American Express®
Online Privacy Statement
Effective Date: June 2023
American Express® (American Express Services Europe Ltd., American Express Payment Services Ltd and American Express Europe LLC) is committed to protecting your privacy. For the contact details of our Data Protection Officer please see the “Contacting Us” section below.
In this Online Privacy Statement (“Statement”), we outline what Personal Information we, in our capacity as controller, collect about you online, why we collect it and how we access, use, disclose, and protect it in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation. Personal Information is any information relating to you as an identified or identifiable natural person, such as your name, addresses, telephone number, and email address and other information specific to you such as your IP address, details provided in your application form such as your income and/or transaction information. This Statement applies to Personal Information we collect online through:
- services we operate such as our websites and mobile “apps”; and
- services or content we offer on third party platforms, such as our electronic communications, social media pages, voice assistant apps, and digital ads.
This Statement also applies to all other services or content that link to or reference this Statement, for example online services provided to you as a cardmember.
Here’s something to keep in mind
We may provide you with more details about how we use Personal Information about you, depending on the product or service you use. In this case, we’ll provide additional Terms & Conditions, privacy statements, or notices. For example, your Cardmember Privacy Statement includes more specific details about how we use information tied to your card. This Statement doesn’t apply to services operated by American Express that have their own privacy statements.
Third-party services, such as social media sites, have terms that explain how they handle information about you. Please take a moment to review the terms of any other online services you use.
Our websites and apps are not intended for children. We don’t knowingly collect information online from, or market online to, children under 13 years of age.
The type of Personal Information we collect depends on the product or service you use. We’ll only collect Personal Information about you where we have a lawful basis to do so. Please see “Use of Personal Information” below for details of the lawful basis we rely on.
In some cases, we collect Personal Information if you directly provide it to us. For example, we may collect Personal Information such as your name, account number, date of birth, address, phone number, and/or email address. When you interact online with the American Express website, we may also process digital data and other Personal Information originating from your online behaviour, such as your IP address or whether you have previously visited us online during the application process.
We collect Personal Information directly from you as well as from different sources depending on which product or service you request or use. For instance, we collect Personal Information about you when you:
- apply for an American Express product or service online;
- access our online account services;
- book a flight through American Express Travel or purchase something on our websites;
- enroll in an American Express offer, participate in a promotion or take one of our surveys.
We may collect Personal Information from third parties when you apply for a product or service or use our online services, for example from:
- credit reference agencies and fraud prevention organisations;
- our Business Partners (i.e., third parties with whom we conduct business or have a contractual relationship, such as co-brand partners or merchants), with whom you have consented to sharing information with us for marketing purposes or aggregated data for statistical analysis purposes.
If you apply for an American Express card account, we may collect more detailed Personal Information such as your employment details or your income. Please see our Cardmember Privacy Statement for more detail on the Personal Information collected for a card application. The information collected under our Cardmember Privacy Statement explains how we use your Personal Information to provide cards and for related services.
Please note that we may also collect special categories of Personal Information (such as information regarding health or biometric data). For example, we may collect biometric data for the purpose of identity authentication, or we may collect health data for certain insurance products. We’ll use this information only as permitted or required by law, or where provided by you with your explicit consent.
Cookies and similar technologies
We also collect Personal Information through cookies and similar technologies when you use our online services or access our content online. A cookie is a small data file that a website transfers to your computer.
We place cookies when you visit our website or another company’s website where our ads appear or when you make purchases, request or personalise information, or register for certain services. We use “essential cookies” for the running of our website. These cookies cannot be turned off, because our website would not work without them. We also would like to set other cookies to provide you with additional functionality, track the performance of our website to optimise your experience, and to provide you with marketing. We will only set these cookies with your consent. This includes sharing information with third parties to serve you ads on other websites. If you consent to these cookies used on our website by either clicking the “Accept All” button or customizing your preferences, websites that are “powered by” another company on our behalf, or websites where our ads appear, give us access to information about your interests. We use that information to personalise your experience.
Similar technologies include clear GIFs, web beacons, and pixel tags, which tend to be transparent images on websites. Our cookies and similar technologies collect information about your device, operating system and web browser. They also collect information about your use of the device, as described in more detail below.
Most cookies and similar technologies will only collect de-identified information such as how you arrive at our website or your general location. However, certain cookies and similar technologies do collect Personal Information. For example, if you click “remember me” when you log in to our website, a cookie will store your username.
Cookies and similar technologies may collect Personal Information that includes:
- the device(s) you use (for example, the operating system or type of device you use to open electronic communications from American Express);
- information related to your IP address, such as your domain information, internet provider and general geographic location;
- how you use our websites and apps, such as what you search for on our websites and apps, the pages you view, how long you stay and how often you visit them;
- how you search for our websites or apps, which website or app you came from, and which of our business or commercial partners’ websites you visit;
- which ads or online content from us and our business or commercial partners you view, access or click on;
- whether you open our electronic communications, which sections you click, or how often you open them.
If you use your mobile device to access our products or services, we may collect information related to that device, such as your location to provide location-based content you request.
For more information about cookies and similar technologies, please refer to our policy “About Cookies and Similar Technologies”.
Other Sources of Information
We may obtain Personal Information about you from other sources and combine it with information we collect under this Statement. For example, we may obtain information about other American Express products and services you use, in accordance with those privacy notices. In accordance with your Cardmember Privacy Statement, we may collect information from your paper application form and your card transactions. We may also obtain Personal Information from publicly available records or databases or third-party sources, such as credit bureaus or business and commercial partners.
We use Personal Information about you either on its own or combined with other information. We need a “lawful reason” under data protection laws to process your Personal Information. The lawful reasons are as follows: (i) where it is necessary to administer our contractual relationship with you; (ii) for our own legitimate interests to provide you with better products and services (such as to reduce fraud); (iii) where we have obtained your consent, such as for certain marketing purposes; or (iv) for compliance with laws. Please note that we consider and balance any potential impact on you and your rights before processing your Personal Information for our legitimate interest.
(i) More specifically, to administer our contractual relationship with you and deliver products and services, including, for instance, to:
- process your applications for our products, including making decisions about whether to approve your application;
- process and complete transactions;
- manage your accounts;
- update you about new features and benefits attached to the products or services that you requested;
- provide location-based services you may request;
- better communicate with you;
- provide you with open banking services (see the Open banking section for more information).
(ii) For our legitimate interests or for the legitimate interests of others, we may use Personal Information about you to:
- conduct research and analysis to better understand our online visitors, customers and our business, including to:
  - request feedback or reviews about our products and services and those of our commercial and business partners;
  - determine the effectiveness of our advertising and marketing campaigns;
  - improve our websites or apps and make them easier to use;
  - place you in groups with similar customers to deliver products or services which may be more suitable for you or suit your preferences;
  - present tailored offers within your online cardmember account (where relevant);
- manage our business risks, such as fraud, credit and security risks, including to:
  - detect and prevent fraud or criminal activity and safeguard your accounts, including by using the location and other technical attributes of your mobile device or browser;
  - review and approve individual transactions you make through digital channels;
  - develop and refine our risk management policies, models and procedures for applications and customer accounts;
  - inform our collection practices and share Personal Information with credit reference agencies and fraud-management agencies (for more information, see the Credit Reference Agency Information Notice (CRAIN) at www.transunion.co.uk/crain, www.equifax.co.uk/crain and www.experian.co.uk/crain).
- advertise and market our products and services and those of our business and commercial partners, which we think you will be interested in based on your relationship with us (by email, SMS or telephone (for example - if you call us)), if you are an existing or potential customer, including to present content that is tailored to your interests, including targeted advertising across multiple devices (see the Digital Advertising section for more information). We would do this only where the law allows for this on the basis of legitimate interests and, where relevant, an opt-out.
(iii) With your consent (note you will always know when we are relying on your consent to use your personal data as we will ask you for opt-in permission first), to:
- promote our products and services;
- send you ads, promotions, and offers about products and services for companies within the American Express group and those of our business and commercial partners;
- make predictions about you to deliver more personalized services and marketing specific products or services to you;
- recognise you when you return to our websites, receive our emails, or use our apps including across multiple devices (for example, to send you tailored ads, promotions, offers or content, including targeted advertising). Please refer to the “Cookies and Similar Technologies” section above for more information.
(iv) To comply with applicable laws and regulation around the world, we may use Personal Information about you:
- to establish, exercise, or defend legal rights or claims and assist in dispute resolution;
- for reasons of substantial public interest (including for instance the use of your biometric information such as your ID voice print) for security verification and fraud prevention purposes;
- as required or permitted by law (such as performing due diligence on you before approving your application).
Open banking
We may use your Personal Information to provide our open banking services. Those services include:
- providing you with consolidated information on one or more payment account(s) that you hold with one or more bank(s) or payment institution(s); or
- contacting your bank to perform a credit transfer to a merchant, for example, when you use our Pay With Bank Transfer service (which allows you, for instance, to pay for any purchase made on a participating website directly from your bank account, with your money being sent directly to the merchant's bank account).
In this context, we will process your Personal Information to provide you with the regulated open banking services or as otherwise described in this “Use of Personal Information” section.
Automated decision making
We may use fully automated processes to help us make certain decisions, including to evaluate certain attributes about you to provide our services. For example, we may use such processes to:
- assess security risks, detect and manage fraud;
- process card applications; or
- assess credit risks, including to check if you meet our eligibility criteria and decide whether we can issue you a card.
This is known as “automated decision making”. These decisions are based on Personal Information that we lawfully obtain, such as Personal Information that you provided in your application form (including your reported income), your payment history with American Express, and Personal Information we obtain from third parties, such as credit bureaus. We also look at digital data (such as information about your device, browser, or patterns in your online interactions with American Express) to help us detect fraud. These methods are regularly tested to ensure that they remain fair, effective and unbiased.
Some of those decisions that are made solely by automated means have legal effects or similar effects, such as the denial or approval of credit or card applications. However, we will only perform such processing if it’s:
- necessary for entering into or performing a contract between you and American Express;
- authorized by a law to which American Express is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
- based on your explicit consent to such processing.
Where we use automated decision making for entering into or performing a contract with you, or based on your consent, you have the right to contest the decision made and request human intervention. Please see the section “Your Rights” for more information about your rights related to automated decision making.
Digital Advertising
We advertise through our websites and apps, as well as third-party platforms. We may use Personal Information about you to display online marketing content tailored to your interests or general geographic location, across multiple devices you use. Here are some ways this works.
- We engage in targeted advertising, which involves the use of Personal Information, your email address and other information collected through cookies and similar technologies, regarding your browsing behaviour on our website. When needed we ask for your consent to market to you based on information collected through cookies and similar technologies.
- We also use Personal Information about you to present advertising content or participate in targeted advertising campaigns on social media platforms. If you follow our social media pages or “like” our content on these platforms, we may use Personal Information about you to improve what and how we serve content to you on social media.
Keep in mind, we don’t own these websites and apps, and we are required to use Personal Information about you only in ways that are consistent with the privacy policies and terms & conditions of these platforms.
You can choose how we market to you, as specified in the “Your Choices” section below.
In some circumstances, we may disclose Personal Information about you, including with:
- service providers, who perform services for us, such as printing, mail, advertising, marketing, etc. We require all of our service providers to protect Personal Information according to our standards and use it only for the purposes we allow;
- regulatory authorities, courts, governmental agencies and fraud prevention agencies, in order to comply with legal or regulatory requirements, assist in legal or regulatory investigations, and protect the rights of American Express or others;
- credit reference agencies and similar institutions to report or inquire about your financial circumstances, and to report or collect debts you owe;
- companies or other lines of products and services within the American Express group;
- business or commercial partners such as other financial institutions, loyalty programs, travel partners, and certain advertising partners with whom we offer or develop products and services;
- third parties for the provision of open banking and related services upon your request, for example where you seek to connect your account information to another platform or to initiate payments from other accounts;
- necessary parties involved in the sale of all or part of a company in the American Express group, or its assets;
- other relevant third parties, as required or permitted by law or with your consent.
Please see our Cardmember Privacy Statement for further details of third parties we may share your Personal Information with where you are also a cardmember.
Cross-Border Transfers of Personal Information.
Where necessary, and unless prohibited by applicable law, we’ll transfer your Personal Information to other countries and regulatory authorities in other countries to provide you with our products or services. Some of these jurisdictions may not provide the same level of protection for Personal Information as provided in the United Kingdom. Some countries will have different data protection laws. This includes transfers to countries outside of the United Kingdom such as to the United States (where our main operational data centres are located).
Keep in mind, no matter where we process Personal Information about you, we’ll always protect it in the manner described in our privacy notices and in accordance with applicable laws. For example, when we share Personal Information with other companies within the American Express group that are outside the United Kingdom, we ensure an adequate level of protection through our Binding Corporate Rules. These are available within the American Express Privacy Centre on our website. When we share Personal Information with other third parties outside the United Kingdom, in certain countries, who are not part of the American Express group, we include appropriate contractual protections in those agreements. You can request further information on where to find a copy of the other appropriate safeguards in place by contacting our Data Protection Officer. In addition, we assess whether other technical and organizational measures are required for those transfers, i.e. those which are to third parties other than public authorities and regulators and which do require appropriate contractual protection.
We sometimes process Personal Information so that it no longer identifies any individual. Once processed, this is referred to as aggregated and anonymized information. We process Personal Information to aggregate and anonymize it to:
- analyze patterns among groups of people, such as cardmembers and online users;
- create business insights or statistical research reports;
- improve our advertising and our business.
We sometimes share aggregated and anonymized information with third parties, for many of the same reasons mentioned above.
We use administrative, organizational, technical and physical security measures to protect the confidentiality, integrity, and availability of Personal Information. Here’s what you should know:
- these measures include technological safeguards and appropriate access controls to data and facilities;
- we require service providers to safeguard Personal Information and only use it for the purposes we specify;
- we take reasonable steps to securely destroy or de-identify Personal Information when we no longer need it.
We keep Personal Information for only as long as necessary to provide you with products or services - unless we’re required or permitted to keep it for longer by law, regulation, or for litigation or regulatory investigations.
When your Personal Information is no longer necessary for legal or regulatory needs, to administer your account or to deliver the products and services you have requested, we will securely destroy such information or permanently de-identify it. For more information about our data retention practices, you can contact us; please see the “Contacting Us” section.
In certain instances, you have the right to access, update, restrict, object to, and erase your Personal Information. You are also entitled to exercise your right to data portability and/or to remove your consent. More specifically, you have the right to:
- request details on the Personal Information we have about you (often referred to as a “data subject access request” or “DSAR”);
- in certain circumstances, erase, restrict and/or object to the use of the Personal Information;
- request a manual review of certain automated processing activities that may impact your legal or contractual rights or that may have a similarly legal effect;
- receive your Personal Information in a structured, commonly used and machine-readable format and/or transmit such data to another data controller;
- withdraw the consent you have given for the processing of Personal Information at any time.
If you want to exercise any of your rights click here.
If you have any questions about how we process your Personal Information, please contact us.
If we receive a request from you, we’ll do our best to resolve it as soon as possible and no later than one calendar month except as follows.
If, due to the nature or circumstances of your request, we can’t meet that deadline, we may extend it by up to a further two months (complex requests). In such case, we will send you an email or letter explaining the cause of the delay. Please note that your request will be free of charge, except in certain circumstances if it incurs additional cost to our company such as when it’s unfounded or excessive, i.e. when the law allows us to charge a fee (we’ll explain this at the time before processing the request if this is the case).
You can also contact the United Kingdom Data Protection Authority directly. For further details, please visit the Information Commissioner’s Office website. You also have the option to take your case to the court where you live, work or where there may have been an infringement.
You have the power to make choices about how American Express collects and uses Personal Information about you for marketing and advertising purposes. See above section for our lawful reasons which justify using your information to send you marketing communications. The lawful reasons for sending direct marketing communications to you will differ depending on a number of factors, including the marketing channel used (e.g. SMS, email, telephone), whether we have an existing relationship with you and that includes if you are an individual customer, or if you are a business customer.
We work with a range of advertising partners including ad networks, ad servers, and social media platforms to present our ads online. Your choices may vary depending on whether we’re serving you ads through websites, email, apps or social media.
Choices About the Personal Information We Collect
- If you don’t want us to collect Personal Information about you through cookies for marketing and advertising purposes, you can decline cookies in the banner that appears the first time you visit our site by clicking on “Set Cookie Preferences” or through your browser settings as explained in the policy “About Cookies and Similar Technologies”.
- If you delete cookies, buy a new device, access websites from a different device, or change browsers, you’ll need to opt-out again.
- If you opt out of cookies, we’ll still show you advertising related to our products or services, but it won’t be based on Personal Information about you.
- You can adjust how we collect Personal Information about you through your mobile device settings; for example, you can turn off location-based services and device ad tracking.
Choices about Marketing Communications
- If you don’t want to receive direct marketing communications from us, you can opt out through:
  - Email: Click unsubscribe on the bottom of an e-mail and follow the instructions or go to https://global.americanexpress.com/privacy/uk/#/ipp
  - Your account online: Log in to your account and click on account management / alerts and preferences / manage your preferences.
  - Phone: Register for the National Do Not Call List at https://www.tpsonline.org.uk/tps/number_type.html
Keep in mind, even if you opt out of direct marketing, we’ll still communicate with you in order to service your account, fulfil your requests, or administer any promotion or program you’ve opted to be part of. These communications, which are necessary for us to inform you about the service you expect to receive from us, are not considered direct marketing but are rather qualified as service messages. For example, they can be used to inform you of a benefit on your account.
How to Access Your Customer Choices
If you are a customer, you can make choices about how we communicate with you. To update your communication preferences, you can:
- Log in to your account and click on account management > alerts and preferences > manage your preferences to update your marketing and data sharing choices.
- Call 0800 917 8054 or the number on the back of your Card
Merchants
- Log in to your account at americanexpress.com/merchant and visit your settings to update your marketing communications preferences.
- Call 0800 032 7216 or visit our contact page here.
If you have any questions about this Statement, feel free to get in touch at the number on the back of your card or visit the “Contact Us” page on our website. You may also contact our DPO at amexukdpo@aexp.com. You may also write to American Express Services Europe Limited, Dept. 2007, Upper Ground Floor, 1 John Street, Brighton, East Sussex, BN88 1NH.
If you are a customer, you can update your Personal Information by logging into your account online or in your Amex® App anytime. We’re here for you 24/7.
You also have the right to lodge a complaint with the local Supervisory Authority, which in the UK is the Information Commissioner’s Office (“ICO”). You can contact the ICO directly at www.ico.org.uk. If your request is not resolved to your satisfaction, you may also take your case to the court where you live, work or where there may have been an infringement.
We may change this Statement when necessary. Depending on what we change (for example if it is a material change), we may let you know in advance either by contacting you in writing (to ask you to read the updated version) or by updating the “Effective Date” at the top of this page, or by making it clear when you visit our website, americanexpress.co.uk, that it’s been updated. Any changes to this Statement will become effective immediately when posted.