Personal data is any information that can be used to identify you. For Mox (Mox/we/us), your personal data is very important. What we can learn from or about you helps us to deliver smart banking to you.
1. What information of yours do we hold and who do we collect it from?
Information submitted by you:
Identity data means your personal information you give to us when you apply for our products or services, or enter a Mox competition or game, e.g. your name, date of birth, identity card number, correspondence address, phone number, email address, nationality, credit-related information or even other data such as selfies.
Communications data includes how you want us to contact you and your preferences for the marketing we send you.
Information we collect about you and your device:
Financial data includes your Mox Card number, transactions conducted through your Mox Account or any of your Goal accounts and any data on other Mox products and services you use.
Technical data means details such as your mobile network, operating system, IP address, and the settings and technology on your mobile phone.
Usage data includes information about how you use our website, the Mox app and products and services.
Information from you (or created by you) which you may give us permission to see, for the purposes of providing products or services to you:
Your contacts list, to facilitate payments and transactions between you and your contacts.
Your geolocation, to help you onboard as a Mox customer and for other security and compliance checks while using our products and services.
Your facial image data from your camera, to help you onboard as a Mox customer and so that we can confirm your identity.
Information that you may provide to us, including information that you may post on our website and social network sites, to enable us to communicate with you and to provide products and services to you.
Information from third parties which helps us deliver our products and services:
General due diligence includes data that the law requires us to process about you in relation to illegal activities involving money.
Financial due diligence includes data we receive from credit reference agencies to help with responsible lending decisions.
2. How do we protect your data?
Some of the security measures we use to protect your data include:
Firewalls – like a security guard whose job it is to decide who can access a building, firewalls proactively block certain information flows to our app by screening the flows based on a set of rules that Mox will set.
Intrusion detection systems (“IDS”) – like a security camera, IDS monitor information flows for patterns of activity that don’t look normal and might signal an attack on our app.
24/7 physical protection of facilities where your data is stored.
Background checks on people that need access to those physical facilities to do their job.
We also use digital signatures and encryption. Encryption changes your data into a code that can only be read by Mox and some of our trusted partners who need access to it. We always encrypt your data using the highest standards of security technology.
Encryption helps to ensure:
we can confirm the identity of the user;
we can prove that a transaction took place on the instruction of a specific person;
we can make sure that personal data is kept private by keeping the information hidden; and
we can ensure that the personal data was not changed during transfer or storage by someone without authority.
We always need your help to keep your data secure. Please let us know immediately if your data may have been lost or stolen, or if you think someone has used it without your permission.
3. Automated decisions and profiling
We may use algorithms when considering and processing your application for Mox products and services. The algorithms provide automatic assessments and decisions based on the personal data collected in accordance with our PICS. The parameters used in these assessments have been selected to provide a fair and objective assessment of your personal data and have been tested for reliability and fairness. If we are uncertain about the accuracy of the personal data that will be used in an algorithmic assessment, we may ask you to clarify any such personal data.
At Mox, we pride ourselves on putting the customer first. So, if you need any additional information about our privacy policies and practices or if you have a complaint then please give us a chance to put things right by messaging us through the Mox app, sending an email (email@example.com), giving us a call (Tel: 2888 8228) or reaching us by post (Address: Data Protection Officer, 39/F, Oxford House, Taikoo Place, 979 King’s Road, Quarry Bay, Hong Kong).
You can also refer your complaint to the Hong Kong Monetary Authority or the Office of the Privacy Commissioner for Personal Data.
5. Linked websites
This policy does not apply to third-party websites where our online advertisements are displayed or to linked third-party websites which we do not operate or control.
Last updated: 14 August 2020
Personal Information Collection Statement (“PICS”)
Mox (Mox/we/us) will collect your personal data to help us operate as a bank. Broadly, Mox will collect, process and store the personal data you provide to us (such as your name, date of birth, identity card number, correspondence address, phone number, email address, nationality, credit-related information or even “sensitive” data such as your facial image, and videos and voice recordings of you that you make while communicating with us) to keep you and Mox secure, meet our business obligations and comply with the law. This includes establishing, maintaining and operating your Mox Account or other accounts, Mox Card (and any other Mox product or service you use), also providing rewards and running competitions and games. The provisions of this PICS form part of the account terms and conditions (including the terms applicable to your use of our App) and any other agreement or arrangements you enter into with Mox.
We collect your data so we can provide the best possible service to you. If you do not provide us with the personal data we require from you, we may not be able to establish, maintain or provide our products and services to you.
We may also collect your data, directly or indirectly, from your transactions with or through Mox in the ordinary course of our business, including information received from third parties, the public domain, collected through your use of our App, websites, cookies, behavioral or location tracking tools, banking services, financial services or other services provided by Mox and the Standard Chartered Group and/or when you deposit money or execute transactions through your Mox Card. Understanding your spending and saving behaviour helps us make suggestions to you, to make informed financial decisions for you, and to help keep your account(s) and data secure.
Please note that we also collect data to help us comply with laws, regulations, guidelines and requests or investigations by the authorities.
In this PICS, “Standard Chartered Group” means each of or collectively Standard Chartered PLC and its subsidiaries and affiliates (including each branch or representative office). Mox is a member of the Standard Chartered Group.
1. Who we collect data from
We will collect personal data from our customers and other individuals in connection with the purposes set out in this PICS. These customers and other individuals may include the following, and we refer to them collectively as “you/your” in this PICS:
A. applicants or account-holders of Mox products or services;
B. customers; and
C. any third party transacting with or through us.
2. Use of your data
We may use your data for any of the following purposes:
A. considering and processing your application/s (including assessing the merits and/or suitability of your application/s) for Mox products and services;
B. operating, maintaining and informing you of Mox products and services, including to understand the overall picture of your relationship with the Standard Chartered Group by linking data in respect of all accounts you are connected to;
C. developing, improving and designing Mox products and services;
D. meeting our internal operational requirements or those of the Standard Chartered Group (including credit and risk management, system or product development and planning, carrying out testing and analysis and insurance, audit and administrative purposes);
E. conducting credit checks on you and obtaining your credit report from a credit reference agency (including upon your application for any Mox product or service and when we review credit, which normally takes place one or more times each year);
F. creating and maintaining our credit and risk scoring models;
G. maintaining your credit history for present and future reference;
H. assisting other financial institutions and organisations to conduct credit checks and collect repayments owed to them;
I. ensuring your initial and ongoing creditworthiness;
J. determining the amount of indebtedness owed to or by you;
K. enforcing your obligations, to us or any other member of the Standard Chartered Group, including, but not limited to, collecting amounts outstanding from you (e.g. by contacting a debt collection agency);
L. in connection with matching against any data held by us or the Standard Chartered Group so that we can better improve the way we provide services to you, for example, credit checking and data verification. We may also need to match your data when we try to recover amounts you owe us;
M. marketing services, products and other subjects (see paragraph below, “Direct Marketing”);
N. meeting or complying with any obligations, requirements or arrangements for disclosing and using data that apply to us or any other member of the Standard Chartered Group, including those that we or any such member is expected to comply with according to:
(a) any present or future law or regulation within or outside Hong Kong (e.g. the Inland Revenue Ordinance and its provisions including those concerning automatic exchange of financial account information);
(b) any present or future guidelines or guidance issued by any legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers within or outside Hong Kong (e.g. guidelines or guidance given or issued by the Inland Revenue Department including those concerning automatic exchange of financial account information);
(c) any present or future contractual or other commitment with local or foreign legal, regulatory, governmental, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations of financial services providers applicable to us or any member of the Standard Chartered Group by reason of its financial, commercial, business or other interests or activities in or related to the relevant jurisdiction (each an “Authority”); or
(d) any investigation, demand or request from an Authority;
O. meeting any obligations, policies, measures or arrangements for sharing data and information within the Standard Chartered Group and/or any other use of data and information pursuant to any group-wide programs for compliance with sanctions or prevention or detection of money laundering, terrorist financing, fraudulent activities or other unlawful activities;
P. enabling an actual or potential transferee, assignee of all or any part of our business and/or asset or participant or sub-participant of our rights in respect of you, to evaluate the transaction intended to be the subject of the transfer, assignment, participation or sub-participation;
Q. in connection with us or any member of the Standard Chartered Group defending or responding to any legal, governmental, or regulatory or quasi-governmental related matter, action or proceeding (including any prospective action or legal proceedings), including where it is in the legitimate interests of us or any member of the Standard Chartered Group to seek professional advice, for obtaining legal advice or for establishing, exercising or defending legal rights;
R. in connection with investigating an insurance-related matter (including matters related to any member of the Standard Chartered Group);
S. organising and delivering seminars to you;
T. managing, monitoring and assessing the performance of any agent, contractor or third party service provider who provides administrative, telecommunications, computer, payment or securities clearing or other services to us in connection with the establishment, operation or maintenance of any Mox product or service; and
U. any other purposes relating thereto.
3. Disclosure of your data
Data we hold is kept confidential but we may provide, transfer or disclose such data or information to other parties (whether within or outside Hong Kong*) if it will help with any of the uses we’ve listed in the “Use of your data” paragraph above. These other parties include:
A. any organisation, agent, contractor or third party service provider who provides administrative, telecommunications, identity verification/ know-your-customer, computer, payment/ transaction, cloud storage or services, data analytics, cybersecurity or securities clearing or other services to us in connection with the establishment, operation, maintenance or provision of any Mox product or service to you;
B. anyone who works for (or provides services to) us or the Standard Chartered Group (or any of the parties referred to in paragraph A);
C. any person who owes a duty of confidentiality to Mox (or any other member of the Standard Chartered Group);
D. credit reference agencies;
E. debt collection agencies if we need to collect a repayment;
F. any financial institution or merchant acquiring company which you would like to, or already have, dealings with;
G. any person or organisation that Mox (or another member of the Standard Chartered Group) owes an obligation to (which may exist now or in the future);
H. any actual or proposed assignee or transferee of all or any part of Mox’s business and/or assets or participant or sub-participant or transferee of Mox’s rights in respect of you;
I. any party giving or proposing to give a guarantee or third party security to guarantee or secure your obligations;
J. charitable or non-profit making organisations;
K. any external service provider that we engage to provide marketing services (including anyone who works for such a service provider);
L. any interface (such as an application programming interface) that links to, or in any way makes available information about, our products and/or services;
M. third party financial institutions, insurers, credit card companies, securities and investment service providers;
N. third party reward, loyalty, co-branding and privileges program providers;
O. our co-branding partners and/or co-branding partners of any member of the Standard Chartered Group (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be);
P. any person or company who has a direct or indirect shareholding in Mox and their affiliates (each, a “Shareholder”) (for example, to find out whether or not you are a customer of theirs or their affiliates and what products and services they provide or could provide to you), and anyone who works for (or provides services to) a Shareholder;
Q. any Authority;
R. any other Mox customers in connection with your use of Mox products and services; and
S. any other person (1) where the public interest requires or (2) with your express or implied consent.
*This may mean your data is disclosed, transferred, stored or processed outside of Hong Kong. If this happens, then we may need to comply with another country's laws and requirements on personal data. Such parties may be located in the following countries: Australia, Germany, Hong Kong, India, Ireland, Japan, Mainland China, Malaysia, Netherlands, Philippines, Singapore, United Arab Emirates, United Kingdom, United States of America.
4. Direct Marketing
We would like to use your data in direct marketing and we require your consent (which includes an indication of no objection) for that purpose. The data that we may use in direct marketing includes:
A. your name and contact details;
B. your demographic data;
C. the products and services provided to you by Mox, the Standard Chartered Group or any Shareholder;
D. your saving and spending patterns and behaviour; and
E. your financial background.
We may directly market the following classes of services, products, and subjects:
A. financial, insurance, fiduciary, investment services, credit card, securities, investment, banking and related services and products;
B. reward, loyalty or privileges programs and related services and products;
C. services and products offered by any Shareholder;
D. services and products offered by our co-branding partners (the names of such co-branding partners can be found in the application form(s) for the relevant services and products, as the case may be); and
E. donations and contributions for charitable and/or non-profit making purposes.
Along with us, the following persons may provide or solicit (in the case of donations and contributions) the above services, products and subjects:
A. any member of the Standard Chartered Group or any Shareholder;
B. third party financial institutions, insurers, credit card companies, securities and investment service providers;
C. third party reward, loyalty, co-branding or privileges program providers;
D. our co-branding partners and/or co-branding partners of any member of the Standard Chartered Group; and
E. charitable or non-profit making organisations.
We may also provide your data to any of these people for them to use in directly marketing the same services, products and subjects to you. Mox will always first obtain your consent (which includes an indication of no objection) for that purpose. We may receive money or other property in return for providing your data to these other persons, but we’ll tell you if this is the case when obtaining your consent.
You can change your mind about giving consent for us to use or provide to other persons your data for use in direct marketing, as set out above. Just let us know at any time.
5. Personal data of another person
Where you have provided us with another person’s personal data, you should provide him/her with a copy of this PICS and inform him/her of how we may use his/her data.
6. Access and correction of your personal data
You have the following rights according to the law:
A. to check what data of yours we hold and be provided with a copy of it;
B. to require us to make changes to any data that is inaccurate;
C. to withdraw any consent that you have previously given us with respect to our use of your personal data;
D. to know our policies and practices on data;
E. to be told what kind of data we hold and what you have access to;
F. to check what data we usually disclose to credit reference agencies and debt collection agencies;
G. to ask us for more information so you can approach a credit reference agency or debt collection agency yourself for a copy of your data or for the data to be corrected; and
H. to ask us to contact the credit reference agency about deleting any repayment data related to an account you close, as long as it hasn’t been closed for more than 5 years and there hasn’t been any repayment due for more than 60 days during this period. Account repayment data includes the amount last due, amount of payment(s) made during the last reporting period (being a period not exceeding 31 days immediately preceding the last contribution of account data by us to a credit reference agency), remaining available credit or outstanding balance and default data (being amount past due and number of days past due, date of settlement of amount past due, and date of final settlement of amount in default lasting in excess of 60 days (if any)). We also need to tell you that if you miss a repayment on any loan we give you:
(a) as long as you fully repay the loan or it is written off within 60 days, then your repayment data will not be kept by the credit reference agency for the standard period of 5 years; but
(b) if the loan is written off because of your bankruptcy, then the account repayment data will probably be kept for 5 years anyway, starting from when the outstanding amount was finally paid off or your bankruptcy status was lifted (whichever is earlier).
Also, we may from time to time access your personal and account information or records held by the credit reference agency for the purpose of reviewing any of the following matters in relation to the existing credit facilities granted to you or a third party whose obligations are guaranteed by you:
A. an increase in the credit amount;
B. the curtailing of credit (including the cancellation of credit or a decrease in the credit amount); and
C. the putting in place or the implementation of a scheme of arrangement with you or the third party.
If you want to exercise any of these rights, see the Privacy page on our website or let us know via the Mox app, by email to firstname.lastname@example.org, through the Contact Centre (Tel: 2888 8228) or send a letter to:
Data Protection Officer
39/F, Oxford House
Taikoo Place, 979 King’s Road
We have the right to charge a reasonable fee for the processing of any data access request you make. We will never charge a fee unless you are requesting a paper record to be sent to you.
Once we receive your data, we’ll do our best to protect it because the security of your personal data is important to us. We have technical and organisational security measures in place to safeguard your personal data (including personal data in transit and storage). These security measures ensure that the confidentiality and integrity of your personal data are not compromised. Multiple layers of protection have been put in place to protect against leakage of personal data to external parties. Personal data will be encrypted by strong data encryption algorithms using encryption keys unique to us and with proper key management. When using external service providers, we require that they adhere to certain security standards mandated by us or the Standard Chartered Group (as applicable). The Standard Chartered Group may do this through contractual provisions, including any such provisions approved by a privacy regulator, and oversight of the service provider. Regardless of where personal data is transferred, we take all steps reasonably necessary to ensure that personal data is kept securely.
You should also be aware that the Internet (including applications which use the Internet for data transfer) may not be a secure form of communication and sending us personal data over the Internet may carry with it risks including the risk of access and interference by unauthorised third parties. Information passing over the Internet may be transmitted internationally (even when the sender and recipient are located in the same country) via countries with weaker privacy and data protection laws than your country of residence.
Mox and the Standard Chartered Group retain personal data in line with applicable legal and regulatory obligations and for business and operational purposes. In the majority of cases, this will be for 7 years from the end of your relationship with us. You can ask us to permanently delete some or all of your data earlier than this but we can only do so if:
A. we have no legal or regulatory obligation to retain it; or
B. we don’t need it to provide a service that you would still like us to provide to you.
If we can’t permanently delete your data promptly after you ask us, please be assured that we’ll let you know.
We and other members of the Standard Chartered Group may record and monitor electronic communications with you to ensure compliance with legal and regulatory obligations and internal policies.