American Express®
Online Privacy Statement

Effective date: 31/07/2025

Online Privacy Statement

What is this document?

Throughout this Online Privacy Statement, "American Express" refers to American Express Europe, S.A; American Express Payments Europe S.L; Amex Asesores de Seguros, Sociedad de Agencia de Seguros Vinculada, S.A.U (also referred to as "we", "us" or "our"). For our contact details and those of our Data Protection Officer, please see the "Query or Complaint" section.

This Online Privacy Statement explains how, as a data controller, American Express uses Personal Data collected online through our websites and mobile applications, as well as those services where we rely on third party providers, such as social media providers and Business Partners (described below), or when you interact or communicate with us (for example, by phone). Please note that although this Online Privacy Statement describes the different processing activities we carry out, it does not mean that your Personal Data will be used for all of these activities.

Scope of Application of this Privacy Statement

This Online Privacy Statement does not apply to all Personal Data collected or used through our products or services but only applies when we collect information about you online and when you communicate with us as described above. This Online Privacy Statement will be supplemented by additional privacy statements or policies relating to our specific products or services. Therefore, we ask that you also take some time to review the privacy policies applicable to each of the American Express products and services you use. If you are unsure about which privacy policy applies to a particular activity, please remember that the privacy policy of the specific product or service will take precedence over this Online Privacy Statement and will apply to the extent that the activity relates to the processing of Personal Data linked to that product or service.
In other words, the privacy policy for the specific product or service governs American Express' general use of your Personal Data in connection with that product or service, while the Online Privacy Statement supplements our use of your Personal Data in connection with your use of digital services related to your American Express products and services and your communications with us.

This Online Privacy Statement does not apply to your use of third-party services or sites, such as social media sites, that have terms and conditions or statements explaining how they use your information. Please take a few minutes to review the terms and conditions or statements of any other service you use.

Changes to this privacy statement

From time to time, we may change our Online Privacy Statement. If it is a material change, we will notify this to you. We will do this by contacting you in writing (to ask you to read the updated version - for example, by mail or e-mail), by clearly indicating it on your monthly statement, or by informing you that it has been updated when you visit our website, https://www.americanexpress.com/en-iec/.

This version was last updated on the date set out above.

This privacy statement is provided in a layered format, so if you access the privacy statement online, you can click on the specific areas listed below:

Personal Data is any information relating to you as an identified or identifiable natural person, such as your name, addresses, telephone number, email address, IP address and other information specific to your online behavior. If you do not provide us with Personal Data that we tell you is mandatory (for example, if we need to collect Personal Data by law or if it is necessary to enter into a contract with you), we may not be able to offer you our products and services. We will notify you when this is the case.

We collect and process various categories of Personal Data about you, depending on the type of online interaction you have with us (for example, when you merely browse our website without purchasing any of our products or services, or if you access your cardmember account online or your Amex® application) and beyond such interaction, subject to the appropriate retention periods explained below. We will only collect Personal Data that is necessary to fulfill your online requests in connection with our business or to comply with our legal obligations. Personal Data may include:

your identification data, including name and address, date of birth and contact details
digital data from your online behavior, such as your interactions on social media, your IP address or whether you have visited us online before (see the "Cookies and Similar Technologies" section)
information about your device, operating system and web browser
information about your online preferences set through the settings you choose in relation to cookies and similar technologies (see the "Cookies and Similar Technologies" section)
information about your financial and credit history, including proof of income, employment data, expenses, and credit and loan history when you apply for an American Express product or service
biometric data used for identification purposes
health data for certain insurance products

We collect Personal Data directly from you through the following means:

your online browsing through American Express websites and mobile applications;
your online application form;
your access to our online account services;
when you book or purchase products or services on our websites;
through the way you communicate with us and use your online account to manage your American Express products or services;
any online study (for example, a statistical or market study), survey or contest in which you participate or to which you respond, or any offer in which you register; and
other information you provide directly to us.

We also collect your Personal Data through different sources, such as:

Business Partners. These are third-party suppliers with whom we maintain business or contractual relationships, such as:
- technology companies that help us offer our customers exceptional digital experiences (for example, tokenization technology used to protect sensitive data),
- co-brand partners, distribution partners or loyalty or benefits program partners or merchants that accept American Express cards as payment for the goods or services they offer and that are authorized to share information with us for marketing purposes;
- service providers, such as media monitoring or online reputation management companies;
- insurance and car rental service providers

Open Banking Providers. Information we receive from open banking providers that you (or a duly authorized third party on your behalf) have authorized. Open banking providers provide payment initiation or account information services. You may also authorize open banking providers to collect information from your bank account, which is then shared with American Express in order to complete our underwriting verifications to issue you a card or approve a service request.
Credit Reporting Systems and Fraud Prevention Agencies. Information we receive from credit reporting systems and Fraud Prevention Agencies (for example, in order to complete our underwriting checks to approve an application for a service).

We sometimes process Personal Data in such a way that it no longer identifies any individual. Once processed in this way, they will no longer constitute Personal Data and will be aggregated and anonymized information. We process Personal Data to aggregate and anonymize it for:

analyze trends among groups of people (for example, among cardmembers, merchants and online users);
create business analysis or statistical reports; and/or
improve our advertising and our business.

We sometimes share aggregated and anonymized information with Business Partners or other trusted third parties for one or more purposes mentioned above.

We collect your Personal Data through cookies and similar technologies (for example, GIFs, web beacons, pixel tags) when you use our online services or access our online content. A cookie is a small data file that a website or application transfers to your technological device used to access that website or application (for example, computer, cell phone, tablet).

Basically, we install cookies on your devices when you visit our websites or another company's website where our advertisements appear, or when you make purchases, request or customize information, or register for certain services. The Personal Data we may collect through cookies and similar technologies relates to, among other things: the device or devices you use, your IP address, how you use our websites and applications (for example, what you search for, the pages you view, how long you stay on the sites you visit), what advertisements or commercial online content (ours and our partners') you view.

Please refer to our "Information about cookies and similar technologies" policy for more information about how we process your Personal Data through cookies.

We use your Personal Data on its own or combined with other information as described in the previous sections (for example, when you access your online account associated with your American Express card, if applicable). Under data protection legislation, we need a "lawful basis" to process your Personal Data, which may be any of the following: (i) where it is necessary for the performance of a contract with you or to take steps at your request prior to entering into a contract with you; (ii) where it is necessary to pursue our legitimate interests, such as preventing fraud and/or improving our products or services; (iii) where we have obtained your consent, such as, for example, or (iv) for compliance with legal obligations where we are required by law to process your Personal Data.

The following table sets out what we use your Personal Data for and our legal basis for doing so. Please note that we consider and balance the potential impact on you and your rights before processing your Personal Data to pursue our legitimate interests. The legitimate interest relied upon in each case is also set out in the table below.

Please note that we may process your Personal Data under more than one legal basis, depending on the specific purpose for which we are using your Personal Data. Please contact us if you need detailed information about the specific legal basis on which we are relying to process your Personal Data where more than one basis has been set out in the table below.

What we use your information for	Legal basis for using your Personal Data
To process online applications for our products, including making decisions about whether to approve or pre-approve your application or give you an estimate of approval, which are sometimes automated and involve profiling. See the "Automated Decision Making" section of this Online Privacy Statement for more information.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services.
To maintain records of rejected applications for our products and services for audit, analysis, quality control and reporting purposes.	To comply with our legal obligations, for example, pursuant to Law 16/2011, dated June 24, 2011, on consumer credit contracts, and any other relevant for payment institutions. To pursue our legitimate interest in ensuring the management and protection of our business and interests and to check the quality of our internal processes. To pursue our legitimate interest in complying with the regulatory guidelines of the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses ("SEPBLAC").
To comply with our regulatory obligations when reviewing your online application (such as performing due diligence on our merchants before approving your application to become an Amex Merchant). This sometimes involves automated decision making and profiling. Please see the "Automated Decision Making" section of this Online Privacy Statement for more information.	To comply with our legal obligations, such as the anti-money laundering obligations set forth in Law 10/2010, dated April 28, 2010, on the prevention of money laundering and terrorist financing; Royal Decree-Law 19/2018, dated November 23, 2018, on payment services and other urgent measures in financial matters; Law 44/2002, dated November 22, 2002, on Financial System Reform Measures, and any other relevant for payment institutions. To pursue our legitimate interest in conducting due diligence processes to ensure that our interests (as a company) are adequately protected.
To administer and manage any online account and provide any online services to you, such as processing, approving and completing individual transactions or services through mobile applications.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in ensuring a high level of customer care and service.
To provide you with the location-based services you have requested (if any).	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services.
To communicate with you via email, SMS or any other electronic means, regarding your online accounts, products and services for legal, regulatory or service purposes (for example, to inform you about features associated with your contracted products or services).	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To comply with our legal obligations, for example, under Royal Decree-Law 19/2018, dated November 23, on payment services and other urgent measures in financial matters. To pursue our legitimate interest in ensuring that we provide you with the information you need to know about your contracted products and services.
To provide you with a more appropriate service and/or to protect your interests by making reasonable accommodations, such as sending or providing you with information in an adequate format (for example, if you are visually impaired), and to improve our websites and applications and make them easier to use.	To pursue our legitimate interest in improving your customer experience and ensuring that our service meets your needs and is tailored to your needs. To comply with our legal obligations, such as those established in Royal Legislative Decree 1/2007, dated November 16, 2007, approving the revised text of the General Law for the Defense of Consumers and Users and other complementary laws; Royal Decree 193/2023, dated March 21, 2007, regulating the basic conditions of accessibility and non-discrimination of persons with disabilities for access to and use of goods and services available to the public and other accessibility standards.
When interacting with some of our Business Partners available in your American Express online benefits program, to connect you to your Membership Rewards account (where enrolled and applicable) and, depending on your product, allow you to use Membership Rewards points to pay for products or services with a Business Partner.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in enhancing your customer experience, promoting the use of the benefits we offer you and facilitating the use of these benefits with our Business Partners (as applicable).
To carry out checks for the purpose of keeping your account and Personal Data secure, detecting and preventing fraud or criminal activity (including reviewing and approving individual transactions) and verifying your identity before providing services to you (including by conducting and monitoring "know your customer" processes). This may include the use of location and other technical functionality of your mobile device or browser.	To comply with our legal obligations, such as those set forth in Law 10/2010, dated April 28, 2010, on the prevention of money laundering and the financing of terrorism; Royal Decree-Law 19/2018, dated November 23, 2018, on payment services and other urgent measures in financial matters; Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication and any other relevant for payment institutions. To pursue our legitimate interest in managing our business risks, such as operational and security risks, and detecting, preventing and investigating fraud. We have your consent to do so (for example, when the use of your biometric data is optional).
To answer any questions you may have, to respond to your requests (customer service) and to manage and process any complaints you may have.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in having complaints investigated and in providing you with a high level of service. To comply with our legal obligations, for example, under Royal Decree-Law 19/2018, dated November 23, on payment services and other urgent measures in financial matters.
To protect our business interests, recover debts and exercise other rights we have under any contract with you.	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To pursue our legitimate interest in ensuring the management and protection of our business, including the collection of any debts owed to us.
To manage mergers, acquisitions, sales of business assets and, in general, the management of extraordinary corporate operations.	To pursue our legitimate interest in managing corporate operations.
To establish, exercise or defend legal rights or claims and to assist in dispute resolution.	To pursue our legitimate interest in ensuring the management and protection of our business and interests.
To analyze the needs, preferences and behaviors of our customers and create customer profiles based on those needs, preferences and behaviors to develop and improve our products and services and to evaluate and analyze whether our advertisements, promotions and offers are effective. Profiles may be created in relation to the needs, preferences and behaviors of a specific customer (individual customer profile), or in relation to the similar needs, preferences and behaviors of a group of customers (group customer profiles). Our profiling activities are conducted using data analysis methods based on your customer behavior and transactions.You may object to our conduct such profiling activities in the terms explained in the "Your Rights" section of this Online Privacy Statement.	To pursue our legitimate interest in improving our products and services (for example, to ensure that our products and services remain competitive and relevant to our customers).
To check that we have followed your instructions correctly, to develop and improve our services and for compliance, training and quality purposes (for example, we may monitor, transcribe or record any communications between you and us, including telephone calls, for these purposes).	To pursue our legitimate interest in improving our products and services and to ensure that we provide you with a high level of customer service.
To offer you open banking services (for more information, see the "Open Banking" section).	When necessary for the performance of our contract with you or to take steps to enter into a contract with you, related to our products or services. To comply with our legal obligations, such as under Royal Decree-Law 19/2018 dated 23 November on payment services and other urgent financial measures; Commission Delegated Regulation (EU) 2018/389 of 27 November 2017 supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication and any other relevant for payment institutions.
To perform tests and checks (to ensure security and when we upgrade our systems), to manage the administration of the website, to support and facilitate the development of the information technology system and to safeguard the security of your Personal Data.	To pursue our legitimate interest in managing our business risks, such as compliance, regulatory, operational and security risks.
To develop and refine our risk management policies, models and procedures for online applications and online customer accounts based on the information contained in your application.	To pursue our legitimate interest in managing our business risks, including credit, regulatory and fraud risks.
To conduct research and analysis, including allowing you to provide feedback by rating and reviewing our products and services and those of our Business Partners, and to produce data analysis, statistical studies and reports on an aggregate basis (that is, metrics on participation in product subscriptions).	To pursue our legitimate interest in conducting research and analysis, to improve and develop our business and the services and products we offer to our customers, and to help our Business Partners do the same.
To anonymize Personal Data and produce aggregated and anonymized information to be shared with Business Partners or other trusted third parties to analyze trends among groups of people, such as cardmembers or merchants, create business insights or statistical research reports, and/or improve our advertising and our business and that of our Business Partners.	To pursue our legitimate interest in conducting research and analysis, to improve and develop our business and the services and products we offer to our customers, and to help our Business Partners do the same.
To respond to inquiries from and/or cooperate with regulators, law enforcement and other authorities.	To comply with our legal obligations under any law that requires us to cooperate with regulators, law enforcement and any other authorities. To pursue our legitimate interest in supporting and/or cooperating with regulators, law enforcement and other authorities in the detection and prevention of fraud and crime, particularly as it affects our customers.
To collaborate with influencers, review their profiles and ensure that our values match.	To pursue our legitimate interest in ensuring that our values and those of the influencers with whom we collaborate match, and to evaluate potential collaboration opportunities.
We may collect and process publicly available information and/or information you post on social media platforms to identify and respond to (i) brand and reputational damage; (ii) security threats and large-scale fraud attempts; (iii) customer account service issues; and (iv) legal actions.	To pursue our legitimate interest in identifying threats to our brand, products and services and to be able to respond appropriately.
Install cookies and similar technologies on the technological devices used to access websites or applications (for example, computer, cell phone, tablet), whether ours or those of third parties. This allows us to recognize you when you return to our websites, receive emails from us or use our applications, including across multiple devices. This also allows us to create profiles in relation to the needs, preferences and behaviors of a specific customer (individual customer profile), or in relation to the similar needs, preferences and behaviors of a group of customers (group customer profiles) in order to provide you with personalized advertising. Our profiling activities are carried out using data analysis methods based on your customer behavior and transactions. You may object to our performance of such profiling activities in the terms explained in the "Your Rights" section of this Online Privacy Statement. For more information, please see the "Digital Advertising" section.	Your consent to install cookies and similar technologies and to serve you personalized advertising.
To share your Personal Data with other entities within the American Express Group so that they can provide us with back-office services and assist us in meeting our regulatory obligations (for example, conducting and monitoring "know your customer" processes).	To comply with our legal obligations, such as the anti-money laundering obligations set forth in Law 10/2010, dated April 28, 2010, on the prevention of money laundering and terrorist financing; Royal Decree-Law 19/2018, dated November 23, 2018, on payment services and other urgent measures in financial matters. To pursue our legitimate interest in managing our business risks, such as operational and security risks, and detecting, preventing and investigating fraud. To pursue our legitimate interest in transmitting Personal Data within the American Express Group for internal administrative purposes.

Some of the Personal Data we collect is of a more sensitive nature (also known as special categories of Personal Data). We will always collect these data in accordance with applicable law. In particular, we may process sensitive Personal Data relating to your health (in order to provide you with a more appropriate service), or biometric data. The following table explains what we use your sensitive Personal Data for and the legal basis for doing so.

What we use your Sensitive Data for	The legal basis for doing so and the condition allowing the processing
Biometric data in order to identify you, verify your security and detect and prevent fraud.	Your express consent: we have your permission for any optional use of biometric data (for example, to identify you by facial recognition).
To comply with relevant laws and regulations and to cooperate with regulators, law enforcement and any other authorities (for example, in connection with the processing of criminal convictions and offences data to comply with a court order or subpoena).	To comply with our legal obligations to cooperate with regulators, law enforcement and other authorities. When necessary for the establishment, exercise or defence of legal claims.
Criminal conviction and offense data for the purpose of gathering evidence and investigating an alleged crime in order to prosecute, bring an action or defend the legal rights of American Express.	To pursue our legitimate interest in investigating suspected crimes related to the provision of our card products and services to protect our business, interests and rights, as well as those of affected individuals. To comply with our legal obligations to report crimes that come to our attention, such as, for example, under the obligations set forth in the Royal Decree dated September 14, 1882, approving the Criminal Procedure Act and Law 2/2023 dated February 20, regulating the protection of persons who report regulatory violations and the fight against corruption. When necessary for the establishment, exercise or defence of legal claims.
We may collect and process sensitive Personal Data (such as political opinions) that you have made public online (for example, public posts on social media) to assess engagement and interaction with our brand and to identify and respond to potential reputational and image damage.	To pursue our legitimate interest in identifying threats to our brand, products and services and to be able to respond appropriately. The processing refers to Personal Data that you have made manifestly public.
Health data to provide you with certain insurance products tailored to your needs (for example, in case you have an allergy or disability).	When necessary for the performance of our contract with you or to take steps to enter into a contract with you relating to our products or services. Your express consent.

When you use open banking services (where available), we will process your Personal Data to enable activities such as:

our American Express online application processes for corporate or credit services, for the purposes of income verification and fraud prevention; or
(if any) to comply with a request made on your behalf by (i) an account information service provider, when they provide you with consolidated information on the account(s) that you hold with one or more bank(s) or payment institution(s) or (ii) a payment initiation services provider, when they initiate a payment to pay a merchant on your behalf.

In this context, we will process your Personal Data for the above purposes as described in the section "Use of Personal Data".

We use fully automated processes to help us make certain decisions about you, including to asses certain attributes about you in order to provide our services to you. This may also involve profiling (for example, credit and risk fraud profiles). This means that we will use software and/or artificial intelligence to automatically assess your personal circumstances in order to identify or predict risks or certain outcomes. For example, we use automated processes to make decisions about you in relation to the following:

detect, monitor and manage fraud;
process online requests from American Express (for example, determining whether to approve or deny your request for a product or service); and
assess credit risks, for example, to check whether you meet our eligibility criteria and decide whether we can offer you an American Express service or product, or to assess whether we need to take any responsible credit action in connection with your account (for example, reduce your credit line).

This is known as "automated decision making". Some of these decisions are made solely by automated means and have legal or similar effects , as we explain below. However, we will only carry out such processing if it is:

- necessary to enter into or perform a contract between you and American Express. For example, we may decide that some of our products and/or services may not be suitable for you based on your credit history and if you do not meet our eligibility criteria;

- authorized by a law to which American Express is subject and which also provides for appropriate measures to safeguard your rights and freedoms and legitimate interests (for example, to prevent fraud); or

- carried out on the basis of your explicit consent to such processing.

How automated processes make decisions

Application process

We consider several factors when approving or declining an online application for one of our products or services, including the information provided on your online application form, your income and your expenses. We will use this information to determine the likelihood that you (if your application is approved) will default on your account within a certain period of time. In order to manage our exposure to credit risk, we may decline your application if we believe there is a high probability that you will default during this period. If your application is approved, we will also use this information to determine your credit limit.

Fraud

We will evaluate payments made to and from your online account to identify any payments that are unusual. For example, if there is a payment that you would not normally make (such as a payment of a significant sum, which does not match your transaction history), we may take steps to prevent us from making a payment that is likely to be fraudulent.

We will also evaluate your spending behavior and transaction history to identify whether it is likely to constitute a fraud risk (for example, if a sudden change in your spending and repayment behavior suggests that you do not intend to pay outstanding balances owed to American Express). This may result in us taking steps to mitigate the risk to us, including declining charges you make on your card.

We also review digital information (such as information about your device, your browser, or your online interaction patterns with American Express) to help us detect potential fraud.

Assessing credit risks

As part of managing our relationship with you, we will assess whether we need to take any responsible lending action (for example, reduce your credit line). We take into account several factors to assess whether a credit risk exists, or whether you are experiencing financial difficulties. This may include assessing the activity on your online account, your payment history (for example, whether you have missed payments that are due and payable), the information you provided to us on your online application form (for example, your income) and information we obtain from the Bank of Spain and credit information systems. We will use this information to decide whether to take any action in relation to your American Express product or service to manage any credit risk. This may involve us reducing your credit line if we reasonably believe that you are likely to default on your payments in the future.

Our automated decision-making methods are regularly tested to ensure that they remain fair, effective and unbiased.

When we use automated decision making to enter into or perform a contract with you, as authorized by law or based on your explicit consent, you have the right to express your point of view, challenge the decision made, and request human intervention. See the "Your Rights" section for more information about your rights related to automated decision making.

We display advertising through our websites and applications, and also on third-party platforms, such as the websites and applications of our Business Partners and third-party platforms.

We may use your Personal Data to show you online advertising content tailored to your interests or general geographic location, across the different devices you use based on your Marketing Choices, as set forth below:

We analyze your needs, preferences and behaviors displayed within our websites, mobile applications and the content we provide on third party platforms (such as our electronic communications, social media pages, voice assistant applications and digital advertisements) to create individual customer and customer group profiles. Please see the "Use of Personal Data" section for more details.
We show you personalized advertisements based on your individual customer and customer group profiles and other information collected through cookies and similar technologies about your browsing behavior, over time and across different websites, based on your Marketing Choices. Personalized advertising may extend to our products and services, those of the American Express Group and those of our Business Partners. For more information, please see the "Marketing and Communications Choices" and "Cookies and Similar Technologies" sections.
We also use your Personal Data to display advertising content or participate in personalized advertising campaigns on social media platforms. If you follow our social media pages or "like" our content on social media platforms, we may use your Personal Data to improve the content we provide to you on social media and the way we provide it to you. Please remember that we do not own such websites and social media applications, and we are obligated to use information about you only in accordance with the privacy policies and terms and conditions of such websites and applications.

You can choose how we target advertising to you as specified in the "Marketing and Communications Choices" section below.

We will only share your Personal Data with third parties when it is lawful for us to do so and for a specific purpose (as set out in the tables above or as described below), including with:

the Bank of Spain and credit information systems to inquire about your financial circumstances, and to report financial risks and, where applicable, debts that you have with us; if you are a sole trader acting within your professional activity, we will inform that risks are reported in respect of that professional status;
police, regulators, courts, government agencies, tax authorities and any other third parties (for example, third parties specified in a court order) to comply with legal or regulatory requirements, law enforcement and/or other requests in connection with actual or suspected fraud or criminal activity, or the investigation thereof, as well as regulatory investigations, and to protect the rights of American Express or others;
collection agencies and external legal counsel to collect debts on your online account;
our Service Providers (including their subcontractors) who perform services on our behalf and help us manage our online services and/or operate our business (that is, any vendor, third party and/or company that provides services such as printing, mailing, advertising, among others);
companies or other product and service lines within the American Express Group. For example, when such companies provide services to us and/or when it is necessary for us to lawfully conduct our business and comply with regulatory obligations;
Business Partners, such as entities that accept American Express branded cards for payment for goods/services purchased by you (that is, merchants), distribution, travel, benefits and other loyalty partners and certain advertising partners with whom we offer or develop products and services, as well as other financial institutions to provide, deliver, offer, customize or develop products and services to you, and address or resolve complaints. We will not share your contact information with Business Partners to independently promote their own products or services to you without your consent. However, we may send you offers about their products or services. Please note that if you take advantage of an offer from a Business Partner and become their customer, they may send you communications independently. In this case, you should review their privacy statement and inform them separately if you wish to opt out of receiving future communications from them;
providers of insurance products or services included in your American Express card or account program that may be available to you as a benefit;
any third party authorized by you, such as third parties providing open banking and related services at your request, for example when you intend to connect your account information to another platform or initiate payments from other accounts;
our loyalty partners to connect you to your Membership Rewards account (where enrolled and applicable) and, depending on your product, to the partners available in your benefits program;
your advisors (such as accountants, lawyers and other professional advisors) whom you have authorized to represent you, or any other person you have told us that you have authorized to give instructions or to use the account;
third parties that participate in the same digital advertising network as us, so that they may also use Personal Data collected by us on our websites, applications and digital spaces for their own legitimate advertising purposes; or
any person to whom we transfer or assign our contractual rights.

We transfer your Personal Data to organizations located in other countries and to regulatory authorities in other countries in certain circumstances in connection with the provision of our products and services. Some of these jurisdictions may not offer the same level of protection for Personal Data as that offered in the European Economic Area (EEA). Some countries will have different data protection laws. This includes transfers to countries outside the EEA, such as the United States, where our main operational data centers are located. We carry out these transfers to operate our business, administer your account and provide our products and services to you.

Please note that no matter where we process your Personal Data, we will always protect it in the manner described in our privacy policies or statements and in accordance with applicable law. When we transfer your Personal Data to certain countries outside the EEA:

If that country has been the subject of an adequacy decision by the European Commission (see the list of countries here), we will rely on that decision to conduct our transfer; or

In the case of transfers of Personal Data to a third party in the United States, we may rely on that third party's certification under the EU-US Data Privacy Framework to transfer your Personal Data.

In other cases, we are obliged to establish an "adequate guarantee". In particular:

When we share Personal Data with other entities in the American Express Group covered by our Binding Corporate Rules and outside the EEA, we ensure an adequate level of protection through our Binding Corporate Rules, available here. Our Binding Corporate Rules ensure the protection of your Personal Data by requiring all entities in our group to follow the same standards when processing your Personal Data.

When we share your Personal Data with other entities outside the EEA located in countries that have not been the subject of an European Commission adequacy decision, we include appropriate contractual protections (including European Commission standard contractual clauses) in those agreements. In addition, we assess whether additional technical and organizational measures are required for such transfers. If we deal with public or regulatory authorities, we will not need to have contractual protections, but that does not mean that your data is not protected by adequate security measures when it is transferred.

You can receive a copy of these contractual protections by contacting us. For more information, please see the "Query or Complaint" section below.

We use organizational, administrative, technical and physical security measures to safeguard your Personal Data and help ensure that your information is processed properly, accurately and completely. In particular:

these measures include technological safeguards and appropriate access controls to data and infrastructure;

we require Service Providers to safeguard your Personal Data and only use it for the purposes we specify; and

we take all necessary steps to securely destroy or de-identify personal information when it is no longer needed.

If you simply browse our websites and applications, we will retain your Personal Data only for as long as we keep cookies installed on your devices. If you have created an online account within the scope of this Online Privacy Statement, we will retain your Personal Data for as long as your online account is active. After our relationship with you ends (for example, when your account is closed), we will only retain your Personal Data for an appropriate period of time, taking into account the nature and sensitivity of the data and the purposes for which we continue to retain it.

We will only retain Personal Data for specific purposes, including those that allow us to:

comply or demonstrate compliance with our legal and regulatory requirements (for example, laws relating to money laundering);
defend ourselves or initiate legal action;
maintaining business records for analysis or audit purposes; and
keep a record of people who do not wish to receive advertising from us

For example, your Personal Data will be stored by American Express for 5 years after the closure of your online account. This is related to the time available to take legal action. Personal Data necessary to fight money laundering will be stored for 10 years after the closure of your account, in accordance with applicable anti-money laundering legislation. We will retain your Personal Data after this period if your American Express Card account is in default and the balance remains unpaid or unsettled, or for legal or regulatory reasons or requirements.

We will block your Personal Data whenever it must be rectified or deleted in accordance with Article 32 of Organic Law 3/2018, dated December 5, on Personal Data Protection and guarantee of digital rights for the enforcement of possible liabilities arising from the processing during the applicable statute of limitations period.

On the other hand, we will retain the Personal Data of potential customers for 6 months when we need to keep a record of rejected applications.

When your Personal Data is no longer needed for the above purposes, we will securely destroy it or convert it into information that can no longer be associated with you. If you would like more information about our data retention practices, you may contact us; please see the "Query or Complaint" section for more information.

If you are an American Express customer who interacts online with us, we encourage you to periodically check that all Personal Data we hold about you is accurate and up to date. If you believe that any information we have about you is incorrect or incomplete, you may ask us to correct or delete it from our records. We encourage you to visit www.americanexpress.com/en-iec/, log in and update your Personal Data. If you prefer, you may contact us; see the "Query or Complaint" section for more information. Any information found to be incorrect or incomplete will be corrected promptly.

You have the right to access, update, limit, apply for portability, delete or object to the processing of your Personal Data. More specifically, you have the right to:

Withdraw your consent for us to use your Personal Data at any time, when our processing is based on your consent.

This will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to offer you certain products or services. We will inform you of this at the time you withdraw your consent.
Request the limitation of the use of your Personal Data in certain cases.

You can ask us to limit the processing of your Personal Data in the following cases:
- if you want us to check the accuracy of the Personal Data;
- when our use of the Personal Data is unlawful, but you do not want us to delete it (for example, for the enforcement of any liabilities arising from the processing during the applicable statute of limitations period for legal action);
- when you need us to keep the Personal Data even though we no longer need it, because you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your Personal Data, but we need to verify whether we have overriding legitimate grounds to use it.

In certain cases, request the deletion of your Personal Data.

This allows you to ask us to erase or delete your Personal Data where there is no good reason for us to continue to process it. You also have the right to ask us to erase or delete your Personal Data where you have successfully exercised your right to object to the processing (see below), where we may have processed your information unlawfully or where we are required to erase your Personal Data to comply with applicable law. Please note, however, that in some circumstances we may not be able to comply with your request for specific reasons set out in applicable law, which will be notified to you, if applicable, at the time of your request.
Request a human review of automated decisions that affect your legal or contractual rights or that could have a similar significant effect.

In certain circumstances, you have the right to request a review of an automated decision, to express your views and to challenge the decision. This right only applies to fully automated decisions and will not apply if there has already been human intervention by us as part of the decision-making process.
Request the portability or transfer of your Personal Data to yourself or to a third party.

We will provide to you, or (where technically possible) to a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Please note that this right only applies to automated information for which you initially provided consent for us to use or where we used the information to perform a contract with you.
Request a copy of the Personal Data we hold about you (often referred to as a "data subject access request" or "DSAR").

This allows you to receive a copy of the Personal Data we hold about you and to check that we are processing it lawfully.
Establish guidelines regarding your Personal Data upon your death in accordance with the applicable legislation. In this regard, the persons expressly designated by the deceased data subjects, or the Public Prosecutor's Office in the case of minors or persons with disabilities, may request access to the Personal Data of the deceased data subject or the rectification of the Personal Data of the deceased data subject.

You may also object to our processing of your Personal Data:

for reasons related to your particular situation, where the applicable legal basis is legitimate interests. In some cases, we may demonstrate that we have legitimate grounds to process your Personal Data, which override your rights and freedoms. In such a case, we will inform you; and

when your Personal Data is processed for direct marketing purposes.

If we receive a request from you to exercise your rights, we will respond as soon as possible and at the latest within one calendar month, except in the following case: If, due to the nature or circumstances of your request, we are unable to meet that deadline, we may extend it by up to two additional months (complex requests). In this case, we will send you an e-mail or a letter explaining the reason for the delay.

If you wish to exercise any of your rights, please click here . If you have any questions about how we handle your Personal Data, you can contact us - see the "Query or Complaint" section for more information.

You can choose how American Express collects and uses your Personal Data for advertising purposes. We work with a number of advertising partners, including ad networks, ad-servers, and social media platforms, to display our online advertisements. Your choices will vary depending on whether we show you ads through websites, apps, or social media.

You have the following choices regarding the Personal Data we collect about you:

In connection with cookies and similar technologies:
- If you do not want us to collect Personal Data about you through cookies or similar technologies for advertising purposes, you can choose to reject the installation of cookies through the banner that appears when you first visit our websites, by clicking on "Set Cookie Preferences" or through your browser settings, as explained in the "Information about cookies and similar technologies" policy. To reject the installation of cookies on third-party websites or applications, you should consult the applicable privacy policies and terms and conditions.
- If you reject cookies, purchase a new device, access websites from another device, or change your browser, you will need to choose the option to reject cookies again.
- If you choose to reject cookies, we will continue to show you advertising related to our products or services, but it will not be based on your Personal Data.
You can also change the settings of how we collect your Personal Data in your device settings. For example, you can disable location services and ad-tracking on devices.

If you have any questions about this Corporate Cardmember Privacy Statement or how your information is handled or wish to file a complaint or exercise your rights, please call us at the toll-free number on the back of your corporate card or at the number posted on our website in the "Contact Us" section. You may also contact our Data Protection Officer at DPO-Europe@aexp.com. You can also write to American Express Europe, S.A; with address at Avenida Partenón 12-14. 28042 Madrid.

You also have the right to contact the Spanish Data Protection Authority directly at https://www.aepd.es/ or other competent supervisory authorities. If you are not satisfied with the resolution given to your request, you may also bring your case before the court in the place where you live, work or where an infringement may have occurred.

More Features, Benefits and Information

AMERICAN EXPRESS

American Express® Online Privacy Statement

Personal Data Collected

Cookies and Similar Technologies

Use of Personal Data

Sensitive Personal Data

Open Banking

Automated Decision Making

Digital Advertising

Personal Data Sharing

International Transfer of Personal Data

Security

Retention of Personal Data

Accuracy of your Personal Data

Your Rights

Marketing and Communications Choices

Query or Complaint

More Features, Benefits and Information

American Express®
Online Privacy Statement