Data sharing consent
The Guiding Principle
The owner of transaction data must always provide clear and informed consent to how their data is used.
“Informed consent” means the transaction data owner, whether it be an individual cardholder or a corporate administrator, is fully informed about what data will be collected, how it will be used, and with whom it will be shared. It further includes stating the implications of data sharing, the potential for data analysis, and how data contributes to and informs the services offered.
Cardholder Individual Enrollment
Under individual enrollment, the cardholder is typically the account owner and thus owns the transaction data. Therefore, the cardholder must give informed consent about the data's destination and usage.
To remain consistent with the Guiding Principle, individual cardholders must consent to the following:
The network's sharing of transaction data from the enrolled card.
Astrada’s processing and sharing of transaction data associated with the SMP as governed under the SMP’s Terms of Service, the SMP’s Privacy Policy and Astrada’s Privacy Policy.
Consent must be explicit and provided on an opt-in basis, for example by confirming through an action such as selecting a check box.
Cardholder Individual Enrollment SDK
The Astrada SDK is designed to efficiently present and capture individual cardholder consent according to the conditions and principles described.
Network Bulk Enrollment
With network bulk enrollment, the corporate is considered the owner of transaction data and is therefore the entity required to provide consent. The corporate administrator, acting as the representative of the corporate, is the agent acting on behalf of the corporate. Through the corporate administrator, the corporate must provide informed consent regarding the destination and usage of transaction data.
Data Feed Endpoint Configuration
Bulk enrollment relies on the corporate working with their Issuing Bank to establish Astrada as an endpoint for the corporate’s transaction data. This may be accomplished either directly, with the issuing bank setting Astrada as the destination, or indirectly, with the SMP remaining as the destination.
Direct Data Feeds
By undertaking and completing the steps defined in the Corporate Setup Guides (Visa, Mastercard), the corporate must select Astrada as an explicitly-identified destination for transaction data. Consent is thus implicit in the corporate’s selecting Astrada as an identified destination, and then communicating that selection to the corporate’s Issuing Bank.
Indirect Data Feeds
Under certain circumstances, such as when a corporate has already configured the SMP as an endpoint with the SMP, establishing Astrada as an indirect destination may be appropriate. Under such circumstances, the SMP may share or forward the corporate’s transaction data to Astrada. As the owner of the transaction data, the corporate must provide consent to the SMP’s sharing of the corporate’s transaction data with Astrada. This may be achieved through a pop-up requiring that the corporate opt in to sharing transaction data with Astrada for the purposes of enabling real-time transaction data feeds.
Acknowledgement of Employee Permission
Each corporate enrolling cards on the SMP is expected to possess the right to enroll corporate cards on its employees’ behalf and track expenses made by the employees holding the cards.
Existing Corporates
Corporates that have previously enrolled cards on the SMP, such as described in the “Indirect Data Feeds” section, are assumed to have demonstrated to the SMP that the corporate possesses the right to enroll corporate cards on behalf of its employees.
New Corporates
Corporates that are new to the SMP and intend to utilize the services provided to the SMP through Astrada are expected to provide explicit acknowledgement to the SMP at the initiation of the enrollment process.
Terms & Conditions and Privacy Policy
The SMP’s terms and conditions and privacy policy are expected to contain the specific terms that define how transaction data is collected, used and shared. By enrolling cards on the SMP to use services through Astrada, the transaction data owner agrees to the terms contained within those documents.
Key Terms
Collection of Transaction Data
Cardholders must be informed that the SMP receives transaction data shared by the networks with Astrada.
The types of data collected must be declared, including account information and transaction data such as the MCC (Merchant Category Code), authorization code, and amount paid.
Transaction Monitoring
Cardholders must be informed that transactions made with enrolled cards will be monitored by the SMP, the networks and Astrada. By enrolling a card with the SMP, the cardholder is consenting to the monitoring of transactions. Cardholders have the right to opt out at any time.
Corporate Permission
The SMP is expected to clearly state in its terms and conditions that:
Corporates offering the SMP’s services as provided through Astrada to their employees have received permission from their employees to enroll cards on their behalf and share data associated with the transactions employees make with the SMP and relevant subprocessors, including Astrada (see below).
As an employee of the company using the SMP’s services through Astrada, you have provided permission to your employer to enroll cards on your behalf and track transaction data associated with the card’s usage.
Astrada as a Subprocessor
Corporates enrolling cards through Astrada must be aware of the role that Astrada plays in providing services to the SMP if their consent is to be considered informed.
To accomplish this objective, Astrada should be included as a subprocessor to the SMP alongside other service providers such as cloud hosting (e.g. AWS, Azure) or open banking (e.g. Yodlee, Plaid) in the SMP’s subprocessor list.
Astrada may be referred to as a subprocessor in the relevant sections of the terms and conditions document.
Updated 7 days ago