M&S Bank – Pay by bank – Privacy Notice
Overview
This Privacy Notice explains how we will use your information in order to provide you with the Pay by bank service. It covers:
- the types of information we collect about you;
- how we collect and use it;
- who we might share it with;
- the steps we'll take to make sure it stays private and secure; and
- your rights to your information.
Please take the time to read and understand this Privacy Notice.
How we collect and use your information
Who we are
When we say 'we', 'us', or 'our', we mean M&S Bank (a division of HSBC UK Bank plc), which acts as a data controller in respect of your personal data.
Although M&S Bank is part of the HSBC Group, this Privacy Notice does not apply to your relationship or services with other parts of the HSBC Group (e.g. HSBC UK, HSBC business banking, first direct, or HSBC in any other countries) – they'll provide you with information separately where required.
What information we collect
We'll only collect your information in line with relevant regulations and law. Some of it will come directly from you, e.g. when you interact with the Pay by bank service. We might also get some of it from third parties, or publicly available sources.
Information that you provide to us, e.g.:
- your bank account provider that you are making the payment from.
Information that we collect or generate about you, e.g.:
- information about your device or the software you use, e.g. its IP address;
- cookies and similar technologies we use to recognise you and remember your preferences – our cookie policy contains more details about how we use cookies and can be found at marksandspencer.com/bankprivacynotice;
- information that we need to support our regulatory obligations, e.g. information about transaction details, consent and authorisation of payment initiation; and
- information identifying the payment you are requesting, your bank, payment value, reference number.
Information we collect from other sources, e.g.:
- information from your bank account provider that you are making the payment from, such as your bank account and sort code, payment references and confirmation of payment initiation.
How we'll use your information
We'll only use your information where we have a lawful reason for doing so. These reasons include where we:
- need to process the information to enter into or carry out an agreement we have with you (e.g. initiate or refund a payment);
- need to process the information to comply with a legal obligation (e.g. detecting or preventing fraud);
- need to pursue our legitimate interests (e.g. troubleshooting of the Pay by bank service or resolving disputes); or
- believe the use of your information as described is in the public interest, e.g. for the purpose of preventing or detecting crime; or we need to establish, exercise or defend our legal rights.
The reasons we use your information include to:
- initiate payments so you can make payments to your M&S card account from your bank account;
- carry out your instructions;
- comply with our legal and regulatory obligations;
- resolve disputes; and
- troubleshoot and improve the Pay by bank service, including analysing how it is used.
Who we might share your information with
We may share your information with others where lawful to do so, including where we or they:
- need to in order to provide you with the Pay by bank service you've requested, e.g. carrying out a payment request;
- have a public or legal duty to do so, e.g. to assist with detecting and preventing fraud;
- need to in connection with regulatory reporting;
- have a legitimate business reason for doing so, e.g. to verify your identity, to enable provision of the Pay by bank service, or to assess your suitability for the Pay by bank service;
- help support operational processes such as dispute management; or
- have asked you for your permission to share it, and you've agreed.
We may share your information with others, including:
- any member of the HSBC Group;
- any sub-contractors, agents, advisers or service providers of the HSBC Group (including their employees, directors and officers);
- any regulatory authorities of the HSBC Group;
- third parties such as our vendor who supplies us with the technology for the service and the bank account provider you made the payment from;
- governments, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities; and
- other parties involved in any disputes, including disputed transactions.
How long we'll keep your information
We keep your information in line with our data retention policy. The retention period will depend on various factors, including the purpose we're using it for (as the information will need to be kept for as long as necessary for those purposes) and any regulatory or legal requirements (as we may need to keep your information for a longer period to comply with these). If we don't need to retain information, we may destroy, delete or anonymise it more promptly.
How we keep your information secure
We use a range of measures to keep your information safe and secure, which may include encryption and other forms of security. We require our staff and any third parties who carry out any work on our behalf to comply with appropriate compliance standards, including obligations to protect any information and to apply appropriate measures for the use and transfer of information.
Transferring your information overseas
Your information may be transferred to and stored in locations outside of the United Kingdom ("UK") or the European Economic Area ("EEA") including jurisdictions that may not have the same level of protection for personal information. We will only share your information with people who have a right to see it, and we'll ensure that any transfers are lawful and appropriately protected. For example, the jurisdiction to which your information is transferred may be approved by the UK Government, European Commission or a data regulator or the recipient may have agreed to standard contractual clauses approved by the UK Government, European Commission or a data regulator that oblige them to protect the information.
We may need to transfer your information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for our legitimate interests. In some countries the law might compel us to share certain information.
You can get more details on the protection given to your information when it is transferred outside of the UK or EEA, including a copy of any standard data protection clauses entered into with recipients of your information, by contacting us using the details in the "More information" section below.
Your rights
You have a number of rights in relation to the information that we hold about you. These rights include:
- the right to access information we hold about you and to obtain information about how we process it;
- where we have asked for your consent to process your information, the right to withdraw that consent, which you can do at any time. We may continue to process your information if we have another legitimate reason for doing so;
- in some circumstances, the right to receive certain information you have provided to us in an electronic format and/or request that we transmit it to a third party;
- the right to request that we rectify your information if it's inaccurate or incomplete;
- in some circumstances, the right to request that we erase your information. Please note that we may continue to retain your information if we're entitled or required to retain it; and
- the right to object to, and to request that we restrict, our processing of your information in some circumstances. Again, there may be situations where you object to, or ask us to restrict, our processing of your information but we're entitled to continue processing your information and/or to refuse that request.
There are many ways you can contact us, including by phone, email, post, or by visiting us in branch in the event you wish to exercise your data subject rights. More details on how you can contact us are set out under the 'More information' section.
How to contact us
For further information on anything related to this app Privacy Notice, or to contact our Data Protection Officer (DPO), you can write to M&S Bank, PO Box 325, Wymondham, NR18 8GW or M&S Bank, Kings Meadow, Chester, CH99 9FB addressed ‘For the attention of Rights of Individuals Fulfilment (ROIF)’. Alternatively, you can contact us using the M&S Banking App where you can chat with us 24/7 or via telephone to talk to our customer support team (lines open 8am-8pm).
Last updated: 1 June 2026