Privacy Policy

Overview
Information We Collect Through Our Website
Links to External Websites
Information Our Financial Institutions Share
Opting Out of a Cardlytics Program
Social Media Postings
Data Security
Additional State Privacy Rights
California Residents’ Additional Privacy Rights
Colorado Residents’ Additional Privacy Rights
Connecticut Residents’ Additional Privacy Rights
Montana Residents’ Additional Privacy Rights
Oregon Residents’ Additional Privacy Rights
Texas Residents’ Additional Privacy Rights
Utah Residents’ Additional Privacy Rights
Virginia Residents’ Additional Privacy Rights
GDPR
Modern Slavery Policy
Changes to Cardlytics Privacy Policies
Contact Us
Anti-Corruption Hotline

Privacy Overview

Thank you for choosing to learn more about the privacy policies of Cardlytics, Inc. (“Cardlytics,” “we,” “us,” “our”).

This privacy policy (“Privacy Policy”) explains how we may collect, store, use, and disclose information when you access or use: (1) www.Cardlytics.com and all of our other websites to which this Privacy Policy is posted (collectively, the “Website”) or (2) any services, content, and features offered by us (the “Services”).

Our corporate affiliates have their own privacy policies that apply to data they collect from the products, services, and applications they provide. Any data collected pursuant to this Policy that is disclosed to our affiliates will still be treated consistently with this Policy.

YOUR ACCEPTANCE OF THIS PRIVACY POLICY

By accessing or using the Services or the Website, you consent to our collection, storage, use, and disclosure of your information as described in this Privacy Policy. The provisions contained in this Privacy Policy supersede all prior notices and statements regarding our privacy practices with respect to the Website or the Services. If you do not agree to every provision of this Privacy Policy, you may not access or use the Website or the Services.

Through the links on this page, you can learn more about the privacy policies related to information that Cardlytics collects directly as well as information that our financial institution clients collect.

Information We Collect Through Our Website

Through our Website, we collect information you choose to provide us, as well as information that is automatically collected in order to enhance our website, our products, and our services. Through our Website, we may collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household (“Personal Information”), and we may also collect information that cannot reasonably be linked to you (“Anonymous Information”). When Anonymous Information is, directly or indirectly, associated or combined with Personal Information, such Anonymous Information will be considered Personal Information for purposes of this Privacy Policy. Our website is hosted in the United States and is not directed towards individuals under the age of sixteen (16). Cardlytics does not knowingly or intentionally collect Personal Information from individuals under sixteen (16) years of age.

A) Information You Choose To Provide Us Through Our Website

Cardlytics offers visitors to our website the opportunity to reach out to us in various ways, including the opportunity to contact us with questions or comments, or to request information from us about our business. In connection with these opportunities, you may provide – and we will therefore necessarily collect – certain Personal Information, including your name, mailing address, email address, or phone number.

We will use the information you choose to provide us through our Website for legitimate business purposes, including to: analyze, improve and customize the Services; send you announcements, newsletters, promotional materials, and other information about the Services; respond to your questions or comments, or provide you with the requested information. As a general matter, we will not disclose any of the Personal Information you provide us through our website to any third parties. However, we reserve the right to do so when necessary or required by the circumstances, such as (i) to protect or defend the legal rights of Cardlytics; (ii) to protect against fraud or for risk management purposes; (iii) to comply with applicable law or respond to legal process; or (iv) if Cardlytics undergoes bankruptcy or dissolution. Additionally, if Cardlytics sells, merges, or transfers all or part of its business or assets, we may transfer the information you provided us through our Website to the parties involved in that transaction.

Unless otherwise required by applicable law, we will retain the Personal Information you choose to provide us through our Website only for as long as necessary to fulfill the purposes outlined in this Privacy Policy. You may opt not to receive promotional emails from us at any time by following the “unsubscribe” instructions in any promotional email you receive from us.

B) Information Collected by Cookies and Similar Tracking Technologies

When you visit our Website, we may, subject to your opt-out preferences, automatically collect certain information through cookies and similar technologies (including pixels, tags and web beacons) (together “cookies”). Cookies are small text files stored by your browser on your computer, phone, tablet, or other device you use to access our Website. The cookies on our Website collect information related to the device you used to access our website such as the IP address and type of device. The cookies on our website also may collect the date and time of your visit to our Website, your behavior on our Website (e.g., paths you take through Website), and your geographic location information. Cookies allow us to identify visitors, track aggregate behavior, and recognize certain types of information on your computer, such as a cookie number, time and date of a page view, and a description of the page where a cookie is placed. The cookies on our Website also may collect the following categories of information (1) IP addresses; (2) domain servers; (3) types of computers accessing the Website; (4) referring/exit websites; (5) operating systems; (6) Internet Service Providers (ISPs); (7) types of web browsers used to access the Website and (8) your geographic location information.

The length of time a cookie will stay on your browser or device depends on whether it is a “persistent” or “session” cookie. Session cookies will only stay on your device until you stop browsing. Persistent cookies stay until they expire or are deleted. The expiration time or retention period applicable to persistent cookies depends on the purpose of the cookie collection and tool used. Unless otherwise required by applicable law, we will retain any Personal Information collected through cookies only for as long as necessary to fulfill the purposes outlined in this Policy.

We use information collected via cookies for legitimate business purposes, including to analyze, improve and customize the Services and the Website and for marketing purposes.

We may have some or all of the following four types of cookies operating on our Website: 1) necessary cookies, 2) targeted advertising cookies, 3) personalization cookies, and 4) analytics cookies. Our cookie settings pop-banner will have more detailed information regarding the cookies currently active on our Website.

Necessary Cookies

These cookies are required to enable the basic features of our Website such as navigating to pages or accessing secure areas. Without these cookies our Website cannot function properly. Necessary cookies are always stored on your browser as they are essential for enabling the basic functionalities of our site.

Targeted Advertising Cookies

Targeted advertising cookies are served by us and our third-party partners such as Octane11 and Google. These cookies help us show relevant advertising to you more effectively and to measure the performance of ads. The information collected via these cookies may be used to show you better and more personal advertisements on the Website and other sites you visit and to analyze traffic to the Website. We may share this information with our advertising partners. For more information on how our partners use data collected from their services please visit their respective privacy policies.

Personalization Cookies

Personalization cookies are served by us and help us remember your choices regarding the Website (such as your preferred language and what region you are in) to provide enhanced, personal features.

Analytics Cookies

Analytics cookies are served by us and our third-party partners such as Salesforce and Google. Analytics cookies help us understand how you use the Website and how we can provide a better experience. The information collected from these cookies helps us analyze trends in usage of the Website. We may share this information with our analytics partners. For more information on how our partners use data collected from their services please visit their respective privacy policies.

Your choices regarding cookies

You have the right to choose whether or not to accept all cookies except necessary cookies which are essential for enabling the basic functionalities of this Website. To manage your choices regarding cookies other than necessary cookies on the Website (the “non-essential cookies”), please navigate to our cookie settings pop-banner. You can also modify the settings on your browser to limit the types of cookies you encounter. Check out the documentation for your browser to learn more. Please note that if you disable non-essential cookies certain features of the Website may be limited or may not work at all.

Links to External Websites

Our Website contains links to third-party websites. We have no influence on the privacy practices or policies of any external websites. As a result, Cardlytics is not responsible for the privacy practices of websites operated by third parties. Once you leave our Website via such a link, we encourage you to read the applicable privacy policy of any third-party site to determine, among other things, how they handle any Personal Information they collect from you.

Information Our Financial Institutions Share

The power of Cardlytics is driven by its relationships with financial institutions. Cardlytics’ financial institution clients utilize Cardlytics’ services so that they can provide their customers with targeted and relevant offers or advertisements inside the banking platform. Cardlytics’ financial institution clients provide Cardlytics with deidentified spend data to make these targeted and relevant offers possible. Additionally, Cardlytics may in certain circumstances use the deidentified spend data to determine the efficacy of advertisements both inside and outside the banking platform as well as craft other spend-based insights. Cardlytics’ financial institution clients include some of the biggest and best names in banking. Your financial institution might be one of Cardlytics’ clients.

Cardlytics does not receive, or have access to, any Personal Information from its financial institution clients. As such, we cannot and will not use or share Personal Information with third parties, including our advertising partners.

Cardlytics commits to maintaining and using the deidentified spend data it receives from its financial institution clients in deidentified format and to not attempt to reidentify that deidentified data as Personal Information.

Your financial institution’s privacy policy governs its privacy and data sharing practices. If you are interested in learning more about your financial institution’s privacy and data sharing practices, we encourage you to contact your financial institution or examine its relevant policies.

Opting Out of a Cardlytics Program

If you are currently participating in and want to opt out of a Cardlytics card-linked marketing program, you can do so through your financial institution. Every financial institution’s opt-out feature will be slightly different. Cardlytics encourages you to contact your financial institution, or visit your financial institution’s website, for more details. Opting out of a Cardlytics card-linked marketing program will also opt you out of Cardlytics’ other programs and products.

Social Media Postings

In connection with your selection or redemption of an offer through the online banking website or mobile application of one of our financial institution clients, you may be presented with the opportunity to post about your selection or redemption of an offer, or overall participation in our program, via your social media account, such as Facebook or X. A social media post will only be made at your specific direction and with your express consent. Cardlytics does not collect any Personal Information, such as your social media username or password, your email address, or your name, in connection with any such social media posting. Cardlytics may collect Anonymous Information regarding the posting for Cardlytics’ internal analyses.

Data Security

The security of Cardlytics’ data is critical to our business mission. Cardlytics uses commercially reasonable administrative, technical, personnel, and physical security measures that comply with federal regulations to safeguard all of our data against loss, theft, or unauthorized use, disclosure, or modification.

We also regularly conduct risk assessments and audits on our information systems. These security measures help us continually assess our ability to maintain the security of our data. We also maintain strict physical security for our facilities and limit access to critical areas of our business.

Additional State Privacy Rights

Depending on where you reside, you might be entitled to certain data access rights. For residents of the specific U.S. states delineated below, the relevant rights will be available from the date that the laws and regulations become effective.

California Residents’ Additional Privacy Rights

If you are a California resident, this section applies to you. This section describes how we collect, use, and share your Personal Information in our capacity as a “business” under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2021(the “CPRA”), and the rights you have with respect to your Personal Information. For purposes of this section, “Personal Information,” has the meaning given in the CPRA and does not include information excluded from the CPRA’s scope. Under the CPRA, subject to exceptions and as relevant with regards to this Privacy Policy, California residents have the following rights regarding their data :

The right to know the categories of Personal Information we’ve collected and the categories of sources from which we got the information (see INFORMATION WE COLLECT THROUGH OUR WEBSITE);
The right to know the business purposes for collecting or sharing your Personal Information (see INFORMATION WE COLLECT THROUGH OUR WEBSITE );
The right to know the categories of third parties with whom we’ve disclosed Personal Information (see INFORMATION WE COLLECT THROUGH OUR WEBSITE);
The right to access the specific pieces of Personal Information we’ve collected about you in a portable format;
The right to opt out of the selling or sharing of your Personal Information;
The right to request the deletion of the Personal Information we have collected about you; and
The right to request the correction of inaccurate Personal Information.

‍

California Law also permits California residents to request certain information once per year regarding disclosure of any “personal information” (as that term is defined under California’s “Shine the Light” law) disclosed to third parties for such third parties’ direct marketing purposes. We do not currently disclose personal information protected under California’s “Shine the Light” law with third parties for their direct marketing purposes.

California residents have the right to not be discriminated against if they choose to exercise their privacy rights.

You may exercise your data rights under California law by emailing us at privacy@cardlytics.com. We may require you to verify your identity prior to processing your request. You may also designate an authorized agent to make a request to know or a request to delete on your behalf. We may deny a request from an authorized agent that does not submit proof of authorization.

Colorado Residents’ Additional Privacy Rights

If you are a Colorado resident, this section applies to you. This section describes the rights you have with respect to your Personal Data, under the Colorado Privacy Act (“CPA”). For purposes of this section, “Personal Data,” has the meaning given in the CPA and does not include information excluded from the CPA’s scope. Under the CPA, subject to exceptions, Colorado residents have certain rights regarding their data, including, as relevant with regards to this Privacy Policy:

The right to access the specific pieces of Personal Data we’ve collected about you in a portable format;
The right to request the deletion of the Personal Data we have collected about you;
The right to request that we correct inaccurate Personal Data; and
The right to opt out of the use of your Personal Data for purposes of targeting advertising and the sale of your Personal Data (as those terms are defined under the CPA).

You may exercise your data rights under Colorado law by emailing us at privacy@cardlytics.com. We may require you to verify your identity prior to fulfilling your request. You may also designate an authorized agent to make an opt out request. We may deny a request from an authorized agent that does not submit adequate proof of authorization. Colorado residents have the right to not be discriminated against if they choose to exercise their privacy rights.

If we deny your request, you may appeal our decision by emailing us at privacy@cardlytics.com with the subject “Appeal of Consumer Rights Request.” You must appeal our decision within 45 days of your receipt of our denial. If you have concerns about the results of an appeal, you may contact the Colorado attorney general.

Connecticut Residents’ Additional Privacy Rights

If you are a Connecticut resident, this section applies to you. This section describes the rights you have with respect to your Personal Data, under the Connecticut Data Privacy Act (“CTDPA”). For purposes of this section, “Personal Data,” has the meaning given in the CTDPA and does not include information excluded from the CTDPA’s scope. Under the CTDPA, subject to exceptions, Connecticut residents have certain rights regarding their data, including, as relevant with regards to this Privacy Policy:

The right to access the specific pieces of Personal Data we’ve collected about you in a portable format;
The right to request the deletion of the Personal Data we have collected about you;
The right to request that we correct inaccurate Personal Data; and
The right to opt out of the use of your Personal Data for purposes of targeting advertising and the sale of your Personal Data (as those terms are defined under the CTDPA).

You may exercise your data rights under Connecticut law by emailing us at privacy@cardlytics.com. We may require you to verify your identity prior to fulfilling your request. You may also designate an authorized agent to make an opt out request on your behalf. We may deny a request from an authorized agent that does not submit adequate proof of authorization. Connecticut residents have the right to not be discriminated against if they choose to exercise their privacy rights.

Montana Residents’ Additional Privacy Rights
Effective October 1, 2024

If you are a Montana resident, this section applies to you. This section describes the rights you have with respect to your Personal Data, under Montana’s Consumer Data Privacy Act (“MCDPA”). For purposes of this section, “Personal Data,” has the meaning given in the MCDPA and does not include information excluded from the MCDPA’s scope. Under the MCDPA, subject to exceptions, Montana residents have certain rights regarding their data, including, as relevant with regards to this Privacy Policy:

The right to access the specific pieces of Personal Data we’ve collected about you and, for any Personal Data that you previously provided to us, the right to access that Personal Data in a portable format;
The right to request the deletion of the Personal Data we have collected about you;
The right to request that we correct inaccurate Personal Data; and
The right to opt out of targeting advertising and the sale of your Personal Data (as those terms are defined under the MCDPA).

You may exercise your data rights under Montana law by emailing us at privacy@cardlytics.com. We may require you to verify your identity prior to processing your request. You may also designate an authorized agent to make an opt-out request on your behalf. We may deny a request from an authorized agent that does not submit proof of authorization.

Montana residents have the right to not be discriminated against if they choose to exercise their privacy rights.

Oregon Residents’ Additional Privacy Rights
Effective July 1, 2024

If you are an Oregon resident, this section applies to you. This section describes the rights you have with respect to your Personal Data, under Oregon’s Consumer Privacy Act (“OCPA”). For purposes of this section, “Personal Data,” has the meaning given in the OCPA and does not include information excluded from the OCPA’s scope. Under the OCPA, subject to exceptions, Oregon residents have certain rights regarding their data, including, as relevant with regards to this Privacy Policy:

The right to access the specific pieces of Personal Data we’ve collected about you in a portable format;
The right to request the deletion of the Personal Data we have collected about you;
The right to request that we correct inaccurate Personal Data; and
The right to opt out of targeting advertising and the sale of your Personal Data (as those terms are defined under the OCPA).

You may exercise your data rights under Oregon law by emailing us at privacy@cardlytics.com. We may require you to verify your identity prior to processing your request. You may also designate an authorized agent to make an opt-out request on your behalf. We may deny a request from an authorized agent that does not submit proof of authorization.

Oregon residents have the right to not be discriminated against if they choose to exercise their privacy rights.

Texas Residents’ Additional Privacy Rights
Effective July 1, 2024

If you are a Texas resident, this section applies to you. This section describes the rights you have with respect to your Personal Data, under the Texas Data Privacy and Security Act (“TDPSA”). For purposes of this section, “Personal Data,” has the meaning given in the TDPSA and does not include information excluded from the TDPSA’s scope. Under the TDPSA, subject to exceptions, Texas residents have certain rights regarding their data, including, as relevant with regards to this Privacy Policy:

The right to access the specific pieces of Personal Data we’ve collected about you and, for any Personal Data that you previously provided to us, the right to access that Personal Data in a portable format;
The right to request the deletion of the Personal Data we have collected about you;
The right to request that we correct inaccurate Personal Data; and
The right to opt out of targeting advertising and the sale of your Personal Data (as those terms are defined under the TDPSA).

You may exercise your data rights under Texas law by emailing us at privacy@cardlytics.com. We may require you to verify your identity prior processing your request. You may also designate an authorized agent to make an opt-out request on your behalf. We may deny a request from an authorized agent that does not submit proof of authorization.

Texas residents have the right to not be discriminated against if they choose to exercise their privacy rights.

Utah Residents’ Additional Privacy Rights

If you are a Utah resident, this section applies to you. This section describes the rights you have with respect to your Personal Data, under the Utah Consumer Privacy Act (“UCPA”). For purposes of this section, “Personal Data,” has the meaning given in the CPA and does not include information excluded from the UCPA’s scope. Under the UCPA, subject to exceptions, Utah residents have certain rights regarding their data, including, as relevant with regards to this Privacy Policy:

The right to access the specific pieces of Personal Data we’ve collected about you and, for any Personal Data that you previously provided to us, the right to access that Personal Data in a portable format;
The right to request the deletion of the Personal Data that you previously provided to us;
The right to obtain a copy of the Personal Data that you previously provided to us in a portable format;
The right to opt out of the use of your Personal Data for purposes of targeting advertising and the sale of your Personal Data (as those terms are defined under the UCPA).

You may exercise your data rights under Utah law by emailing us at privacy@cardlytics.com. We may require you to verify your identity prior fulfilling your request. Utah residents have the right to not be discriminated against if they choose to exercise their privacy rights.

Virginia Residents’ Additional Privacy Rights

If you are a Virginia resident, this section applies to you. This section describes the rights you have with respect to your Personal Data, under Virginia’s Consumer Data Protection Act (“VCDPA”). For purposes of this section, “Personal Data,” has the meaning given in the VCDPA and does not include information excluded from the VCDPA’s scope. Under the VCDPA, subject to exceptions, Virginia residents have certain rights regarding their data, including, as relevant with regards to this Privacy Policy:

The right to access the specific pieces of Personal Data we’ve collected about you and, for any Personal Data that you previously provided to us, the right to access that Personal Data in a portable format;
The right to request the deletion of the Personal Data we have collected about you;
The right to request that we correct inaccurate Personal Data; and
The right to opt out of targeting advertising and the sale of your Personal Data (as those terms are defined under the VCDPA).

‍

You may exercise your data rights under Virginia law by emailing us at privacy@cardlytics.com. We may require you to verify your identity prior to opting you out or accessing, correcting, deleting your information. Virginia residents have the right to not be discriminated against if they choose to exercise their privacy rights.

GDPR

On May 25, 2018, the GDPR came into effect in the EU. Read Cardlytics’ external privacy notice here.

Modern Slavery Policy

Read Cardlytics’ Modern Slavery Policy here.

Changes to Cardlytics’ Privacy Policies

We may change Cardlytics’ privacy policies from time to time. We encourage you to periodically review this page for the latest information on our privacy practices.

Cardlytics’ privacy policies were last updated on May 14, 2024.

Contact Us

If you have any questions regarding Cardlytics’ privacy policies, please contact us by email at privacy@cardlytics.com.

Anti-Corruption Hotline

Report corruption, fraud, and other misconduct via the Cardlytics Anti-Corruption Hotline by phone (866-269-1020) or email CDLX@openboard.info.

Subscribe me to Cardlytics updates

Leave this field blank

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.