Privacy Policy
Last updated: February 2026
1. Data Controller
NexusBank Ltd ("NexusBank", "we", "us", "our") is the data controller responsible for your personal data. We are registered in England and Wales (Company No. 00000000) with our registered office at 1 Nexus Square, London, EC2A 1BB.
NexusBank is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 000000). We are registered with the Information Commissioner's Office (ICO) under registration number ZA000000.
This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use our banking services, website, mobile application (the "App"), and other products. It is prepared in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data We Collect
We may collect and process the following categories of personal data:
- Identity data: full name, date of birth, gender, nationality, photograph, government-issued identification numbers (passport, driving licence).
- Contact data: residential address, email address, telephone numbers.
- Financial data: bank account details, transaction history, credit history, income information, tax identification numbers.
- Technical data: IP address, browser type and version, device identifiers, operating system, time zone settings, login data, and pages visited on our website and App.
- Usage data: information about how you use our website, App, and services, including features accessed and frequency of access.
- Communications data: records of correspondence with us, including phone calls (which may be recorded for training and compliance purposes), emails, secure messages, and chat transcripts.
- Special category data: in limited circumstances we may collect health-related data where you disclose a vulnerability or request reasonable adjustments, processed only with your explicit consent or as necessary to protect your vital interests.
3. Legal Basis for Processing
We rely on the following lawful bases under Article 6 of UK GDPR to process your personal data:
- Performance of a contract: processing necessary to provide you with banking services, manage your accounts, execute transactions, and fulfil our contractual obligations to you.
- Legal obligation: processing necessary to comply with UK law and regulation, including anti-money laundering requirements under the Proceeds of Crime Act 2002, the Money Laundering Regulations 2017, sanctions screening, tax reporting obligations (including HMRC and CRS/FATCA), and regulatory reporting to the FCA and PRA.
- Legitimate interests: processing necessary for our legitimate business interests, including fraud detection and prevention, system security, improving our products and services, internal analytics, and direct marketing of similar products (subject to your right to opt out).
- Consent: where you have given us specific consent to process your data for a particular purpose, such as receiving marketing communications from third-party partners. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
- Vital interests: in exceptional circumstances, to protect your life or the life of another individual.
4. How We Use Your Data
We use your personal data for the following purposes:
- Opening, administering, and closing your accounts, including identity verification and credit checks.
- Processing payments, direct debits, standing orders, and other financial transactions.
- Detecting, investigating, and preventing fraud, financial crime, and unauthorised account access.
- Complying with regulatory requirements, including suspicious activity reporting to the National Crime Agency.
- Communicating with you about your accounts, services, and any changes to our terms or policies.
- Providing customer support and resolving complaints.
- Improving and personalising our services, including through analytics, customer segmentation, and product development.
- Sending you marketing communications about our products and services where permitted by law or where you have opted in.
- Managing risk and conducting internal audits and stress testing as required by our regulators.
5. Data Sharing
We may share your personal data with the following categories of recipients:
- Regulatory and law enforcement bodies: the FCA, PRA, HMRC, the National Crime Agency, and other authorities where required by law.
- Credit reference agencies: Experian, Equifax, and TransUnion, for identity verification, credit assessments, and fraud prevention. Information shared with CRAs will be retained on your credit file.
- Fraud prevention agencies: including Cifas, to detect and prevent fraud and money laundering.
- Payment processors and card schemes: Visa, Mastercard, and Faster Payments, to execute your transactions.
- Service providers: third-party companies that provide IT infrastructure, cloud hosting, printing, and communication services on our behalf, all bound by contractual data processing agreements.
- Professional advisors: external auditors, lawyers, and consultants under obligations of confidentiality.
- Open Banking providers: where you have explicitly authorised a third-party provider to access your account information or initiate payments under the Payment Services Regulations 2017.
We do not sell your personal data to third parties. Where we transfer data outside the United Kingdom, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the ICO or transfers to countries with an adequacy decision.
6. Data Retention
We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law and regulation. Key retention periods include:
- Account data: for the duration of your relationship with us and a minimum of six years after account closure, in line with the Limitation Act 1980 and FCA record-keeping requirements.
- Transaction records: a minimum of six years from the date of the transaction, as required by HMRC and anti-money laundering regulations.
- Marketing preferences: until you withdraw consent or opt out, after which we will suppress your data to ensure we respect your choice.
- Complaint records: a minimum of three years from the date of final resolution, as required by FCA DISP rules.
7. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact our Data Protection Officer using the details below.
- Right of access (Article 15): you have the right to request a copy of the personal data we hold about you. We will respond to your request within one calendar month.
- Right to rectification (Article 16): you have the right to request that we correct inaccurate or incomplete personal data.
- Right to erasure (Article 17): you have the right to request deletion of your personal data where there is no compelling reason for us to continue processing it. This right is subject to legal retention requirements.
- Right to data portability (Article 20): you have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
- Right to object (Article 21): you have the right to object to processing based on legitimate interests, including profiling, and to direct marketing at any time.
- Right to restrict processing (Article 18): you have the right to request that we restrict processing of your data in certain circumstances, for example where you contest the accuracy of the data.
- Rights related to automated decision-making (Article 22): you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Where we use automated credit scoring, you may request human intervention and challenge the decision.
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
8. Cookies
Our website and App use cookies and similar tracking technologies to enhance your experience, analyse usage patterns, and deliver personalised content. For detailed information about the cookies we use, how to manage your preferences, and your choices, please refer to our Cookie Policy.
9. Contact the Data Protection Officer
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact our Data Protection Officer:
- Post: Data Protection Officer, NexusBank Ltd, 1 Nexus Square, London, EC2A 1BB
- Email: dpo@nexusbankuk.com
- WhatsApp: +44 7365 192524
We aim to respond to all data protection requests within one calendar month of receipt. In complex cases, we may extend this period by a further two months and will inform you accordingly.