VideoSanityIntra

GDPR Compliance

Last updated: March 8, 2026

1. Our Commitment

merg.ro is committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This page outlines how we comply with GDPR requirements for data processed through the moderation platform.

2. Legal Basis for Processing

We process personal data under the following legal bases:

  • Legitimate interest (Article 6(1)(f)): Platform security, fraud prevention, and maintaining the integrity of the moderation workflow.
  • Contractual necessity (Article 6(1)(b)): Processing staff account data necessary to provide access to moderation tools as part of employment or contract obligations.
  • Legal obligation (Article 6(1)(c)): Retaining audit logs of content moderation decisions where required by applicable law or regulation.

3. Data Subject Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Article 15): Request a copy of the personal data we hold about you.
  • Right to rectification (Article 16): Request correction of inaccurate personal data.
  • Right to erasure (Article 17): Request deletion of your personal data, subject to legal retention requirements for audit logs.
  • Right to restriction (Article 18): Request that we limit the processing of your data under certain circumstances.
  • Right to data portability (Article 20): Receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Article 21): Object to the processing of your personal data based on legitimate interest.

To exercise any of these rights, including requesting data deletion, contact us at gdpr@merg.ro. We will respond to valid requests within 30 days.

4. Data Protection Measures

We implement technical and organizational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest for sensitive data stores.
  • Argon2 password hashing with no plaintext credential storage.
  • OAuth 2.0 with PKCE for secure authentication flows.
  • Role-based access control limiting data access to authorized personnel.
  • Automatic session expiry and token rotation.
  • Audit logging of all authentication events and privilege changes.

5. Data Processing Records

In accordance with Article 30 of the GDPR, we maintain records of processing activities. These records document the categories of data processed, the purposes of processing, retention periods, and the technical measures in place to protect data. Processing records are available to supervisory authorities upon request.

6. International Data Transfers

When personal data is transferred outside the European Economic Area (EEA), we ensure adequate protection through approved mechanisms such as Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission. Details of specific transfer safeguards are available from the data protection officer.

7. Data Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will also notify those individuals without undue delay in accordance with Article 34.

8. Contact

For GDPR-related inquiries, to exercise your data subject rights, or to report a concern, please contact us at gdpr@merg.ro. You also have the right to lodge a complaint with your local supervisory authority.