Data Privacy Message

CORPORATE CARD DATA PROTECTION NOTICE – SINGAPORE

Last Updated: Mar 2025

1. Your personal data

Your personal data (such as information that identifies you or can be used to identify you, for example your name, date of birth and contact details) is protected by the Singapore Personal Data Protection Act 2012 (the PDPA). This Data Protection Notice explains how Bank of America, National Association - Singapore Branch (“we” or “us”), collect, use and disclose personal data online and offline in connection with your personal data. This includes personal data we obtain from you, your employer or other parties, as well as information about your use of the account and our Global Card Access website and mobile application, your card and any transactions made with your card (including the date and amount of such transactions) and our communications with you.

From time to time, it is necessary for you to supply us with personal data in connection with the issue or use of credit cards and the establishment or continuation of banking or credit facilities or provision of related banking or financial services or compliance with applicable laws and regulations. Failure to supply such personal data may result in us being unable to approve the issuing or use of credit cards or continue banking or credit facilities or provide related banking/financial services or comply with applicable laws or regulations.

We may request Sensitive Personal Data from you or receive such data from third party service providers and others in support of due diligence activities we undertake to satisfy various legal and regulatory requirements to which we are subject. Please do not send us any Personal Data which would be categorized as sensitive personal data under the PDPA or its implementing regulations (e.g., information related to racial or ethnic origin, political opinions, religious or other beliefs, health, biometrics or genetic characteristics, criminal background or trade union membership) (“Special Data”) through the Services or otherwise, unless we specifically request this information from you or make a due diligence enquiry of you where the response necessitates you disclosing Special Data to us. In such a case, please ensure you notify us that you are providing Sensitive Personal Data.

Event management and execution: At the time of registration participants may tell us about disabilities that may require accommodation, or special needs related to religious beliefs, and/or health characteristics, e.g. dietary requirements. This information will be used only to the extent necessary to facilitate any disability or special accommodations. Similarly, certain registration details may include sensitive Personal Data (e.g., dietary restrictions may indicate a particular religious belief). Such data will be used only to facilitate event participation.

2. How we use your personal data

We will collect, use or disclose your personal data:

• to administer your card and account and provide online and offline services to you;
• to facilitate transactions;
• to comply with the rules of any relevant card scheme;
• to carry out, monitor and analyze our business;
• as part of the sale, merger or similar change of our or any Bank of America Corporation business;
• to detect, prevent and investigate fraud and to protect the security of your card accounts, including “know your customer”, anti-money laundering, conflict and other necessary onboarding and ongoing client checks, due diligence and verification, and anti-corruption and bribery or anti-terrorism activities;
• to comply with any applicable laws, rules or regulations in any country, and to comply with other legal process and law enforcement requirements; and
• as otherwise permitted by applicable law, with your explicit consent or authorization.

In collecting, using or disclosing your personal data, we may transfer it outside Singapore to other countries. We are responsible for making sure that any such transfer is made in compliance with the PDPA.

This Data Protection Notice does not address, and we are not responsible for, the privacy information or other practices of any third parties, including any third party operating any website or service to which the Services link. The inclusion of a link on the Services does not imply endorsement of the linked site or service by us or by BofA Affiliates.

Keeping Personal Data secure is one of our most important responsibilities. We maintain physical, technical, electronic, procedural and organizational safeguards and security measures to protect personal data against accidental, unlawful, or unauthorized destruction, loss, alteration, disclosure, or access, whether it is processed by us in Singapore or elsewhere. Appropriate employees are authorized to access personal data for legitimate and specified business purposes. Our employees are bound by a code of ethics and other internal policies that require confidential treatment of personal data and are subject to disciplinary action if they fail to follow such requirements.

We use reasonable organizational, technical and administrative measures to protect Personal Data within our organization. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contacting Us” section below.

3. Recipients of your personal data

We may disclose your personal data (including details of your transactions) to:

• any person or company working for us (including professional service organizations such as legal, audit and accounting service providers, technology and data processing companies and IT hosting providers);
• any of our group companies, offices or branches;
• any third party service providers including any person/entity that is a sub-contractor of such service providers;
• your employer or any group company of your employer;
• any person or company that provides products or services to you or your employer in connection your card or account (including but not limited to Mastercard);
• any person to whom we transfer or may transfer any of our rights or duties under the agreement we have with your employer;
• any payment system under which we issue your card or account; and
• any institution, court, agency or authority (including law enforcement authorities) to whom we are required to disclose it by law including, without limitation, anti-terrorism and anti-money laundering laws and regulations, and for the purpose of fighting crime and terrorism.

If you have given false or inaccurate information or we suspect fraud we will record this and may pass this information to fraud prevention and law enforcement agencies.

If any payment in relation to the account is processed through a worldwide payment system, information about you may be passed to certain authorities (including authorities outside Singapore) in order to detect and prevent terrorism.

4. Online information

How do we collect personal information online through cookies and similar tracking technologies?

We collect information about you through your computer, smartphone, tablet or other mobile device by the use of cookies and similar tracking technologies.

The type of information we collect from and about you online will depend on how you interact with us and may include: (not all of these may apply to your environment)

• Unique device identifiers (for example, Media Access Control (MAC) and Internet Protocol (IP) addresses);
• Browser type, version, language, and display/screen settings;
• Information about how you use and interact with our sites and mobile apps (for example, page visited or links clicked);
• Survey responses and similar information which reveals views and preferences, but which does not reveal a person’s specific identity;
• Responses to advertisements on the sites and mobile apps where we advertise;
• Log information such as your search and voice to text queries in the mobile app;
• Search engine referrals; and
• Geolocation information
   

How do we use the information collected online?

We collect this information through cookies and other tracking technologies for the following reasons:

• Because it is necessary to ensure the site works as intended, such as performing authentication within a secured site. Without this information, some services you have asked for cannot be provided; for example, without cookies or similar tracking technology, you will not be able to access a secured area within this site that requires authentication to assist in detecting and preventing fraud, identity theft and other risks to you or Bank of America.
• To remember choices you make (such as your username, language or region) and provide enhanced, more personal features. These cookies can be used to remember changes you have made to text size, fonts and other parts of web pages that you may have customized. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
• To improve how a website works and includes collecting information about how visitors use a website, for instance which pages visitors go to most often, or if they get error messages from web pages. This information can also be used to make collective inferences based on choices and browsing behavior for marketing and advertising research.
• To provide you with information you request such as the location of an office nearest to your location.
   

Uses and disclosures of other information

We may use and disclose Other Information for any purpose, except where we are required to do otherwise under applicable law. In some instances, we may combine Other Information with Personal Data. If we do, we will treat the combined information as Personal Data as long as it is combined.

See our Cookie Policy for additional details about cookies and tracking technologies including how you can manage cookies.

5. Whether we will transfer personal data internationally

Personal Data may be stored and processed in any country where we have facilities or in which we engage service providers, including the United States. In certain circumstances, courts, law enforcement agencies, regulatory agencies or security authorities in those other countries may be entitled to access Personal Data.

For transfers from Singapore to countries not considered adequate, we have put in place adequate measures, such as standard contractual clauses to protect Personal Data. Transfers may also be made pursuant to contracts in your interest or at your request. By providing us with your Personal Data, you recognize and understand that we may collect, use, transfer, or disclose your Personal Data to the third parties and for the purposes identified in this Data Protection Notice to reasonably provide you with the Services. If you do not provide us with the Personal Data described in this Data Protection Notice, we may no longer be able to provide you with the Services and your receipt of such Services may promptly be discontinued.

6. How long we will keep your personal data

We will retain Personal Data for as long as needed in accordance with our retention schedules or permitted in light of the purpose(s) for which it was obtained. The criteria used to determine our retention periods include: (i) the length of time we have an ongoing relationship with our client and provide the Services; (ii) whether there is a legal obligation to which we are subject; and (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

7. Your rights in respect of your personal data

You have certain rights under the PDPA, including the right to access, update or correct the personal data we hold about you or withdraw your consent to the use, collection and disclosure of your personal data (subject to certain exceptions). If you wish to access, update or correct your personal data or withdraw your consent to the use, collection and disclosure of your personal data in accordance with this Data Protection Notice, please email Global Card Services at asiacardsupport@bofa.com. The requested information shall be provided free of charge within the limit of one request per year.

For your protection, we may only implement requests with respect to the personal information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request. We will try to comply with your request as soon as reasonably practicable.

Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion. There may also be residual information that will remain within our databases and other records, which will not be removed, due to other legal obligations.

Please note that if you withdraw consent, we may still be permitted to hold, use or disclose some of your information as required or permitted by law. Additionally, upon your withdrawal of such consent, we will immediately terminate your card.

8. Updates to this data protection notice

We may change this Data Protection Notice, from time to time. The “LAST UPDATED” legend at the top of this Data Protection Notice indicates when this Data Protection Notice was last revised. Any changes will become effective when we post the revised Data Protection Notice. Use of the Services following these changes (or your continued provision of Personal Data to us) signifies acceptance of the revised Data Protection Notice.

If you have any questions about this Data Protection Notice, you may contact our Data Protection Officer on dpo@bofa.com. To help us to manage your query, please include your full name and corporate card number.