Mega Limited Privacy and Data Policy
Introduction
- This Policy of Mega Limited (New Zealand company number 7970438) (“MEGA”, “we”, “us” or “our”) of Level 21, Huawei Centre, 120 Albert Street, Auckland, New Zealand governs our processing of your personal information and the way in which we deal with other data that is not personal information. “Personal information” is the term under the New Zealand Privacy Act 2020 for “personal data” as defined in the European Union’s General Data Protection Regulation (EU) 2016/679 (“GDPR”). The term “processing” is used as defined in the GDPR and includes collection, storage, and all of the ways we use, and allow you to use, personal information when we provide our services. You are the data controller under the GDPR of the personal data you provide to us as part of your Account Data (see below). We are the data controller under the GDPR of all other personal data.
- Important: We store Data in our primary data centres in New Zealand, Japan, Canada and/or the European Union. In order to provide our services, Data may transit or be temporarily stored on servers in other countries, the full details of which can be found on our website. In this Policy, ‘Data’ refers to Your Files, Your Chats, Account Data and Usage Data, together, as those terms are defined below. If you access your Data or give someone else access to your Data using our services and you or they are not in New Zealand, Canada, Japan or Europe, you or they may be accessing that Data from a country that does not give adequate protection to personal information when compared to that given under the New Zealand Privacy Act 2020, the Canadian Personal Information Protection and Electronic Documents Act 2000, the Japanese Act on the Protection of Personal Information 2003 or the GDPR. Under our Terms of Service (“Terms”) you authorise us to grant this access.
- This Policy is divided into five sections; one for each of the four different types of Data we collect and one that applies to all of the Data we collect. Words and phrases which are defined in our Terms have the same meanings when they are used in this Policy, unless expressly otherwise provided in our Terms or in this Policy.
- The five sections are titled:
- “Your Files”. This covers the actual encrypted files that you upload, access and share using our services.
- “Your Chats”. This covers the encrypted text, voice and video chats you engage in using our services.
- “Account Data”. This covers the information that you provide to us when you register and communicate with us and the metadata that is collected and generated by our systems when you use our services.
- “Usage Data”. This covers the data that is generated and collected, including under our Cookie Policy, when you use our services.
- “General”. This applies to all our services and all types of Data.
- The GDPR provides rights to European users, but, as a leading privacy company, to the extent possible, we aim to make the GDPR protections and rights available to all our users globally in respect of their personal information wherever they may live.
Your Files
- This is the section of this Policy that covers the actual encrypted files that you upload, access and share using our services (“Your Files”). The following specific terms apply:
- When you upload a file, it is already encrypted on your device, so we do not know whether it is personal to you or someone else, relates to a business or some other organisation, or what it contains. We generate and store encrypted previews of images, videos and certain other types of files. We gather a small amount of metadata about the type of file, but that does not disclose the content or information that the file contains. In relation to metadata, see the section of this Policy specifically covering Account Data.
- All Your Files remain encrypted at all times while they are on our system. They are never received, stored or otherwise dealt with by us in unencrypted form because any decryption takes place only on your device or that of another user to whom you have provided the file, folder or chat, album links and keys that are created when you create the links. Your Files are therefore not personal data since they are never held by MEGA in a form that is information about an identified or identifiable individual.
- We collect Your Files because that is necessary for us to provide our zero-knowledge encrypted cloud storage and collaboration services that you contract for when you agree to our Terms.
- None of Your Files are stored in, or made available from, the United States of America.
- We keep Your Files while you are subscribed to our services, subject to our file and data removal, suspension and termination rights set out in our Terms. For serious breaches of our Terms, we are entitled to remove any or all of Your Files immediately without notice and to suspend or terminate your account (e.g. if you upload and/or share child sexual abuse material or other illegal or infringing material). You must maintain copies of Your Files. We strive to provide great services but do not make any guarantees that there will be no loss of data or that the services will be bug free. You must download Your Files prior to the termination of services including where the administrator of a business account or multi-user account (“Business Account”), within which you have used the services, terminates that Business Account (see clause 13 below). If you forget your password you will lose access to all Your Files unless you have exported and retained a Recovery Key.
- When you delete one of Your Files it will be made inaccessible, marked for deletion and removed when the next appropriate file purging process is run, subject to any retention specifically necessary to provide our services, allowed under this Policy and/or our Terms. After account termination, all Your Files will be marked for deletion and removed when the next appropriate file purging process is run, subject to any retention specifically allowed under this Policy or our Terms.
- The deletion process specified in clause 6.6 will not apply to a deduplicated file that is associated with another user (see our Terms).
- We may, but are not obliged to, keep Your Files after your account has been suspended or terminated. In particular, we may, but are not obliged to, keep Your Files where we consider it necessary for evidential purposes relating to a breach of our Terms or with respect to current or anticipated action by any competent law enforcement authority or other third party. In relation to the release of Your Files to competent law enforcement authorities and third parties, see our Takedown Guidance Policy.
- See also the General section of this Policy which applies to all types of data, including Your Files.
Your Chats
- This is the section of this Policy that covers the content of your text, voice and video chats and other related information (“Your Chats”). The following specific terms apply:
- For private chats, only the people using the accounts that you’re engaging within the chat can read, see or hear the chat content posted while they were a member of that chat group. Public chats can be read by anyone who has the link to that chat. Every text message you send is stored as an encrypted binary large object (“blob”). The times and participants of your successful and unsuccessful chats are stored in unencrypted form. The content of voice and video chats is not recorded or stored by MEGA. When the recording feature is activated by a participant for a given voice or video chat, the recording will be stored unencrypted on that participant’s device. If you have enabled rich URL previews, a plain text preview of the URL is generated in our system but is stored separately. When you view the text or voice chat history and contents, or reinitiate a chat with the same participant(s), the blobs are decrypted in your browser or mobile app.
- All Your Chats remain encrypted at all times while they are on our system. They are never stored or otherwise dealt with by us in unencrypted form because encryption and any decryption of the blob take place only on your device. Your Chats are therefore not personal data since they are never held by MEGA in a form that is information about an identified or identifiable individual.
- We retain and store Your Chats because that is necessary for us to provide our zero-knowledge encrypted chat service that you contract for when you agree to our Terms.
- None of Your Chats or related personal information are stored in, or made available from, the United States of America.
- We keep Your Chats while you are subscribed to our services but subject to our file and data removal, suspension and termination rights set out in our Terms. For serious breaches of our Terms, we are entitled to remove any or all of Your Chats immediately without notice and to suspend or terminate your account (e.g. if you exchange illegal or infringing material).
- Chats may be deleted by the moderator of the chat, who may be you or another MEGA user (depending on who has initiated the chat and been granted moderator rights). When the moderator deletes the chat history it will be removed from his or her chat and will no longer be accessible to any participant in that chat.
- See also the General section of this Policy which applies to all types of Data, including Your Chats.
Account Data
- This is the section of this Policy that covers account information you give us, and metadata and records of financial transactions that we generate in relation to Your Files, Your Chats and your account. The following specific terms apply:
- When you sign up for particular services you will need to give us the details required in our registration form and must keep that information up to date, including any payment information.
- For paid plans, MEGA and any of its related or affiliated entities, payment processors and resellers that you use to make payments, retain account and payment information including any tax identification and a record of all transactions on your account.
- When you use our services, our systems may retain the following metadata in unencrypted form:
- A unique device ID for the device used to log in to our services (that device ID doesn’t include the serial number, brand or model of your device);
- Browser type, device type and/or operating system of the devices from which you have logged in to MEGA, as applicable;
- IP address and port information used for: logging in to our services; API usage,; file uploads; file, chat, folder and album links; and VPN usage (including time and dates of those events);
- The country that we expect you are accessing our services from (inferred by matching your IP address to a public IP address database);
- File sizes, versioning order and parent-child file relationships;
- VPN bandwidth usage;
- The email address of anyone you have specifically made a contact using MEGA’s systems. Note that Your Files, including your folders and albums, can be shared privately by invitation to specified MEGA accounts identified by email addresses or shared more generally by creating and sharing a file, folder or album link and decryption key;
- Contact email addresses of chat participants, chat commencement time, chat duration and moderation activity;
- Takedowns and account suspensions;
- Our communications with you; and
- Certain account settings, including any avatar picture.
- From time to time we may need to communicate with each other directly. We will use MEGA’s chat facility, internal messaging system or the email or SMS address you have included in the settings information in your account and may also give notices to you and other users via popups or other notices prominently displayed on our website. Any communication to you will be deemed to be received by you in accordance with the electronic communication provisions of the New Zealand Contract and Commercial Law Act 2017, no matter whether you are actively monitoring the account or its email address or not. You can communicate with us using the appropriate address on our contacts page and your email will be deemed to be received by us. Examples of direct communications include copyright or other enforcement emails, notifications under our Takedown Guidance Policy, system update information, data breach notifications, notification of major changes to our Terms, any Policy and billing information.
- Access to your account is by way of nominated email address and password. It is your responsibility to keep these safe and secure as MEGA stores the email address but does not store the password. If you forget your password you will lose access to all your data unless you have exported and retained a Recovery Key.
- We will collect, store, use and otherwise process Account Data so that we can provide the services you have contracted to obtain from us under our Terms. We also have a legitimate interest in processing Account Data so that we can maintain and improve our systems and services and communicate with you as referenced in this Policy. This includes using your Account Data for marketing or targeted advertising purposes and sending you information about MEGA’s new products, upgrades and other marketing material from time to time. As further set out at clause 20, you can opt out of receiving marketing material at any time by clicking the ‘unsubscribe’ link in any emails you receive, or by updating your preferences in your account settings.
- We retain Account Data as long as your account is active. After account suspension or termination, including where the administrator of a Business Account, within which you have used the services, terminates that Business Account (see clause 13 below), we may, but are not obliged to, retain all Account Data if enforcement action is likely or commenced under our Terms, our Cookie Policy, or Takedown Guidance Policy or for 12 months, whichever is longer, or in the case of records of financial transactions relating to your account for such period of time as we are legally required to retain such information. Users sometimes request that an account be re-activated so we keep Account Data for 12 months for that purpose. Where there is no enforcement action likely or commenced and the 12 month period has expired, or after such longer period as is applicable in the case of records of financial transactions relating to your account that we are legally required to retain, Account Data that identifies you will be anonymised, and we will never re-identify that data, but where you are a contact of, have had a folder or album shared with you by, or have chatted with, another MEGA user, those details will continue to be retained to allow services to continue for those other users.
- You can download your Account Data at https://mega.nz/fm/account/security while you are logged into your account. This will provide your Account Data but not Your Files or Your Chats. You can request correction of Account Data if it is considered incorrect, in accordance with the New Zealand Privacy Act 2020 and the GDPR. Any requests for access to, or correction of, Account Data that is not available to you when you are logged into your account, or if you cannot log in to your account, should be made to [email protected] specifying the information in question. The information will be provided promptly, and at least within one month, without charge unless the request is manifestly unfounded or excessive. Corrections will be promptly considered and actioned if appropriate.
- If we have disclosed your Account Data to any third party (such as a compliance authority), we will inform them of any correction where possible and will also inform you about the third parties to whom the data has been disclosed where lawful and appropriate.
- See also the General section of this Policy which applies to all types of data, including Account Data.
Usage Data
- This is the section of this Policy that covers data relating to your activity using our services, including system logs and certain event timestamps (“Usage Data”). Our Cookie Policy also provides more specific information on certain types of Usage Data and your rights to control whether it is collected or not and what it is used for. Subject at all times to the rights you have pursuant to our Cookie Policy, the following specific terms apply:
- We may:
- collect Usage Data to assist in the operation and improvement of our services;
- join Usage Data with other users’ data and give it to advertisers in a way which doesn’t personally identify any particular user;
- analyse and use Usage Data for marketing or statistical purposes as well as to improve the way we provide services to our users;
- use third-party companies to assist with the collection of Usage Data for the purpose of analysing the use of our websites; and
- serve advertisements or use third-party advertising companies to serve advertisements on our services and on third-party sites, as well as to assist us in analysing our marketing and other business efforts.
- We collect and keep Usage Data with your consent to provide services and support related to our services, for market and product research and to be able to give users promotional material and special offers on our services.
- We retain Usage Data as long as your account is active and for no more than 12 months thereafter, subject to any retention specifically necessary to provide our services, allowed under this Policy and/or our Terms. You can request access to and deletion of your Usage Data by emailing us at [email protected].
- See also the General section of this Policy which applies to all types of data, including Usage Data.
- We may:
General
- This is the section of this Policy that covers all types of Data.
Basis of processing and dealing with data
- As noted above, we process your personal information because we have contracted with you to do so under our Terms, this Policy, our Cookie Policy and our Takedown Guidance Policy. We cannot provide our services without that data. Other data that is not personal information is also dealt with by us in accordance with our Terms, this Policy, our Cookie Policy, and our Takedown Guidance Policy.
Giving access to other users
- You must ensure that anyone to whom you give access to any of Your Files, Your Chats or your Account Data complies with our Terms, our Cookie Policy, our Takedown Guidance Policy and this Policy. You are responsible for their compliance, including where you are the administrator of a Business Account.
- For Business Accounts, the administrator of that account can see and deal with the files and data associated with all users within that account (including any data and any personal information). In addition:
- if the Business Account is suspended or terminated, the action will affect the data and personal information of every user within that account;
- the administrator of the Business Account will be able to see and deal with, change or delete the files and data associated with every user within that account (including any of Your Files, Your Chats, Account Data and any of your personal information); and
- the administrator of the Business Account will be able to terminate any user’s account within the Business Account, restrict or disable usage of the account, change any user’s password and otherwise deny access to the account and that user will then lose access to all Your Files, Your Chats, Account Data and all personal information associated with your usage of the Business Account.
Your own security practices are critical
- We strongly urge you to use best practices for ensuring the safety of your systems and devices (e.g. via strong unique passwords, two-factor authentication, security upgrades, firewall protection, anti-virus software, securing devices). MEGA will never send an email asking for your password, so do not be fooled by any such email since it will not be from us. We cannot guarantee the security of computers or devices nor of transmission from and to your device over the Internet and thus cannot guarantee there will be no unauthorised access. Also, if you lose or otherwise allow access to your password or encryption keys, you will lose the security of all your data. If you forget your password you will lose access to all your data unless you have exported and retained a Recovery Key. Using the same password for MEGA as you have used at other sites can lead to others accessing and taking control of your MEGA account if one of those other sites is breached or hacked.
Disclosure for civil or criminal enforcement
- If we think it is necessary or we are obliged by law in any jurisdiction, then we are entitled to give Your Files, Your Chats, any Account Data and any Usage Data to competent authorities, even if those items are encrypted. We reserve the right to assist any law enforcement agency with investigations, including disclosure of information to them or their agents. We also reserve the right to comply with any legal processes, including data breach notification processes, subpoenas, search warrants and court orders initiated by enforcement authorities or other third parties. We may disclose Your Files, Your Chats, any Account Data and any Usage Data to enforce or apply our Terms, our Cookie Policy, our Takedown Guidance Policy, this Policy or any other agreement we have with you, or to protect the rights, property, or safety of us or our other users, third parties or the operation of our services. For more details on disclosure to competent enforcement authorities and other third parties, see our Takedown Guidance Policy.
MEGA and its related or affiliated entities, payment processors and resellers
- You have a contract with MEGA but some ancillary services (including payment and personal information processing) may be provided by MEGA’s related or affiliated entities, payment processors and resellers, subject to applicable laws. You authorise MEGA and each of those related or affiliated entities to collect, store, share and otherwise process Your Files, Your Chats, any Account Data and any Usage Data among themselves, as necessary to provide the services, subject to applicable laws. All such entities are located in Europe or in countries (such as Canada, Japan or New Zealand) that the European Commission has determined to have an adequate level of protection under Article 45 of the GDPR or which have comparable protections to those given under the New Zealand Privacy Act 2020. You authorise MEGA and each of those related or affiliated entities, payment processors and resellers to collect, store, share and otherwise process among themselves such Account Data as is necessary to provide payment processing, subject to applicable laws.
No commercial sale of data
- We will never sell Your Files, Your Chats, Account Data or Usage Data. We will not disclose or otherwise provide Your Files, Chats, Account Data or Usage Data to a third party, or make any other use of any of them, for any purpose which is not specifically allowed under this Policy, our Cookie Policy, our Terms or our Takedown Guidance Policy or is not incidental to the normal use of our services. The only exception to this clause is where MEGA itself, or its business, is sold or proposed to be sold, in which case we are entitled to make such disclosure or provision to a purchaser or prospective purchaser of the business.
MEGA’s data security
- Data security is very important to MEGA, whether that is your personal information or any other Data. That is why we publish our client-side browser and mobile app software, provide a bug bounty to encourage reporting on any issues, and why we have provided information in this Policy on collection and storage of all Data whether or not it is personal information. For more information on our security practices, see our blog.
Communications
- We may send invoices, security or service updates and various other notices by email or SMS to the email or SMS address listed in your account or using any of our chat or messaging systems. We may also give notices to you and other users via popups or other notices prominently displayed on our website. They will be deemed to be received in accordance with our Terms.
- If appropriate, some of those notices will contain unsubscribe information so you can opt out of further receipt. We will abide by any email unsubscription request (other than those we need to send for invoicing, security or service updates and other service provider purposes).
- In some cases a person may receive an email from us asking the person to confirm their new MEGA account email address, but in fact they haven’t tried to open an account – someone else has started the process and used their email address either maliciously or by mistake. In these cases, MEGA has an ephemeral/incomplete account that might be used to upload files. On request, and after proving ownership of the email address, we will arrange for the account to be deleted.
Law
- Subject to the rights that you may have under applicable laws in your country (including under the Canadian Personal Information Protection and Electronic Documents Act 2000, the Japanese Act on the Protection of Personal Information 2003, and the GDPR), this Policy and its interpretation and operation are governed solely by New Zealand law. Subject to those rights, you, MEGA and all users, submit to the exclusive jurisdiction of the New Zealand arbitral tribunals and courts as further described in our Terms and you agree not to raise any jurisdictional issue if we need to enforce an arbitral award or judgment in New Zealand or another country.
Contact and complaints
- Questions and comments regarding this Policy are welcomed and should be addressed to the Privacy Officer at [email protected]. For a comprehensive list of contact details for MEGA, and each of our related or affiliated entities, payment processors and resellers, together with details of how to contact our privacy officer and data protection officer, see our contacts page.
- If you are in Europe or otherwise have the right to lodge a complaint with a supervisory authority, you can find contact details for MEGA’s European Representative and European supervisory authority on our contacts page.
- If you are a resident of California, click here to read our Additional Privacy Notice for California Residents under the California Consumer Privacy Act (CCPA).
Changes to our Policy
- We may make changes to this Policy in the future. Any changes will be notified to all users.
Last updated and effective 4 October 2024.