Mastercard - Global Privacy

Notice

Eective Date: 1/1/2023

Mastercard International Incorporated and its aliates (collectively, “Mastercard”) respect your privacy.

1. Personal Information We May Collect

2. How We May Use Your Personal Information

3. How We Share Your Personal Information

4. Your Rights and Choices

5. Data Transfers

Data Analytics Opt-Out Marketing Email Opt-Out My Data

1. Personal Information We May Collect

“Personal Information” means any information relating to an identied or identiable individual. We may collect the following categories of Personal Information:

• Transaction information, such as personal account number, the merchant’s name and location, the date and the total amount of the transaction, and other information provided by

nancial institutions or merchants when we act on their behalf.

• Product and service information, such as registration and payment information, and program-specic information, when you request products or services directly from us, or participate

in marketing programs.

• Website, device and mobile app usage, and similar information collected via automated means, such as cookies and similar technologies.

• Job applications and related information when you apply for a job with us.

• Business contact information when you work for one of our business partners.

In addition, for certain products and services, your nancial institutions, the merchants where you make a transaction or other partners may provide us with more information about you,

or we may collect it directly from you to provide you with those products and services on their behalf, support their business or perform processing activities on their behalf.

In the above situations, we act on behalf of and under the instructions of nancial institutions, merchants and other partners which act as data controllers. Unless otherwise authorized

by law, we will process your Personal Information to process payment transactions or for the purposes agreed between Mastercard and the nancial institutions, merchants and other

partners. Please refer to their respective privacy policies for more information regarding the processing of your Personal Information.

Personal Information We Collect when Providing Mastercard’s Products and Services Directly to You

Mastercard may provide you directly with products and services such as marketing programs, rewards programs, eWallets, Open Banking solutions, prepaid services, location alert

programs, and biometric authentication tools. To benet from one or more of these products and services, you can submit information to us directly via various means including: (i) on

our websites and digital assets, (ii) in response to marketing or other communications, (iii) by signing up for a Mastercard product or service, or (iv) through your participation in an oer,

program or promotion. We may also obtain Personal Information about you through your use of our products or services, from companies that use or facilitate our products or services,

• Information we process to provide you with the program: We may collect dierent types of Personal Information depending on the program. For example, programs designed to oer

you location-based services will typically require the collection of your address or geolocation data. Programs within our Open Banking solutions may require the collection of your

nancial account information. Similarly, programs designed to allow you to authenticate for example, via facial or ngerprint recognition may require the processing of your photograph

and/or biometric information. All these programs are voluntary, and your Personal Information is only collected if you subscribe to such programs.

• Other information you choose to provide: You may choose to provide other information, such as dierent types of content (e.g., photographs, articles, comments), contact information

of friends or other people you would like us to contact, content you make available through social media accounts or memberships with third parties, or any other information you want

to share with us, for example when you contact customer service.

In addition, we may collect or use Personal Information for fraud prevention and monitoring, risk management, dispute resolution and other related purposes. Such information may

include identiers, commercial information, and Internet or other electronic network activity information, such as the personal account number, merchant’s name and location, date and

total amount of the transactions, IP address, fraud score, location data, merchant details, items purchased and information about the dispute. For more information, please click here.

visited.

We use this information to improve our online products and services by assessing how many users access or use our online products and services, which content, products and features of

our online products and services most interest our visitors, what types of oers our customers like to see and how our online products and services perform from a technical point of view.

For instance, we may use third-party web analytics services on our websites and mobile apps, such as those of Adobe Omniture. The analytics providers that administer these services use

technologies such as cookies and web beacons to help us analyze how visitors use our websites and apps.

We, our service providers and partners may also collect information about you in connection with our marketing activities, including oers, sweepstakes, contests and promotions. The

information collected for these purposes may include identiers and your contact information (e.g., name, postal address, email address, phone number), electronic identication data

(e.g., username, password, security questions, IP address), and data collected in the context of online marketing programs, including commercial information, Internet or other electronic

network activity information, geolocation data, and inferences drawn from Personal Information (e.g., personal characteristics, life habits, consumption habits, interests, location data,

and voice and image recordings).

corresponding social media platforms. As we do not control these third-parties’ data handling practices, we recommend that you review their privacy policies, terms of use, and license

agreements (if any). For further details, please consult Section 7 (“Features and Links to Other Websites”) of this Global Privacy Notice.

In addition, some of our online products and services include advanced fraud prevention technology using behavioral-based data or biometric information, such as keystroke timing, device

accelerometer, scroll position and mouse-location.

Where required under applicable law, we obtain your consent prior to using the above automated means, and prior to sending you marketing communications, tailored content and

advertising.

Please see the “Your Rights and Choices” section of this Global Privacy Notice to learn about your choices.

Because there is not yet a consensus on how companies should respond to web browser-based do-not-track (“DNT”) mechanisms, Mastercard does not respond to web browser-based

DNT signals at this time. To learn more about browser tracking signals and DNT, visit http://www.allaboutdnt.com.

Personal Information We Obtain when You Apply for a Job with Us

questions, security passwords and other credentials. We may use this information to provide products and services directly to nancial institutions, corporate clients, merchants,

customers and partners, to manage our business relationships and nancial reporting, for franchise development and integrity, to protect us from nancial crime, to improve our service,

for marketing and to comply with applicable law, as well as for accounting, auditing and billing purposes.

If you are located in mainland China and you use our products and services, we may collect Personal Information about you as illustrated above, including the following information which

may be considered Sensitive Personal Information: personal account number, card expiration date, card verication code, answers to security questions, security passwords and other

credentials, address or location information (to the extent that it may reveal your personal tracks), voice and image recordings, and electronic identication data, etc. It may be necessary

for us to receive and process your Sensitive Personal Information to provide respective products and services to you and/or to nancial institutions, corporate clients, merchants,

customers and partners. Such processing of your Sensitive Personal Information will be protected with adequate security measures and be conducted in a manner so as to have the

lowest possible impact on your personal rights and interests. By using our relevant products or services or by participating in a relevant program, you will be deemed as having consented

to our collection and processing of your Sensitive Personal Information in accordance with this Global Privacy Notice (and the relevant program-specic privacy notice, if any).

• Provide you with personalized services and recommendations.

• Operate, evaluate and improve our business, including anonymization and analytics.

• Process your job application.

• Serve other purposes for which we provide specic notice at the time of collection, and as otherwise authorized or required by law.

• Generate anonymized and aggregated data to prepare insights to advise Mastercard’s customers and partners regarding spending patterns, fraud and other trends.

• Learn more about you, including your preferences or other characteristics. We treat these inferences as Personal Information where required under applicable law.

Where required under applicable law, we will only use your Personal Information with your consent; as necessary to provide you with products and services; to comply with a legal obligation;

or when there is a legitimate and overriding interest that necessitates the use.

We may use Personal Information we obtain about you for the purposes set out below. Depending on the country in which you are located, we will only process your Personal Information,

when we have a legal basis for the processing as identied in the table below. However, please note that even though the chart below does not list consent as a legal basis for each

• For other purposes for which we provide specic notice at the time of collection. Please consult the Specic Privacy Notice at the time of the collection.

Where required under applicable law, we have carried out balancing tests for the data processing based on our or a third party’s legitimate interests to ensure that such legitimate

interest is not overridden by your interests, fundamental rights or freedoms. For more information on our balancing tests, you may contact us as described in the “How to Contact Us”

section below.

We will not subject you to a decision based solely on automated processing that produces legal eects concerning you or similarly signicantly aects you, unless you explicitly consented

to the processing where required under applicable law, the processing is necessary for entering into, or performance of a contract between you and Mastercard, or when we are legally

• Mastercard’s headquarters in the U.S., our aliates and other entities within Mastercard’s group of companies.

• Service providers acting on our behalf.

• Other participants in the payment ecosystem, including nancial institutions, and merchants.

• Other participants in the Open Banking ecosystem, including nancial institutions, merchants and third parties.

• Third parties for fraud monitoring and prevention purposes, or other purposes required by law.

• Third parties whose feature you use in connection with our products and services or with your consent.

• Other entities as required under applicable law or in the event of a sale or transfer of our business or assets.

Please see the “Data Transfers” section below to understand how we comply with applicable cross-border data transfer rules.

We may also share your Personal Information:

• With nancial institutions and other entities that issue payment cards or merchants to process payment transactions and perform other activities that you request.

behalf or in compliance with applicable law. We also require them to safeguard the security and condentiality of the Personal Information they process on our behalf by

implementing appropriate technical and organizational security measures and condentiality obligations binding employees accessing Personal Information.

• With third parties whose features (e.g., third-party cookies, widgets, plug-ins) are integrated in our products and services. For further details, please consult Section 7

(Features and Links to Other websites) of this Global Privacy Notice.

• With social media networks when you directly engage with those platforms. For further details, please consult Section 7 (Features and Links to Other Websites) of this

Global Privacy Notice.

• With other third parties with your consent.

• As required under applicable law or legal process, or to respond to requests from law enforcement or governmental agencies. When receiving such requests, we will follow

the process set out in our Binding Corporate Rules (see Section 5 below) where applicable.

• When we believe disclosure is necessary to protect individuals’ vital interests, to enforce our Terms of Use, prevent Mastercard against harm or nancial loss, or in

exceed or alter the purposes and means of processing that you have originally consented or based on a non-consent legal basis. By using our relevant products or services

or participating in the specic program, you will be deemed as having consented to our sharing of your Personal Information to recipients whose categories are described

above in accordance with this Global Privacy Notice (and the relevant program-specic privacy notice, if any).

4. Your Rights and Choices

Depending on your country, you may have the right or choice to:

• Opt out of some collection or uses of your Personal Information, including the use of cookies and similar technologies, the use of your Personal Information for marketing purposes, and

the anonymization of your Personal Information for data analyses.

• Access your Personal Information, obtain a copy of it, rectify it, restrict or object to its processing, or request its deletion, destruction or anonymization.

• Receive the Personal Information you provided to us to transmit it to another company.

• Withdraw any consent provided.

the dierent price or level of quality of good or service is reasonably related to the value of the data that we receive from you. In some instances, we may not be able to provide you with

the good or service that you request if you choose to exercise certain rights.

You can choose:

• Not to provide Personal Information to Mastercard by refraining from conducting payment transactions or from submitting Personal Information directly to us. When we collect

Personal Information from you, we indicate whether and why it is necessary to provide it to us, as well as the consequences of failing to do so. If you do not provide Personal

Information, you may not be able to benet from the full range of Mastercard products and services, and we may not be able to provide you with the Mastercard products or services if

that information is necessary to provide you with them, or if we are legally required to collect it in relation to the provision of such product or service.

• To opt out of the collection and use of certain information, which we collect about you by automated means, when you visit our websites or use our apps. In certain jurisdictions, you can

exercise your choice regarding the use of cookies and similar technologies by clicking on the ‘Manage cookies’ banner displayed in the bottom right corner of Mastercard websites. Your

browser may tell you how to be notied of and opt out of having certain types of cookies placed on your device. Note that without certain cookies you may not be able to use all of the

may also exercise your choice regarding the use of cookies and similar technologies by clicking on the ‘Manage cookies’ banner displayed in the bottom right corner of our websites.

• To tell us not to send you marketing emails by clicking on the unsubscribe link within the marketing emails you receive from us or by contacting us as indicated below. You also may opt

out of receiving marketing emails from Mastercard by clicking here.

• To opt out of the anonymization of your Personal Information to perform data analyses by clicking here.

Depending on the country in which you are located, you may have the right to:

• Request access to and receive information about the Personal Information we maintain about you, to update and correct inaccuracies in your Personal Information, to restrict or to

object to the processing of your Personal Information, to have the information anonymized, destroyed or deleted, as appropriate, or to exercise your right to data portability to easily

transfer your Personal Information to another company. In addition, you may also have the right to lodge a complaint with the relevant supervisory authority or regulator, including in

your country of residence, place of work or where an incident took place.

• Withdraw any consent you previously provided to us regarding the processing of your Personal Information, at any time and free of charge. We will apply your preferences going

To update your preferences, ask us to remove your information from our mailing lists or submit a request to exercise your rights under applicable law, contact us as specied in the “How

To Contact Us” section below.

We have developed Mastercard’s “My Data Center” portal to facilitate the exercise of your rights. You, or a party authorized to act on your behalf, can exercise your rights on Mastercard’s

“My Data Center” portal or by submitting a request as described in the “How To Contact Us” section below.

If we fall short of your expectations in processing your Personal Information or you wish to make a complaint about our privacy practices, please tell us because it gives us an opportunity

to x the problem. To assist us in responding to your request, please give full details of the issue. We attempt to review and respond to all complaints within a reasonable time and as

required under applicable law.

To learn more about the APEC Certication and access Dispute Resolution, please click on the TRUSTe seal.

5. Data Transfers

Mastercard is a global business. We may transfer your Personal Information to the United States and other countries which may not have the same data protection laws as the

for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found

here.

Mastercard is a global business. We may transfer the Personal Information we collect about you to recipients in countries other than your country, including the United

States, where we are headquartered. These countries may not have the same data protection laws as the country in which you initially provided the information. When we

transfer your Personal Information to other countries, we will protect that information as described in this Global Privacy Notice, as disclosed to you at the time of data

collection or as described in our program-specic privacy notice.

We comply with applicable legal requirements when transferring Personal Information to countries other than the country where you are located. In particular, we have

established and implemented Binding Corporate Rules (“BCRs”) that have been recognized by EEA data protection authorities as providing an adequate level of protection

to the Personal Information we process globally. A copy of our EEA BCRs is available here. We equally rely on UK BCRs to transfer Personal Information outside of the United

Kingdom. A copy of our UK BCRs is available here.

framework can be found here.

If you are located in mainland China, you understand that we may transfer the Personal Information we collect about you to recipients in countries or regions other than

mainland China, including Mastercard International Incorporated in the United States, Mastercard Asia/Pacic Pte. Limited in Singapore and to other aliates as listed here.

When we conduct international transfers of Personal Information, we will always ensure to comply with requirements stipulated under applicable laws. By using our relevant

products or services or participating in the specic program, you will be deemed as having consented to our cross-border sharing of your Personal Information to recipients

in countries or regions other than mainland China in accordance with this Global Privacy Notice (and the relevant program-specic privacy notice, if any).

6. How We Protect Your Personal Information

We maintain appropriate security safeguards to protect your Personal Information and only retain it for a limited period of time.

The security of your Personal Information is important to Mastercard. We are committed to protecting the information we collect. We maintain reasonable administrative, technical and

physical safeguards designed to protect the Personal Information you provide or we collect against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or

Our websites may include links to other third-party websites, social media tools, widgets or plug-ins, permitting sharing web content including IP address, with third parties and social media

providers. These social media providers may learn of your visit even if you are not logged in to your social media account or if you do not have an account with them. To the extent any linked

websites or features you visit or use are not owned or controlled by Mastercard, we suggest that you review their own privacy notices or policies.

Our websites may provide links to other websites for your convenience and information. Our website may also contain certain features for which we partner with other entities.

These entities may learn of your visit regardless of whether you use these features. These websites and features, which may include social networking and geo-location tools, operate

independently from Mastercard, and are clearly identied as such. To the extent any linked websites or features you visit or use are not owned or controlled by Mastercard, we suggest

that you review the privacy practices of the websites.

Mastercard oers you the possibility to share, link to, or mention things on social media about Mastercard’s products and services. For example, you may “like” an oer via your Facebook

account, or “tweet” an oer using Twitter. When you visit a website with a social media button, your browser establishes a direct connection to that social media provider, and data

concerning your visit, including IP address, is transferred to the social media provider. If you have an account with the social media provider, the provider may link your visit to your account,

• Analytics Providers.

• Users: Other users of our services.

• ISPs: Internet service providers.

• Government: Government entities.

• Advertising Networks.

• Social Networks.

• OS/Platform Provider: Operating systems and platforms.

• Partners: Business partners.

• Public: Publicly accessible sources.

3. Use of your Personal Information

• Personalization: Personalizing your experience on our services, such as presenting tailored content.

• Sending Messages: Sending you personalized text messages as requested on our Talent Community. Please see our Talent Community Privacy Notice for further information.

• Facilitating Payments: Facilitating transactions and payments.

• Deidentication and Aggregation: Deidentifying and aggregating information collected through our services and using it for lawful purposes.

• Job Applications: Processing your job application.

• Safety Issues: Responding to trust and safety issues that may arise.

• Compliance: For compliance purposes, including enforcing our Terms of Use or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial

• Loyalty Program Operation: Oering and supporting loyalty programs that allow you to earn points, cashback rewards, prize draw entries, or other benets for purchases made with

• Research: Undertaking internal research for technological development and demonstration.

• Improving Our Services: Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.

• Enabling Transactions: Otherwise enabling or eecting, directly or indirectly, a commercial transaction.

• Notied Purpose: For other purposes for which we provide specic notice at the time the information is collected.

4. Disclosure of your Personal Information to Third Parties

With respect to the categories of Personal Information identied above in Section 1, we disclose your Personal Information to the following categories of third parties:

• Advertising Providers: Advertising technology companies, such as advertising networks. We disclose your Personal Information to Advertising Providers only with your consent.

• Vendors: Vendors and service providers. Personal Information we disclose: Identiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of

• Integrated Third Parties: Third parties integrated into our services. Personal Information we disclose: Identiers; Internet or Other Electronic Network Activity; Geolocation Data.

• Third Parties as Legally Required: Third parties as required by law and similar disclosures. Personal Information we disclose: Identiers; Categories of Personal Information in Cal. Civ.

• Third Parties in Merger/Acquisition: Third parties in connection with a merger, sale, or asset transfer. Personal Information we disclose: Identiers; Categories of Personal Information

We do not use or disclose sensitive personal information for purposes which would require us to oer consumers the right to limit under the CCPA.

5. Collection and Sale of your Personal Information to Other Parties

We sell your Personal Information. However, we only sell your Personal Information for fraud prevention and identity verication purposes, as detailed further below.

With respect to Personal Information that we sell, we have collected information from Resellers (consumer data brokers).

We do not “share” Personal Information with third parties for “cross-context behavioral advertising” (“CCBA”).

The following is a list of categories of Personal Information (as dened by the CCPA) we have sold.

A. Identiers. Examples: Personal and business contact information (e.g., name, postal address, telephone number), internet protocol address, and email address. We may collect this

information about other people if you give us their information.

B. Categories of Personal Information in Cal. Civ. Code Section 1798.80(e). Examples: Name, postal address(es), telephone number, email address, and IP address.

c. Characteristics of Protected Classications under California or Federal Law. Examples: Age range, e.g., 35-39 years of age.

products. We share the following categories of Personal Information to our Customers for this purpose: Identiers; Categories of Personal Information in Cal. Civ. Code Section

1798.80(e); Characteristics of Protected Classications under California or Federal Law; Internet or Other Electronic Network Activity Information; and Geolocation Data.

We do not have actual knowledge that we sell Personal Information of consumers under 16 years of age or that we share Personal Information of consumers under 16 years of age for

CCBA.

6. Retention

We take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which

we process it, unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of

products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services

we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.

7. Your Privacy Rights

Verication. Requests for access, deletion, or correction of Personal Information are subject to our ability to reasonably verify your identity in light of the information requested

pursuant to relevant CCPA requirements, limitations, and regulations. Mastercard is committed to secure personal information. When consumers exercise their privacy rights through

the My Data portal, a two-step verication will enable their account to be guarded by an extra layer of security. In addition to their email, name and surname, we require additional

verication through the second factor of authentication that they have chosen (mobile one-time passcode or security answer) during registration. Before disclosing information, we

also ask consumers to respond to specic questions about the products they use and that are in scope of their privacy request. Similarly, when consumers reach out to Mastercard via

email, we verify their identity by using their contact information (email, name and surname) and specic questions about the products they use.

Right to Opt Out. In some circumstances, you may opt out of the sale of Personal Information.

Right to Equal Service and Price. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations. We will not deny,

charge dierent prices for, or provide a dierent level of quality of goods or services if you choose to exercise your rights, except where the dierent price or level of quality of good or

service is reasonably related to the value of the data that we receive from you.

• Authorizing an Agent. If you are acting as an authorized agent to make a request to know, delete, correct, or opt out on behalf of a California resident, you may submit a request on

8. CCPA Metrics

Each calendar year, we compile various metrics describing how we have complied with requests to delete, access, correct, and opt-out of sale or sharing. To view these metrics please visit

the “My Data portal”.