Marqeta Services Privacy Notice

Marqeta, Inc. and its affiliates, Marqeta UK LTD,  Marqeta Australia Pty Ltd, and Marqeta Singapore Pte. Ltd., (collectively, “Marqeta”, “we”, “our”, or “us”) are committed to protecting consumers’ personal information and privacy rights. This Privacy Notice (or “Notice”) describes how we collect, use, and share personal information in connection with the products and services we provide to our business customers (“Services”). An overview of Marqeta’s Services is available here. 

This Privacy Notice applies only to information we handle in connection with the provision of Marqeta Services. It does not apply to any Marqeta websites, tools or platforms that display or reference a different privacy notice. For example, if you browse or interact with us via the Marqeta.com website, any personal information collected will be handled in accordance with our Website Privacy Notice and not this Notice. 

Please also note that when Marqeta processes your information solely on behalf of and at the direction of other companies to whom we provide our Services (e.g., when we act as a ‘data processor’), your personal information will be handled in accordance with our agreements with such other companies. In some cases, agreements with our customers may place additional limits on what we can or cannot do with the personal information we collect or receive when we provide Services to them, and we may not be permitted to use and share information in all of the ways described in this Privacy Notice. Marqeta is not responsible for its customers’ data handling practices.

Table of Contents:

• Personal Information We Collect

• How We Use Your Personal Information

• Information Sharing and Disclosure

• Bases for Processing Personal Information

• Information Protection

• Information Retention

• Your Rights and Choices

• Supplemental Notices

• Changes to this Privacy Notice

• Contact Us

Below we describe the categories of personal information Marqeta may collect depending on the context of our interaction(s) with you. These categories include information you provide directly to us, information created or collected during your use of the Services, inferences we make about you when you communicate with us or use the Services, and information we obtain from other sources, such as third-party service providers and public databases.

Claim or Dispute Information: Information you provide when you correspond with us about a claim or dispute, such as your contact information or transactional information.

Communications Information:  Information you provide when you communicate with us, including by phone, virtual chat, email, “contact us” forms, or social media.  This may include your contact information, feedback, photographs or recordings, and language preference.

Contact Information: Personal and business contact information, such as your name, telephone number, job title, email address, and office or home address.

Credit and Debit Card Information: Information associated with your credit or debit card, such as your primary account number, cardholder name, expiration date and service code, as well as information pertaining to the transactions you make using the credit or debit card.

Device Information: Information collected automatically about your computer or device through your web browser and other technologies, including cookies, web beacons, or other tracking/recording tools, such as your IP address, device type, unique device identification numbers, or browser type.

Identity Verification Information: Information about you and your business, including personal information about your business’ control persons and beneficial owners, such as name, job title, birthdate, gender, nationality, and government identifiers or other information used to verify such individuals’ identification.

Inferences: Information about your preferences and interests that we infer from your personal information and use of our Services, such as the topics you would like to learn more about and card usage habits.

Location Information: Information about your geographic location (typically country or city-level), which may be inferred from your Device Information (e.g., from your IP address).

Publicly Available Information: Information obtained from public sources and databases, such as your current place of employment.

User credentials: Information you provide to us when you create a user log-in or profile in connection with the use of our Services, such as a user ID, email address, name, password, authentication information, and profile information.

We may collect some of the personal information described above from third parties, including our customers, identity verification providers, social media services, data brokers and aggregators, and other sources, as permitted by applicable law. We may also obtain information from companies with whom we offer co-branded services or engage in joint marketing activities.

We use the personal information we collect for the purposes described in this Notice or as otherwise disclosed to you in a supplemental notice. In particular, we may use any of the above categories of information to:

• Provide the Services, including to issue credit and debit cards, facilitate payments transactions, provide risk monitoring services, and manage compliance with card network rules and applicable regulations

• Verify your identity

• Identify and protect against fraudulent transactions

• Maintain, improve and enhance our Services

• Analyze and better understand the use of our Services, including consumer spending patterns and trends

• Respond to correspondence and inquiries

• Provide cardholder support and customer service

• Monitor and enforce compliance with our policies, applicable laws and regulations, and contractual terms

We may disclose your personal information to the following categories of recipients:

• Customers: We may provide your personal information to our customers in order to provide our Services and fulfill transactions or requests you initiate.

• Affiliates: We may provide your personal information to our global affiliates. We share information with our affiliates so they can help us deliver our Services. 

• Third-Party Service Providers: We may provide your personal information to our third-party service providers (such as IT service providers, communications providers, customer support providers, and identity verification providers) who perform certain functions for us in connection with the Services and process personal information on our behalf.

• Parties in a Corporate Transaction or Proceeding: We may share personal information with actual or prospective parties to an actual or potential corporate transaction or proceeding, including their representatives and other relevant participants in or during negotiations of any sale, merger, acquisition, restructuring, bankruptcy, dissolution, or a change in control, divestiture, or sale involving all or a portion of Marqeta’s business or assets.

We may also use, transfer, disclose, or preserve personal information when we believe that doing so is necessary to:

• Comply with applicable law or respond to valid legal process, including from law enforcement, supervisory or regulatory authorities, or other government agencies.

• Protect our customers and others, for example to prevent attempts to commit fraud or to help prevent the loss of life or serious injury to anyone.

• Operate and maintain the security of our Services, including to prevent or stop an attack on our computer systems or networks.

• Protect our and others’ rights and property, including by enforcing our agreements, terms of service, and policies.

In each case, we will take reasonable steps to ensure that your personal information is used and protected as described in this Notice. For information about the safeguarding measures we implement, please see the Information Protection section below.

We do not sell your personal information to third parties for their own commercial purposes.

Applicable law in certain jurisdictions requires us to set out in this Privacy Notice the legal bases we rely upon when we collect and process personal information as a ‘data controller’ (i.e., when information is collected or processed for our own purposes). When we collect and process personal information on behalf of our customers or other parties (for example, when we process information solely to provide a service to a customer), we are typically acting as a ‘data processor’ or ‘service provider’ as defined in applicable laws and rely on our customer’s legal basis for processing.

As a data controller, we rely on different lawful bases for collecting and processing personal information about you in different circumstances, for example:

• Consent. We may process your personal information where we have received your explicit consent to do so.

• Legal Obligations. We may process your personal information as necessary to comply with our legal obligations (for example, to conduct sanction checks or respond to valid legal process).

• Legitimate Interests. Where another lawful basis does not apply, we may process your personal information where necessary to achieve our legitimate interests or the legitimate interests of others (for example, to respond to inquiries or provide support, to operate and develop our business, to protect against fraud, or to ensure the security of our Services). When we rely on this basis, we undertake a balancing test to ensure that our legitimate interests are not outweighed by your interests and fundamental rights.

If we have relied upon your consent as the basis for our processing, you can request to withdraw or partially revoke your consent at any time by contacting us at privacy@marqeta.com or by following the instructions for revoking consent contained within communications we send you. We honor such requests as required by applicable laws. 

If you have questions about or need further information concerning the legal basis we rely on to process your personal information, please contact us via email at: privacy@marqeta.com.

We use reasonable and appropriate technical and organizational security measures to protect the personal information that we collect and process. It is our policy and practice to comply with applicable data protection and privacy laws wherever we do business. In the event an applicable data protection or privacy law requires any action or imposes any standard more stringent than this Notice, the requirements of that law shall apply and take precedence over the terms of this Notice.

Marqeta operates globally and your personal information may be transferred to and processed in countries other than the country in which you are a resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective). We take steps designed to ensure that the personal information we handle is processed and protected according to the provisions of this Notice wherever the information is located.

Residents of the European Economic Area, UK, and Switzerland should note that we may transfer personal information from these jurisdictions to countries which have not been determined by your local authorities to have an adequate level of data protection. When we do so, we use a variety of mechanisms, including standard data transfer agreements, to help ensure your rights and personal information protection. To learn more about the European Commission’s decisions on the adequacy of personal information protections, please visit Adequacy Decisions.

You may obtain further details about how we protect your personal information by contacting us at: privacy@marqeta.com.

We retain personal information for as long as necessary to provide the Services and fulfill the transactions you have requested, comply with our legal obligations (including our contractual commitments to our customers), resolve disputes, enforce our agreements, and undertake other legitimate and lawful business purposes. Because these needs can vary for different types of information and the different products and services we provide, actual retention periods can vary. If you wish to receive further information about the period of time for which we retain your personal information, please contact privacy@marqeta.com. 

Depending on your state or country of residence, you may have some or all of the following rights:

• Right of access. You may have the right to request copies of the personal information that we hold about you and to receive additional information from us about how your information is used.

• Right of erasure. In certain circumstances, you may have the right to require us (or any parties with whom we have shared your information) to delete the personal information that we hold about you (for example, if it is no longer necessary for the purposes for which it was originally collected or to comply with applicable law). 

• Right to object to or opt-out of processing. You may have the right to request that Marqeta stop processing your personal information or that we restrict processing of your personal information in certain circumstances. For example, if you receive marketing email communications from us, you can update your preferences by using the “Unsubscribe” link found in those emails.

• Right of portability. You may have a right to obtain and reuse your personal information for your own purposes or across different services, including so that you can provide or port that information to another provider.

• Right to correction. You may have the right to require us to correct any inaccurate or incomplete personal information.

• Right to lodge a complaint. You may have the right to complain to your local Data Protection Authority about our collection and use of your personal information. If you reside in the EU, you can find information about your local Data Protection Authority by visiting: EU National Data Protection Authorities.

Please refer to the Contact Us section below to contact us if you would like to exercise any of your rights. Marqeta does not discriminate against individuals who exercise their rights under applicable laws and regulations.

When contacting us about a rights request, please identify yourself and describe your request in sufficient detail to enable us to properly understand, evaluate, and respond to it. We will consider all requests and provide our response within a reasonable period in accordance with applicable laws. Please note that we cannot respond to your request or provide you with personal information if we cannot verify your identity or your authority to make the request or confirm the personal information we hold relates to you. To verify your identity, we will seek to match the information you provide when you submit your request to any personal information we already maintain, and we may ask you to provide additional verification information in order to assist you with your request. 

In some jurisdictions, you may designate, in writing or through a power of attorney, an authorized agent to exercise these rights on your behalf. Before accepting such a request from an agent, we will require the agent to provide proof that you have authorized them to act on your behalf. Please note, we may deny a request from your authorized agent if they do not submit proof that they have been authorized by you to act on your behalf. We may also require you to verify your identity directly with us. 

If we are processing your personal information on behalf of one of our customers, we may redirect your request to our customer for handling. We may also decline to process certain requests, including requests that are unreasonably repetitive or systematic, require disproportionate effort, jeopardize the privacy of others, or conflict with our legal obligations. If we decline your request, we will notify you of the reason for declining. In some jurisdictions, you may have the right to appeal a denial of a rights request. 

In connection with the provision of certain Services, we may provide you with supplemental privacy notices. These supplemental notices describe our data collection, use, and sharing practices for specific activities in more detail, and in some cases may differ from the terms of this Notice. In the event of any conflict with this Notice, supplemental notices will govern the specific activities to which they apply, unless we state otherwise in the supplemental notice.

Changes to this Notice may be made periodically to reflect changes to our information handling practices or relevant laws. If the changes we make are material, we will provide you with prior notice and/or obtain consent regarding such changes in accordance with applicable laws. If the changes we make are not material, this Notice will be updated by posting an updated version on our website. You can tell when this Notice was last updated by looking at the date at the top of the Notice.