Sainsbury's Financial Services Privacy Policy
If you have a credit card, savings or personal loan account which has transferred to NatWest, please see the relevant privacy policy here.
Last updated July 2026.
We understand that your privacy and the security of your personal data is extremely important. This notice sets out what we do with your personal data, what we do to keep it secure, from where we collect it, and your rights in relation to the personal information we hold about you. A summary of key information within this policy can be found below:
- We are part of the Sainsbury’s Group and may share your information with other members of the Group where we have an appropriate reason to do so
- We work with trusted 3rd party suppliers who may process your information with us or on our behalf to provide you with our products and services
- We may use your personal data to show you online advertising on websites across the Sainsbury's Group, on other websites and online media channels. If you want us to stop using your data for this purpose, then see 'Digital Advertising' below.
- If you previously held a Sainsbury’s Bank or Argos Financial Services (Home Retail Group Card Services) product which did not transfer to another data controller, you may request copies of your information using this form.
- You have a number of rights over your personal data. How you can exercise these rights is set out in this notice.
Who are we?
This policy details how Sainsbury’s Financial Services Ltd. (registered no 03279730) whose registered office address is 33 Charterhouse Street, London, England, EC1M 6HA collects, uses, maintains and discloses personal data. Sainsbury’s Financial Services Ltd is authorised and regulated by the Financial Conduct Authority (FRN 184514).
For the purposes of data protection law, Sainsbury’s Financial Services operates as a “data controller” (which means the entity which determines the purposes and means of any processing of personal data which relates to you under this privacy policy) and a “joint data controller” (where two or more controllers jointly determine the purposes and means of the processing of the same personal data.
Sainsbury’s Financial Services is part of the Sainsbury’s Group. The Sainsbury’s Group Privacy Policy can be viewed here. To see the Nectar Privacy Policy click here).
Who are our partners?
Sainsbury’s Financial Services has trusted partners who work with us to provide you with the products and services you have purchased. These trusted and authorised partners process your personal information to do this and they must respect and protect your personal data to the same high standard we do.
Insurance Products
Sainsbury’s Financial Services offers a variety of insurance products to our customers. We work with a number of insurance partners (or ‘underwriters’) who provide these products to our customers. These are known as branded insurance products.
When you buy a Sainsbury’s Financial Services product, these will be underwritten by one of our insurance partners. These partners collect all the information about you that they need in order to provide you with the product – they are the ‘Data Controller’ of that information (i.e. they decide how the information is used) and you can ask them about how they use your information by contacting them using the details provided in your terms and conditions or on their website.
These partners pass certain necessary information about our customers back to us once they’ve bought an insurance product. This information helps us understand what products our customers have and how we can provide the best possible service for those customers across Sainsbury’s Group.
What sort of personal data do we process?
Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (e.g. anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
Account Information | Information that you provide to us such as your name, address, date of birth, telephone number, email address, bank account and payment card details. |
Transaction Information | Information about the goods and services that you buy from us (including for example, what they were, when and where you bought them, how much you paid, the way you use them, and so on). |
Credit Data | Information required to make decisions about your applications for products and services we offer (for example insurance, store cards, Travel Money services). |
Login Information | Your account login details for our websites and apps, including your username and chosen password. |
Preference Data | Information about whether or not you want to receive marketing communications from us. |
Identity Data | Identity documentation (including for example, your passport, driving licence and utility bills) to support our money laundering requirements under applicable law. |
Device Data | Information about any device you have used to access our services (such as your device’s make and model, browser or IP address) and also how you use our services. For example, we try to identify which of our apps you use and when and how you use them. If you use our websites, we try to identify when and how you use those websites too. |
Engagement Data | Details of the emails and other electronic communications you receive from us, and how you interact with them. For example, whether the communication has been opened, if you have clicked on any links within that communication and the device you used. |
Externally Obtained Data | Information from other sources such as specialist companies that provide customer information. For example credit reference agencies such as Experian; the Royal Mail, fraud prevention agencies, claims databases, marketing and research companies, social media providers, and the DVLA, as well as information that is publicly available. |
CCTV data | Information captured by our CCTV if you visit any of our premises. |
Correspondence | Records of your interactions with us such as call recordings, web chats and emails. |
We do not aim any of our products or services directly at children and we do not knowingly collect personal data about children under 18 in providing our services.
Our legal basis for processing your personal data
Whenever we process your personal data, we need something called a “legal basis” for what we do. The different legal bases we rely on are:
- Consent: You have told us you are happy for us to process your personal information for a specific purpose(s)
- Legitimate interests: The processing is necessary for us to conduct our business, but not where our interests are overridden by your interests or rights
- Performance of a contract: We must process your personal information in order to be able to provide you with one of our products or services
- Vital interests: The processing of your personal information is necessary to protect you or someone else’s life
- Legal obligation: We are required to process your personal information by law
In the limited circumstances that we process any “special category personal data,” in addition to one of the legal bases noted above, we also need that we have a further legal basis for such processing. This will most commonly be one of the following:
- Explicit Consent: where you have given us your explicit consent to the processing
- Vital Interests: the processing is necessary to protect your vital interests or those of another natural person where you are physically or legally incapable of giving consent
- Made public by the data subject: processing relates to personal information that you have made public
- Legal claims and judicial acts: the processing is necessary for the establishment, exercise or defence of legal claims; or
- Substantial public interest: the processing is necessary for reasons of substantial public interest (e.g. regulatory requirements, to protect customers’ economic wellbeing, preventing or detecting unlawful acts)
When we refer to “special category personal data” we mean personal data that reveals racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs or trade union membership, genetic data, biometric data (where used for identification purposes), data concerning health, sex life or sexual orientation of an individual.
How we process your personal information
We may use your information in the following ways:
| Purpose of processing and data types | Why do we process personal data? | What is our legal basis for processing personal data? |
|---|---|---|
To provide our products and services | We need to use your personal data to make our products and services available to you. This processing may include using your personal data to: • Deliver products or services to you; | Performance of a Contract: We process your personal data if we have a contract with you and we have to use your data as a necessary part of that contract. Legitimate Interests: Once you’ve purchased a product or stopped receiving a service from us, we keep your data for a period of time afterwards in line with our Retention Schedule. For example your information might be needed to deal with a complaint. |
To improve your experience | We try to understand our customers so we can provide you with a great experience, personalised offers, ideas and online advertising. Understanding how customers use our websites and apps, how they interact with Sainsbury’s Bank and the products and services that they buy all helps us to do this. | Legitimate Interests: This processing helps us to serve you better and to improve our service offerings. |
Analytics and Profiling | We use your personal data for statistical analysis and to help us understand more about our customers. These profiles also help us to send you offers that are more relevant to you and present you with marketing and digital advertising that is more tailored to your interests and preferences and to help our digital marketing platform partners to try to identify other individuals who share similar preferences. This may include using cookies and similar technologies on our website and apps to improve your customer experience. | Legitimate Interests: This processing helps us to serve you better and to find ways to improve our services, apps and websites. These profiles help us to send you offers that are more relevant to you. Consent: To use non-essential cookies we rely on consent. |
For safety, security and fraud prevention | We use your personal data to help provide safe and secure environments for our customers to shop in, our colleagues to work in and for our businesses to be conducted. To enable this we monitor behaviour on our premises, online behaviour and carry out checks to help us ensure that our customers are genuine to prevent fraud and to help customers use our services appropriately. | Legitimate Interests: To ensure that our premises and offices are secure and to protect our commercial and confidential information. Legal Obligation: We have certain legal obligations to protect our customers and staff. |
Contacting you | We use your personal data to contact you. This may be in relation to a service update, an issue you have raised with us, to conduct market research, to ask for your feedback or to send you regulatory communications | Performance of a Contract: We may contact you to ensure that we comply with the terms of our contract with you (e.g. if we update any contract terms so as to notify you of what has changed) or to send you regulatory statements and communications Legitimate Interests: We may contact you to conduct activities (e.g. obtain feedback on our performance) to support us in improving our products and/or services and to support the training of our employees. Consent: If you ask us to contact you or send you something |
Marketing | We use your personal data to provide relevant marketing communications (including by email, phone, SMS, coupon at till or post), relating to our products and services. We may also use information about how you interact with us to measure the effectiveness of these campaigns. | Consent: Depending on the marketing activity that we undertake, we may obtain your consent before undertaking marketing. Legitimate Interest: To promote our products and/or services to you and provide you with details of offers you may be interested in. |
Digital Advertising | When you browse our websites and apps, or certain other websites, apps, or social media platforms you may see advertising that is tailored to you. This may be informed by our use of your personal data as explained in the "Analytics and profiling" section above. These adverts may be presented to you by us, or by selected third parties that we think you might want to hear from. We also check how you and our other shoppers engage with these types of advertisement (for example, if you click on them, or subsequently make a purchase with us), so we can determine whether to show you more or fewer similar advertisements in future. More information about this is set out in our Cookie notice and banner. Importantly, we know that not everyone wants to see the kind of advertising described above, so you can always say no when presented with the Cookie banner or by managing your "cookie" preferences through our websites and apps by selecting "required only". | Consent: We gather this consent when presenting you with a banner when you visit our websites and apps. You can opt out at any time. |
Create Data Models | We combine personal data (including data that Nectar share with us) to enable the creation of data models for financial services purposes, such as data models designed to indicate a shopper’s credit worthiness and insurance risk. As part of this, we may need to share personal data with the third parties who provide the financial services products offered under the Sainsbury’s Bank name. These models are created by combining datasets of transactional information at Sainsbury’s, Argos, Habitat and Tu with datasets such as credit worthiness and credit performance data or insurance performance data. These data models are applied to personal data shared with us by Nectar to offer Nectar collectors a more convenient product (such as pre-approval for credit) or to give you a better deal on a financial product such as credit or insurance. The models will never result in an increase in price or a product being declined. | Legitimate Interests: This processing helps us to serve you better and to improve our service offerings. |
To trace and recover debt | We may access information from third parties such as Credit Reference Agencies to get up to date contact details where we need these to recover money owed to us. | Legitimate Interests: We need to recover payments that are due to us for services and/or products provided to you to operate our business. |
Customer Service | We record or keep a record of most communications between us. This could be in the form of call recordings, transcripts of calls, emails or web chat conversations. We do this to provide a great service to our customers, to develop our business, to prevent fraud, for staff training, and if something has gone wrong to manage customer complaints or claims. | Legitimate Interests: To protect and develop our business as call recordings and web chat transcripts help us to meet our responsibilities to combat fraud, provide good customer service and respond to complaints. To protect our business and interests against claims and/or to recover any monies that may be owed to us Legal Obligation: We have legal and regulatory obligations to respond to and deal with any complaints that you may raise in respect to our products and/or services. |
Data Retention | We retain historical Sainsbury’s Bank and Argos Financial Services product and application data to meet our legal and regulatory record keeping obligations. | Legal Obligation: We have legal and regulatory obligations to retain certain personal documentation Performance of a Contract: |
Cookies and similar technologies
We use cookies to help give you the best experience on our websites and to allow us and third parties to tailor ads you see on ours and other websites. For more information please see the cookie policy available here:
Who might we share your personal information with?
We may share your personal information with the following third parties as part of the purposes set out in ‘How do we use your personal information?’ above:
The Sainsbury's Group - we may share your personal information with companies within the Sainsbury's Group so that we can provide you with a high quality, personalised and tailored service (including relevant marketing) across the Sainsbury’s Group and for the purposes that are set out in this privacy policy and the Nectar Privacy Policy.
For example, the products that you purchase in one part of the Group are shared within the Group and with Nectar if you use your Nectar card and when shopping with us.
Our service providers - we work with different companies so that they can help us provide the products and services you require from us or we think you might be interested in. These third parties include:
- Advertising companies, partners and suppliers, or digital media platform partners like Meta and Google, who help us target Sainsbury’s Financial Services or selected third party partner adverts online and on other media
- Suppliers, if they will be delivering a product directly to you or providing a service on our behalf
- Social media providers – such as Facebook, Instagram and Twitter
- Market research partners, who help us analyse customer behaviour
- Companies that deploy our email campaigns because they need to know your email address to carry out these services;
- Companies that provide insights and analytics services so we can stock the right products, send the relevant marketing campaigns and understand our business and customers better
- Our agents, advisers or others involved in running accounts and services for you
- Third party vendors who help us manage and maintain the Sainsbury’s Financial Services IT infrastructure
- Insurance providers as more fully described in the relevant section of this policy
- Where relevant, our professional advisors, such as lawyers and consultants
- Security and fraud prevention companies to ensure the safety and security of our customers, colleagues and business
- Companies who administer competitions for us so they run smoothly
- Companies that enable us to collect your reviews and comments, both online and offline; and
- Companies that help us with our community and social goals
If you use the services provided by another company to interact with us, such as a virtual assistant or a social media platform, please be aware that your data is also subject to the privacy policies of these companies.
Other organisations and individuals - we may share your personal information in certain scenarios. For example:
- If we're discussing selling or transferring part or all of our business, we may share information about you to prospective purchasers and their advisers - but only so they can evaluate the relevant business; or
- If we are reorganised or sold to another organisation, we may transfer information we hold about you to them so they can continue to provide the Services to you.
- If we are required to by law, under any code of practice by which we are bound or where we are asked to do so by a public or regulatory authority.
- If we need to do so in order to exercise or protect our legal rights, users, systems and services; or
- In response to requests from individuals (or their representatives) seeking to protect their rights or the rights of others. We will only share your personal information in response to requests which do not override your privacy interests. For example, we will not share your personal information with individuals who are merely curious about you, but we will share your personal information to e.g. insurers, solicitors, employers etc. which have a legitimate interest in your personal information.
International transfers of personal information
From time to time we transfer your personal information to our, suppliers or service providers based outside of the United Kingdom for the purposes described in this privacy policy (please see the “Who might we share your personal information with?” section above for further details). When we do this, your personal information will continue to be subject to one or more appropriate safeguards set out in the law. These might be the use of model contracts in a form approved by regulators, or having our suppliers sign up to an independent privacy scheme approved by regulators.
Your rights
You have a number of rights under data protection legislation which, in certain circumstances, you may be able to exercise in relation to the personal information we process about you.
Right of Access: | The right to request copies of your personal data held by Sainsbury’s Financial Services * |
Right to Rectification: | The right to ask for inaccurate or incomplete data to be corrected. |
Right to Erasure: | The right to request that your personal data be deleted in certain circumstances. |
Right to Restriction: | The right to limit how we use your data. |
Right to Object: | The right to object to the processing of your data, particularly for direct marketing. |
Data Portability: | The right to request that your data be transferred to another organization. |
Right to Withdraw Consent: | If processing is based on consent, you have the right to withdraw it at any time. |
* If you previously held a Sainsbury’s Bank or Argos Financial Services product which did not transfer to another provider, you can use this form to request copies of your data
Right to complain
You have a right to lodge a complaint. If you wish to raise a complaint on how we have handled your personal information, please use our complaints process which can be found here:
Alternatively, you can contact our Data Protection Team at Privacy.Bank@sainsburysbank.co.uk who will investigate the matter. We hope that we can address any concerns you may have, but you can always contact the Information Commissioner’s Office (ICO). For more information, visit ico.org.uk
If you are seeking to exercise any of these rights, please contact us using the details in the “Contact Us” section below. Please note that we will need to verify your identity before we can fulfil any of your rights under data protection law. This helps us to protect the personal information belonging to our customer against fraudulent requests.
How long will we keep your personal information for?
We will keep your personal information for the purposes set out in this privacy policy and in accordance with the law and relevant regulations. We will never retain your personal information for longer than is necessary. In most cases, our retention period will come to an end 7 years after the end of your relationship with us. However, in some instances we are required to hold your personal information for up to 13 years following the end of your relationship with us (e.g. for data relating to historic Sainsbury’s Bank mortgage products).
Security
We take protecting your personal information seriously and are continuously developing our security systems and processes. Some of the controls we have in place are:
- We limit physical access to our buildings and user access to our systems to only those that we believe are entitled to be there
- We use technology controls for our information systems, such as firewalls, user verification, strong data encryption, and separation of roles, systems & data
- Systems are proactively monitored through a “detect and respond” information security function
- We utilize industry “good practice” standards to support the maintenance of a robust information security management system; and
- We enforce a “need to know” policy, for access to any data or systems
Contact us
If you would like to exercise one of your rights as set out in the “Your rights” section above or you have a question or a complaint about this policy, or the way your personal information is processed, please contact us by one of the following means:
By email: Privacy.Bank@sainsburysbank.co.uk
By post: Data Protection Officer, Sainsbury’s Financial Services, 1 New Park Square, Edinburgh Park, Edinburgh, EH12 9GR
Policy change
This privacy policy was most recently updated in July 2026.