Last updated: September 2024
- What’s in this Privacy Notice
- What is Identity Insights Behavioral
- Personal Information Processed by Identity Insights Behavioral
- Use of Your Personal Information
- Sharing of Your Personal Information
- Your Rights and Choices
- How We Protect Your Personal Information
- Data Transfers
- Children’s Privacy
- Updates to This Privacy Notice
- How to Contact Us
1. What’s in this Privacy Notice?
This Privacy Notice describes how we handle your Personal Information in the context of our online fraud prevention technology, Identity Insights Behavioral Solutions ("Identity Insights Behavioral"), formerly known as NuDetect. Identity Insights Behavioral helps online platforms, merchants and financial institutions with online security, including in the context of payments. Where we say “we,” “us” and “Mastercard” we mean Mastercard International Incorporated, its affiliates and other entities within Mastercard’s group of companies.
This Privacy Notice describes the types of Personal Information we process in connection with Identity Insights Behavioral, the purposes for which we process that Personal Information, the other parties with whom it may be shared and the measures we take to protect the security of the data. It also tells you about your rights and choices with respect to your Personal Information, and how you can reach us to get answers to questions you may have about our privacy practices.
Our use of your Personal Information in the context of Identity Insights Behavioral is subject to this Privacy Notice. This does not cover the processing of your Personal Information by Mastercard in the context of other Mastercard or third-party products or services or communications that may reference Mastercard outside of Identity Insights Behavioral. For more information about Mastercard’s privacy practices, please visit Mastercard’s Global Privacy Notice.
If you reside in the United States, the U.S. Privacy Addendum of our Global Privacy Notice supplements the information contained in this Privacy Notice.
2. What is Identity Insights Behavioral?
Identity Insights Behavioral is a technology that helps prevent fraud by measuring user behaviour and assessing risk associated with that behaviour. Identity Insights Behavioral does this through an analysis of your online activity (for example when you perform a payment transaction or when you log onto an online account) compared to your own typical online interactions.
Identity Insights Behavioral is provided by Mastercard, an international organization recognized for facilitating simple and secure payments across the world.
3. Personal Information Processed in the context of Identity Insights Behavioral by Mastercard
The following categories of Personal Information may be processed in the context of Identity Insights Behavioral by Mastercard:
- Information about your device such as device identifier, device name, device channel, IP address, flash settings, system fonts.
- Behaviour-based interactions with your device such as device accelerometer values, mouse location, timing between keystrokes, window scroll position.
- Application information such as application placement, account identifier, session identifier.
- Transaction information such as personal account number, the date and the total amount of transaction.
- Account and contact details such as phone number, email address, username.
We obtain the above categories of Personal Information from various sources: from online platforms you interact with, merchants you transact with, financial institutions, and service providers enabling online payments such as payment processors and payment gateways.
Depending on the specific solution used by our customers who have a direct relationship with you and the country or region you are located in, behavior-based interactions with the device may be considered sensitive Personal Information. If we process sensitive Personal Information, we will make sure that the processing is necessary to achieve the specific purposes described in this Privacy Notice and is subject to strict security measures, so that it is conducted in a manner that has the least impact on data subjects’ personal rights and interests.
4. Use of Your Personal Information
Protect you against online fraud and unauthorized transactions by developing, maintaining and enhancing Identity Insights Behavioral to carry out fraud analytics and generate fraud risk scores.
Internal research in connection to fraud prevention and detection. This will enable us to create models to identify past and potential future fraud patterns and offer advanced fraud and security features to financial institutions, merchants, and other customers and partners.
We, or a third party, have a legitimate interest in using your Personal Information to ensure and improve the safety, security, and performance of our products and services, to protect against and prevent fraud and secure our network and the payment transactions that we process.
In response to a request from a court, law enforcement authorities, or government officials.
Comply with applicable legal requirements
The processing is necessary for compliance with a legal obligation such as to prevent and monitor fraud.
Where the Personal Information we collect from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if you do not provide your Personal Information when requested, we may not be able to provide (or continue to provide) our products or services to you and you may not be able to purchase our products you require or fully use our services.
We will rely on the legal basis of “having a legitimate interest” for collecting and processing your Personal Information to the extent such legal basis is recognized under the laws of the jurisdiction where you are located.
5. Sharing of Your Personal Information
We do not share or otherwise disclose Personal Information we process in the context of Identity Insights Behavioral, except as described in this Privacy Notice or otherwise disclosed to you at the time the data is collected.
Your Personal Information may be shared in the context of Identity Insights Behavioral with:
- Mastercard’s headquarters, affiliates and other entities within Mastercard’s group of companies.
- Financial institutions or other third parties for fraud monitoring and prevention purposes.
- Technology service providers who perform services on our behalf and in relation to the purposes described in this Privacy Notice (e.g., technology service providers that assist with the storage of your Personal Information). We require these technology service providers by contract to only process Personal Information in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements. We also require them to safeguard the security and confidentiality of the Personal Information they process on our behalf by implementing appropriate technical and organizational security measures and confidentiality obligations binding personnel accessing Personal Information.
- Other entities in the event of a sale or transfer of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use your Personal Information in a manner that is consistent with this Privacy Notice.
- Other third parties with your consent.
In addition to the above, we may disclose Personal Information about you: (i) if we are required to do so by law or legal process, (ii) in response to a request from a court, law enforcement authorities, or government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or in connection with an investigation of suspected or actual fraudulent or illegal activity.
6. Your Rights and Choices
Subject to applicable law, you have certain rights and choices regarding the Personal Information processed in the context of Identity Insights Behavioral. In particular, you may have the right to:
- Request access to and receive information about the Personal Information processed by Identity Insights Behavioral.
- Update and correct inaccuracies in your Personal Information, to restrict or to object to the processing of your Personal Information, to have the information anonymized or deleted, as appropriate.
- Exercise your right to data portability to easily transfer your Personal Information to another company.
- Withdraw any consent you previously provided regarding the processing of your Personal Information, at any time and free of charge. Particularly, where consent was obtained indirectly, such as through your financial institution, a merchant or service provider enabling online payments, you may contact such entity to withdraw your consent. The withdrawal of consent will not affect the lawfulness of the processing before your withdrawal.
- Where applicable, lodge a complaint with your Supervisory Authority in your country of residence, place of work or where an incident took place.
The above rights apply to the extent they are provided by applicable law, and they may be limited in some circumstances by local law requirements. For instance, we may not be able to comply with a request to delete or rectify your Personal Information in our servers because we need to keep the data for dispute resolution purposes or to comply with our legal obligations. In addition, to the extent permitted by applicable law, you may also ask us to further explain the rules governing our processing of your Personal Information should anything be unclear in this Privacy Notice.
Mastercard will investigate your query or complaint as required by applicable law and will respond to you in writing within one month of receiving the written complaint, unless a different time frame is provided by applicable law. If we fail to respond to your complaint or if you are dissatisfied with the response that you receive from us, you may have the right to lodge a complaint with the competent supervisory authority.
You can exercise your rights by contacting us, and our Data Protection Officers at privacyanddataprotection@mastercard.com. You may also submit a request as described in the “How to Contact Us” section below.
7. How We Protect Your Personal Information
We maintain appropriate administrative, technical, and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession. We restrict access to your Personal Information to those employees who need to know that information for the processing purposes set out above.
Mastercard has implemented a comprehensive information security program and implements robust security controls to protect Personal Information processed in the context of Identity Insights Behavioral. These may include one-way hashing of data and encryption of data in transit.
We take measures to delete, destroy or de-identify your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it in the context of Identity Insights Behavioral or when you request its deletion, unless we are required by law to keep the information for a longer period. When determining the retention period, we take into account various criteria, mandatory retention periods provided by law and the statute of limitations.
We may retain your Personal Information if it is necessary to comply with applicable laws or if we need your Personal Information to establish, exercise or defend a legal claim. In those cases, we will restrict the processing of your Personal Information to such limited purposes.
8. Data Transfers
We may transfer or disclose Personal Information to recipients in countries other than your country, including to countries in the EEA and to the United States where our global headquarters are located. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer or disclose your Personal Information to other countries, we will protect that information as described in this Privacy Notice.
We comply with applicable legal requirements providing adequate safeguards for the transfer of Personal Information to countries other than the country where you are located. In particular, we have established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognized by EEA data protection authorities as providing an adequate level of protection to the Personal Information we process globally. A copy of our BCRs is available here. We may also transfer Personal Information to countries for which adequacy decisions have been issued, or use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses.
Mastercard’s privacy practices, described in this Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found here.
You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of the EEA.
9. Children’s Privacy
Mastercard products and services are not directed to, or intended for, children under the age of 16. However, Mastercard may collect Personal Information about children below 16 years of age from the parent or guardian directly, and with that person’s explicit consent.
10. Updates to This Privacy Notice
This Privacy Notice may be updated periodically to reflect changes in our privacy practices. We will notify you of any significant changes to our Privacy Notice by posting the new version on the Mastercard website and indicating at the top of the notice when it was most recently updated. In certain circumstances, we may seek your consent when we update this Privacy Notice.
11. How to Contact Us
For any questions regarding the processing of your Personal Information in the context of Identity Insights Behavioral, please contact us by sending an e-mail to privacyanddataprotection@mastercard.com or write to us at:
Global Privacy Office
Mastercard International Incorporated
2000 Purchase Street
Purchase, New York 10577
USA
If you are located in the EEA, UK or Switzerland, Mastercard Europe SA is the entity responsible for the processing of your Personal Information. You can write to us at:
Europe Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium
If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. is the entity responsible for the processing of your Personal Information. You may write to us at:
Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
São Paulo/SP
Brasil
CEP 04794-000
If you are located in Asia Pacific, Middle East or Africa, Mastercard Asia Pacific Pte. Ltd. is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information by emailing us at: privacyanddataprotection@mastercard.com or write to us at:
Asia Pacific, Middle East and Africa Data Protection Officer
Mastercard Asia/Pacific Pte Ltd
3 Fraser Street, DUO Tower, Level 17
Singapore 189352
Mastercard is not responsible for any processing of your Personal Information by online platforms, merchants, financial institutions or online payment service providers with whom you interact. To learn more about their practices, please read their privacy notices.
For information on Mastercard’s privacy practices in other contexts, please refer to our Global Privacy Notice.