Our Commitment to Privacy

The privacy of individuals, including our customers and clients, is of utmost importance to American Express. We are committed to adhering to the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (the "Indian Privacy Rules").

American Express and its businesses in India adhere to various management policies and practices as part of a global commitment to protecting Personal Information. This document is intended to give you clear and accessible information about those policies and practices. In particular it explains the way American Express and its employees, partners and vendors will collect, use, store, share, transmit, delete or otherwise process (collectively "process") Personal Information in India in accordance with its Data Protection & Privacy Principles.

Who is covered by this Policy?

This Policy covers Personal Information that we collect in India directly from:

1. Customers and Employees of all American Express entities in India

We use the term "you" and "your" to refer to individuals who are covered by this Policy. We use the term "we", "us" and "our" to refer to all American Express entities in India.

What Information is covered by this Policy?

We collect both Personal Information and Sensitive Personal Information in India.

In this Policy, the term "Personal Information" means any information that relates to a natural person, which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person.

In this Policy, the term "Sensitive Personal Information" means Personal Information that also consists of information relating to:

1. Passwords
2. Financial information such as Bank account or credit card or debit card or other payment instrument details
3. Physical, physiological and mental health condition
4. Sexual orientation
5. Medical records and history
6. Biometric information

Sensitive Personal Information does not include information that is freely available or accessible in the public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force.

OUR DATA PROTECTION & PRIVACY PRINCPLES

Principle 1 - Collection: We will only collect Personal Information that is needed and by lawful and fair means.

What Personal Information do we collect?

We collect various types of Personal Information from you such as your name, address, telephone number, mobile number and email address. Collecting this Personal Information enables us to offer you services and online experiences that help you with your financial and payment needs. Depending on the type of service or account you apply for, we also collect information necessary to set up and maintain that service or account such as your date of birth, employment details, tax file number, etc.

What Sensitive Personal Information do we collect?

Depending on the account or service you have with us, we may collect some limited Sensitive Personal Information such as information about your credit history, bank account details, financial information, your account number, passwords, etc.

We will only collect Sensitive Personal Information with your consent. You can always withdraw your consent (see Principle 8 - Choice for details).

We do not generally collect information about your health, medical condition, sexual orientation, religion, ethnic origin or political associations.

How do we collect Personal Information?

Generally, we collect Personal Information directly from you. However, we may also collect Personal Information about you from third parties such as:

1. credit bureaus and agencies;
2. merchants (when you make purchases with your card or account);
3. referees; and
4. publicly available information sources (such as social networking sites, etc)

Marketing

We record information about your transactions and how you interact with third parties like a utility or phone company. We use this information in combination with other information we may have in order to better tailor and personalize our services and for marketing purposes. For example, we may use marketing segments developed by us or other companies to customize certain services to your local area and provide relevant offers tailored to you.

Information We Collect Online

For details about information we collect while you are using American Express' online sites and services, and our use of Cookies, please see our Online Privacy Statement at http://www.americanexpress.com/india/legal/privacy_cookies.shtml

More information about collection

If you would like to know the name and address of agencies collecting and retaining your Personal Information, please contact our Data Privacy and Grievance officer (see Principle 9 - Accountability for details).

Principle 2 - Notice and Processing: Where it is not apparent from the products or services you require or the nature of your relationship with us, we will tell you how your Personal Information and Sensitive Personal Information will be processed and which partners or vendors are responsible for that processing. We will process your data fairly and only for those purposes we have told you, for purposes permitted by you or as permitted by applicable law. In addition, you may object to certain types of processing as expressly permitted by applicable law.

Generally, we collect and process Personal Information for the following purposes:

1. To process your application for an account or service
2. To manage and service your account
3. To research and develop new products and services
4. For training, quality control purposes
5. To manage competitions, offers or promotional campaigns you have entered
6. To authenticate your identity
7. To communicate with you and to contact you with offers from time to time
8. To meet our legal and regulatory obligations
9. To process your job application

In providing your email address, telephone and facsimile numbers you are agreeing that we may contact you by email, telephone or facsimile.

Principle 3 - Data Quality: We use appropriate technology and well-defined employee practices to process your data promptly and accurately. We will not keep your Personal Information longer than is necessary, except as otherwise required by applicable law.

We destroy all Personal Information that is no longer needed for the purposes for which we collected it, unless its retention is required to satisfy legal, regulatory or accounting requirements or to protect our interests.

Principle 4 - Security & Confidentiality: We will keep your Personal Information confidential and limit access to those who specifically need it to conduct their business activities, except as otherwise permitted by applicable law. We refer to industry standards and use reasonable administrative, technical and physical security measures to protect your Personal Information from unauthorized access, destruction, use, modification or disclosure.

We use 128-bit digital certificate from Verisign for encryption of the Secure Sockets Layer (SSL) session which is an industry standard for encryption over the internet to protect the data of users. 128bit-SSL is the highest level of commercially available security for encrypted communication. When you type in Sensitive Personal Information such as credit card details, it will be automatically converted into codes before being securely dispatched over the internet. We require industry standard data security measures from those third parties who are authorized by us to process your Personal Information on our behalf.

Principle 5 - Data Sharing: We only share your Personal Information with third parties where it is necessary to provide you with products or services or as part of the nature of our relationship with you, where we have previously informed or been authorized by you, in connection with efforts to reduce fraud or criminal activity or as permitted by law.

Generally, we share your Personal Information with the following:

1. Regulators;
2. Lawyers;
3. Auditors;
4. Any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services in connection with the operation of its business;
5. Any other person under a duty of confidentiality to us
6. The drawee bank providing a copy of a paid cheque (which may contain information about the payee) to the drawer;
7. Credit reference agencies and, in the event of default, debt collection agencies;
8. Any actual or proposed assignee of or participant or sub-participant or transferee of our rights in respect of the data subject.
9. Our business alliance partners.

You agree that, subject to the Privacy Rules, we and our agents may share Personal Information as follows:

Information shared with	Nature of information and purpose
American Express entities in India	Exchange Personal Information about you within American Express entities in India (including any regulated entities), and its and their processors, in connection with the issuance of a Card.
Co-brand partners	Provide Personal Information to any organization whose name, logo or trademark appears on your application for the Card or on the Card issued to you for marketing, planning, product development, research and management information purposes.
Marketing lists	Use Personal Information for marketing purposes. This includes putting your name and contact details on marketing lists for the purposes of customer research and offering you goods or services of us or of any third party, by mail or email or having our related companies do so directly. Please call us on our helpline numbers if you wish us to remove your name from our marketing lists.
Our service providers	Transfer Personal Information confidentially to our related companies and other organizations which issue or service American Express Cards or provide services to us. This includes transferring Personal Information to the United States or other countries for data processing and servicing.
Call monitoring	Monitor and record your telephone conversations with us from time to time for training, quality control or verification purposes.
Information from credit reporting agencies	Obtain credit reports about you from credit reporting agencies to assess your application or to collect overdue payments from you, and obtain Personal Information from a business that provides commercial credit worthiness information.
Disclose to credit reporting agencies	Disclose Personal Information to credit reporting agencies before, during or after providing credit to you as per the Credit Information Companies (Regulation) Act 2005. This includes, but is not limited to: • that you applied for a Card and the credit limit, and that we are a credit provider to you; • report about your Card payments on an ongoing basis and which are overdue and which are in collection (and advice that payments are no longer overdue);
Credit providers	Exchange Personal Information with credit providers named in your application or in a credit report issued by a credit reporting agency. This is for purposes including but not limited to: • assessing your credit worthiness, your application for the Card and for any subsequent application you make for credit; • notifying other credit providers of your default or failure to comply with these conditions; • exchanging information about your Card account where you are in default with other credit providers; • approving or declining a transaction you wish to make with the Card; and – our administration of your account.
Persons you tell us about	Exchange Personal Information with any person whose name you give us from time to time. This includes, for example, for the purpose of confirming your employment and income details with any employer, landlord/mortgagee, accountant, financial adviser or tax agent details of whom are received by us along with your application for the Card.
Collection agent	If you are in default under the Card account, notify and exchange Personal Information with our collection agent.

We will only share Sensitive Personal Information where you have given us your prior permission or where it's part of our contractual arrangements with you. In certain circumstances though, we will not seek your permission to share your Sensitive Personal Information. But this will only be where it is requested:

1. By a Government agency; or
2. By an order under Law.

Principle 6 - Openness and Data Access: If you ask, we will inform you about how your Personal Information is processed and the rights and remedies you have under these Principles. You may inquire as to the nature of the data stored or processed about you. In accordance with the Information Technology (Reasonable security practices and procedures and sensitive Personal Information or information) Rules 2011, you will be provided access to Personal Information about you held by us. If any data is inaccurate or incomplete, you may request that the data be amended.

You can access and/or change certain Personal Information in connection with your account or application by logging on to your account online or telephoning customer service.

Principle 7 - International Transfer: Where it is not apparent from the international products or services you require or the nature of your relationship with us, or as otherwise provided herein, we will inform you if your Personal Information may be transferred outside of India and ensure that such transfer is only performed in accordance with applicable law. Regardless of where your Personal Information is transferred, your Personal Information is protected by these Privacy Principles.

Where it is necessary to send Sensitive Personal Information overseas, we will only do this with your consent and will always ensure that your Sensitive Personal Information is afforded the same level of data protection as under the Indian Privacy Rules.

Principle 8 - Choice: We give customers the option of having their Personal Information included or removed from lists used for marketing as required by applicable law. This includes product and service offers from us and those made in conjunction with our business partners. Of course, each of our businesses will continue to send customers information about the products or services they receive from that business.

You also have the option to withdraw your consent to us using your Personal Information altogether. In that case you may also approach the Data Privacy and Grievance Officer. However, in such cases we may not be able to provide you with the services for which the Personal Information was provided. In some instances, this may mean we need to cancel your card account.

Principle 9 - Accountability: If you feel that we have breached these Privacy Principles you are entitled to bring a complaint to our Data Privacy and Grievance officer (see details below). If we fail to resolve your complaint within one month, then you may enforce these Privacy Principles against us by taking your complaint to your local data protection authority.

If the data protection authority finds that we have breached these Privacy Principles, we will abide by the findings of the data protection authority, but we reserve the right to challenge or appeal such findings. These Privacy Principles do not affect any rights you have under applicable law, the requirements of any applicable regulatory data protection authority, or any other type of agreement that you may have with us.