MEGA Group Data Privacy Policy
1. Introduction
The services, products, apps and in general the offers provided by MEGA may involve the collection of personal data. The purpose of this document is to explain the conditions under which personal data are collected and are likely to be processed so that these actions are carried out in the greatest transparency.
It also aims to precise how data subject may exercise their rights with the said collection and processing being carried out in compliance with the legislation in force.
2. Definitions
For the purposes of this Policy:
“personal data” means any information relating to an identified or identifiable natural person ('data subject'); 'identifiable natural person' means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;
“processing” means any operation or set of operations whether or not carried out by automated means and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or interconnection, limitation, erasure or destruction;
“file” means any structured set of personal data accessible according to specified criteria, whether centralized, decentralized or functionally or geographically distributed;
“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing;
“processor” means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;
“consent” of the data subject means any free, specific, informed and unequivocal expression of will by which the data subject accepts, by a statement or by a clear affirmative action, that personal data concerning him or her may be processed;
3. Who is concerned by this Policy?
This Policy is applicable to all companies of the MEGA Group.
4. How do we collect your personal data?
We collect personal data either directly or indirectly.
We may collect personal data directly when data subject provides it to us, for example by filling in a form on a website, or when we ask data subject for it on any occasion such as during the performance of a contract, a contact form on the Internet, a trade show, a survey, participation in a discussion forum, participation in a contest, interaction on professional social networks such as LinkedIn.
We may also collect personal data indirectly through a third party. This may be for example the performance of a contract in which an employer is a party when data subject is a user of an app, a product and/or services, or when the data subject is our contact in charge of, for example, billing, placing an order, paying a sum of money or other.
We may collect on these occasions your first name, last name, business contact details (telephone, title, physical and email address, and IP address.
If a data subject provides us with third party’s personal data, it is his/her responsibility to ensure that he/she complies with the applicable regulations on the protection of personal data and in particular his/her obligations to obtain the prior consent of the data subject whose personal data he/she provides to us. As such, in accordance with the applicable data protection regulations, he/she must notify the data subjects and obtain their express consent, or have a legal basis to provide us with their personal data. Furthermore, he/she must inform the data subjects how we collect, use, disclose and store their personal data and invite them to read our Privacy Policy.
5. How do we use personal data?
Subject to applicable laws, we collect and process your data for the following purposes:
- To provide any information and services requested and the applications or services ordered;
- To perform our contractual obligations towards the data subject or his/her employer;
- To manage our business relationship (for example, customer services and support activities);
- To detect, prevent or investigate criminal, illegal or prohibited activities, or protect our rights (including liaising with regulatory and law enforcement agencies for these purposes);
- To ask for participating in a customer survey (for example, feedback on use of our apps, products and services);
- To provide advertisements, marketing messages (which may include banner message windows) or targeted information that may be useful, based on how is used our app, products and services;
- To collect information about how users use the features of our websites, applications and services.
6. To whom may we transfer personal data?
We may transfer personal data to:
- Any company of the MEGA Group and any subcontractor for the proper performance of our contractual obligations. This is particularly the case for our maintenance and support activities (MEGA Group) and Microsoft Ireland Operations Ltd, One Microsoft Place, South County Industrial Park, Leopardstown, Dublin 18, D18 P521 (hosting of our SaaS services);
- Third parties that we use to carry out payment transactions, such as clearing companies, clearing systems, financial institutions and transaction beneficiaries;
- Third parties, for marketing purposes;
- Government agencies, regulators and any other third parties if the transfer is necessary to meet our legal and regulatory obligations;
- Police authorities, so that they can detect or prevent crimes or prosecute offenders;
- Any third party, in connection with legal proceedings, existing or imminent, provided that we are legally entitled to do so (e.g., in response to a court order);
- Our own auditors and consultants, as well as those of the MEGA Group, in order to assume our audit responsibilities;
- Any other company to which we may assign the contract; and
- Public bodies that have to be informed according to applicable laws.
7. What are data subject rights?
1. Transparency and modalities
We take appropriate measures to provide data subject with any information relating to the conditions of collecting, processing, modifying and deleting his/her personal data. The information shall be provided in writing or by other means including, where appropriate, electronically. The information may be provided orally, upon his/her request, provided that you’re his/her identity can be demonstrated by other means.
We will provide the data subject with information on the measures taken following a request, as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests. We will inform the data subject of that extension and of the reasons for the delay within one month of receipt of the request. Whenever the data subject submits his/her request electronically, the information shall be provided electronically, if possible, unless the data subject request otherwise.
This information is provided free of charge. However, whenever the requests are manifestly unfounded or excessive, in particular because of their repetitive nature, we may: (a) require the payment of a reasonable fee which takes into account the administrative costs incurred in providing the information, organizing the communications or implementing the requested measures; or (b) refuse to comply with such requests.
Whenever we have reasonable doubts as to the identity of the requester, we may ask for the provision of additional information necessary to confirm you’re his/her identity.
2. Information and access to personal data
The Data Subject may send his/her requests directly to MEGA and/or to the Data Protection Officer of the MEGA Group can be contacted at any time at the following addresses. (i) MEGA INTERNATIONAL – Legal Department – 9 avenue René Coty, 75014 Paris, France or (ii) data-privacy@mega.com.
The recipients of the personal data are our employees who intervene in the context of the purpose of the collection of this data and our subcontractors, if necessary. It may also be any entity for commercial prospecting purposes.
Any transfer of personal data outside the territory of its collection is carried out in compliance with the legislation in force. Thus, in the context of the execution of contracts with our customers located in the EU, the personal data collected may be transferred outside the EU, said transfer being governed by Standard Contractual Clauses of the European Commission.
Personal data are kept for the period of time necessary for their processing, plus the duration of the applicable legal requirements.
Data subject may at any time request access to, rectification or erasure of his/her personal data, or restriction of processing. Data subject also have the right to object to the processing, the right to data portability, as well as the right to lodge a complaint with the supervisory authority in his/her country.
3. Right to rectification
The Data subject is granted the right to obtain from us, as soon as possible, the rectification of inaccurate data. Taking into account the purposes of the processing, the data subject is granted the right to request the completion of incomplete personal data, by providing a supplementary statement.
4. Right to erasure ("right to be forgotten")
The data subject is granted the right to obtain the erasure, as soon as possible, of his/her personal data and we will erase such personal data as soon as possible, where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
(b) the data subject has withdrawn the consent on which the processing is based
(c) the data subject objected to the processing if there is a compelling legitimate ground for the processing
(d) the personal data have been unlawfully processed;
(e) the personal data must be erased in order to comply with a legal obligation;
Paragraphs 1 and 2 shall not apply to the extent that such processing is necessary: (a) for the exercise of the right to freedom of expression and information; (b) to comply with a legal obligation which requires processing under Union law or by the law of the member state to which we are subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in MEGA; (c)the establishment, exercise or defense of legal claims.
5. Right to restriction of processing
The data subject is granted the right to obtain from the controller the restriction of processing where one of the following applies:
(a) the accuracy of the personal data is contested by the data subject for a period of time that allows us to verify the accuracy of the personal data;
(b) the processing is unlawful, and the data subject objects to their erasure and instead requests the restriction of their use;
(c) we no longer need the personal data for the purposes of the processing, but they are still necessary for the data subject to establish, exercise or defend legal claims;
If the data subject has obtained the restriction of processing pursuant to paragraph 1, we will inform him/her before the restriction of processing is lifted.
6. Obligation to notify with regard to the rectification or erasure of personal data or the restriction of processing
We will notify each recipient to whom the personal data have been communicated of any rectification or erasure of personal data or any restriction of processing carried out unless such communication proves impossible or requires disproportionate effort. We will provide the data subject with information on those recipients if he/she requests so.
7. Right to object
1. Whenever personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing for such direct marketing purposes.
2. Whenever the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for those purposes.
At the latest at the time of the first contact with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to his/her attention and shall be presented clearly and separately from any other information.
8. What about the security and retention of personal data?
We ensure the security of your data by taking the necessary technical and structural measures to prevent their unlawful or unauthorized processing or accidental loss, destruction and/or damage. We strive to protect your personal data as best we can. However, we cannot guarantee the security of your data transmitted to our websites, applications or services or to other websites, applications and services via an Internet connection or any other connection. If we have assigned a password to allow the access to certain areas of our websites, applications or services, the users shall keep it confidential; we will not share this password with anyone.
If an account has been or seemed to be hacked, please contact us at: data-privacy@mega.com.
9. Cookies, statistics and traffic data
1. What is a cookie?
A cookie is a small file, usually composed of letters and numbers, downloaded when a user accesses a website. The cookies are then sent back to the originating website on each subsequent visit. Cookies are useful because they allow a website to recognize a user's hardware (computer, phone, tablet, etc.).
The use of cookies and similar technologies is common and cookies, in particular, are important for the provision of many online services. The use of these technologies is therefore not prohibited by law, but it requires that users be informed of the existence of cookies and that they have the choice to accept them or not.
2. The different types of cookies
1. Cookies session
Cookies can expire at the end of a browsing session (between the moment the user opens the browser window and the moment it leaves it) or be stored longer.
Session cookies - allow websites to link you’re a user’s actions during a browsing session. They can be used for a variety of purposes, for example to remember what a user put in their shopping cart when he browses a site. They can also be used for security purposes when a user accesses an online bank or to facilitate the use of email. These session cookies expire after a browsing session.
The use of so-called session cookies (which, in any case, are not stored persistently on the user’s computer and are automatically deleted as soon as the browser is closed) is strictly limited to the transmission of data (composed of random numbers created by the server) identifying the specific session and necessary to allow safe and efficient navigation on the site. The session cookies used on this site avoid any other computer method that may compromise the confidentiality of user’s browsing on the web.
2. Persistent cookies
Persistent cookies - are stored on a user’s device between browsing sessions and allow the user’s preferences or actions to be remembered on a site (or in some cases on different sites). Persistent cookies can be used for a variety of purposes, including remembering user’s preferences and choices when using a site.
3. First and third party cookies
Whether a cookie is a "first" or "third" party refers to the website or domain that places the cookie. First-party cookies, in simple terms, are cookies placed by a website visited by the user- the website displayed in the URL window: that is, cookies placed by the MEGA website. Third-party cookies are cookies placed by a domain other than the one visited by the user: i.e. cookies placed by websites other than mega.com. If user’s visits a website (such as mega.com) and a separate company places a cookie through it, it would be a third-party cookie.
3. Consent for cookies
Some cookies are strictly necessary for the proper functioning of the Internet and do not require the user’s consent, such as those that ensure that the content of a page loads quickly and efficiently by distributing the workload on many computers or those that provide security.
Other cookies are still reasonably necessary or important, but they are not strictly essential and, therefore, they require the user’s consent.
The user’s consent can be set using the browser settings, which makes it possible to refuse or give consent regarding cookies by configuring the user’s browser to warn of the presence of cookies, thus allowing the user to decide whether or not to accept the cookie. It is also possible to automatically reject all cookies by activating this option on the browser.
Each browser highlights instructions to this effect.
4. Withdrawal of consent
Your consent to the use of cookies can be withdrawn at any time, although withdrawing consent may have an impact on the functionality of the website.
5. Cookies we use
The collection of cookies helps us understand how our website is used, user behavior, and also tells us which parts of our website have been visited. It also allows us to tailor messages and display advertisements based on a given person’s interests on our website and other platforms. The collection of cookies facilitates and measures the effectiveness of advertisements and searches on the web. Cookies are stored for 13 months, unless he/she decides to delete them before the end of this period.
More specifically, this website uses these types of cookies, as listed in the table below:
technical: necessary for navigation in the site and the use of certain functions (for example, to navigate from one page to another, etc.).
analytical: for the statistical analysis of access to the site, for marketing and commercial purposes.
Pardot: Pardot cookies are tracking cookies attached to forms on our websites and tracking links. The data collected includes information about visits to and use of all MEGA websites, as well as information provided to register for our events and/or subscribe to our communications and resources. The personal data submitted on the forms (such as name, email, company, etc.) may be used to improve browsing experience and send information by email.
Storage: 390 days
Google Analytics – Google analytics uses cookies to collect standard internet log information and visitor behavior in an anonymous form. All information is processed to compile statistical reports on the activities of the MEGA website. Google analytics cookies help us to optimize navigation and improve content. The use of these cookies does not allow us to identify someone personally, and cannot be used from one website to another.
Storage: 50 months
Necessary
| Id | Type | Duration | Description |
|---|---|---|---|
| cky-active-check | https | 1 day | CookieYes sets this cookie to check if the consent banner is active on the website. |
| LS_CSRF_TOKEN | https | session | Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed. |
| cookieyesID | https | 1 year | CookieYes sets this cookie as a unique identifier for visitors according to their consent. |
| cky-consent | https | 1 year | The cookie is set by CookieYes to remember the users's consent settings so that the website recognizes the users the next time they visit. |
| cookieyes-necessary | https | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Necessary' category. |
| cookieyes-functional | https | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Functional' category. |
| cookieyes-analytics | https | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Analytics' category. |
| cookieyes-performance | https | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Performance' category. |
| cookieyes-advertisement | https | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Advertisement' category. |
| cookieyes-other | https | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Other' category. |
| JSESSIONID | https | session | The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application. |
| cky-action | https | 1 year | This cookie is set by CookieYes and is used to remember the action taken by the user. |
| AWSALBCORS | https | 7 days | This cookie is managed by Amazon Web Services and is used for load balancing. |
Functional
| Id | Type | Duration | Description |
|---|---|---|---|
| UserMatchHistory | https | 1 month | LinkedIn sets this cookie for LinkedIn Ads ID syncing. |
| lang | https | session | LinkedIn sets this cookie to remember a user's language setting. |
| bcookie | https | 1 year | LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID. |
| lidc | https | 1 day | LinkedIn sets the lidc cookie to facilitate data center selection. |
| bscookie | https | 1 year | LinkedIn sets this cookie to store performed actions on the website. |
| _zcsr_tmp | https | session | Zoho sets this cookie for the login function on the website. |
| __cf_bm | https | 30 minutes | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. |
| __atuvc | https | 1 year 1 month | AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated. |
| __atuvs | https | 30 minutes | AddThis sets this cookie to ensure that the updated count is seen when one shares a page and returns to it, before the share count cache is updated. |
Analytics
| Id | Type | Duration | Description |
|---|---|---|---|
| _gcl_au | https | 3 months | Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services. |
| _ga | https | 2 years | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. |
| _gid | https | 1 day | Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. |
| _ga_2D68ET6QTX | https | 2 years | This cookie is installed by Google Analytics. |
| pardot | https | past | The pardot cookie is set while the visitor is logged in as a Pardot user. The cookie indicates an active session and is not used for tracking. |
| _gat_UA-41134202-1 | https | 1 minute | A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to. |
| _gat_UA-123215-15 | https | 1 minute | A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to. |
| at-rand | https | never | AddThis sets this cookie to track page visits, sources of traffic and share counts. |
| uvc | https | 1 year 1 month | Set by addthis.com to determine the usage of addthis.com service. |
| _gat_gtag_UA_49007075_1 | https | 1 minute | Set by Google to distinguish users. |
| CONSENT | https | 2 years | YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data. |
| sid | https | past | The sid cookie contains digitally signed and encrypted records of a user’s Google account ID and most recent sign-in time. |
Advertisement
| Id | Type | Duration | Description |
|---|---|---|---|
| MUID | https | 1 year 24 days | Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations. |
| test_cookie | https | 15 minutes | The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies. |
| personalization_id | https | 2 years | Twitter sets this cookie to integrate and share features for social media and also store information about how the user uses the website, for tracking and targeting. |
| _fbp | https | 3 months | This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website. |
| ANONCHK | https | 10 minutes | The ANONCHK cookie, set by Bing, is used to store a user's session ID and also verify the clicks from ads on the Bing search engine. The cookie helps in reporting and personalization as well. |
| IDE | https | 1 year 24 days | Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile. |
| fr | https | 3 months | Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin. |
| loc | https | 1 year 1 month | AddThis sets this geolocation cookie to help understand the location of users who share the information. |
| YSC | https | session | YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages. |
| VISITOR_INFO1_LIVE | https | 5 months 27 days | A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface. |
Performance
| Id | Type | Duration | Description |
|---|---|---|---|
| _uetsid | https | 1 day | Bing Ads sets this cookie to engage with a user that has previously visited the website. |
| _uetvid | https | 1 year 24 days | Bing Ads sets this cookie to engage with a user that has previously visited the website. |
| SRM_B | https | 1 year 24 days | Used by Microsoft Advertising as a unique ID for visitors. |
| AWSALB | https | 7 days | AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target. |
Other
| Id | Type | Duration | Description |
|---|---|---|---|
| muc_ads | http | 2 years | No description |
| _dc_gtm_UA-41134202-1 | http | 1 minute | No description |
| AnalyticsSyncHistory | http | 1 month | No description |
| isiframeenabled | https | 1 day | No description available. |
| li_gc | http | 5 months 27 days | No description |
| CLID | https | 1 year | No description |
| uesign | http | 1 month | No description |
| _clck | http | 1 year | No description |
| SM | https | session | No description available. |
| _clsk | http | 1 day | No description |
| mega-_zldp | http | 2 years | No description |
| mega-_zldt | http | 1 day | No description |
| visitor_id62412 | http | 1 year 24 days | No description |
| visitor_id62412-hash | http | 1 year 24 days | No description |
| lpv62412 | http | 30 minutes | No description |
| _gali | https | past | No description available. |
| 663a60c55d | https | session | No description available. |
| visitorId | http | 1 year | No description |
| oktolead-001jzslq0ea554j-Url | https | 1 day | No description |
| oktolead-001jzslq0ea554j-Country | https | 1 day | No description |
| LiSESSIONID | https | session | No description available. |
| LithiumVisitor | https | 10 years | No description available. |
| LithiumCookiesAccepted | http | 10 years | No description |
| VISITOR_BEACON | https | 10 years | No description available. |
| LithiumUserInfo | http | past | No description |
| LithiumUserSecure | http | past | No description |
| oktolead-001jzslq0ea554j-State | https | 1 day | No description |
| t | http | session | No description |
| DT | https | 2 years | No description |
| oktaStateToken | http | 1 hour | No description |
| autolaunch_triggered | http | past | No description |
Last Update: September 12th, 2022