Open Finance Privacy Notice (U.S.)

Last updated: September 12, 2025

This Privacy Notice (the “Privacy Notice”) is provided by Finicity Corporation, a wholly-owned subsidiary of Mastercard International Inc. (“Finicity,” “we,” and/or “us”).

This Privacy Notice applies to the information you provide to us in connection with our Open Banking solutions including, for example, through Mastercard Data Connect and our other online services, websites, applications, and related services that link to this Privacy Notice (collectively the “Services”). It explains the types of personal information we collect, and how we collect, use, maintain, protect, and disclose this information. This Privacy Notice also tells you about the rights and choices you may have when it comes to your personal information. If you have questions, you can contact us at ob.privacy@mastercard.com for more information.

You may access our Services through other third parties and their related applications and services that you have authorized to access your information in order to provide a product or service to you. This Privacy Notice does not explain what those third parties do with any Personal Information we provide to them on your behalf, or any other information they may separately collect about you. We encourage you to review those third parties’ privacy notices and applicable terms of conditions for more information about their data practices.

We process your Personal Information in accordance with applicable law and our applicable obligations. By accessing or using our Services, you agree to the collection, use, and processing of your Personal Information as set forth in this Privacy Notice.

If you are a job applicant, please refer to the Mastercard Applicant Privacy Notice for further information.

The Personal Information We May Collect and Where it Comes From
How We Use Your Personal Information
How We Disclose Your Personal Information
How We Protect Your Personal Information
How Long We Keep Your Personal Information
Your Rights and Choices
Children’s Privacy
International Transfers
Updates to this Privacy Notice
Contact Us

1. The Personal Information We May Collect and Where it Comes From

When you use our Services to connect your financial account from your bank, financial institution, payroll provider, or other entity that provides your financial account, we will access and collect information from financial accounts (e.g., checking, savings, credit card, etc.) accessible through a set of credentials or an authenticated access token on your behalf. We also collect information from the devices you use to access our Services, and from affiliates, service providers, or third parties, including to protect you and others against fraud.

In this Privacy Notice, “Personal Information” means any information relating to an identified or identifiable individual (or household or device that identifies a consumer or household, where required by applicable law). The Personal Information we collect, use, and disclose depends on the Services that you use, the information available from your financial account, and other factors. The categories of Personal Information we collect are:

Categories of Personal Information We Collect	Examples
Information from your financial account	Account identifying details (such as account name, type, number, owner, and identifying or routing information for the financial institution); account balance information; revolving credit account information (including balance owed, due dates, payment details, transaction history, credit limits, repayment status, and interest rates); payroll account information (including employer details, employment description, W2 and tax related information, income amount and dates paid, and amounts withheld for taxes, benefits, and insurance); loan account information (including due dates, repayment status, balances, payment details, interest rates, guarantor, loan types, and payment plans and terms); investment account information (including transaction information, type of asset, identifying details about the asset, quantity, price, fees, and cost basis); identifying information about the account owner(s), (including name, email address, phone number, date of birth, and address information); and transaction or other commercial information (including merchant, amount, date, payee, type, quantity, price, location, involved securities, and memo or description of the transaction)
Identifiers	Personal and business contact information (e.g., name, email address, postal address, phone number, job title), date of birth, social security number, unique personal identifiers or numbers, online identifier, internet protocol (IP) address, account name, authentication information, and similar identifiers
Authentication information	Credentials, username, password, security questions and responses, Personal Identification Numbers (PINs), multi-factor authentication responses, security tokens, and/or other information required to authenticate you and to connect your financial account(s) through the Services
Product and service information	Registration and payment information, first name, last name, email, phone/mobile device number, date of birth, social security number
Device, internet, and other electronic network activity information	Device hardware model, operating system, browser type, referring URLs, and other information collected via automated means such as cookies or web beacons when you interact with our Services
Geolocation data	Using your IP address and other device information, we collect your time zone setting and geographic area
Inferences drawn from personal information	Inferences may include fraud signals, such as the number of times a data element has been queried in a period of time or the last time a data element has been seen, to identify behavioral patterns and insights for our fraud prevention and identity verification services (e.g., patterns confirming that a provided address is genuine), authentication risk scores, transaction risk factors, risk reason codes, income, employment, cash flow information, your likelihood to make a payment on a given day, and your regular payments (e.g., utilities, rent subscription services)
Audio information	Audio recordings (including call recordings for customer service purposes)
Professional or Employment-Related Information	Business-to-business (“B2B”) information (such as job title, department, and name of organization); professional employment information; and payroll provider information
Commercial Information	Information we create or retain that is fundamental to our business, e.g., bank statements, bank transactions, records of personal property; products or services purchased or obtained; purchase history; consumer habits or tendencies; banking account numbers; bank routing numbers; W-2s and other tax-related documentation, and credit scores
Sensitive Personal Information	Some of the data above may be considered “Sensitive Personal Information” under applicable state privacy laws. We do not use or disclose sensitive personal information for purposes which would require us to offer consumers the right to limit our collection and processing of this data under those laws.

We collect this Personal Information from various categories of sources, including:

Your bank or financial institution.
Directly from you or your devices.
Our affiliates within the Mastercard group, including to monitor and prevent fraud. For more information, please see the Mastercard Fraud & Security Notice
Third parties that you have authorized to access your information in order to provide a product or service to you.
Service providers, including analytics providers.
OS/platform providers.
Publicly accessible sources.
Third party data providers, who may collect the information from publicly available sources, directly from individuals, or other sources.

2. How We Use Your Personal Information

We use your Personal Information in a manner consistent with this Privacy Notice. For some processing activities, we may use techniques such as artificial intelligence and machine learning to process and analyze data. Specifically, we may collect, use, and disclose your Personal Information for the following purposes:

To provide, maintain, improve, and enhance our Services;
To verify your identity, which is required to give you access to our Services, including for account creation and for fielding disputes and data requests;
To remember you when you return to our Services to manage your eligible financial account connections and permissions;
To provide you with certain information that we derive from your Personal Information, such as your income based on your pay checks;
To protect you and others against fraud;
If you subscribe to a Service requiring payment, to process the initial payment and all subsequent payments;
To help us improve and personalize the content and functionality of our Services;
To help us understand your usage of the Services to improve the Services;
To communicate with you regarding customer service matters, questions and other various comments you may send to us;
To communicate various technical and administrative messages regarding the Services, including notices of technology updates;
To generate insights, such as your income or employment, your likelihood to make a payment on a given day, or your regular payments, in support of services you request from a third party who you have authorized to access your information;
Where permissible by law, to generate de-identified and/or aggregated data that we may use or disclose for any lawful purpose, including purposes described in this Privacy Notice;
Auditing related to your interaction with the Services;
Debugging to identify and repair errors that impair existing intended functionality;
Undertaking internal research for technological development and demonstration;
To maintain legal and regulatory compliance;
To enforce compliance with our Terms and Conditions and Policies; and
For any other purpose disclosed to you at the time we collect or receive the Personal Information, or otherwise with your consent.

3. How We Disclose Your Personal Information

When you authorize third parties, and their related applications and services that you have authorized, to access your information in order to provide a product or service to you, we disclose your Personal Information, including from the categories identified above in Section 1, to those third parties. We only provide your Personal Information to a third party after such third party has a signed a confidentiality contract with us, and we provide your Personal Information to such third parties only for business purposes.

We may also disclose your Personal Information as follows:

With your consent and at your discretion;
To third-party service providers that we employ to provide services on our behalf, including security, fraud prevention or identity verification, development, or other business processes;
To partners (such as financial institutions or payment processors that facilitate payment transactions) with whom we collaborate to provide services, so that they may use the Personal Information or de-identified, anonymized and/or aggregated data derived from that Personal Information to provide their services, including to third parties that you have authorized to access your information in order to provide a product or service to you;
To our affiliates within the Mastercard group; for more information, please see the Mastercard Global Privacy Notice;
As reasonably necessary to comply with applicable law, an investigation, or other legal process, such as a court order or a subpoena;
When we believe disclosure is necessary to protect individuals’ vital interests, to enforce our applicable Terms of Use, prevent Mastercard against harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity; or
To service providers, advisors, potential transactional partners, or other third parties in connection with the consideration, negotiation, or completion of a corporate transaction in which we are acquired by or merged with another company or we sell, liquidate, or transfer all or a portion of our assets.

4. How We Protect Your Personal Information

The security of your Personal Information is important to us. We have implemented and maintain administrative, technical, and physical security controls that are designed to safeguard your Personal Information, including physical, electronic, and procedural safeguards consistent with industry-standard practices. Please recognize that protecting your Personal Information is also your responsibility. We urge you to take every precaution to protect your Personal Information when you are on the internet and when you communicate with us and with other parties through the internet. Change your passwords often, use a combination of letters and numbers, and make sure you use a secure browser. If you have reason to believe that your interaction with us or our partners is no longer secure, please let us know immediately by contacting us as indicated in the Contact Us section below. By using our Services, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security breach involving your Personal Information, we may attempt to notify you electronically via any email or mobile device number we may have on file for you. If you have any questions about the security of your Personal Information, please email us at  ob.privacy@mastercard.com.

5. How Long We Keep Your Personal Information

We take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.

6. Your Rights and Choices

You may decline to share certain Personal Information with us, in which case we may not be able to provide to you some of the features and functionalities of our Services. Where required by applicable law, we will indicate whether and why you must provide us with your Personal Information, as well as the consequences of failing to do so.

Depending on your country or state, you may have the right to access, correct, or delete any Personal Information we hold about you; know more about the categories of Personal Information we collect, use, and disclose, as well as our sources of Personal Information and categories or a specific list of third parties with whom we disclose it; confirm whether we have processed your Personal Information; opt out of, object to, or restrict some uses of your Personal Information (including targeted advertising, sale of personal information, and profiling in furtherance of decisions that produce legal effects); and withdraw any consent provided.

You also have the right not to receive discriminatory treatment for the exercise of your privacy rights, subject to certain limitations. We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise your rights, except where the different price or level of quality of good or service is reasonably related to the value of the data that we receive from you.

Submit Requests. To exercise your rights under the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act of 2020) or any other applicable privacy law granting such rights, please submit your request via our Data Privacy Consumer Rights Portal or call (855) 263-3072 and select option 3.

Verification. Requests for access, deletion, or correction of Personal Information are subject to our ability to reasonably verify your identity in light of the information requested pursuant to applicable law requirements, limitations, and regulations. We are committed to securing your personal information. When consumers exercise their rights through our Data Privacy Consumer Rights Portal, a two-step verification will enable their account to be guarded by an extra layer of security. To aid us in verifying your identity and identifying any relevant personal information on our systems, we will request all usernames with which you previously logged into Finicity systems, corresponding bank names, and last 4 digits of corresponding account numbers. We will also request a signed affidavit (we provide a suggested template which can be signed physically or electronically) affirming your state of residence, and that you are the consumer whose personal information is the subject of your request.

How to Appeal. If your request is denied, you have the right to appeal the decision by calling us at (855) 263-3072 and selecting option 3 or submitting a request through our Data Privacy Consumer Rights Portal  as described above in the “Submit Requests” subsection.

Authorizing an Agent. If you are acting as an authorized agent to make a request to know, delete, correct, or opt out on behalf of a consumer, you may submit a request via our Data Privacy Consumer Rights Portal or call (855) 263-3072 and select option 3. Please note that we will require you to attach a written authorization signed by the resident whose Personal Information will be subject to the request.

Finicity does not sell or “share” (disclose for targeted advertising purposes) your Personal Information.

Finicity does not use or disclose sensitive personal information for purposes which would require us to offer consumers the right to limit our collection and processing of this data under applicable law.

Do Not Track. Because there is not yet a consensus on how companies should respond to web browser-based do-not-track (“DNT”) mechanisms, Finicity does not respond to web browser-based DNT signals at this time. To learn more about browser tracking signals and DNT, visit https://allaboutdnt.com.

7. Children’s Privacy

You must be at least 18 years old to use our Services. We do not knowingly direct our Services to individuals under 18 years old (“Minors”), nor do we knowingly collect, use, or disclose Personal Information about Minors who use our Services. If you use our Services, you represent that you are at least the age of majority under the laws of the jurisdiction of your place of residence. If you believe a Minor has provided us with Personal Information, please alert us at  ob.privacy@mastercard.com. If we learn that we have collected Personal Information from a Minor, we will promptly take steps to delete such information.

Finicity does not have actual knowledge that we sell or “share” (disclose for targeted advertising purposes) Personal Information of consumers under 16 years of age.

8. International Transfers

Our Services are hosted in the United States and are directed to people inside the United States. If you choose to use the Services from other regions of the world with laws governing data collection and use that may differ from United States law, then please note that you are transferring your Personal Information outside of those regions to the United States for storage and processing. Also, we may transfer your Personal Information from the United States to other countries or regions in connection with storage and processing of data, fulfilling your requests, and operating the Services. We comply with applicable legal requirements when transferring Personal Information to countries other than the country where you are located.

9. Updates to this Privacy Notice

We may revise this Privacy Notice to reflect how we collect, use, and process Personal Information at any time and in our sole discretion. If we make any material changes to how we treat Personal Information we have already collected about you, we will attempt to notify you by any email or mobile device number we may have for you, by a notice on our website, or by other means. You are advised to review this Privacy Notice periodically for any changes. Your continued use of our Services after such modifications will constitute your acknowledgment of the modified Privacy Notice. Changes to this Privacy Notice are effective when they are posted on this page.

10. Contact Us

Questions regarding this Privacy Notice, our information practices, or other aspects of privacy in connection with the use of our Services should be directed to our Data Privacy Officer, who can be reached by email at  ob.privacy@mastercard.com .

Finicity Headquarters:

434 West Ascension Way, Suite 200
Salt Lake City, UT 84123
(801) 984-4200

What are you looking for?

Featured Content

Mastercard launches Merchant Cloud to simplify and support commerce growth in global acceptance ecosystem

Mastercard unveils tools to power smarter agentic commerce