Personal Data is any information relating to you as an identified or identifiable person, such as your name, addresses, telephone number, and email address and other information specific to you such as demographic details, employment details, your income and/or transaction information.

We will only collect Personal Data that is reasonably necessary for our business which will be processed in a manner consistent with the reason for collection. The types of information we collect will depend on which product or service you request or use.

We collect your Personal Data from different sources depending on which product or service you request or use. For instance, we collect Personal Data about you from:

• the application form for a card, and other information you directly provide to us;
• when you request or utilize products, goods or services (such as when you use your card to make transactions with merchants, ATM operators, use concierge services or book travel arrangements);
• publicly or commercially available records or databases;
• checks at credit bureaus (if applicable) such as SIMAH and Bayan or checks with other agencies authorized/licensed by the Saudi Central Bank (SAMA); and
• fraud prevention organizations including personal and business records (if relevant)
• through the way you communicate with us and use your account (such as information provided during servicing calls)
• any research, surveys or competitions you enter or respond to or any marketing offers for which you register; and
• third parties, such as marketing lists, which we lawfully obtain from business partners (i.e., third parties with whom we conduct business or have a contractual relationship, such as co-brand partners or merchants), or information we receive from our open banking provider (such as account information that you provide consent to such provider to collect from your bank, which is subsequently shared with American Express Saudi Arabia for the purpose of completing our verifications.

We use your Personal Data either on its own or combined with other information. We need a lawful reason under Data Protection Laws to process your Personal Data, which are as follows:

• where we have obtained your consent, such as certain marketing purposes or;
• where necessary for our legitimate interests, such as to prevent fraud and to protect network and information security or;
• where we have a legal or regulatory obligation pursuant to another law, such as Know Your Customer (KYC) and due diligence checks or;
• in implementation and performance of a contract to which you are party to or;
• where processing serves an actual interest to you, but communicating with you is impossible or difficult.

Please note that we consider and balance any potential impact on you and your rights before processing your Personal Data for our legitimate interest.

More specifically, we use your personal information:

With your consent (note you will always know when we are relying on your consent to use your Personal Data as we will ask you for consent first), to:

• market our products and services to you;
• send you ads, promotions, and offers by e-mail, SMS, or other electronic means about products and services from the American Express Group and those of our business partners;
• process credit data and sensitive categories of information, where required, such as your health data to provide you with a tailored service

For our legitimate interest, to:

Conduct research and analysis, including to:

• produce data analytics, statistical research, and reports on an aggregated basis;
• manage our business risks such as fraud, credit, operational, regulatory, reputational and security risks (using automated processes and/or manual reviews) including but not limited to: detect and prevent fraud or criminal activity
• conduct testing (to ensure security and when we update our systems), data processing, website administration and information technology system support and development;
• safeguard the security of your information;
• develop and refine our risk management policies, models and procedures for:
  • applications and customer accounts
• improve our products and services, including to:
  • better understand our customers, their needs, preferences and behaviors; place you in groups with similar customers to make predictions about you, deliver more personalized services and help determine whether you may be interested in new products or services;
• analyze whether our ads, promotions and offers are effective;
• monitor and/or record your telephone calls with us or our service providers to ensure consistent servicing levels (including staff training) and account operations;
• for images and/or CCTV recordings of you taken during your application or visit at our offices for security reasons

Where we have a legal obligation pursuant to another law:

• to comply with legal and regulatory obligations (such as performing credit checks before approving your application, due diligence and to prevent fraudulent conduct or behavior that contravenes international sanctions, and to comply with regulations against money laundering, and terrorism financing);
• to establish, exercise, or defend legal rights or claims and assist in dispute resolution;
• to comply with any rules, principles, or circulars issued by Saudi Central Bank or other applicable government bodies and regulators.

To administer our contractual relationship with you and deliver products and services, including to:

• process applications for our products, including making decisions about whether to approve your application;
• administer and manage your account, such as whether to process, approve and complete individual transactions;
• service and manage any benefits and insurance programs provided along with the products or services that you requested;
• communicate with you through email, SMS or any other electronic methods, by post and/or phone about your accounts, products, and services;
• update you about new features and benefits attached to the products or services that you requested;
• answer questions submitted to us by you and respond to your requests; or
• provide you with open banking services (for more information, please see the “Open Banking” section).

We may use your Personal Data (subject to your authorization) to provide our open banking services, or avail other financial institutions’ open banking services, such as:

• providing you with consolidated information on the payment account(s) that you hold with one or more bank(s) or payment institution(s)
• using your bank(s) or payment institution(s) information to make credit decisions

Any use of an Open Banking service provider will be carried out in accordance with regulatory requirements.

We may use fully automated processes to help us make certain decisions, including to evaluate certain attributes about you to provide our services or products. For example, we may use such processes to:

• assess security risks, detect and manage fraud; or
• process card applications; or
• assess credit risks, including to check if you meet our eligibility criteria and decide whether we can issue you a card; or
• manage credit limits as well as access to your limit facility

This is known as “automated decision making”. These decisions are based on information that we lawfully obtain, such as information that you provided in your application form (including your reported income), your payment history with American Express Saudi Arabia, and information we obtain from third parties, such as credit bureaus and other agencies licensed and authorized by the Saudi Central Bank.

Some of those decisions that are made solely by automated means have effects, such as the denial or approval of credit or card applications. However, we will only perform such processing if it’s:

• based on your explicit consent;
• authorized by a law to which American Express Saudi Arabia is subject.

In some circumstances, we may disclose Personal Information about you, including with:

• service providers, who perform services for us, such as: printing, mail, advertising, marketing, etc. We require all of our service providers to protect your data according to our standards and use it only for the purposes we allow;
• regulatory authorities, courts, governmental agencies and fraud prevention agencies, in order to comply with legal or regulatory requirements, assist in legal or regulatory investigations, and protect the rights of American Express Saudi Arabia or others;
• with credit reference agencies and similar agencies licensed and authorized by Saudi Central Bank to report or inquire about your financial circumstances, and to report or collect debts you owe;
• companies or other lines of products and services within the American Express group;
• business or commercial partners such as other financial institutions, loyalty programs, travel partners, and certain advertising partners with whom we offer or develop products and services;
• third parties for the provision of open banking and related services upon your authorization, for example where you seek to connect your account information to another platform
• other relevant third parties, as required or permitted by law or with your consent.
• police, regulatory authorities, courts, and governmental agencies to comply with legal orders, legal or regulatory requirements, and law enforcement requests;
• collection agencies and external legal counsel to collect debts on your account;
• business partners, such as parties that accept American Express branded cards for payments of goods and services purchased by you (i.e., merchants), your bank, or other payment card issuers to provide, deliver, offer, customize or develop products and services to you, and address or resolve claims. We will not share your contact information with business partners for them to independently market their own products or services to you without your consent. However, we may send you offers on their behalf with your consent. Please note that if you take advantage of an offer provided by a business partner and become their customer, they may independently send communications to you. In this case, you will need to review their privacy statement and inform them separately if you wish to decline receiving future communications from them;
• anyone to whom we transfer or assign our contractual rights.

Where necessary, and unless prohibited by applicable law, we’ll transfer your Personal Data to other countries. Some of these jurisdictions may not provide the same level of protection for Personal Data as provided in the Kingdom of Saudi Arabia. Some countries will have different Data Protection Laws. This includes transfers to countries outside the Kingdom of Saudi Arabia, such as to the United States where our main operational data centers are located. We do so to operate our business, process transactions on foreign purchases, administer your account, and to provide our products and services to you.

Keep in mind, no matter where we process personal information about you, we’ll always protect it in the manner described in our Privacy Statement and in accordance with applicable laws.

When we share your personal information with third parties outside the Kingdom of Saudi Arabia, we ensure that it is done so in a manner compatible with the Personal Data Protection Law.

Prior to providing us with any Personal Data belonging to another person, including Supplementary Cardmembers (i.e., other persons you have authorized with additional cards on your account), please ask that individual to review this Privacy Statement and confirm their acknowledgement of the processing of their Personal Data as described in this statement. Where you are the legal guardian of the Supplementary Cardmember, you agree to the collection of his or her personal information.

The provisions of this Privacy Statement apply to any Supplementary Cardmember(s) who you have approved to use your account. Where you have approved the issue of a Supplementary Card:

• we will use the information of a Supplementary Cardmember to process their application, issue their card, manage the account, and comply with our legal or regulatory obligations

Supplementary Cardmembers will not be permitted to make any alteration to any of your personal information unless you have provided us with your consent for them to do so.

We are committed to protecting the confidentiality and security of the information provided to us and have invested in robust technical, physical, and organizational security controls to protect information against unauthorized access, damage, disclosure, or loss.

To build a robust and compliant information security framework, AESA has adopted ISO/IEC 27001:2022, SAMA Cybersecurity Framework, National Cybersecurity Authority and PCI DSS 3.2.1 frameworks. These frameworks serve as a foundation for identifying, assessing and mitigating information security risks guaranteeing comprehensive protection for all information assets.

If you would like more information about the safeguards we have put in place, please contact us using the information provided herein, under “Queries or Complaints.”

We will keep your Personal Data only as long as we need to deliver the products and services that you requested, unless we are required to keep it for longer periods because of law, regulation, litigation or regulatory investigation purposes.

When your Personal Data is no longer necessary for legal or regulatory needs, to administer your account or to deliver the products and services you have requested, we will securely destroy such information in line with our internal policies or permanently de-identify it.

Under the PDPL, you have the following rights in respect of your Personal Data:

• You have the right to be informed in regards to how AESA handles your Personal Data;
• You have the right to request access to your Personal Data held by AESA;
• You have the right to request correction, completion, or update to your Personal Data held by AESA;
• You have the right to request destruction of your Personal Data in certain cases;
• You have the right to withdraw consent, if consent was the sole lawful grounds relied upon for processing.

Any requests to exercise these rights should directed to the Data Privacy Team. Please see “Queries or Complaints” for more information.

We obtain your informed and expressed consent before using and sharing your personal information for direct marketing purposes. If you wish to opt out of receiving marketing communications from American Express Saudi Arabia, we recommend that you opt out by using the opt out option provided. For example, you can unsubscribe from receiving marketing communication via email.

Alternatively, you can contact us in order to update your privacy preferences - please see the “Queries or Complaints” section below.

If you choose not to receive marketing communications from us, we will honor your choice. Please be aware that if you choose not to receive such communications, certain offers attached to the products or services you have chosen could be affected. We may contact you to ensure that the information we hold about your marketing preferences is up to date. Additionally, we will still communicate with you in connection with servicing your account, fulfilling your requests, or administering any promotion or program in which you have elected to participate. If you have more than one card with us, we will take your marketing preferences from the most recent card issued.

If you have questions about this Privacy Statement, wish to make a complaint or exercise your rights, please email our Data Privacy Team at Dataprotection@americanexpress.com.sa or call our customer service telephone number Toll-free within the Kingdom of Saudi Arabia on 8001242229 or call +966 11 292 6666 from telephones outside the Kingdom of Saudi Arabia. You may also write to: American Express Saudi Arabia, Data Protection Officer, P.O Box 6624, Riyadh, 11452, Saudi Arabia.