Skip to Content

Last Updated : March 2021

  1. What’s in this Privacy Notice
  2. What is NuDetect
  3. Personal Information Processed by NuDetect
  4. Use of Your Personal Information
  5. Sharing of Your Personal Information
  6. Your Rights and Choices
  7. How We Protect Your Personal Information
  8. Data Transfers
  9. Children’s Privacy
  10. Updates to This Privacy Notice
  11. How to Contact Us

1.What’s in this Privacy Notice?

This Privacy Notice describes how we handle your Personal Information in the context of our online fraud prevention technology, NuDetect ("NuDetect"). NuDetect helps online platforms, merchants and financial institutions with online security, including in the context of payments. Where we say “we,” “us” and “Mastercard” we mean Mastercard International Incorporated, its affiliates and other entities within the Mastercard’s group of companies.

This Privacy Notice describes the types of Personal Information we process in connection with NuDetect, the purposes for which we process that Personal Information, the other parties with whom it may be shared and the measures we take to protect the security of the data. It also tells you about your rights and choices with respect to your Personal Information, and how you can reach us to get answers to questions you may have about our privacy practices.

Our use of your Personal Information in the context of NuDetect is subject to this Privacy Notice. This does not cover the processing of your Personal Information by Mastercard in the context of other Mastercard or third-party products or services or communications that may reference Mastercard outside of NuDetect. For more information about Mastercard’s privacy practices, please visit Mastercard’s Global Privacy Notice.

2.What is NuDetect?

NuDetect is a technology that helps prevent fraud by measuring user behaviour and assessing risk associated with that behaviour. NuDetect does this through an analysis of your online activity (for example when you perform a payment transaction or when you log onto an online account) compared to your own typical online interactions.

NuDetect is provided by Mastercard, an international organization recognized for facilitating simple and secure payments across the world.

3.Personal Information Processed in the context of NuDetect by Mastercard

The following categories of Personal Information may be processed in the context of NuDetect by Mastercard:

  • Information about your device such as device identifier, device name, device channel, IP address, flash settings, system fonts.
  • Behaviour-based interactions with your device such as device accelerometer values, mouse location, timing between keystrokes, window scroll position. This may qualify as biometric data depending on the country or region you are located in.
  • Application information such as application placement, account identifier, session identifier.
  • Transaction information such as personal account number, the date and the total amount of transaction.
  • Account and contact details such as phone number, email address, username.

We obtain the above categories of Personal Information from various sources: from online platforms you interact with, merchants you transact with, financial institutions, and service providers enabling online payments such as payment processors and payment gateways.

4.Use of Your Personal Information

    Processing activity

Legal Basis for Processing (where required under applicable law)

    Protect you against online fraud and unauthorized transactions by developing, maintaining and enhancing NuDetect to carry out fraud analytics and generate fraud risk scores.

  • Your consent to the use of your Personal Information. For example, we will seek to obtain your consent for the processing of your biometric data either directly or indirectly, such as through your financial institution, a merchant or service provider enabling online payments.
  • We, or a third party, have a legitimate interest to ensure and improve the safety, security, and performance of our products and services, and to protect against and prevent fraud. Please note that we will not rely on a third party’s or our legitimate interest to process your biometric data for the described purpose (as explained above).

    Internal research in connection to fraud prevention and detection. This will enable us to create models to identify past and potential future fraud patterns and offer advanced fraud and security features to financial institutions, merchants, and other customers and partners.

    We, or a third party, have a legitimate interest in using your Personal Information to ensure and improve the safety, security, and performance of our products and services, to protect against and prevent fraud and secure our network and the payment transactions that we process.

    In response to a request from a court, law enforcement authorities, or government officials.

  • The processing is necessary for compliance with a legal obligation or other regulatory obligations; or
  • We, or a third party, have a legitimate interest in using your Personal Information for the purposes of responding to a judicial process, law enforcement or governmental agency.

    Comply with applicable legal requirements

    The processing is necessary for compliance with a legal obligation such as to prevent and monitor fraud.

5.Sharing of Your Personal Information

We do not share or otherwise disclose Personal Information we process in the context of NuDetect, except as described in this Privacy Notice or otherwise disclosed to you at the time the data is collected.

Your Personal Information may be shared in the context of NuDetect with:

  • Mastercard’s headquarters and, our affiliates and other entities within Mastercard’s group of companies.
  • Financial institutions or other third parties for fraud monitoring and prevention purposes
  • Technology service providers who perform services on our behalf and in relation to the purposes described in this Privacy Notice (e.g., technology service providers that assist with the storage of your Personal Information). We require these technology service providers by contract to only process Personal Information in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements. We also require them to safeguard the security and confidentiality of the Personal Information they process on our behalf by implementing appropriate technical and organizational security measures and confidentiality obligations binding personnel accessing Personal Information.
  • Other entities in the event of a sale or transfer of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use your Personal Information in a manner that is consistent with this Privacy Notice.
  • Other third parties with your consent.

In addition to the above, we may disclose Personal Information about you: (i) if we are required to do so by law or legal process, (ii) in response to a request from a court, law enforcement authorities, or government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or in connection with an investigation of suspected or actual fraudulent or illegal activity.

6.Your Rights and Choices

Subject to applicable law, you have certain rights and choices regarding the Personal Information processed in the context of NuDetect. In particular, you have the right to:

  • Request access to and receive information about the Personal Information processed by NuDetect.
  • Update and correct inaccuracies in your Personal Information, to restrict or to object to the processing of your Personal Information, to have the information anonymized or deleted, as appropriate.
  • Withdraw any consent you previously provided regarding the processing of your Personal Information, at any time and free of charge. Particularly, where consent was obtained indirectly, such as through your financial institution, a merchant or service provider enabling online payments, you may contact such entity to withdraw your consent. The withdrawal of consent will not affect the lawfulness of the processing before your withdrawal.
  • Where applicable, lodge a complaint with your Supervisory Authority in your country of residence, place of work or where an incident took place.

The above rights apply to the extent they are provided by applicable law, and they may be limited in some circumstances by local law requirements. For instance, we may not be able to comply with a request to delete or rectify your Personal Information in our servers because we need to keep the data for dispute resolution purposes or to comply with our legal obligations.

Mastercard will investigate your query or complaint as required by applicable law and will respond to you in writing within one month of receiving the written complaint, unless a different time frame is provided by applicable law. If we fail to respond to your complaint or if you are dissatisfied with the response that you receive from us, you may have the right to lodge a complaint with the competent supervisory authority.

You can exercise your rights by contacting us, and our Data Protection Officer at privacyanddataprotection@mastercard.com. You may also submit a request as described in the “How to Contact Us” section below.

7.How We Protect Your Personal Information

We maintain appropriate administrative, technical, and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession. We restrict access to your Personal Information to those employees who need to know that information for the processing purposes set out above.

Mastercard has implemented a comprehensive information security program and implements robust security controls to protect Personal Information processed in the context of NuDetect. These may include one-way hashing of data and encryption of data in transit

We take measures to delete, destroy or de-identify your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it in the context of NuDetect or when you request their deletion, unless we are required by law to keep the information for a longer period. When determining the retention period, we take into account various criteria, mandatory retention periods provided by law and the statute of limitations.

8.Data Transfers

We may transfer or disclose Personal Information to recipients in countries other than your country, including to countries in the EEA and to the United States where our global headquarters are located. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer or disclose your Personal Information to other countries, we will protect that information as described in this Privacy Notice.

We comply with applicable legal requirements providing adequate safeguards for the transfer of Personal Information to countries other than the country where you are located. In particular, we have established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognized by EEA data protection authorities as providing an adequate level of protection to the Personal Information we process globally. A copy of our BCRs is available here.We may also transfer Personal Information to countries for which adequacy decisions have been issued, use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses.

Mastercard’s privacy practices, described in this Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found here.

You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of the EEA.

9.Children’s Privacy

Mastercard products and services are not directed to, or intended for, children under the age of 16. However, Mastercard may collect Personal Information about children below the age of 16 years of age from the parent or guardian directly, and with that person’s explicit consent.

10. Updates to This Privacy Notice

This Privacy Notice may be updated periodically to reflect changes in our privacy practices. We will notify you of any significant changes to our Privacy Notice by posting the new version on the Mastercard website and indicate at the top of the notice when it was most recently updated. In certain circumstances, we may seek your consent when we update this Privacy Notice.

11.How to Contact Us

For any questions regarding the processing of your Personal Information in the context of NuDetect, please contact us by sending an e-mail to privacyanddataprotection@mastercard.com or write to us at:

Global Privacy Office
Mastercard International Incorporated
2000 Purchase Street
Purchase, New York 10577
USA

If you are located in the EEA, UK or Switzerland, Mastercard Europe SA is the entity responsible for the processing of your Personal Information. You can write to us at:

EEA Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium

If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. is the entity responsible for the processing of your Personal Information. You may write to us at:

Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
São Paulo/SP
Brasil
CEP 04794-000

Mastercard is not responsible for any processing of your Personal Information by online platforms, merchants, financial institutions or online payment service providers with whom you interact. To learn more about their practices, please read their privacy notices.

For information on Mastercard’s privacy practices in other contexts, please refer to our Global Privacy Notice.