Legal information


Project Pulse Privacy Notice

Effective as of August 16th, 2019

The Pulse team’s mission is to help small businesses make better decisions. Pulse uses smart data and simple tools to show how a business is performing in real time and help owners and business decision makers manage the future. The Pulse app needs a lot of data to work so we need to collect your information and this Privacy Notice tells you what we collect and what we do with it.  We only use your information where we have a lawful basis for doing so.

The Pulse app is designed to be simple to use but inside it’s complicated so this notice gets techy in places. We have tried to explain things as clearly as we can but if you have questions then email us at

What this Privacy Notice does and who it applies to.

Wherever we’ve said ‘you’ or ‘your’, this means you the reader. It could be you the Pulse app account holder or someone using the Pulse app to access a Pulse account. It also applies to anyone who visits 

If you stop using the Pulse app, close your pulse account or delete the app from your device then this notice will still apply.

If you give us information about someone connected with your business, then you must have a legitimate interest or other lawful purpose to share that information with us.  You must also give that person a copy of this Privacy Notice so they understand how their information will be used by us.

Who controls the information?

The Data Controller is HSBC UK Bank plc (company no 09928412). Our address is 1 Centenary Square, Birmingham, B1 1HQ, UK and we are registered with the Information Commissioners Office (no ZA276331) and our VAT number is GB 365684514. HSBC UK Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority under registration number 765112. 

When you read ‘we’ or ‘us’ or ‘our’ in this notice it means HSBC UK Bank plc.

Our contact details.

You can write to our Data Protection Officer at P.O. Box 6201, Coventry CV3 9HW, addressed ‘for the attention of the DPO (CMB Project Pulse)’.

You can email the Pulse team at

The information we collect or generate about you.

We collect information when you visit,use the Pulse app or when you interact face to face, by telephone, email or direct messaging. We may also collect information from publically available sources such as Companies House or other electronic databases.

We will collect all the information that you give us voluntarily including your: names, contact details (addressee, telephone number, email addresses), position in the business and even a profile photo (if you want to). We will also collect any market research (such as how big your business is, who you do your accounting with and where you bank, and surveys to help us develop the Pulse app); comments or other information you communicate to us.

Whenever you use the Pulse app or visit information gets created and automatically sent to us unless you block it.  This information would include:

  • the browser you use and your IP address which means we can remember you when you visit us again;
  • your login information;
  • the date and times you used the Pulse app and what actions you took;
  • cookie data (our Cookie Policy explains more about cookies);
  • your device data including the type; OS, settings, unique identifier and if it’s a touch device then how you interact with the screen; 
  • location data.

Your mobile device may have privacy settings that you have changed from their factory defaults. This will change what information your browser/device sends to us.

We also get all the transactional, account limits and rates, and account identifier information from your bank account through the Open Banking feed and information from your accountancy software feed.  You must link the Pulse app to both of these information sources otherwise Pulse will not work.

How we use your information.

We use your information to identify you, access the correct open banking and accountancy software feed, provide the services of the Pulse app and interact with you if you want to speak to us. In other words, we need the information to provide the Pulse app’s services. We call this a legitimate business interest and it is one of the lawful purposes we rely on to use your information.

If you like details, then here are examples of other lawful purposes we rely on to collect and process your information:

  • to comply with a legal obligation;
  • using the information is in the public interest (e.g. for preventing crime);
  • we need to establish, exercise or defend our legal rights;
  • to carry out your instructions;
  • to prevent or detect crime including fraud and financial crime (e.g. financing for terrorism and human trafficking);
  • to investigate and resolve complaints;
  • to make the Pulse app better and understand how it is used as well as to fix things that go wrong;
  • for analysing data to better understand your circumstances and preferences so we can deliver services relevant to our customers; 
  • where we have a legitimate interest in collecting and processing your information to make the Pulse app work better for you.

When you contact us.

We might record and keep track of conversations you have with us including phone calls, face-to-face meetings, letters, emails, live chats, video chats and any other type of communication. We may also capture additional information about these interactions (e.g. telephone numbers that we are called from and information about devices or software that are used).

We may use these recordings and information to check your instructions and improve our service by changing the pulse app or to train our people. We may also use the recordings and information to meet our obligations to comply with the laws and regulations that apply to HSBC Group companies, including to help detect or prevent crime.

We use closed circuit television (CCTV) in and around our physical sites and these may collect photos videos or voice recordings of you and persons present in or around our physical sites.

Market Research.

We like to keep in touch with our customers and get your feedback on the Pulse app so we can make it better.  We will stop contacting you if you tell us to stop. In the meantime, we may give your contact details to Market Research Agencies who act for us so they can ask you about Pulse. These agencies will only get in touch with you by a method you have agreed to and your responses will be given back to us anonymously, unless agreed otherwise.  You can update your marketing preferences by following instructions at the bottom of any communications we send you. 

If you tell us to stop sending you marketing messages, then we will update our systems as quickly as we can but you may receive messages for short time after you tell us to stop.

If you tell us not to send marketing messages, we’ll continue to use your contact details to provide important information about how the Pulse app operates or changes to the Pulse App terms or if our regulator asks us to contact you.

Sharing your information.

Sometimes we have to share your information with other organisations.  This might be because you ask us to do something or because we are required to share your information.  We will only do this if it is lawful to do so. Examples would include where we have:

  • a public or legal duty to do so (e.g. to help detect and prevent fraud, tax evasion and financial crime);
  • a need to in connection with regulatory reporting, litigation or asserting or defending legal rights and interests;
  • a legitimate business reason for doing so (e.g. to manage risk, verify identity, enable another company to provide you with services you’ve requested, or assess your suitability for products and services);
  • asked you for permission to share it, and you have agreed.

Examples of other organisations we may share your information with include:

  • other HSBC Group Companies or other service providers who we engage including their employees, subcontractors, directors and officers;
  • law enforcement, government, courts, dispute resolution bodies, our regulators, auditors and any party appointed or requested by our regulators to carry out investigations or audits of our activities;
  • any trustees, beneficiaries, administrators or executors of your estate.

Sharing aggregated or anonymised information.

We may share aggregated or anonymised information inside and outside of the HSBC Group.  We might share this information with partners such as research groups, government departments, universities.  This information is anonymised so your identity will remain secret.

How long we’ll keep the information.

We’ll keep information in line with our data retention policy.

For example, we normally keep the data collected by the Pulse app for seven years after a Pulse account is closed. This is so we can comply with legal and regulatory obligations or use your information for our legitimate purposes such as defending legal claims or to respond to our regulators.

We may need to hold information for a longer than seven years where we need the information to comply with regulatory or legal obligations or where we may need it for our legitimate business purposes (e.g. to help us respond to queries or complaints, fighting fraud and financial crime, responding to requests from regulators, etc.).

If we don’t need to retain information we may destroy, delete or anonymise it sooner.

Sending your information overseas.

Your information may be transferred to and stored in locations outside the European Economic Area (EEA), including countries that may not have the same level of protection for personal information. 

We may need to transfer information in this way to carry out our contract with you, to fulfil a legal obligation, to protect the public interest and/or for your or our legitimate interests. In some countries the law might compel us to share certain information (e.g. with tax authorities). Even in these cases, we’ll only share information with people who have the right to see it. When we do this, we’ll ensure it has an appropriate level of protection and that the transfer is lawful. 

You can obtain more details of the protection given to your information (and information relating to individuals connected to your business) when it’s transferred outside the EEA by contacting our Data Protection Officer.

Your rights.

Individuals have rights when it comes to their information.  These include:

  • the right to access information we hold about them and to obtain information about how we process it;
  • in some circumstances, the right to withdraw their consent to our processing of their information, which they can do at any time. We may continue to process their information if we have another legitimate reason for doing so;
  • in some circumstances, the right to receive certain information they have provided to us in an electronic format and/or request that we transmit it to a third party;
  • the right to request that we rectify their information if it’s inaccurate or incomplete;
  • in some circumstances, the right to request that we erase their information. We may continue to retain their information if we’re entitled or required to retain it; 
  • the right to object to, and to request that we restrict, our processing of their information in some circumstances.

There may be situations where individuals object to, or ask us to restrict, our processing of their information but we’re entitled to continue processing their information and/or to refuse that request if we have grounds to do so.

Individuals (including individuals connected to your business) can exercise their rights by contacting our Data Protection Officer. 

Individuals also have a right to complain to the UK Information Commissioner’s Office by visiting, or to the data protection regulator in the country where they live or work.

How we keep information secure.

We use different methods to keep information safe and secure such as encryption and other forms of physical and electronic security. We require our staff and any third parties who work for us to comply with our standards including to protect all information and apply appropriate measures to the use and transfer of information.

©HSBC Group 2019. All Rights Reserved. Issued by HSBC UK Bank plc


Legal Information

 This site is owned and operated by HSBC UK Bank plc.

HSBC UK Bank plc is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority. It is listed with the registration number 765112.

HSBC UK Bank plc is a company incorporated under the laws of England and Wales with company registration number 09928412 and its registered office at 1 Centenary Square, Birmingham, B1 1HQ, United Kingdom. HSBC UK Bank plc’s registered VAT Number is GB 365684514 and it is registered with the Information Commissioner’s Office with the registration number ZA276331.

 Copyright HSBC Group 2019. All rights reserved.