Privacy Policy of Arvest Continental Trust Bank

1. Introduction

This Privacy Policy describes how Arvest Continental Trust Bank ("Arvest", "we", "us", or "our") collects, uses, discloses, and protects your personal data when you use our banking and financial services, visit our branches, access our websites or mobile applications, or otherwise interact with us. We are committed to protecting your privacy and handling your personal data in a lawful, fair, and transparent manner.

Arvest Continental Trust Bank operates in England and is subject to applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using our services, you acknowledge that you have read and understood this Privacy Policy.

2. Who We Are and Contact Details

Data Controller: Arvest Continental Trust Bank Region of operation: England

If you have any questions about this Privacy Policy or our data protection practices, or if you wish to exercise your privacy rights, you may contact us using the contact details provided on our official website or at any Arvest branch.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

3.1 Identification and contact details

• Full name, title, date of birth, nationality
• Residential and correspondence address
• Email address, telephone numbers
• Government‑issued identification details (such as passport, national ID, driving licence numbers) where legally permitted
• Customer ID and account numbers

3.2 Financial and transactional information

• Bank account details, sort codes, IBANs
• Payment card details (stored and processed in accordance with security standards)
• Account balances, deposits, withdrawals, transfers
• Loan, mortgage, and credit details
• Investment and savings information
• Transaction histories and payee information

3.3 Regulatory and due‑diligence information

• Information required for Know Your Customer (KYC) and Anti‑Money Laundering (AML) checks
• Records related to sanctions screening and politically exposed persons (PEP) status
• Information obtained from public records, credit reference agencies, fraud prevention agencies, and other third‑party sources as permitted by law

3.4 Online and technical information

• IP address, device identifiers, browser type and version
• Time zone setting, browser plug‑in types and versions
• Operating system and platform
• Information about your visit and usage patterns (pages visited, clickstream data, access times, response times, download errors, length of visits, and interaction data)
• Cookies and similar technologies (as described in our separate Cookie Policy, where applicable)

3.5 Communication and interaction data

• Records of phone calls (where recorded and permitted by law)
• Email correspondence and secure messages
• Chat and messaging records on our digital channels
• In‑branch meeting notes and complaints/feedback records

3.6 Special category and sensitive data We generally avoid collecting special category personal data (e.g., health, biometric, or data concerning criminal convictions) unless it is strictly necessary and lawful for the provision of a service or to comply with legal obligations. Where such data is required, we will ensure that appropriate additional safeguards and legal bases are in place.

4. How We Collect Your Personal Data

We collect personal data from various sources, including:

• Directly from you: when you open an account, apply for a product, complete forms, correspond with us, use online banking or mobile apps, visit our branches, contact our customer service, or participate in surveys and promotions.
• Automatically: through your use of our websites, mobile applications, ATMs, and other digital services (including cookies and similar technologies).
• From third parties: such as credit reference agencies, fraud prevention agencies, payment service providers, professional advisers, publicly available sources, and other financial institutions, where lawful and necessary.
• From regulatory and law‑enforcement bodies: where we are required to obtain or confirm certain information.

5. Legal Bases for Processing Your Personal Data

We process your personal data only when we have a lawful basis to do so. Depending on the context, this may include:

5.1 Performance of a contract To take steps at your request before entering into a contract, and to perform a contract with you, such as:

• Opening, administering, and operating your accounts
• Providing payment services and processing transactions
• Issuing cards and managing card‑related services
• Providing loans, mortgages, overdrafts, and other credit facilities

5.2 Compliance with legal obligations To comply with applicable laws and regulatory requirements, including those related to:

• AML, KYC, sanctions, and fraud prevention
• Tax reporting and withholding
• Banking regulations, audits, and supervisory requirements
• Court orders, law‑enforcement requests, and other legal processes

5.3 Legitimate interests To pursue our legitimate interests, provided your interests and fundamental rights do not override those interests. This includes:

• Managing risk, securing our systems and premises, and preventing fraud
• Improving and developing our products, services, and customer experience
• Conducting internal analytics, reporting, and business planning
• Handling queries, complaints, and disputes
• Direct marketing of similar products and services to existing customers (where permitted by law and subject to your right to object)

5.4 Consent Where required by law, we will obtain your consent before processing your personal data, for example for certain types of electronic marketing. You may withdraw your consent at any time; this will not affect the lawfulness of processing carried out before withdrawal.

5.5 Vital interests and public interest In rare cases, we may process personal data to protect your vital interests or those of another person, or where it is necessary for reasons of substantial public interest, in compliance with applicable law.

6. How We Use Your Personal Data

We may use your personal data for the following purposes:

• To provide and manage banking and financial services you request from Arvest
• To assess your applications for products and services (including creditworthiness checks)
• To execute payments, transfers, and other transactions you authorise
• To manage our relationship with you, including customer support and service communications
• To verify your identity and help prevent and detect fraud, financial crime, and unauthorised access
• To comply with legal, regulatory, and compliance obligations
• To manage risk, auditing, and internal controls
• To improve the security, performance, and usability of our websites, apps, and other digital platforms
• To conduct market research, service development, and statistical analysis
• To inform you about changes to our services, terms, and policies
• To provide marketing communications and offers about our banking products and services, subject to your preferences and applicable law

7. Automated Decision‑Making and Profiling

We may use automated decision‑making and profiling for certain services, such as:

• Credit and affordability assessments
• Fraud and AML monitoring and alerts
• Transaction monitoring for unusual activity
• Tailoring offers and communications related to Arvest products

Where required by law, we will inform you when we use automated decision‑making that produces legal or similarly significant effects. In such cases, you may have the right to request human intervention, to express your point of view, and to contest the decision.

8. How We Share Your Personal Data

We may share your personal data with the following categories of recipients, only to the extent necessary and subject to appropriate safeguards:

8.1 Within Arvest Continental Trust Bank

• Our branches, departments, and group entities (if any) involved in the provision of services and internal operations.

8.2 Service providers and professional advisers

• IT and telecommunications providers
• Payment processors and card scheme providers
• Cloud, data hosting, and backup service providers
• Consultants, auditors, legal advisers, and other professional services firms

8.3 Other financial institutions and partners

• Correspondent banks and intermediary institutions
• Beneficiary banks and payers/payees involved in transactions you initiate or receive
• Credit reference agencies and fraud prevention agencies
• Insurers, brokers, and underwriters related to certain financial products

8.4 Regulators, law‑enforcement, and other authorities

• Supervisory authorities, regulatory bodies, tax authorities, courts, and law‑enforcement agencies, where we are required or permitted to do so by law.

8.5 Business transfers If we undergo a reorganisation, merger, acquisition, or sale of assets, your personal data may be transferred as part of that transaction, subject to appropriate protections.

We do not sell your personal data.

9. International Transfers of Personal Data

Arvest Continental Trust Bank is based in England, but some of our service providers, group entities, or counterparties may be located outside the United Kingdom.

Where we transfer your personal data outside the UK, we will ensure that an adequate level of protection is in place, for example by:

• Transferring to countries that have been deemed to provide an adequate level of data protection by the UK government; or
• Using standard contractual clauses or other appropriate safeguards approved under applicable data protection laws.

You may request further information about international transfers and the safeguards applied by contacting us.

10. Data Security

We implement technical and organisational measures designed to protect your personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures may include:

• Encryption and secure transmission technologies
• Access controls and authentication procedures
• Regular security assessments and system monitoring
• Staff training and confidentiality obligations

While we take reasonable steps to protect your personal data, no system can be fully secure. You are responsible for keeping your login details, passwords, and security credentials confidential and for notifying us promptly of any suspected unauthorised use of your accounts.

11. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, regulatory, accounting, or reporting requirements.

In determining appropriate retention periods, we consider:

• The nature and sensitivity of the data
• The purposes for which we process it
• Applicable legal and regulatory retention obligations (for example, those related to banking, AML, tax, and financial reporting)
• The time limits for potential complaints or legal claims

When personal data is no longer required, we will securely delete, anonymise, or otherwise render it unusable.

12. Your Data Protection Rights

Subject to certain conditions and applicable law, you may have the following rights regarding your personal data:

• Right of access: to obtain confirmation whether we process your personal data and to request a copy of that data.
• Right to rectification: to request correction of inaccurate or incomplete personal data.
• Right to erasure: to request deletion of your personal data in certain circumstances.
• Right to restriction: to request that we restrict the processing of your personal data in certain situations.
• Right to data portability: to receive personal data you have provided to us in a structured, commonly used, machine‑readable format, and to transmit it to another controller where technically feasible and lawful.
• Right to object: to object to processing based on our legitimate interests, including profiling, and to object to direct marketing at any time.
• Rights related to automated decision‑making: to request human review of certain automated decisions and to contest such decisions where required by law.

To exercise any of these rights, please contact us using the contact details available on our official Arvest website or at any branch. We may need to verify your identity before responding to your request.

13. Marketing Communications

We may use your contact details to send you information about Arvest Continental Trust Bank products and services that may be of interest to you.

Where required by law, we will obtain your consent before sending you electronic marketing communications. You can opt out of marketing at any time by:

• Following the unsubscribe instructions in our emails or messages; or
• Contacting us directly with your request.

Even if you opt out of marketing, we may still send you non‑marketing communications, such as service messages, security alerts, and important information about your accounts and our relationship with you.

14. Cookies and Similar Technologies

Our websites and mobile applications may use cookies and similar technologies to improve performance, enhance user experience, and provide tailored content and advertising related to Arvest services.

Where required, we will obtain your consent for non‑essential cookies. You can manage your cookie preferences through your browser or device settings and, where available, through our cookie management tools. For more detailed information, please refer to our separate Cookie Policy.

15. Third‑Party Websites and Services

Our websites, apps, or communications may contain links to third‑party websites, plug‑ins, or services. These third parties operate independently from Arvest and have their own privacy policies. We are not responsible for the content, security, or privacy practices of such third‑party sites or services. We encourage you to review their privacy policies before providing any personal data.

16. Children’s Privacy

Our banking services are generally not directed at children unless specifically designed products are offered for minors (for example, youth accounts) and administered in accordance with applicable laws and with appropriate consent from a parent or legal guardian where required.

If we become aware that we have collected personal data from a child without the necessary consent, we will take steps to delete such information or obtain appropriate authorisation.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or services. The most current version will always be available on our official website and may also be provided in our branches.

We encourage you to review this Privacy Policy periodically. If we make significant changes, we will take reasonable steps to notify you, such as by email, online notification, or in‑branch notices, where appropriate.

18. How to Contact Us and Lodge a Complaint

If you have any questions, concerns, or complaints about how we handle your personal data, or if you wish to exercise your rights, please contact us using the contact options provided on the official Arvest Continental Trust Bank website or at any of our branches in England.

You also have the right to lodge a complaint with the UK data protection supervisory authority:

Information Commissioner’s Office (ICO) For details on how to contact the ICO and about your rights, please visit the ICO’s official website.

---

This Privacy Policy applies to Arvest Continental Trust Bank customers and users of our services in England and is intended to provide clear and transparent information about how we process personal data under the name Arvest.