Data Privacy Policy

Last Updated: 12/02/2024
1. Introduction
Merlin Search Technologies, Inc. (“Merlin,” “we,” “us,” or “our”) is committed to protecting the privacy and security of personal data we process. This Privacy Policy describes how we collect, use, disclose, and safeguard personal data received from clients.
This Privacy Policy applies to:
- Personal data we receive as a data processor when providing our discovery services to our clients
- Personal data we receive as a data controller for our platform users and website visitors
- Personal data transferred from the EU, UK, and Switzerland to the United States
For clarification, Merlin only hosts data for specific clients, whether based in the EU, UK, Switzerland or elsewhere. Our hosting is private and highly secure, with access only to named and identified users, typically legal professionals, representing or otherwise engaged by our clients. None of this data is displayed to members of the public.
We host the data provided us by the clients and take direction from our clients with respect to that data. In all cases we follow client instructions regarding data location, data security, data use and data access.
We do not control the data sent to us for hosting and in general do not review its contents for any purpose. We assume, unless knowledge indicates otherwise, that all data given to us for hosting is provided in accordance with local, state, country and region laws and in accordance with individual data privacy rights and protections.
To the extent we receive requests for access to data, or are challenged with respect to the hosting of data, we will immediately inform our clients and take direction from our clients unless otherwise ordered by authorities with jurisdiction over us or the data we host.
2. Data Collection and Processing
2.1 Roles and Responsibilities
As Data Processor: When providing software hosting and other services to our clients, Merlin acts as a data processor. In this role:
- We process personal data only on behalf of and under the direction of our clients
- Our clients, as data controllers, determine what data to store in the Merlin platform
- We maintain appropriate technical and organizational measures to ensure data security
- We process data in accordance with our clients’ instructions and applicable data protection laws
As Data Controller: For our platform users and website visitors, Merlin acts as a data controller. In this role, we determine the purposes and means of processing personal data.
When acting as a data controller, Merlin will inform individuals about:
- The specific types of personal data collected
- The purposes for which it collects and uses personal information
- The type or identity of third parties to which it discloses personal information
- The choices and means we offer individuals for limiting the use and disclosure of their personal data
- The requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements
2.2 Categories of Personal Data
When Acting as Data Processor:
- We may process any categories of personal data contained within the documents and data provided by our clients
- The specific categories depend on the nature of the discovery matter
- We do not independently determine what personal data to collect or process
When Acting as Data Controller:
We do not generally collect personal information except as may be required to process and host client data or when visitors to the Merlin website provide names and contact information.
When we host client data, we collect user information including:
- Contact information (name, email address, phone number)
- Authentication credentials
- Usage data and platform activity logs
- Technical information (IP address, browser type, device information)
- Communication preferences and marketing choices
None of this data is used for any purposes other than providing services to our clients.
2.3 Purposes of Processing
We process personal data for the following purposes:
- Providing and maintaining our discovery platform and services
- Managing user accounts and authentication
- Ensuring platform security and preventing fraud
- Responding to user inquiries and support requests
- Complying with legal obligations
- Improving our services and user experience
2.4 Legal Basis for Processing
We process personal data on the following legal grounds:
- Performance of contracts with our clients and users
- Legitimate business interests
- Legal obligations
- Consent, where required
- Client instructions when acting as a data processor
3. Data Processing Principles
3.1 Notice and Choice
- We provide clear notice about our data processing activities through this Privacy Policy
- When acting as a data processor, we rely on our clients to obtain appropriate consent or establish other legal bases for processing
- When acting as a data controller, we provide individuals with choices about their personal data, including:
- Marketing communications opt-out options
- Cookie preferences
- Account settings customization
3.2 Purpose Limitation and Data Minimization
- Personal data is collected and processed only for specified, explicit, and legitimate purposes
- We limit data collection to what is necessary for the intended purpose
- We maintain separate data environments through our single-tenant architecture to prevent data commingling
- Data is retained only for as long as necessary to fulfill the purposes for which it was collected
3.3 Data Quality and Integrity
- We employ technical measures to maintain data accuracy and completeness
- Our automated backup systems ensure data integrity
- Users can request corrections to their personal data subject to client consent
- We implement version control and audit logging to track changes
4. Individual Rights
4.1 Rights of EU, UK, and Swiss Individuals
Subject to direction from our clients, we respect and facilitate the following rights for individuals:
Right to Access:
- Individuals may request confirmation of whether we process their personal data
- We provide copies of personal data in a structured, commonly used format
- Access requests are fulfilled within 30 days where possible
Right to Correction:
- Individuals may request correction of inaccurate personal data
- We will update incorrect information promptly upon verification
- We notify relevant third parties of corrections when feasible
Right to Deletion:
- Individuals may request deletion of their personal data
- We will comply unless we have a legal obligation to retain the data
- Our single-tenant architecture enables precise deletion of specific data
Right to Data Portability:
- We provide personal data in a structured, machine-readable format
- Data can be transmitted directly to another controller where technically feasible
Additional Rights:
- Right to Object: Individuals may object to processing of their personal data
- Right to Restrict Processing: Individuals may request restriction of processing
- Right Not to be Subject to Automated Decision-Making: Individuals may object to automated decision-making, including profiling, which produces legal effects or similarly significant effects
- Right to Data Protection Authority: Individuals have the right to lodge a complaint with their local supervisory authority
Exercise of Rights:
- Rights can be exercised free of charge
- Responses provided within one month (can be extended by two months for complex requests)
- Identity verification required before fulfilling requests
- Reasons provided for any inability to fulfill requests
4.2 Exercising Individual Rights
To exercise these rights:
- Platform users can submit requests through their account settings
- Direct requests to privacy@merlin.tech
- For data processed on behalf of our clients, we will coordinate with the relevant client
- We verify the identity of requestors before fulfilling requests
- We respond to requests within 30 days, with possible 60-day extension for complex requests
5. Data Security Measures
5.1 Technical Safeguards
Our comprehensive security architecture includes:
Infrastructure Security:
- AWS-based infrastructure with separate accounts per client
- Virtual Private Cloud (VPC) isolation
- Private subnets with no direct internet access
- Secure VPC peering for shared services
- Single-tenant architecture providing complete data isolation
Encryption:
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for data in transit
- AWS Key Management Service (KMS) for key management
- Client-specific encryption keys
Access Controls:
- Role-based access control with granular permissions
- Multi-factor authentication
- Time-limited authorization tickets for document access
5.2 Organizational Safeguards:
- Regular security training for employees
- Background checks for personnel
- Documented incident response procedures
- 24/7 security team availability
5.3 Monitoring and Incident Response:
- Continuous monitoring through AWS CloudWatch
- Comprehensive logging and audit trails
- Automated alerts for suspicious activities
- Regular vulnerability assessments
- Incident response team available 24/7
5.4 Data Backup and Recovery:
- Nightly automated backups with 7-day retention
- Documented disaster recovery procedures
- Regular backup testing and verification
5.5 Third-Party Security:
- Vendor security assessments
- Contractual security requirements
- Regular security reviews of shared services
- AWS security certifications including ISO 27001, SOC 2, and FedRAMP
6. Third-Party Transfers and Onward Transfers
As a general matter, Merlin does not transfer data to third parties except at the direction of its clients. Clients undertake responsibility for data transfers made at their direction.
Merlin remains responsible and liable under general principles if third-party agents it engages to process personal information on its behalf do so in a manner inconsistent with the Principles, unless Merlin proves that it is not responsible for the event giving rise to the damage.
6.1 Conditions for Transfers
We only transfer personal data to third parties under specific conditions:
- To fulfill our client service obligations
- With client authorization when acting as a processor
- As required by law or legal process
- When we have appropriate contractual safeguards in place
6.2 Service Providers
- We use AWS as our primary infrastructure provider, but it has no direct access to the documents we host, which are encrypted at rest and in transit.
- All contracts with affiliated entities and contractors include generally compliant data protection provisions
7. Dispute Resolution
7.1 Direct Resolution
- We strive to resolve privacy concerns directly
- Contact privacy@merlin.tech for complaints
- Initial response within 5 business days
- Resolution typically within 45 days
7.2 Independent Dispute Resolution
Unresolved complaints may be submitted to a designated third-party dispute resolution provider.
- There is no cost to individuals for dispute resolution
- Decisions will be binding on Merlin and its client.
For non-HR data, if Merlin has not addressed your complaint to your satisfaction, you may file a complaint with JAMS, an alternative dispute resolution provider based in the U.S. Please visit https://www.jamsadr.com for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Merlin acknowledges that individuals may choose to lodge complaints directly with their local data protection authority and that they have a right to invoke binding arbitration under certain conditions.
7.3 Regulatory Oversight
- Subject to FTC investigatory and enforcement powers
- Cooperation with EU DPAs, UK ICO, and Swiss FDPIC
- Option for binding arbitration under certain conditions
8. Legal and Regulatory Compliance
8.1 Government Requests
- We may disclose personal data in response to lawful requests
- National security and law enforcement requirements
- We provide notice to clients unless legally prohibited
- Transparency about government request process
8.2 Regulatory Compliance
- Regular compliance assessments
- Documentation of processing activities
- Privacy impact assessments when required
- Staff training on compliance requirements
8.3 General Compliance:
Merlin maintains records of:
- Annual self-assessment verifications
- Procedures for training employees on compliance requirements
- Procedures for handling questions and complaints
- Internal procedures for periodic compliance reviews
- Processes for verifying that published privacy policies conform to generally accepted principles
- Responses to independent recourse mechanism recommendations
8.4 Verification:
Merlin verifies compliance with general compliance principles through:
- Annual internal compliance reviews
- Regular assessments of privacy policies and procedures
- Employee training verification
- Response tracking for privacy-related inquiries and complaints
9. Contact Information
- Primary Contact: Privacy Officer, Kendra Smith
- Email: privacy@merlin.tech
- Phone: +1-720-295-0822
- EU/UK Representative: Patrick Looney
- Email: PLooney@Merlin.Tech
- Phone: +44 7733 100011
- Data Protection Authorities: Individuals may contact their local data protection authority
10. Policy Updates
10.1 Changes to this Policy
- We review this policy regularly
- Updates posted on our website
- Notice of material changes provided
10.2 Version Control
- Current version: 1.0
- Last updated: 2024-12-02
- Previous versions available upon request
10.3 Effective Date: 2024-12-02.
Contact Us
If you have any questions about our Data Privacy Policy or want to discuss any aspect of it, contact us at privacy@merlin.tech.