ZA Bank Limited  

Privacy Policy 

See our use of your personal data and make your informed choices

 

ZA Bank Limited (“ZA Bank” or “we”), a licensed bank in Hong Kong, provides all-in-one banking services through ZA Bank App to customers.  ZA Bank is wholly-owned by ZhongAn Technologies International Group Limited.  For the purpose of this Privacy Policy, “ZhongAn Group” means each of or collectively ZhongAn Technologies International Group Limited and its subsidiaries and affiliates.

 

Thank you for paying attention to our Privacy Policy while experiencing more convenient banking services. If you have any questions, please contact our Data Protection Officer at bank_dpo@za.group. 

 

1. When and what types of personal data do we collect and protect? 

 

In this Privacy Policy, “personal data” means any data that we use to identify you (such as identity proof, facial recognition data), and also data that relates to you (such as your credit data, contact information, location data collected from your device with your consent).  We are committed to collecting and using your personal data in accordance with the requirements under the Personal Data (Privacy) Ordinance (the “Ordinance”). The sources and types of personal data we collect include:

  • You may provide us with information directly, such as the contact information you enter through ZA Bank App or website when opening an account with us or registering to use our services. 

  • We record the circumstances, status, interaction modes, and transaction activities regarding your application for and use of our products and services. 

  • When you use ZA Bank App or our website, we may access your device data, including data under your control on the Access Permissions page in ZA Bank App, and data collected through cookies or similar technologies (please refer to the cookie policy set out in our Conditions of Use of Website and Conditions of Use of App). If you accept cookies, your information will be collected, stored, accessed and used in accordance with the cookie policy. 

  • When you apply for a loan, we will obtain your credit report from credit reference agencies approved for participation in the Multiple Credit Reference Agencies Model in accordance with the Code of Practice on Consumer Credit Data issued by the Privacy Commissioner to assess your financial situation.  If you wish to access your credit report, we will provide you with the contact details of the relevant credit reference agency(ies). 

  • We may collect information from other individuals, companies (including ZhongAn Group) or public domains, such as criminal convictions, proceedings or charges related to the prevention of financial crime. 

  • We may also generate data related to you through integration and analysis of data (for example, your browsing behaviour on ZA Bank App), which may involve the use of big data analytics and artificial intelligence. 

  • When you apply for employment with us, we may collect from you information about your skills and abilities, bank account information, and details regarding your family members. 

 

2. How do we inform you and obtain your consent before collecting your personal data? 

 

We will let you make informed choices about the collection and use of your personal data by us in accordance with the Ordinance and industry practice.  When you provide data directly to us, you may ascertain the data scope and purposes through the relevant application forms or user interfaces. 

 

We are committed to using technology to conquer the limitations of traditional banks, bringing you better products and services, including launching new marketing campaigns and optimising the ZA Bank App functions from time to time.  If we request to collect or use your personal data or device data under these specific scenarios, in addition to the relevant terms and conditions (if applicable), we may provide you with supplementary privacy explanations through pop-up prompts, reminder checkboxes, or prominent links, and we will only collect your additional personal data with your consent. 

 

If you are our employee or are applying for a position with us, in addition to the resume and application form submitted by you, we may collect job-related information about you from your employer and former employer(s) to assess whether you are a suitable candidate.  Under this circumstance, we will explain the purpose of collecting your personal data to you separately.  Please refer to the privacy statement in the relevant application form.

 

If we have to collect personal data from a third party, we will take measures to ensure that the data transfer complies with the requirements under the Ordinance, including but not limited to ascertaining that the third party has obtained your consent.  In any event, we will not collect personal data of unknown origin.

 

3. What are the main purposes for which we use personal data? 

 

Like other licensed banks, we collect customers' personal data mainly for the purpose of providing banking products and services, including conducting Know-Your-Customer checks as required by regulatory requirements, managing risks and understanding customers' needs.  Generally speaking, if a customer does not provide the personal data required for the application for relevant banking products and services, we may not be able to provide the services or process the transactions.  For our notice to customers on the purposes of use of data according to common industry practice, please refer to our Personal Information Collection Statement.

 

On the other hand, as an employer, we will handle personnel records in accordance with the Code of Practice on Human Resource Management issued by the Privacy Commissioner, including curriculum vitae, application forms, references, appraisal and disciplinary records, salary, pension and benefits details, results of medical, security and financial checks, sickness records, personal contact details, bank account and tax details of employees (including potential employees, as applicable).

 

4. Besides providing general banking products and services, will we collect and use customer data for other purposes? 

 

We would like our customers to receive updates on the latest activities and promotions through various channels, so we will use customers’ personal data for direct marketing with their consent.  For details, please refer to paragraphs 7 and 8 of our Personal Information Collection Statement.  Individual customers may, without charge, update the channels for receiving direct marketing notifications under the Direct Marketing Notifications page in ZA Bank App, or contact our customer service hotline at 3665 3665 for assistance.

In addition, we are committed to enhancing interactive customer experience through technology.  When you participate in our marketing campaigns, games, or use interactive functions in ZA Bank App, we may collect the following data from your device: 

 

Data: Health or activity data, including step count data collected through third-party service providers.

  • For iOS devices, when you log in to ZA Bank App, the data will be synced from your iOS Health app or Motion & Fitness to ZA Bank App. The data may be collected from your iPhone, Apple Watch, compatible fitness tracking device, wearables or apps that use the iOS Health app.

  • For Android devices, when you log in to ZA Bank App, the data will be synced from your selected app (such as Health Connect, Xiaomi Pedometer or HUAWEI Health etc). You may connect an applicable fitness device or wearable to these apps for the data to work with ZA Bank App.

Purpose: This allows the customer to participate in the marketing campaign so that we may use the data to administer and facilitate the operations of the campaign, including the awards mechanism, subject to the terms and conditions of the campaign.

 

Data: Profile picture and nickname set in ZA Bank App. A customer may change his/her profile picture and nickname (which do not necessarily have to be his/her real personal information) on the My Profile page in ZA Bank App at any time as he/she sees fit.

Purpose: This allows the customer to choose whether to display his/her profile picture and nickname to other ZA Bank App users, making the interaction between the customers and other ZA Bank App users more intuitive. If we consider that displaying the profile picture and nickname may infringe on the rights of other people or it is not appropriate for use in ZA Bank App, we may delete the data.

 

For personal data that is not necessary for the purpose of providing banking products and services (including complying with obligations to combat financial crimes in accordance with applicable regulatory requirements), we will first obtain your consent before collecting such data.  You may withdraw your consent at any time, and once consent is withdrawn, we will no longer continue to collect and use the data and we may not be able to provide you with the functions and services corresponding to the consent.  However, the data collected prior to your withdrawal of consent will not be affected.

 

5. Under what circumstances will we share your personal data with third parties? 

 

We will not provide, transfer or disclose your personal data to third parties unless the types of third parties and the purposes have been covered in the Personal Information Collection Statement.  In the case of any change of the purposes of use of your personal data, we will obtain your consent in advance. 

 

ZA Bank provides banking products and services in Hong Kong and is governed by the Ordinance.  We collect, process and store personal data in Hong Kong.  Before we entrust a third party to process personal data, we will evaluate the third party's ability to protect personal data and specify the obligations of both parties to safeguard personal data through contractual means.  If the third party is located in a jurisdiction outside Hong Kong that may not have data protection laws similar to those in Hong Kong, we will take all necessary and reasonable measures to ensure that your personal data is adequately protected.

 

Except for the use or disclosure of personal data for complying with legal requirements or obligations (i.e. circumstances exempted under the Ordinance), we will only use or disclose personal data with the consent of the data subject. 

 

6. What is the retention period of personal data? 

 

In accordance with the requirements under the Ordinance, we will only retain personal data for the period necessary for the fulfilment of the purpose for which the data is collected.  We will take the following considerations into account when evaluating the retention period of personal data:

 

  • To fulfil the purpose of providing you with products and services, maintain relevant transaction and business records for handling your possible enquiries or complaints. 

  • To ensure our service quality and meet customer expectations, for example, we retain customers' application data so that they can continue the application process within the deadline.

  • Regulatory or legal requirements regarding data retention, for example, we are required to assist in detecting or preventing financial crimes or respond to regulatory requests. 

  • According to the Guidance on the Proper Handling of Customers’ Personal Data for the Banking Industry issued by the Privacy Commissioner, banks may retain customers’ personal data for 7 years after the end of the business relationship for the purposes of complying with legal or regulatory requirements to keep accounting or customers’ records and for the handling of potential litigation.  

 

In most cases, for personal data collected for administering and facilitating the operations of related marketing campaigns, if the participant has not established a business relationship with us, such personal data will be deleted within 90 days from the date on which the campaign expires, subject to the relevant terms and conditions of the campaign, to ensure that the personal data will not be kept longer than necessary. 

 

7. How do we ensure data security? 

 

We will take all practicable steps to protect the personal data we hold in accordance with the requirements of the Ordinance.  Our information security protection capabilities cover technical aspects such as system protection, access control and physical security.  Among other technical measures, data loss prevention systems and endpoint security are in place.  We have also established strict data management systems and operating procedures, and adopt a “need-to-know” principle in system administration, granting employees minimal access rights to complete their work. 

 

8. How do we protect personal data privacy in respect of use of big data analytics and artificial intelligence (BDAI)? 

 

We are committed to using innovative technologies in a secure and responsible manner, including the use of BDAI to provide better services to our customers.  Artificial intelligence generally refers to a range of technologies that mimic human intelligence and involve the use of computer programmes and machines to perform or automate tasks, including problem solving, generating recommendations and predictions, decision making and generating contents based on input data.  Further, generative artificial intelligence (GenAI) refers to the use of machine learning techniques to generate new data or content.  While adhering to the principles of consumer protection, we may use BDAI in the following areas:

 

  1. Enhancing customer online experience: for example, using facial recognition and Optical Character Recognition (OCR) technology in the account opening process to quickly verify the authenticity of the customer's identity document and photo, and using chatbots.

  2. Strengthening risk management and compliance: for example, anti-money laundering monitoring, fraud prevention, identifying suspicious transactions, assessing credit risk and making credit decisions.

  3. Improving operational efficiency: for example, automating administrative management, staff training, product and marketing design, and customer service procedures.

  4. Deepening market research: for example, predicting economic trends, analysing market behaviour and classifying customers.

 

Our fundamental principles for the use of BDAI are that we must ensure the benefits brought by the application of technology far outweigh the risks, and that our management team will be responsible for all the automated decisions made and contents generated.  We have implemented policies and procedures to address potential risks associated with the use of these technologies, including measures that aim to prevent issues such as biased outcomes resulting from inadequate training data or accidental disclosure of personal information during data processing.

 

To ensure the reliability and accuracy of automated decisions and generated contents, whether we build our own artificial intelligence models or fine-tune existing models with our specific data, the process requires a vast amount of data such as transaction and service records, which may include your personal data or non-personal data.  Data may also be transferred to vendors for model training or customisation.  Where practicable, we will remove identifiable data from the training data.

 

If the decision made by GenAI is likely to have a significant impact on customers for their application, use or understanding of our products and services, such as a system which assesses the credit worthiness of customers, or a chatbot generating direct responses to customer enquiries, we will adopt risk-based human oversight and provide customers with a channel to provide feedback or seek explanations, as well as the option to opt out from using the GenAI system.  Unless the use of artificial intelligence systems in specific scenarios is obvious, we will disclose the use of artificial intelligence systems to customers in a prominent manner.

 

9. What are my privacy rights? 

 

For the rights of data subjects, you can refer to paragraph 11 of our Personal Information Collection Statement.  Generally speaking, if we have collected your personal data, you have the right to access your personal data.  If you find that your personal data is inaccurate or incomplete, you have the right to request us to correct it. 

 

Before processing your request related to the exercise of your privacy rights, we will need to verify your identity. If we are unable to comply with your request, we will explain the reasons to you in accordance with the requirements under the Ordinance.  If necessary, you may contact the Office of the Privacy Commissioner for Personal Data (website: https://www.pcpd.org.hk) to further understand the relevant provisions of the Ordinance and the rights you are entitled to. 

 

---------------------------------------------------------------------------------------- 

 

Update: November 2024