This Privacy Notice describes how we handle your Personal Information in the context of our online fraud prevention technology, NuDetect ("NuDetect"). NuDetect helps online platforms, merchants and financial institutions with online security, including in the context of payments. Where we say “we,” “us” and “Mastercard” we mean Mastercard International Incorporated, its affiliates and other entities within Mastercard’s group of companies.
This Privacy Notice describes the types of Personal Information we process in connection with NuDetect, the purposes for which we process that Personal Information, the other parties with whom it may be shared and the measures we take to protect the security of the data. It also tells you about your rights and choices with respect to your Personal Information, and how you can reach us to get answers to questions you may have about our privacy practices.
Our use of your Personal Information in the context of NuDetect is subject to this Privacy Notice. This does not cover the processing of your Personal Information by Mastercard in the context of other Mastercard or third-party products or services or communications that may reference Mastercard outside of NuDetect. For more information about Mastercard’s privacy practices, please visit Mastercard’s Global Privacy Notice.
If you reside in the United States, the U.S. Privacy Addendum of our Global Privacy Notice supplements the information contained in this Privacy Notice.
NuDetect is a technology that helps prevent fraud by measuring user behaviour and assessing risk associated with that behaviour. NuDetect does this through an analysis of your online activity (for example when you perform a payment transaction or when you log onto an online account) compared to your own typical online interactions.
NuDetect is provided by Mastercard, an international organization recognized for facilitating simple and secure payments across the world.
The following categories of Personal Information may be processed in the context of NuDetect by Mastercard:
We obtain the above categories of Personal Information from various sources: from online platforms you interact with, merchants you transact with, financial institutions, and service providers enabling online payments such as payment processors and payment gateways.
Your biometric data and transaction information described above may be considered as sensitive Personal Information depending on the country or region you are located in. We will make sure that the processing of sensitive Personal Information is necessary to achieve the specific purposes as described in this Privacy Notice, and our processing of sensitive Personal Information will be equipped with strict security measures and be conducted in a manner of having the least impact on data subjects’ personal rights and interests.
Protect you against online fraud and unauthorized transactions by developing, maintaining and enhancing NuDetect to carry out fraud analytics and generate fraud risk scores.
Internal research in connection to fraud prevention and detection. This will enable us to create models to identify past and potential future fraud patterns and offer advanced fraud and security features to financial institutions, merchants, and other customers and partners.
We, or a third party, have a legitimate interest in using your Personal Information to ensure and improve the safety, security, and performance of our products and services, to protect against and prevent fraud and secure our network and the payment transactions that we process.
In response to a request from a court, law enforcement authorities, or government officials.
Comply with applicable legal requirements
The processing is necessary for compliance with a legal obligation such as to prevent and monitor fraud.
Where the Personal Information we collect from you is needed to meet our legal or regulatory obligations or enter into an agreement with you, if you do not provide your Personal Information when requested, we may not be able to provide (or continue to provide) our products or services to you and you may not be able to purchase our products you require or fully use our services.
We will rely on the legal basis of “having a legitimate interests” for collecting and processing your Personal Information to the extent such legal basis is recognized under the laws of the jurisdiction where you are located.
We do not share or otherwise disclose Personal Information we process in the context of NuDetect, except as described in this Privacy Notice or otherwise disclosed to you at the time the data is collected.
Your Personal Information may be shared in the context of NuDetect with:
In addition to the above, we may disclose Personal Information about you: (i) if we are required to do so by law or legal process, (ii) in response to a request from a court, law enforcement authorities, or government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or in connection with an investigation of suspected or actual fraudulent or illegal activity.
Subject to applicable law, you have certain rights and choices regarding the Personal Information processed in the context of NuDetect. In particular, you may have the right to:
The above rights apply to the extent they are provided by applicable law, and they may be limited in some circumstances by local law requirements. For instance, we may not be able to comply with a request to delete or rectify your Personal Information in our servers because we need to keep the data for dispute resolution purposes or to comply with our legal obligations.
Mastercard will investigate your query or complaint as required by applicable law and will respond to you in writing within one month of receiving the written complaint, unless a different time frame is provided by applicable law. If we fail to respond to your complaint or if you are dissatisfied with the response that you receive from us, you may have the right to lodge a complaint with the competent supervisory authority.
You can exercise your rights by contacting us, and our Data Protection Officers at email@example.com. You may also submit a request as described in the “How to Contact Us” section below.
We maintain appropriate administrative, technical, and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession. We restrict access to your Personal Information to those employees who need to know that information for the processing purposes set out above.
Mastercard has implemented a comprehensive information security program and implements robust security controls to protect Personal Information processed in the context of NuDetect. These may include one-way hashing of data and encryption of data in transit
We take measures to delete, destroy or de-identify your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it in the context of NuDetect or when you request their deletion, unless we are required by law to keep the information for a longer period. When determining the retention period, we take into account various criteria, mandatory retention periods provided by law and the statute of limitations.
We may retain your Personal Information if it is necessary to comply with applicable laws or if we need your Personal Information to establish, exercise or defend a legal claim. In those cases, we will restrict the processing of your Personal Information to such limited purposes.
We may transfer or disclose Personal Information to recipients in countries other than your country, including to countries in the EEA and to the United States where our global headquarters are located. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer or disclose your Personal Information to other countries, we will protect that information as described in this Privacy Notice.
We comply with applicable legal requirements providing adequate safeguards for the transfer of Personal Information to countries other than the country where you are located. In particular, we have established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognized by EEA data protection authorities as providing an adequate level of protection to the Personal Information we process globally. A copy of our BCRs is available here. We may also transfer Personal Information to countries for which adequacy decisions have been issued, or use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses.
Mastercard’s privacy practices, described in this Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found here.
You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of the EEA.
Mastercard products and services are not directed to, or intended for, children under the age of 16. However, Mastercard may collect Personal Information about children below the age of 16 years of age from the parent or guardian directly, and with that person’s explicit consent.
This Privacy Notice may be updated periodically to reflect changes in our privacy practices. We will notify you of any significant changes to our Privacy Notice by posting the new version on the Mastercard website and indicating at the top of the notice when it was most recently updated. In certain circumstances, we may seek your consent when we update this Privacy Notice.
For any questions regarding the processing of your Personal Information in the context of NuDetect, please contact us by sending an e-mail to firstname.lastname@example.org or write to us at:
Global Privacy Office
Mastercard International Incorporated
2000 Purchase Street
Purchase, New York 10577
If you are located in the EEA, UK or Switzerland, Mastercard Europe SA is the entity responsible for the processing of your Personal Information. You can write to us at:
Europe Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. is the entity responsible for the processing of your Personal Information. You may write to us at:
Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
If you are located in Asia Pacific (excluding mainland China), Middle East or Africa, Mastercard Asia Pacific Pte. Ltd. is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information by emailing us at: email@example.com or write to us at:
Asia Pacific, Middle East and Africa Data Protection Officer
Mastercard Asia/Pacific Pte Ltd
3 Fraser Street, DUO Tower, Level 17
Mastercard is not responsible for any processing of your Personal Information by online platforms, merchants, financial institutions or online payment service providers with whom you interact. To learn more about their practices, please read their privacy notices.
For information on Mastercard’s privacy practices in other contexts, please refer to our Global Privacy Notice.