and CAT III account through Mobile Bank channel - Information centre - Bank information centre. You can find the detailed bank account closing procedure via HBCN Wechat account – on line service. You can also raise the bank account closing request by visiting our branches or sub branches in person, and you need to provide your ID card and the personal online bank change/closing form to handle this business. It will take us three to five working days to handle your request and close your account. After you close your digital banking account, we will no longer collect your information through the relevant channel. However, per Measures for the administration of customer identification and the preservation of customer identification material and transaction records of financial institutions, and the administrative rules on Renminbi settlement accounts, we need to keep related information for a certain period as listed in IV. How We Store Your Personal Information and will then delete relevant personal information in accordance with the applicable law and regulation, this Policy, and other agreement between you and us, except for those we keep according to the applicable laws and regulations, regulatory, archival, accounting, auditing and reporting requirements, agreement between you and us, or for settlement of any indebtedness between you and us, or for record check or enquiry from you, regulators or other authorities.
  8. This privacy policy will not restrain your right to exercise other rights you are granted by laws and regulations as the subject of information.
  9. For your safety, you might need to provide the above-mentioned requests in written form or prove your identity via other measures. We might ask for ID verification before handling your request. We will reply to you within 15 working days or shorter period as prescribed by law and regulation (if any).
  10. You can update your personal information on mobile banking by going to 'Me' and selecting 'Personal information'. You can also do it with online banking by tapping your name on the page and selecting 'Update personal and contact information'. You’ll be able to update information such as your email address, landline number, fax number, mobile number, company phone number, company fax number, job information and correspondence address.
  11. You have the option of using the “Personalized recommendation” feature. The “Personalized recommendation” feature is designed to enhance your experience, and recommends contents for more relevant information based on your personal characteristics and preferences, data analysis or automated decision making. You have the right to decide and manage how to set up this feature. If you want to turn this feature on or off, you can use our mobile banking: HSBC CN APP > Me > Settings & Preferences; or HSBC China WeChat Applet > Help and Tools, to find the “Personalization and marketing preferences” menu, and make your adjustment on the “Personalized content” page and the “Marketing preferences” page – “Personalized marketing information” section. Among them, the switch on the “Personalized content” page controls whether the products and marketing information displayed to you on our electronic channels use the “Personalized Recommendation” function. If you turn off the switch, we will display general products and marketing information not based on your personal characteristics. The “Marketing preferences” page – “Personalized marketing information” section controls whether the “Personalized Recommendation” feature is used by our bank when proactively pushing products and marketing information to you by phone, text message, email, etc. Turning off this switch will not affect your access to that type of push information, but the push you receive will be general product and marketing information that is not based on your personal characteristics. In addition to the above self-help channels, you can also call +86 95366 for our contact center to adjust for you. We will complete the adjustment as soon as we receive your request (usually no later than 15 business days after your request is received).

IX. How to contact us

Requests for access to, correction or deletion of personal information, for withdrawal of authorisation or disposal of personal information beyond retention period, for a copy of this Policy, or enquiries about our practices regarding personal information and privacy protection, should be addressed to:

Chief Data Officer, WPB

HSBC Bank (China) Company Limited

31/F HSBC Building, Shanghai IFC, 8 Century Avenue, Pudong, Shanghai, 200120

E-mail: hsbcaoc@hsbc.com.cn

Tel: +86 95366 (8:30am - 5:30pm, Monday to Friday during the working days)

For the sake of security, you may need to raise your request in written form or prove your identity via other methods. Upon receipt of your request, we may ask to validate your identification before handling the request.

Upon the receipt of your request, we will reply to you within 15 working days or shorter period as prescribed by law and regulation (if any). 

We will not charge fees for the processing of your above-mentioned reasonable requests for checking, correcting or otherwise disposing of your personal information. 

Notwithstanding the foregoing, we may reject the request if it is illegal, noncompliant, unnecessarily repeated, unreasonable or technically impracticable, puts other individuals’ lawful rights at risk, or is excessive. Due to the requirements of law and regulation, we may not be able to respond to your request under any of the following circumstances:

(1) where the request is in relation to our legal and financial compliance obligation under laws and regulations;

(2) where the request is in direct relation to state security or national defence security;

(3) where the request is in direct relation to public security, public sanitation, or major public interests;

(4) where the request is in direct relation to criminal investigations, prosecutions, trials, execution of rulings, etc.;

(5) where there is sufficient evidence that you are intentionally malicious or abuse your rights;

(6) where the purpose is to protect your or other individuals’ life, property and other substantial legal interests but it is difficult to acquire your consent;

(7) where responses to your request will give rise to serious damage to your or any other individual or organisation’s legal rights and interests; or

(8) where the request involves any trade secret.

Unless we have your prior consent, we will not send you messages such as marketing, customer experience improvement and marketing survey. If at any time you would like us to cease using or providing to others your personal information for marketing, customer experience improvement and marketing survey purposes, you are entitled to notify us and exercise your right of choice not to receive such messages any more. If you choose to reject these messages, or you want to adjust the channels through which you receive these messages, you can self-adjust on the “Marketing Preferences” page through our mobile banking APP > My > Settings & Preferences, or through the “Helps & Tools” in the HSBC China WeChat applet. You may also contact our contact center by calling +86 95366 to raise your request. After receipt of your request we will, as soon as practical (usually no later than 15 working days from your request), take actions to ensure no more such marketing, customer experience improvement and market survey messages are sent to you.

You may supervise or make suggestions for our practices regarding personal information and privacy protection, and lodge complaints or demand compensation according to law against us or our staff for any infringement of your rights and interests in your personal information and privacy. 

If you have any query, complaint, feedback, comment or suggestion, or have a problem with automated decision results, please Contact HSBC. We will contact you within two working days after receiving your request, and will provide the results within five working days. If we cannot provide results within the above-mentioned time, we will notify you of the updated time limits without undue delay. Generally speaking, we will provide results within fifteen working days. For complicated or serious complaints, it might take us thirty working days to handle the case. For extremely complex cases, the ultimate handling time limit shall be within sixty working days. You may contact us through the contact information listed in this Policy, by calling our hotline or visiting our branches or sub-branches. You may also visit our official website www.hsbc.com.cn or official WeChat account “汇丰中国客户服务” (WeChat ID: HSBCeBanking) to enquire about nearby branches or sub-branches, or other contact information of ours suitable for you.

X. Protection of Minors' Personal Information

  1. We pay particular attention to protection of the minors' personal information. We have no intention to collect any minors' personal information, unless it is agreed by their parents or guardians and it is necessary for the products or services offered to the minors (for example, the minors may be the holders of the Junior Account offered by us, the holders of supplementary card of certain credit cards issued by us, the beneficiaries of the insurance products that we distribute, the heirs of our customers, etc.).
  2. If you are under 18 years of age, it is suggested that your parents or guardians should carefully read this Policy and any of your personal information should be provided only after seeking consent from them. Meanwhile, it is suggested that your use of our products and services should be under the guidance of your parents or guardians. If they do not agree to your providing your personal information or using any of our products or services, you should immediately stop providing the information or stop using our products and services. Please notify us of such event as soon as possible, so as to allow us to take appropriate measures accordingly.
  3. If you are under 18 years of age, for the personal information we collect with the consent of your parents or guardians, we will only use or disclose such information to the extent allowed by law and regulation or expressly consented to by your parents or guardians or necessary for protection of the minors’ interests.
  4. Special suggestion: If you are under 14 years of age, please make sure you are reading this policy in the company and under the guidance of your guardian, and that you are using our product and service after obtaining your guardian’s consent. If you are the guardian of a youth under 14 years of age, please read this notice carefully, confirm if you agree with this policy and give your children the permission to use our product and service.
  5. If you are the guardian of a youth under 14 years of age and have any enquiry, you can contact us through the contact information listed in IX How to contact us.

XI. Formulation, Effectiveness, Update of this Policy and Others

  1. The Policy is made by us and published at our digital banking service related websites or applications and takes effect on the date of issue. The Policy may be amended or updated from time to time, particularly in the events of major changes as follows:
    (1) Major changes in our service model, such as changes in the purpose of processing personal information, changes in the types of personal information being processed, the use methods of personal information, etc.;
    (2) Major changes in our ownership structure, organisational structure, etc., such as changes as result of business adjustments, bankruptcy, mergers, etc.;
    (3) Changes in the main objects of personal information sharing, transfer or public disclosure;
    (4) Significant changes in your rights relating to personal information or in the methods to exercise such rights;
    (5) Changes of our contacts for personal information related requests/enquiries, changes of our contacts for complaint or feedback;
    (6) Other major changes which may significantly impact your interests in personal information.
    We will post the changes to the Policy or the updated Policy through push notifications, pop-ups, announcements, etc. on our digital banking service related websites and/or applications. Changes to the Policy shall not diminish or limit the rights you should have as a Personal Information Subject under Chinese law.
    You can access the Policy via "Mine – General – Legal Terms – Privacy and Security" in the HSBC Mobile Banking APP or via "My HSBC – Help and Tools – Privacy Policy" in the HSBC official Wechat account “汇丰中国客户服务”.
  2. Where you provide to us personal information about another person, you should ensure that person acknowledges this Policy and, in particular, tell him/her how we may use his/her information. You should remind that person to read this Policy in advance and may also give him/her a copy of this Policy.
  3. In case of discrepancy between the Chinese and English versions of this Policy, the Chinese version shall apply and prevail.