GDPR: Mergo's Data Processing, and International Data Transfers

We'll discuss where Mergo's data are stored, how our data processing complies with GDPR, and its International Data Transfer clause.

Legitimacy of our data processing operations

Data Storage

We store and process your user and usage data in Firebase, the Google cloud-hosted database (please read our article on DATA STORAGE: What data are stored by Mergo and how are they used?).

Firebase is managed by Google and its servers are located primarily in the United States (refer to Firebase’s Privacy Policy for more information).

The physical storage of Mergo data and processing is protected under Data Processing and Security Terms of Google Cloud Platform.

Data Processing

Mergo is GDPR and HIPAA-compliant as we don't store or transfer any personal data. That is because your data (campaign sheet or mailing list) is stored in your Google Sheets and is never saved in our database.

Info: Mergo's Data Processing Agreement (DPA) is incorporated by reference to the Terms of Service that you (or your domain admin) accepted when you started using our Mergo add-on.

Does Mergo execute international transfer of personal data?

Note: No, we never process international data transfer in any way. Neither do we use in-house script nor perform file transfers.

We will never transfer, sell, make copies, or share any of your data stored by Mergo to third-party services or companies.

Can I exercise my right to data portability?

As detailed in our article DATA STORAGE: What data are stored by Mergo and how is it used?, we don't store any of your customers’ data (campaign sheet record or mailing list). As such, we are not obliged to any data portability requests.

Which Data Transfer mechanisms does Mergo rely on: Standard Clauses or Privacy Shield?

Upon completion of the Data Processing Agreement (DPA), it is stipulated that the application of lawful data transfer mechanisms for our customers who wish to transfer personal data to a third country (outside the European Economic Area or EEA) in accordance with Article 45 or 46 of the GDPR, relies on entering into Standard Contractual Clauses (SCC) or offer any alternative transfer solution if requested (for example, the EU-U.S. Privacy Shield).

On July 16, 2020, the Court of Justice of the European Union issued a judgment declaring as “invalid” the European Commission’s Decision (EU) 2016/1250 of 12 July 2016 on the adequacy of the protection provided by the EU-U.S. Privacy Shield. As a result of that decision, the EU-U.S. Privacy Shield Framework is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the European Union to the United States.

However, ScriptIt (the company that created Mergo) does not depend on the Privacy Shield mechanism. Rather, ScriptIt relies on the Standard Contractual Clauses to transfer all of its users’ EEA personal data in compliance with the GDPR. The Court confirmed that such Standard Contractual Clauses remain a valid data export mechanism. The Standard Contractual Clauses are referenced in and automatically apply through Mergo's Data Processing Addendum.

This means that our users can take comfort that their EEA personal data continues to be protected to European standards in compliance with applicable data protection laws including GDPR.