For the purpose of this Global Privacy Notice, unless otherwise specified, “Personal Information” means any information relating to an identified or identifiable individual. We may obtain different types of Personal Information (including Sensitive Personal Information, as may be the case under applicable laws) relating to you in the situations described below.

Personal Information We Receive from Financial Institutions, Merchants, and Other Partners in Connection with Mastercard’s Products or Services

As a processor of payment transactions and provider of related services, we obtain a limited amount of information in connection with your payment transactions such as the personal account number, the merchant’s name and location, the date and the total amount of the transaction. Importantly, we generally do not need or collect the cardholder’s name or other contact information to process payment transactions.

In addition, for certain products and services, your financial institutions, the merchants where you make a transaction or other partners may provide us with more information about you, or we may collect it directly from you to provide you with those products and services on their behalf, support their business or perform processing activities on their behalf.

In the above situations, we may act on behalf of and under the instructions of financial institutions, merchants and other partners which act as data controllers. Unless otherwise authorized by law, we will process your Personal Information to process payment transactions or for the purposes agreed between Mastercard and the financial institutions, merchants and other partners. Please refer to their respective privacy policies for more information regarding the processing of your Personal Information.

Personal Information We Collect when Providing Mastercard’s Products and Services Directly to You

Mastercard may provide you directly with products and services such as marketing programs, rewards programs, eWallets, Open Banking solutions, prepaid services, location alert programs, and biometric authentication tools. To benefit from one or more of these products and services, you can submit information to us directly via various means including: (i) on our websites and digital assets, (ii) in response to marketing or other communications, (iii) by signing up for a Mastercard product or service, or (iv) through your participation in an offer, program or promotion. We may also obtain Personal Information about you through your use of our products or services, from companies that use or facilitate our products or services, from publicly available sources, or from third party partners. Your Personal Information may also be passed on to us by your financial institution, merchant or other business partners.

Below is an overview of the types of Personal Information we may collect in relation to programs we offer directly to you. Each program differs, so where applicable, please refer to the relevant program-specific privacy notice for more information on the use of your Personal Information for that specific program.

• Registration and payment information: We may collect identifiers and your contact information (such as name, email address, telephone number, billing or shipping address), authentication information (e.g., username and password), age, date of birth, gender and family status, military and veteran status, language preferences, payment details, personal account number, commercial information, such as merchant’s name and location, date and total amount of the transactions, card expiration date and card verification code.
• Information we process to provide you with the program: We may collect different types of Personal Information depending on the program. For example, programs designed to offer you location-based services will typically require the collection of your address or geolocation data. Programs within our Open Banking solutions may require the collection of your financial account information. Similarly, programs designed to allow you to authenticate for example, via facial or fingerprint recognition may require the processing of your photograph and/or biometric information. All these programs are voluntary, and your Personal Information is only collected if you subscribe to such programs.
• Other information you choose to provide: You may choose to provide other information, such as different types of content (e.g., photographs, articles, comments), contact information of friends or other people you would like us to contact, content you make available through social media accounts or memberships with third parties, or any other information you want to share with us, for example when you contact customer service.

You may be subject to obligations under applicable laws, such as the obligation to provide complete and accurate Personal Information when consenting to the processing of your Personal Information.

In addition, we may collect or use Personal Information for fraud prevention and monitoring, risk management, dispute resolution and other related purposes. Such information may include identifiers, commercial information, and Internet or other electronic network activity information, such as the personal account number, merchant’s name and location, date and total amount of the transactions, IP address, fraud score, location data, merchant details, items purchased and information about the dispute. When we provide cryptocurrency and blockchain intelligence solutions, we may also collect and process information gathered from the blockchain, including blockchain addresses and other cryptocurrency transaction details. For more information, please click here.

For more information on our collection of Personal Information in the context of our Open Banking solutions, please click here.

Personal Information We Obtain from Your Interaction with Mastercard’s Ads, Websites, Apps or Other Digital Assets

We, our service providers and partners may collect certain information about you via automated means such as Internet or other electronic network activity information, cookies, and web beacons when you interact with our ads, mobile apps, or visit our websites, pages or other digital assets. The Internet and/or Device Information we collect in this manner may include: IP address, browser type, operating system, mobile device identifier, geographical area, referring URLs and information on actions taken or interaction with our digital assets. A “cookie” is a text file placed on a computer’s hard drive by a web server. A “web beacon,” also known as an Internet tag, pixel tag or clear GIF, is a technology that helps us identify when content has been accessed or visited.

We use this information to improve our online products and services by assessing how many users access or use our online products and services, which content, products and features of our online products and services most interest our visitors, what types of offers our customers like to see and how our online products and services perform from a technical point of view. For instance, we may use third-party web analytics services on our websites and mobile apps, such as those of Adobe Omniture. The analytics providers that administer these services use technologies such as cookies and web beacons to help us analyze how visitors use our websites and apps.

We, our service providers and partners may also collect information about you in connection with our marketing activities, including offers, sweepstakes, contests and promotions. The information collected for these purposes may include identifiers and your contact information (e.g., name, postal address, email address, telephone number), electronic identification data (e.g., username, password, security questions, IP address), and data collected in the context of online marketing programs, including commercial information, Internet or other electronic network activity information, geolocation data, and inferences drawn from Personal Information (e.g., personal characteristics, life habits, consumption habits, interests, location data, and voice and image recordings).

We, our service providers and partners may also collect information about you to provide you with content and advertising tailored to your individual interests based on inferences drawn from Personal Information. The information collected for these purposes may include Internet or other electronic network activity information, such as details about things like the particular pages or ads you view on our websites and apps and the actions you take on our websites and apps.

We, our service providers and partners may collect certain information about you via automated means such as, social media tools, widgets or plug-ins to connect you to your social media accounts. These features may allow you to sign in through your social media account, share a link or post directly to your social media account. When you visit a website that contains such tools or plugins, the social media or other service provider may learn of your visit. However, your interactions with these tools are governed by the privacy policies of the corresponding social media platforms. As we do not control these third-parties’ data handling practices, we recommend that you review their privacy policies, terms of use, and license agreements (if any). For further details, please consult Section 7 (“Features and Links to Other Websites”) of this Global Privacy Notice.

In addition, some of our online products and services include advanced fraud prevention technology using behavioral-based data or biometric information, such as keystroke timing, device accelerometer, scroll position and mouse-location.

Where required under applicable law, we obtain your consent prior to using the above automated means, and prior to sending you marketing communications, tailored content and advertising.

Please see the “Your Rights and Choices” section of this Global Privacy Notice to learn about your choices.

Because there is not yet a consensus on how companies should respond to web browser-based do-not-track (“DNT”) mechanisms, Mastercard does not respond to web browser-based DNT signals at this time. To learn more about browser tracking signals and DNT, visit http://www.allaboutdnt.com.

Personal Information We Obtain when You Apply for a Job with Us

If you are applying for a job at Mastercard, we may collect certain identifiers and professional or employment-related information from your job applications on our Career website. To learn more about the type of information Mastercard collects in connection with job applications, please see the Mastercard Applicant Privacy Notice.

Personal Information We Collect in the Context of Our Business Relationship with a Financial Institution, Merchant or other Entity Partnering with Mastercard

We may collect Personal Information from individuals working for one of our business partners (including financial institutions, merchants, customers, suppliers, vendors and other partners), including identifiers, name, job title, department and name of organization, business email and postal addresses, business telephone number, queries, answers to security questions, security passwords and other credentials. We may use this information to provide products and services directly to financial institutions, corporate clients, merchants, customers and partners, to manage our business relationships and financial reporting, for franchise development and integrity, to protect us from financial crime, to improve our service, for marketing and to comply with applicable law, as well as for accounting, auditing and billing purposes.

In certain jurisdictions, it may be necessary for us to receive and process your Sensitive Personal Information to provide respective products and services to you and/or to financial institutions, corporate clients, merchants, customers and partners. Such processing of your Sensitive Personal Information will be protected with adequate security measures and be conducted in a manner so as to have the lowest possible impact on your personal rights and interests. The following information may be considered Sensitive Personal Information as defined by applicable law: personal account number, card expiration date, card verification code, answers to security questions, security passwords and other credentials, address or location information (to the extent that it may reveal your personal tracks), voice and image recordings, electronic identification data, payment transactions, and biometric information.

We may use Personal Information we obtain about you for the purposes set out below. Depending on the country in which you are located, we will only process your Personal Information, where permitted under applicable laws, and when we have a legal basis for the processing as identified in the table below. However, please note that even though the chart below does not list consent as a legal basis for each processing activity, in some countries consent is the only or most appropriate legal basis for the processing of Personal Information, and in those countries, we rely on consent.

Where required under applicable law, we have carried out balancing tests for the data processing based on our or a third party’s legitimate interests to ensure that such legitimate interest is not overridden by your interests, fundamental rights or freedoms. For more information on our balancing tests, you may contact us as described in the “How to Contact Us” section below.

We will not subject you to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you, unless you explicitly consented to the processing where required under applicable law, the processing is necessary for entering into, or performance of a contract between you and Mastercard, or when we are legally required to use your Personal Information in this way, for example to prevent fraud.

If you provide us with any information or material relating to another individual, you must make sure that the sharing with us and our further use as described to you from time to time is in line with applicable laws, so for example you should duly inform that individual about the processing of her/his Personal Information and obtain her/his consent, as may be necessary under applicable laws.

Where the Personal Information we collect from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if you do not provide your Personal Information when requested, we may not be able to provide (or continue to provide) our products or services to you and you may not be able to purchase our products you require or fully use our services.

Please see the “Data Transfers” section below to understand how we comply with applicable cross-border data transfer rules.

We may also share your Personal Information:

• With financial institutions and other entities that issue payment cards or merchants to process payment transactions and perform other activities that you request.
• With entities that partner with Mastercard or assist Mastercard in providing its products and services, for fraud prevention and monitoring and third party identification services, to ensure the security of transactions and our payment processing system.
• With other participants in the Open Banking ecosystem, including financial institutions, merchants and other entities of your choice (e.g., your investment advisors).
• When we act as a service provider for third parties and provide them with Personal Information that we process on their behalf.
• With our service providers who perform services on our behalf for the purposes described in this Global Privacy Notice (or in the applicable program specific privacy notice). We require these service providers by contract to only process Personal Information in accordance with our instructions and as necessary to perform services on our behalf or in compliance with applicable law. We also require them to safeguard the security and confidentiality of the Personal Information they process on our behalf by implementing appropriate technical and organizational security measures and confidentiality obligations binding employees accessing Personal Information.
• With third parties whose features (e.g., third-party cookies, widgets, plug-ins) are integrated in our products and services. For further details, please consult Section 7 (Features and Links to Other websites) of this Global Privacy Notice.
• With social media networks when you directly engage with those platforms. For further details, please consult Section 7 (Features and Links to Other Websites) of this Global Privacy Notice.
• With other third parties with your consent.
• As required under applicable law or legal process, or to respond to requests from law enforcement or governmental agencies. When receiving such requests, we will follow the process set out in our Binding Corporate Rules (see Section 5 below) where applicable.
• When we believe disclosure is necessary to protect individuals’ vital interests, to enforce our Terms of Use, prevent Mastercard against harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.
• In the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use Personal Information you have provided to us in a manner that is consistent with our Global Privacy Notice. Following such a sale or transfer, you may contact the entity to which we transferred your Personal Information with any inquiries concerning the processing of that information.

Prior to the transfer or sharing of any Personal Information (including access to Personal Information), we require appropriate privacy and information security protections in agreements with third parties. We operate a comprehensive Third Party Risk Management Program and we perform appropriate due diligence as part thereof

If you are located in mainland China, you may contact us as specified in the “How to Contact Us” section below to obtain information regarding the third-party recipients who act in the capacity of data controllers and with whom we share your Personal Information. Such sharing will always be conducted to the extent necessary and will not exceed or alter the purposes and means of processing that you have originally consented or based on a non-consent legal basis.

You may have certain rights regarding the Personal Information we maintain about you and certain choices about what Personal Information we collect from you, how we use it, and how we communicate with you.

We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise these rights, except where the different price or level of quality of good or service is reasonably related to the value of the data that we receive from you. In some instances, we may not be able to provide you with the good or service that you request if you choose to exercise certain rights.

You can choose:

• Not to provide Personal Information to Mastercard by refraining from conducting payment transactions or from submitting Personal Information directly to us. When we collect Personal Information from you, we indicate whether and why it is necessary to provide it to us, as well as the consequences of failing to do so. If you do not provide Personal Information, you may not be able to benefit from the full range of Mastercard products and services, and we may not be able to provide you with the Mastercard products or services if that information is necessary to provide you with them, or if we are legally required to collect it in relation to the provision of such product or service.
• To opt out of the collection and use of certain information, which we collect about you by automated means, when you visit our websites or use our apps. In certain jurisdictions, you can exercise your choice regarding the use of cookies and similar technologies by clicking on the ‘Manage cookies’ banner displayed in the bottom right corner of Mastercard websites. Your browser may tell you how to be notified of and opt out of having certain types of cookies placed on your device. Note that without certain cookies you may not be able to use all of the features of our websites, apps or online services.
• To opt out of certain uses of information, which we collect about you by automated means, when you visit third-party websites and interact with our ads. We may use service providers to serve ads on those third-party websites. These ads may be customized and served based on the use of data we and our partners have collected on our websites and apps. In addition, some of our service providers and partners may collect information about your online activities over time and across third-party websites to customize and serve these ads. Mastercard ads are sometimes delivered with icons that help consumers (i) learn more about how their data is being used and (ii) exercise choices they may have regarding the use of their data. Please click where applicable, on the icon in our targeted ads to learn about your ability to opt out or limit the use of your browsing behavior for advertising purposes. You may also exercise your choice regarding the use of cookies and similar technologies by clicking on the ‘Manage cookies’ banner displayed in the bottom right corner of our websites.
• To tell us not to send you marketing emails by clicking on the unsubscribe link within the marketing emails you receive from us or by contacting us as indicated below. You also may opt out of receiving marketing emails from Mastercard by clicking here.
• To opt out of the anonymization of your Personal Information to perform data analyses by clicking here.

Depending on the country in which you are located, you may have the right to:

• Request access to and receive information about the Personal Information we maintain about you, to update and correct inaccuracies in your Personal Information, to restrict or to object to the processing of your Personal Information, to have the information anonymized, destroyed or deleted, as appropriate, or to exercise your right to data portability to easily transfer your Personal Information to another company. In addition, you may also have the right to lodge a complaint with the relevant supervisory authority or regulator, including in your country of residence, place of work or where an incident took place.
• Withdraw any consent you previously provided to us regarding the processing of your Personal Information, at any time and free of charge. We will apply your preferences going forward and this will not affect the lawfulness of the processing before your consent withdrawal.

If you reside in the United States, you may have additional rights as described in our U.S. Privacy Addendum.

For information on the number of privacy requests Mastercard processed pursuant to privacy laws globally, please review the “My Data Report” section of the “My Data” portal.

You may opt out from certain processing of your Personal Information, e.g., via our opt-out webpage.

Note that this list may not be exhaustive, which means that you may have additional rights in accordance with your local laws. In addition, the above rights may be limited in some circumstances by local law requirements.

To update your preferences, ask us to remove your information from our mailing lists or submit a request to exercise your rights under applicable law, contact us as specified in the "How To Contact Us" section below.

We have developed Mastercard’s “My Data” portal to facilitate the exercise of your rights. You, or a party authorized to act on your behalf, can exercise your rights on Mastercard’s “My Data” portal or by submitting a request as described in the “How To Contact Us" section below.

If we fall short of your expectations in processing your Personal Information or you wish to make a complaint about our privacy practices, please tell us because it gives us an opportunity to fix the problem. To assist us in responding to your request, please give full details of the issue. We attempt to review and respond to all complaints within a reasonable time and as required under applicable law.

To learn more about the APEC Certification and access Dispute Resolution, please click on the TRUSTe seal.

Mastercard is a global business. We may transfer the Personal Information we collect about you to recipients in countries other than your country, including the United States, where we are headquartered. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer your Personal Information to other countries, we will protect that information as described in this Global Privacy Notice, as disclosed to you at the time of data collection or as described in our program-specific privacy notice.

We comply with applicable legal requirements, including obtaining consent where required, when transferring Personal Information to countries other than the country where you are located. In particular, we have established and implemented Binding Corporate Rules (“BCRs”) that have been recognized by EEA data protection authorities as providing an adequate level of protection to the Personal Information we process globally. A copy of our EEA BCRs is available here. We equally rely on UK BCRs to transfer Personal Information outside of the United Kingdom. A copy of our UK BCRs is available here.

We may also transfer Personal Information to countries for which adequacy decisions have been issued (see list of countries for which the European Commission has issued an adequacy decision here; see list of countries which the Swiss Federal Council has determined to provide for adequate data protection legislation here), use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses or their equivalent under applicable law, or rely on other data transfer mechanisms where applicable. Depending on your country, you may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of your jurisdiction.

Additionally, Mastercard’s privacy practices, described in this Global Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found here.

If you are located in mainland China, you understand that we may transfer the Personal Information we collect about you to recipients in countries or regions other than mainland China, including Mastercard International Incorporated in the United States, Mastercard Asia/Pacific Pte. Limited in Singapore and to other affiliates as listed here. When we conduct international transfers of Personal Information, we will always ensure to comply with requirements stipulated under applicable laws.

The security of your Personal Information is important to Mastercard. We are committed to protecting the information we collect. We maintain reasonable administrative, technical and physical safeguards designed to protect the Personal Information you provide or we collect against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use. We use SSL encryption on a number of our websites from which we transfer certain Personal Information.

In the event of a breach of our security safeguards, we will assess the extent of harm (if any) to individuals, and comply with reporting and notification obligations in accordance with the applicable law.

We also take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.

Our websites may provide links to other websites for your convenience and information. Our website may also contain certain features for which we partner with other entities. These entities may learn of your visit regardless of whether you use these features. These websites and features, which may include social networking and geo-location tools, operate independently from Mastercard, and are clearly identified as such. To the extent any linked websites or features you visit or use are not owned or controlled by Mastercard, we suggest that you review the privacy practices of the websites.

Mastercard offers you the possibility to share, link to, or mention things on social media about Mastercard’s products and services. For example, you may “like” an offer via your Facebook account, or “tweet” an offer using Twitter. When you visit a website with a social media button, your browser establishes a direct connection to that social media provider, and data concerning your visit, including IP address, is transferred to the social media provider. If you have an account with the social media provider, the provider may link your visit to your account, even if you are not logged into this account.

You may also choose to use certain features on our websites that can be accessed through, or for which we partner with, other entities that are not otherwise affiliated with Mastercard. These features, including geo-location tools, are operated by third parties and are clearly identified as such. Social media providers such as Facebook and Twitter, and these other third parties, are independent from Mastercard and do not necessarily share the same policy as Mastercard regarding the protection of privacy. Please review their privacy notices if you decide to use their services and consult your social media account settings if you want to deactivate certain features.

Mastercard products and services are not directed to, likely to be accessed by, or intended for children. However, Mastercard may process Personal Information about children below 16 or 18 years of age with the parent or guardian’s consent, and with the child’s consent where required, or based on another legal basis in accordance with applicable law. If you learn that Mastercard is processing children’s Personal Information in violation of this Privacy Notice, then you may alert us at [email protected].

This Global Privacy Notice may be updated periodically to reflect changes in our Personal Information practices. We will post a prominent notice on relevant websites to notify you of any significant or material changes to our Global Privacy Notice prior to them being effective and indicate at the top of the Notice when it was most recently updated. If we update our Global Privacy Notice, in certain circumstances, we may seek your consent.

If you have any questions, comments or complaints about this Global Privacy Notice and our privacy practices, or would like to update your privacy preferences, please email us at: [email protected] or write to us at:

Global Privacy Office
Mastercard International Incorporated
2000 Purchase Street
Purchase, New York 10577
USA

If you reside in a state in the United States which recognizes privacy rights under law, you may exercise your rights under applicable privacy law by submitting your request on Mastercard’s “My Data” portal, email us at: [email protected], or call our toll-free number: 1-833-244-4084. For more information on exercising these rights, please see our US Privacy Addendum.

If you are located in Quebec, Canada, you may contact our Data Protection Officer at [email protected]. For inquiries about your Mastercard card and your purchase, you should contact your financial institution or merchant. More information about how to contact them can be found on their respective websites.

If you are located in the EEA, the UK or Switzerland, Mastercard Europe SA is the entity responsible for the processing of your Personal Information (or data controller). You may submit your request to exercise your rights to your Personal Information on Mastercard’s “My Data” portal, or email us at: [email protected], or write to us at:

Europe Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium

If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information on Mastercard’s “My Data” portal, or email us at: [email protected] or write to us at:

Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
São Paulo/SP
Brasil
CEP 04794-000

If you are located in Asia Pacific (excluding mainland China), Middle East or Africa, Mastercard Asia Pacific Pte. Ltd. is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information by emailing us at: [email protected], calling our toll-free number listed here or write to us at:

Asia Pacific, Middle East and Africa Data Protection Officer
Mastercard Asia/Pacific Pte Ltd
3 Fraser Street, DUO Tower, Level 17
Singapore 189352

If you are located in South Africa, you may also send your complaint to the South African Information Regulator at the following:

Email: [email protected]
Post: PO Box 31533, Braamfontein, Johannesburg, 2017
Website: https://www.justice.gov.za/inforeg/

If you are located in mainland China, Mastercard Shanghai Business Consulting Ltd. is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information by emailing us at: [email protected] or writing to us at:

China Data Protection Officer
Room 2907-14, Part of 29/F Tower 2
Shanghai IFC, 8 Century Avenue
China (Shanghai) Pilot Free Trade Zone

LAST UPDATED: August 10, 2023

Application

This U.S. Privacy Addendum supplements the information contained in the Global Privacy Notice. This U.S. Privacy Addendum applies to residents in the United States whose states have passed state specific privacy laws.

Additional Disclosures for California Residents

If you are a California resident from whom we collect Personal Information as a business under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) (“CCPA”), you may rely on the Global Privacy Notice and the additional information below.

If you are a job applicant who is a California resident, please see the Mastercard Applicant Privacy Notice for further information.

For the purpose of this section for California residents, “Personal Information” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or as otherwise defined by the CCPA. Personal Information does not include information that is publicly available, deidentified, or aggregated (as those terms are defined in the CCPA) or otherwise excluded from the scope of the CCPA.

1. Categories of Personal Information about you that we Collect and Disclose
   

   The following is a list of categories of Personal Information (as defined by the CCPA) we have collected and disclosed for a business purpose.

   A. Identifiers. Examples: Personal and business contact information (e.g., name, postal address, telephone number, job title), date of birth, unique personal identifiers or numbers, online identifier, device identifier(s), internet protocol address, email address, account name, authentication information, and similar identifiers. We may collect this information about other people if you give us their information. We may also associate information that you submit to us, such as articles, comments, or content on our social media pages, with your identifiers.

   B. Categories of Personal Information in Cal. Civ. Code Section 1798.80(e). Examples: Name, address, telephone number, email address, and IP address.

   C. Characteristics of Protected Classifications under California or Federal Law. Examples: Gender, family status, age range, and military and veteran status.

   D. Commercial Information. Examples: Information we create or retain that are fundamental to our business, e.g. records of personal property; transaction information, such as date and time of transaction, or a transaction ID provided by a customer, personal account number, the merchant’s name and location, the total amount of the transaction, and other information provided by financial institutions or merchants when we act on their behalf; product and service information, such as product version, registration and payment information, and program-specific information, when you request products or services directly from us, or participate in marketing programs; preferences that we infer about you based on products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies; accrued total of points or rewards and points or rewards redemption history.

   E. Biometric Information. Examples: Behavioral characteristics, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity, such as keystroke timing, device accelerometer, scroll position, and mouse location.

   F. Internet or Other Electronic Network Activity Information. Examples: Cookie and web beacon data, IP address, browser type, operating system, mobile device identifier, referring URLs, pages viewed and actions you take on our online properties and apps, and behavioral-based data or biometric information, such as keystroke timing, device accelerometer, scroll position, and mouse location.

   G. Geolocation Data. Example: Your city, state or country or your IP address.

   H. Sensory Information. Examples: Photographs, audio recordings (including call recordings for customer service purposes), and video recordings.

   I. Professional or Employment-Related Information. Examples: Professional information such as job title, department, and name of organization. Additionally, information you provide as part of your job application or in the course of your employment with Mastercard, e.g., contact information and employment history. Please see the Mastercard Applicant Privacy Notice for further information.

   K. Inferences Drawn from Personal Information. Examples: Personal characteristics, life habits, consumption habits, and interests.

   L. Sensitive Personal Information. Examples: Biometric information, as described in more detail above in E, for fraud and security prevention. (We note, however, that we do not use or disclose sensitive personal information for purposes which would require us to offer consumers the right to limit our collection and processing of this data under the CCPA).

2. Sources of Collection of Personal Information
   

   We have collected Personal Information from the following categories of sources:

   • You/Your Devices: You or your devices directly.
   • Affiliates.
   • Analytics Providers.
   • Users: Other users of our services.
   • ISPs: Internet service providers.
   • Government: Government entities.
   • Advertising Networks.
   • Social Networks.
   • OS/Platform Provider: Operating systems and platforms.
   • Partners: Business partners.
   • Public: Publicly accessible sources.
   
   
3. Use of your Personal Information
   

   We collect, use, and disclose your Personal Information in accordance with the specific business and commercial purposes below:

   • Providing Services: Providing our services.
   • Communicating: Communicating with you, providing you with updates and other information relating to our services and products, providing information that you request, responding to comments and questions, and otherwise providing customer support.
   • Connecting Third Party Services: Facilitating the connection of third-party services or applications.
   • Marketing: Marketing purposes, such as developing and providing promotional and advertising materials that may be useful, relevant, valuable, or otherwise of interest to you.
   • Personalization: Personalizing your experience on our services, such as presenting tailored content.
   • Sending Messages: Sending you personalized text messages as requested on our Talent Community. Please see Talent Community Privacy Notice for further information.
   • Facilitating Payments: Facilitating transactions and payments.
   • Deidentification and Aggregation: Deidentifying and aggregating information collected through our services and using it for lawful purposes.
   • Job Applications: Processing your job application.
   • Safety Issues: Responding to trust and safety issues that may arise.
   • Compliance: For compliance purposes, including enforcing our Terms of Use or other legal rights, or as may be required by applicable laws and regulations or requested by any judicial process or governmental agency.
   • Loyalty Program Operation: Offering and supporting loyalty programs that allow you to earn points, cashback rewards, prize draw entries, or other benefits for purchases made with your eligible Mastercard card.
   • Auditing Interactions: Auditing related to your interaction with our services and concurrent transactions, including, but not limited to, counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with other standards.
   • Fraud and Incident Prevention: Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity.
   • Debugging: Debugging to identify and repair errors that impair existing intended functionality.
   • Transient Use: Short-term, transient use.
   • Contracting Vendors: Contracting with vendors and service providers to perform services on our behalf or on their behalf, including maintaining or servicing accounts, providing customer service, processing, or fulfilling orders and transactions, verifying customer information, processing payments, providing advertising or marketing services, providing analytics services, or providing similar services on behalf of Mastercard’s clients.
   • Research: Undertaking internal research for technological development and demonstration.
   • Improving Our Services: Undertaking activities to verify or maintain the quality or safety of our services, and to improve, upgrade, or enhance our services.
   • Enabling Transactions: Otherwise enabling or effecting, directly or indirectly, a commercial transaction.
   • Notified Purpose: For other purposes for which we provide specific notice at the time the information is collected.
   
   
   
4. Disclosure of your Personal Information to Third Parties
   

   With respect to the categories of Personal Information identified above in Section 1, we disclose your Personal Information to the following categories of third parties:

   • Advertising Providers: Advertising technology companies, such as advertising networks. We disclose your Personal Information to Advertising Providers only with your consent. Personal Information we disclose: Identifiers; Internet or Other Electronic Network Activity; Geolocation Data.
   • Analytics Providers: Companies that help us analyze and improve our online properties. We disclose your Personal Information to Analytics Providers only at your direction and only with your consent. Personal Information we disclose: Identifiers; Internet or Other Electronic Network Activity; Geolocation Data.
   • OS/Platform Providers: Operating systems and platforms. Personal Information we share: Identifiers; Internet or Other Electronic Network Activity Information; Geolocation Data.
   • Resellers: Consumer data brokers. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Geolocation Data; Inferences Drawn from Personal Information.
   • Affiliates. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information.
   • Vendors: Vendors and service providers. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information.
   • Integrated Third Parties: Third parties integrated into our services. Personal Information we disclose: Identifiers; Internet or Other Electronic Network Activity; Geolocation Data.
   • Third Parties as Legally Required: Third parties as required by law and similar disclosures. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information.
   • Third Parties in Merger/Acquisition: Third parties in connection with a merger, sale, or asset transfer. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information.
   • Third Parties with Consent or Direction: Other third parties for whom we have obtained your direction or permission to disclose your Personal Information. Personal Information we may disclose: Identifiers; Commercial Information.
   • Financial Institution(s) (e.g., banks that issued your Mastercard card) or Merchants: To the extent necessary for Mastercard to offer promotions, offers, benefits, campaigns, and other loyalty-related initiatives and to perform related activities for our customers. Personal Information we disclose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Commercial Information; Internet or Other Electronic Network Activity Information; Geolocation Data; Inferences Drawn from Personal Information.
   
   

   We do not use or disclose sensitive personal information for purposes which would require us to offer consumers the right to limit under the CCPA.

5. Collection and Sale of your Personal Information to Other Parties
   

   We sell your Personal Information. However, we only sell your Personal Information for fraud prevention and identity verification purposes, as detailed further below.

   With respect to Personal Information that we sell, we have collected information from Resellers (consumer data brokers).

   We do not “share” Personal Information with third parties for “cross-context behavioral advertising” (“CCBA”).

   The following is a list of categories of Personal Information (as defined by the CCPA) we have sold.

   A. Identifiers. Examples: Personal and business contact information (e.g., name, postal address, telephone number), internet protocol address, and email address. We may collect this information about other people if you give us their information.

   B. Categories of Personal Information in Cal. Civ. Code Section 1798.80(e). Examples: Name, postal address(es), telephone number, email address, and IP address.

   C. Characteristics of Protected Classifications under California or Federal Law. Examples: Age range, e.g., 35-39 years of age.

   E. Geolocation Data. Example: Your city, state or country, or your IP address.

   F. Associated People. Example: Household members, i.e., people with the same current address.

   G. Contact Information Metadata. Examples: Mobile phone carrier name, mobile phone carrier line type, mobile phone number subscriber name, and email address registered owner name.

   H. Device Information. Examples: Browser, ISP carrier, and platform.

   With respect to the categories of Personal Information identified above, we have sold Personal Information to our Customers, who use our identity verification and fraud prevention products. We share the following categories of Personal Information to our Customers for this purpose: Identifiers; Categories of Personal Information in Cal. Civ. Code Section 1798.80(e); Characteristics of Protected Classifications under California or Federal Law; Internet or Other Electronic Network Activity Information; and Geolocation Data.

   We do not have actual knowledge that we sell Personal Information of consumers under 16 years of age or that we share Personal Information of consumers under 16 years of age for CCBA.

6. Retention
   

   We take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.

7. Your Privacy Rights
   

   If you are a California resident, you may exercise the following rights.

   Right to Know and Access. You may submit a verifiable request for information regarding the: (1) categories of Personal Information collected, sold, shared with third parties for CCPA, or disclosed by us; (2) purposes for which categories of Personal Information are collected, sold, or shared with third parties for CCBA by us; (3) categories of sources from which we collect Personal Information; (4) categories of third parties with whom we disclosed Personal Information; and (5) specific pieces of Personal Information we have collected about you.

   Right to Delete. Subject to certain exceptions, you may submit a verifiable request that we delete Personal Information about you that we have collected from you. We maintain a record of such request as required by the CCPA.

   Right to Correct. You have the right to correct inaccurate Personal Information that we maintain about you.

   Verification. Requests for access, deletion, or correction of Personal Information are subject to our ability to reasonably verify your identity in light of the information requested pursuant to relevant CCPA requirements, limitations, and regulations. Mastercard is committed to secure personal information. When consumers exercise their privacy rights through the My Data portal, a two-step verification will enable their account to be guarded by an extra layer of security. In addition to their email, name, and surname, we require additional verification through the second factor of authentication that they have chosen (mobile one-time passcode or security answer) during registration. Before disclosing information, we also ask consumers to respond to specific questions about the products they use and that are in scope of their privacy request. Similarly, when consumers reach out to Mastercard via email, we verify their identity by using their contact information (email, name, and surname) and specific questions about the products they use.

   Right to Opt Out. In some circumstances, you may opt out of the sale of Personal Information.

   Right to Equal Service and Price. You have the right not to receive discriminatory treatment for the exercise of your CCPA privacy rights, subject to certain limitations. We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise your rights, except where the different price or level of quality of good or service is reasonably related to the value of the data that we receive from you.

   Submit Requests.

   To exercise your rights under the CCPA (other than the right to opt out of the sale of your Personal Information), please submit your request on Mastercard’s “My Data” portal, email us at [email protected], or call our toll-free number: 1-833-244-4084.

   To opt out of the sale of your Personal Information under the CCPA, and to exercise your rights under the CCPA with respect to your Personal Information processed by Ekata, Inc. (a Mastercard affiliate), please submit your request on Ekata’s website at https://privacyrequests.ekata.com/hc/en-us/requests/new, email us at [email protected], or call our toll-free number at +1 (855) 927-1072.

   Authorizing an Agent. If you are acting as an authorized agent to make a request to know, delete, correct, or opt out on behalf of a California resident, you may submit a request on Mastercard’s “My Data” portal, email us at [email protected], or call our toll-free number: 1-833-244-4084. Please note that we will require you to attach a written authorization signed by the resident whose Personal Information will be subject to the request.

8. CCPA Metrics
   

   Each calendar year, we compile various metrics describing how we have complied with requests to delete, access, correct, and opt-out of sale or sharing. To view these metrics please visit the “My Data” portal.

Additional disclosures for U.S. residents, other than California Residents

If you are a U.S. resident from whom we collect Personal Data as a controller, you may have certain rights under an applicable U.S. state privacy law. You may rely on the disclosures in the Global Privacy Notice regarding how we collect, use, and disclose your personal information as well as the choices you can make related to your personal information.

Collection and Sale of your Personal Information to Other Parties

We sell your Personal Information. However, we only sell your Personal Information for fraud prevention and identity verification purposes. With respect to Personal Information that we sell, we have collected such Personal Information from Resellers (consumer data brokers).

We do not “share” Personal Information with third parties for targeted advertising.

Your Rights and Choices

In addition to the rights identified in Section 4 (“Your Rights and Choices”) above, you may have the right to opt out of the processing of the personal information for purposes of (i) targeted advertising, (ii) the sale of personal information, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you and the right to appeal a decision we make with respect to your privacy rights.

You (or, where permitted by law, your authorized agent) can exercise your rights on Mastercard’s “My Data” portal or by submitting a request as described in Section 7 (“Authorizing an Agent”) of the Additional Disclosures for California Residents above.

In addition, you may exercise your right to opt out of the sale of Personal Data processed by Ekata, Inc. (a Mastercard affiliate) by submitting your request on Ekata’s website at https://privacyrequests.ekata.com/hc/en-us/requests/new, emailing us at [email protected], or calling our toll-free number at +1 (855) 927-1072.

Please refer to Section 7 of the Additional Disclosures for California Residents above for more information on exercises these rights.