Mega Limited – Privacy and Data Policy

Introduction

  1. This Policy governs our processing of your personal information and the way in which we deal with other data that is not personal information. “Personal information” is the New Zealand term for “personal data” as defined in the European Union’s General Data Protection Regulation EU2016/679 (“GDPR”). The term “processing” is used as defined in the GDPR. It includes collection, storage, and all of the ways we use, and allow you to use, personal information, when we provide our services. You are the data controller under the GDPR of the personal information you provide to us as part of your Account Data (see below). Mega Limited (New Zealand company number 4136598) (“MEGA”, “we”, “us” or “our”) of Level 21, Huawei Centre, 120 Albert Street, Auckland, New Zealand is the data controller under the GDPR of all other personal information.
  2. Important: We store all data on servers in New Zealand, Canada and/or Europe. If you access your data or give someone else access to your data using our services and you or they are not in New Zealand, Canada or Europe, you or they may be accessing that data from a country that does not give adequate protection to personal information when compared to that given under the New Zealand Privacy Act 2020, the Canadian Personal Information Protection and Electronic Documents Act 2000 or the GDPR. Under our Terms of Service (“Terms”) you authorise us to grant this access.
  3. This Policy is divided into five sections to make it easier for you to see which provisions apply to different types of data. Words and phrases which are defined in our Terms have the same meanings when they are used in this Policy.
  4. The sections of this Policy are:
    1. This Introduction section
    2. The “Your files” section. This covers the actual encrypted files that you upload, access and share using our services.
    3. The “Your chats” section. This covers the encrypted text, voice and video chats you engage in using our services.
    4. The “Account data” section. This covers the metadata that is collected and generated by our systems when you use our services, and the information that you provide to us when you register and communicate with us.
    5. The “Usage data” section. This covers the data that is collected and generated when you use our services.
    6. The “General” section, which applies to all our services and all types of data.
  5. The GDPR provides rights to European users, but, as a leading privacy company, we make the GDPR protections and rights available to all our users globally in respect of their personal data (or “personal information” as we refer to it in New Zealand), wherever you may live.

Your files

  1. This is the section of this Policy that covers the actual encrypted files that you upload, access and share using our services (“Your Files”). The following specific terms apply:
    1. When you upload a file, it is already encrypted at your device, so we do not know whether it is personal to you or someone else, relates to a business or some other organisation, or what it contains. We also generate and store encrypted previews of images, videos and certain other types of file. We gather a small amount of metadata about the type of file, but that does not disclose the content or information that the file contains. In relation to metadata, see the section of this Policy specifically covering Account Data.
    2. All Your Files remain encrypted at all times while they are on our system. They are never received, stored or otherwise dealt with by us in unencrypted form because any decryption takes place only on your device or that of another user to whom you have provided the file/folder links and keys that are created when you give them access. Your Files are therefore not personal data under the GDPR (or “personal information” as we refer to it under the New Zealand Privacy Act 2020) since they are never held by MEGA in a form that is information about an identified or identifiable natural person.
    3. We collect Your Files because that is necessary for us to provide our end-to-end encrypted cloud storage and collaboration services that you contract for when you agree to our Terms.
    4. Although Your Files are not personal information within our system because you have encrypted them, you should know that we store Your Files and make them available from servers that are owned and controlled by us, in secure facilities in Europe or in countries (such as Canada or New Zealand) that the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR and which have comparable protections to those given by the New Zealand Privacy Act 2020, depending where you are based. None of Your Files are stored in, or made available from, the United States of America.
    5. We keep Your Files while you are subscribed to our services but subject to our suspension and termination rights set out in our Terms. You must maintain copies of Your Files. We do not make any guarantees that there will be no loss of data or the services will be bug free. You should download Your Files prior to termination of services including where the administrator of a business account, within which you have used the services, terminates that business account (see clause 13 below). If you forget your password you will lose access to all Your Files unless you have exported a Recovery Key.
    6. When you delete one of Your Files it will be made inaccessible, marked for deletion and removed when the next appropriate file purging process is run, subject to any retention specifically allowed under this Policy or our Terms. After account termination, all Your Files will be marked for deletion and removed when the next appropriate file purging process is run, subject to any retention specifically allowed under this Policy or our Terms.
    7. The deletion process specified in clause 6.6 will not apply to a deduplicated file that is associated with another user (see our Terms).
    8. We may, but shall not be obliged to, keep Your Files after your account has been suspended or terminated. In particular, we may, but shall not be obliged to, keep Your Files where we consider it necessary for evidential purposes relating to a breach of our Cookie Policy, Terms or with respect to current or anticipated action by any competent enforcement authority or other third party. With respect to release of Your Files to competent enforcement authorities and third parties, see our Takedown Guidance Policy.
    9. See also the General section of this Policy which applies to all types of data, including Your Files.

Your chats

  1. This is the section of this Policy that covers the content of your text, voice and video chats (“Your Chats”). The following specific terms apply:
    1. For private chats, only the people using the accounts that you’re engaging with in the chat can read, see or hear the chat content posted while they were a member of that chat group. Public chats can be read by anyone who has the link to that chat. Every text message you send is stored as an encrypted binary large object (“blob”). The times and participants of your successful and unsuccessful chats are stored in unencrypted form. The content of voice and video chats is not retained. If you have enabled rich URL previews, a plain text preview is generated in our system but is stored separately. When you review the text or voice chat history and contents, or reinitiate that chat with the same participant(s), the blobs are decrypted in your browser or mobile app.
    2. All Your Chats remain encrypted at all times while they are on our system. They are never stored or otherwise dealt with by us in unencrypted form because encryption and any decryption of the blob takes place only on your device. Your Chats are therefore not personal data under the GDPR (or “personal information” as we refer to it under the New Zealand Privacy Act 2020) since they are never held by MEGA in a form that is information about an identified or identifiable natural person.
    3. We retain and store Your Chats because that is necessary for us to provide our end-to-end encrypted chat service that you contract for when you agree to our Terms.
    4. Although Your Chats are not personal information within our system because you have encrypted them, you should know that we store Your Chats and make them available in encrypted form from servers that are owned and controlled by us, in secure facilities in Europe or in countries (such as Canada or New Zealand) that the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR or which have comparable protections to those given by the New Zealand Privacy Act 2020, depending where you are based. None of Your Chats are stored in, or made available from, the United States of America.
    5. We keep Your Chats while you are subscribed to our services but subject to our suspension and termination rights set out in our Terms. We do not make any guarantees that there will be no loss of data or the services will be bug free.
    6. Chats may be deleted by the moderator of the chat, which may be you or another Mega user (depending on who has initiated the chat and been granted moderator rights). When the moderator deletes the chat history it will be removed from his or her chat and will no longer be accessible to any participant in that chat.
    7. See also the General section of this Policy which applies to all types of data, including Your Chats.

Account data

  1. This is the section of this Policy that covers account information you give us, and metadata and records of financial transactions that we generate in relation to Your Files, Your Chats and your account. The following specific terms apply:
    1. When you sign up for particular services you will need to give us the details required in our registration form and will need to keep that information up to date, including any payment account details (e.g. online payment provider account information).
    2. You do not need to give us any information other than an email address to use a free MEGA account, but the volume of Your Files that you can store and some other functionality is limited with such accounts. Where you wish to access greater storage and other functionality under a paid plan, you will need to give us (including our related or affiliated entities, payment processors and resellers) the information (such as tax identification and payment information) that is required under the particular plan and our Terms in relation to those services. For paid plans MEGA and its related or affiliated entities, payment processors and resellers that you use to make payments, retain account and payment information including a record of all transactions on your account.
    3. When you use our services, our systems retain the following metadata in unencrypted form:
      1. Browser type and operating system of the devices from which you have logged in to MEGA;
      2. IP address and port information for logins, API usage, file uploads, folder creations and link exports;
      3. The country that we expect you are accessing our services from (inferred by matching your IP address to a public IP address database);
      4. File sizes, versioning order, timestamps and parent-child file relationships;
      5. Deletion timestamps;
      6. The email address of anyone you have specifically made a contact using Mega’s systems. Note that Your Files and folders can be shared privately by invitation to specified email addresses or shared more generally by creating a file or folder link and decryption key;
      7. Contact email addresses of chat participants, chat commencement time and chat duration, and moderation activity;
      8. Takedowns and account suspensions;
      9. Our communications with you; and
      10. Your personal account settings, including any avatar picture.
    4. From time to time we may need to communicate with each other directly. We will use Mega’s chat facility, internal messaging system or the email address you have included in the settings information in your account. Any communication to you will be deemed to be received by you in accordance with the electronic communication provisions of the New Zealand Contract and Commercial Law Act 2017, no matter whether you are actively monitoring the account or its email address or not. You can communicate with us using the appropriate address on our contacts page and your email will be deemed to be received by us in accordance with the electronic communication provisions of the New Zealand Contract and Commercial Law Act 2017. Examples of direct communications include copyright or other enforcement emails, notifications under our Takedown Guidance Policy, system update information, data breach notifications, notification of major changes to our Terms, our Cookie Policy or this Policy and billing information.
    5. Access to your account is by way of nominated email address and password. It is your responsibility to keep these safe and secure as Mega stores the email address but does not store the password. If you forget your password you will lose access to all your data unless you have exported a Recovery Key.
    6. We will collect, store, use and otherwise process Account Data so that we can provide the services you have contracted to obtain from us under our Terms. We also have a legitimate interest in processing Account Data so that we can maintain and improve our systems and services and communicate with you as referenced in this Policy.
    7. We retain Account Data as long as your account is active. After account suspension or termination, including where the administrator of a business account, within which you have used the services, terminates that business account (see clause 13 below), we may, but shall not be obliged to, retain all Account Data if enforcement action is likely or commenced under our Terms, our Cookie Policy, or Takedown Guidance Policy or for 12 months, whichever is longer, or in the case of records of financial transactions relating to your account for such period of time as we are legally required to retain such information. Users sometimes request that an account be re-activated so we keep Account Data for 12 months for that purpose. Where there is no enforcement action likely or commenced and the 12 month period has expired, or after such longer period as is applicable in the case of records of financial transactions relating to your account that we are legally required to retain, Account Data that identifies you will be anonymised, but where you are a contact of, have had a folder shared with you by, or have chatted with, another MEGA user, those details will continue to be retained to allow services to continue for those other users. See also the General section of this Policy with regard to retention.
    8. You can download your Account Data at https://mega.nz/fm/account/history while you are logged into your account. This will provide your Account Data but not Your Files. You can request correction of Account Data if it is considered incorrect, in accordance with the New Zealand Privacy Act 2020 and the GDPR. Any requests for access to, or correction of, Account Data that is not available to you when you are logged into your account, or if you cannot log in to your account, should be made to privacy@mega.nz specifying the information in question. The information will be provided promptly, and at least within one month, without charge unless the request is manifestly unfounded or excessive. Corrections will be promptly considered and actioned if appropriate.
    9. If MEGA has disclosed the Account Data to any third party (such as a compliance authority), it will inform them of any correction where possible and will also inform the individuals about the third parties to whom the data has been disclosed where lawful and appropriate.
    10. See also the General section of this Policy which applies to all types of data, including Account Data.

Usage data

  1. This is the section of this Policy that covers your activity using our services (“Usage Data”). Our Cookie Policy provides more specific information on certain types of Usage Data and your rights to control when it is collected and what it is used for. Subject at all times to the rights you have pursuant to our Cookie Policy the following specific terms apply:
    1. We may:
      1. collect Usage Data to assist in the operation and improvement of our services;
      2. join Usage Data with other users’ data and give it to advertisers in a way which doesn’t personally identify any particular user;
      3. analyse and use Usage Data for marketing or statistical purposes as well as to improve the way we do business with our users; and
      4. serve advertisements or use third-party advertising companies to serve advertisements on our services and on third party sites, as well as to assist us in analysing our marketing and other business efforts.
    2. We collect and keep Usage Data with your consent to provide services and support related to our services, for market and product research and to be able to give users promotional material and special offers on our services.
    3. See also the General section of this Policy which applies to all types of data, including Usage Data.

General

  1. This is the section of this Policy that covers all types of data.

Basis of processing and dealing with data

  1. As noted above, we process your personal information because we have contracted with you to do so under our Terms, this Policy, our Cookie Policy and our Takedown Guidance Policy. We cannot provide our services without that data. Other data that is not personal information is also dealt with by us in accordance with our Terms, this Policy, our Cookie Policy and our Takedown Guidance Policy.

Giving access to other users

  1. You must ensure that anyone to whom you give access to any of Your Files, Your Chats or your Account Data complies with our Terms, our Cookie Policy, our Takedown Guidance Policy and this Policy. You are responsible for their compliance. This applies particularly where you are the administrator of a business account.
  2. For business accounts, the administrator of that account can see and deal with the files and data associated with all users within that account (including any data and any personal information). In addition:
    1. if the business account is suspended or terminated, the action will affect the data and personal information of every user within that account;
    2. the administrator of the business account will be able to see and deal with, change or delete the files and data associated with every user within that account (including any of Your Data, Your Chats, Account Data and any of your personal information); and
    3. the administrator of the business account will be able to terminate any user’s account within the business account, restrict or disable usage of the account, change any user’s password and otherwise deny access to the account and you will then lose access to all Your Data, Your Chats, Account Data and all personal information associated with your usage of the business account.

Your own security practices are critical

  1. We strongly urge you to use best practices for ensuring the safety of your systems and devices (e.g. via strong unique passwords, security upgrades, firewall protection, anti-virus software, securing devices). MEGA will never send an email asking for your password, so do not be fooled by any such email since it will not be from us. We cannot guarantee the security of computers or devices nor of transmission from and to your device over the Internet and thus cannot guarantee there will be no unauthorised access. Also, if you lose or otherwise allow access to your password or encryption keys, you will lose the security of all your data. If you forget your password you will lose access to all your data unless you have exported a Recovery Key. Using the same password for MEGA as you have used at other sites can lead to others accessing and taking control of your MEGA account if one of those other sites is breached or hacked.

Disclosure for civil or criminal enforcement

  1. If we think it is necessary or we are obliged by law in any jurisdiction, then we are entitled to give Your Files, Your Chats, any Account Data and any Usage Data to competent authorities, even if those items are encrypted. We reserve the right to assist any law enforcement agency with investigations, including disclosure of information to them or their agents. We also reserve the right to comply with any legal processes, including but not limited to data breach notification processes, subpoenas, search warrants and court orders initiated by enforcement authorities or other third parties. We may disclose Your Files, Your Chats, any Account Data and any Usage Data to enforce or apply our Terms, our Cookie Policy, our Takedown Guidance Policy and this Policy or any other agreement we have with you, or to protect the rights, property, or safety of us or our other users, third parties or the operation of our services. For more detail on disclosure to competent enforcement authorities and other third parties, see our Takedown Guidance Policy.

Mega Limited and its related or affiliated entities, payment processors and resellers

  1. You have a contract with Mega Limited (New Zealand company number 4136598) but our services (including payment and personal information processing) may be provided by Mega Limited’s related or affiliated entities, payment processors and resellers, in other jurisdictions, subject to applicable laws. You authorise Mega Limited and each of those related or affiliated entities to collect, store, share and otherwise process Your Files, Your Chats, any Account Data and any Usage Data among themselves, as necessary to provide the services, subject to applicable laws. All such entities are located in Europe or in countries (such as Canada or New Zealand) that the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR or which have comparable protections to those given under the New Zealand Privacy Act 2020. You authorise Mega Limited and each of those related or affiliated entities, payment processors and resellers to collect, store, share and otherwise process among themselves such Account Data as is necessary to provide payment processing, subject to applicable laws.

No commercial sale of data

  1. We will never sell Your Files, Your Chats, any Account Data or any Usage Data. We will not disclose or otherwise provide Your Files, Your Chats, any Account Data or any Usage Data to a third party, or make any other use of Your Files, Your Chats, any Account Data or any Usage Data, for any purpose which is not specifically allowed under this Policy, our Cookie Policy, our Terms or our Takedown Guidance Policy or is not incidental to the normal use of our services.

Mega’s data security

  1. Data security is very important to Mega, whether that is your personal information or any other data. That is why we publish our client-side browser and mobile app software, provide a bug bounty to encourage reporting on any issues, and why we have provided information in this Policy on collection and storage of all data whether or not it is personal information. For more information on our security practices, see our security.

Communications

  1. We may send invoices, security or service updates and various other notices by email to the email address listed in your account or using any of our chat or messaging systems. They will be deemed to be received in accordance with our Terms.
  2. If appropriate, some of those notices will contain unsubscribe information so you can opt out of further receipt. We will abide by any email unsubscription request (other than those we need to send for invoicing, security or service updates and other service provider purposes).
  3. In some cases a person may receive an email from us asking the person to confirm their new Mega account email address, but in fact they haven’t tried to open an account – someone else has started the process and used their email address either maliciously or by mistake. In these cases, Mega has an ephemeral/incomplete account that might be used to upload files. On request, and after proving ownership of the email address, we will arrange for the account to be deleted.

Law

  1. Subject to the rights that those in the European Union have under the GDPR, this Policy and its interpretation and operation are governed solely by New Zealand law. Subject to the rights that those in the European Union have under the GDPR, you, MEGA and all users, submit to the exclusive jurisdiction of the New Zealand arbitral tribunals and courts as further described in our Terms and you agree not to raise any jurisdictional issue if we need to enforce an arbitral award or judgment in New Zealand or another country.

Contact and complaints

  1. Questions and comments regarding this Policy are welcomed and should be addressed to the Privacy Officer at privacy@mega.nz. For a comprehensive list of contact details for Mega Limited, and each of our related or affiliated entities, payment processors and resellers, together with details of how to contact our privacy officer and data protection officer, see our contacts page.
  2. If you are in Europe or otherwise have the right to lodge a complaint with a supervisory authority, you can find contact details for MEGA’s European Representative and European supervisory authority on our contacts page.

Changes to our Policy

  1. We may make changes to this Policy in the future. Any changes will be notified to all users.

Last updated 18 December 2020, effective 18 January 2021.