Effective Date: January 1st, 2023

At Mastercard, we develop market-leading applications, products, and services to underpin, enable and safeguard the Open Banking ecosystem (“Open Banking Solutions”). This Open Banking Notice (“Notice”) describes how Mastercard Europe SA and other entities within the Mastercard group of companies (collectively, “Mastercard”, “us” or “we”) process Personal Information in connection with our Open Banking Solutions in Europe and the UK.

This Notice describes our processing of Personal Information as a data controller in connection with our Open Banking Solutions, such as:

    -   Aiia Data, which provides businesses with an account information service (“AIS”) through which account information is collected from a user's bank accounts and presented in a consolidated overview, and
    -   Aiia Pay, which provides businesses with a payment initiation service (“PIS”) through which users can initiate payments from their bank accounts.

This Notice does not cover the processing of Personal Information in connection with our Spiir product. Please consult the Spiir Privacy Notice for more information.

This Notice also does not cover the processing of Personal Information that we perform as a data processor, on behalf of our customers (such as financial institutions and merchants) who use our Open Banking Solutions. Please refer to our customers’ respective privacy notices for more information regarding the processing of your Personal Information.

1. Personal Information We May Collect

We may collect the following types of Personal Information:

  • Personal and/or Business Contact Information and Credentials
  • User Profile Information
  • Financial Information
  • Authorisations
  • Third Party Provider (“TPP”) Request Information
  • Transaction Information
  • Device-related Information
  • Fraud Prevention Information
  • General Communication Information
  • Logs of your use of the Open Banking Solutions

For the purpose of this Privacy Notice, “Personal Information” means any information relating to an identified or identifiable individual. In connection with the provision of the Open Banking Solutions, we obtain Personal Information relating to you from the various sources described below.

    a. Personal Information Provided by You

  • Personal and/or Business Contact Information and Credentials: such as, name, user ID, email address and phone number, and log-in credentials.
  • User Profile Information: such as e-mail address and password, and depending on the Open Banking Solution, any other information that you may be able to add to your profile, such as name, date of birth, address, social security number, Politically Exposed Person (“PEP”)-role, company shares, phone number, occupation, marital status, the number of people in your household, age or gender or third-party services with whom you wish to share your Personal Information.
  • Authorisations that you grant us to manage your Personal Information in specific ways (e.g., to access, retrieve and display your financial information or transaction information through our Open Banking Solutions, to update your profile based on recent transactions or to transfer financial information to third party services of your choice).
  • General Communication Information which we may receive when you contact us (e.g., via email, phone, or online web forms), such as your first and last name, telephone number, email address, physical address, as well as any other content that you provide. If you do not provide such information, we may not be able to answer your requests or queries.

    b. Personal Information provided by third parties

  • Financial Information: such as, information relating to a bank account that is enrolled in one of the Open Banking Solutions (e.g., account name or reference, unique account reference ID, balance, and transactions), refund account details (account number, sort code and financial institution servicing the refund account), payment receipts, payment card details and billing address.
  • Third Party Provider (“TPP”) Request Information: such as, payment initiation service requests, account information service requests, request reference number, and response status.
  • Transaction Information: such as, account provider and account number, date / time of payment, payment recipient and data needed for communication with your account provider, information about disputed transactions, fraud-related information (e.g., failed logins).

    c. Personal Information automatically obtained from your interaction with the Open Banking Solutions

  • Device-related Information: such as information which we obtain by automated means such as cookies, web beacons, and embedded scripts. This may include information from a web browser (such as browser type and browser language), an IP address, device identifier numbers, and the actions taken on a website (such as how a visitor interacts with the web pages and the links clicked, mouse location and keystroke timing). For detailed information about the use of cookies and similar technologies, please see the cookie notices and consent tools that are provided in our Open Banking Solutions.
  • Fraud Prevention Information that we may need to collect when you use the Open Banking Solutions to initiate payments (e.g., to comply with anti-money laundering legislation). This includes account holder name, address, and date of birth, and name, address, and date of birth of the beneficial owners, senior management, or authorized signatories, including copies of documents, if necessary, as well as device-related information and logs of your use of the Open Banking Solutions.
  • Logs of your use of the Open Banking Solutions, such as information on which profile is logged into or whether it concerns a one-time user, the IP-address used, the time and date, which action has been performed and device information, i.e., information on operating system, browser information and settings. Further, whenever a third-party service accesses the Open Banking Solutions, a similar log is created. We also monitor payment initiations for anomalies such as an unusually high frequency of failed initiations, an unusually high frequency of successful initiations, an unusually high value of initiated payments, or payments initiated from an unusual geographical location.

2. How We May Use Your Personal Information

We may use your Personal Information:

  • To provide and develop our Open Banking Solutions and related services.
  • To diagnose, troubleshoot, and fix issues with the Open Banking Solutions, including customer support and quality control.
  • To monitor and understand IT performance.
  • To market, promote and advertise our Open Banking Solutions.
  • To enforce compliance with our terms (e.g., helping to resolve disputes about Open Banking transactions), comply with legal obligations, and to establish, exercise, or defend against legal claims.
  • To develop new features, technologies, and improvements to the Open Banking Solutions.
  • To generate aggregated or anonymized statistics for internal business purposes.
  • To monitor, detect and investigate possible fraud.
  • To manage our customer, vendor, and partner relationships.

Where required under applicable law, we will only use your Personal Information as necessary to provide you with our Open Banking Solutions; with your consent; to comply with a legal obligation; or when there is a legitimate and overriding interest that necessitates the use. We have carried out balancing tests for the data processing that relies on this basis to ensure that such legitimate interest is not overridden by your interests, fundamental rights, or freedoms.

We may use Personal Information we obtain about you for the purposes set out below. Depending on the country in which you are located, we will only process your Personal Information when we have a legal basis for the processing as identified in the table below.

Processing purposes / Legal basis / Categories of Personal Information

Provide and operate our Open Banking Solutions and related services

This includes creating your profile, facilitating direct and account-to-account payments from your linked bank account, providing you with a consolidated view of your various bank accounts, enabling spending categorization, enabling the sharing of your Financial Information with third parties with your permission, remembering your Credentials and preferred settings within the Open Banking Solutions.

We rely on the “performance of a contract” legal ground to provide our Open Banking Solutions to you.

  • Personal and/or Business Contact Information and Credentials
  • User Profile Information
  • Financial Information
  • Authorisations
  • TPP Request Information

Troubleshoot our Open Banking Solutions and provide customer support

This includes our ticketing system where you contact us for assistance when you are experiencing a technical issue as well as analysis to ensure quality control.

We have a legitimate interest in ensuring the safety, security, and performance of our Open Banking Solutions.

Where required under applicable laws, we obtain your prior consent to access Financial Information and Transaction Information for these purposes.

  • User Profile Information
  • Financial Information
  • Authorisations
  • TPP Request Information
  • Transaction Information
  • Logs of your use of the Open Banking Solutions
  • Device-related Information

Monitor and understand IT performance

We have a legitimate interest in monitoring and understanding IT performance of our Open Banking Solutions for stability and improvement and ensuring the integrity of our Solutions.

  • Logs of your use of the Open Banking Solutions
  • Device-related Information

Market, promote and advertise our Open Banking Solutions

We have a legitimate interest in promoting our business.

Where required under applicable laws, we will obtain your prior consent to send you electronic direct marketing communications.

  • User Profile Information
  • Personal and/or Business Contact Information and Credentials

Comply with legal obligations, and to establish, exercise, or defend against legal claims

Compliance with a legal obligation (e.g., to respond to law enforcement requests).

We, or a third party, have a legitimate interest in protecting against legal claims.

  • Personal and/or Business Contact Information and Credentials
  • User Profile Information
  • Financial Information
  • Authorisations
  • TPP Request Information
  • Transaction Information
  • Device-related Information
  • Fraud Prevention Information
  • General Communication Information
  • Logs of your use of the Open Banking Solutions

Develop new features, technologies, and improvements to the Open Banking Solutions

We have a legitimate interest in developing and improving our Open Banking Solutions (e.g., improve the algorithms and models).

Where required under applicable law, we obtain your prior consent to process your Financial Information and Transaction Information for this purpose.

  • Financial Information
  • TPP Request Information
  • Transaction Information
  • Device-related Information

Generate anonymized and/or aggregated statistics for internal business purposes

This includes analyzing the performance of and improving upon our Open Banking Solutions and preparing insights regarding spending patterns, fraud, and other trends.

We have a legitimate interest in anonymizing Personal Information and analyzing it for internal business purposes.

Where required under applicable law, we obtain your prior consent to process your Financial Information and Transaction Information for this purpose.

  • User Profile Information
  • Financial Information
  • TPP Request Information
  • Transaction Information
  • Device-related Information

Detect, investigate, and prevent possible fraud

This includes tracking and hindering any possible illegal activities and abuse of our Open Banking Solutions. For more information about our fraud and security activities, please refer to the Fraud and Security Notice.

We have a legitimate interest in detecting, investigating, and preventing fraud, such as illegal activities or abuse of our Open Banking Solutions, or we must do so to comply with legal obligations (e.g., under anti-money laundering laws).

  • Device-related Information
  • Fraud Prevention Information
  • General Communication Information
  • Logs of your use of the Open Banking Solutions

To manage our customer and vendor relationships

We have a legitimate interest in managing our customer and vendor relationships as necessary to operate our Open Banking Solutions.

  • Personal and/or Business Contact Information and Credentials

3. How We Share Your Personal Information

We may share Personal Information with the following third parties:

  • Other permitted users, depending on the Open Banking Solution used.
  • Financial institutions, business customers, partners, and service providers acting on our behalf
  • Public authorities
  • Potential transactional partners
  • Mastercard’s headquarters in the U.S., our affiliates, and other entities within Mastercard’s group of companies

We may disclose Personal Information we collect about you to the following third parties, for the purposes described below:

    a. Other permitted users, depending on the Open Banking Solution used

You may allow other users to access and view your Personal Information in the Open Banking Solutions. If you choose to do this, you agree that Mastercard, in order to comply with this agreement with you, may disclose your Personal Information to the person concerned. You can revoke this access at any time in the Open Banking Solutions’ settings.

    b. Financial institutions, business customers, partners and service providers acting on our behalf

We may share the Personal Information we collect with financial institutions, business customers (where you permit us to do so) and partners (such as disclosing Transaction Information to a third-party provider to enable the payment transaction), as well as service providers acting on our behalf, such as hosting and infrastructure providers, and providers of monitoring, security, and IT support services.

    c. Public authorities

We may share the Personal Information we collect with public authorities (i) if we are required to do so by law or legal process, (ii) in response to a request from a court, law enforcement authorities, or government officials, or (iii) when we believe disclosure is necessary or appropriate to prevent physical harm or financial loss, or in connection with an investigation of suspected or actual fraudulent or illegal activity.

    d. Potential transactional partners

We may share the Personal Information we collect with potential transactional partners or other third parties in the event of a sale or transfer of our business or assets.

    e. Mastercard Group

We may share the Personal Information we collect with Mastercard’s headquarters in the U.S., our affiliates and other entities within the Mastercard group of companies, for the purposes described in this Notice. Please see the “Data Transfers” section in the Global Privacy Notice to understand how we comply with applicable cross-border data transfer rules.

4. Your Rights, How To Contact Us, And Additional Information About Our Practices

The entity responsible for the processing of your Personal Information (or data controller) varies depending on the type of Open Banking Solutions that you use and your country.

  • For any Open Banking Solutions other than Aiia branded Open Banking Solutions, the entity responsible for the processing of your Personal Information (or data controller) is Mastercard Europe SA. You may contact our global privacy office at privacyanddataprotection@mastercard.com, or write to us at:

      Europe Data Protection Office
      Mastercard Europe SA
      Chaussée de Tervuren 198A
      B-1410 Waterloo
      Belgium

  • For Aiia branded Open Banking Solutions, the entity responsible for the processing of your Personal Information (or data controller) is Aiia A/S. You may contact our European privacy office at privacyanddataprotection@mastercard.com, or write to us at:

      Aiia A/S
      Att.: Privacy
      Artillerivej 86, st. tv.,
      2300, Copenhagen
      Denmark

You have certain rights and choices regarding the Personal Information we maintain about you. For more information about your rights, or to learn more about how we share, transfer, retain and protect your Personal Information, please read our Global Privacy Notice.

Some of the Open Banking Solutions mentioned above may have their specific privacy notices, such as Spiir. Please consult them for more information. For enquiries about your Mastercard card and your purchase, please contact your financial institution or merchant. More information about how to contact them can be found on their websites.


5. How to Contact Us

You can e-mail us at aiiaprivacy@mastercard.com. You may also submit a request to exercise your rights to your Personal Information by emailing us at aiiaprivacy@mastercard.com or write to us at:

    Europe Data Protection Office
    Mastercard Europe SA
    Chaussée de Tervuren 198A
    B-1410 Waterloo
    Belgium

    Aiia A/S
    Att.: Privacy
    Artillerivej 86, st. tv.,
    2300, Copenhagen
    Denmark