Data Protection and Privacy Policy



1. Your personal information


Your personal information (such as information that identifies you or can be used to identify you, for example your name, date of birth and contact details) is protected by the Information Technology Act, 2000 (the IT Act) and Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (the Rules). This Data Protection Notice explains how Bank of America, National Association (“we” or “us”), collect, use and disclose personal information online and offline in connection with your personal information. For the purposes of this Data Protection Notice, personal information includes sensitive personal data or information as defined in the IT Act and Rules. This Data Protection Notice explains how we will use your personal information. This includes personal information we obtain from you, your employer or other parties, as well as information about your use of the account and our Global Card Access desktop and mobile application, your card and any transactions made with your card (including the date and amount of such transactions) and our communications with you.


For the purposes of the IT Act and Rules, Bank of America, National Association is the data controller in respect of your personal information and references to "we", "us" or "our" in this Data Protection Notice are references to Bank of America, National Association.


2. How we use your personal information


We will process and record your personal information:


  • to administer your card and account and provide online or offline services to you (including our Global Card Access desktop and mobile application);
  • to facilitate transactions;
  • to comply with the rules of any relevant card scheme;
  • to carry out, monitor and analyse our business;
  • as part of the sale, merger or similar change of our or any Bank of America Corporation business;
  • to detect, prevent and investigate fraud and to protect the security of your card accounts, including “know your customer”, anti-money laundering, conflict and other necessary onboarding and ongoing client checks, due diligence and verification, and anti-corruption and bribery or anti-terrorism activities;
  • to comply with any applicable laws, rules or regulations in any country and to comply with other legal process and law enforcement requirements; and
  • as otherwise permitted by applicable law, with your explicit consent or authorization.


In processing your personal information, we may transfer your personal information outside India to other countries, including countries which may not have equivalent data protection laws to those in India, including the United States of America. We are responsible for making sure that any such transfer is made in compliance with the IT Act and Rules.


Note: To comply with the Prevention of Money Laundering Rules 2005 (as amended), we must collect your Aadhaar information and carry out authentication in accordance with the Aadhaar (Authentication) Regulations 2016 which involves sharing of your Aadhaar and other identity information with the Unique Identification Authority of India (and its authorized representatives). Aadhaar information will be processed or disclosed only in relation to these purposes or any future use mandated by the relevant authority(ies) and/or law. Aadhaar information will be stored and protected in accordance with applicable regulations.


3. Recipients of your personal information


We may disclose your personal information (including details of your transactions) to:


  • any person or company working for us (including professional service organisations such as legal, audit and accounting service providers, technology and data processing companies and IT hosting providers);
  • any of our group companies, offices or branches;
  • your employer or any group company of your employer;
  • any person or company that provides products or services to you or your employer in connection with your card or account (including but not limited to Mastercard);
  • any person to whom we transfer or may transfer any of our rights or duties under the agreement we have with your employer;
  • any payment system under which we issue your card or account; and
  • any institution, court, agency or authority (including law enforcement authorities) to whom we are required to disclose it by law including, without limitation, anti-terrorism and anti-money laundering laws and regulations, and for the purpose of fighting crime and terrorism.


If you have given false or inaccurate information or we suspect fraud we will record this and may pass this information to fraud prevention and law enforcement agencies.


If any payment in relation to the account is processed through a worldwide payment system, information about you may be passed to certain authorities (including authorities outside India) in order to detect and prevent terrorism.


4. Collection of other information


“Other Information” is any information that does not reveal a person’s specific identity or does not directly relate to an identifiable individual, such as:


  • Browser and device information
  • App usage data
  • Information collected through cookies, pixel tags and other technologies
  • Demographic information and other information provided by you that does not reveal a person’s specific identity
  • Information that has been aggregated in such a manner that it no longer reveals a person’s specific identity
  • Survey responses and similar information that reveals views and preferences, but which does not reveal a person’s specific identity.


If we are required to treat Other Information as Personal Information under applicable law, we may use and disclose it for the purposes for which we use and disclose Personal Information as detailed in this Data Protection Notice.


We and our service providers may collect Other Information in a variety of ways, including:


  • Through a browser or device: Certain information is collected by most browsers or automatically through devices, such as a Media Access Control (MAC) address, computer type (Windows or Mac), screen resolution, operating system name and version, device manufacturer and model, language, Internet browser type and version and the name and version of the Services (such as the App) being used. We use this information to ensure that the Services function properly.

  • Using cookies: Cookies are pieces of information stored directly on the computer being used. Cookies allow us to collect information such as browser type, time spent on the Services, pages visited, language preferences, and other anonymous traffic data. We and our service providers use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalize the user’s experience. We also gather statistical information about use of the Services in order to continually improve their design and functionality, understand how they are used and assist us with resolving questions regarding them. We do not currently respond to browser do-not-track signals.

    Most browsers allow individuals to automatically decline cookies or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website. Please refer to for more information. Declining cookies may cause certain parts of the Services to cease working.


  • Using pixel tags and other similar technologies: Pixel tags (also known as web beacons and clear GIFs) may be used to, among other things, track the actions of users of the Services (including email recipients), measure the success of our marketing campaigns and compile statistics about usage of the Services and response rates.

  • Analytics: We may use Google Analytics, which uses cookies and similar technologies to collect and analyze information about use of the Services and report on activities and trends. This service may also collect information regarding the use of other websites, apps and online resources. You can learn about Google’s practices by going to

  • We may use Flash LSOs and other technologies to, among other things, collect and store information about your use of the Services. If you do not want Flash LSOs stored on your computer, you can adjust the settings of your Flash player to block Flash LSO storage using the tools contained in the Website Storage Settings Panel, which can be found by going to You can also go to the Global Storage Settings Panel at and follow the instructions (which may explain, for example, how to delete existing Flash LSOs (referred to as “information”), how to prevent Flash LSOs from being placed on your computer without your being asked, and how to block Flash LSOs that are not being delivered by the operator of the page you are on at the time). Please note that setting the Flash Player to restrict or limit acceptance of Flash LSOs may reduce or impede the functionality of some Flash applications.

  • IP Address: An IP address is automatically assigned to a computer by an Internet Service Provider. An IP address may be identified and logged automatically in our server log files whenever a user accesses the Services, along with the time of the visit and the page(s) that were visited. Collecting IP addresses is standard practice and is done automatically by many websites, applications and other services. We use IP addresses for purposes such as calculating usage levels, diagnosing server problems and administering the Services. We may also derive approximate location from IP address.


Uses and Disclosures of Other Information


We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. In some instances, we may combine Other Information with Personal Information. If we do, we will treat the combined information as Personal Information as long as it is combined.


5. Whether we will transfer personal information internationally


Personal Information may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access Personal Information.


By providing us with your Personal Information, you recognize and understand that we may collect, use, transfer, or disclose your Personal Information to the third parties and for the purposes identified in this Data Protection Notice to reasonably provide you with the Services. If you do not provide us with the Personal Information described in this Data Protection Notice, we may no longer be able to provide you with the Services and your receipt of such Services may promptly be discontinued.


6. How long we will keep your personal information


We will retain Personal Information for as long as needed in accordance with our retention schedules or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with our client and provide the Services; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).


7. Your rights in respect of your personal information


You have certain rights under the IT Act and Rules, including the right to request a copy of the personal information we hold about you and seek the correction of such information and the right to withdraw your consent to the processing of your personal information.


To request a copy of your personal information, please email Global Card Services at The requested information shall be provided free of charge within the limit of one request per year. If you wish to access, update or correct your personal information or withdraw your consent to the processing of your personal information in accordance with this Data Protection Notice, please email Global Card Services at Please note that if you withdraw consent, we may still be permitted to hold and process some of your information as required or permitted by law. Additionally, upon your withdrawal of such consent, we will immediately terminate your card.


For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.


Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed, due to other legal obligations.


8. Updates to this data protection notice


We may change this Data Protection Notice from time to time. The “LAST UPDATED” legend at the top of this Data Protection Notice indicates when this Data Protection Notice was last revised. Any changes will become effective when we post the revised Privacy Notice. Use of the Services following these changes (or your continued provision of Personal Information to us) signifies acceptance of the revised Data Protection Notice.


If you have any questions about this Data Protection Notice, you may contact on To help us to manage your query, please include your full name and corporate card number.


DPN India (v6) January 2021