
Data Privacy Notice
At AMEX (Middle East) B.S.C. (c) (“AEME” or “we” or “us”) and AMEX (Middle East) B.S.C. (c) - Emirates (“AMEX Emirates”), we know that people care about their privacy and so do we. That’s why we have established a comprehensive data privacy program to help us protect your Personal Data and privacy rights, which are set out in this data privacy notice (the “Privacy Notice”).
AEME defines personal data as any information that identifies, or can be used in combination with other information available to the company to identify an individual, such as, but not limited to name, nationality, addresses, telephone number, email address, and other information specific to that individual such as demographic details (“Personal Data”).
In this Privacy Notice, we describe how AEME, in its capacity as the data controller, collects, uses, shares, and keeps information about you in accordance with all applicable laws and regulations. It applies to all Personal Data processed by our employees, contractors and partners doing business on behalf of AEME, as well as all legal entities and subsidiaries of AEME in the countries we operate in, including those where the legal framework for data privacy and protection is not yet fully developed.
To protect your privacy, AEME has put in place systems and controls to ensure all Personal Data is handled in a confidential and appropriate way and used only as outlined in the sections below. In this respect, AEME routinely provides all employees training and awareness on their responsibilities and obligations when accessing and handling Personal Data and reporting security and policy breaches. All employees are accountable for ensuring that Personal Data is protected in all processes and are required to acknowledge their understanding of, and commitment to following this Privacy Notice.
Collection of Personal Data by, and the disclosure to, governmental institutions and authorities will be carried out only on the basis of specific legal requirements. In all cases, this Privacy Notice imposes those restrictions that are necessary to meet the legal requirements of the applicable laws.
Please note that from time to time, we may change this Privacy Notice in accordance with any new or amended legal or regulatory requirement. Depending on the nature of the change, we will inform you through written communication by email or through our website.
1. PRINCIPLES OF DATA PROTECTION
There are a number of principles that we (as the controller of your Personal Data) adhere to, and rights that you have in relation to your data (as data subject). These include requirements that your Personal Data is:
a. processed lawfully, fairly and in a transparent manner;
b. collected only for specified, explicit and legitimate purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
d. accurate, and where necessary, kept up to date;
e. not kept in a form which permits identification of data subjects for longer than is necessary; and
f. processed in a way which ensures its security, using appropriate technical and organizational measures to protect against unauthorized or unlawful processing, and against accidental loss, destruction or damage.
Please refer to the “What are your Rights” section below for further information.
2. WHERE WE COLLECT PERSONAL DATA
We mainly collect Personal Data about you from:
a. the Card application form and other documents you provide to us, whether electronically or in writing;
b. when you request or utilize products, goods or services (e.g., use your Card to make transactions with merchants, ATM operators, use concierge services or book travel);
c. checks at credit information agencies and fraud prevention agencies including personal and business records (if relevant);
d. you, through the way you communicate with us and use your Card (e.g., telephone numbers provided during servicing calls);
e. any research, surveys or competitions you enter or respond to or any marketing offers for which you register; and
f. third parties, such as marketing lists which we lawfully obtain from Business Partners.
Please refer to the “IP Addresses and Cookies” section for information on how we collect data online.
3. WHAT PERSONAL DATA WE COLLECT
The types of Personal Data we capture and use will depend on what you are doing on the website or the Amex MENA App and/or if you have applied to become, or have already become, a customer, in which case we may also use it to process your application and/or manage the Account or a service you’ve applied for. Examples of the Personal Data we collect may include:
a. full name and personal details including contact information (e.g. home address and address history, email address, home and mobile telephone numbers);
b. nationality, date of birth and/or age (e.g. to make sure that you are eligible to apply for a product or service);
c. financial details (e.g. salary, employment information, and details of other income);
d. billing information to maintain your Account with us;
e. your identification documentation provided during the course of your application (for example, your identity card, proof of address and any other information required to verify your identity or eligibility for an account with us);
f. details of any correspondence or communications between us;
g. your Account user credentials to set up and maintain your Account with us;
h. records of products and services you’ve obtained or applied for, how you use them and the relevant technology used to access or manage them (e.g. mobile phone location data, IP address, MAC address);
i. images and/or recordings of you taken during your application for an Account with us or shown on your identity documentation or through our front office CCTV for security reasons;
j. information from credit information agencies or fraud prevention agencies, electoral roll, court records of debt judgements and bankruptcies and other publicly available sources as well as information on any financial associates you may have if you apply for a product or service with us;
k. family, lifestyle or social circumstances if relevant to the product or service you apply for (e.g. the number of dependents you have);
l. education and employment details/employment status for credit and fraud prevention purposes if you apply for a product or service with us; and
m. Personal Data about other named individuals as required. When you provide the Personal Data of others you must have their authority to provide their Personal Data to us and share this Privacy Notice and any related data protection statement with them beforehand.
4. WHY WE COLLECT PERSONAL DATA
The legal basis for us processing or analyzing your Personal Data will depend on what we’re trying to achieve. In general, we use your Personal Data:
a. as necessary to perform the obligations under the contract entered into with you for the relevant Card Account, insurance policy or service, including the steps we need to take at your request prior to entering into such contracts;
b. for our legitimate interests, such as for good governance, risk management, and managing and auditing our business operations;
c. for compliance with legal and regulatory requirements and related disclosures, such as for activities relating to the prevention, detection and investigation of crimes, and reporting to credit bureaus/agencies; and
d. to send you marketing communications where we’ve obtained your explicit consent to do so.
More specifically, we use your Personal Data to do the following:
a. deliver products and services, including to communicate with you about your Accounts, products, and services and to update you about new features and benefits attached to the products or services that you requested;
b. process your application (using automated processes and/or manual reviews), including verifying your identity and making credit, fraud prevention and anti-money laundering checks;
c. provide and improve our services and features provided to you, including monitoring and/or recording your telephone calls with us or our service providers to ensure consistent servicing levels (including staff training) and account operations;
d. prevent potentially illegal activities and to enforce our terms and conditions. We also use a variety of automated processes and/or manual reviews and technological systems to detect and address anomalous activity;
e. contact you with marketing-related announcements from time to time. You may opt out of all marketing-related communications except for essential updates and important notifications;
f. with your consent, communicate promotions and offers to you in relation to products and services that may interest you or which are similar to your existing American Express products and services and serve personalized advertisement to you; and
g. improve our products and services and conduct research and analysis.
We’ll tell you if providing some Personal Data is optional, including if we ask for your consent to process it. In all other cases, if you fail to provide the requested Personal Data, we may be unable to process or respond to your application, query or service.
5. IP ADDRESSES AND COOKIES
AEME’s web servers automatically record the Internet Protocol (“IP”) addresses of visitors. The IP address is a unique number assigned to every computer on the internet. Generally, an IP address changes each time you connect to the internet (it is a “dynamic” address). Note, however, that if you have a broadband connection, depending on your individual circumstance, the IP address that we collect may contain information that could be deemed identifiable. This is because, with some broadband connections, your IP address doesn’t change (it is “static”) and could be associated with your personal computer.
We also record the Universally Unique Identifier (the “UUID”) of your mobile device when you use our Amex MENA App. This is used to help prevent fraudulent access to your Account.
As well as recording the IP addresses of users, we track the pages visited on AEME’s website, the amount of time spent on those pages, the types of searches done on them, and the products you have viewed. Your searches remain confidential and anonymous. AEME uses this information only for statistical purposes, to find out which page users find most useful and to improve our website.
We also collect information through cookies and similar technologies. Cookies are small text files which are placed on your computer (or mobile phone or other device used to access the internet) whenever you visit a website. We use cookies for different reasons, including enhancing your visit to our website. The cookies we place on your computer cannot be used to retrieve any other data from your hard drive, to pass viruses to your computer, or capture your e-mail address. Some of the functions that cookies perform can also be achieved using alternative technology, hence, we use the term “Cookies and Similar Technologies” in this notice. Cookies and Similar Technologies serve several functions. Most Cookies and Similar Technologies won’t collect information that identifies you, and will instead collect more general information such as how users arrive at a website or an app.
At AEME, we may use the following categories of cookies:
Essential cookies: These are used to authenticate your identity, prevent fraud and provide you with the services that you have requested.
Functional cookies: These are used to remember you and recall your settings or preferences (such as, the preferred language) when you return to our website. These cookies are not used to track your activities on other websites.
Performance cookies: These are used to measure the performance of our website and online services. We use the information gathered from these cookies to improve our sites, as well as the products and services we offer.
Marketing cookies: These are used to record the websites you have visited in order to deliver customized ads to you. You can control the placement of these cookies via your browser’s do not track (“DNT”) settings.
You can manage your Cookies and Similar Technologies preferences through the American Express website, and/or through adjusting your browser settings.
If you do not want a cookie placed on your computer as a result of using AEME’s website, you can disable cookies altogether by modifying the preferences section of your web browser. Note that if you do so, some aspects of AEME’s website may be unavailable to you. If you choose to accept cookies on your hard drive, but wish to be informed of their appearance, you may turn on a warning prompt by modifying the cookie-warning section also located in the preferences section of your web browser.
6. HOW WE PROTECT YOUR PERSONAL DATA
AEME implements commercially reasonable, technical and organizational security controls to protect your Personal Data against theft, loss or misuse. Your data will be stored in a secure operating environment that is not accessible without authorization.
We use encryption techniques to protect the confidentiality and integrity of your Personal Data and have robust and advanced technical protocols to secure access to physical locations and virtual systems where Personal Data is stored. We have put in place appropriate incident and risk response plans to manage, contain and minimize problems arising from unexpected events, including internal and external breaches. You will be promptly notified of a data breach affecting your Personal Data where this may reasonably pose a risk to your financial and personal security and/or cause you reputational harm. As a matter of policy, we will thoroughly investigate all breaches and, depending on the outcome of the investigation, all affected customers will be redressed accordingly. The relevant authorities will also be notified according to applicable laws and regulations.
Please note, for business continuity and disaster recovery purposes, AEME may store data in a location outside the jurisdiction(s) in which we normally operate (for more information, please see the “Cross-border Data Transfer” section below). Similarly, we require our service providers to safeguard your Personal Data and only use your Personal Data for the purposes we specify (for more information, please see the “Third Parties” section below).
7. THIRD PARTIES
We do not share your Personal Data with anyone except as described below. We will share your Personal Data only with your consent or as required or permitted by applicable law, such as with:
a. credit information agencies and similar institutions to report or ask about your financial circumstances, and to report debts you owe to us;
b. regulatory authorities, courts, and governmental agencies to comply with legal orders, legal or regulatory requirements, and law enforcement requests;
c. collection agencies and external legal counsel to collect debts on your Account;
d. our service providers, and third parties such as your bank, or other payment card issuers;
e. companies of the American Express Group of Companies;
f. business partners, including co-brand partners (“Business Partner”), to provide, deliver, offer, customize or develop products and services to you, either jointly or separately. We will not share your contact information with Business Partners for them to independently market their own products or services to you without your consent. However, we may send you offers on their behalf with your consent. Kindly note that if you take advantage of an offer provided by a Business Partner and become their customer, they may independently send communications to you. In this case, you will need to review their privacy statement and inform them separately if you wish to decline receiving future communications from them; and
g. any party approved by you, including loyalty partners that you connect to your Membership Rewards® account (if applicable), and depending on your Card product, any partners available in your Card benefits program with whom you choose to enroll.
We use encryption techniques and take measures for the secure transfer of Personal Data to third parties and have internal procedures for verifying the identity of cross-border processors, third parties and service providers when transferring data to them.
8. SUPPLEMENTARY CARDMEMBERS
The provisions of this Privacy Notice apply to any Supplementary Cardmember(s) who you have approved to use your Account. Prior to providing us with any Personal Data belonging to another person, you must ask that individual to review this Privacy Notice and obtain consent for sharing his/her data.
Where you have approved the issue of a Supplementary Card:
a. we will use the information of a Supplementary Cardmember to process their application, issue their Supplementary Card, manage the Account, and comply with our legal or regulatory obligations; and
b. the Supplementary Cardmember may need to provide us with your Personal Data for identity verification when they contact us about activating or using their Supplementary Card, register for online services and access new or updated services and benefits.
Supplementary Cardmembers will not be permitted to make any alteration to any of your Personal Data unless you have provided us with your consent for them to do so.
9. CROSS-BORDER DATA TRANSFER
We process, transfer and access your Personal Data through our systems in the Kingdom of Bahrain, where our primary operational data center is located. In some instances, your Personal Data may be transferred and stored outside the Kingdom of Bahrain, such as for business continuity and disaster recovery purposes. In such scenarios, we will implement all commercially reasonable measures to protect your Personal Data against theft, loss or misuse, including seeking authorization from the competent authorities if required by applicable laws and regulations.
10. HOW LONG WE USE AND RETAIN YOUR PERSONAL DATA
Retention periods are set in accordance with applicable laws and regulations, to establish, exercise or defend our legal rights, and for archival purposes. If your Account is or has been in default, and/or the balance remains unpaid or unsettled, this information could be retained by us for longer periods of time and considered if you choose to apply for American Express products in the future. When your Personal Data is no longer necessary for legal or regulatory needs, to administer your Account or to deliver the products and services you have requested, we will take reasonable steps to securely destroy or anonymize such information.
For more information about our data retention practices, you can contact us – please see the “Queries or Complaints” section.
11. WHAT ARE YOUR RIGHTS
Under certain circumstances, you have the following rights under applicable data protection laws in relation to your Personal Data:
a. request access to your Personal Data and information about how we process it;
b. have your Personal Data corrected if it’s inaccurate and to have incomplete Personal Data completed. We encourage you to check regularly that all Personal Data held by us is accurate and up to date. We recommend that you visit our website, log in, and update your Personal Data. If you prefer, you can contact us – please see the “Queries or Complaints” section.
c. object to processing of your Personal Data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which may override your request.
d. request to restrict the processing of your Personal Data;
e. request to have your Personal Data erased where there is no good reason for us continuing to process it. Note, however, we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
f. ask us to transfer your Personal Data to you or to a third party;
g. be promptly notified of a data breach affecting your Personal Data where this may reasonably pose a risk to your financial and personal security and/or cause you reputational harm; and
h. request a manual review of certain automated processing activities where your legal rights are affected. Please note that if we do automated decision making to assess lending risks, this will be performed on the basis of it being necessary to perform the contract with you or take steps to enter into that contract.
Please note, in case you object to or restrict the processing of your Personal Data we may not be able to continue providing the products and services you have with us. In addition, these rights may be limited, for example, if the processing is required by law or for any other compelling legitimate interest.
12. MARKETING CHOICE
We obtain your informed and expressed consent before using and sharing your Personal Data for direct marketing purposes. If you wish to opt out of receiving marketing communications from the American Express Group of Companies, we recommend that you contact us in order to update your privacy preferences – please see the “Queries or Complaints” section below.
If you choose not to receive marketing communications from us, we will honor your choice. Please be aware that if you choose not to receive such communications, certain offers attached to the products or services you have chosen could be affected. We may contact you to ensure that the information we hold about your marketing preferences is up to date. Additionally, we will still communicate with you in connection with servicing your Account, fulfilling your requests, or administering any promotion or program in which you have elected to participate.
13. EASY WAYS TO PROTECT YOUR PERSONAL DATA
There are some things you can do to protect your Personal Data. This list is by no means exhaustive but will help make sure you do not become a victim of fraud:
a. avoid using simple passwords or numbers associated with personal dates;
b. never share a One Time Passcode (“OTP”), password or personal identification number (“PIN”) with another person, or leave them written down and accessible to others to observe;
c. change your passwords periodically;
d. do not log into your online services account using a public computer;
e. cautiously enter the PIN at an ATM or POS Terminal to ensure you are not being observed;
f. avoid entering your Online Account details after clicking on a link in an email or text message unless you are sure it has come from a reputable source;
g. do not send confidential information by email as it is not secure and there is always a risk it could be intercepted;
h. if you are logged into any online service, do not leave your computer unattended. Close your internet browser once you have logged off;
i. never download software or let anyone log on to your computer or devices remotely, during or after a cold call; and
j. you can easily identify secure websites by looking at the address at the top of your browser which will begin https:// rather than http://. We also recommend that you check the certificates issued to the secured website. This can usually be done by clicking on the padlock symbol next to the address bar in most standard browsers.
14. QUERIES OR COMPLAINTS
If you have questions about this Privacy Notice, how your information is handled or wish to make a complaint or exercise your rights, please write to us at DPO Office, AMEX (Middle East) B.S.C. (c), P.O. Box 5990, Manama, Kingdom of Bahrain or through the Make a Request or Contact Us section of your online account. Alternatively, you can use the following e-mail address: dpo@americanexpress.com.bh
This Card is issued by AMEX (Middle East) B.S.C. (c) pursuant to a license from American Express.
American Express is a registered trademark of American Express.
AMEX (Middle East) B.S.C. (c) is regulated and licensed by the Central Bank of Bahrain as a Financing Company.