Data Privacy Policy
Merlin is in the process of applying to self-certify for the Data Privacy Framework that can be viewed here. Here is a general statement about how we handle data hosted with us by our EU, UK and Swiss clients.
Last Updated: 12/02/2024
1. Introduction
Merlin Search Technologies, Inc. (“Merlin,” “we,” “us,” or “our”) is committed to protecting the privacy and security of personal data we process. This Privacy Policy describes how we collect, use, disclose, and safeguard personal data received from the European Union, United Kingdom, and Switzerland in accordance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
This Privacy Policy applies to:
- Personal data we receive as a data processor when providing our discovery services to our clients
- Personal data we receive as a data controller for our platform users and website visitors
- Personal data transferred from the EU, UK, and Switzerland to the United States
For clarification, Merlin only hosts data for specific clients, whether based in the EU, UK, Switzerland or elsewhere. Our hosting is private and highly secure, with access only to named and identified users, typically legal professionals, representing or otherwise engaged by our clients. None of this data is displayed to members of the public.
We host the data provided us by the clients and take direction from our clients with respect to that data. In all cases we follow client instructions regarding data location, data security, data use and data access.
We do not control the data sent to us for hosting and in general do not review its contents for any purpose. Unless we have knowledge to the contrary, we assume that all data given to us for hosting is provided in accordance with local, state, country and region laws and in accordance with individual data privacy rights and protections.
To the extent we receive requests for access to data, or are challenged with respect to the hosting of data, we will immediately inform our clients and take direction from our clients unless otherwise ordered by authorities with authority over us or the data we host.
2. DPF Certification Statement
Merlin Search Technologies, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce.
- Merlin Search Technologies, Inc. (“Merlin”) has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF.
- Merlin has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website.
- The Federal Trade Commission has jurisdiction over Merlin’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF).
In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Merlin commits to resolve complaints about our collection or use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our DPF policy should first contact Merlin at:
- Privacy Officer: Kendra Smith
- Email: privacy@merlin.tech
- Phone: +1-720-295-0822
Merlin has committed to refer unresolved DPF complaints to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from Merlin, or if Merlin has not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
In some situations under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, you may have the possibility to invoke binding arbitration. Please visit this link for more information: https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.
The Federal Trade Commission has jurisdiction over Merlin’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.
3. Data Collection and Processing
3.1 Roles and Responsibilities
As Data Processor: When providing software hosting and other services to our clients, Merlin acts as a data processor. In this role:
- We process personal data only on behalf of and under the direction of our clients
- Our clients, as data controllers, determine what data to store in the Merlin platform
- We maintain appropriate technical and organizational measures to ensure data security
- We process data in accordance with our clients’ instructions and applicable data protection laws
As Data Controller: For our platform users and website visitors, Merlin acts as a data controller. In this role, we determine the purposes and means of processing personal data.
When acting as a data controller, Merlin will inform individuals about:
- The specific types of personal data collected
- The purposes for which it collects and uses personal information
- The type or identity of third parties to which it discloses personal information
- The choices and means we offer individuals for limiting the use and disclosure of their personal data
- The requirement to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements
3.2 Categories of Personal Data
When Acting as Data Processor:
- We may process any categories of personal data contained within the documents and data provided by our clients
- The specific categories depend on the nature of the discovery matter
- We do not independently determine what personal data to collect or process
When Acting as Data Controller:
We do not generally collect personal information except as may be required to process and host client data or when visitors to the Merlin website provide names and contact information.
When we host client data, we collect user information including:
- Contact information (name, email address, phone number)
- Authentication credentials
- Usage data and platform activity logs
- Technical information (IP address, browser type, device information)
- Communication preferences and marketing choices
None of this data is used for any purposes other than providing services to our clients.
3.3 Purposes of Processing
We process personal data for the following purposes:
- Providing and maintaining our discovery platform and services
- Managing user accounts and authentication
- Ensuring platform security and preventing fraud
- Responding to user inquiries and support requests
- Complying with legal obligations
- Improving our services and user experience
3.4 Legal Basis for Processing
We process personal data on the following legal grounds:
- Performance of contracts with our clients and users
- Legitimate business interests
- Legal obligations
- Consent, where required
- Client instructions when acting as a data processor
4. Data Processing Principles
4.1 Notice and Choice
- We provide clear notice about our data processing activities through this Privacy Policy
- When acting as a data processor, we rely on our clients to obtain appropriate consent or establish other legal bases for processing
- When acting as a data controller, we provide individuals with choices about their personal data, including:
- Marketing communications opt-out options
- Cookie preferences
- Account settings customization
4.2 Purpose Limitation and Data Minimization
- Personal data is collected and processed only for specified, explicit, and legitimate purposes
- We limit data collection to what is necessary for the intended purpose
- We maintain separate data environments through our single-tenant architecture to prevent data commingling
- Data is retained only for as long as necessary to fulfill the purposes for which it was collected
4.3 Data Quality and Integrity
- We employ technical measures to maintain data accuracy and completeness
- Our automated backup systems ensure data integrity
- Users can request corrections to their personal data subject to client consent
- We implement version control and audit logging to track changes
5. Individual Rights
5.1 Rights of EU, UK, and Swiss Individuals
Subject to direction from our clients, we respect and facilitate the following rights for individuals:
Right to Access:
- Individuals may request confirmation of whether we process their personal data
- We provide copies of personal data in a structured, commonly used format
- Access requests are fulfilled within 30 days where possible
Right to Correction:
- Individuals may request correction of inaccurate personal data
- We will update incorrect information promptly upon verification
- We notify relevant third parties of corrections when feasible
Right to Deletion:
- Individuals may request deletion of their personal data
- We will comply unless we have a legal obligation to retain the data
- Our single-tenant architecture enables precise deletion of specific data
Right to Data Portability:
- We provide personal data in a structured, machine-readable format
- Data can be transmitted directly to another controller where technically feasible
Additional Rights:
- Right to Object: Individuals may object to processing of their personal data
- Right to Restrict Processing: Individuals may request restriction of processing
- Right Not to be Subject to Automated Decision-Making: Individuals may object to automated decision-making, including profiling, which produces legal effects or similarly significant effects
- Right to Data Protection Authority: Individuals have the right to lodge a complaint with their local supervisory authority
Exercise of Rights:
- Rights can be exercised free of charge
- Responses provided within one month (can be extended by two months for complex requests)
- Identity verification required before fulfilling requests
- Reasons provided for any inability to fulfill requests
5.2 Exercising Individual Rights
To exercise these rights:
- Platform users can submit requests through their account settings
- Direct requests to privacy@merlin.tech
- For data processed on behalf of our clients, we will coordinate with the relevant client
- We verify the identity of requestors before fulfilling requests
- We respond to requests within 30 days, with possible 60-day extension for complex requests
6. Data Security Measures
6.1 Technical Safeguards
Our comprehensive security architecture includes:
Infrastructure Security:
- AWS-based infrastructure with separate accounts per client
- Virtual Private Cloud (VPC) isolation
- Private subnets with no direct internet access
- Secure VPC peering for shared services
- Single-tenant architecture providing complete data isolation
Encryption:
- AES-256 encryption for data at rest
- TLS 1.2+ encryption for data in transit
- AWS Key Management Service (KMS) for key management
- Client-specific encryption keys
Access Controls:
- Role-based access control with granular permissions
- Multi-factor authentication
- Time-limited authorization tickets for document access
6.2 Organizational Safeguards
- Regular security training for employees
- Background checks for personnel
- Documented incident response procedures
- 24/7 security team availability
6.3 Monitoring and Incident Response
- Continuous monitoring through AWS CloudWatch
- Comprehensive logging and audit trails
- Automated alerts for suspicious activities
- Regular vulnerability assessments
- Incident response team available 24/7
6.4 Data Backup and Recovery
- Nightly automated backups with 7-day retention
- Documented disaster recovery procedures
- Regular backup testing and verification
6.5 Third-Party Security
- Vendor security assessments
- Contractual security requirements
- Regular security reviews of shared services
- AWS security certifications including ISO 27001, SOC 2, and FedRAMP
7. Third-Party Transfers and Onward Transfers
As a general matter, Merlin does not transfer data to third parties except at the direction of its clients. Clients undertake responsibility for data transfers made at their direction.
Merlin remains responsible and liable under the DPF Principles if third-party agents it engages to process personal information on its behalf do so in a manner inconsistent with the Principles, unless Merlin proves that it is not responsible for the event giving rise to the damage.
7.1 Conditions for Transfers
We only transfer personal data to third parties under specific conditions:
- To fulfill our client service obligations
- With client authorization when acting as a processor
- As required by law or legal process
- When we have appropriate contractual safeguards in place
7.2 Service Providers
- We use AWS as our primary infrastructure provider but it has no direct access to the documents we host, which are encrypted at rest and in transit.
- All contracts with affiliated entities and contractors include DPF-compliant data protection provisions
8. Dispute Resolution
8.1 Direct Resolution
- We strive to resolve privacy concerns directly
- Contact privacy@merlin.tech for complaints
- Initial response within 5 business days
- Resolution typically within 45 days
8.2 Independent Dispute Resolution
Unresolved complaints may be submitted to a designated third-party dispute resolution provider.
- There is no cost to individuals for dispute resolution
- Decisions will be binding on Merlin and its client.
For non-HR data, if Merlin has not addressed your DPF Principles-related complaint to your satisfaction, you may file a complaint with JAMS, an alternative dispute resolution provider based in the U.S. Please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.
Merlin acknowledges that individuals may choose to lodge complaints directly with their local data protection authority and that they have a right to invoke binding arbitration under certain conditions.
8.3 Regulatory Oversight
- Subject to FTC investigatory and enforcement powers
- Cooperation with EU DPAs, UK ICO, and Swiss FDPIC
- Option for binding arbitration under certain conditions
9. Legal and Regulatory Compliance
9.1 Government Requests
- We may disclose personal data in response to lawful requests by public authorities
- This includes disclosures required to meet national security and law enforcement requirements
- We provide notice to clients unless legally prohibited
- We are transparent about our process for handling government requests
9.2 Regulatory Compliance
- Regular compliance assessments
- Documentation of processing activities
- Privacy impact assessments when required
- Staff training on compliance requirements
9.3 DPF Framework Compliance
Merlin maintains records of:
- Annual self-assessment verifications
- Procedures for training employees on DPF requirements
- Procedures for handling questions and complaints
- Internal procedures for periodic compliance reviews
- Processes for verifying that published privacy policies conform to the DPF Principles
- Responses to independent recourse mechanism recommendations
9.4 Verification
Merlin verifies compliance with the DPF Principles through:
- Annual internal compliance reviews
- Regular assessments of privacy policies and procedures
- Employee training verification
- Response tracking for privacy-related inquiries and complaints
10. Contact Information
10.1 Primary Contacts
- Privacy Officer: Kendra Smith
- Email: privacy@merlin.tech
- Phone: +1-720-295-0822
10.2 EU/UK Representative
- Name: Patrick Looney
- Email: PLooney@Merlin.Tech
- Phone: +44 7733 100011
10.3 Data Protection Authorities
Individuals may contact their local data protection authority.
11. Policy Updates
11.1 Changes to this Policy
- We review this policy regularly
- Updates posted on our website
- Notice of material changes provided
11.2 Version Control
- Current version: 1.0
- Last updated: 2024-12-02
- Previous versions available upon request
11.3 Effective Date: 2024-12-02.
Contact Us
If you have any questions about our Data Privacy Policy or want to discuss any aspect of it, contact us at privacy@merlin.tech.