For the purpose of this Privacy Notice, “Personal Information” means any information relating to an identified or identifiable individual. There are two types of Personal Information processed by ID: “Identity Information” and “Activity Information”.

In connection with ID, Personal Information relating to you is obtained from various sources described below.

Where applicable, we indicate whether and why you must provide your Personal Information, as well as the consequences of failing to do so. If you do not provide certain Personal Information, you may not be able to benefit from ID if that information is necessary to provide you with it or if we are legally required to process that information.

Identity Information

• Signing up for ID

  You may create your Digital Identity using the Mastercard ID mobile app (Mastercard ID App) or the mobile app of a Trust Provider (e.g., your bank, your telecommunication provider etc.).

  The Trust Provider may pre-populate your Digital Identity with information it already has about you. The exact data elements are determined by the Trust Provider, but they typically include:

  • Name
  • Email address
  • Date of birth
  • Mobile number
  • Postal address
  • Other relevant information about you that the Trust Provider verified in the context of your customer relationship with the Trust Provider.

You will be requested to confirm that information. When creating your Digital Identity, you may also choose to add an identification document (i.e., driver’s license, passport or other government identification), or other information to ID.

During the creation of your Digital Identity with a Trust Provider you will also enable face login, which involves taking a scan of your face in a similar manner as when setting up face authentication on your phone. This is required to enable secure access to your Digital Identity. ID will perform a match with the photo on your identity document, which helps to confirm you are really you. When you use your camera to take the facial scan, we will also perform a “liveness check”, for example, by capturing a short video or series of pictures to make sure the facial scan is not a picture or a mask.

• Use of your Digital Identity with a Service Provider

  You may choose to use your Digital Identity for authentication when you access services from Service Providers. Selecting to use your Digital Identity will prompt a request from the Service Provider, indicating the information they need to receive (e.g., your name, address, email address, phone number) in order for them to provide their service to you. With your consent, ID will provide the relevant information from your Digital Identity to the Service Provider. In some cases, some data may be optional. You will be able to select which optional data elements the Service Provider may receive.

• Verifying your Information

  We use IVPs to verify certain data elements in your Digital Identity (e.g., verifying your driver’s license, passport, address against the relevant authoritative sources, etc.). This ensures ID is providing accurate information to the Service Providers you interact with. The match results of these verifications are stored on your device.

Activity Information

The following information about your usage of ID may be processed when you create your Digital Identity to log in and interact with Service Providers online, in mobile apps, in physical settings, and for other purposes described in this Privacy Notice:

• Your records of consents including to process your biometrics, to use your identity documents, and your acknowledgement of this Privacy Notice
• The types of attributes added to the Digital Identity and their verification status
• Logs about the authentication events and data disclosures to Service Providers
• Other events performed with your Digital Identity such as if you choose to delete it
• Information about your Trust Provider
• Country of creation of your Digital Identity
• Whether your information was verified by an IVP including date and time of such verification, and information about the IVP
• The types of evidence you provided such as the passport, driver’s license, etc.
• The types of verifications performed, such as liveness checks, checks with IVPs, etc.
• The status of the Digital Identity, such as Active, Suspended, Revoked
• Device identifiers (e.g., IP address, device ID).

The Activity Information does not contain your Identity Information. The Activity Information is encrypted and securely stored in Mastercard servers.

We do not share or otherwise disclose Personal Information we process in the context of ID, except as described in this Privacy Notice or otherwise disclosed to you at the time the data is collected.

During your use of ID, certain Personal Information is shared with Service Providers. With respect to Identity Information, you will be able to select which optional data elements will be shared with Service Providers to access their services. Service Providers are solely responsible for their processing of your Identity Information after it is provided to them via ID. With respect to Activity Information, it may be shared with Service Providers, if necessary, to provide ID. For example, a “yes” or “no” response may be shared with Service Providers with respect to your use of ID for dispute resolution purposes. Please see the relevant Service Provider’s privacy notice for more information. You can access the record of your interactions with Service Providers in your Digital Identity (see the Section “Your Rights and Choices” below for more information). This will allow you to view the information you provided to the Service Providers.

When creating and using your Digital Identity, your Personal Information may be shared with IVPs. With respect to Identity Information, IVPs will be able to verify some of the information in your Digital Identity on our behalf (e.g., name, address, phone number, government identification card, student identification card, age/date of birth). With respect to Activity Information, it may be shared with IVPs, if necessary, to provide ID. For example, a “yes” or “no” response may be shared with IVPs with respect to your use of ID for dispute resolution purposes.

Your Personal Information may also be shared with other technology service providers who perform services on our behalf and in relation to the purposes described in this Privacy Notice (e.g., technology service providers that assist with operating certain functionalities of ID). We require these technology service providers by contract to only process Personal Information in accordance with our instructions and as necessary to perform services on our behalf or comply with legal requirements. We also require them to safeguard the security and confidentiality of the Personal Information they process on our behalf by implementing appropriate technical and organizational security measures and confidentiality obligations binding personnel accessing Personal Information.

Your Activity Information may be shared, if necessary, with Trust Providers to provide ID.For example, a “yes” or “no” response may be shared with Trust Providers with respect to your use of ID for dispute resolution purposes

We may share the Activity Information we process with our headquarters and affiliates worldwide.

We may share information collected by our advanced fraud prevention technology with partners who have also embedded the technology in order to determine typical human behavior.

We may disclose Activity Information about you: (i) if we are required to do so by law or legal process, (ii) in response to a request from a court, law enforcement authorities, or government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or in connection with an investigation of suspected or actual fraudulent or illegal activity.

We also reserve the right to transfer Activity Information we have about you in the event we sell or transfer all or a portion of our business or assets. Should such a sale or transfer occur, we will use reasonable efforts to direct the transferee to use Activity Information in a manner that is consistent with this Privacy Notice.

Subject to applicable law, you have the right to:

• Request access to and receive information about the Personal Information processed by ID.
• Update and correct inaccuracies in your Personal Information, to restrict or to object to the processing of your Personal Information, to have the information anonymized or deleted, as appropriate. In addition, you may contact us at the contact details below if you have a complaint. You may also have the right to lodge a complaint with a supervisory authority, including in your country of residence, place of work or where an incident took place.
• Withdraw any consent you previously provided to us regarding the processing of your Personal Information, at any time and free of charge. We will apply your preferences going forward and this will not affect the lawfulness of the processing before your consent withdrawal.

The above rights apply to the extent they are provided by applicable law, and they may be limited in some circumstances by local law requirements. For instance, we may not be able to comply with a request to delete or rectify Activity Information in our servers because we need to keep the data for dispute resolution purposes or to comply with our legal obligations.

You can exercise your rights by contacting your Trust Provider, who will liaise with us when handling your request. We will handle such requests within one month unless applicable law provides for a different timeframe. Please read your Trust Provider’s privacy notice for information on how to exercise your rights.

In addition, your Identity Information can be accessed, rectified or deleted directly in your Digital Identity. At any time, you may access the information in your Digital Identity by using the mobile app that you created your Digital Identity with. Once in your Digital Identity, you can view your profile, make changes and add more information. You can also view the full history of your use of ID. If you wish, you can delete your Digital Identity. This will delete all Personal Information in the Digital Identity on your device. If the deletion function is not yet available, you can delete your Digital Identity by deleting the mobile app from your device. Please make sure to keep the Identity Information in your Digital Identity up-to-date at any times.

Finally, where you have created your Digital Identity using the Mastercard ID App, you can choose:

• To opt out of the collection and use of certain information, which Mastercard collects about you by automated means, when you visit our websites or use our apps. In certain jurisdictions, you can exercise your choice regarding the use of cookies and similar technologies by clicking on the ‘Manage cookies’ banner displayed in the bottom right corner of Mastercard websites. Your browser may tell you how to be notified of and opt out of having certain types of cookies placed on your device. Note that without certain cookies you may not be able to use all of the features of our websites, apps or online services.
• To opt out of certain uses of information, which Mastercard collects about you by automated means, when you visit third-party websites and interact with our ads. We may use service providers to serve ads on those third-party websites. These ads may be customized and served based on the use of data we and our partners have collected on our websites and apps. In addition, some of our service providers and partners may collect information about your online activities over time and across third-party websites to customize and serve these ads. Mastercard ads are sometimes delivered with icons that help consumers (i) learn more about how their data is being used and (ii) exercise choices they may have regarding the use of their data. Please click, where applicable, on the icon in our targeted ads to learn about your ability to opt out or limit the use of your browsing behavior for advertising purposes. You may also exercise your choice regarding the use of cookies and similar technologies by clicking on the ‘Manage cookies’ banner displayed in the bottom right corner of our websites.
• To tell us not to send you marketing emails by clicking on the unsubscribe link within the marketing emails you receive from Mastercard or by contacting us as indicated below. You also may opt out of receiving marketing emails from Mastercard by clicking here .
• To opt out of the anonymization of your Personal Information to perform data analyses by Mastercard by clicking here.

We maintain appropriate administrative, technical, and physical safeguards to protect Personal Information against accidental or unlawful destruction, accidental loss, unauthorized alteration, unauthorized disclosure or access, misuse, and any other unlawful form of processing of the Personal Information in our possession. We restrict access to Activity Information about you to those employees who need to know that information to provide products or services to you.

Access to your Digital Identity is secured via biometric authentication.

We take measures to delete, destroy or de-identify your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it in the context of ID or when you request their deletion, unless we are required by law to keep the information for a longer period. When determining the retention period, we take into account various criteria, such as possible re-enrolment with ID, the impact on the services we provide to you if we delete some information about you, and mandatory retention periods provided by law and the statute of limitations.

We may retain your Personal Information if it is necessary to comply with applicable laws or if we need your Personal Information to establish, exercise or defend a legal claim. In those cases we will restrict the processing of your Personal Information for such limited purposes.

Mastercard is a global business. We may transfer or disclose Personal Information to recipients in countries other than your country, including to countries in the EEA and to the United States where our global headquarters are located. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer or disclose your Personal Information to other countries, we will protect that information as described in this Privacy Notice.

We comply with applicable legal requirements providing adequate safeguards for the transfer of Personal Information to countries other than the country where you are located. In particular, we have established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognized by EEA data protection authorities as providing an adequate level of protection to the Personal Information we process globally. A copy of our BCRs is available here. We may also transfer Personal Information to countries for which adequacy decisions have been issued, use contractual protections for the transfer of Personal Information to third parties, such as the European Commission's Standard Contractual Clauses.

Mastercard’s privacy practices comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found here.

You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Activity Information outside of the EEA.

This Privacy Notice may be updated periodically to reflect changes in our Personal Information practices. We will notify you of any significant changes to our Privacy Notice by posting the new version on the Mastercard website and indicate at the top of the notice when it was most recently updated. If we update this Privacy Notice, in certain circumstances, we may seek your consent.

For any queries regarding ID, please contact your Trust Provider using the contact details provided in the Trust Provider’s privacy notice. The Trust Provider will work with us when handling your request. If you consider the Trust Provider did not adequately handle your request, or if you created your ID via the Mastercard ID App, you can e-mail us at privacyanddataprotection@mastercard.com.

If you are located in Canada or the United States Mastercard International Incorporated is the entity responsible for the processing of your Personal Information. You may write to us at:

Global Privacy Office
Mastercard International Incorporated
2000 Purchase Street
Purchase, New York 10577

If you are located in the EEA, UK or Switzerland, Mastercard Europe SA is the entity responsible for the processing of your Personal Information. You can write to us at:

EEA Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
B-1410 Waterloo
Belgium

If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. is the entity responsible for the processing of your Personal Information. You may write to us at:

Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
São Paulo/SP
Brasil
CEP 04794-000

If you are located in Asia Pacific, Middle East and Africa, Mastercard Asia/Pacific Pte Ltd is the entity responsible for the processing of your Personal Information. You may write to us at:

Data Protection Officer
Mastercard Asia/Pacific Pte Ltd
3 Fraser Street, DUO Tower
Level 17
Singapore 189352

Mastercard will investigate your query or complaint as required by applicable law and will respond to you in writing within one month of receiving the written complaint, unless a different time frame is provided by applicable law. If we fail to respond to your complaint or if you are dissatisfied with the response that you receive from us, you may have the right to make a complaint to the applicable competent supervisory authority.

Mastercard is not responsible for any processing of your Personal Information by Trust Providers and Service Providers with whom you interact. To learn more about their practices, please read their privacy notices.

For information on Mastercard’s privacy practices in other contexts, please refer to our Global Privacy Notice.