
Online Privacy Notice

Merchant Risk Council, Inc. (“MRC,” “we,” or “us”) wants you to be familiar with how we collect, use and disclose Personal Information.

“Personal Information” is information that identifies you as an individual or relates to an identifiable individual. This Privacy Notice describes our processing practices of Personal Information that we collect and use in connection with:

  • Websites operated by us from which you are accessing this Privacy Notice, including when you engage in our on-demand or live content and webinars (the “Websites”);
  • Software applications made available by us for use on or through mobile devices (the “Apps”);
  • Our social media pages from which you are accessing this Privacy Notice (collectively, our “Social Media Pages”);
  • Email messages that we send to you that link to this Privacy Notice or other communications with you; and
  • Offline business interactions you have with us, including in-person events.

Collectively, we refer to the Websites, Social Media Pages, Apps, emails, and offline business interactions as the “Services.”

 

 

COLLECTION AND PROCESSING OF PERSONAL INFORMATION

How we collect Personal Information

We collect Personal Information in a variety of ways, including through our Services and from other sources, as set out below. We collect this Personal Information from you and from publicly available databases (such as information on public social media pages or your company’s website) and marketing partners, when they share the information with us.

 

Personal Information we receive from you:

Name & Account Details

First and last name, email address (which also serves as a username for your account), account password, phone number, country/state of residence,  job title, company name or organization, and company address.

User Content

Such as content you may create or share on our Websites or Apps.

Preferences

Such as language settings, interests, and other member feedback/preferences that you might express during your use of our Websites, Apps or during an MRC event.

Marketing Information

Such as your choices regarding our newsletters, surveys, and other marketing/advertising displayed or provided to you, and preferred methods of such promotional communication.

Relationship History

Such as details of your communications with us, and details of your claims, complaints and queries in general.

Event Information

Such as details of in-person or virtual events or courses that you have attended (such as feedback, photographs, videos or other forms of media taken at events that could include your name, likeness, voice or other material taken at MRC events, meal preferences and event safety information such as CCTV).

Transaction Information

Items that you have purchased from our online shop, course and certification fees that you have paid, tokenized transaction information  and billing address.

Certification Information

Personal email address, home address, education history, employment history, certification exam attempts and results, date of certification and expiry and any other information that you may provide as part of your application to be certified by MRC as a Certified Payments and Fraud Prevention Professional.


Personal Information we collect through your use of our Websites and Apps or from other sources:

Device Information

Such as information about your devices and your use of our Services. This includes data obtained through cookies and similar technologies, as described in our cookies and similar technologies policy/banner.

We need to collect certain Personal Information in order to provide the requested Services to you.  If you do not provide the information requested, we may not be able to provide the Services. We will note which Personal Information is required to provide the Services at the time of its collection. If you disclose any Personal Information relating to other people to us, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Notice.

 
Processing of Personal Information

We use your Personal Information for the following legitimate business purposes as described in more detail in the table below.

  • Making our Services available to you (e.g., to arrange access to your online account).
  • Events and conferences (e.g., to facilitate in-person conferences).
  • Marketing and member engagement (e.g., to send you marketing communications).
  • Personalization and improving our Services (e.g., to provide you with information tailored to your interests).
  • Security and legal reasons (e.g., fulfilling our legal and compliance-related obligations including complying with applicable laws).
 
Making our Services available to you

Purpose: Providing the functionality of the Services
Examples of Processing Activities: Provide the functionality of the Services to you, such as arranging access to your online account; facilitating your purchases and delivery of purchased products; organizing virtual and in-person events and facilitating member groups, MRC courses and certifications.
Personal Information Categories: Name & Account Details; User Content; Preferences; Relationship History; Event Information; Transaction Information; and Device Information.
Legal Basis: Performance of the contract, including our Online Terms of Service and Membership Terms and Conditions we enter into with you to provide the Services.
Third Party Sources: Publicly available databases.

Purpose: Member care
Examples of Processing Activities: Facilitating and addressing inquiries, requests, comments and complaints about any of our Services (such as in person, through phone lines, email, or on social media), for example, to send you documents or product information you request or assist you in using the Services.
Personal Information Categories: Name & Account Details; User Content; Preferences; Marketing Information; Relationship History; Event Information; Transaction Information; and Device Information.
Legal Basis:
  • Performance of the contract, including our Online Terms of Service and Membership Terms and Conditions we enter into with you to provide the Services.
  • Legitimate interests, such as responding to inquiries or complaints.
  • Legal obligations, such as when you submit a request to access your Personal Information.
Third Party Sources: N/A

Purpose: Communicating important changes / Service messages
Examples of Processing Activities: To send you important information regarding our relationship with you, our Services, any changes to our terms, conditions, policies and procedures, and/or other administrative information.
Personal Information Categories: Name & Account Details; User Content; Preferences; Relationship History; Event Information; and Transaction Information.
Legal Basis:
  • Legitimate interests, such as to ensure our Services are used in accordance with our terms, conditions, and policies.
  • Performance of the contract, including our Online Terms of Service and Membership Terms and Conditions we enter into with you to provide the Services.
  • Legal obligations, such as to inform you of material changes to our Online Terms of Service and Membership Terms and Conditions to comply with applicable consumer and/or data protection laws.
Third Party Sources: N/A

Purpose: Facilitating certifications
Examples of Processing Activities: Verifying the eligibility of an individual to be certified by MRC, administering certification exams and maintaining details of certified professionals.
Personal Information Categories: Name & Account Details; Preferences; Relationship History; Transaction Information; and Certification Information.
Legal Basis:
  • Legitimate interests, such as enforcing our certification standards.
  • Performance of the contract, including facilitating exams that you have requested.
Third Party Sources: N/A

Purpose: Operations and general business
Examples of Processing Activities: Administering our Services (including troubleshooting and diagnostic testing, conducting performance analyses of our systems and Services, testing new system features to evaluate their impact, system and log maintenance, technical support, system debugging, and the hosting of data); employee training and managing work activities and personnel generally; and facilitating mergers, acquisitions and other reorganizations and restructurings of our business (including prospective transactions).
Personal Information Categories: Personal Information as relevant for the specific business operation.
Legal Basis:
  • Legitimate interests, such as responding to customer complaints and concerns.
  • Legal obligations, for example, relating to financial transactions, such as the obligation to maintain books and records.
Third Party Sources: Third party organizations, when they share personal information with us to, for example, facilitate mergers, acquisitions and other reorganization and restructurings of our business.

 
Events and conferences

Purpose: Conferences and other events
Examples of Processing Activities: Facilitate and participate in conferences and events, such as industry events, conferences, regional networking events and webinars.
Personal Information Categories: Name & Account Details; User Content; Preferences; Marketing Information; Relationship History; Event Information; Transaction Information; and Device Information.
Legal Basis:
  • Performance of a contract with you, such as collecting information regarding a planned event in which you participate.
  • Legitimate interests, such as responding to customer complaints or concerns relating to an event.
Third Party Sources: Event management service providers.

 
Marketing and member engagement

Purpose: Marketing
Examples of Processing Activities: Send you promotional information about our Services, products, newsletters, promotions, offers and other news about MRC.
Personal Information Categories: Name & Account Details; User Content; Preferences; Marketing Information; Relationship History; Event Information; Transaction Information; and Device Information.
Legal Basis:
  • Legitimate interests, such as to promote our Services.
  • Consent, for example, where we would like to send you direct SMS and email marketing communications, but do not have an existing relationship with you, we will ask for and rely on your prior opt-in consent.
Third Party Sources:
  • Publicly available databases.
  • Marketing / advertising service providers.
  • Data broker service providers.

Purpose: Relationship building and engagement
Examples of Processing Activities: Facilitate and respond to any reviews, social sharing and posts about our Services.
Personal Information Categories: Name & Account Details; User Content; Preferences; Marketing Information; Relationship History; Event Information; Transaction Information; and Device Information.
Legal Basis: Legitimate interests, such as engaging with individuals who post on our Social Media Pages.
Third Party Sources:
  • Marketing / advertising service providers.
  • Data broker service providers.

 
Personalization and improving our Services

Purpose: Personalizing our Services
Examples of Processing Activities: Personalize our interactions with you and provide you with information tailored to your interests, such as events or courses; and to deliver content via our Services that we believe will be relevant and interesting to you.
Personal Information Categories: Name & Account Details; User Content; Preferences; Marketing Information; Relationship History; Event Information; Transaction Information; and Device Information.
Legal Basis: Legitimate interests, such as providing tailored Services based on past usage and/or preferences, and such tailoring would be based on basic and privacy-non-intrusive segmentation.
Third Party Sources:
  • Publicly available databases.
  • Marketing / advertising service providers.
  • Data broker service providers.

Purpose: Improving and developing our Services
Examples of Processing Activities: Conduct data analysis, for example, monitoring and analyzing usage of Services and using data analytics to improve the efficiency of our Services; develop new Services; consider ways for enhancing, improving, repairing, maintaining or modifying our current Services; identify usage trends, for example, understanding which parts of our Services are of most interest to subscribers and members; determine the effectiveness of our promotional campaigns, so that we can adapt our campaigns to the needs and interests of our subscribers and members; and operate and expand our business activities, for example, understanding which parts of our Services are of most interest to our subscribers and members so we can focus our energies on meeting our subscribers’ and members’ interests.
Personal Information Categories: Name & Account Details; User Content; Preferences; Marketing Information; Relationship History; Event Information; Transaction Information; and Device Information.
Legal Basis:
  • Legitimate interests, such as developing new Services.
  • Consent, such as when we use cookies and similar technologies and the data collected by means of such technologies qualify as Personal Information.
Third Party Sources:
  • Publicly available databases.
  • Marketing / advertising service providers.
  • Data broker service providers.

Purpose: Aggregating and/or anonymizing Personal Information
Examples of Processing Activities: Aggregate and/or anonymize Personal Information so that it will no longer be considered Personal Information.
Personal Information Categories: Personal Information as relevant for the specific business purpose.
Legal Basis: Legitimate interests, such as to generate other data for our use, which we may use and disclose for any purpose, as it no longer identifies you or any other individual.
Third Party Sources: N/A

 
Security and legal reasons

Purpose: Fraud prevention and security
Examples of Processing Activities: Conduct audits, verify that our internal processes function as intended and are compliant with legal, regulatory or contractual requirements; monitor for and prevent fraud; and security purposes, including system security and on-site security of our premises.
Personal Information Categories: Name & Account Details; User Content; Preferences; Marketing Information; Relationship History; Event Information; Transaction Information; and Device Information.
Legal Basis:
  • Legal obligations, such as to detect and prevent cyberattacks.
  • Legitimate interests, such as identifying and/or preventing fraudulent transactions.
Third Party Sources: N/A

Purpose: Legal and compliance
Examples of Processing Activities:
  • Fulfil our legal and compliance-related obligations including complying with applicable laws; complying with legal processes; responding to requests from public and government authorities; meeting national security or law enforcement requirements.
  • Enforcing our terms and conditions; protecting our operations; protecting the rights, privacy, or property of MRC; and allowing us to pursue available legal remedies, defend claims and limit the damages that MRC may sustain.
Personal Information Categories: Personal Information as relevant for the specific legal action, regulatory investigation, and/or legal processes in question, which may include: Name & Account Details; User Content; Preferences; Marketing Information; Relationship History; Event Information; Transaction Information; and Device Information.
Legal Basis:
  • Legal obligations, such as complying with legal processes.
  • Legitimate interests, such as enforcing terms and conditions to protect trademarks and bringing or defending legal claims.
Third Party Sources:
  • Public and/or government and/or regulatory authorities, including courts, tribunals, regulators and government authorities.
  • Third persons (legal or natural), as relevant for the specific legal action and/or processes in question (such as lawyers, auditors, insurers, advisory firms etc.).

Purpose: Emergency and incident response
Examples of Processing Activities: Ensuring the safety of on-site personnel and visitors; responding to, handling and documenting on-site accidents and medical and other emergencies; actively monitoring properties to ensure adequate incident prevention, response and documentation (including CCTV); requesting assistance from emergency services; and sending notifications and alerts in the event of incidents or emergencies (such as via SMS, email, call, audio-visual device prompts, etc.).
Personal Information Categories: Name & Account Details; Event Information.
Legal Basis:
  • Legal obligations, for example, relating to health and safety regulations and documenting on-site accidents.
  • Legitimate interests, such as monitoring properties through CCTV to ensure individuals’ safety.
  • Protect individuals’ vital interests, such as contacting medical or emergency services where an individual’s life is at risk.
Third Party Sources: N/A

 

 

DISCLOSURE OF PERSONAL INFORMATION

We disclose Personal Information:

  • To our third-party service providers, to facilitate services they provide to us.
    • These can include providers of services such as website hosting, data analysis, payment processing, fraud prevention, information technology and related infrastructure provision, email delivery, auditing, and other services.
  • To our partners and sponsors.
    • We will share Personal Information with our partners and sponsors who support MRC’s activities. You may opt-out of our sharing of your Personal Information for these purposes in accordance with the “Contacting Us” section below.
  • To your employer.
    • For example, if your employer is an MRC member, we will share your name, email address, title, Event Information and account activity with your employer.
  • By using the Services, you may elect to disclose Personal Information.
    • During in-person or virtual events hosted by MRC, and other services to which you are able to post information and content (including, without limitation, our Social Media Pages). Please note that any information you post or disclose through these services will become public and may be available to other individuals and the general public.
 
Other Uses and Disclosures

We also use and disclose your Personal Information as necessary or appropriate, in particular when we have a legal obligation or legitimate interest to do so:

  • To comply with applicable law and regulations.
    • This may include laws outside your country of residence.
  • To cooperate with public and government authorities.
    • To respond to a request or to provide information we believe is necessary or appropriate.
    • These can include authorities outside your country of residence.
  • To cooperate with law enforcement.
    • For example, when we respond to law enforcement requests and orders or provide information we believe is important.
  • For other legal reasons.
    • To enforce our terms and conditions; and
    • To protect our rights, privacy, safety or property, and/or that of our affiliates, you or others.
  • In connection with a business transaction.
    • We have a legitimate interest in disclosing or transferring your Personal Information to a third party in the event of any reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any portion of our business, or assets (including in connection with any bankruptcy or similar proceedings).

 

 

COOKIES AND SIMILAR TECHNOLOGIES

We may collect personal information through the use of cookies and similar technologies. Please see our cookies and similar technologies page for more information.

 

 

SECURITY

We seek to use reasonable organizational, technical and administrative measures to protect Personal Information within our organization. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Contacting Us” section below.

 

 

CHOICES AND INDIVIDUALS' RIGHTS

Your choices regarding our use and disclosure of your Personal Information

We give you choices regarding our use and disclosure of your Personal Information for marketing purposes. You may opt out from:

  1. Receiving marketing-related emails from us. If you no longer want to receive marketing-related emails from us on a going-forward basis, you may opt out in accordance with the “Contacting Us” section below.
  2. Our sharing of your Personal Information with our partners and sponsors for their direct marketing purposes. If you would prefer that we discontinue sharing your Personal Information on a going-forward basis with our partners and sponsors for their direct marketing purposes, you may opt out of this sharing in accordance with the “Contacting Us” section below.

We will try to comply with your request(s) as soon as reasonably practicable.  Please note that if you opt out of receiving marketing from us, we may still send you important administrative messages, from which you cannot opt out.

 
How you can exercise your rights

If you would like to request to access, correct, update, suppress, restrict, or delete Personal Information, object to or opt out of the processing of Personal Information, withdraw your consent (which will not affect the lawfulness of processing prior to the withdrawal), or if you would like to request to receive a copy of your Personal Information for purposes of transmitting it to another company (to the extent these rights are provided to you by applicable law), you may contact us in accordance with the “Contacting Us” section below. We will respond to your request consistent with applicable law. Subscribers can view and edit Personal Information in the MRC Member Portal at: https://mrc1.my.site.com/portal.

In your request, please make clear what Personal Information you would like to have changed or whether you would like to have your Personal Information suppressed from our database.  For your protection, we may only implement requests with respect to the Personal Information associated with the particular email address that you use to send us your request, and we may need to verify your identity before implementing your request.  We will try to comply with your request as soon as reasonably practicable.

Please note that we may need to retain certain information for recordkeeping purposes and/or to complete any transactions that you began prior to requesting a change or deletion (e.g., when you make a purchase or enter a promotion, you may not be able to change or delete the Personal Information provided until after the completion of such purchase or promotion).

You may lodge a complaint with a data protection authority for your country or region where you have your habitual residence or place of work or where an alleged infringement of applicable data protection law occurs. A list of data protection authorities for the EEA is available here, the contact details for the Swiss Federal Data Protection and Information Commissioner are available here and the UK Information Commissioner’s Office contact details are available here.

 

 

RETENTION PERIOD

We will retain your Personal Information for the period necessary to fulfill the purposes outlined in this Privacy Notice unless a longer retention period is required or permitted by law, for example, for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements.

The criteria used to determine our retention periods include (i) the length of time we have an ongoing relationship with you and provide the Services to you (for example, for as long as you have an account with us or keep using the Services); (ii) whether there is a legal obligation to which we are subject (for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or (iii) whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations, litigation or regulatory investigations).

Where a legal obligation arises or retention is advisable in light of our legal position, in some circumstances, we will retain certain Personal Information, even after your account has been deleted and/or we no longer provide the Services to you; for example:

  • To cooperate with law enforcement or public, regulatory and government authorities: If we receive a preservation order or search warrant related to your Services account, we will preserve Personal Information subject to such order or warrant after you delete your Services account.
  • To comply with legal provisions on tax and accounting: We may retain your Personal Information, such as Transaction Information, for up to 7 years after you delete your Services account, as required by tax law and to comply with bookkeeping requirements.
  • To pursue or defend a legal action: We may retain relevant Personal Information in the event of a legal claim or complaint, including regulatory investigations or legal proceedings about a claim related to your Personal Information, or if we reasonably believe there is a prospect of litigation (whether in respect of our relationship with you or otherwise) for up to 7 years after the dispute has been settled or decided by a court or tribunal from which there is no further right of appeal.

 

 

THIRD PARTY SERVICES

This Privacy Notice does not address, and we are not responsible for, the privacy, information, or other practices of any third parties, including any third party operating any website or service to which the Services link.  The inclusion of a link on the Services does not imply endorsement of the linked site or service by us or by our affiliates.

The Services may provide functionality allowing you to make payments to MRC using third-party payment services with which you have created your own account.  When you use such a service to make a payment to us, your Personal Information will be collected by such third party and not by us, and will be subject to the third party’s privacy notice, rather than this Privacy Notice.  We have no control over, and are not responsible for, this third party’s collection, use, and disclosure of your Personal Information.

In addition, we are not responsible for the information collection, use, disclosure, or security policies or practices of other organizations, such as Facebook, Apple, Google, Microsoft, RIM, or any other app developer, app provider, social media platform provider, operating system provider, wireless service provider, or device manufacturer, including with respect to any Personal Information you disclose to other organizations through or in connection with the Apps or our Social Media Pages.

 

 

USE OF SERVICES BY MINORS

The Services are not directed to individuals under the age of 18 and we do not knowingly collect Personal Information from individuals under 18.

 

 

JURISDICTION AND CROSS-BORDER TRANSFER

Your Personal Information may be stored and processed in the United States or other countries where we have operations or in which we engage service providers, and by using the Services you understand that your Personal Information will be transferred to countries outside of your country of residence, including the United States, which may have data protection rules that are different from those of your country.

Where this will involve transferring your Personal Information outside the UK, EEA and/or Switzerland, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

Adequacy Decisions: Some countries are recognized under the UK government, the European Commission or the Swiss Federal Data Protection and Information Commissioner as providing an adequate level of data protection (the full list of countries recognized by the European Commission is available here).

Standard Contractual Clauses: For transfers of Personal Information subject to UK, EEA or Swiss law which are not considered adequate under the Swiss Federal Data Protection and Information Commissioner, UK government and/or by the European Commission, we have put in place standard contractual clauses adopted under the UK government and/or by the European Commission to protect your Personal Information. You may obtain a copy of these measures by contacting us in accordance with the “Contacting Us” section below.

Where we cannot rely on standard contractual clauses for the transfer that we need to carry out, we will rely on an exemption to carry out the transfer when permitted by applicable law.

 

 

SENSITIVE INFORMATION

Unless we request it, we ask that you not send us, and you not disclose, any sensitive Personal Information (e.g., social security numbers, information related to racial or ethnic origin, political opinions, religion or other beliefs, health, biometrics or genetic characteristics, criminal background, or trade union membership) on or through the Services or otherwise to us.

 

 

CONTACTING US

If you have any questions about this Privacy Notice, please contact us at:

  • Email: privacy@merchantriskcouncil.org
  • Phone: (206) 364-2789
  • Mail: Merchant Risk Council, Inc., 8201 164th Ave NE #200 PMB #50, Redmond, WA 98052, USA

Because email communications are not always secure, please do not include credit card or other sensitive information in your emails to us.

 

 

UPDATES TO THIS PRIVACY NOTICE

The “Last Updated” legend at the bottom of this Privacy Notice indicates when this Privacy Notice was last revised.  Any changes will become effective when we post the revised Privacy Notice on the Services.

LAST UPDATED: 1 October 2024