Personal Information Protection Policy


The Personal Information Protection Policy ("This Policy") applies only to retail banking products or services of Citibank (China) Limited (including each and all the branches) ("Citi" or "we").

Last Updated: April 10, 2024

Effective on: April 10, 2024

Please carefully read this Policy and ensure you understand that we will handle your personal information in accordance with the principles of clear purpose, consistency of rights and responsibilities, minimization & necessity and security. If you have any questions, please contact our customer service team for further assistance (customer service hotline: 400-821-1880/95038).

This Policy will help you understand the following:

1. How we collect and use your personal information

2. How we use cookies and similar technologies

3. How we do entrusted processing of, share, transfer, and publicly disclose your personal information

4. How we store and protect your personal information

5. Your rights

6. How we protect the information of children or minors

7. How your personal information is transferred globally

8. How we update this Policy

9. How to contact us

10. Miscellaneous

We understand the importance of personal information to you and will do our utmost to protect your personal information. We are committed to abiding by the following principles to protect your personal information: the principle of consistency of rights and responsibilities, the principle of clear purpose, the principle of minimization & necessity, the principle of security, the principle of subject participation, the principle of openness and transparency, etc. At the same time, we promise that we will take appropriate security measures to protect your personal information in accordance with the industry's mature security standards.
Please read and understand this Policy carefully before using our products (or service). For the clauses and personal sensitive information in this Policy that we consider to be materially related to your rights and interests, we’ve marked them in bold to draw your special attention.

The terms listed below shall have the meaning designated:

1. Personal information refers to various information recorded electronically or otherwise that can identify a specific natural person or reflect the activity of a particular natural person, either alone or in combination with other information. The personal information involved in this Policy includes: basic information (including personal name, address, family relationship, personal phone number, e-mail address); personal identification information (including ID card, military ID, passport, driving license, etc.); personal biological identification information (facial recognition features, facial images, fingerprints); network identification information (including Citi APP login account number, IP address, email address and related passwords, and password protection answers); personal property information (bank account, password, transaction and consumption records, flow records, payment and collection records); address book; personal Internet records (including website browsing records, software usage records, and click records); personal common equipment information (including hardware models, equipment MAC address, operating system type, software list, unique device identification code (such as IMEI/Android ID/IDFA/OPENUDID/GUID, SIM card IMSI information, etc.), including information describing the basic situation of personal commonly used devices); precise positioning information.

2. Personal sensitive information refers to personal information that, once leaked, illegally provided or abused, may endanger personal and property safety, and easily lead to personal reputation, physical and mental health damage, or discriminatory treatment, etc. Personal sensitive information involved in this Policy includes: your personal identification information (including ID card, military ID, passport, driver's license, etc.); personal biological identification information (facial recognition features, facial images, fingerprints); network identification information (including Citi APP login account, IP address, email address and the aforementioned passwords, and password protection answers); personal property information (bank card number, password, transaction and consumption records, flow records, payment and collection records); address book; website browsing records; precise positioning information.

1. How we collect and use your personal information

1.1 How we collect your personal information

When you apply to use our services or products, for the purpose of providing you with more precise, personalized and convenient services (including but not limited to, for the purpose of transactions, data processing, statistical studies, taxation, risk analysis, credibility monitoring, risk management and debt collection), and to improve your experience with our services, we will collect varied personal information based on your authorizations.

1.1.1 When you open a bank account with us, apply for a bank card of Citi, use our service to make deposits, process money collection, payment or transfers, apply for the service of credit cards or loans, purchase investment products, wealth management products, insurance and other financial products from us, or make an application for appointment with us, you are required to provide us with the following information:

a) Personal identity information, including name, gender, nationality, identity certificate information, telephone number, e-mail, date of birth, address, occupation and marital status. Further information such as your educational background, diplomas, work experience, health status, family member information, U.S. Social Security Number may also be required.
b) Personal property information, including personal income status (e.g., source of income / wealth, etc.), tax residency, taxpayer identification number. Further information such as real properties ownership and investment status (including financial assets, etc.) may also be required.

In addition, when you apply for a loan with us, per the regulatory requirement, we would need to (based on your authorization) collect your following information:

a) Personal credit information, including credit card, loan and other credit transaction information, debt status, relevant information on debt repayment liabilities, civil judgment, compulsory enforcement, administrative penalty and other non-credit transaction information, as well as other information that could reflect personal credit status.
b) Other information relating to the determination of the qualifications for real estate purchases: real estate transaction information, qualification/qualification certificate, property donation record.

1.1.2 When you apply for a credit card (including the face-to-face signing process) with us, we would need to collect your following information based on your authorization:

a) Personal identity information, including name, gender, nationality, ethnicity, identity certificate information, telephone number, email address, date of birth, marital status, address, occupation, diplomas and years of working.
b) Personal property information, including personal income status.
c) Personal biometric information, such as photos and videos.
d) Personal credit information, including the information of credit card, loan and other credit transaction information, debt status, litigation, investigation, penalties and other information that can reflect personal credit status.
e) Other information acquired in establishing or maintaining a business relationship in order to fulfill contractual, legal and/or regulatory compliance obligations, such as: the time and location (including geographic location and internet address) of transaction and service usage, records of correspondence and other types of communications with Citi (including audio and video recordings, call records, communication records and the contents thereof), the IP address used by the customer.

When you use our credit card services (credit card event & points redemption), in order to provide you with credit card events & points redemption related information and/or address amendment service for gift receiving, introduce to you our credit card installment plan and for such other purposes, you are required to further provide us with the following information:

a) The number of your airline or hotel membership card, and the new mailing address designated by you (this address will be conveyed to the third party supplier for shipping purposes).
b) The name and account number of your designated lending bank.
c) The scanned copy of your updated identity certificate and the validity period of the certificate.

1.1.3 In order to provide you with mobile banking services and to ensure the security of your account and the service, during the course of your use of the mobile banking services, we will collect information entered by you or generated from your use of the services.

When you activate our mobile banking services through the online self-service channel, per the requirements of laws & regulations and the regulatory bodies, we will collect your basic personal information, identity information, account information, correspondence information, and biometric information, to assist you with the mobile banking registration. If you decline to provide this information, you may not be able to activate the mobile banking services or use the services we provide.

1.1.4 When you use a mobile banking function or service, for example, in the following cases, you would need to provide us with or authorize us to collect the user information required for the service.

a) When you log on to the mobile banking app, we will verify the validity of your online banking user name and password. If you forget your login password and need to reset it, we will need to verify your identity information, including your mobile phone number, identity certificate information, bank card number, ATM cash withdrawal/transaction password. We will also collect device information for hardware binding and login security strengthening. If you do not provide the above information, you will not be able to log in or retrieve your password, but your normal use of functions or services that are available to general visitors (where login is not required) will not be affected.
For mobile phone devices of certain brands or models, you may choose fingerprint/facial recognition and verification method based on biometric information stored locally in your device. Such information is processed by the mobile phone terminals. We do not keep the biometric information stored in your mobile phone terminals. You can turn on/off the fingerprint/facial recognition function through the “my - settings” sector in the mobile banking app.
b) If you bind your mobile phone number for the mobile money transfer function, you would need to go through facial recognition process for identity verification, provide us with your facial image information and authorize us to verify your identity with the public security department. If you do not provide the above information, we will not be able to provide you with products or services where facial recognition is required.
c) When you use your mobile phone number to transfer funds and thus for the first time trigger the address book function, we will seek your consent and we will only retrieve the information of the contact person you have chosen from the address book. The content thereby retrieved will only be used for one-time operation and confined to the local use of mobile phone, which will not be kept by us in the background. The above information is personal sensitive information. If you do not want to use the above-mentioned functions, you may choose not to provide this information, which will not affect your normal use of other mobile banking functions. You may enter the contact’s mobile phone number manually in lieu of using the address book function.
d) When you make money transfers & remittance, you are required to provide information such as the payee's name, bank card number/account number, account-opening bank information and the intended use of transferred funds. In addition, we will also collect relevant transaction records (both collection and payment) for your ease of reference. Where you use the cross-border remittance services, your personal information including the sender’s user name, detailed address, phone number, postal code as well as the payee's name, country and detailed address will be transferred overseas as part of the transaction information. The above information is personal sensitive information, and your refusal to provide such information will only affect your ability to use the above-mentioned functions, but your normal use of other mobile banking functions will not be affected.
In order to simplify your transfers, we will also collect your payee’s name, bank card number/account number and account-opening bank information to form a payees list. You may choose to remove relevant payees from the list.
e) When you use SMS notification and/or message push services, we will collect your mobile number, device information, account information and transaction information so as to promptly notify you of account balance change and relevant transactions. If you do not provide the above information, you will not be able to use such notification and message services.
f) When you open a category II account (also known as Hui-cun account) or a category III account (also known as Hui-hua account), we will verify the mobile phone number registered with us and designated by you to receive SMS verification codes, online banking user name and user password. In accordance with the real-name authentication requirements prescribed by the laws and regulations of the state, we would need to collect information such as your name, certificate number, gender, ethnicity, date of birth, address, validity period of the certificate, photos of both sides of the certificate, portrait information, information of debit card account (under the same name) with other banks, and provide your name, bank account information, certification number and portrait information to the public security department to check and verify your identity against/through the online citizen identity information verification system and the inter-bank information authentication service platform of PBOC.
g) When you apply for a digital certificate, we would need to collect your name, certificate number and your authorization that allows us to send the same to the China Financial Certification Authority for review, information registration and digital certificate downloading.
h) When you use the personal information update service, we will require you to provide e-mail address, mobile number, home number, office number and communication address.
i) To fulfill our legal obligations and regulatory requirements for due diligence and sanctions/anti-money laundering/anti-terrorist financing, during our provision of the account opening and banking services to you, we may need to collect the personal information of your associated Spouse/Parent/Partner/Other third parties (including but not limited to name, birthday, nationality/area, residence, contact number, company name, work experience and source of wealth, etc.) from time to time. Please ensure that the information is true and valid, and is collected, processed and transferred in accordance with applicable laws, and ensure you have obtained the consent of such third parties.

1.1.5 When you use the mobile banking service, to maintain normal operation of the service and ensure transaction security, we will collect your geographic information, electronic device information (including device type, operating system, unique device identifier, log-in IP address, network accessing method/type/status, network quality data, etc.) and operation log information. This information is the basic information required for us to provide service to you and to ensure your normal and secure use of our service.

1.1.6 In order to provide you with better products and services, we would need to collect the following information. If you decline to provide the following information, your normal use of the above basic service will not be affected, but we will not be able to provide you with certain extended functions and services.

a) Advertising and marketing functions

When you participate in promotional activities, we will collect your name, identity certificate number, mobile phone number and communication address for prize distribution. If you decline to provide this information, you will not be able to use the above functions, but your normal use of other mobile banking functions will not be affected.

b) Feedback function

In order to improve user experience, enhance service quality and mitigate risks, we will provide you with safer, more convenient and more personalized services and will therefore collect your feedback/suggestions and information provided thereby, as well as relevant questionnaire feedback.

c) Personalized service

In order to provide you with more precise, personalized and convenient services, improve user experience and enhance service quality, we will collect your feedback and suggestions, the type & mode of the mobile banking functions or services you use and operation information generated thereby, as well as your user information. We will use this information to conduct analysis and profile your user portrait, and provide you with relevant services and products accordingly.

1.1.7 When you use the functions and services of this app, under certain circumstances, we may need to use the software development toolkit or code ("SDK") provided by a qualified third-party service provider to render services to you, where the third-party service provider may need to collect certain information of you, in particular:

| SDK | Scenario | Personal Information Collected | Data Receiver |
| --- | --- | --- | --- |
| CFCA SDK | E-signature for authentication | System version number, device type, device name, system manufacturer, hardware name, hardware manufacturer, serial number, Android ID | China Financial Certification Authority |
| CFCA SDK | Identity verification for mobile number payment activation | Face photo, mobile number, IMEI number, IMSI, device serial number, device ID, call status, device status information | China Financial Certification Authority |
| TMXProfiling, TMXProfilingConnections, TMXDeviceSecurityHealth | Anti-Fraud | 1. When you use the mobile banking or online banking services, we need to collect the type of the computer operating system, the type of the mobile operating system, login date/time, mobile network IP address and location information, the model and manufacturer information of your mobile phone, whether connected to the mobile network ID, whether connected to the Wi-Fi network ID, the network model, the carrier's name, the mobile network country code, the mobile network code, the width of the device screen, the length of the device screen and whether the device has jailbreaking sign. 2. Transaction Date/Time/Amount (not include customer name, only include customer number internally used in bank) | Citibank (China) Co., Ltd.’s Parent and Affiliates |

If you choose not to provide the above information, you may not be able to use certain services or certain parts of them, but this will not affect your use of other services provided by us.

1.1.8 In the course of our services, you may need to provide certain device permissions to ensure normal use of our services and for us to maintain the normal operation of our services, improve and optimize service experience and protect your account security. In particular, following device permissions may be required:

a) Location – for fraud detection and information security purpose.
b) Phone Number – to read communication status and internet status of the mobile you are using, for risk control and information security purpose.
c) Facial ID or fingerprint ID verification – for verification and log-in to Citi mobile banking app.
d) Notification – to provide message push service.
e) Address book – help quickly choose the phone number of the payee when using the mobile money transfer function.
f) Camera – help access camera to complete the facial verification process for mobile money transfer.
g) Storage access – to store electronic account statement.

Please note that when you grant these permissions, you authorize us to collect and use the above information to achieve the above functions. You can also choose to disable some or all of the permissions at any time in the device settings. If you cancel the authorization, we will no longer continue to collect your corresponding information, nor will we be able to provide you with the corresponding functions. In different devices, the permission display method and withdrawal method may be different. For details, please refer to the instructions or guidelines of the device and system developer.

For the above services, we may collect your sensitive personal information. The collection of such sensitive information is carried out based on the minimum necessity principle and is necessary for us to provide you with the service. If you refuse to provide such sensitive information, you may not be able to use the corresponding services. We will, in accordance with the requirements of applicable laws, inform you of the processing purpose and method and other contents that need to be informed according to the law, regarding your sensitive personal information collected by us, and seek your separate consent thereof. This Policy has informed you about the processing of sensitive personal information, and your consent to this Policy is deemed as your separate consent to such processing.

1.2 How we use your personal information

1.2.1 We will use the collected personal information in accordance with the provisions of this Policy and to provide or improve the functions of our financial products and/or services.

1.2.2 During the period of services, you authorize us to continuously collect and use your information. When you deregister the services, we will stop collecting personal information related to you, but we may continue to use collected personal information under certain circumstances such as business filing, auditing, regulatory assistance, and fulfilling anti-money laundering and sanctions requirements.

1.2.3 We may use your personal information to provide you with Citi products and services that may be of interest to you.

1.2.4 In order to enhance your experience with our products or services, or for risk prevention purpose, we will summarize, analyze and process the usage statistics of services. However, such information will not contain any personal identifying information about you.

1.2.5 If we use the information for other purposes which are not stated in this Policy, we will seek your consent in advance.

1.2.6 If we use the information collected for a specific purpose for other purposes, we will seek your consent in advance.

1.2.7 After collecting your personal information, we will use technical means to de-identify or anonymize your information so that your identity will not be recognized through such information.

1.3 Exceptions

In accordance with the relevant laws, regulatory requirements and national standards, we may process (including collecting, storing, using, processing, transmitting, providing, disclosing, deleting, etc.) your personal information without seeking your separate consent or consent in any of the following circumstances:

1.3.1 Necessary for the Bank to perform its statutory duties or obligations;

1.3.2 Directly related to national security or national defense security;

1.3.3 Necessary to respond to public health emergencies, or to protect the life, health and property safety of natural persons in emergencies;

1.3.4 Directly related to criminal investigation, prosecution, judicial trial, enforcement of judgment, etc.;

1.3.5 Collect or use personal information that has been willingly disclosed to the public by you;

1.3.6 Collect or use personal information received & generated from legally and publicly disclosed information, such as legitimate news reports, government information publication or other channels;

1.3.7 Necessary for entering into and performing contract(s) according to your instructions;

1.3.8 Necessary for maintaining secure and stable operation of our products or services, such as to detect, handle fraud in or misappropriation of the products and services.

2. How we use cookies and similar technologies

2.1 Cookie

To ensure the proper operation of online banking and mobile banking, we store pieces of information called cookies in your computer or mobile device. Cookies usually contain an identifier, a site name, and some numbers and characters. With the help of cookies, data such as your preferences could be stored.

We do not use cookies for any purpose other than those stated in this Policy. You can manage or delete cookies based on your preferences. Please refer to the link http://optout.networkadvertising.org/ for more information. However, if you decide to delete certain cookies stored on your computer or mobile device, your site experience may be degraded and you may not be able to use some of online features, especially the security and fraud monitoring features of cookies.

2.2 Website beacons and pixel tags

In addition to cookies, we may use similar technologies such as beacons and pixel tags in online banking or mobile banking to collect your browser, mobile devices and other information such as web browsing time, pages visited, language preferences, and other interacting data from Citigroup sites. This part of data may be associated with your terminal device information (e.g. IP address, installed fonts, language and browser settings, time zone, etc.) to facilitate our understanding on your preference of Citi products or services and improve our customer service.

2.3 Do Not Track

Many website browsers provide a Do Not Track function that can send a signal to the websites you visit to indicate you do not wish to be tracked. Up to now, major Internet standardization organizations have not established policies to specify how websites should handle these requests. However, if you enable Do Not Track in your browser, all our websites will respect your selection.

3. How we do entrusted processing of, share, transfer, and publicly disclose your personal information

3.1 Entrusted processing

Certain modules or functions in our business function are provided by third-party suppliers. For example, we may engage service providers to assist us in providing customer support. The entrusted activity will not exceed the scope of the agreed processing purpose or method.

For the third party entrusted by our bank, we will carry out the personal information security impact assessment and sign a contract with the third party, requiring the third party to process your personal information in accordance with laws and regulations, this policy and other confidentiality and security requirements of our bank, and supervise the third party. Once it is found that the third party fails to process personal information in accordance with the entrusted requirements, or fails to effectively fulfill the responsibility of personal information security protection, we will take or request the third party to take effective remedial measures to control or eliminate the security risks faced by personal information. When necessary, we will terminate the business relationship with the third party and require the third party to delete the personal information obtained from us in a timely manner.

When required by applicable laws and regulations, regarding our provision of your personal information to third parties, we will inform you of the relevant matters including the name and contact information of the personal information recipient, the processing purpose, processing method and type of personal information, and obtain your separate consent thereof.

3.2 Sharing

We do not share your personal information with any company, organization or individuals, with the following exceptions:

3.2.1 Share upon your explicit consent: We will share your personal information with other parties after obtaining your explicit consent.

3.2.2 We may share your personal information to comply with laws and regulations or mandatory requirements from governmental authorities.

3.2.3 We may share your personal information with third-party for the following purposes:

a) Sharing with our affiliates.

However, we will only share necessary personal information and the related parties will be bound by the stated purpose in this Policy. If our affiliates want to change the purpose of processing personal information, they will again seek your authorization and consent.

b) Sharing with our partners and third parties.

We may disclose your personal information to suppliers and other partners who support our business to ensure the smooth completion of the services provided to you. However, we will only share your personal information for legal, legitimate, necessary, specific, and clear purposes, and will only share personal information necessary to provide services. Our partners have no right to use the shared personal information for any other purpose.

Our authorized partners mainly include:

Our suppliers, service providers and other partners. We will be required to disclose your login, account or transaction information (including name, ID number, personal image, geographic location, mobile phone number, bank card number, sender’s name, payee’s name, remittance account number, name of the remitting bank, business office of the remitting bank, receiving account number, the name of the receiving bank, business office of the receiving bank, transfer method, transferred amount, transfer time, agreed transfer intervals, transaction notes, processing status and transfer date) to those suppliers, service providers and other partners that support our business, such as providing us with technical infrastructure services, risk control services, identity verification services, customer services, transfer services, payment convenience, joint promotion activities, etc.

If we share your personal information with above third-party(ies), we will, in the form of a written agreement, request them to process the above information in accordance with applicable laws, regulations, personal information protection or privacy policy(ies) and other confidentiality and security requirements to safeguard your information security.

3.3 Transfer

We will not transfer your personal information to any company, organization or individuals except in the following cases:

3.3.1 After obtaining your consent.

3.3.2 In the case of mergers, acquisitions or bankruptcy liquidation, if it involves transfer of personal information, we will request the new company or organization, which holds your personal information, to be bound by this Policy. Otherwise we will ask the new company or organization to resolicit your authorization.

3.4 Public disclosure

We will only publicly disclose your personal information under the following circumstances:

3.4.1 Obtain your separate consent in advance;

3.4.2 Disclosure based on law: We may publicly disclose your personal information in the event of mandatory requirements of law, legal procedures, litigation or governmental agencies.

4. How we store and protect your personal information

4.1 Storage

We will only retain your personal information within the minimum period required by laws and regulations or for the implementation of the anti-money laundering and sanction rules, and within the minimum period necessary for achieving the aim stated in this Policy. Upon expiration of the retention period, we will delete or anonymize your information.

4.2 Protection

4.2.1 We have used industry-standard security measures to protect the personal information you provide to prevent unauthorized access, public disclosure, use, modification, damage or loss of data. We will take all reasonable and feasible action to protect your personal information. For example, when you exchange data (such as credit card information) between your browser and the "service", you are protected by SSL encryption; in the meantime, we also provide https secure browsing for Citi website; we use encryption to ensure data confidentiality; we will use trusted protection mechanisms to protect against malicious attacks; we deploy access control mechanisms to ensure that only authorized personnel have access to personal information; and we conduct security and privacy protection training courses to enhance employee awareness of the importance of protecting personal information.

4.2.2 We have established special management systems, procedures and organizations to ensure the security of information. We strictly limit the scope of persons who can access the information, require them to undertake confidentiality obligations, and conduct audits.

4.2.3 The Internet is not an absolutely secure environment. Besides, email, instant message, and communication with other Citi users are not encrypted. We strongly recommend you not to send personal information in this way. Please use complex passwords to help us keep your account secure.

4.2.4 The Internet environment is not 100% secure, and we will do our best to ensure or guarantee the security of any information you send to us. If our physical, technical, or administrative protection is damaged, which results in unauthorized access, public disclosure, alteration, or destruction of information and further impairs your legitimate right, we would undertake corresponding legal liabilities.

4.2.5 In accordance with the requirements of laws and regulations, in the occurrence of any personal information security incident (including information loss, damage, leakage, tampering, etc.), we will promptly notify you of the following in accordance with laws and regulations: basic information about the security incident and its potential impact, treatment measures we have taken or will take, suggestions about proactive defense and risk mitigation, remedial measures, etc. We will promptly let you know relevant situations of the incident by means of mail, letter, phone call, push notification, etc. We will issue an announcement in a reasonable and effective manner when having difficulty in reaching out to each personal information subject.

Meanwhile, we will also report the handling status of personal information security incidents as required by regulatory authorities.

5. Your rights

In accordance with China's relevant laws, regulations, standards, and the common practice of other countries and regions, we guarantee you the following rights of your personal information:

5.1 Access or obtain your personal information

You are authorized to access or obtain your personal information, except for some circumstances stipulated by law and regulations. You could, after identity verification, exercise your right of data access or obtainment through the following methods:

Account Information - If you want to access, obtain or edit your profile information and payment information, change your password, add security information or close your account, you can visit Citibank Online Banking at www.citibank.com.cn or use Citi Mobile Banking to perform such actions.

If you are unable to access or obtain your personal information via the link above, you can always contact us by using the “Contact Us” web form on Citi’s official website at www.citibank.com.cn, or call us at our customer service hotline 400-821-1880/95038, or sending an email to consumer.china@citi.com. We will respond to your request within 15 business days.

We will provide you with other personal information generated during the course of your use of our products and services so long as it is within our scope of services.

5.2 Correct your personal information

When you identify any error in your personal information by our process, you are entitled to require us to make the correction. You can raise a correction application by using the methods listed in "(1) Access to your personal information". If you are unable to correct your personal information through the link above, you can always contact us by using the “Contact Us” web form on Citi’s official website at www.citibank.com.cn or sending an email to consumer.china@citi.com. We will respond to your request within 15 business days.

5.3 Delete your personal information

Under the following circumstances, you can request us to delete your personal information:

5.3.1 If our processing of personal information violates any law or regulation

5.3.2 If we collect or use your personal information without your consent, or if you withdraw your consent

5.3.3 If our processing of personal information breaches our agreement with you.

5.3.4 If you no longer use our products or services, or you cancel your account

5.3.5 If we no longer provide products or services to you

Where the storage period stipulated by law or administrative regulation has not expired, or deletion of personal information is technically hard to accomplish, we will cease the processing of personal information other than storing and taking necessary security protection measures for such information. We will respond to your request of deletion in accordance with applicable laws or regulations, we will also notify the entity(ies) which obtained your personal information from us and request them to delete such information in a timely manner, unless otherwise stipulated under laws or regulations, or if these entity(ies) has(have) obtained your separate authorization.

5.4 Change your authorization scope

Each business function requires certain basic personal information to be provided (please refer to "Part 1" of this Policy). You could grant or withdraw your authorization & consent at any time for the collection and use of the additionally collected personal information.

You can change the authorization scope by yourself in the following ways:

Citi Service Hotlines: Domestic customers please call 400-821-1880/95038. Overseas customers please call (+86)-(20)-3880-1267 (Retail Banking Customer) or (+86)-(21)-3896-9500 (Credit Card Customer).

When you withdraw your consent, we will no longer process your corresponding personal information. However, this decision to withdraw your authorization will not affect personal information processing upon your previous authorization.

If you do not wish to receive commercial advertisements we deliver, you can cancel at any time by:

SMS: Replying with TD

Mail: Replying directly to this message and change the subject to "Unsubscribe". We will process your request within 10 business days. Please understand that you are still likely to receive emails from us during this period. Please kindly note that you could not send new emails to this email address as this type of request cannot be processed.

5.5 Account Cancellation

How Citibank China app features can be discontinued:

All the Citibank China app feature enrollments can only be enabled on a single device at any given time for your security.

These settings are automatically transferred to the new device when you install and authenticate yourself on the Citibank China app on a new device.

To discontinue usage of the app, you can uninstall the app and continue accessing Citibank Online via our website. (Learn more on Citibank China app features)

You can cancel your previously registered accounts at any time, you can do it by yourself in the following ways:

For debit card customers who wish to cancel online banking and mobile banking, they should visit branch/sub-branch in person and fill out the Debit Card Business Application Form. For credit card customers, they can call Citi Service Hotline to cancel online banking and mobile banking.

After account cancellation, we will stop providing you our products or services, and will delete your personal information per your requirements, unless otherwise stipulated by laws and regulations.

5.6 Constraints of automatic decision making from information systems

In certain business functions, we may make decisions solely based on non-manual automatic decision mechanisms including information systems and algorithms. If these decisions significantly affect your legitimate interests, you have the right to ask for explanation and we will provide appropriate remedies.

5.7 Transfer your personal information

According to the provisions of relevant laws and regulations, you can request our bank to transfer your personal information to your designated third party. If the transfer meets the conditions set by the State cybersecurity department, we will provide you with the channel for such transfer.

5.8 Responding to your above request

In order to ensure the security, you may need to provide a written request or other supporting to verify your identity. We may ask you to verify your identity before processing your request. We will respond to you within 15 business days.

If you are unsatisfied with services, you can also make complaints through the following channels.

Calling 400-821-1880/95038 or consumer.china@citi.com or filling out and submitting the "Email Us" form online.

In principle, we do not charge for your reasonable request, however, for those repetitive, beyond reasonable requests, we may charge a fee as the case may be. For those unreasonably repetitive requests which need too excessive technical means (for example, need to develop new systems or fundamentally change existing practices), pose risks to others’ legal rights, or are very impractical (for example, involving information stored on backup tapes), we may reject such requests.

In the following situations, we will not be able to respond to your request as required by law or regulation:

5.8.1 Directly related to national security and national defense security.

5.8.2 Directly related to public safety, public health, or significant public interests.

5.8.3 Directly related to criminal investigation, prosecution, judicial trial, enforcement of judgment, etc.

5.8.4 There is sufficient evidence that you have subjective malice or abuse of rights.

5.8.5 Respond to your request which may result in serious damage to the legitimate rights and interests of you or other individuals or organizations.

5.8.6 Involve our trade secrets.

5.8.7 For compliance with the regulations of anti-money laundering or sanctions.

This policy does not limit your other rights as an information subject under applicable laws and regulations.

6. How we protect the information of children or minors

Our products, services and websites are primarily for adults. Children and minors cannot create their own accounts without the consent of their parents or guardians.

If you are a child/minor, please read these terms carefully and only use our services or provide information to us upon your guardian's consent. If you are guardian of child/minor, please read these terms carefully and confirm whether you agree to use our services or provide information to us. You shall confirm that your child uses our services with your consent and knowledge. We will only collect, use, retain and disclose your information to the extent allowed by laws & regulations and regulatory requirements, explicitly consented by your guardians or necessary for the protection of the interests of children/minors.

Besides, we are well aware of the importance of personal information to children/minors and their guardians, and thank children/minors and their guardians for their trust in us.

In Chapter '1. How we collect and use your personal information' of this Policy, in combination with specific services, we explain in detail that users need to agree with the type and the use of the information we collect and the consequences of refusing consent. This information may involve information about children/minors; we will collect corresponding personal information of the children/minors in accordance with the following agreement, and obtain the consent of the guardians:

1. When we provide insurance service to you and the insured is a child/minor, we need you to authorize us (an insurance agency) to collect the following personal information of the child/minor for the purpose of providing insurance service, and agree to our disclosing it to insurance companies for underwriting. If you do not agree to provide the following information, we may not be able to provide the insurance service to you. Due to differences in the type of insurance, amount of products, etc., information collected by authorization includes but is not limited to the following information:

• Children/Minors personally identifiable information, relationship information, etc.
• Children/Minors health information
• Other relevant information required by the insurance company that insures this type of insurance, such as past insurance application, refusal of insurance, extension of underwriting information, etc.

2. When we provide home loan service to you and there are children/minors in your family, we need to collect personal identification information of the children/minors (including personal name, identity certificate information) and information in respect of house-purchase eligibility recognition (e.g. number of real estate units under the name, property donation, etc.). If you do not agree to provide the aforementioned information, we may not be able to provide the home loan application service to you.

When we want to use the information of children/minors for other purposes not specified in this chapter, we will obtain the consent of the guardians again in accordance with the requirements of laws, regulations and regulatory requirements.

We will store, use and protect the information of children/minors in accordance with the stipulations of this Policy. We have designated a special-assigned person to be responsible for the protection of children's/minors' information, strictly set information access rights, and adopted the principle of least-sufficient authorization for staff who may have access to children’s/minors’ information.

We promise to keep children's/minors' information strictly confidential, and only provide this information to external parties under the stipulations of ‘Chapter 3. How we do entrusted processing of, share, transfer, and publicly disclose your personal information’ in this Policy. If it is necessary to share children’s/minors’ information with a third party in order to provide services to you, we will evaluate the legality, legitimacy and necessity of the third party's collection of children’s/minors’ information. We will request third parties to take protective measures for the information of children/minors and strictly abide by relevant laws, regulations and regulatory requirements. In addition, we will obtain the consent of the guardian of the child/minor in accordance with the requirements of laws, regulations and national standards, or confirm that the third party has obtained the consent of the guardian of the child/minor.

For the purposes of this Policy, "children" in this chapter refers to natural persons under the age of fourteen, and "minors" refer to natural persons over the age of 14 but under the age of 18.

7. How your personal information is transferred globally

In principle, the personal information we collect and generate within the territory of the People's Republic of China will be stored in the territory of the People's Republic of China.

Since we provide products or services through resources and servers across the world, which means that to the extent permitted by regulatory rules and applicable laws, and upon your authorization and consent, your personal information may be transferred to the foreign jurisdiction of the country in which you use the product or service, or be accessed from these jurisdictions. In order to process cross-border business, upon your consent, your personal information including the sender's user name, detailed address information, phone number, postal code, as well as the payee's name, country, and detailed address information, will be transferred overseas as part of the transaction information.

Please refer to the ‘Personal Information Cross-Border Transfer List’ attached herein for the names and contact information of the overseas recipients, the type of the outbound transferred data and the processing methods and purposes.

Such jurisdictions may have different data protection laws or even don’t have relevant laws. In such cases, we will ensure that your personal information is adequately protected within the territory of the People's Republic of China. For example, we will ask you for permission to transfer personal information across borders or to implement security measures such as data de-identification before cross-border data transfers. Regarding the exercise of your relevant rights, please contact us through the methods listed in the Personal Information Cross-Border Transfer List.

8. How we update this Policy

We may change this Policy from time to time.

We will not undermine your rights entitled under this Policy without your explicit consent. We will post any changes and revisions of this Policy on this page.

For significant changes, we also provide more noticeable notices (including for certain services, we will send a notification via email stating the specific changes to this Policy).

Significant changes referred to hereunder include but are not limited to:

(1) Major changes in our service model, such as changes in relations to the purpose of processing personal information, the type of personal information processed, the way in which personal information is used, etc.

(2) Changes in the main objects of personal information sharing, transfer or public disclosure.

(3) Major changes in your rights to participate in the processing of personal information and the way of you exercising such rights.

(4) Changes in the department, contact information and complaint channels responsible for personal information security.

(5) Personal information security impact assessment report indicates that there is a high risk.

We will also archive the previous versions of this Policy for your reference.

Whenever this Policy is updated, we will notify you to review and confirm it when you log in to Citi Mobile Banking app. If you do not agree to the new terms and conditions, please stop using our services and products.

If you only use the online banking services, if there is any update to this Policy, the updated content will be publicized through our bank’s official website (www.citibank.com.cn), and will become effective upon publication and supersede the previous relevant content. Please pay attention to changes in relevant announcements, reminders, agreements, rules and other related content from time to time. Please be aware and confirm that, if you do not agree with the updated terms and conditions, please stop using our services and products; if you continue to use our services and products, it is deemed that you agree to accept the updated terms and conditions.

9. How to contact us

If you have any questions, comments or suggestions about this Policy, or require to access, update, rectify, delete or withdraw your personal information, please contact us by the following means:

Company name: Citibank (China) Co., Ltd.

Location: 30F, Citigroup Tower, No.33 Hua Yuan Shi Qiao Road, Lu Jia Zui Finance and Trade Area, Shanghai, China

Postcode: 200120

Email Address: consumer.china@citi.com

Phone number: Domestic customers please call 400-821-1880/95038. Overseas customers please call (+86)-(20)-3880-1267 (Retail Banking Customer) or (+86)-(21)-3896-9500 (Credit Card Customer). Customers may need to pay communication charges to telecom carriers for such calls (charges are as set by respective telecom carriers). All customers can visit the branch to make specific requirements.

We will reply within about 15 working days after receiving your request, up to 30 days or a shorter period (if any) stipulated by laws and regulations. For your aforementioned reasonable request for personal information, we will not charge you in principle. However, for repeated requests that exceed reasonable limits, we will charge a certain cost according to the circumstances within the scope permitted by laws and regulations.

If you believe that our personal information processing behavior damages your legitimate rights and interests, you have the right to seek a solution through the people's court or regulatory agencies.

10. Miscellaneous

If you are, or will be, a resident of the U.S. State of California, you have certain rights with respect to your Personal Information under the California Privacy Rights Act ("CPRA") as of January 1, 2023. For more information about what this means to you, please click here https://www.citigroup.com/citi/privacy.html.

To access your rights under CPRA, please call U.S. +1-833-981-0270 or click here CPRA non-US Request to print a form and mail to us.

The laws of the P.R.C. shall apply to the establishment, effectiveness, performance, interpretation and dispute resolution of these terms and conditions.

Matters not covered in this Policy shall be handled in accordance with applicable laws and regulations, our relevant business rules and prevailing financial business practices.

These terms and conditions are written in both Chinese and English. In case of discrepancies, the Chinese version shall prevail.


Personal Information Cross-Border Transfer List

Information Recipient: Citibank (China) Co., Ltd.’s Parent and Affiliates

Contact Information: consumer.china@citi.com

Method and Procedure to Exercise Rights: If you need the specific names of the Recipients or have any questions, please contact us at consumer.china@citi.com

| (Data) Processing Purpose | (Data) Processing Method | Type of Personal Information |
| --- | --- | --- |
| process and risk control management of the cross-border transaction business | collection, storage, use, processing, transmission, provision, and deletion | customer’s basic information, contact details and transaction information |
| process and risk control management of the Credit Risk Management | collection, storage, use, processing, transmission, provision, and deletion | customer’s basic information, contact details and transaction information |
| credit card points redemption | collection, storage, use, transmission, provision, and deletion | customer’s name, customer airline/hotel membership number |
| internal management of event marketing | collection, storage, use, transmission, provision and deletion | customer’s name |
| management of customer experience | collection, storage, provision, and deletion | customer’s basic information and transaction information |
| provision of custodian services | collection, storage, use, processing, transmission, provision, and deletion | customer’s basic information and transaction information |
| provision of e CitiAlerts services | collection, storage, use, transmission, provision, and deletion | customer’s contact details and transaction information |
| conducting due diligence | collection, storage, use, processing, transmission, provision, and deletion | customer’s basic information, contact details and transaction information |
| E-banking business risk management | collection, storage, use, transmission, provision, and deletion | customer’s device information, login information and transaction information |
| technical support | collection, storage, and deletion | information listed in this chart |
| disaster recovery | collection, storage, and deletion | information listed in this chart |