Privacy Notice for customers
Privacy Notice for customers and users of MEGA pursuant to Article 13 of the EU General Data Protection Regulation (GDPR)
Classification: Public
Last update: 21.11.2023
Introduction
MEGA.AI Inc. (in the following "MEGA", “we”, “our”, “us”) takes the protection of your personal data very seriously. With this privacy notice (“Privacy Notice”), we want to inform the public and data subjects about the nature, extent, and purpose of the personal data collected, used, and processed by us pursuant to Article 13 of the GDPR and inform data subjects about their rights.
This Privacy Notice is structured as follows: In the overview (A) we provide an overview of our privacy practices related to our services and our platform as well as your rights. In the second part, we explain in detail the processing operations carried out by us (B), their respective data scope, purpose, and associated legal bases. In the third part you receive information about how and when we share data with third parties (C).
MEGA has implemented numerous measures to ensure the protection of personal data.
A) Overview
In this Privacy Notice, we use the terms defined in Article 4 of the GDPR: personal data, data subject, processing, restriction of processing, pseudonymization, controller, processor, recipient, third parties, and consent. Since MEGA is a company specializing in data processing in the Business-to-business (B2B) sector, we have also defined other terms that are intended to help you understand the following explanations:
Publicly available data means all data, information, and entries which are accessible or viewable for everyone via public sources directly (e.g. by a link) or indirectly (e.g. by a query). Examples of public sources are: websites, news portals, press or blog articles, publicly shared posts and profiles from social media, as well as public databases of specialist portals, job boards, forums, the commercial register, the Federal gazette, or Wikipedia.
Business related data is data that is associated with a business or an organization. For example, a change of management notification may include the name of the company and the manager; a press release may include the contact of the press representative; include a public social media profile (e.g. LinkedIn) with the name of the employer and mention a product rating of the manufacturer concerned.
A1) The controller / data protection officer
For the purposes of this Privacy Notice, the data controller of the personal data collected, processed and stored through the platform, or through the communication platforms related thereto, is MEGA.AI Inc., with registered office at 8 The Green, #15967 Dover, DE 19901, United States (hereinafter "Data Controller").
You can always contact the Data Controller by e-mail at: hallo@mega.ai.
For any questions regarding the data processing carried out in the context of using the platform or our services and products, may also contact Troels Christensen, the group data protection officer ("DPO") designated by MEGA at any time by email: hallo@mega.ai.
A2) How and when do we obtain personal data from you?
MEGA may collect personal data from you in the following circumstances:
- Data collected by automated means such as cookies or similar technologies when you visit the MEGA website or use MEGA’s services (for additional information see here.
- Data collected from you when you create an account, complete a form, contact us directly or subscribe to our services
- Data you provide us about others in your organization or data that others have provided about you.
We process personal data in accordance with the applicable data protection regulations, namely the GDPR:
a) for the fulfilment of contractual obligations pursuant to Article 6 para. 1 lit. b of the GDPR
We process your personal data in the context of the performance of our contracts with our customers, users and/or applicants or for the implementation of pre-contractual measures. The purposes of the data processing are based primarily on the specific product and may include, but are not limited to, general communication about our services, analysis and consulting for the purpose of creating an offer, support or consulting, the provision of online software, or the processing of application documents.
b) if we have a legitimate interest pursuant to Article 6 para. 1 lit. f of the GDPR
In accordance with Article 6(1)(f) of the GDPR, we may process your personal data where it is necessary for the purposes of the legitimate interests pursued by us, except where such interests are overridden by your interests or fundamental rights and freedoms. We ensure that these processing activities are balanced and considerate of your privacy. Our legitimate interests include:
- Enhancing the user experience and ensuring the efficient operation and security of our website.
- Conducting analyses to improve customer engagement and streamline processes, which may involve optimizing navigation and functionalities on our website.
- Tailoring our marketing efforts to offer you relevant and personalized content, provided you have not opted out of receiving such communications.
- Undertaking market research to better understand your preferences and needs, subject to your right to object to such processing.
- Pursuing and defending legal claims as necessary to protect our legal rights.
- Maintaining the integrity and security of our IT systems, including troubleshooting and preventing potential threats.
- Preventing fraudulent or illegal activities and ensuring compliance with legal obligations.
- Supporting effective business and risk management practices to enhance our services and operational efficiencies.
- Developing and improving our product and service offerings based on customer feedback and market trends.
- Organizing and managing events that may be of interest to our clients and partners.
c) on the basis of your consent pursuant to Article 6 para. 1 lit. a of the GDPR
Certain processing activities (e.g. the receipt of newsletter, downloads of whitepapers or other materials) are based on your consent. Consent given can be revoked at any time.
d) in case we are legally required to process your data (Art. 6 para. 1 lit. c of the GDPR)
Insofar as MEGA is required by law to process certain data, personal data may also be affected.
A4) Deletion and retention periods
We process and store your personal information as long as it is necessary for the fulfilment of our contractual and legal obligations. It should be noted that our business relationship is a continuing obligation, which is intended for several years. If the data are no longer required for the fulfilment of contractual or legal obligations, these are regularly deleted unless the consent given also extends beyond the end of the contract or a balance of interests comes to the conclusion that a legitimate interest of MEGA exists for further storage which outweighs the interests of the data subject.
A5) How do we share the data?
We may share data as follows:
- within the MEGA group in order to provide you the requested services and products
- with service providers that perform services or handle transaction on our behalf
- other parties when we are required to do so by law or as necessary to protect our rights, or in the context of corporate transactions.
You may be entitled to exercise some or all of the following rights:
require (i) information as to whether your personal data is retained and (ii) access to and/or duplicates of your personal data retained, including the purposes of the processing, the categories of personal data concerned, and the data recipients as well as potential retention periods;
request rectification, removal or restriction of your personal data, e.g. because (i) it is incomplete or inaccurate, (ii) it is no longer needed for the purposes for which it was collected, or (iii) the consent on which the processing was based has been withdrawn;
refuse to provide and – without impact to data processing activities that have taken place before such withdrawal – withdraw your consent to processing of your personal data at any time;
object, on grounds relating to your particular situation, that your personal data shall be subject to a processing. In this case, please provide us with information about your particular situation. After the assessment of the facts presented by you we will either stop processing your personal data or present you our compelling legitimate grounds for an ongoing processing;
take legal actions in relation to any potential breach of your rights regarding the processing of your personal data, as well as to lodge complaints before the competent data protection regulators;
require (i) to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and (ii) to transmit those data to another controller without hindrance from our side; where technically feasible you shall have the right to have the personal data transmitted directly from us to another controller; and/or
not to be subject to any automated decision making, including profiling (automatic decisions based on data processing by automatic means, for the purpose of assessing several personal aspects) which produce legal effects on you or affects you with similar significance.
You may (i) exercise the rights referred to above or (ii) pose any questions or (iii) make any complaints regarding our data processing by contacting at: hallo@MEGA.com.
A7) Non-use of "profiling"
Profiling describes a type of automated processing of personal data that consists in assessing, analyzing, or predicting certain personal aspects such as health or personal preferences and which produces legal effects on the data subject. MEGA does not use such profiling.
B) Comprehensive Privacy Notice
When you visit our platform, use our services or contact us directly, we obtain various types of data related to you and your use of our services. This data may include information that directly identifies you such as your name or contact details as well as identifiers (e.g. your IP address) or cookie-level data that may indirectly identify you. The information we obtain generally consists of (B1) automatically collected data about your interactions with our platform and our services or (B2) data you provide us about yourself or we directly collect from you or (B3) data you provide us about others in your organization or (B4) data that others have provided us with about you.
B1) Information automatically collected
If you are visiting our websites or accessing our applications, we collect the following information provided by your browser or mobile device: pages accessed, time of visit and time of last visit, frequency of recurring visits, IP address, name of the owner of the IP address, domain or provider of IP address, referrer (site/service/queries that led you to our website), browser information, device information.
Such data is collected and processed for different purposes such as:
- to deliver the contents of our websites and apps correctly,
- to optimize the content of our website, enhance user experience and to advertise our services and products,
- to ensure the permanent functioning of our systems and the technology of our website,
- to provide law enforcement with information necessary for prosecution in the event of a cyber-attack, and
- to facilitate the access to and the use of our services.
To collect such data, we use cookies and similar technologies. For more information about cookies and other technologies used by us please see here.
B2) Information provided by you
If you contact MEGA, if you send us an email or inquiry, or if you wish to use certain offers and services of our company, the processing of your personal data may be necessary. Examples include:
- You request a whitepaper, a price list, or another document.
- You sign up to receive our newsletter.
- You contact our service team or our sales team.
- You apply for one of our job advertisements.
- You contact us during a lecture, trade fair or similar event.
- You are testing software or an app and sharing your data with us.
- name, job title, affiliation
- email address, phone number or other contact details
- billing and payment information
- user information from integrated tools
- messages with our support and sales teams
- metadata related to your request or inquiry
- search queries and results of such queries
- other data uploaded by you to our systems
B2.1) To provide you with our services and products (Art, 6 (1) lit. b GDPR)
Such services may include:
- processing your requests and inquiries on our platform,
- deliver platform/website content to you
- providing customer assistance and IT support, and/or
- providing online learning content to you.
We may communicate with you via different means, such as by post, email, personal contact, messenger or chat systems or social media. The communication purposes may include:
- sending you service-related messages and notifications (Art. 6 (1) lit. f GDPR (our legitimate interest in marketing and sales of our products and services);
- sending you our newsletter (Art. 6 (1) lit. a GDPR);
- responding to your questions or addressing your requests (Art. 6 (1) lit. b GDPR);
- sending you materials you have requested (Art. 6 (1) lit. b GDPR);
- sending you payment or billing related information (Art. 6 (1) lit. b GDPR) and to fulfil our legal obligations regarding accounting and bookkeeping (Art. 6 (1) lit. c GDPR in conjunction with Sec. 257 (4) of the German Commercial Code)
- in conjunction with job applications and the application procedure (Art. 6 (1) lit. b GDPR and Art. 6 (1) lit. c GDPR).
B2.3) To protect our rights or the rights of others
This may include activities like:
- Detecting and preventing fraud or illegal activities or misuse of our services (Art. 6 (1) lit. f GDPR);
- Backing up our systems (Art. 6 (1) lit. f GDPR (our legitimate interest in IT security and recovery of our data));
- Performing audits, testing, assessments or other troubleshooting activities (Art. 6 (1) lit. f GDPR (our legitimate interest in IT security and recovery of our data));
- Complying with and enforcing applicable legal requirements (Art. 6 (1) lit. c GDPR);
- Collecting and recovering money owed to us (Art. 6 (1) lit. b GDPR).
These activities include:
Developing, managing and executing advertising and marketing campaigns, promotions and offers related to our services, products and our platform;
Interest-based advertising. We use online and offline information obtained from you for interest-based advertising and marketing activities. To learn more about this, please also refer to our cookie notice.
B3) Information provided by you about third parties
You may provide information about other people, such as the name and email of a contact who you want to invite as a user to our services and products. These third parties may include team members or colleagues in your organization or external agencies with whom you are, in accordance with our terms and conditions, authorized to give access to our services. Such information may include the name, job title and contact information. Do not give us information about others unless you are authorized or have their permission to do so. We will use their information for the purposes described in this Privacy Notice.
B4) Information provided about you by third parties
Others may have provided us with information about you, such as your name and contact details either because they wanted to invite you as a user to our services or products or in the context of verifying your information for the use of or in the context of our services. We inform and ask anyone sharing information with us not to give us such information about others unless they are authorized or have the respective data subjects permission and knowledge to do so. We will use your information for the purposes described in this Privacy Notice.
C) Data Sharing
C1) Recipients
We may share data with the following recipients:
C1.1) MEGA.AI Inc.
In order to offer you comprehensive support and to ensure an ongoing high quality of our services and products, MEGA.AI Inc. relies on the assistance of MEGA group companies (each a “Joint Controller” and together the “Joint Controllers”). The legal basis for such processing is Art. 6 (1) lit. b as well as Art. 6 (1) lit. f (legitimate interest in providing and improving our services). In accordance with Art. 26 of the GDPR, the Joint Controllers have entered into a Joint Controller Agreement stipulating in a transparent manner their respective responsibilities with regard to compliance with their obligations under the GDPR. The essential content of the Agreement is available here. In addition, we may share data with other affiliates for marketing or customer support purposes. Such processing activity is based on Art. 28 GDPR in conjunction with a data processing agreement concluded with the respective affiliates.
C.1.2) Service Providers
MEGA doesn’t sell your data to other service providers. We may share some data with some companies that help us provide our services (for example accounting or job application tools). The legal basis for this data transfer and processing activity is Art. 28 GDPR in conjunction with a data processing agreement concluded with the respective service provider. These service providers are only allowed to use the data shared with them for the specific task they’ve been hired to do.:
- Web analysis service providers
- Advertising service providers
- Map Services / Maps
- CDN / Content Delivery Networks
- Video Player
- Screensharing / Video Chats
- Tools for communication
- Contact data management / CRM tools
- Job application tools
- Accounting tools
- Cloud Storage and Hosting Providers
- Online learning systems and tools
C.1.3) Legal Disclosure
We may disclose your personal data to comply with legal requirements and obligations, including court orders or to comply with legitimate requests from law enforcement agencies or regulators.
C.1.4) Change of ownership
We may disclose your personal data in the event of an acquisition, merger or other transaction to the new owner
C2) Cross Border Data Transfers
MEGA operates globally, however, data provided by you and processed by us in the context of providing our services to you is exclusively stored and processed on servers within the European Union. We also strive to have all our service providers be based within the EEA/EU. Thus, only in rare cases and as part of our data sharing activities mentioned above (see (C)), we may need to transfer your personal data to other countries, including those outside the European Economic Area (EEA), which may have different data protection standards than your country of residence. We will ensure that your personal data is adequately protected when shared with such service providers. In the event of a transfer outside of the EEA, we use EU Standard Contractual Clauses or (where applicable) rely on adequacy decisions as a safeguard in compliance with Article 46 of the GDPR.
D) Changes to our Privacy Notice
We reserve the right to amend this Privacy Notice to ensure continued compliance with legal requirements or to reflect changes to our services in the Privacy Notice.
Mailing Address:
MEGA.AI Inc.
8 The Green, #15967
Dover, DE 19901
United States