MEGA Group Data Privacy Policy

1. Introduction

The services, products, apps and in general the offers provided by MEGA may involve the collection of personal data. The purpose of this document is to explain the conditions under which personal data are collected and are likely to be processed so that these actions are carried out with the greatest transparency.

It also aims to specify how data subjects may exercise their rights, with the said collection and processing being carried out in compliance with the legislation in force.

2. Definitions

For the purposes of this Policy:

“personal data” means any information relating to an identified or identifiable natural person ('data subject'); 'identifiable natural person' means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more factors specific to his or her physical, physiological, genetic, mental, economic, cultural or social identity;

“processing” means any operation or set of operations whether or not carried out by automated means and applied to personal data or sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or interconnection, limitation, erasure or destruction;

“file” means any structured set of personal data accessible according to specified criteria, whether centralized, decentralized or functionally or geographically distributed;

“controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing;

“processor” means the natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller;

“consent” of the data subject means any free, specific, informed and unequivocal expression of will by which the data subject accepts, by a statement or by a clear affirmative action, that personal data concerning him or her may be processed;

3. Who is concerned by this Policy?

This Policy is applicable to all companies of the MEGA Group.

4. How do we collect your personal data?

We collect personal data either directly or indirectly.

We may collect personal data directly when the data subject provides it to us, for example by filling in a form on a website, or when we ask the data subject for it on any occasion such as during the performance of a contract, a contact form on the Internet, a trade show, a survey, participation in a discussion forum, participation in a contest, or interaction on professional social networks such as LinkedIn.

We may also collect personal data indirectly through a third party. This may be, for example, the performance of a contract to which an employer is a party when the data subject is a user of an app, a product and/or services, or when the data subject is our contact in charge of, for example, billing, placing an order, paying a sum of money or other.

We may collect on these occasions your first name, last name, business contact details (telephone, title, physical and email address, and IP address).

If a data subject provides us with a third party’s personal data, it is his/her responsibility to ensure that he/she complies with the applicable regulations on the protection of personal data and in particular his/her obligations to obtain the prior consent of the data subject whose personal data he/she provides to us. As such, in accordance with the applicable data protection regulations, he/she must notify the data subjects and obtain their express consent, or have a legal basis to provide us with their personal data. Furthermore, he/she must inform the data subjects how we collect, use, disclose and store their personal data and invite them to read our Privacy Policy.

5. How do we use personal data?

Subject to applicable laws, we collect and process your data for the following purposes:

  • To provide any information and services requested and the applications or services ordered;
  • To perform our contractual obligations towards the data subject or his/her employer;
  • To manage our business relationship (for example, customer services and support activities);
  • To detect, prevent or investigate criminal, illegal or prohibited activities, or protect our rights (including liaising with regulatory and law enforcement agencies for these purposes);
  • To invite participation in a customer survey (for example, feedback on use of our apps, products and services);
  • To provide advertisements, marketing messages (which may include banner message windows) or targeted information that may be useful, based on how our app, products and services are used;
  • To collect information about how users use the features of our websites, applications and services.

6. To whom may we transfer personal data?

We may transfer personal data to:

  • Any company of the MEGA Group and any subcontractor for the proper performance of our contractual obligations. This is particularly the case for our maintenance and support activities (MEGA Group) and Microsoft Ireland Operations Ltd, One Microsoft Place, South County Industrial Park, Leopardstown, Dublin 18, D18 P521 (hosting of our SaaS services);
  • Third parties that we use to carry out payment transactions, such as clearing companies, clearing systems, financial institutions and transaction beneficiaries;
  • Third parties, for marketing purposes;
  • Government agencies, regulators and any other third parties if the transfer is necessary to meet our legal and regulatory obligations;
  • Police authorities, so that they can detect or prevent crimes or prosecute offenders;
  • Any third party, in connection with legal proceedings, existing or imminent, provided that we are legally entitled to do so (e.g., in response to a court order);
  • Our own auditors and consultants, as well as those of the MEGA Group, in order to assume our audit responsibilities;
  • Any other company to which we may assign the contract; and
  • Public bodies that have to be informed according to applicable laws.

7. What are data subject rights?

1. Transparency and modalities

We take appropriate measures to provide the data subject with any information relating to the conditions of collecting, processing, modifying and deleting his/her personal data. The information shall be provided in writing or by other means including, where appropriate, electronically. The information may be provided orally, upon his/her request, provided that his/her identity can be demonstrated by other means.

We will provide the data subject with information on the measures taken following a request, as soon as possible and in any event within one month of receipt of the request. If necessary, this period may be extended by two months, taking into account the complexity and number of requests. We will inform the data subject of that extension and of the reasons for the delay within one month of receipt of the request. Whenever the data subject submits his/her request electronically, the information shall be provided electronically, if possible, unless the data subject requests otherwise.

This information is provided free of charge. However, whenever the requests are manifestly unfounded or excessive, in particular because of their repetitive nature, we may: (a) require the payment of a reasonable fee which takes into account the administrative costs incurred in providing the information, organizing the communications or implementing the requested measures; or (b) refuse to comply with such requests.

Whenever we have reasonable doubts as to the identity of the requester, we may ask for the provision of additional information necessary to confirm his/her identity.

2. Information and access to personal data

The data subject may send his/her requests directly to MEGA and/or to the Data Protection Officer of the MEGA Group, who can be contacted at any time at the following addresses: (i) MEGA INTERNATIONAL – Legal Department – 9 avenue René Coty, 75014 Paris, France or (ii) data-privacy@mega.com.

Any data subject request will be answered within thirty (30) days of reception, except if the nature and complexity of the request requires a longer delay. In any case, an answer will be provided no later than sixty (60) days after receipt of the data subject request.

Upon expiration of the above-mentioned period, the data subject has the right to lodge a complaint with a Supervisory Authority in the form and manner provided by the legislation in force.

The recipients of the personal data are our employees who intervene in the context of the purpose of the collection of this data and our subcontractors, if necessary. It may also be any entity for commercial prospecting purposes.

Any transfer of personal data outside the territory of its collection is carried out in compliance with the legislation in force. Thus, in the context of the execution of contracts with our customers located in the EU, the personal data collected may be transferred outside the EU, said transfer being governed by Standard Contractual Clauses of the European Commission.

Personal data are kept for the period of time necessary for their processing, plus the duration of the applicable legal requirements.

The data subject may at any time request access to, rectification or erasure of his/her personal data, or restriction of processing. The data subject also has the right to object to the processing, the right to data portability, as well as the right to lodge a complaint with the supervisory authority in his/her country.

3. Right to rectification

The data subject is granted the right to obtain from us, as soon as possible, the rectification of inaccurate data. Taking into account the purposes of the processing, the data subject is granted the right to request the completion of incomplete personal data, by providing a supplementary statement.

4. Right to erasure ("right to be forgotten")

The data subject is granted the right to obtain the erasure, as soon as possible, of his/her personal data and we will erase such personal data as soon as possible, where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(b) the data subject has withdrawn the consent on which the processing is based;

(c) the data subject objected to the processing if there is a compelling legitimate ground for the processing;

(d) the personal data have been unlawfully processed;

(e) the personal data must be erased in order to comply with a legal obligation.

Paragraphs 1 and 2 shall not apply to the extent that such processing is necessary: (a) for the exercise of the right to freedom of expression and information; (b) to comply with a legal obligation which requires processing under Union law or by the law of the member state to which we are subject, or to carry out a task carried out in the public interest or in the exercise of official authority vested in MEGA; (c) for the establishment, exercise or defense of legal claims.

5. Right to restriction of processing

The data subject is granted the right to obtain from the controller the restriction of processing where one of the following applies:

(a) the accuracy of the personal data is contested by the data subject for a period of time that allows us to verify the accuracy of the personal data;

(b) the processing is unlawful, and the data subject objects to their erasure and instead requests the restriction of their use;

(c) we no longer need the personal data for the purposes of the processing, but they are still necessary for the data subject to establish, exercise or defend legal claims.

If the data subject has obtained the restriction of processing pursuant to paragraph 1, we will inform him/her before the restriction of processing is lifted.

6. Obligation to notify with regard to the rectification or erasure of personal data or the restriction of processing

We will notify each recipient to whom the personal data have been communicated of any rectification or erasure of personal data or any restriction of processing carried out unless such communication proves impossible or requires disproportionate effort. We will provide the data subject with information on those recipients if he/she requests so.

7. Right to object

1. Whenever personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing for such direct marketing purposes.

2. Whenever the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for those purposes.

At the latest at the time of the first contact with the data subject, the right referred to in paragraphs 1 and 2 shall be explicitly brought to his/her attention and shall be presented clearly and separately from any other information.

8. What about the security and retention of personal data?

We ensure the security of your data by taking the necessary technical and structural measures to prevent their unlawful or unauthorized processing or accidental loss, destruction and/or damage. We strive to protect your personal data as best we can. However, we cannot guarantee the security of your data transmitted to our websites, applications or services or to other websites, applications and services via an Internet connection or any other connection. If we have assigned a password to allow access to certain areas of our websites, applications or services, the users shall keep it confidential; we will not share this password with anyone.

If an account has been, or appears to have been, hacked, please contact us at: data-privacy@mega.com.

9. Cookies, statistics and traffic data

1. What is a cookie?

A cookie is a small file, usually composed of letters and numbers, downloaded when a user accesses a website. The cookies are then sent back to the originating website on each subsequent visit. Cookies are useful because they allow a website to recognize a user's hardware (computer, phone, tablet, etc.).

The use of cookies and similar technologies is common and cookies, in particular, are important for the provision of many online services. The use of these technologies is therefore not prohibited by law, but it requires that users be informed of the existence of cookies and that they have the choice to accept them or not.

2. The different types of cookies

1. Session cookies

Cookies can expire at the end of a browsing session (between the moment the user opens the browser window and the moment the user leaves it) or be stored longer.

Session cookies allow websites to link a user’s actions during a browsing session. They can be used for a variety of purposes, for example to remember what a user put in their shopping cart while browsing a site. They can also be used for security purposes when a user accesses an online bank or to facilitate the use of email. These session cookies expire after a browsing session.

The use of so-called session cookies (which, in any case, are not stored persistently on the user’s computer and are automatically deleted as soon as the browser is closed) is strictly limited to the transmission of data (composed of random numbers created by the server) identifying the specific session and necessary to allow safe and efficient navigation on the site. The session cookies used on this site avoid any other computer method that may compromise the confidentiality of the user’s browsing on the web.

2. Persistent cookies

Persistent cookies are stored on a user’s device between browsing sessions and allow the user’s preferences or actions to be remembered on a site (or in some cases on different sites). Persistent cookies can be used for a variety of purposes, including remembering a user’s preferences and choices when using a site.

3. First and third party cookies

Whether a cookie is a "first" or "third" party cookie refers to the website or domain that places the cookie. First-party cookies, in simple terms, are cookies placed by a website visited by the user (the website displayed in the URL window): that is, cookies placed by the MEGA website. Third-party cookies are cookies placed by a domain other than the one visited by the user: i.e. cookies placed by websites other than mega.com. If a user visits a website (such as mega.com) and a separate company places a cookie through it, it would be a third-party cookie.

3. Consent for cookies

Some cookies are strictly necessary for the proper functioning of the Internet and do not require the user’s consent, such as those that ensure that the content of a page loads quickly and efficiently by distributing the workload on many computers or those that provide security.

Other cookies are still reasonably necessary or important, but they are not strictly essential and, therefore, they require the user’s consent.

The user’s consent can be set using the browser settings, which makes it possible to refuse or give consent regarding cookies by configuring the user’s browser to warn of the presence of cookies, thus allowing the user to decide whether or not to accept the cookie. It is also possible to automatically reject all cookies by activating this option on the browser.

Each browser provides instructions to this effect.

4. Withdrawal of consent

Your consent to the use of cookies can be withdrawn at any time, although withdrawing consent may have an impact on the functionality of the website.

5. Cookies we use

The collection of cookies helps us understand how our website is used, user behavior, and also tells us which parts of our website have been visited. It also allows us to tailor messages and display advertisements based on a given person’s interests on our website and other platforms. The collection of cookies facilitates and measures the effectiveness of advertisements and searches on the web. Cookies are stored for 13 months, unless the user decides to delete them before the end of this period.

More specifically, this website uses these types of cookies, as listed in the table below:

technical: necessary for navigation in the site and the use of certain functions (for example, to navigate from one page to another, etc.).

analytical: for the statistical analysis of access to the site, for marketing and commercial purposes.

Pardot: Pardot cookies are tracking cookies attached to forms on our websites and tracking links. The data collected includes information about visits to and use of all MEGA websites, as well as information provided to register for our events and/or subscribe to our communications and resources. The personal data submitted on the forms (such as name, email, company, etc.) may be used to improve browsing experience and send information by email.

Storage: 390 days

Google Analytics: Google Analytics uses cookies to collect standard internet log information and visitor behavior in an anonymous form. All information is processed to compile statistical reports on the activities of the MEGA website. Google Analytics cookies help us to optimize navigation and improve content. The use of these cookies does not allow us to identify someone personally, and cannot be used from one website to another.

Storage: 50 months

Necessary

| Id | Duration | Description |
| --- | --- | --- |
| LS_CSRF_TOKEN | session | Cloudflare sets this cookie to track users’ activities across multiple websites. It expires once the browser is closed. |
| cookieyesID | 1 year | CookieYes sets this cookie as a unique identifier for visitors according to their consent. |
| cky-consent | 1 year | The cookie is set by CookieYes to remember the users' consent settings so that the website recognizes the users the next time they visit. |
| cookieyes-necessary | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Necessary' category. |
| cookieyes-functional | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Functional' category. |
| cookieyes-analytics | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Analytics' category. |
| cookieyes-performance | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Performance' category. |
| cookieyes-advertisement | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Advertisement' category. |
| cookieyes-other | 1 year | CookieYes sets this cookie to remember the consent of users for the use of cookies in the 'Other' category. |
| JSESSIONID | session | The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application. |
| cky-action | 1 year | This cookie is set by CookieYes and is used to remember the action taken by the user. |
| AWSALBCORS | 7 days | This cookie is managed by Amazon Web Services and is used for load balancing. |
| TiPMix | 1 hour | The TiPMix cookie is set by Azure to determine which web server the users must be directed to. |
| x-ms-routing-name | 1 hour | Azure sets this cookie for routing production traffic by specifying the production slot. |
| has_js | session | This cookie is used to indicate whether the user's browser has enabled JavaScript. |


Functional

| Id | Duration | Description |
| --- | --- | --- |
| bcookie | 1 year | This cookie is set by LinkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page. |
| lidc | 1 day | This cookie is set by LinkedIn and used for routing. |
| _hjAbsoluteSessionInProgress | 1 hour | Hotjar sets this cookie to detect a user's first pageview session, which is a True/False flag set by the cookie. |
| lang | session | This cookie is used to store the language preferences of a user to serve up content in that stored language the next time the user visits the website. |


Analytics

| Id | Duration | Description |
| --- | --- | --- |
| _gcl_au | 3 months | This cookie is used by Google Analytics to understand user interaction with the website. |
| _ga | 1 year 1 month 4 days | This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors. |
| _gid | 1 day | This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source where they have come from, and the pages visited in an anonymous form. |
| pardot | past | The cookie is set when the visitor is logged in as a Pardot user. |
| _gat_UA-* | 1 minute | Google Analytics sets this cookie for user behaviour tracking. |
| _ga_* | 1 year 1 month 4 days | Google Analytics sets this cookie to store and count page views. |
| _hjFirstSeen | 1 hour | Hotjar sets this cookie to identify a new user’s first session. It stores the true/false value, indicating whether it was the first time Hotjar saw this user. |
| _hjRecordingEnabled | session | Hotjar sets this cookie when a Recording starts and is read when the recording module is initialized, to see if the user is already in a recording in a particular session. |
| _hjTLDTest | session | To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails. |
| _hjSession_* | 1 hour | Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site. |
| _hjSessionUser_* | 1 year | Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site. |
| utsdb | never | Zoho SalesIQ sets this cookie to register data on visitor's website behaviour. |
| siqlsdb | never | Zoho sets this cookie to generate a unique ID for the session. This allows the website to obtain data on visitor behaviour for statistical purposes. |
| _sp_id.* | never | Snowplow sets this cookie to store user information that is created when a user first visits a site and is updated on subsequent visits. |
| _sp_ses.* | never | Snowplow sets this cookie to store user information that is created when a user first visits a site and is updated on subsequent visits. |
| _uetsid | 1 day | These cookies are used to collect analytical information about how visitors use the website. This information is used to compile reports and improve the site. |
| oktgid | 1 year | This cookie is used for storing the visitor ID of the user who clicked on an okt.to link. |
| oktsid | session | This cookie is used for storing the session ID of the user who clicked on an okt.to link. |
| _gat_UA-41134202-1 | 1 minute | This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites. |
| _gat_UA-41134202-4 | 1 minute | This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites. |


Advertisement

| Id | Duration | Description |
| --- | --- | --- |
| MUID | 1 year 24 days | Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking. |
| test_cookie | 15 minutes | This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies. |
| personalization_id | 1 year 1 month 4 days | This cookie is set by twitter.com. It is used to integrate the sharing features of this social media. It also stores information about how the user uses the website for tracking and targeting. |
| _fbp | 3 months | This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website. |
| IDE | 1 year 24 days | Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile. |
| fr | 3 months | The cookie is set by Facebook to show relevant advertisements to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin. |
| VISITOR_INFO1_LIVE | 6 months | This cookie is set by YouTube. Used to track the information of the embedded YouTube videos on a website. |
| yt-remote-device-id | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
| yt.innertube::requests | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
| yt-remote-connected-devices | never | YouTube sets this cookie to store the user's video preferences using embedded YouTube videos. |
| yt.innertube::nextId | never | YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen. |
| li_sugr | 3 months | LinkedIn sets this cookie to collect user behaviour data to optimise the website and make advertisements on the website more relevant. |
| visitor_id* | 1 year 24 days | Pardot sets this cookie to store a unique user ID. |
| visitor_id*-hash | 1 year 24 days | Pardot sets this cookie to store a unique user ID. |
| bscookie | 1 year | This cookie is a browser ID cookie set by LinkedIn share buttons and ad tags. |
| uid | 2 months | This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisements. |


Performance

| Id | Duration | Description |
| --- | --- | --- |
| YSC | session | This cookie is set by YouTube and is used to track the views of embedded videos. |
| AWSALB | 7 days | AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target. |


Other

| Id | Duration | Description |
| --- | --- | --- |
| muc_ads | 2 years | No description |
| uesign | 1 month | No description |
| oktolead-001jzslq0ea554j-Url | 1 day | No description |
| oktolead-001jzslq0ea554j-Country | 1 day | No description |
| LiSESSIONID | session | No description available. |
| LithiumVisitor | 6 months | No description available. |
| VISITOR_BEACON | 6 months | No description available. |
| LithiumUserInfo | past | No description |
| LithiumUserSecure | past | No description |
| oktolead-001jzslq0ea554j-State | 1 day | No description |
| t | session | No description |
| DT | 1 year 1 month 4 days | No description |
| oktaStateToken | 1 hour | No description |
| autolaunch_triggered | past | No description |
| _hjIncludedInSessionSample_3340680 | 1 hour | Description is currently not available. |
| z | session | No description available. |
| box_visitor_id | 1 year | No description available. |
| bv | 7 days | No description available. |
| cn | 1 year | No description available. |
| site_preference | session | No description available. |
| LithiumNecessaryCookiesAccepted | 6 months | Description is currently not available. |
| LithiumFunctionalCookiesAccepted | 6 months | Description is currently not available. |
| LithiumTargetingCookiesAccepted | 6 months | Description is currently not available. |
| LithiumPerformanceCookiesAccepted | 6 months | Description is currently not available. |
| slireg | 7 days | No description available. |
| sliguid | 1 year | No description available. |
| slirequested | 1 year | No description available. |
| site_identity | 1 year | No description available. |
| VISITOR_PRIVACY_METADATA | 6 months | Description is currently not available. |
| ubpv | 6 months 1 day | No description available. |
| ubvs | 6 months | No description available. |
| ubvt | 3 days | No description available. |
| .AspNetCore.Antiforgery.9fXoN5jHCXs | session | Description is currently not available. |
| _ga_2D68ET6QTX | 2 years | No description |
| _uetvid | 1 year 24 days | No description |
| _dc_gtm_UA-41134202-1 | 1 minute | No description |
| isiframeenabled | 1 day | No description |
| UserMatchHistory | 1 month | LinkedIn - Used to track visitors on multiple websites, in order to present relevant advertisement based on the visitor's preferences. |
| AnalyticsSyncHistory | 1 month | No description |
| mega-_zldp | 1 year 1 month 4 days | No description |
| mega-_zldt | 1 day | No description |
| visitor_id62412 | 1 year 24 days | No description |
| visitor_id62412-hash | 1 year 24 days | No description |
| lpv62412 | 1 hour | No description |
| 663a60c55d | session | No description |
| _zcsr_tmp | session | No description |
| c | 1 year | This cookie is set by the Rubicon Project. The exact purpose of the cookie is not known. |
| pf | 2 months | No description |
| CONSENT | 2 years | No description |
| _ga_CRC1RPCZW2 | 2 years | No description |

 

Last Update: December 12th, 2023