Privacy Policy

This Privacy Policy outlines HDFC Bank Limited’s approach to processing of Data.

HDFC Bank is committed to treating data privacy seriously. It is important that you know exactly what we do with the personal data you and others provide to or for us, why it is processed and what it means to you. Please read this Privacy Policy carefully.

Definitions

The following capitalised terms shall have the meanings assigned to them as under:

“Bank” or “HDFC Bank” shall have the meaning as ascribed to the term in the first paragraph of this Privacy Policy.

“Covered Person(s)” or “You” shall have the meaning as ascribed to the term in the ‘Applicability’ section of this Privacy Policy.

“Data” shall have the meaning as ascribed to the term in the ‘Data’ section of this Privacy Policy.

“Derivation” shall have the meaning as ascribed to the term in the ‘Data’ section of this Privacy Policy.

“Derivative Data” shall have the meaning as ascribed to the term in the ‘Data’ section of this Privacy Policy.

“Processing Entity” shall have the meaning as ascribed to the term in the ‘Who we share your Data with?’ section of this Privacy Policy.

“Product(s)” shall have the meaning as ascribed to the term in the ‘Applicability’ section of this Privacy Policy.

“Specified Purposes” shall collectively mean, credit assessment, risk assessment, risk analysis, obtaining credit information reports, scores, scrubs, fraud checks, fraud detections, fraud prevention, detecting and preventing crime including crime/ terror funding, detecting malpractices or discrepant documents or information, prevention of misuse, assessment of credit worthiness, financial standing, due diligence, background check, physical and other inspections, verifications, obtaining any reports for any of the above, KYC/ AML checks, customer service, monitoring, collections, default detection, default prevention, default investigation, recovery, any legal proceedings, actions, enquiries, investigations, pursuing any remedies, enforcing rights, reporting including credit reporting, KYC reporting, default reporting, filing, perfections etc., whether any of these are undertaken internally or through any Processing Entity or through a combination of multiple options.

Applicability

This Privacy Policy applies to personal data of any natural person (“Covered Person(s)” or “You” or any cognate variations thereof) which is processed by or for HDFC Bank, whether in physical or electronic mode. This Privacy Policy applies in relation to all products, services and/or businesses [of our own/ of subsidiaries/ affiliates, or where we/ subsidiaries/ affiliates distribute, refer or act as agent or act as a sponsor bank or a Payment Service Provider (PSP) bank etc. in relation to any products or services, including any credit facilities, credit cards, debit cards, forex instruments, cheques, any other payment instruments, remittance services (both inward and outward), currency exchange services, prepaid payment instruments, loans, any other credit transactions or products or services, insurance products, investments, wealth management, estate management, credit assessment, financial products, advisory services, investment advisory services, capital markets, demat accounts, trading accounts, savings or current accounts, any other accounts, deposits, transfers, referrals, cash management, payment services and products, payment gateway, wallets, merchant acquiring, PSP services, Third Party Application Provider (TPAP) services, Unified Payments Interface (UPI), Point of Sale (POS) services, collections, distributions, agencies, trusts etc. (collectively “Product(s)” including where the initiation of any transaction is not directly with us but is with a relevant Processing Entity like in case of a UPI transfer through a TPAP where your account is not with us but we are a PSP bank)], intermediaries or consultants, Products as applicable to the Covered Persons, whether we are in direct relationship or indirect relationship through any other intermediary/ entity, vis-à-vis you, as also if you are an authorised signatory or authorised person or representative of a non-individual applicant/ customer/ user of any services, whether direct or indirect. 
Your Products’ terms and conditions will cover specific matters in addition to this Privacy Policy and this Privacy Policy does not limit any of those specific matters or any other consent that you may have given or may give to or for the benefit of HDFC Bank. Therefore, please also read such specific terms and conditions in relation to the Products and such other consents, wherever applicable.

Who we are

Throughout this document, “we”, “us”, “our” and “ours” or any cognate variations thereof refer to HDFC Bank.

“HDFC Bank” or “Bank” means:

HDFC Bank Limited having its registered office at Senapati Bapat Marg, Lower Parel (West), Mumbai 400013, Mumbai, India.

Website: https://www.hdfcbank.com/

Our contact details are given at the end of this Privacy Policy.

Data

The personal data collected or received falls into various categories as under: 

  • Identity & contact information
    • Name, address, signatures, biometric data, date of birth, copies of identity cards (ID), contact details including email id and phone number, address, previous names, maiden names, marital status, relatives information, nomination, medical condition, domicile, origin, citizenship, nationality, residence, any legal or other identifiers like Permanent Account Number (PAN)/ Taxpayer Identification Number (TIN)/ Aadhaar/ National ID/ Social Security Number/ or its equivalent, Photograph and Gender.
    • Data that identifies (whether directly or indirectly) a particular individual, such as information you provide on any forms, surveys, online applications or similar online fields.
    • Demographic information that you provide and aggregated or de-identified Data.

  • Financial details/circumstances
    • Bank account details, investments history, credit/debit card details, prepaid payment instrument details, any other instrument/ modality/ function details, UPI handles, income details, history in relation to these.
    • Employment / occupational information.
    • Residential status under banking, general and tax laws.
    • Spending/saving/investing/payments/receipts/borrowing history.
    • Risk profile, financial objectives, financial knowledge and experience, preferences and any other information to assess the suitability of the Products to you.
    • Information collected when you make or receive payments.
    • Other information such as information relating to occupation and financial situation such as employer’s name and address, if self-employed, type of account, and nature and volume of anticipated business dealings, with the conventional bank licensee, income proof, bank statements, income tax returns, salary slip, contract of employment, passbook, expenditure, assets and liabilities, source of wealth and signature.
    • Data that is collected when you make financial and non-financial transactions. Data may include information associated with the transaction such as amount sent or requested, amount paid for Products or merchant information, including information about any funding instruments used to complete the transaction.

  • Information you provide about others or others provide about you
    • If you give information or data about someone else (for example, information or data about a spouse or financial associate provided during the course of a joint application with that person), or someone gives information about you, it may be added to any Data that is already held about you and can be used in the ways described in this Privacy Policy.
    • Your Data from third party providers: In order to enhance our ability to provide relevant marketing, offers, and services to you, Data about you is obtained from other sources with your consent, such as email service providers, public databases, joint marketing partners, social media platforms, as well as from other third parties as appropriate.
    • Information including Data from credit information companies/ credit reference agencies, risk management and fraud prevention agencies, national and government databases.
    • Information including Data from other parties and entities where we are a part of a transaction in one or more roles even though we may not be directly interfacing you, for example during the course of remittances being initiated by you through your bank to a beneficiary whose bank account is with us.
    • Data of authorised signatories or authorised persons or representatives of non-individual applicants/ customers/ users of any services, whether direct or indirect.

  • Information from online activities.
    • Information about your internet activity is collected using technology known as cookies, which can often be controlled through internet browsers. For detailed information on the cookies used and the purposes for which they are used, see our Cookie Policy, which is available on our website.
    • Your digital and electronic devices, where various checks are performed that are designed to ascertain and verify your residency to ensure we meet our regulatory obligations. These checks include identifying and collecting your location (with your specific permission) and the IP address your device connects from and the collection of information about your use of the website or mobile app (including device type, operating system, screen resolution, and the way you interact with us).
    • Information about your Internet browser, IP address, information collected through tracking technologies.
    • Unique device identifier such as International Mobile Equipment Identity (IMEI) number, technical usage data, contact lists (in some cases where specific permission is obtained), technical data about your computer and mobile device including details regarding applications and usage details.
    • Information such as your fingerprint, etc. that you choose to provide to us. We will not collect your biometric information without your explicit consent.
    • Generation and storing password or PIN in encrypted form.

  • Other personal information
    • Information in relation to data access, correction, restriction, deletion, porting requests and complaints.
    • CCTV images and Data at our Bank branches, offices and ATMs (but only for security reasons and to help prevent fraud or crime).
    • Conversations during meetings/calls/correspondences/discussions with bank staff.
    • Social relationship details such as your father’s name, spouse’s name and mother’s name.
    • Behavioural details as to how you utilise our Products, offers etc., your browsing actions, patterns and online activity.
    • Records of correspondence and other communications with you, including email, telephone conversations, live chat, instant messages and social media communications containing information concerning your grievances, complaints and dispute.
    • Any other information, Data or records which you may consent to be collected or used.

Out of the aforesaid data points, the following are ‘sensitive personal data or information’:

  1. password;
  2. financial information such as Bank Account or Credit Card or Debit Card or other payment instrument details;
  3. physical, physiological and mental health condition;
  4. sexual orientation;
  5. medical records and history;
  6. biometric information; and
  7. any detail relating to the above clauses as provided by you.

Provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as ‘sensitive personal data or information’.

Any of the aforesaid data (whether personal data or sensitive personal data or information), information, know your customer (KYC) related data, any derivative thereof (“Derivative Data”) like any credit scores or behavioural projections, profiling, analytical results, reports (prepared by us or others) including through any algorithms, analytics, software, automations, profiling etc., and whether such derivative is from the information collected from you or in combination with any other information sourced from any other person, database or source whether by us or others, shall collectively be referred to as “Data” and any part of the process relating to arriving at the Derivative Data as above, whether through internal or external sourcing, shall be referred to as “Derivation”.

When and how your Data is collected?

Your Data may be collected or processed through any of the following:

  • When you submit the Data to us including when you ask for certain Products.
  • When you use the Products.
  • During the course of transactions.
  • When you apply for the Products, make enquiries or engage with us or with any other person where we are involved for any other person in the transaction concerning you.
  • Data collected during credit assessment, risk assessment, fraud checks, fraud detections, processes undertaken for fraud prevention, detecting malpractices or discrepant documents or information, prevention of misuse, assessment of credit worthiness, evaluation of financial standing, due diligence, background check, physical and other inspections, verifications, KYC/ Anti Money Laundering (AML) checks, monitoring, collections, recovery, customer service etc.
  • When you use our website and online services provided by us (including mobile applications) and visit our branches or offices.
  • When you email or call or respond to our emails/phone calls or during meetings with our bank staff or its service providers or representatives.
  • When you or others give the Data verbally or in writing. This Data may be on application forms, in records of your transactions or if you make a complaint.
  • From information publicly available about you. When you make Data about yourself publicly available on your social media accounts or where you choose to make the Data available through your social media account, and where it is appropriate to be used.
  • During or as a result of Derivation, from any person possessing the same or sourcing any Data therefor.
  • From any persons involved in any payment system or infrastructure or architecture of which HDFC Bank is a part including National Automated Clearing House (NACH), UPI, Electronic Clearing Service (ECS), ATM portability, Immediate Payment Service (IMPS), Real Time Gross Settlement (RTGS), National Electronic Fund Transfer (NEFT) etc., or from any persons (including TPAP) to whom the Bank acts as a service provider, distributor, agent, referral entity, promoter, marketer, sponsor bank, PSP bank, trustee, etc., where you are part of any payment or withdrawal or transaction or purchase/ sale/ distribution of any Product, whether as payee, payer, beneficiary, intermediary, distributor etc. and whether your interface/ interaction is directly with us or not or with any such other person or any platform/app.
  • Data collected through cookies.

By accepting this Privacy Policy or by applying for or using any Product (including where the initiation of any transaction is not directly with us but is with a relevant Processing Entity like in case of a UPI transfer through a TPAP where your account is not with us but we are a PSP bank), you agree that any person who submits any Data or part thereof to us or from whom we source the same (including Derivation), shall be deemed to have been authorised by you to submit such Data to us and you hereby further authorise the processing of any such Data by us or for us, for any of the purposes mentioned in this Privacy Policy. 

How we process your Data?

Whether we’re using it to confirm your identity, to help in the processing of an application for any Products or to improve your experiences with us, your Data is always handled with care and the principles outlined in this Privacy Policy are always applied. 

Purposes of processing Data

The processing of the Data may be done by us or any of the Processing Entities for any of the following purposes, and you agree and consent to the same:

  • To provide you with Products.
  • To manage relationships with you.
  • For enabling your use of Products.
  • For processing or executing transactions.
  • For enabling any applications/ requests for any Products, for processing any such applications/ requests, for performing any contract pursuant thereto and for undertaking any Specified Purposes in relation to any of the above.
  • To perform activities such as data analysis, audits, usage trends to determine the effectiveness of our campaigns and as input into improving Products.
  • For credit scoring, credit analysis, risk analysis, obtaining any reports, credit scores, credit information, scrubs, for assessing and undertaking/ evaluating financial standing, fraud check, fraud probability, reference checks, due diligence, inspections, etc. including from or through any credit information companies, bureaus, fintech entities or service providers.
  • For enabling use of our website, platforms, and online services (including mobile or web applications) and visiting our branches or offices.
  • To contact you or to establish contact with you or your whereabouts.
  • To allow you to utilize features on platforms/ apps by granting us access to Data from your device.
  • For security, business continuity and risk management.
  • For system or product development and planning, audit and administrative purposes.
  • To personalize your platform/ app experience.
  • To improve customer/ user experience.
  • To inform you about important information regarding our Products, changes to terms, conditions, and policies and/or other administrative information.
  • Where processing is necessary for the performance of a contract to which you are a party or in order to take steps prior to entering into a contract. To take actions that are necessary in order to provide you with the Products (performance of a contract), for example, to make and receive payments.
  • Where processing is necessary because of a legal or regulatory obligation that applies to us.
  • Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. Processing may be required to meet our legitimate interests, for example, to understand the customer behaviour, customer expectations, to build analytical models, or to understand how customers use or respond to the Products, or to develop new Products, as well as improve the Products we currently provide. This may also include sharing of your Data either as part of a sample or specifically or generally with any potential or actual service provider or consultant or vendor or third party or Processing Entity, for the purposes of testing of proof of concept, where the utility, workability, efficacy, authenticity of any solution or service proposed or being rendered by any such person may be tested, and any such person may process such Data along with any other data it may have or source externally, for the purpose of running or pilot running or testing of the proposed solution or service and to submit the results to us along with the Data and any other data which such person may have or source. You agree that such sharing of Data and processing thereof and testing of proof of concept is in our legitimate interest to improve our efficiency, customer service, product delivery, to prevent frauds, etc. and ultimately is a necessary part of developing the ecosystem where customers and potential customers including you, benefit. 
  • Where processing is necessary to protect your interests where we need to process your Data and you are not capable of providing consent (emergency situations).
  • Subject to a specific consent (obtained separately from this Privacy Policy), to allow you to participate in surveys and other forms of market research, contests and similar promotions and to administer these activities. Some of these activities have additional rules, which may contain additional information about how Data is used and shared.
  • To allow you to apply for Products (e.g., to prequalify for a loan, apply for a credit card, or to open an account, investment account, insurance or other financial product) including to pre-populate any Data during any application whether directly by us or through any service provider on any platform.
  • Subject to your specific consent in this regard, to sell, cross-sell, distribute or refer to you any Products (by us or through any of the Processing Entities) and for such purpose we may assess your credit worthiness or your eligibility through such means as feasible and for such activity we may also share the Data with/ receive from third parties.
  • Where we have your consent to do so.
  • We may also contact you or send you messages, notifications or alerts by post, telephone, text, email, WhatsApp, through social media, POS machines and other digital methods, including for example via our ATMs, mobile applications, push notifications, or online banking services (and new methods that may become available in the future).
  • For any purposes which are incidental or necessary to any of the aforesaid purposes.  

You agree that HDFC Bank may engage with any Processing Entity, for any of the aforesaid purposes or part thereof for any incidental or ancillary purposes, and may accordingly share Data with any of them and allow them to further process/ share the same, for the said purposes.

Automated processing

The way your personal information is analysed in relation to the Products, including applications, credit decisions and determining your eligibility for the Products, may involve automated profiling and decision making. This means that your Data may be processed using software that is able to evaluate your personal aspects and predict risks or outcomes, and that the decision making may be automated.

We may also carry out automated anti-money laundering and sanctions checks. This means that we may automatically decide that you pose a fraud or money laundering risk if the processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity.

Who we share your Data with?

We may share the Data with the following persons and/or in the following circumstances:

  • With subsidiaries and/or affiliates in an effort to bring you improved services across our family of Products, when permissible under relevant laws and regulations or with consent.
  • With service providers, vendors, agents etc. who perform services for us or assist us/ our subsidiaries/ affiliates to operate the business or provide the Products or services (own or where we/ our subsidiaries/ affiliates distribute, refer or act as agent etc.), intermediaries or consultants.
  • Entities or persons with whom we have tie-ups for the co-branded services, products or programs, any rewards programs or loyalty programs, any benefits, offers, features or any similar arrangements.
  • With co-lenders, co-originators, collaborators, and persons with whom the Bank may have a tie-up for any Products.
  • Other third parties to comply with legal requirements such as the demands of applicable warrants, court orders; to verify or enforce our terms of use, our other rights, or other applicable policies; to address fraud, security or technical issues; to respond to an emergency; or otherwise to protect the rights, property or security of our customers or third parties.
  • We may share your Data, without obtaining your consent or without intimating you: (a) with governmental, statutory, regulatory, executive, law-enforcement, investigating or judicial/ quasi-judicial authorities, departments, instrumentalities, agencies, institutions, boards, commissions, courts, tribunals, who ask for such Data including by way of an order, direction, etc; or (b) with any person, where disclosure is necessary for compliance of any legal or regulatory obligation. Wherever the Data is shared as above, we will not have control over how such Data is further processed by such authorities, persons, etc. (both under ‘a’ and ‘b’ above).
  • Credit information companies, bureaus, fintech entities, Central KYC Records Registry, or service providers for the purposes of obtaining any reports, credit scores, credit information, scrubs, financial standing, fraud check, fraud probability, reference checks, due diligence, inspections, risk analysis etc.
  • With any persons involved in Derivation.
  • With any persons involved in any payment system or infrastructure or architecture of which HDFC Bank is a part including NACH, UPI, ECS, ATM portability, IMPS, RTGS, NEFT etc. or with any persons (including TPAP) to whom the Bank acts as a service provider, distributor, agent, referral entity, promoter, marketer, sponsor bank, PSP bank, trustee, etc. where you are part of any payment or withdrawal or transaction or purchase/ sale/ distribution of any Product, whether as payee, payer, beneficiary, intermediary, distributor etc. and whether your interface/ interaction is directly with us or not or with any such other person or any platform/app.

The Data may also be shared by any of the aforesaid entities/ persons with their service providers, consultants, agents, subsidiaries, affiliates, co-brand entity/partner, distributors, selling/ marketing agents, any partners, fintech companies, other players/ intermediaries in any ecosystem of which we are a part, TPAPs (for whom we act as PSP bank), collaborators, co-lenders, co-originators, merchants, aggregators, lead generators, sourcing entities, clients, customers or other persons with whom we have a tie-up or contract for any products or services etc. for any of the aforesaid purposes or any purposes incidental or necessary thereto. Any person or entity with whom the Data or any part thereof is shared by us or further shared by any of them, for any of the purposes under this Privacy Policy, shall be referred to as a “Processing Entity”. [Wherever the Data is shared with any Processing Entity (with whom we have direct contract), we will through such contracts restrict the processing by them of such Data for the aforesaid purposes.]

For further information, please refer to the Products’ specific terms and conditions and application form.


Consent Withdrawal 

In the event you wish to withdraw your consent to processing of your personal data, you may do so by using the link available at https://applyonline.hdfcbank.com/consents/revocation.html. If you are unable to use the link, you also have the option to send us the duly filled Consent Withdrawal Form (Modified Date 4 April 2024) to privacy@hdfcbank.com using your registered mail ID.

Post successful verification of your consent withdrawal request, the Bank will process it promptly but no later than 30 business days. Please note that the Bank may continue to retain certain Data including personal data to comply with its legal and regulatory obligations. Withdrawal of consent may also impact certain Products or services being provided to you at the time.


Period of storage of the Data

We will keep the Data we collect on our systems or with third parties for as long as required for the purposes set out above or even beyond the expiry of transactional or account based relationship with you: (a) as required to comply with any legal and regulatory obligations to which we are subject, or (b) for establishment, exercise or defence of legal claims, or (c) as specified in this Privacy Policy, or (d) in accordance with specific consents.

Reasonable security practices and procedures

HDFC Bank is ISO 27001:13 compliant. We seek to use reasonable organizational, technical and administrative measures to protect Data within our organization. However, if you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the ‘How to contact us’ section.

Links/ Re-direction to Other Websites/ Platforms

From time to time, our website/ webpage/ platform/ apps may contain links or have a mechanism of re-direction to and from websites/ webpages/ platforms/ apps of other networks, advertisers, affiliates and Processing Entities. If you follow a link or such re-direction to any of these websites/ webpages/ platforms/ apps, please note that these websites/ webpages/ platforms/ apps may have their own privacy notices and that we do not accept any responsibility or liability for any such notices. Please check such notices, where available, before you submit any Data to these websites/ webpages/ platforms/ apps.

Right to review

Please note that the accuracy of the Data provided to us is essential, among others, for the provision of Products to you. It is therefore mandatory that you ensure the accuracy and completeness of all Data disclosed or shared. Without prejudice to any rights and remedies of the Bank under any contract in this regard, you shall be able to review the Data that you had provided and correct or amend as feasible any such Data which you find to be inaccurate or deficient. You may do this by following the process prescribed by HDFC Bank in this regard. For knowing the process you may contact HDFC Bank as per the section ‘How to contact us’ under this Privacy Policy.

Provided that HDFC Bank shall not be responsible for the authenticity of the Data supplied by you to Bank or any other person acting on behalf of the Bank.

Cookies

We may use cookies and similar technologies on our websites, mobile apps, and in our emails. Cookies are text files containing small amounts of information, which your computer or mobile device stores when you visit a website or use a mobile app. For more details in this regard you may please refer to our separate Cookie Policy available on our website.

How to contact us

You may contact our Privacy Contact at privacy@hdfcbank.com

Changes to this Privacy Policy

Our products, services, facilities, features, functionalities, and nuances thereof change constantly and our Privacy Policy will also change. You will be responsible for apprising yourself about the Privacy Policy and change, if any, on each use of our website or Apps, platforms or while applying for or making service requests for any Product or during usage of any Product or usage of any functionality. Without limiting your responsibility to keep yourself updated as above, we may update you that a change has been made through any channels of communication including in-App notifications, general banner on website, SMS, e-mail, social media messages, etc. The changed Privacy Policy shall be effective as soon as it is published/posted/hosted on our website/respective Apps/platforms. If you use our website or Apps, platforms or make any application/request for any Product or use any Product or make any service requests for or during usage of any Product or if you use any functionality provided by or for us, such act of any of the aforesaid uses shall by itself amount to your acceptance of the Privacy Policy with changes, if any.

This Privacy Policy shall be governed by the laws of India and any disputes arising out of or in relation to this Privacy Policy shall be subject to the jurisdiction of courts/ tribunals of Mumbai, India.

Privacy Policy for EU Customers

This Privacy Notice outlines HDFC Bank Limited’s (“HDFC Bank”) approach to data protection to fulfil its obligations under the EU General Data Protection Regulation 2016/679 (“GDPR”). This Privacy Notice applies to personal data of the Covered Person(s) which is processed by or for HDFC Bank as a controller, whether in physical or electronic mode. In this Privacy Notice, the expressions ‘personal data’, ‘data subject’, ‘controller’, ‘processor’ and ‘processing’ shall have the meanings given to them in the GDPR.

HDFC Bank is committed to treating data privacy seriously. It is important that you know exactly what we do with the personal data you and others provide to us, why we process it and what it means to you. Please read this Privacy Notice carefully to understand our views and practices regarding your personal data and how we will treat it.

Data Privacy Matters

This Privacy Notice applies in relation to all our products and services as applicable to the Covered Persons. Your product or service terms and conditions will specify which of our businesses is providing the relevant product or service to you. If you are a customer of one of these businesses, please also read the Data Privacy Notice applicable to such respective businesses. If you have any questions about how your personal data is processed, please contact our Privacy Contact.

Who we are

Throughout this document, “we”, “us”, “our” and “ours” refer to HDFC Bank.

HDFC Bank means: 

HDFC Bank Limited having its registered office at Senapati Bapat Marg, Lower Parel (West), Mumbai 400013, Mumbai, India and includes its branches in and outside India and subsidiary companies.

Website : https://www.hdfcbank.com/

Our contact details are given at the end of this Privacy Notice. Should you need further details about HDFC Bank, please visit the about us page in our website. 

Who is covered under this Notice (Covered Persons)?

Any natural person in relation to whose personal data (to the extent processed by or for HDFC Bank), the GDPR applies, shall be to the extent of such personal data and such processing be the "Covered Person(s)" or “You”.

The information we collect about you

The information we collect falls into various categories as under: 

  • Identity & contact information

    • Name, address, signatures, biometric data, date of birth, copies of identity cards (“ID”), contact details, marital status, relatives' information, nomination, medical condition, PAN/TIN/Aadhaar/National ID/Social Security Number or its equivalent, photograph, gender

  • Financial details/circumstances

    • Bank account details, investments history, credit/debit card details, income details, history in relation to these.
    • Employment / occupational information.
    • Residential status under banking, general and tax laws.
    • Spending/saving/investing/payments/receipts/borrowing history.
    • Risk profile, financial objectives, financial knowledge and experience, preferences and any other information to assess the suitability of our products to you.
    • Information collected when you make or receive payments.

  • Information you provide us about others or others provide us about you

    • If you give us information including personal data about someone else (for example, information about a spouse or financial associate provided during the course of a joint application with that person), or someone gives us information about you, we may add it to any personal data we already hold and we will use it in the ways described in this Data Privacy Notice.
    • Your personal data from third party providers: In order to enhance our ability to provide relevant marketing, offers, and services to you, we obtain personal data about you from other sources with your consent, such as email service providers, public databases, joint marketing partners, social media platforms, as well as from other third parties as appropriate.
    • Information including personal data from credit information companies/ credit reference agencies, risk management and fraud prevention agencies, national and government databases.
    • Information including personal data from other parties and entities where we are a part of a transaction in one or more roles even though we may not be directly interfacing with you, for example during the course of remittances being initiated by you through your bank to a beneficiary whose bank account is with us.

  • Personal data which you have consented to us using

    • Your agreement to allow us to contact you through certain channels to offer you relevant products and services.

  • Information from online activities.

    • We collect information about your internet activity using technology known as cookies, which can often be controlled through internet browsers. For detailed information on the cookies we use and the purposes for which we use them, see our Cookie Policy, which is available on our website.
    • Your digital and electronic devices where we perform various checks designed to ascertain and verify your residency to ensure we meet our regulatory obligations. These checks include identifying the IP address your device connects from and the collection of information about your use of the website or mobile app (including device type, operating system, screen resolution, and the way you interact with us). 

  • Other personal information

    • Information in relation to data access, correction, restriction, deletion, porting requests and complaints.
    • CCTV images and data at our Bank branches, offices and ATMs (but only for security reasons and to help prevent fraud or crime).
    • Conversations during meetings/calls/correspondences/discussions with bank staff.

When and how we collect personal data about you?

Personal data about you is gathered or collected:

    • When you ask us to provide you with certain products and services.
    • When you use our services or products;
    • During the course of transactions;
    • When you apply for products, make enquiries or engage with us or with any other person where we are involved for any other person in the transaction concerning you
    • When you use our website and online services provided by us (including mobile applications) and visit our branches, offices.
    • When you email or call or respond to our emails/phone calls or during meetings with our bank staff or its service providers or representatives.
    • When you or others give us personal data verbally or in writing. This personal data may be on application forms, in records of your transactions with us or if you make a complaint.
    • From information publicly available about you. When you make information including personal data about yourself publicly available on your social media accounts or where you choose to make information available to us through your social media account, and where it is appropriate for us to use it

How we process your Personal Data?

Whether we’re using it to confirm your identity, to help in the processing of an application for a product or service or to improve your experiences with us, your personal data is always handled with care and the principles outlined in this Data Privacy Notice are always applied.

Lawfulness and Purposes of the processing

The lawfulness and legal basis for obtaining, processing personal data about you will be one or more of the following:

    • Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. To allow us to take actions that are necessary in order to provide you with the product / service (performance of a contract), for example, to make and receive payments
    • Processing is necessary because of a legal obligation that applies to us. It may be necessary to allow us to comply with our legal obligations, for example, obtaining proof of identity to enable us to meet our anti-money laundering obligations under applicable law.
    • Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party. Processing may be required to meet our legitimate interests, for example, to understand how customers use our services and to develop new services, as well as improve the service we currently provide.
    • Where we have your consent to do so.
    • Its processing is necessary to protect your “vital interests” where we need to process your personal data and you are not capable of providing consent (emergency situations).

The table below sets out the purposes for which we use your personal data and our legal basis for doing so. Where we are relying on a legitimate interest, these are also set out below


What we use your personal data for / The legal basis for doing so (one or more under each sub-heading)

What we use your personal data for:

  • To provide our products and services to you and perform our contract with you
  • Establish your eligibility for our products and services.
  • Manage and administer your accounts, policies, benefits or other products and services
  • Process your applications for credit or financial services.
  • Process payments that are paid to you or by you. For example, if you hold a credit or debit card with us, we will share transaction details with our card scheme providers (e.g. Visa or MasterCard).
  • Run loyalty and reward programmes you have signed up to.
  • Contact you by post, phone, text message, email, social media, fax, using our online banking website or other means, but not in a way contrary to your instructions to us or contrary to law.
  • Monitor and record our conversations when we speak on the telephone (for example, to check your instructions to us, to analyse, to assess and improve customer service and for training and quality purposes).
  • Recover debts you may owe us.
  • Manage and respond to a complaint or appeal.
  • To undertake checks for the purposes of security, detecting and preventing fraud and money laundering, and to verify your identity before we provide services to you. These checks may reveal political opinions or information about criminal convictions or offences.

The legal basis for doing so:

  • Where necessary for the performance of our agreement or to take steps to enter into an agreement with you
  • Where the law requires this
  • Where it is in our legitimate interests to ensure that our customer accounts are well-managed, so that our customers are provided with a high standard of service, to protect our business interests and the interests of our customers
  • Where it is in our legitimate interests to ensure that complaints are investigated, for example, so that our customers receive a high standard of service and so that we can prevent complaints from occurring in future
  • In case of sensitive information, such as medical information, where you have agreed

What we use your personal data for:

  • To manage our business for our legitimate interests
  • Carry out credit scoring, credit management
  • Provide service information, to improve our service quality and for training purposes
  • Conduct marketing activities, for example, running competitions, promotions and direct marketing (provided that you have not objected to us using your details in this way), and research, including customer surveys, analytics and related activities

The legal basis for doing so:

  • Where necessary for the performance of our agreement or to take steps to enter into an agreement with you
  • Where the law requires this
  • Where it is in our legitimate interests to develop and improve our products and services to ensure we can continue to provide products and services that our customers want to use and to ensure our business model remains competitive.
  • Where it's in our legitimate interests to provide you with information about our products and services that may be of interest.
  • Where we have your consent to do so.

What we use your personal data for:

  • To run our business on a day to day basis
  • Carry out strategic planning and business portfolio management.
  • Protect our business, reputation, resources and equipment, manage network and information security (for example, developing, testing and auditing our websites and other systems, dealing with accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services) and prevent and detect fraud, dishonesty and other crimes (for example, to prevent someone trying to steal your identity).
  • Manage and administer our Bank’s legal and compliance affairs, including complying with our obligations to credit card providers, compliance with regulatory guidance and voluntary codes of practice to which we have committed and to comply with directive/order of any law enforcement agencies

The legal basis for doing so:

  • Where necessary for the performance of our agreement or to take steps to enter into an agreement with you
  • Where the law requires this

What we use your personal data for:

  • To share your information with Indian or other relevant tax authorities, Reserve Bank of India and other government authorities, credit reference agencies, fraud prevention agencies, and India and overseas regulators and authorities
  • To perform certain credit checks so that we can make responsible business decisions.
  • To assist with the prevention and detection of fraud and other crime
  • To assist overseas regulators, who monitor banks to ensure that they comply with the law and regulations

The legal basis for doing so:

  • Where the law requires this
  • Where we have a legitimate interest in performing certain credit checks so that we can make responsible business decisions. As a responsible organisation, we need to ensure that we only provide certain products to companies and individuals where the products are appropriate, and that we continue to manage the services we provide, for example if we consider that you may have difficulties making a payment to us.
  • Where we have a legitimate interest in assisting with the prevention and detection of fraud and other crime
  • Where we have a legitimate interest in assisting overseas regulators, who monitor banks to ensure that they comply with the law and regulations
  • More detail on our data sharing with these organisations is set out below

What we use your personal data for:

  • To send electronic messages to you about product and service offers from our Bank.
  • To use transaction history/account information from your HDFC Bank account or credit card to identify your spending and saving habits in order to personalise offers that are exclusive and individual to you, based on your account transactions.
  • To use cookies in accordance with our Cookie Policy.
  • To use information you have made public and combine this with the activities outlined above. When we ask for your consent, we will provide you with more information on how we will use your data in reliance on that consent, including in relation to third parties we would like your consent to share your data with

The legal basis for doing so:

  • Where necessary for the performance of our agreement or to take steps to enter into an agreement with you
  • Where the law requires this
  • Where we have your consent to do so.


When we process personal data to meet our legitimate interests, we put in place robust safeguards to ensure that your privacy is protected and before collecting, we ensure that our legitimate interests are not overridden by your interests or fundamental rights and freedoms.


We will send you messages by post, telephone, text, email and other digital methods, including for example via our ATMs, mobile applications, push notifications, or online banking services (and new methods that may become available in the future). These messages may be:

Automated processing

The way we analyse personal information in relation to our products and services, including applications, credit decisions and determining your eligibility for the products or services, may involve automated profiling and decision making. This means that we may process your personal data using software that is able to evaluate your personal aspects and predict risks or outcomes, and that the decision making may also be automated.

We may also carry out automated anti-money laundering and sanctions checks. This means that we may automatically decide that you pose a fraud or money laundering risk if the processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. 

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk: 

You expressly acknowledge that the automated decision is necessary for entering into or performance of a contract and/or you explicitly consent to such automated decision making; hence you are subject even to decisions which are solely based on automated processing. You have rights in relation to automated decision making: if you want to know more, please contact us using the details set out in the Contact Us section.



Recipients: Who we share your personal data with:

We only share your personal data with the following persons and/or in the following circumstances, and only as may be necessary:

  • Your authorised representatives
  • Third parties we need to share your personal data with in order to facilitate payments you have requested (for example, SWIFT, credit card issuers and merchant banks) and those you ask us to share your personal data with.
  • We may also share your personal data with the following third parties to help us manage our business for our legitimate interests:  
    • Statutory and regulatory bodies and authorities (including central and local government) and law enforcement authorities, investigating agencies and entities or persons, to whom or before whom it is mandatory to disclose the personal data as per the applicable law, courts, judicial and quasi-judicial authorities and tribunals, arbitrators and arbitration tribunals.
    • Overseas regulators and authorities in connection with their duties (such as crime prevention).
    • Third parties the Bank may engage to provide services to you.
    • Processors and service providers of HDFC Bank engaged for its various activities and services.
    • Credit information companies or Credit reference entities, identity and address verification organizations who may record and use your information and disclose it to other lenders, financial services organizations and insurers. Your information may be used by those third parties to make assessments in relation to your creditworthiness for debt tracing.
    • Other banks and financial institutions, quasi-governmental institutions like clearing houses, network associations, etc., where required in terms of contract or legal requirements.
    • Transferees and assignees and potential transferees and assignees of HDFC Bank.
    • Courier or postal service providers for the purpose of sending or collecting of mails to you as a customer.
    • Any other person or organization after a restructure, sale or acquisition, as long as that person uses your information for the same purposes as it was originally given to us or used by us (or both).
    • HDFC Bank’s branches in India or outside India, its subsidiaries, Affiliates and group entities.

      For further information, please refer to our product specific terms and conditions and application form.

Period of storage of your personal data

We will keep the personal data we collect about you on our systems or with third parties for as long as required for the purposes set out above or even beyond the expiry of transactional or account based relationship with you: (a) as required to comply with any legal and regulatory obligations to which we are subject or (b) for establishment, exercise or defence of legal claims. 

Implications of not providing personal data or Withdrawing Consent

Sharing personal data with us is in both your interest and ours. 

We need your personal data in order to:

When we request personal data, we will inform you if providing it is a contractual requirement, a statutory requirement or not, and whether or not we need it to comply with our legal obligations. 

You may choose not to share personal data or withdraw consent, but doing so may limit the services we are able to provide to you (unless consent is not the only legal basis for processing and there are other legal basis as well), particularly as under.

However, if you withdraw your consent, it will not affect the lawfulness of processing based on your consent before its withdrawal or the other legal basis which we may have for such processing.

Processing your personal data outside the EEA

HDFC Bank is incorporated and regulated in India, its overseas branches are regulated by host country regulations and subsidiaries are governed under applicable laws. As such, your personal data is stored on secure systems within HDFC Bank premises within India and with providers of secure information storage in India. Further, we may transfer or allow the transfer of personal data about you and your products and services with us to our service providers and other organisations outside the European Economic Area (EEA), with adequate safeguards to ensure your personal data remains adequately protected. If you need a copy of the safeguards provided to transferred personal data, please notify us in accordance with the “How to contact us?” section below. These jurisdictions and countries outside the EEA may have different and less stringent laws relating to the degree of confidentiality afforded to the personal data, and such information can become subject to the laws and disclosure requirements of such countries, including disclosure to governmental bodies, regulatory agencies and private persons, as a result of applicable governmental or regulatory inquiry, court order or other similar process. In addition, a number of countries have agreements with other countries providing for exchange of information for law enforcement, tax and other purposes.

For example, we may process payments using third parties (including other financial institutions such as banks and the worldwide payments system operated by the SWIFT organisation) 

How do we secure your Personal data?

HDFC Bank is ISO 27001:13 compliant. We seek to use reasonable organizational, technical and administrative measures to protect Personal data within our organization. However, if you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “How to contact us?” section below.

How to exercise your information rights (including the right to object)?

You have the following rights, in accordance with and subject to the qualifications and provisions under GDPR:


Right to object

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which processing is based on necessity for the purposes of legitimate interests pursued by us or third party, including profiling. Upon such exercise of your right, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds: (a) for the processing which override your interests, rights and freedoms or (b) for the establishment, exercise or defence of legal claims. 
Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. If you object to this use, we will stop using your information for direct marketing purposes.
If you exercise any of the aforesaid rights, in most instances, we will respond within one calendar month. If we are unable to deal with your request fully within a calendar month (due to the complexity or number of requests), we may extend this period by a further two calendar months. Should this be necessary, we will explain the reasons. However, where we have reasonable doubts concerning your identity, we may request the provision of additional information necessary to confirm your identity. Ordinarily, we will not charge a fee for the exercise by you of any rights as above. However, we may charge a reasonable fee if your request for access is found to be excessive or unfounded. Alternatively, we may refuse to comply with the request in such circumstances.
If you make your request electronically, we will, where possible, provide the relevant information electronically unless you ask us otherwise. 

Links to Other Websites

From time to time, our website may contain links to and from websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites may have their own privacy notices and that we do not accept any responsibility or liability for any such notices. Please check these notices, where available, before you submit any personal data to these websites.


Children

If you are a parent of a child under 16 (or such age as applicable for GDPR purposes in the respective EU Member States), you give your consent or authorise the consent if you wish your child to access HDFC Bank Services.

How to contact us

If you have any questions about how your personal data is gathered, stored, shared or used, or if you wish to exercise any of your information rights, please contact our Privacy Contact at privacy@hdfcbank.com 
Phone Banking: +91 22 67606161

Changes to this notice

We will update this Data Privacy Notice from time to time. Any changes will be communicated to you and made available on this page and, where appropriate, notified to you by SMS, e-mail or when you log onto website or start one of our mobile apps. 
Dated: 11 Oct-2022

Cookie Policy

Date of most recent update: 1st July 2022.

PLEASE READ THIS POLICY CAREFULLY BEFORE USING OUR WEBSITES

This policy explains how cookies are used on our websites.

This policy may be amended from time to time and the latest policy will be posted on this page.

By using our websites, you agree that we can place cookies on your device. Please be aware that some of our services will not function if your browser or device does not accept our cookies.

Please note that where we have another type of presence on a site owned by a third party, such as a page or handle on a social media site, that third party’s privacy policy and terms of use, rather than this Policy, will govern, unless specifically stated otherwise.


What are cookies?

Cookies are text files containing small amounts of information, which your computer or mobile device downloads when you visit a website. When you return to websites — or visit other websites that use the same cookies — they recognise these cookies and therefore your browsing device.

Cookies do lots of different jobs, like helping us understand how this website is being used, letting you navigate between pages efficiently, remembering your preferences, and generally improving your browsing experience. Cookies can also help ensure marketing you see online is more relevant to you and your interests.

You can learn about the cookies we use and how to manage them below.


What types of cookies does the Bank use?

The type of cookies used on most websites can generally be put into 1 of 4 categories: Strictly Necessary, Performance, Functionality and Targeting.

Strictly Necessary Cookies

These cookies are essential, as they enable you to move around the website and use its features, such as accessing secure areas. Without these cookies, services you've asked for can't be provided. These cookies don’t gather information about you that is used for marketing or remembering where you've been on the internet.

Performance Cookies

These cookies collect information about how you use a website, for example which pages you go to most often and if you get error messages from certain pages. These cookies don't gather information that identifies you. All information these cookies collect is anonymous and is only used to improve how a website works.

These cookies are not used to target you with online marketing. Without these cookies we can't learn how our website is performing and make relevant improvements that could better your browsing experience.

Functionality Cookies

These cookies allow a website to remember choices you make (such as your user name, language or the region you're in) and tailor the website to provide enhanced features and content for you.

Without these cookies, a website cannot remember choices you've previously made or personalise your browsing experience.

Targeting Cookies

These cookies are used to tailor marketing to you and your interests. They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They remember that you have visited a website and this information may be shared with other organisations such as advertisers. Although these cookies can track your visits to other websites, they don’t usually know who you are.

Without these cookies, online advertisements you encounter will be less relevant to you and your interests.


What happens if I disable cookies?

If cookies are disabled on your computer, tablet or mobile your experience on the website may be limited. For example, you may not be able to browse freely or use specific functions or features.


How do I disable/enable cookies?

To disable or enable cookies you will need to change some settings on your Internet browser.

We have provided step-by-step guides for the major desktop browsers below. 

For information on how to manage cookies on your tablet or mobile please consult your documentation or online help files.

Google Chrome

In the settings menu, select 'show advanced settings' at the bottom of the page

Select the 'content settings' button in the privacy section

In the page that appears, you can manage and/or clear stored cookies.

Firefox

In the menu, select 'options'

Select the privacy tab in the options box

From the dropdown, choose 'use custom settings for history'. This will present the options for cookies and you can choose to enable or disable cookies.

Internet Explorer 6+

In the tools menu, select 'Internet options'

Click the privacy tab

You will see a privacy settings slider which has six settings that allow you to control the number of cookies that will be placed: Block All Cookies, High, Medium High, Medium (default level), Low, and Accept All Cookies.

Safari

In the settings menu, select the 'preferences' option

Open the privacy tab

Select the option you want from the 'block cookies' section

Any other browser

For information on how to manage cookies via other desktop browsers please consult your documentation or online help files.


What happens to cookies that have been downloaded in the past?

If you've disabled cookies through your browser, we may still use information collected from existing cookies, but we'll stop using the disabled cookies to gather any further information. For information on deleting stored cookies in your browser, please visit the All About Cookies website.

SDK Policy

SDKs Information We Collect and Services We Provide


If you use our apps (e.g. a mobile application which integrates with Advertising services), we may use SDKs to gather non-PII information. At no point will these SDKs capture any personally identifiable information. We refer to the information we collect from our SDKs as the “SDK Information.” The SDK Information includes (or may include) the following:


1.   Information Collected About End Users by Our SDKs


  • Information about visits on the websites where we have implemented the SDK (e.g., session duration, time-stamp, referring URLs).
  • End User’s interactions information with apps and websites. (Session data which includes - First Launches, Upgrades, Daily Engaged Users, Monthly Engaged Users, Launches, Crashes, Previous Session Length, Average Page Depth, Average Time Spent on Page, Average Time Spent on Site, Bounce rate, Bounces, Daily Return Visits, Entries, Exits, Instances, Lifetime, Mobile Views, New Engagements, Occurrences, Page Depth, Page Events, Page Views, Path Views, Reloads, Return Visits, Searches, Single Access, Time Spent, Unique Customer, Unique Visitors, Visitors, App Visits)
  • IP address.
  • Email address, if provided to us.
  • End User’s browser and device information, specifically (Browser language type; Operating system version (e.g., Android, iOS); Network provider; Language setting; Time zone; Browser; Device height and width; Pixel density; Screen height and width).
  • A unique identifier, Advertising ID, which may uniquely identify an End User anonymously.
  • Location information (Location information is only collected if the user has granted permission to the App to collect this).
  • Channel source of App download


As noted above, we refer to all of the above collectively as the “SDK Information.”


2. How We Use the SDK Information

We use the SDK Information to provide following Services to our users:

  1. To operate and improve the app

  • Enable you to use app features
  • Communicate with you about the app, including by sending announcements, updates and security alerts which we may send through a push notification, and responding to your questions and feedback
  • Perform statistical analysis about use of the app
  • Measure and analyze effectiveness of marketing campaigns

  2. To send you marketing and promotional communication

  • We may send you marketing communications as permitted by law.
  • We might do the following analysis with aggregated data (no PII is stored or used at any given point in time):
    • Customer Journey Analysis: Conversion funnels such as from Home Page to Product Page to Lead Form
    • Traffic Analysis: Marketing channel categorized by visits, unique visitors, bounces etc.

3. How and Why We Share the SDK Information.

We share the SDK Information with service providers, to perform any of the activities set forth in Section 2.

HDFC Bank does not share SDK information with third parties except those who process the data on behalf of HDFC Bank.