Right. The hash is anonymous to anyone without access to the internal database of hashes at HSBC. That's how tracking pixels usually work. Sniffing the HTTP connection isn't giving you any way to de-anonymize the recipient. It's a hash, not a long-term identifier.