Marqeta Website Privacy Policy

Marqeta, Inc. (“Marqeta”, “we”, “our”, or “us”) is committed to protecting the privacy of individuals who use our website. Our company telephone number is 510-241-2132 and our registered office is located at 180 Grand Avenue, 6th Floor, Oakland, California 94612, USA. This Privacy Policy describes how we collect, use, and share the personal information that you provide to us or that we collect about you when you access and use our website at Marqeta.com (the “website”) and how you can protect your privacy rights.

This Privacy Policy was last updated on January 23, 2019.

What this Policy contains

This Privacy Policy describes the following important topics related to your information:

• Collection of Personal Information;
• Sharing of Personal Information;
• Legal Basis for Processing Personal Information (EEA visitors/users only);
• Cookies and Similar Tracking Technology;
• Children’s Privacy;
• Security;
• International Data Transfers;
• Data Retention;
• Your Data Protection Rights – Access and Limiting Use and Disclosure;
• Third-party Websites;
• Further Questions and How to Make an Inquiry.

Collection of Personal Information

Information submitted by you

We collect personal information from visitors to the website through the use of online forms or when you correspond with us via email or other means of communication.

When you visit the website, we or our service providers will collect certain information about your location, computer, or device through your web browser and technology such as cookies, web beacons, or other tracking/recording tools. Specifically, the information we collect automatically includes details like your IP address, device type, unique device identification numbers, browser type, broad geographic location (i.e., country- or city-level location), page views, time on page, “click stream” data, pointer location data, and other technical information. We also collect information about how your device has interacted with our website and products, including the pages and products accessed and links clicked. In some countries, including in the European Economic Area (EEA), this information is considered personal information under applicable data protection laws.
Collecting this information enables us to better understand the visitors who come to our website and the users of our products and services, including where they come from and what content on our website, products, and services is of interest to them. We use this information:

• To improve the quality and relevance to users, of our website, products, and services;
• To develop and update our website, products, and services;
• For customer service purposes, for instance, reviewing our customers’ training needs regarding the use of our products;
• To send you tailored information on our products and services that we believe may be of interest or value to you, and also marketing and promotional messages with your consent if and when required by applicable law. You have the right to object to our monitoring of your use of our website, and how you engage with our services for these purposes. For more information on how to exercise your right to object, see the heading  “Your Data Protection Rights – Access and Limiting Use and Disclosure” below.

Some of this information may be collected using cookies and similar tracking technology, as explained under the heading “Cookies and Similar Tracking Technology”.

Information we obtain from third-party sources

From time to time, we may receive personal information about you from third-party sources, but only when we have verified that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.

The types of information we collect from other third parties include details about your organization (place of employment): company HQ, company addresses, industries, website technologies used, social media followers, stock ticker, number of employees, number of offices, company status (public or privately held), and funding raised. We may also collect personally identifiable information about you in respect to your place of employment: name, job title, work email address, phone number, social media networks, and work address. For example, we collect personal information from marketing vendors, social media sources, third-party conferences, and other sources to the extent permitted by applicable law. We use the information we receive from these third parties to market our products and services across our departments to you, to supplement personal information we have for purposes such as maintaining and correcting our records, adding supplemental data fields, and similar reasons to enhance the delivery of our products and services to you.

In general, we will use the personal information we collect from you or from third-party sources only for the purposes described in this Privacy Policy or for purposes that we explain to you at the time we collect your personal information.

Sharing of Personal Information

We may disclose your personal information to the following categories of recipients:

• Our group companies, third-party service providers, product content providers, and partners;
• Competent law enforcement bodies, regulators, government agencies, courts, or other appropriately empowered third party government entities;
• Any other person with your consent to the disclosure.

Learn More Below

Our group companies

We provide personal information to group companies such as Marqeta UK Limited who process personal information for purposes in line with those described in this Privacy Policy or notified to you when we collect your personal information. We do not sell your usage data to third parties for the purposes of them marketing third-party products or services to you.

Third-party service providers
We provide personal information to third-party service providers (such as IT service providers) who provide data-processing services to us.

Marqeta will take measures to obtain assurances from third-party service providers who process personal information on Marqeta’s behalf that they will process such information in a manner consistent with Marqeta policies and Privacy Shield Principles. For more information about Marqeta’s compliance with the EU-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce, see the heading “International Data Transfers” below. Marqeta remains responsible under the Privacy Shield Principles if third-party service providers who Marqeta engages to process personal information on its behalf do so in a manner inconsistent with the Privacy Shield Principles, except where Marqeta is not responsible for the event giving rise to the damage. Marqeta will take measures to only disclose personal information that is necessary for the third parties to provide the agreed-upon services to Marqeta. Where Marqeta has knowledge that a third-party business partner is using or disclosing personal information in a manner contrary to Marqeta’s Privacy Policy or Privacy Shield Principles, Marqeta will take reasonable steps to prevent or stop the use or disclosure.

We provide personal information to any competent law enforcement body, regulators, government agencies, courts, or other appropriately empowered third party government entities where we believe disclosure is necessary (i) as a matter of applicable law or regulation, including to meet national security or law enforcement requirements, (ii) to exercise, establish, or defend our legal rights, or (iii) to protect your vital interests or those of any other person with your consent to the disclosure.

Legal Basis for Processing Personal Information (EEA Visitors / Users Only)

We consider that the legal bases for using your personal information, as set out in this Privacy Policy, are as follows:

• Our use of your personal information is necessary to perform our obligations under any contract with you (for example, to fulfill an order which you place with us or to comply with the terms of use of our website which you accept by browsing our website); or
• Our use of your personal information is necessary for complying with our legal obligations (for example, for sanction checks); or
• Where neither of the legal bases above apply, use of your personal information is necessary for our legitimate interests or the legitimate interests of others (for example, to ensure the security of our website). Our legitimate interests are to (i) run, grow, and develop our business, (ii) reply to your inquiries, (iii) operate our website, (iv) improve our products and services, (v) carry out marketing, market research, and business development; and (vi) for internal group administrative purposes.

Learn More Below
If we ask you to provide personal information to comply with a legal requirement or to perform a contract with you, we will make this clear at the relevant time and advise you whether the provision of your personal information is mandatory or not (as well as of the possible consequences if you do not provide your personal information).

Similarly, if we collect and use your personal information in reliance on our legitimate interests (or those of any third party), we will undertake a balancing test to ensure that our (or the other person’s) legitimate interests are not outweighed by your interests or fundamental rights and freedoms which require protection of the personal information. You can ask us for further details about this balancing test by using the contact details in this Privacy Policy.

Where we send you communications regarding our products or services from our different departments and affiliates that may be of interest to you, we do so based on your consent, if and when required by applicable law.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us via e-mail at privacy@marqeta.com or by using the other contact details provided in this Privacy Policy.

Children’s Privacy

You must be aged 13 or over to purchase products or services from us. Our website and services are not directed at children and we do not knowingly collect any personal information from children.

If you are a child and we learn that we have inadvertently obtained personal information from you from our website, or from any other source, then we will delete that information as soon as possible.

Please contact us at privacy@marqeta.com if you are aware that we may have inadvertently collected personal information from a child.

Security 

We use appropriate technical and organizational measures to protect the personal information that we collect and process about you. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information.

Marqeta is Level 1 PCI-DSS Certified, which means that we receive the highest level of scrutiny due to the volume of transactions that we process. The PCI-DSS Security Standard is mandated by the card brands and administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around card holder data to reduce credit card fraud. Validation of this compliance is performed annually by an external Qualified Security Assessor (QSA) that creates a Report on Compliance for our organization.

An example of the PCI Standards that we apply is to encrypt card holder data both in transit and at rest. Physical access controls to premises, least-privileged access principles, staff training, anti-virus software, application and hardware firewalls, system hardening, and many other security mechanisms are in place to mitigate the risk of unauthorized access and/or data leakage.

International Data Transfers

Your personal information may be transferred to, and processed in, countries other than the country in which you are a resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Specifically, our servers are located in the USA, which may be located outside of the jurisdiction where we collected the data. This means that when we collect your personal information, we may transfer it to or process it in the USA.

Marqeta complies with the EU-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the USA. Marqeta has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Privacy Policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

Our group companies, third-party service providers, product content providers, and partners (with whom we may share personal information as described above) are located in and transfer personal information to various jurisdictions around the world.

If we provide any personal information about you to any such non-EEA members of our group or suppliers such as those based in the USA, we will take appropriate measures to ensure that the recipient protects your personal information adequately in accordance with this Privacy Policy. These measures will include the following, pursuant to Articles 45 and 46 of the General Data Protection Regulation:

• In the case of U.S.-based entities, entering into European Commission approved standard contractual arrangements with them, or ensuring they have enrolled in the EU-U.S. Privacy Shield (see further https://www.privacyshield.gov/welcome); or
• In the case of entities based in other countries outside the EEA, entering into European Commission approved standard contractual arrangements with them.

Further details on the steps we take to protect your personal information in these cases is available from us on request by contacting us at privacy@marqeta.com at any time.

Data Retention 

We retain personal information we collect from you where we are legally required to do so, or we have an ongoing legitimate business need to do so (for example, to provide you with a product or service you have requested, as set forth in our Information Governance Procedures, or to comply with applicable legal, tax, or accounting requirements).

When we have no ongoing legal requirement or legitimate business need to process your personal information, we follow our Information Governance Procedures and either delete or anonymize your personal information; if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

If you wish to receive further information about the period of time for which we will process your personal information, please contact privacy@marqeta.com

Your Data Protection Rights – Access and Limiting Use and Disclosure

Your rights include the right to access, correct, update or request deletion of your personal information. You also have the right to withdraw any consent you have provided to us in respect of our use of your personal information. You have the following data protection rights:

• To ask us to access, correct, update, restrict use of, or request deletion of your personal information;
• To object to the processing of your personal information, to ask us to restrict processing of your personal information, or to request portability of your personal information;
• To ask us to opt-out of marketing communications we send you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing messages we send you;
• If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent; and
• To complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.

We will consider all such requests and provide our response within a reasonable period (i.e., within one month of your request unless we tell you we are entitled to a longer period under applicable law). Please note, however, that certain personal information may be exempt from such requests in certain circumstances, for example if we need to keep using the information to comply with our own legal obligations or to establish, exercise, or defend legal claims.

Third-Party Wesbites 

The website may provide links to (or links from) third-party websites, none of which are governed by this Privacy Policy. Marqeta is not responsible for those websites’ content or information practices. We strongly encourage you to review the privacy policies of any site or service before providing any personal information.

Further Questions and How to Make an Inquiry

In compliance with the Privacy Shield Principles, Marqeta commits to resolve inquiries about our collection or use of your personal information.

If you have any inquiries about our collection, use, or storage of your personal information, or if you wish to exercise any of your rights in relation to your personal information, please send us an email at privacy@marqeta.com. We will investigate and attempt to resolve any such inquiries or dispute regarding the use or disclosure of your personal information.

EU individuals with inquiries regarding our collection or use of their personal information or our compliance with the Privacy Shield Principles should first contact Marqeta at privacy@marqeta.com. Marqeta has further committed to cooperate with the panel established by the EU data protection authorities with regard to unresolved Privacy Shield inquiries concerning data transferred from the EU. EU individuals may also make an inquiry to the Information Commissioner’s Office in the UK, or the data protection regulator in the country where they usually live or work, or where an alleged infringement of the General Data Protection Regulation has taken place. Alternatively, they may seek a remedy through the relevant European courts if they believe their rights have been breached.

Marqeta is subject to the investigatory and enforcement powers of the United States Federal Trade Commission.

An individual may invoke binding arbitration, at his or her own cost, subject to the procedures set forth in the Privacy Shield Framework.

As in relation to GDPR, Residents of the European Economic Area (EEA), the UK and Switzerland. The entity responsible for the collection and processing of Personal Data for residents of the EEA, the UK and Switzerland is Marqeta, Inc., a company incorporated in the United States of America and with an office at 180 Grand Avenue, 6 th Floor, Oakland, California. To exercise your rights, you may contact via GDPRDSrequest@marqeta.com.

Lastly, for California residents. If you are a California resident, then, subject to certain limits under California law, you may ask us to provide you with (i) a list of certain categories of Personal Data we have disclosed to third parties for their direct marketing purposes during the immediately preceding calendar year; and (ii) the identity of those third parties. To make this request, California residents may contact us at CCPArequest@marqeta.com.