Privacy Policy and Terms

Data Protection Statement in Accordance with the GDPR

Introduction

MergeLabs GmbH’s (“MergeLabs,” “we,” “our” or “us”) highest ambition and goal as a company is to make organizing, marketing and booking events and activities as easy as possible. We want to provide a booking experience for the customers that is safe and easy. As part of this goal we place great value on your data protection rights and take any measures we can to help protect your data. 

This Privacy Policy describes how we collect, use, process and handle your personal information when you interact with us on this website – www.mergelabs.io, in person or during other interactions such as through telephone, email, social media or any other mode of communication (collectively “communications”). 

Who is responsible for the websites and services?

MergeLabs GmbH
CEO Ali Taghavi

Am Langen Sand 13
68723 Schwetzingen
Baden-Württemberg
Deutschland

If you have any questions or complaints, please do not hesitate to contact us at [email protected]

When do we collect and process personal data about you?

Here are the 3 different ways we collect information from you: 

  • Information you share voluntarily as part of the sign up and purchase processes of our services or newsletter. 
  • We use cookies on our website. For details see our Cookies page.
  • Information based on how you use our services.

This Privacy Policy describes in full detail what data we collect and why, how we store that data, for how long we store it and who has access to it.

What data do we collect via our web-forms? 

  • First Name
  • Last Name
  • Email address

When you request an invoice from us, we are required by law to ask you for the following information:

  • First name
  • Last name 
  • Company name (if applicable)
  • Full address (Street & No., Zip, City, Country)
  • VAT-ID (if applicable)

We need this data to fulfill our contractual obligation towards you as our customer as well as towards tax and other governmental authorities. Your data will be retained either until MergeLabs Services cease to exist, or when statutory retention periods have expired.

The legal basis for the processing of this data is Art. 6 GDPR.

What tools do we use for our webforms?

Internal IT-system

The primary method MergeLabs uses to process your purchase requests is through Mailchimp (see further down) and our own IT-system we developed in-house. The information you enter into a webform on our websites when you purchase an in-class experience (course, classes, workshops, events etc.) will be transferred to and stored in our in-house IT-system. 

Information storage 

In addition to our internal IT-system, we use Google Sheets, Google Docs and Google Forms to collect information regarding our activities, services and your preferences. These forms and sheets are always clearly indicated and are designed distinctively to make it clear that they do not belong to our in-house IT-system.

Email communication

Direct communication

Any email you send directly to us will be used only for the intended communication initiated by you. We initiate contact with you via email only if you have given us permission, for example through a request for or purchase of any of our services. We do not transfer your email to our newsletter nor share it with any third party. We keep emails for up to 18 months in our email accounts in accordance with Art. 6 GDPR.

To comply with Art. 32 GDPR we have implemented the following security procedure for handling your email communication with us:

  • After 18 months, the emails get transferred into our Google Vault where they are archived for legal purposes indefinitely. 
  • Our policy is to delete emails that contain sensitive personal data, such as your phone number or bank account information, immediately after they have served their purpose.
  • We have set up end-to-end encryption for our emails so that our messages cannot be intercepted by third parties.
  • We have two-factor authentication set up on our email accounts for enhanced login security.

We use Google Workspace’s Gmail service to send and receive emails. Google Gmail is a service provided by Google Inc., 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (“Google”). 

When registering our account with Google Workspace, we also concluded a “Data Processing Agreement” with Google Workspace that ensures their Eurozone-based data centers are used when processing and storing our data. This is an agreement in which Google Workspace is obligated to protect the data of our users, to process it in accordance with its Privacy Policy on our behalf and to not forward this information to third parties.

Included in Google Workspace’s services are Gmail, Drive, Sheets, Docs and Forms.

We use Google Workspace services in accordance with Art. 28 GDPR.

Service notification emails

You will receive email notifications as part of the service we provide when you purchase one of our services. 

Please note that we distinguish between our newsletter services and the email notifications you receive. The email notifications you receive are directly related to specific services you have signed up for. If you also want to stay up to date with our overall events and services, please also sign up to our newsletter on mergelabs.io.

The legal basis for the processing of this data is Art. 6 GDPR.

At any point, you may revoke your consent to receive email notifications according to Art. 7 Para. 3 GDPR.

However, if you discontinue our notification emails, you also discontinue the services you have booked, as these messages are directly related to the service and we need to be able to contact you regarding those services. In order to discontinue notification emails, please write to [email protected] or simply reply to the email in question.

Besides Gmail, we also use SparkPost for service email notifications. This service is provided by SparkPost Inc. (dba SparkPost), 9160 Guilford Rd., Columbia, Maryland 21046, USA, using their US and EU-hosted email delivery services. For their US-hosted email delivery service we have signed a data privacy contract to ensure your security. www.sparkpost.com/policies/privacy

Newsletters

Each time we send you a newsletter, it is dispatched by “MailChimp”. That is a newsletter distribution platform of the US provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA. 

MailChimp can by its own admission also use the newsletters we send to enhance or improve its own services, e.g. to technically enhance the dispatch procedure and display of the newsletter or for commercial purposes to be able to determine which countries the recipients are from. However, MailChimp will not use your data to contact you on their own behalf, nor forward your data to third parties. 

We believe MailChimp has demonstrated both trustworthiness and reliability with their IT security and data security. When registering our account with MailChimp, we also concluded a “Data Processing Agreement“ with MailChimp. This is an agreement in which MailChimp is obligated to protect the data of our users, to process it in accordance with its Privacy Policy on our behalf and that they must not forward this information to third parties. You can view the MailChimp Privacy Policy here.

Double opt-in process

Registering to our newsletter is completed as part of a double opt-in process. This means that after you have registered to our newsletter, you will receive an email asking you to confirm. This confirmation is required so that nobody can register with email addresses that do not belong to them.

We keep track and record each registration in order to be able to verify that your registration was processed according to legal requirements. This includes storing the time of your registration, confirming your anonymized IP address in line with Art. 7 Para. 1 GDPR.

During the sign-up process, you need to register with your first name and email address.

Statistical survey and analyses

Our newsletter contains tracking systems provided by MailChimp, e.g. a “web beacon”, i.e. a pixel-sized file that tells us which emails are being opened and which links are being clicked. This allows us to get some insight into what is valuable to you and what is not, and thus we can improve our services accordingly.

Online access and data management

At the bottom of each newsletter you find this text: “You can update your preferences or unsubscribe from this list”. These links will lead you to one of MailChimp’s web pages that can process your information. Please be aware that cookies are used on the MailChimp web pages for the purpose of processing your data by MailChimp or possibly its partners and the service providers it uses (e.g. Google Analytics). We have no influence on this data collection. You can find more information in the privacy statement of MailChimp. 

The legal basis for the processing of our newsletter is Art. 6 GDPR.

We reserve the right to delete any user from our newsletter list who seems to not open the newsletters. This is because Mailchimp charges per email address stored. Beyond this, we keep your email address in our newsletter list for as long as they seem to be of value to you. 

We also reserve the right to delete email addresses from our newsletter list from users who breach our code of conduct or display other harmful behaviours.

At any point, you may revoke your consent to receive our newsletter according to Art. 7 Para. 3 GDPR and object to future processing of your data according to Art. 21 GDPR. If you at any point wish to exercise your right to be forgotten, just email us at [email protected] and we will erase your data from our email database and archives. It helps us if you can specify whether you want us to remove you from all forms of communication, e.g. including our newsletter and all our other services, or from a specific service only.

Payment Processing Services

When using third-party services for payment processing, we have no access to your account or credit card details. The third-party services have a highly sophisticated and trustworthy security process in place following the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, Mastercard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

Please note that when we request a payment to be processed we need to send the necessary information to these services. From our side it’s the service you are interested in purchasing, the amount to be paid as well as information about whether the payment is a one-time event or a recurring payment. 

When you fill in the payment processor’s forms, be it a login page like PayPal or actually filling in your name and credit card information, these processors collect further information from you such as your IP address, browser and other information deemed necessary to confirm your legitimacy. Some of the payment options reserve the right to carry out credit checks on you for the payment to be processed.

All payment transfers take place in accordance with Art. 6 (1) point b GDPR and only insofar as it is necessary for payment processing. If you want to find out more about how a specific payment processor handles your data you can click on any of the links below: 

PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg.

Stripe Payments Europe Ltd, Block 4, Harcourt Centre, Harcourt Road, Dublin 2, Ireland.

TransferWise Limited – Shoreditch High Street London E1 6JJ United Kingdom

Klarna AB, Sveavägen 46, 111 34 Stockholm, Sweden

SOFORT GmbH, Theresienhöhe 12, 80339 Munich, Germany

External Links

Our website contains links or references to other websites that we do not control and to which our Privacy Statement does not apply. Please make sure that the first thing you are met with on those sites is a cookie warning and a direct link to their Privacy Policy to understand how they manage your data. Please understand that you are solely responsible for your interactions with those websites.

Video Call Services

Our primary method of video conferencing is Google Meet. It is a very secure option that is available to us as Google Workspace users. Google Meet offers many more security advantages than other Services such as Jitsi or Zoom. However, sometimes we might use other Services as they offer some different features. In these cases, please be extra careful about sharing any personal information during the conversations.

Google Meet adheres to the same robust privacy commitments and data protections as the rest of Google Cloud’s enterprise services. You can read more about it here: https://cloud.google.com/security/privacy

To inform yourself more about the various video call services and what data they collect, please read the following links: 

Google Meet: https://support.google.com/meet/answer/9852160?hl=en

Jitsi Meet: https://jitsi.org/security/

Zoom: https://zoom.us/privacy

Interactions outside the boundaries of our websites

Internal communication

Internally, we use communication platforms such as Slack and other Google Workspace Services. In order to provide you with the best possible experience, we communicate your wishes via these platforms. However, the communication stays within the boundaries of MergeLabs and is not communicated to Slack or Google Workspace. We do not directly share any Customer Data on Slack. 

If you want to know more about Slack’s Privacy Policy, please click here: https://slack.com/intl/en-de/privacy-policy

For Google Workspace Privacy Policy, click here: https://gsuite.google.com/security/?secure-by-design_activeEl=data-centers