Yes Bank Limited (“Yes Bank”, “we”, “us” or “our”) and its group entities are committed to respecting your privacy and recognising your need for appropriate protection and management of any personal information you share with us. This Privacy Notice sets out how Yes Bank collects, uses and protects your personal information when it acts as a Data Fiduciary under the Digital Personal Data Protection Act, 2023, and the rights and choices available to you.
Why You Should Read this Notice
As a regulated banking institution, Yes Bank collects, uses and discloses personal information in the course of providing accounts, payments, credit, investment and other financial services. Where Yes Bank decides why and how your personal information is processed, it acts as a "Data Fiduciary" under the Digital Personal Data Protection Act, 2023. This Privacy Notice explains how we process your personal information in compliance with applicable data-protection, banking and consumer-protection laws, and the rights you have in relation to that information.
What does this Notice cover?
This Privacy Notice sets out how Yes Bank uses and protects personal information across India and, where applicable, outside India. If you live or work in a jurisdiction that grants additional rights to individuals, please refer to Section 7 of this Notice, which sets out region-specific information.
This Notice does not apply to personal information that Yes Bank processes on behalf of corporate clients in the course of providing banking services to their employees, customers or counterparties — in such cases Yes Bank acts as a "Data Processor" and the corporate client's privacy notice applies. It also does not apply to third-party websites you may visit through links from our channels; we encourage you to review the privacy notices of those websites.
Updates to this Notice
We may update this Privacy Notice from time to time. When we do, we will revise the "Last Updated" date at the top of this page and, where the change materially affects your rights, we will notify you through our website, mobile app, email or other appropriate channels. We encourage you to review this page periodically.
If you have any questions about this Privacy Notice or your personal information, please contact us at privacy@yesbank.in.
1. What Personal Data We Collect and How We Collect It
"Personal data" or "personal information" means any information about an individual from which that person can be identified or is identifiable. It does not include data that has been irreversibly anonymised or aggregated such that the individual can no longer be identified.
We collect personal data through three main sources: (a) personal data you provide to us directly — for example, through account-opening forms, loan applications, calls to our contact centre or correspondence with our branch staff; (b) personal data we collect automatically — for example, when you use www.yesbank.in, our mobile banking app or other digital channels; and (c) personal data from other sources — such as Credit Information Companies, the Central KYC Records Registry, payment networks, business partners and publicly available sources.
The categories of personal data we collect are set out below:
Identification Data
Name, date of birth, gender, nationality, photograph, signature, PAN, Aadhaar reference and other identifiers required for Know Your Customer (KYC) and customer-due-diligence purposes. We may collect this directly from you, from your employer or introducer, from the Central KYC Records Registry, or from publicly available sources.
Contact Data
Postal and registered addresses, email address, mobile and landline numbers, emergency contact details and, where you provide them, social-media handles. We may collect this directly from you, from your employer, or from authorised third-party partners who provide networking or KYC services.
Financial Data
Income, occupation, source of funds, transaction history, account and card balances, investment portfolio, credit information obtained from Credit Information Companies and loan-and-deposit history. We collect this in the course of providing banking products and services.
Payment Data
Card details (tokenised in line with RBI directions), UPI handles, NEFT, RTGS and IMPS instructions, beneficiary details, standing-instruction mandates and billing information. We collect this when you set up a payment instrument or carry out a transaction.
Professional Data
Employer name, designation, company address, employment history, areas of expertise and, for corporate banking and wealth customers, information about your role and authority within an organisation. We may collect this directly from you, from your employer, from publicly available sources or from third-party partners.
Communication Data
Recordings of contact-centre and tele-banking calls, branch and ATM CCTV footage, SMS, email, chatbot and in-app messages, social-media interactions with our official handles, and correspondence relating to grievances, queries and feedback.
Technical Data
IP address, operating system, browser information, user agent, identifiers such as cookie IDs (see our Cookie Policy), mobile-device identifiers, Wi-Fi data, authentication credentials, session logs and interactions with our digital channels. We may also collect data about your engagement with marketing communications, including whether you have opened a message or clicked a link.
Government Identifiers
Government or state-issued identification documents such as passport, driving licence, Voter ID and similar identifiers, collected during onboarding, identity verification and statutory reporting (including FATCA/CRS, where applicable).
Biometric and Audiovisual Data
Facial image and liveness data captured during Video KYC, voice biometrics for tele-banking authentication, photographs and audio or video recordings collected through CCTV at branches and ATMs or during Yes Bank events.
Inferred Data
Preferences and indicators of likely interest in our products or services, generated by combining the categories above with information obtained from third parties and publicly available sources. This data assists with credit decisions, fraud prevention, product personalisation and compliance with applicable laws.
Preference Data
Consents you have provided to us, communication and channel preferences, and other choices indicating how you would like Yes Bank to contact you or which products and services interest you.
Why and How We Use Your Personal Data
We use the personal data we collect for the following purposes:
1. To conduct our banking operations and provide our products and services
To communicate with you
We use your Contact Data and Communication Data to respond to queries, deliver transaction alerts and statements, send regulatory notices and reach out where we believe you may be interested in a Yes Bank product or service.
To provide you with our products and services
We use Identification Data, Contact Data, Financial Data, Payment Data, Technical Data, Communication Data and Professional Data — depending on the product — to verify your identity, fulfil our banking contract with you, deliver the products and services you have requested and provide access to our digital channels.
To process financial transactions
We use Contact Data, Communication Data, Payment Data and Financial Data to authenticate, route and settle payments and other banking transactions, and to provide post-transaction support.
To analyse activity on our digital channels and improve them
We use Technical Data and Communication Data to understand how you use our websites, mobile app and contact centre, to improve performance and security, and to enhance the experience we provide.
To ensure compliance with our obligations
We may access, preserve, process or disclose your information where required to comply with a court order or legal requirement, respond to governmental or regulatory requests, enforce our policies and contracts, recover amounts owed to us or assist with the investigation or prosecution of suspected illegal activity.
To protect rights, property, life, health, safety and security
We process your information where necessary to protect the rights, property, life, health, safety or security of Yes Bank, our employees, our customers (including you) or others.
To measure, develop and improve our products and services
We use Contact Data, Technical Data and Communication Data to develop new products and improve the performance and reliability of existing ones.
To create de-identified and aggregated information
We may use personal information to create de-identified or aggregated data — such as demographic insights or device statistics — for analysis, reporting and product development.
2. To enable our sales and marketing functions
To send sales and marketing communications
We use Contact Data, Professional Data, Technical Data, Communication Data, Financial Data, Inferred Data and Preference Data to send you information about Yes Bank products and services you have used or shown interest in, communications about new products we think may be relevant to you, invitations to events and targeted marketing campaigns on third-party platforms such as social media networks.
To understand who would be most interested in our products and personalise our communications
We use Contact Data, Communication Data, Professional Data, Technical Data, Financial Data, Inferred Data and Preference Data to identify the products and services most likely to be relevant to you and to personalise the communications we send.
To analyse the effectiveness of our communications
We use Contact Data, Communication Data and Technical Data to understand the impact of our marketing campaigns — for example, open and click rates — and to improve them over time.
To target advertising
We use Contact Data, Professional Data, Communication Data, Technical Data, Financial Data and Inferred Data to deliver targeted advertisements and messages, including through third-party advertising platforms such as search engines and social-media networks.
3. To manage your visit to a Yes Bank branch, ATM or event
To enable your visit to a Yes Bank space
Depending on how you engage with us, we process Contact Data, Communication Data, Professional Data, Technical Data and Audiovisual Data when you visit a Yes Bank branch, ATM, lounge or other designated space.
Event management
We process Contact Data, Professional Data, Communication Data, Audiovisual Data and Technical Data to enable your attendance at Yes Bank-hosted or co-hosted events such as customer roundtables, financial-literacy workshops, conferences and webinars, and to follow up with information that may be relevant to you.
To protect our premises, customers and staff
We process Contact Data, Professional Data, Financial Data, Technical Data, Audiovisual Data and Communication Data to monitor for and detect fraudulent, harmful or illegal activity at our premises and across our channels.
4. To comply with legal obligations and maintain the security of our products, services, employees and partners
To comply with legal obligations
Where necessary, we use Contact Data, Technical Data, Communication Data and Government Identifiers to comply with legal obligations such as KYC, anti-money-laundering, tax reporting, FATCA/CRS reporting and responses to lawful requests from statutory and judicial authorities.
To help you exercise your rights and control over your personal data
Where you contact us to exercise your rights as a data principal or to opt out of certain communications, we may process Contact Data, Communication Data and applicable Government Identifiers to verify your identity and respond to your request.
To protect Yes Bank, our group entities and others
We process Contact Data, Professional Data, Payment Data, Financial Data, Technical Data, Audiovisual Data and Communication Data to detect and prevent fraud, cyber-attacks and other harmful or illegal activity.
2. Lawful Basis for Processing Personal Data
Yes Bank processes the personal data described in this Notice on one or more of the following lawful bases recognised under the Digital Personal Data Protection Act, 2023, the Information Technology Act, 2000 and other applicable laws:
Consent
Where we process personal data based on consent, you have provided that consent by opting in to a specific use. You may withdraw your consent at any time by contacting us at privacy@yesbank.in or through the consent-management options in our digital channels. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
Performance of Contract
Where we need to enter into or perform a contract with you — for example, to open and operate an account, sanction and service a loan, or process a payment — we will process the personal data necessary for that purpose. If you do not provide that data, we may not be able to provide the relevant product or service.
Legal or Regulatory Obligation
We process personal data where necessary to comply with applicable legal and regulatory obligations, including records-keeping, KYC, anti-money-laundering and counter-terrorist-financing checks, tax and FATCA/CRS reporting, RBI directions, and responses to lawful requests from statutory and judicial authorities.
Legitimate Uses
Where permitted by law, we process personal data for legitimate uses such as conducting and developing our business, anticipating the needs of our customers, ensuring our processes and digital channels are secure and reliable, preventing and detecting fraud, and protecting information-technology security.
Third-Party Links
Our websites and mobile applications may include links to third-party websites and applications. These third-party properties may collect personal data about you for their own purposes. This Privacy Notice does not extend to those external sites. If you follow such a link, you will be leaving Yes Bank's digital channels. We encourage you to read the privacy notices of those third parties, as we are not responsible for their content, links or privacy practices.
5. How Long Do We Keep Your Personal Data
We collect and keep personal data only as needed or permitted for the purposes set out in this Notice, based on the reason we collected the data and what is required or permitted under applicable law.
We retain personal data in line with our internal data-retention policies for as long as you use our services and as long as is necessary to: (i) fulfil the purposes for which we collected the personal data; (ii) provide and secure our products and services to you; (iii) resolve disputes, establish legal defences, enforce our agreements and comply with applicable laws; (iv) conduct audits; and (v) comply with our internal policy requirements, including those designed to meet our obligations under the Banking Regulation Act, the Prevention of Money Laundering Act, the Reserve Bank of India's Master Direction – Know Your Customer and our Code of Conduct.
Once the relevant retention period ends, personal data is securely deleted, anonymised or archived in line with our data-lifecycle policy.
6. International and Group Company Transfers of Personal Data
Your personal data may be transferred to or from jurisdictions in which Yes Bank or its service providers conduct business activities. While Yes Bank primarily processes personal data within India, in limited circumstances — such as the use of global service providers, processing of cross-border remittances and supporting customers travelling or banking abroad — personal data may be transferred outside India.
If your personal data is transferred to a country that is not subject to a notification under the Digital Personal Data Protection Act, 2023, or other applicable Indian law, we will put in place suitable safeguards to ensure that any transfer is carried out in compliance with applicable data-protection rules. These safeguards may include contractual data-transfer agreements with the recipient, additional security measures, or, where required, your consent.
Transfers of payment-system data are carried out in compliance with the Reserve Bank of India's directions on storage of payment-system data.
You may request additional information about the safeguards we apply to cross-border transfers by contacting us using the details in Section 8.
7. Your Rights in Relation to Your Personal Data
Data-protection and consumer-privacy laws in certain countries and territories grant individuals rights in relation to the personal data processed by organisations. The rights below apply depending on where you live or where your relationship with Yes Bank is governed. To exercise any of these rights, please contact us using the details in Section 8.
Please note that these rights are not absolute and, in certain circumstances, may be balanced against other considerations — including legal obligations imposed on Yes Bank as a regulated banking institution and the privacy rights of other individuals.
Residents of India
If you are a resident of India, you have the following rights in relation to your personal data under the Digital Personal Data Protection Act, 2023, as those provisions come into force:
Right to access information about personal data
You have the right to obtain confirmation about whether Yes Bank is processing your personal data and, where it is, to receive a summary of the personal data being processed and the activities undertaken in respect of it.
Right to correction and erasure
You have the right to request correction of inaccurate or misleading personal data, completion of incomplete personal data, updating of out-of-date personal data and erasure of personal data that is no longer necessary for the purpose for which it was collected, subject to our retention obligations under applicable law.
Right to grievance redressal
You have the right to a readily available means of grievance redressal. Please write to our Grievance Officer using the details in Section 8. Yes Bank will respond within the timelines prescribed under applicable law.
Right to nominate
You have the right to nominate another individual to exercise your rights under the DPDP Act in the event of your death or incapacity.
Right to withdraw consent
Where processing is based on consent, you have the right to withdraw that consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint
If you believe Yes Bank has not addressed your grievance satisfactorily, you have the right to lodge a complaint with the Data Protection Board of India once it is constituted, or to escalate your complaint to the Banking Ombudsman under the Reserve Bank of India's Integrated Ombudsman Scheme, 2021.
Residents of the EU, UK or Switzerland
If you live or work in the EU, UK or Switzerland — for example, as a Non-Resident Indian customer banking with Yes Bank from those jurisdictions — you have the rights below in relation to the personal data processed by Yes Bank in connection with those services:
Right of access
You may have the right to receive confirmation about whether Yes Bank processes your personal data and, if so, to obtain access to it together with certain information about how it is processed.
Right to rectification
You may have the right to request correction of your personal data if it is inaccurate or incomplete.
Right to erasure
You may have the right to request the deletion of your personal data if certain grounds for erasure apply.
Right to restrict processing
In certain circumstances, you may have the right to restrict our ability to keep using your personal data. When processing is restricted, we may still store your personal data, but we may not use it unless we have your consent or need it in connection with a legal claim, an important public interest, or to protect the rights of others.
Right to object
In certain circumstances, you may have the right to object to our processing of your personal data — including processing based on legitimate interests, or processing for direct-marketing purposes (including profiling).
Right to data portability
In certain circumstances, you may have the right to obtain and reuse certain of your personal data in a structured, commonly used and machine-readable format, or to have that personal data transmitted directly to another controller.
Right to withdraw consent
Where Yes Bank relies on consent as the lawful basis for processing, you have the right to withdraw your consent at any time. Withdrawal will not affect the lawfulness of processing carried out before withdrawal.
Right to lodge a complaint
You have the right to lodge a complaint with the competent data-protection or consumer-privacy supervisory authority. In the UK, this is the Information Commissioner's Office; in the EU, this is the data-protection authority of your country of residence; in Switzerland, this is the Federal Data Protection and Information Commissioner.
8. Contact Us and Information Regarding Complaints
If you have any questions about this Privacy Notice or wish to exercise any of the rights described above, please contact us at privacy@yesbank.in or write to our Grievance Officer at the address below.
Grievance Officer Yes Bank Limited Yes Bank Tower, IFC 2, 15th Floor Senapati Bapat Marg, Elphinstone (West) Mumbai 400013 Email: grievance.officer@yesbank.in
If you are not satisfied with our response, you may escalate your complaint to the Banking Ombudsman under the Reserve Bank of India's Integrated Ombudsman Scheme, 2021, or, once it has been constituted under the Digital Personal Data Protection Act, 2023, to the Data Protection Board of India.
Yes Bank will respond to your request within the timelines required under applicable law. In certain circumstances, we may extend the response timeline where reasonably necessary, and will inform you of any such extension together with the reasons for it.