Mastercard International Incorporated and its subsidiaries and affiliates (“Mastercard”, “we”, “us”, or “our”) respect your privacy. This Privacy Notice applies to the Mastercard Click to Pay services. We recommend that you read this notice together with Mastercard's Global Privacy Notice and the Fraud & Security Notice
Our current Click to Pay services are the Click to Pay website and the payment profile that you may establish (collectively, the “Services”). Developed by Mastercard and built upon global payment industry standards, Mastercard's Click to Pay provides a new digital checkout option using advanced payment technology and intelligent security. The convenience of Mastercard’s Click to Pay means the experience is consistent across participating merchants, so users can pay the same way, every time – no passwords, no surprises. And, users can keep their Mastercard payment information stored securely in one place, so it’s there when they need it.
To learn more, click on one of the links beside to jump to the listed section:
This Privacy Notice describes the types of Personal Information we collect in connection with the Services, the purposes for which we collect that Personal Information, the other parties with whom we may share it and the measures we take to protect the security of the data. It also tells you about your rights and choices with respect to your Personal Information, and how you can contact us about our privacy practices.
“Personal Information” means any information relating to an identified or identifiable individual. We may collect Personal Information in connection with the Services, including when you register for an account, establish your payment profile, use the Services, or participate in our marketing programs. We may collect information about you directly from you or from third parties such as our service providers, marketing and business partners, financial institutions, merchants, and other Click to Pay participants (such as other payment card brands).
We may collect the following categories of Personal Information:
You may also choose to provide other information, such as different types of content (e.g., photographs, articles and comments), contact information of friends or other people you would like us to contact, content you make available through social media accounts or memberships with third parties, or any other information you want to share with us.
Personal Information We Collect by Automated Means
We, our service providers, and partners may collect certain information about you via automated means such as cookies, scripts and web beacons when you interact with the Services, visit our websites or ads, pages or other digital assets. A “cookie” is a text file placed on a computer’s hard drive by a web server. A “script” is an automated series of programmatic instructions carried out by your browser. A “web beacon,” also known as an Internet tag, pixel tag or clear GIF, is a technology that helps us identify when content has been accessed or visited.
The information we collect in this manner may include: IP address, browser type, operating system type and version number, device identifiers, screen resolution and color depth, time zone settings, geographical area, referring URLs, browser extensions and plug-ins installed in the browser and versions thereof, fonts installed on your device and other similar data. It may also include information on actions taken or interaction with our digital assets, such as pages or screens you viewed, how long you spent on a page or screen, navigation paths between pages or screens, information about your activity on a page or screen, such as information about your mouse movements, scrolling, and keystrokes, and, if applicable, information from your device accelerometer, access times, and length of access. Our service providers and partners may collect this type of information over time and across third-party websites and mobile applications that are involved in your use of the Services. We use this information for a variety of purposes, including to improve our products and services, for fraud prevention and to protect against unauthorized transactions, as further explained in the Fraud & Security Notice, and as further explained in the “How We May Use Your Personal Information” section below.
When we send emails in connection with the Services, we may track activity, such as whether the email was opened, the amount of time spent reading the email, and whether any links were clicked. We do that to measure the performance of our emails and to improve our features. To do this, we include single pixel GIFs, also called web beacons, in emails we send. Web beacons allow us to collect information about whether an email has been opened and the number of clicks inside that email. We use the data from those web beacons to create reports about how our email campaign performed and what actions individuals took within the email (e.g. links clicked). If you do not wish for us to track emails we send you, some email services allow you to adjust your display to turn off HTML or disable download of images which should effectively disable our email tracking.
We may use third-party web analytics services on our websites. The analytics providers that administer these services use technologies such as cookies and web beacons to help us analyze how visitors use our websites.
Please see the “Your Rights and Choices” section of this Privacy Notice to learn more about your choices.
We may use your Personal Information for the following purposes and as otherwise described in the Privacy Notice.
We do not sell your Personal Information as defined by the California Consumer Protection Act of 2018 or disclose Personal Information we collect about you, except as described in this Privacy Notice or as disclosed to you at the time of data collection. We May Share Personal Information with:
We may also share Personal Information with:
Depending on your country, you may have the right or choice to:
You have certain rights and we offer you certain choices about what Personal Information we collect from you, how we use that information, and how we communicate with you. We will not deny, charge different prices for, or provide a different level of quality of goods or services if you choose to exercise these rights, except where the different price or level of good or service is reasonably related to the value of the data that we receive from you; however, we do not control merchants’ practices in this regard. In some instances, we may not be able to provide you with the good or service that you request if you choose to exercise certain rights.
You can choose:
Because there is not yet a consensus on how companies should respond to web browser-based do-not-track (“DNT”) mechanisms, Mastercard does not respond to web browser-based DNT signals at this time. To learn more about browser tracking signals and DNT, visit http://www.allaboutdnt.com.
Depending on where you are located (such as California, the EEA, Switzerland or Brazil) you may have the right to:
You may opt out from certain processing of your Personal Information, e.g. via our opt-out webpage.
Those rights may be limited in some circumstances by local law requirements.
If we fall short of your expectations in processing your Personal Information or you wish to make a complaint about our privacy practices, please tell us because it gives us an opportunity to fix the problem. To assist us in responding to your request, please give full details of the issue. We attempt to review and respond to all complaints within a reasonable time and as required under applicable law.
To update your preferences, ask us to remove your information from our mailing lists or submit a request to exercise your rights under applicable law, contact us as specified in the "How to Contact Us" section below. We have developed Mastercard’s “My Data Center” portal to facilitate the exercise of your rights.
Mastercard is a global business. We may transfer your Personal Information to the United States and other countries which may not have the same data protection laws as the country in which you initially provided the information, but we will protect your Personal Information in accordance with this Global Privacy Notice, or as otherwise disclosed to you.
If you are located in the EEA, we will process your Personal Information in accordance with our Binding Corporate Rules and other data transfer mechanisms.
Mastercard’s privacy practices, described in this Global Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of Personal Information transferred among participating APEC economies. More information about the APEC framework can be found here.
Mastercard is a global business. We may transfer the Personal Information we collect about you to recipients in countries other than your country, including the United States, where we are headquartered. These countries may not have the same data protection laws as the country in which you initially provided the information. When we transfer your Personal Information to other countries, we will protect that information as described in this Global Privacy Notice, as disclosed to you at the time of data collection or as described in our program-specific privacy notice.
We comply with applicable legal requirements providing adequate safeguards for the transfer of Personal Information to countries other than the country where you are located. In particular, we have established and implemented a set of Binding Corporate Rules (“BCRs”) that have been recognised by EEA data protection authorities as providing an adequate level of protection to the Personal Information we process globally. A copy of our BCRs is available here. We may also transfer Personal Information to countries for which adequacy decisions have been issued, use contractual protections for the transfer of Personal Information to third parties, such as the European Commission’s Standard Contractual Clauses or their equivalent under applicable law, or rely on third parties’ certification to the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks where applicable. You may contact us as specified in the “How to Contact Us” section below to obtain a copy of the safeguards we use to transfer Personal Information outside of the EEA.
Mastercard’s privacy practices, described in this Global Privacy Notice, comply with the APEC Cross Border Privacy Rules System. The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. More information about the APEC framework can be found here.
We maintain appropriate security safeguards to protect your Personal Information.
The security of your Personal Information is important to Mastercard. We are committed to protecting the information we collect. We maintain reasonable administrative, technical and physical safeguards designed to protect the Personal Information you provide or we collect against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.
We use SSL encryption on a number of our websites from which we transfer certain Personal Information.
We also take measures to delete your Personal Information or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we process it, unless we are required by law to keep this information for a longer period. When determining the retention period, we take into account various criteria, such as the type of products and services requested by or provided to you, the nature and length of our relationship with you, possible re-enrolment with our products or services, the impact on the services we provide to you if we delete some information from or about you, mandatory retention periods provided by law and the statute of limitations.
We will never ask you for your account details in any unsolicited communication (including unsolicited correspondence, such as letters, phone calls or e-mail messages). If you believe your account has been compromised, please contact us as specified in the "How to Contact Us" section below.
Our websites may include links to other third-party websites, social media tools, widgets or plug-ins, permitting sharing web content including IP address, with third parties and social media providers. These social media providers may learn of your visit even if you are not logged in to your social media account or if you do not have an account with them. To the extent any linked websites or features you visit or use are not owned or controlled by Mastercard, we suggest that you review their own privacy notices or policies.
Our websites may provide links to other websites for your convenience and information. Our websites may also contain certain features for which we partner with other entities. These entities may learn of your visit regardless of whether you use these features. For example, you may “like” an offer via your Facebook account, or “tweet” an offer using Twitter. When you visit a website with a social media button, your browser may establish a direct connection to that social media provider, and data concerning your visit, including IP address, may be transferred to the social media provider. If you have an account with the social media provider, the provider may link your visit to your account, even if you are not logged into this account.
You may also choose to use certain features on our websites that can be accessed through, or for which we partner with, other entities that are not otherwise affiliated with Mastercard. Also, your browser may be configured to automatically collect, store and auto-fill payment information that you provide to websites and in some cases may sync with its related online profile. These websites and features, which may include social networking and geo-location tools, operate independently from Mastercard, and are clearly identified as such. They do not necessarily share the same policy as Mastercard regarding the protection of privacy. To the extent any linked websites or features you visit or use are not owned or controlled by Mastercard, we suggest that you review the privacy practices of the websites and consult your social media account settings if you want to deactivate certain features.
Mastercard products and services are not directed to, nor intended for, children under the age of 16.
Mastercard does not knowingly collect, maintain, or use Personal Information from children under 16 years of age, and no part of our products and services are directed to children.
If you learn that a child has provided us with Personal Information in violation of this Privacy Notice, then you may alert us at email@example.com.
This Privacy Notice may be updated periodically to reflect changes in our privacy practices.
This Privacy Notice may be updated periodically and without prior notice to you to reflect changes in our Personal Information practices. We will post a prominent notice on our websites to notify you of changes to our Privacy Notice by indicating at the top of the notice when it was most recently updated. We may also notify you of updates via email or other appropriate mechanism. In certain circumstances, we may seek your consent. However, please always remember that we will never ask you for your account details in any unsolicited communication (including unsolicited correspondence, such as letters, phone calls or e-mail messages). If you believe your account has been compromised, please contact us as specified in the "How to Contact Us" section below.
You can e-mail us and our Data Protection Officer at firstname.lastname@example.org.
If you are located in the EEA, Switzerland, Brazil or California, you may submit your request to exercise your rights to your Personal Information on Mastercard’s “My Data Center” portal. You can e-mail us if you have any questions, comments or complaints about this Privacy Notice and our privacy practices, or would like to update your privacy preferences at: email@example.com or write to us at:
Global Privacy Officer
Mastercard International Incorporated
2000 Purchase Street
Purchase, New York 10577
If you are located in the EEA or Switzerland, Mastercard Europe SA is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information on Mastercard’s “My Data Center” portal, or email us at: firstname.lastname@example.org, or write to us at:
EEA Data Protection Officer
Mastercard Europe SA
Chaussée de Tervuren 198A
If you are located in Brazil, Mastercard Brasil Soluções de Pagamento Ltda. is the entity responsible for the processing of your Personal Information. You may submit your request to exercise your rights to your Personal Information on Mastercard’s “My Data Center” portal, or email us at: email@example.com or write to us at:
Brazil Data Protection Officer
Mastercard Brasil Soluções de Pagamento Ltda.
Avenida das Nações Unidas, 14.171, 20º andar, Crystal Tower
For enquiries about your Mastercard card and your purchase, you should contact your financial institution or merchant. More information about how to contact them can be found on their respective websites.