Privacy Policy

This Privacy Policy explains how Synovus Heritage Bank ("Synovus", "we", "us", or "our") collects, uses, discloses, and protects your personal information when you use our banking services and visit our websites or interact with us in any other way. Synovus Heritage Bank operates in England and is committed to complying with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are Synovus Heritage Bank is a financial institution providing retail, commercial, and digital banking services in England. As a data controller, we determine the purposes and means of processing your personal data.

2. Information We Collect We may collect and process the following categories of personal information:

2.1 Identification and Contact Details

• Full name, title
• Date of birth, nationality
• Home and correspondence addresses
• Email address and telephone numbers
• Identification documents (e.g., passport, driving licence) and ID numbers

2.2 Financial and Transaction Data

• Bank account numbers and sort codes
• Payment card details (stored and processed in accordance with security standards)
• Account balances and transaction histories
• Direct debit and standing order details
• Salary, income, and employment information
• Credit and debit information, including credit scores where applicable

2.3 Regulatory and Compliance Data

• Information required to comply with anti-money laundering (AML), know-your-customer (KYC), and sanctions screening obligations
• Records of suspicious activity reports and due diligence checks

2.4 Technical and Usage Data

• IP address, browser type, device identifiers, operating system
• Information about how you access and use our websites, mobile apps, and online banking services
• Log data, security logs, and diagnostic data

2.5 Communication and Interaction Data

• Records of communications with us (phone calls, emails, online chats, secure messages)
• Feedback, complaints, and queries

2.6 Marketing and Preference Data

• Your marketing and communication preferences
• Responses to surveys, market research, and promotions

3. How We Collect Your Information We collect personal information in several ways:

• Directly from you when you open an account, apply for a product or service, complete forms, communicate with us, or use our branches or online services
• Automatically when you use our websites, mobile apps, ATMs, and other digital platforms
• From third parties, such as credit reference agencies, fraud prevention agencies, public databases, business partners, and other financial institutions (where lawful)
• From publicly available sources, such as company registers and government publications

4. Legal Bases for Processing We process your personal information only when we have a lawful basis to do so. These bases include:

• Performance of a contract: To provide you with banking products and services you have requested, and to fulfil our contractual obligations to you
• Legal obligation: To comply with legal and regulatory requirements, including those related to banking, taxation, AML, fraud prevention, and reporting
• Legitimate interests: To manage our business, improve our services, ensure network and information security, and prevent abuse or misuse of our services, where such interests are not overridden by your rights and interests
• Consent: Where you have given explicit consent for specific processing activities, such as certain types of marketing communications; you may withdraw consent at any time

5. How We Use Your Information We use your personal information for the following purposes:

• To open, manage, and administer your accounts and banking relationships
• To process transactions, payments, transfers, and direct debits
• To provide online and mobile banking, including authentication and account access
• To assess applications for accounts, loans, credit facilities, and other banking products
• To verify your identity and carry out KYC and AML checks
• To monitor accounts for fraud, financial crime, and suspicious activity
• To comply with legal and regulatory obligations and respond to lawful requests from regulatory, tax, or law enforcement authorities
• To manage our relationship with you, including responding to your enquiries, complaints, and service requests
• To provide you with information about changes to our terms, services, or policies
• To improve, develop, and secure our products, services, systems, and websites
• To conduct internal reporting, analytics, and business planning
• To send you marketing communications, subject to your preferences and applicable laws

6. Marketing Communications We may use your contact and preference data to send you information about Synovus Heritage Bank products, services, offers, or events that may be of interest to you.

You can manage your marketing preferences or opt out of marketing at any time by following the instructions in the communications you receive or by contacting us using the details provided in this Privacy Policy. Even if you opt out of marketing, we may still send you non-marketing communications related to your accounts and services (such as statements, service notices, and legal updates).

7. Cookies and Similar Technologies Our websites and online services may use cookies and similar technologies to:

• Enable core site functionality and secure login
• Remember your preferences and improve your experience
• Analyse site usage and performance
• Support security and fraud prevention

Where required by law, we will ask for your consent before storing or accessing non-essential cookies on your device. You can manage your cookie preferences through your browser settings or our cookie management tools. For more details, please refer to our separate Cookie Policy if available.

8. Sharing Your Information We may share your personal information with the following categories of recipients, strictly for legitimate purposes and subject to appropriate safeguards:

• Group entities and affiliates of Synovus Heritage Bank (if applicable) involved in providing services or support
• Service providers and processors who perform services on our behalf (e.g., IT providers, cloud hosting, payment processors, card issuers, customer support providers, identification and verification services)
• Credit reference agencies and fraud prevention agencies
• Other banks, financial institutions, and payment schemes to process transactions and combat fraud
• Professional advisers, such as auditors, lawyers, and consultants
• Regulators, supervisory authorities, tax authorities, and law enforcement agencies when required or permitted by law
• Third parties involved in a corporate transaction, such as a merger, acquisition, or restructuring, subject to confidentiality obligations

We do not sell your personal information.

9. International Transfers Your personal information may be transferred to and processed in countries outside the United Kingdom, including countries that may not provide the same level of data protection as in the UK.

Where we transfer your data outside the UK, we will ensure that appropriate safeguards are in place in accordance with applicable data protection laws, such as:

• Using standard contractual clauses approved by the UK authorities
• Transferring data to countries deemed adequate by the UK government
• Implementing additional technical and organisational protections where necessary

You may contact us for more information about the safeguards we apply to international data transfers.

10. Data Security We use appropriate technical and organisational measures to protect your personal information against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures may include:

• Encryption, pseudonymisation, and secure storage
• Access controls based on roles and least privilege
• Regular monitoring, testing, and auditing of systems
• Staff training on data protection and information security

Despite our efforts, no system can be guaranteed to be completely secure. You are responsible for keeping your login credentials and security information confidential and for notifying us promptly of any suspected unauthorised access to your accounts.

11. Data Retention We retain your personal information only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, regulatory, accounting, or reporting requirements.

Retention periods may vary depending on the type of data and the applicable legal obligations. In general:

• We retain customer and account records for a period required by banking and financial regulations after the end of the relationship
• We retain transaction and financial records for periods required by tax and regulatory law
• We retain marketing data until you withdraw consent or object, or until it is no longer needed

When personal information is no longer required, we will securely delete, anonymise, or otherwise dispose of it.

12. Your Data Protection Rights Subject to certain conditions and exceptions under UK data protection law, you have the following rights:

• Right of access: To obtain confirmation of whether we process your personal data and to receive a copy of that data
• Right to rectification: To have inaccurate or incomplete personal data corrected
• Right to erasure: To request deletion of your personal data in certain circumstances (the "right to be forgotten")
• Right to restriction: To request restriction of processing in certain circumstances
• Right to data portability: To receive personal data you have provided in a structured, commonly used, and machine-readable format and to transmit it to another controller where technically feasible
• Right to object: To object to processing based on our legitimate interests or for direct marketing purposes
• Rights related to automated decision-making and profiling: To request human intervention, express your point of view, and contest certain decisions that are based solely on automated processing and have legal or similarly significant effects on you

To exercise any of these rights, please contact us using the details provided in the "Contact Us" section below. We may need to verify your identity before responding to your request. We aim to respond within the time periods required by law.

13. Children’s Privacy Our services are generally not directed at children under the age at which they can lawfully open and manage bank accounts in England without parental or guardian involvement. Where we process personal data of minors (for example, through youth accounts or savings products), we do so in compliance with applicable laws and with appropriate safeguards.

14. Third-Party Websites and Services Our websites or services may contain links to third-party websites, applications, or services that are not operated by Synovus Heritage Bank. This Privacy Policy does not apply to those third parties, and we are not responsible for their privacy practices. We encourage you to review the privacy policies of any third-party sites or services you visit.

15. Changes to This Privacy Policy We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or other factors. When we make material changes, we will take appropriate steps to inform you, such as updating the date at the top of the policy, posting a notice on our website, or contacting you directly where required.

Your continued use of our services after any changes to this Privacy Policy will constitute your acknowledgement of the updated policy.

16. Contact Us If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, or if you wish to exercise your data protection rights, you can contact us using the contact details provided on our official Synovus Heritage Bank website or through your local branch in England.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your data protection rights have been violated. We encourage you to contact us first so that we can attempt to resolve your concerns directly.