Mastercard - Global Privacy Notice
Effective Date: 6/6/2019
Mastercard International Incorporated and its affiliates (collectively, “Mastercard”) respect your privacy.
This Global Privacy Notice describes the types of Personal Information we collect, the purposes for which we collect that Personal Information, the other parties with whom we may share it and the measures we take to protect the security of the data. It also tells you about your rights and choices with respect to your Personal Information, and how you can contact us about our privacy practices.
Please note that we also act on behalf of and under the instructions of financial institutions, merchants and other partners which act as data controllers, including for processing payment transactions. Please refer to their respective privacy policies for more information regarding the processing of your Personal Information in these contexts.
Our privacy practices may vary among the countries in which we operate to reflect local practices and legal requirements. Specific privacy notices may apply to some of our products and services. Please visit the webpage or digital asset of the specific product or service to learn more about our privacy and information practices in relation to that product or service.
1. Personal Information We May Collect
“Personal Information” means any information relating to an identified or identifiable individual. Examples of Personal Information include: name, email address, IP address, personal account number and phone number. We may collect the following Personal Information:
- Transaction information, such as personal account number, the merchant’s name and location, the date and the total amount of transaction, and other information provided by financial institutions or merchants when we act on their behalf.
- Product and service information, such as registration and payment information, and program-specific information, when you request products or services directly from us, or participate in marketing programs.
- Website, device and mobile app usage, and similar information collected via automated means, such as cookies and similar technologies.
- Job applications and related information when you apply for a job with us.
- Business contact information when you work for one of our business partners.
For the purpose of this Global Privacy Notice, “Personal Information” means any information relating to an identified or identifiable individual. Examples of Personal Information include: name, email address, IP address, personal account number and phone number. We may obtain different types of Personal Information relating to you in the situations described below.
Personal Information We Receive from Financial Institutions, Merchants, and Other Partners in Connection with Mastercard’s Products or Services
As a processor of payment transactions and provider of related services, we obtain a limited amount of information in connection with your payment transactions such as the personal account number, the merchant’s name and location, the date and the total amount of transaction. Importantly, we generally do not need or collect the cardholder’s name or other contact information to process payment transactions.
In addition, for certain products and services, your financial institutions, the merchants where you make a transaction or other partners may provide us with more information about you, or we may collect it directly from you to provide you with those products and services on their behalf, support their business or perform processing activities on their behalf.
Personal Information We Collect when Providing Mastercard’s Products and Services Directly to You
Mastercard may provide you directly with products and services such as marketing programs, rewards programs, eWallets, prepaid services, location alert programs, and biometric authentication tools. To benefit from one or more of these products and services, you can submit information to us directly via various means including: (i) on our websites and digital assets, (ii) in response to marketing or other communications, (iii) by signing up for a Mastercard product or service, or (iv) through your participation in an offer, program or promotion. We may also obtain Personal Information about you through your use of our products or services, from companies that use or facilitate our products or services, from publicly available sources, or from third party partners. Your Personal Information may also be passed on to us by your financial institution, merchant or other business partners.
Below is an overview of the types of Personal Information we may collect in relation to programs we offer directly to you. Each program differs, so where applicable, please refer to the relevant program-specific privacy notice for more information on the use of your Personal Information for that specific program.
- Registration and payment information: We may collect your contact information (such as name, email address, phone number, billing or shipping address), username and password, age, date of birth, gender and family status, language preferences, personal account number, merchant’s name and location, date and total amount of the transactions, card expiration date and card verification code.
- Information we process to provide you with the program: We may collect different types of Personal Information depending on the program. For example, programs designed to offer you location-based services will typically require the collection of your address or location. Similarly, programs designed to allow you to authenticate for example, via facial or fingerprint recognition may require the processing of your photograph and/or biometric data. All these programs are voluntary, and your Personal Information is only collected if you subscribe to such programs.
- Other information you choose to provide: You may choose to provide other information, such as different types of content (e.g., photographs, articles, comments), contact information of friends or other people you would like us to contact, content you make available through social media accounts or memberships with third parties, or any other information you want to share with us.
In addition, we may collect or use Personal Information for fraud prevention and monitoring, risk management, dispute resolution and other related purposes. Such information may include the personal account number, merchant’s name and location, date and total amount of the transactions, IP address, fraud score, location data, merchant details, items purchased and information about the dispute. For more information, please click here.
Personal Information We Obtain from Your Interaction with Mastercard’s Ads, Websites, Apps or Other Digital Assets
We, our service providers and partners may collect certain information about you via automated means such as cookies and web beacons when you interact with our ads, mobile apps, or visit our websites, pages or other digital assets. The information we collect in this manner may include: IP address, browser type, operating system, mobile device identifier, geographical area, referring URLs and information on actions taken or interaction with our digital assets. A “cookie” is a text file placed on a computer’s hard drive by a web server. A “web beacon,” also known as an Internet tag, pixel tag or clear GIF, is a technology that helps us identify when content has been accessed or visited.
We use this information to improve our online products and services by assessing how many users access or use our online products and services, which content, products and features of our online products and services most interest our visitors, what types of offers our customers like to see and how our online products and services perform from a technical point of view. For instance, we may use third-party web analytics services on our websites and mobile apps, such as those of Adobe Omniture. The analytics providers that administer these services use technologies such as cookies and web beacons to help us analyze how visitors use our websites and apps.
We, our service providers and partners may also collect information about you in connection with our marketing activities, including offers, sweepstakes, contests and promotions. The information collected for these purposes may include your contact information (e.g., name, postal address, email address, phone number), electronic identification data (e.g., username, password, security questions, IP address), and data collected in the context of online marketing programs (e.g., personal characteristics, life habits, consumption habits, interests, location data, and voice and image recordings).
We, our service providers and partners may also collect information about you to provide you with content and advertising tailored to your individual interests. The information collected for these purposes may include details about things like the particular pages or ads you view on our websites and apps and the actions you take on our websites and apps.
In addition, some of our online products and services include advanced fraud prevention technology using behavioral-based data, such as keystroke timing, device accelerometer, scroll position and mouse-location.
Where required under applicable law, we obtain your consent prior to using the above automated means, and prior to sending you marketing communications, tailored content and advertisings.
Please see the “Your Rights and Choices” section of this Global Privacy Notice to learn about your choices.
Because there is not yet a consensus on how companies should respond to web browser-based do-not-track (“DNT”) mechanisms, Mastercard does not respond to web browser-based DNT signals at this time. To learn more about browser tracking signals and DNT, visit http://www.allaboutdnt.com.
Personal Information We Obtain when You Apply for a Job with Us
If you are applying for a job at Mastercard, we may collect certain Personal Information from your job applications on our Career website, such as your contact information (including name, postal address, email address and phone number), job history, curriculum vitae, contact details of your referees and any other Personal Information you choose to submit along with your application.
Personal Information We Collect in the Context of Our Business Relationship with Financial Institution, Merchant or other Entity Partnering with Mastercard
We may collect Personal Information from individuals working for one of our business partners (including financial institutions, merchants, customers, suppliers, vendors and other partners), including name, job title, department and name of organization, business email and postal addresses, business telephone number, answers to security questions, security passwords and other credentials. We may use this information to provide products and services directly to financial institutions, corporate clients, merchants, customers and partners, to manage our business relationships and financial reporting, for franchise development and integrity, for marketing and to comply with applicable law, as well as for accounting, auditing and billing purposes.
2. How We May Use Your Personal Information
We May Use Your Personal Information to:
- Process your payment transactions.
- Protect against and prevent fraud, and other legal or information security risks.
- Provide and communicate with you about products and services offered by Mastercard, financial institutions, merchants and partners.
- Provide you with personalized services and recommendations.
- Operate, evaluate and improve our business, including anonymization and analytics.
- Process your job application.
- Serve other purposes for which we provide specific notice at the time of collection, and as otherwise authorized or required by law.
If you are in the European Economic Area or Switzerland, we will only use your Personal Information with your consent; as necessary to provide you with products and services; to comply with a legal obligation; or when there is a legitimate and overriding interest that necessitates the use.
We may use the Personal Information we obtain about you to:
- Process your payment transactions (including authorization, clearing, chargebacks and other related dispute resolution activities).
- Protect against and prevent fraud, unauthorized transactions, claims and other liabilities, and manage risk exposure and franchise quality with respect to the integrity and security of our payments network.
- Create and manage any accounts you may have with us, verify your identity, provide our services, and respond to your inquiries.
- Provide, administer and communicate with you about products, services, offers, programs and promotions of Mastercard, financial institutions, merchants and partners (including contests, sweepstakes and any other marketing activities). If you provide your phone number, we may contact you using an automatic telephone dialing system to the extent permitted by applicable law.
- Create and publish business directories (which may include business contact information).
- Operate, evaluate and improve our business (including developing new products and services, such as new programs designed to make it easier for cardholders to make payments with a Mastercard card based on information indicating what features would appeal to you and our customers, or products designed to improve the security of payment transactions; managing our communications; determining the effectiveness of and optimizing our advertising; analyzing our products, services, websites, mobile apps and any other digital assets in order to facilitate their functionality; and performing due diligence reviews, accounting, auditing, billing, reconciliation and collection activities).
- Provide you with personalized services and recommendations. For example, we may use your Personal Information such as your email address and your interaction with our website to analyze your preferences, interests and behavior in order to decide to provide you with tailored content and the most relevant offers, recommendations and email communications about a specific product from Mastercard, financial institutions, merchants and partners.
- Anonymize Personal Information and prepare and furnish aggregated data reports showing anonymized information (including compilations, analyses, analytical and predictive models and rules, and other aggregated reports) for the purpose of advising our financial institutions, merchants and other customers and partners regarding past and potential future patterns of spending, fraud, and other insights that may be extracted from this data.
- Evaluate your interest in employment and contact you regarding possible employment with Mastercard.
- As may be required by applicable laws and regulations, including for compliance with Know Your Customers, Anti-Money Laundering, anti-corruption and sanctions screening requirements, or as requested by any judicial process, law enforcement or governmental agency having or claiming jurisdiction over Mastercard or Mastercard’s affiliates.
- Comply with industry standards and our policies.
- For other purposes for which we provide specific notice at the time of collection.
If you are located in the European Economic Area (“EEA”) or Switzerland, we will only process your Personal Information for the above purposes when we have a valid legal ground for the processing, including if:
- You consented to the use of your Personal Information. For example, we may seek to obtain your consent for our uses of cookies or similar technologies, to send you marketing communications or personalize our offerings, or to process Personal Information deemed sensitive under applicable law.
- We need your Personal Information to provide you with products and services, or to respond to your inquiries.
- The processing is necessary for compliance with a legal obligation or other regulatory obligations such as to prevent and monitor fraud in payment transactions.
- We, or a third party, have a legitimate interest in using your Personal Information, such as to ensure and improve the safety, security, and performance of our products and services, to protect against and prevent fraud and to anonymize Personal Information and carry out data analyses.
We will not subject you to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you, unless you explicitly consented to the processing, the processing is necessary for entering into, or performance of a contract between you and Mastercard, or when we are legally required to use your Personal Information in this way, for example to prevent fraud.
If you provide us with any information or material relating to another individual, you must make sure that the sharing with us and our further use as described to you from time to time is in line with applicable laws, so for example you should duly inform that individual about the processing of her/his Personal Information and obtain her/his consent, as may be necessary under applicable laws.
3. How We Share Your Personal Information
We May Share Personal Information with:
- Mastercard’s headquarters in the U.S., our affiliates and other entities within Mastercard’s group of companies.
- Service providers acting on our behalf.
- Other participants in the payment ecosystem, including financial institutions, and merchants.
- Third parties for fraud monitoring and prevention purposes, or other purposes required by law.
- Third parties whose feature you use in connection with our products and services or with your consent.
- Other entities as required under applicable law or in the event of a sale or transfer of our business or assets.
4. Your Rights and Choices
Depending on your country, you may have the right or choice to:
- Access your Personal Information, rectify it, restrict or object to its processing, or request its deletion.
- Receive the Personal Information you provided to us to transmit it to another company.
- Withdraw any consent provided.
- Where applicable, lodge a complaint with your supervisory authority.
If you are located in the EEA or Switzerland, you can exercise your rights on Mastercard’s “My Data Center” portal or submit a request as described in the “How to Contact Us” section below.
If you are located outside the EEA or Switzerland, you may also submit a request as described in the “How to Contact Us” section below.
You have certain rights regarding the Personal Information we maintain about you and certain choices about what Personal Information we collect from you, how we use it, and how we communicate with you.
You can choose:
- Not to provide Personal Information to Mastercard by refraining from conducting payment transactions or from submitting Personal Information directly to us. When we collect Personal Information from you, we indicate whether and why it is necessary to provide it to us, as well as the consequences of failing to do so. If you do not provide Personal Information, you may not be able to benefit from the full range of Mastercard products and services, and we may not be able to provide you with the Mastercard products or services if that information is necessary to provide you with them, or if we are legally required to collect it in relation to the provision of such product or service.
- To opt out of certain uses of information, which we collect about you by automated means, when you visit third-party websites and interact with our ads. We may use service providers to serve ads on those third-party websites. These ads may be customized and served based on the use of data we and our partners have collected on our websites and apps. In addition, some of our service providers and partners may collect information about your online activities over time and across third-party websites to customize and serve these ads. Mastercard ads are sometimes delivered with icons that help consumers (i) learn more about how their data is being used and (ii) exercise choices they may have regarding the use of their data. Please click here or, where applicable, on the icon in our targeted ads to learn about your ability to opt out or limit the use of your browsing behavior for advertising purposes.
- To tell us not to send you marketing emails by clicking on the unsubscribe link within the marketing emails you receive from us or by contacting us as indicated below. You also may opt out of receiving marketing emails from Mastercard by clicking here.
- To opt out of the anonymization of your Personal Information to perform data analyses by clicking here.
In certain jurisdictions, you may have the right to:
- Request access to and receive information about the Personal Information we maintain about you, to update and correct inaccuracies in your Personal Information, to restrict or to object to the processing of your Personal Information, to have the information anonymized or deleted, as appropriate, or to exercise your right to data portability to easily transfer your Personal Information to another company. In addition, you may also have the right to lodge a complaint with a supervisory authority, including in your country of residence, place of work or where an incident took place.
- Withdraw any consent you previously provided to us regarding the processing of your Personal Information, at any time and free of charge. We will apply your preferences going forward and this will not affect the lawfulness of the processing before your consent withdrawal.
You may opt out from certain processing of your Personal Information, e.g. via our opt-out webpage.
Those rights may be limited in some circumstances by local law requirements.
To update your preferences, ask us to remove your information from our mailing lists or submit a request to exercise your rights under applicable law, contact us as specified in the "How to Contact Us" section below.
If you are located in the EEA or Switzerland, in addition to contacting us as specified in the “How to Contact Us” section below, you may also utilize the “My Data Center” portal to facilitate the exercise of your rights.
If you are located outside of the EEA or Switzerland, contact us as specified in the “How to Contact Us” section below to facilitate the exercise of your rights.
If we fall short of your expectations in processing your Personal Information or you wish to make a complaint about our privacy practices, please tell us because it gives us an opportunity to fix the problem. To assist us in responding to your request, please give full details of the issue. We attempt to review and respond to all complaints within a reasonable time and as required under applicable law.
To learn more about the APEC Certification and access Dispute Resolution, please click on the TRUSTe seal.
5. Data Transfers
Mastercard is a global business. We may transfer your Personal Information to the United States and other countries which may not have the same data protection laws as the country in which you initially provided the information, but we will protect your Personal Information in accordance with this Global Privacy Notice, or as otherwise disclosed to you.
If you are located in the EEA, we will process your Personal Information in accordance with our Binding Corporate Rules and other data transfer mechanisms.
Mastercard’s privacy practices, described in this Global Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found at: http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx
Mastercard is a global business. We may transfer the Personal Information we collect about you to recipients in countries other than your country, including the United States, where we are headquartered. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer your Personal Information to other countries, we will protect that information as described in this Global Privacy Notice, as disclosed to you at the time of data collection or as described in our program-specific privacy notice.
We comply with applicable legal requirements providing adequate safeguards for the transfer of Personal Information to countries other than the country where you are located. In particular, we have established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognized by EEA data protection authorities as providing an adequate level of protection to the Personal Information we process globally. A copy of our BCRs is available here. We may also transfer Personal Information to countries for which adequacy decisions have been issued, use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses or their equivalent under applicable law, or rely on third parties’ certification to the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks where applicable. You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of the EEA.
Additionally, Mastercard’s privacy practices, described in this Global Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found at: http://www.apec.org/Groups/Committee-on-Trade-and-Investment/~/media/Files/Groups/ECSG/CBPR/CBPR-PoliciesRulesGuidelines.ashx
6. How We Protect Your Personal Information
We maintain appropriate security safeguards to protect your Personal Information and only retain it for a limited period of time.
The security of your Personal Information is important to Mastercard. We are committed to protecting the information we collect. We maintain administrative, technical and physical safeguards designed to protect the Personal Information you provide or we collect against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. We use SSL encryption on a number of our websites from which we transfer certain Personal Information.
We also take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.
7. Features and Links to Other Websites
You may choose to use certain features for which we partner with other entities that operate independently from Mastercard, such as social media and third-party websites. We are not responsible for the content, your use of, nor the privacy practices of those websites.
Our websites may provide links to other websites for your convenience and information. We may also allow you to choose to use certain features for which we partner with other entities. These websites and features, which may include social networking and geo-location tools, operate independently from Mastercard, and are clearly identified as such. They may have their own privacy notices or policies, which we strongly suggest you review. To the extent any linked websites or features you visit or use are not owned or controlled by Mastercard, we are not responsible for their content, any use of the websites, or the privacy practices of the websites.
Mastercard offers you the possibility to share, link to, or mention things on social media about Mastercard’s products and services. For example, you may “like” an offer via your Facebook account, or “tweet” an offer using Twitter. You may also choose to use certain features on our websites that can be accessed through, or for which we partner with, other entities that are not otherwise affiliated with Mastercard. These features, including geo-location tools, are operated by third parties and are clearly identified as such. Social media providers such as Facebook and Twitter, and these other third parties, are independent from Mastercard and do not necessarily share the same policy as Mastercard regarding the protection of privacy. Please verify their privacy notices if you decide to use their services. Mastercard cannot be held liable for any of these social media tools’ and third parties’ websites’ and apps’ content, use or privacy practices.
8. Updates to This Global Privacy Notice
This Privacy Notice may be updated periodically to reflect changes in our privacy practices.
This Global Privacy Notice may be updated periodically to reflect changes in our Personal Information practices. We will post a prominent notice on relevant websites to notify you of any significant or material changes to our Global Privacy Notice prior to them being effective and indicate at the top of the Notice when it was most recently updated. If we update our Global Privacy Notice, in certain circumstances, we may seek your consent.
9. How to Contact Us
You can e-mail us, and our Data Protection Officer at firstname.lastname@example.org. If you are located in the EEA or Switzerland, Mastercard Europe SA is the data controller and you may submit your request to exercise your rights to your Personal Information on Mastercard’s “My Data Center” portal.
If you have any questions, comments or complaints about this Global Privacy Notice and our privacy practices, or would like to update your privacy preferences, please email us at: email@example.com or write to us at:
Global Privacy Office
Mastercard International Incorporated
2000 Purchase Street
Purchase, New York 10577
If you are located in the EEA or Switzerland, Mastercard Europe SA is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information on Mastercard’s “My Data Center” portal, or email us at: firstname.lastname@example.org or write to us at:
Global Privacy Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
For enquiries about your Mastercard card and your purchase, you should contact your financial institution or merchant. More information about how to contact them can be found on their respective websites.