Throughout this Online Privacy Statement “American Express” refers to American Express Services Europe Ltd., American Express Payment Services Limited and American Express Europe LLC (also referred to as “we”, “us” or “our”). For our contact details and those of our Data Protection Officer please see the “Query or Complaint” section below.
This Online Privacy Statement explains how, as a data controller, American Express uses Personal Data collected online via our websites and mobile applications as well as services where we rely on third parties such as social media providers and Business Partners (described below), or when you interact or communicate with us (for example via the telephone). Please note that although this Online Privacy Statement describes the different processing activities that we carry out, it does not mean that your Personal Data is used for all these activities.
Scope of this Privacy Statement
This Online Privacy Statement does not relate to the Personal Data collected or used via our products or services, but it rather only applies when we collect information about you online and when you communicate with us as described above. This Online Privacy Statement will be supplemented by additional privacy statements relating to our specific products or services. We ask therefore that you also take time to consider the privacy statements applicable to each of American Express' products and services that you use.
If you’re ever unsure about which privacy statement applies to a particular activity, remember that the specific product or service privacy statement will take precedence over this Online Privacy Statement and will apply to the extent the activity relates to the processing of Personal Data related to your product or service.
In other words, the specific product or service privacy statement governs the general use of your Personal Data in connection with such product or service by American Express, while the Online Privacy Statement supplements our use of your Personal Data in connection with your use of digital services related to your American Express products and services and your communications with us.
This Online Privacy Statement does not apply to your use of any third-party services or sites, such as social media sites, that have terms and conditions or statements that explain how they handle your information. Please take a few moments to review the terms and conditions or statements of any other services you use.
Changes to this privacy statement
From time to time, we may change our Online Privacy Statement. If it’s a material change, we will need to tell you about it. We’ll either do that by contacting you in writing (to ask you to read the updated version – for example by mail or e-mail), by making it clear on your monthly statement, or by letting you know that it has been updated when you visit our website, www.americanexpress.com/en-gb/.
This version was last updated on the date set out above.
This privacy statement is provided in a layered format, so if you’re accessing the privacy statement online, you can click through to the specific areas set out below:
>Personal Data Collected
>Cookies and similar technologies
>Use of Personal Data
>Sensitive Personal Data
>Open Banking
>Automated Decision Making
>Digital Advertising
>Personal Data Sharing
>International Transfer of Personal Data
>Security
>Retention of Personal Data
>Accuracy of your Personal Data
>Your Rights
>Marketing Choices
>Query or Complaint
Personal Data is any information relating to you as an identified or identifiable natural person, such as your name, addresses, telephone number, email address, IP address, and other information specific to your online behaviour. If you do not provide us with Personal Data that we tell you is mandatory (for example, if we need to collect Personal Data by law or if it is necessary to enter into a contract with you), we may not be able to provide you with our products and services. We will notify you if this is the case at the time.
We collect and process various categories of Personal Data about you, depending on the type of online interaction you have with us (for example, when you merely browse through our website without purchasing any of our products or services, or if you access your online cardmember account or your Amex® app) and beyond such an interaction, subject to appropriate retention periods as further explained below. Personal Data may include:
your personal details, including name and address, date of birth, contact details;
digital data originating from your online behaviour, such as your social media interactions;
IP address or whether you have previously visited us online (please see the "Cookies and similar technologies" section);
information about your device, operating system and web browser;
information about your online preferences set through the configuration you choose regarding cookies and similar technologies (please see the "Cookies and similar technologies" section);
information about your financial and credit history, including proof of income, employment details, outgoings and credit and borrowing history when you apply for an American Express product or service (some of this information is also collected on a regular basis when your account is active);
biometric data used for identification purposes (where applicable);
criminal data for collating evidence and investigating a suspected crime;
health data including for certain insurance products.
We collect Personal Data directly from you, through the following means:
from your online browsing through American Express' websites and mobile applications;
from your online application form;
from your access to our online account services;
when you book or purchase products or services on our websites;
through the way you communicate with us and use your online account to manage your American Express products or services;
any online research, surveys or competitions you enter or respond to or any marketing offers for which you register; and
from other information you directly provide to us.
We also collect your Personal Data from different sources, such as:
Business Partners. These are third parties with whom we conduct business or have a contractual relationship, such as:
technology companies that help us deliver to our customers exceptional digital experiences (e.g. tokenization technology used to protect sensitive data),
co-brand, distribution or rewards partners or merchants that accept American Express cards as payment for the goods or services they offer, if you have consented to them sharing your information with us for marketing purposes;
service providers such as media monitoring or online reputation management companies.
Open banking providers. Information we receive from open banking providers you (or a third party properly authorised on your behalf) have authorised. Open banking providers provide payment-initiation or account-information services. You may also authorise open banking providers to collect account information from your bank, which is subsequently shared with American Express for the purpose of completing our underwriting verifications to issue you with a card or approve a service request.
Credit and Fraud Prevention Agencies. Information we receive from Credit and Fraud Prevention Agencies (for example, for the purpose of completing our underwriting verifications to approve a service request).
We sometimes process Personal Data so that it no longer identifies any individual. Once processed in this manner, it will no longer constitute Personal Data and will be aggregated and anonymized information. We process Personal Data to aggregate and anonymize it to:
analyse patterns among groups of people (for example, cardmembers, merchants and online users);
create business insights or statistical research reports; and/or
improve our advertising and our business.
We sometimes share aggregated and anonymized information with Business Partners or other trusted third parties, for many of the same reasons mentioned above.
We collect your Personal Data through cookies and similar technologies (for example, GIFs, web beacons, pixel tags) when you use our online services or access our content online. A cookie is a small data file that a website or application transfers to your technological device used to access such a website or application (for example, computer, smartphone, tablet).
We place cookies on your devices when you visit our websites or another company’s website where our ads appear or when you make purchases, request or personalise information, or register for certain services. The Personal Data we may collect through cookies and similar technologies relate, among other things, to: the device(s) you use, your IP address, how you use our websites and applications (for example, what you search for, the pages you view, how long you stay), which ads or online content from us and our business or commercial partners you view.
We use your Personal Data either on its own or combined with other information as described in the above sections (for example, when you access your online account associated with your American Express card, where applicable). We need a “lawful reason” under data protection laws to process your Personal Data, which are as follows: (i) where it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract with you; (ii) where necessary for our legitimate interests, such as to prevent fraud and/or enhance our products or services; (iii) where we have obtained your consent, such as for marketing purposes when you opt-in to receive marketing from us; or (iv) for compliance with legal obligations and where we are required by law to process your Personal Data.
The table below sets out what we use your Personal Data for and our legal basis for doing so. Please note that we consider and balance the potential impact on you and your rights before processing your Personal Data for our legitimate interests. The legitimate interest relied upon is also set out in the table below.
Please note that we may process your Personal Data for more than one legal basis depending on the specific purpose for which we are using your Personal Data. Please contact us if you need details about the specific legal basis we are relying upon to process your Personal Data where more than one basis has been set out in the table below.
| What we use your information for | The legal basis for using your Personal Data |
| --- | --- |
| To process online applications for our products, including making decisions about whether to approve or pre-approve your application or give you a likelihood of approval, which sometimes are automated and involve profiling. See the "Automated Decision Making" section of this Online Privacy Statement. | Where necessary to perform our contract with you or to take steps to enter into a contract with you, related to our products or services |
| To maintain records of rejected applications for our products and services for audit, analysis, quality control and reporting purposes. | To comply with our legal obligations (if applicable); It is in our legitimate interests to ensure we manage and protect our business and interests and check the quality of our internal processes. |
| To comply with our regulatory obligations when reviewing your online application (such as performing due diligence on our merchants before approving their application to become an Amex Merchant). This sometimes involves automated decision making and profiling. See the "Automated Decision Making" section of this Online Privacy Statement. | Where required to comply with our legal obligations including with respect to anti-money laundering and any other laws and regulations relevant to and for payment institutions; It is in our legitimate interests to perform due diligence to ensure our interests (as a business) are appropriately protected. |
| To administer and manage any online account and provide any online services to you, such as whether to process, approve and complete individual transactions or services through the apps. | Where necessary to perform our contract with you or to take steps to enter into a contract with you, related to our products or services; It is in our legitimate interests to ensure you are provided with a high standard of customer care and service |
| To provide you with the location-based services you requested (if any). | Where necessary to perform our contract with you or to take steps to enter into a contract with you, related to our products or services (for example, to help you find Amex-accepting merchants near you); It is in our legitimate interests to manage our business risks, such as operational and security risks and to detect, prevent and investigate fraud; We have your consent to do so (for example, where we use optional cookies). |
| To communicate with you through email, SMS or any other electronic methods, about your online accounts, products, and services for legal, regulatory or servicing purposes (such as updating you about features attached to your existing products or services). | Where necessary to perform our contract with you or to take steps to enter into a contract with you, related to our products or services; To comply with our legal obligations including with respect to payment services and consumer protection and other complementary laws and other consumer regulations relevant for payment institutions; It is in our legitimate interests to ensure we provide you with information you need to know about your existing products and services |
| To provide a more appropriate service and/or protect your best interests by making reasonable adjustments, such as sending or providing you with information in an appropriate format (for example, if you have a visual disability), and to improve our websites and apps and make them more user-friendly. | It is in our legitimate interests to improve your customer experience and ensure our service meets and is appropriate for your needs; To comply with our legal obligations, including with respect to equality and accessibility and other complementary laws relating for example to equal treatment and protection against discrimination as well as other equality and accessibility regulations. |
| When interacting with some of our Business Partners available in your American Express benefits programme online, to connect you to your rewards account or benefits (if applicable) and, depending on your product, enable you to use rewards points to pay for products or services with a Business Partner. | Where necessary to perform our contract with you or to take steps to enter into a contract with you, related to our products or services; It is in our legitimate interests to improve your customer experience, to promote the use of the benefits we offer to you and to facilitate the use of your card benefits, with our Business Partners (as applicable) |
| To carry out checks for the purpose of keeping your online account and Personal Data secure, detecting and preventing fraud or criminal activity (including the review and approval of individual transactions) and to check your identity before providing services to you (including through “know your customer” screening and monitoring). This may include using the location and other technical features of your mobile device or browser. | To comply with our legal obligations including with respect to anti-money laundering and strong customer authentication, and any other laws and regulations relevant to and for payment institutions; It is in our legitimate interests to manage our business risks, such as operational and security risks and to detect, prevent and investigate fraud; We have your consent to do so (for example, where use of your biometric data is optional). |
| To answer questions submitted to us by you, respond to your requests (customer service) and manage and deal with any complaints you may have. | Where necessary to perform our contract with you or to take steps to enter into a contract with you, related to our products or services; It is in our legitimate interests to make sure complaints are investigated and you are provided with a high level of service; To comply with our legal obligations including with respect to consumer protection and other complementary laws and other consumer regulations |
| When you apply for a product or enter into a contract with us, including any guarantee, we may process consumer credit account data and credit performance data across all American Express financial products for which you are a signatory. This will allow us to protect our business interests, prevent over-commitment, support debt recovery and debtor tracing, with the aim of promoting responsible lending and/or exercise other rights we have under any contract(s) with you. | Where necessary to perform our contract with you (including any guarantee) or to take steps to enter into a contract with you; It is in our legitimate interests to ensure we manage and protect our business, including recovering any debts owed to us |
| To manage mergers, acquisitions, sales of business assets and, generally, the management of extraordinary corporate operations. | It is in our legitimate interests to manage our corporate operations. |
| To establish, exercise, or defend legal rights or claims and assist in dispute resolution. | It is in our legitimate interests to ensure we manage and protect our business and interests |
| To analyse our customers' needs, preferences and behaviours and create customer profiles according to such needs, preferences and behaviours in order to develop and improve our products and services and assess and analyse whether our ads, promotions and offers are effective. Profiles may be created in relation to a specific customer's needs, preferences and behaviours (individual customer profile), or in relation to the similar needs, preferences and behaviours of a group of customers (group customer profiles). Our profiling activities are performed through data analytics methods based on your customer behaviour and transactions. | It is in our legitimate interests to improve our products and services (for example, to make sure our products and services remain competitive and relevant for our customers) |
| To check we have carried out your instructions correctly, to develop and improve our services and for compliance, training and quality purposes (for example, we may monitor, record and transcribe any communications between you and us, including phone calls, for these purposes). | It is in our legitimate interests to improve our products and services and ensure we provide you with a consistently high standard of customer service; Compliance with our legal obligation (where applicable). |
| To provide you with open banking services (for more information, please see the “Open Banking” section). | Where necessary to perform our contract with you or to take steps to enter into a contract with you, related to our products or services; To comply with our legal obligations including with respect to payment services and strong customer authentication and any other laws and regulations relevant to and for payment institutions |
| For the purpose of conducting testing (to ensure security and when we update our systems), website administration, information technology system support and development and to safeguard the security of your Personal Data. | It is in our legitimate interests to manage our business risks, such as compliance, regulatory, operational and security risks |
| To develop and refine our risk management policies, models and procedures for online applications and online customer accounts, relying upon information in your application | It is in our legitimate interests to manage our business risk, including credit, regulatory and fraud risks |
| To conduct research and analytics, including allowing you to give feedback by rating and reviewing our products and services and those of our Business Partners and to produce data analytics, statistical research and reports on an aggregated basis (i.e., metrics on participation in marketing campaigns or product subscription). | It is in our legitimate interest to conduct research and analytics, to improve and develop our business and the services and products we offer to customers as well as assist our Business Partners to do the same. For more information, see the “Personal Data Sharing” section of this Online Privacy Statement; Your consent to install cookies and similar technologies and to serve you tailored advertising or for direct marketing. |
| To anonymize Personal Data and produce aggregated and anonymized information that will be shared with Business Partners or other trusted third parties to analyze patterns among groups of people, such as cardmembers or merchants, create business insights or statistical research reports, and/or improve our advertising and our business and that of our Business Partners. | It is in our legitimate interest to conduct research and analytics, to improve and develop our business and the services and products we offer to customers as well as assist our Business Partners to do the same. |
| To respond to queries from regulators, law enforcement and other authorities and/or to cooperate with them. | To comply with our legal obligations pursuant to any laws that mandate us to cooperate with regulators, law enforcement and any other authorities; It is in our legitimate interests to support and/or cooperate with regulators, law enforcement and other authorities in the detection and prevention of fraud and crime, particularly where it impacts our customers |
| To market products and services which we think you will be interested in based on your relationship with us (by email, SMS or other electronic means) | It is in our legitimate interests to market products and services which we think you will be interested in, based on your relationship with us, and related to products or services similar to those for which you previously contracted with us; Your consent when we provide you with varied offers of our products and services, not only related to products or services similar to those previously contracted by you from us. |
| To advertise, market and send you promotions and offers about products and services for or from the American Express Group (i.e., any affiliate, subsidiary, joint venture, and any company owned or controlled by our parent company) and our Business Partners, including to present content that is personalised and tailored to your preferences and interests, including targeted advertising across multiple devices or showing you offers in your Manage Your Card Account (MYCA) environment. | Your consent when we provide you with varied offers of our products and services, not only related to products or services similar to those previously contracted by you from us. |
| To engage with influencers, to review influencers’ profiles and ensure our values are aligned. | It is in our legitimate interest to ensure that our values are aligned and evaluate potential partnership opportunities. |
| We may collect and process publicly available information and/or information you publicly post on social media platforms to identify and respond to (i) brand and reputation damage; (ii) security threats and fraud attempts; (iii) customer account servicing related issues; and (iv) litigation actions. | It is in our legitimate interest to identify threats to our brand, products and services and respond appropriately. |
| To install Cookies and similar technologies on your devices (for example, computer, smartphone, tablet) used to access such a website or application, whether from us or from third parties. This allows us to recognize you when you return to our websites, receive emails from us, or use our applications, including across multiple devices. This also allows us to create profiles in relation to a specific customer's needs, preferences and behaviours (individual customer profile), or in relation to the similar needs, preferences and behaviours of a group of customers (group customer profiles) to serve you tailored advertising. Our profiling activities are performed through data analytics methods based on your customer behaviour and transactions. You may object to us performing the said profiling activities in the terms explained in the "Your Rights" section of this Online Privacy Statement. For more information, please see the "Digital Advertising" section of this Online Privacy Statement and our “About Cookies & Similar Technologies” policy. | Your consent to install Cookies and similar technologies and to serve you tailored advertising. |
Some of the Personal Data we collect is more sensitive in nature (also known as special categories of Personal Data). We will always collect this data in accordance with applicable laws. The below table explains what we use your sensitive Personal Data for and the legal basis for doing so.
| What we use your Sensitive Personal Data for | The legal basis for doing so and the relevant condition allowing the processing |
| --- | --- |
| Biometric data for the purpose of identifying you, for security verification and to detect and prevent fraud (where applicable). | Your explicit consent - we have your permission for any optional use of biometrics (for example, to identify you by face recognition) |
| To support you in vulnerable circumstances, which may result in financial and administrative challenges (such as a serious illness or losing your job), we may add an indicator to your account to identify that you may need additional support from us. For example, if you tell us that you have lost your job, we may be able to help with the management of your payments. | We have your permission to do so; It is in our legitimate interests to improve our products and services and ensure we provide you with a consistently high standard of customer service and meet our legal and regulatory obligations; Where we use information such as medical information or other sensitive data (Special Category Data) we have your permission to do so, or it is in the public interest to ensure your economic wellbeing |
| To comply with relevant laws and regulations and to cooperate with regulators, law enforcement and any other authorities (e.g., processing criminal data for the purpose of complying with a court order or subpoena). | To comply with our legal obligations that mandate us to cooperate with regulators, law enforcement and any other authorities; Establishment, exercise or defence of legal claims |
| Criminal data for the purpose of collating evidence and investigating a suspected crime to establish, exercise or defend Amex’s legal rights. | Where necessary to establish, exercise or defend legal rights |
| We may collect and process sensitive personal data (such as political opinions) that you have made public online (such as public social media posts) for brand engagement and to identify and respond to potential brand and reputation damage. | It is in our legitimate interest to identify threats to our brand, products and services and respond appropriately; The processing relates to personal data which are manifestly made public by you. |
| Health data to provide you with certain services and products (such as considering your dietary requirements for hospitality venues; when you provide information related to your health when purchasing insurance products); or to protect your vital interests (for example, when we need your Personal Data for emergency medical care). | Where necessary to perform our contract with you or to take steps to enter into a contract with you, related to our products or services; Where necessary to protect your vital interests; Your explicit consent |
When you use open banking services (when available), we process your Personal Data to enable activities such as:
our online American Express application processes or for the management of your account, for business or credit services, for affordability assessment and prevention of fraud purposes; or
(where applicable) serving a request made on your behalf by (i) an account information service provider, when they provide you with consolidated information on the payment account(s) that you hold with one or more bank(s) or payment institution(s) or (ii) a payment initiation services provider, when they initiate a payment to pay a merchant on your behalf.
In this context, we will process your Personal Data for the above purposes as described in the “Use of Personal Data” section of this Online Privacy Statement.
We use fully automated processes to help us make certain decisions about you, including to evaluate certain attributes about you to provide our services. This may also involve profiling (for example, credit and risk fraud profiles). What this means is that we will use software and/or artificial intelligence to automatically evaluate your personal circumstances to identify or predict risks or certain outcomes. For example, we use automated processes to make decisions about you in relation to the following:
to detect, monitor and manage fraud;
to process online American Express applications (such as determining whether to approve or decline your application for a product or service);
to assess credit risks, including to check if you meet our eligibility criteria and decide whether we can issue you an American Express service or product, or to assess if we need to take any responsible lending action in relation to your account (for example, to decrease your credit line).
This is known as “automated decision-making”. Some of those decisions are made solely by automated means and have legal effects or similar effects, which we explain further below. However, we will only perform such processing if it is:
- necessary for entering into or performing a contract between you and American Express. For example, we may decide that some of our products and/or services may not be suitable for you, based on your credit history and if you do not meet our eligibility criteria;
- authorized by a law to which American Express is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests (for example, to prevent fraud); or
- based on your explicit consent to such processing.
How we make decisions with automated processes
Application processes
We take several factors into account in determining whether to approve or decline an online application for one of our products or services, including information provided on your online application form, your income, and your outgoings. We will use this information to determine the likelihood of you (if approved) defaulting on your account. In order to manage our credit risk exposure, we may decline your application if we consider that there is a high likelihood you may default during this period. If your application is approved, we will also use this information to determine your credit limit.
Fraud
We will assess payments to and from your online account to identify any payments that are unusual. For example, if there is a payment you would not usually make (such as a payment of a significant sum, which is not in accordance with your transaction history), we may take action to stop you from making a payment that is likely to be fraudulent.
We will also assess your spending behaviour and transaction history to identify if you are likely to be a fraud risk (for example, if a sudden change in your spending and repayment behaviour suggests you have no intention of paying any outstanding balances owed to American Express). This may mean that we take steps to mitigate the risk to us, including declining charges you make using your card.
We also review digital information (such as information about your device, your browser, or your online interaction patterns with American Express) to help us detect potential fraud.
Assessing credit risks
As part of managing our relationship with you, we will assess if we need to take any responsible lending actions (for example, to decrease your credit line). We take several factors into account to assess if there is a credit risk, or if you are getting into financial difficulties. This may include assessing the activity on your online account, your payment history (for example, if you’ve missed payments due and payable), information you provided on your online application form (for example, your income) and information we obtain from the Credit Reference Agencies (CRAs). We will use this information to decide whether to take any actions in relation to your American Express product or service to manage any credit risk. This may involve us decreasing your credit line if we reasonably consider that you are likely to default on future payments.
Our automated decision-making methods are regularly tested to ensure that they remain fair, effective and unbiased.
Where we use automated decision making for entering into or performing a contract with you as authorized by law or based on your explicit consent, you have the right to express your point of view, contest the decision made and request human intervention. Please see the section “Your Rights” for more information about your rights related to automated decision making.
We advertise through our websites and applications, and also on third-party platforms, such as websites and applications of our Business Partners and third-party platforms.
We may use your Personal Data to show you online marketing content tailored to your interests or general geographic location, across various devices that you use depending on your Marketing Choices as follows:
We analyse your needs, preferences and behaviours shown within our websites, mobile applications and the content we offer on third-party platforms (such as our electronic communications, social media pages, voice assistant applications, and digital ads) to create individual customer and group customer profiles. Please see the "Use of Personal Data" section for more details.
We serve you personalized ads based on your individual customer and group customer profiles and other information collected through cookies and similar technologies about your browsing behaviour, over time, and across different websites, via email or other electronic means, based on your Marketing Choices. Personalized advertising may extend to our products and services, those of the American Express Group and those of Business Partners. Please see the "Marketing Choices" and the "Cookies and similar technologies" sections for more details.
We also use your Personal Data to present advertising content or engage in personalized advertising campaigns on social media platforms. If you follow our social media pages or "like" our content on those platforms, we may use your Personal Data to improve the content we serve to you on social media and how we deliver it to you.
You can choose if and how we market ourselves to you as specified in the "Marketing Choices" section below.
We will only share your Personal Data with others where it is lawful for us to do so, and for a specific purpose (as set out in the above tables or below), including with:
the Credit Reference Agencies and similar institutions to report or ask about your financial circumstances, and to report debts you owe to us;
police, regulatory authorities, courts, governmental agencies, tax authorities and any other third party (for example, third parties specified in a court order) to comply with legal orders, legal or regulatory requirements, law enforcement requests and/or otherwise in connection with actual or suspected fraud or criminal activities, or investigation of the same, as well as regulatory investigations, and to protect the rights of American Express or others;
collection agencies and external legal counsel to collect debts on your online account;
our Service Providers (including their subcontractors) who perform services for us and help us manage our online services and/or operate our business (i.e., any vendor, third party and/or company that provides services such as printing, mailing, advertising and marketing, among others);
companies or other lines of products and services within the American Express Group. For example, where those companies share your Personal Data processed within the scope of the provision of their products and services with us so that we can combine it with your Personal Data processed within the scope of this Online Privacy Statement;
Business Partners, such as parties that accept American Express branded cards for payments of goods/services purchased by you (i.e., merchants), distribution, travel, rewards and other loyalty partners and certain advertising partners with whom we offer or develop products and services, as well as other financial institutions to provide, deliver, offer, customise or develop products and services to you, and address or resolve claims. We will not share your contact information with Business Partners for them to independently market their own products or services to you without your consent. However, we may show you offers related to Business Partners' products and services. Please note that if you take advantage of an offer provided by a Business Partner and become their customer, they may independently send communications to you. In this case, you will need to review their privacy statement and inform them separately if you wish to decline receiving future communications from them;
providers of insurance products or services that are included in your American Express card or account programme and that may be available to you as a benefit;
any party approved by you, such as third parties for the provision of open banking and related services upon your request, for example where you seek to connect your account information to another platform or to initiate payments from other accounts;
our loyalty partners to connect your membership rewards account (if applicable) and dependent on your product, with any partners available in your benefits programme;
your advisers (such as accountants, lawyers and other professional advisers) who you have authorized to represent you, or any other person you have told us is authorized to give instructions or use the account; or
anyone to whom we lawfully transfer or assign our contractual rights.
We transfer your Personal Data to organisations in other countries and to regulatory authorities in other countries. Some of these jurisdictions may not provide the same level of protection for Personal Data as provided in the United Kingdom (UK). Some countries will have different data protection laws. This includes transfers to countries outside of the UK, such as into the United States where our main operational data centres are located. We undertake these transfers to operate our business, administer your account and to provide our products and services to you.
Keep in mind, no matter where we process your Personal Data, we will always protect it in the manner described in our privacy statements and in accordance with applicable laws. When we transfer your Personal Data to certain countries outside of the UK:
If that country is covered by UK adequacy regulations (please see the list of countries here), we will rely on that decision to undertake our transfer; or
In the case of transfers of Personal Data to a third party in the United States, we may rely on that third party’s certification under the UK Extension to the EU-US Data Privacy Framework (see here) to transfer your Personal Data.
In other cases, we are required to put in place an “appropriate safeguard”. In particular:
When we share Personal Data with other companies within the American Express Group that are outside of the UK, we ensure an adequate level of protection through our UK Binding Corporate Rules, available here. Our Binding Corporate Rules ensure your Personal Data is protected by requiring all of our group participating companies to follow the same rules when processing your Personal Data.
When we share your Personal Data with third parties (or American Express Group non-participating Binding Corporate Rules companies) outside the UK in countries which are not covered by UK adequacy regulations, we include appropriate contractual protections (including the UK Addendum to the European Commission standard contractual clauses) in those agreements. In addition, we assess whether other technical and organizational measures are required for those transfers.
You can receive a copy of such contractual protections by contacting us, see the “Query or Complaint” section below.
We use organisational, administrative, technical and physical security measures to safeguard your Personal Data and to help ensure that your information is processed promptly, accurately and completely. In particular:
these measures include technological safeguards and adequate access controls to data and infrastructure;
we require Service Providers to safeguard your Personal Data and only use your Personal Data for the purposes we specify; and
we take all necessary steps to securely destroy or de-identify personal information, when we no longer need it.
If you simply browse through our websites and applications, we will keep your Personal Data only for as long as we keep cookies installed in your devices. If you have set up an account online within the scope of this Online Privacy Statement, we will keep your Personal Data for as long as your online account is active. Once our relationship with you has ended (for example, your account has closed), we will only keep your Personal Data for a period of time that is appropriate, taking into account the nature and the sensitivity of the data and what we continue to hold it for.
We will only keep Personal Data for specific purposes, including where it allows us to:
comply or evidence compliance with our legal and regulatory requirements (for example, laws relating to money laundering)
defend or take legal action
maintain business records for analysis or audit purposes
keep records of anyone who does not want to receive marketing from us
For example, your Personal Data will be stored by American Express for 7 years after your online account is closed. This is linked to the amount of time available to bring a legal claim. We will keep your Personal Data after this time if your American Express card account is in default and the balance remains unpaid or unsettled, or for legal or regulatory reasons or requirements.
When your Personal Data is no longer necessary for the above purposes, we will securely destroy such information or de-identify it. For more information about our data retention practices, you can contact us – please see the “Query or Complaint” section.
If you are an American Express customer interacting online with us, we encourage you to check regularly that all Personal Data held by us is accurate and up to date. If you believe that any information we hold about you is incorrect or incomplete, you may ask us to correct or remove this information from our records. We recommend that you go to www.americanexpress.com/en-gb/, log in and update your Personal Data. If you prefer, you can contact us – please see the “Query or Complaint” section. Any information which is found to be incorrect or incomplete will be corrected promptly.
You have the right to access, update, restrict, port, erase or object to the processing of your Personal Data. More specifically, you have the right to:
Withdraw your consent for our use of your Personal Data at any time, where our processing is based on your consent. This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Request restriction of the use of your Personal Data in certain cases.
You can ask us to restrict the processing of your Personal Data in the following scenarios:
if you want us to establish the accuracy of the Personal Data;
where our use of the Personal Data is unlawful, but you do not want us to erase it;
where you need us to hold the Personal Data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
you have objected to our use of your Personal Data but we need to verify whether we have overriding legitimate grounds to use it.
In certain cases, request the erasure of your Personal Data.
This enables you to ask us to delete or remove Personal Data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your Personal Data where you have revoked your consent or successfully exercised your right to object to processing and where there is no other legal ground for processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with applicable law. However, please note that we may not always be able to comply with your request for specific reasons set out in the law which will be notified to you, if applicable, at the time of your request.
Request a human review of automated decisions that impact your legal or contractual rights or that may have a similarly significant effect.
In certain circumstances, you have the right to request for an automated decision to be reviewed, to express your point of view and to contest the decision. This right only applies to fully automated decisions, so it won’t apply if there has already been input from us as part of the decision-making process.
Request the transfer of your Personal Data to you or to a third party.
We will provide to you, or (where technically feasible) a third party you have chosen, your Personal Data in a structured, commonly used and machine-readable format. Note that this right only applies to automated information for which you initially provided consent for us to use or where we used the information to perform a contract with you.
Request a copy of your Personal Data we have about you (often referred to as a “data subject access request” or a “DSAR”).
This enables you to receive a copy of the Personal Data we hold about you and to check that we are lawfully processing it.
Subject to applicable law you may establish guidelines regarding your Personal Data for when you become deceased in accordance with applicable law. In this regard, persons expressly designated by deceased data subjects or the public prosecutor in the case of minors or people with disabilities may request to access the Personal Data of the deceased data subject or the rectification of the Personal Data of the deceased data subject.
You can also object to our processing of your Personal Data:
on grounds relating to your particular situation when the applicable legal basis is legitimate interests. In some cases, we may demonstrate that we have compelling legitimate grounds to process your Personal Data, which override your rights and freedoms. If this is the case, we will let you know; and
when your Personal Data is processed for direct marketing purposes.
If we receive a request from you, we will respond as soon as possible but no later than one calendar month except as follows. If, due to the nature or circumstances of your request, we can’t meet that deadline, we may extend it by up to a further two months (for complex requests). In this case, we will send you an email or letter explaining the cause of the delay.
If you want to exercise any of your rights click here. If you have any questions about how we process your Personal Data, you can contact us – please see the “Query or Complaint” section.
You have the discretion to decide how American Express collects and uses Personal Data about you for marketing and advertising purposes.
You have the following choices regarding the Personal Data we collect about you:
Regarding cookies and similar technologies:
If you do not want us to collect Personal Data about you through cookies or similar technologies for advertising and marketing purposes, you can choose to reject the installation of cookies through the banner that appears the first time you visit our websites, by clicking on "Configure Cookie Preferences" or through your browser settings, as explained in our “About cookies and similar technologies” policy.
If you reject cookies, purchase a new device, access websites from another device, or change browsers, you will need to choose the option to accept or reject cookies again.
If you choose to reject cookies, we will continue to show you advertising related to our products or services, but this will not be based on Personal Data about you.
Regarding marketing communications, if you have opted in to receive marketing communications from us but you no longer wish to receive these communications you can:
Click the unsubscribe option at the bottom of an email and follow the instructions, or head here.
Log in to your online account and click on Account Management/Alerts, Communications, Privacy/Contact Preferences.
You can also change the settings for how we collect your Personal Data in your device settings. For example, you can turn off location-based services and ad tracking for devices.
Please remember that even if you have chosen not to accept direct marketing, we will still contact you to service your online account, respond to your requests, or administer any promotions or programs that you have chosen to be a part of. These communications, which are necessary to inform you about the services you expect to receive from us, are not considered direct marketing, but are classified as service messages. For example, they may be used to inform you of a benefit from your online account.
If you are a customer, you can choose how we should communicate with you. To update your communication preferences, you can:
Log in to your online account and click on Account Management/Alerts, Communications, Privacy/Contact Preferences, to update your choices about marketing and data being shared.
If you wish to manage your marketing and communication choices regarding an American Express Establishment (i.e., merchant), you can:
Log in to your online account by going to americanexpress.com/merchant and going into the settings to update your preferences in marketing communications.
If you have questions about this Online Privacy Statement or how your information is handled or wish to make a complaint or exercise your rights, please contact our Data Protection Officer at amexukdpo@aexp.com or by referring to the "Contact Us" page of our website. You may also write to the following address and specify the American Express entity you would like to submit your query to: American Express Services Europe Limited, Dept. 2007, Upper Ground Floor, 1 John Street, Brighton, East Sussex, BN88 1NH.
You also have the right to lodge a complaint with the Information Commissioner's Office directly at ico.org.uk or by telephone at 0303 123 113. If your request is not resolved to your satisfaction, you may also take your case to court.