Effective from 28 July 2022
GXS Bank is proud to be the first digital bank in Singapore to be awarded the Data Protection Trustmark ("DPTM") by the Infocomm Media Development Authority.
This demonstrates GXS Bank's commitment to putting data privacy at the heart of its business. We value your trust and are committed to ensuring your personal data is protected and used in a responsible way.
Privacy Mission Statement
Our mission is to deliver customer-centric banking services in a responsible way that respects your choice and safeguards your privacy.
This Policy applies to any individual whose personal data is in our possession or under our control (collectively “you”, “your” or “yours”).
“Personal Data” is any information (whether true or not) which identifies or relates to an individual.
We may, directly or indirectly, collect your Personal Data that you knowingly and voluntarily provide when you use or interact with us through our mobile application (“App”), our websites, social media platforms, customer hotlines, products, features and other services we make available to you, including information received from our business partners or from other sources.
Some examples of Personal Data that we may collect include:
- personal particulars (e.g. name, government-issued identification numbers, contact details, residential address, date of birth, gender, nationality, race, marital status);
- biometric data (e.g. facial image, fingerprint, voice);
- employment information (e.g. occupation, employment history, salary);
- financial, tax, insurance, investments, business interests or banking information (e.g. bank account numbers and transactions); and
- information relating to your preferences, activities, habits, interests or feedback relating to the use of our products or services and/or that of our business partners, including electronic data such as IP addresses, cookies, activity logs, cellular network and location data.
Some of the Personal Data that we collect may be sensitive in nature. This includes your government-issued identification number, financial information or bank account information. We collect this information in strict compliance with applicable laws.
We collect Personal Data in ways including the following:
- when you submit any form, including but not limited to application forms or other forms relating to any of our products or services;
- when you enter into any agreement or provide other documentation or information in respect of your interactions with us, or when you use our services;
- when you verify your identity through various means;
- when you use some of our services provided through online and other technology platforms, such as websites and Apps;
- when you interact with our staff such as via telephone calls (which may be recorded), emails, letters, fax or face-to-face meetings;
- when your images are captured by us via closed circuit television cameras (“CCTVs”) while you are within our premises or via photographs or videos taken by us or our representatives when you attend events organized by us;
- when you request that we contact you, or include you in an email or other mailing list; or when you respond to our request for additional Personal Data, our promotions and other initiatives;
- when you are contacted by, and respond to, our marketing representatives, agents and other service providers; and
- when you submit your Personal Data to us for any other reason.
When we collect Personal Data from other sources, we make sure that the Personal Data is obtained in accordance with applicable laws. Such sources may include:
- Authorised Persons (as defined in the Account Terms), your family members, friends, shareholders, beneficial owners, service providers (e.g. lawyers, accountants, contractors), representatives (e.g. employees, officers, directors, signatories), and other individuals;
- referral programmes;
- our business partners, such as Singtel and Grab;
- insurance and financial service providers;
- credit bureaus, alternative credit scoring agencies and any other credit reporting organisations;
- publicly available sources of data;
- government sources of data;
- users who add you as their emergency contact; and
- marketing service providers or partners.
In some situations, you may provide us with Personal Data of third parties, such as your family members or friends. For example, you may add them as your emergency contact or when you use the in-App chat. By submitting such information to us, you represent to us that you have obtained the consent of the third party to collect, use, process or disclose his/her Personal Data for the respective purposes.
Our services are not directed to children and we will not knowingly collect Personal Data from individuals under the age of 16. In the event that we need to, we will obtain verifiable parental consent. If you are under the age of 16, we request that you do not provide your Personal Data to us.
We may collect, use, process or disclose Personal Data for business or legal purposes, including as permitted under the Personal Data Protection Act 2012 (“PDPA”), the Banking Act 1970 (“BA”) and other applicable laws. By agreeing to this Policy, you consent to the collection, use, processing and disclosure of Personal Data for the following purposes:
- verifying your identity and conducting screenings, credit or due diligence checks in order to provide you with our products or services;
- ensuring that the information we have about you is up-to-date;
- assessing and processing applications, instructions, transactions or requests, including your registration of interest, and assessing your eligibility for our products or services;
- administering benefits or entitlements in connection with our banking relationship with you or arising from your interaction or participation in events, marketing campaigns and promotions by us or in conjunction with our partners (e.g. loyalty, rewards, lucky draws, gifts and awards);
- responding to queries, feedback or requests;
- addressing, investigating or resolving any complaints, claims, disputes, breaches of law or contract;
- developing our customer acquisition strategies;
- monitoring how well we are meeting our performance and service delivery;
- complying with our internal policies and procedures;
- creating and maintaining credit, fraud and risk models, assessing credit worthiness and managing risks to GXS Bank;
- facilitating wallet linking, payments and rewards for account linking between GXS Bank and business partners;
- research and analysis to understand customer needs and preferences, for developing or improving our banking facilities, products or services, and marketing strategies;
- requesting feedback or participation in surveys or conducting research and/or analysis for statistical or profiling to understand market trends, customer behaviour and preferences;
- managing the safety and security of our staff, premises and services;
- responding to an emergency that threatens the life, health or safety of a person;
- where it is necessary in the public interest (e.g. for contact tracing purposes, managing a public health crisis);
- preventing, detecting and prosecuting crime;
- monitoring compliance with our terms and conditions, policies and code of conduct;
- recovery or payment of debt owed;
- financial or regulatory reporting, management reporting, risk management (including monitoring credit exposures, audit and record keeping purposes);
- facilitating mergers, acquisitions, joint ventures, sale of company assets, consolidation, restructuring, financing, business asset transactions, or acquisition of all or part of our business by another company;
- exercising our rights to defend ourselves from any claims, actions, investigation or proceedings and/or protecting and enforcing our contractual and legal rights and obligations;
- complying with any applicable laws, regulations, rules, directives, codes of practice or guidelines, orders, instructions and requests from any local or foreign authorities, including regulatory, government, tax, law enforcement or other authorities, or self-regulatory or industry bodies or associations; and
- such purposes as you may agree to from time to time; and
- purposes related directly to the Purposes set out in this Policy.
We may collect, use, process or disclose your Personal Data without consent where required or authorised under the PDPA, the BA and other applicable laws, in accordance with their requirements. This may include:
- collection, use, processing or disclosure for the legitimate interests of GXS Bank or other persons;
- disclosure in connection with the bankruptcy of a customer;
- disclosure for the conduct of proceedings between the bank and the customer relating to the banking transaction of the customer, or between the bank and parties making adverse claims to money in the customer’s account where the bank seeks relief by way of interpleaders, or in respect of a right or interest conferred on the bank by the customer;
- disclosure to comply with an order or request made under any written law to provide information, of the purposes of an investigation or prosecution of an alleged or suspected offence committed under written law;
- disclosure for making of complaint or report under specified written law for an alleged or suspected offence under any written law;
- disclosure in compliance with a ganishee order served on the bank;
- disclosure in compliance with a court order;
- disclosure in compliance with the provisions of the BA, Deposit Insurance and Policy Owners’ Protection Schemes Act or any notice or directive issued by the Monetary Authority of Singapore (“MAS”);
- disclosure in the performance of duties as an officer of the bank, a professional advisor or an auditor appointed or engaged by the bank to make certain disclosures;
- disclosure for the conduct of internal audit of the bank or performance of risk management;
- disclosure in the performance of operational functions of the bank which have been outsourced;
- disclosure for the merger or proposed merger of the bank with another company, or any acquisition or issue, or proposed acquisition or issue, of any part of the share capital of the bank;
- disclosure for the transfer or proposed transfer of the business or shares of the bank to a company, or the restructuring or proposed restructuring of the share capital of the bank, or the restructure, transfer or sale, or proposed restructure, transfer or sale of credit facilities, in accordance with the BA or MAS Act where applicable;
- disclosure for the notification of the suspension or cancellation of a credit or charge card issued by the bank by reason of customer’s default in payment to the bank;
- disclosure for the creation of a credit report by a licensed credit bureau of which the bank is an approved member or to enable such a licensed credit bureau to make a disclosure under the Credit Bureau Act;
- disclosure for a purpose permitted in a written notice by MAS under the Credit Bureau Act;
- disclosure for the assessment of the credit-worthiness of the customer in connection with or relating to a bona fide commercial transaction or prospective commercial transaction; and
- disclosure for the payment of compensation under the Deposit Insurance and Policy Owners’ Protection Schemes Act to insured depositors or persons under that Act.
We may combine the collected Personal Data with other Personal Data in our possession. If you have or are a party to multiple relationships with us (e.g. if you use our products or services across our various business verticals like investments, lending, digital CASA banking etc), we may link your Personal Data collected across the various verticals to facilitate your use of our products or services and for the Purposes described above.
We may use your Personal Data to recommend you products or services, including special promotions, offers, contests, rewards or entitlements that may be of interest to you or for which you may be eligible. Such marketing messages may be sent to you via various modes including but not limited to electronic mail, direct mailers, short message service, telephone calls and other mobile messaging services and Apps. In doing so, we will comply with the PDPA and other applicable laws.
In sending telemarketing messages to your telephone number via short message service, voice calls and other mobile messaging services and Apps, we will only do so if you have provided clear and unambiguous consent in written or other recorded form, and you have not withdrawn such consent for the sending of telemarketing messages to your Singapore telephone number prior to the last 10 business days.
If you wish to withdraw your consent or change your consent preferences for marketing and promotions, you may update your preferences in your App settings. Alternatively, you may notify us by emailing us or calling our customer hotline (see the section “How to contact us” below).
Notwithstanding any withdrawal of consent for marketing, we may continue to send you messages relating to our ongoing relationship with you, including updates to our products or services and terms and conditions that you are entitled to receive under the terms that you have agreed to enter into with us and nothing in this section shall vary or supersede the terms and conditions that govern our relationship with you.
We may disclose Personal Data to various parties for the purposes set out in this Policy. These parties include:
- Authorised Persons, your legal representatives, family members or those who can validly act on your behalf or who may be empowered to act with the requisite power and authority (e.g. upon your death or mental incapacity);
- our Related Entities (as defined in the Account Terms);
- service providers who perform identity verification services and payment processing services (including payment processors, payment intermediaries, payment networks, card associations, banks, and other financial institutions etc);
- debt collectors;
- credit bureaus, alternative credit scoring agencies and any other credit reporting organisations;
- background check and anti-money laundering service providers;
- cloud storage providers;
- data analytics providers;
- marketing partners and marketing service providers;
- business partners;
- research partners, including those performing surveys or research projects in partnership with GXS Bank or on GXS Bank’s behalf;
- insurance and financing partners;
- other banks, correspondent banks, providers of credit protection, financial institutions, financial market infrastructure, third party digital wallet providers and other third party intermediaries involved in the managed investment of funds, such as brokers, asset managers, and custodians; and
- legal advisors, government authorities, regulators, enforcement agencies, tax authorities, courts, tribunals or judicial bodies; and
- other third parties to fulfill the legal purposes mentioned in this Policy.
We may share Personal Data with our business partners if you requested a service through GXS Bank’s or a business partner’s platform. Our business partners may include those whose Apps integrate with ours, and marketing partners that we collaborate with to deliver a promotion, competition or other specialised service.
Our business partners include Grab Holdings Inc. (“Grab”) and Singtel Mobile Singapore Pte Ltd (“Singtel”, and together with Grab, our “Shareholders”). Under our data sharing arrangement (“Data Sharing Arrangement”) with our Shareholders, your Personal Data may be shared between GXS Bank and Grab (where you are a customer of Grab), and between GXS Bank and Singtel (where you are a customer of Singtel), with your consent, for the following purposes:
- verifying your identity, onboarding you, and updating your records as a customer of Grab and/or Singtel (where applicable);
- enabling seamless customer service handling across GXS Bank, Grab and/or Singtel (where applicable); and
- understanding your preferences so that GXS Bank, Grab and/or Singtel (where applicable) may recommend you products or services, special promotions, offers, contests, rewards or entitlements of relevance to you.
Where you have given consent to the sharing of your Personal Data with our business partners, you also provide consent for us to send any correction of Personal Data that you may request to our business partners to update their records.
We may modify, update or amend this Policy to reflect any changes to the Data Sharing Arrangement at any time. You will be notified of any material changes to or addition of new purposes in the Data Sharing Arrangement before we collect, use, process or disclose your Personal Data for those purposes. You may withdraw your consent or change your preferences for the sharing of your Personal Data with business partners in our App, or by contacting us (see the section “How to contact us” below).
Our services are provided in Singapore. If you are located outside of Singapore, any Personal Data you provide to us will be transferred to Singapore. By interacting with our services and/or providing us with your Personal Data, you are deemed to consent to this transfer in order for us to provide you with the service you request.
Personal Data may also be transferred from Singapore to another country (“Alternate Country”) while using our services.
When we transfer your Personal Data from Singapore to any Alternate Country, we will comply with our legal and regulatory obligations in relation to your Personal Data, including having a lawful basis for transferring Personal Data and putting in place appropriate safeguards to ensure an adequate level of protection for the Personal Data transferred. We will also ensure that the recipient in the Alternate Country is obliged to protect your Personal Data at a standard of protection comparable to the protection under the PDPA.
Our lawful basis will be one of the safeguards permissible under applicable laws for the transfer of your Personal Data from Singapore to any Alternate Country.
Depending on the type of phone and operating software that you are using, you may have the option to disable our use of mobile identifiers (such as Apple’s IDFA). You may deactivate cookies by adjusting your internet browser settings to disable, block or deactivate cookies, deleting your browsing history and clearing the cache from your internet browser.
You may be able to limit our use of your Personal Data to display advertisements that may be of relevance to you, by adjusting your preference sharing of some of this Personal Data through our App. You will still see non-targeted advertisements.
We will take reasonable legal, organizational and technical measures to ensure that your Personal Data is protected. This includes measures to prevent Personal Data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. We limit access to your Personal Data to our employees and contractors on a need-to-know basis. Those processing your Personal Data will only do so where authorised and are required to treat your Personal Data with confidentiality.
Although we will do our best to protect your Personal Data, we cannot guarantee the security of your Personal Data transmitted through any online means, therefore, any transmission remains at your own risk.
We retain Personal Data for the period necessary to fulfill the purposes outlined in this Policy and until it is no longer necessary for any other legal or business purposes. Once your Personal Data is no longer necessary for the products or services, or we no longer have a legal or business purpose for retaining your Personal Data, we will take steps to erase, destroy or anonymize such Personal Data.
In accordance with applicable laws and regulations, you are entitled to:
- ask us what Personal Data we have of you, including to be provided with a copy of your Personal Data, and how your Personal Data has been used or disclosed in the last one (1) year;
- request the correction of your Personal Data; and
- withdraw your consent to the processing of your Personal Data for a purpose (where we are processing your Personal Data based on your consent).
Consent withdrawals or changes to your consent preferences done through your App settings will generally come into effect no later than 48 hours from your consent withdrawal or change in your consent preferences. Notice of consent withdrawals or changes to consent preferences sent to us by email or through our customer hotline may take up to 10 business days to come into effect.
Where you are given the option to provide your Personal Data to us for a purpose, you can always choose not to do so. If we have requested your consent to process your Personal Data for a purpose and you later choose to withdraw your consent, we will respect that choice in accordance with our legal obligations.
However, choosing not to provide your Personal Data or withdrawing your consent to a purpose could mean that we are unable to perform the actions necessary to achieve the purposes of processing described in the section “What we use personal data for”, or that you are unable to make use of our products or services. After you choose to withdraw your consent, we may be able to continue to process your Personal Data to the extent required or otherwise permitted by applicable laws and regulations.
If you wish to make a request to exercise your rights, you can contact us through our contact details set out in the section “How to contact us” below.
We will verify all requests for the exercise of your rights. In order to verify your authority to make the request, we may require you to provide supporting information or documentation to verify your identity and authority to make the request. Requests will be processed as soon as practicable, subject to available information to verify, assess and respond to your request and what is permitted under applicable laws. Once verified, we will give effect to your request within the timelines prescribed by applicable laws.
If you request for a copy of your personal data and we are able to accede to your request, a fee may be charged for providing the copy. In such an event, we will inform you of the fee to be charged for the requested copy.
By requesting to correct your personal data with GXS Bank, you consent for GXS Bank to disclose the corrected personal data to third party organisations for purposes outlined in this Policy.
We may from time to time modify, update or amend the terms in this Policy. Such amendments shall be notified to you through our App and/or other appropriate means before the effective date. It is your responsibility to review this Policy regularly. Your continued use of our Apps or services, or continuing to communicate with us following the modifications, updates or amendments to this Policy, whether or not reviewed by you, shall constitute your agreement to be bound by such amendments.
If you have any queries about this Policy or would like to exercise your rights as set out in this Policy, please visit our customer help center or contact our Data Privacy Officer at:
Data Privacy Officer