GDPR

Last updated November 21, 2025

What is the GDPR?

GDPR (General Data Protection Regulation) is a current privacy law adopted by the European Union. GDPR is effective from May 25, 2018. Its purpose is to ensure the protection of the privacy and personal data rights of individuals who are EU citizens, also defined as data subjects. 

Personal data, or personally identifying data, is a very important term under GDPR. It means any information that relates to an individual and by which they can be directly or indirectly identified. For example, personal data includes the following:

  • names
  • email addresses
  • information regarding the person’s location
  • ethnicity
  • gender
  • web cookies
  • political opinions, etc.

Under the GDPR, any piece of data that makes it possible to identify a particular person is personal data. Pseudonymised data can also constitute personal data if it allows an individual to be identified without much difficulty.

GDPR is applied to every company registered within the EU and any company that processes EU residents’ personal data.

There are two main roles for a company under the GDPR. These are the data controller and data processor. The data controller decides why and how personal data will be processed. The data processor is a person (a legal entity or an individual) that processes personal data on behalf of a data controller.

Article 5 of the GDPR defines seven principles for protection and accountability of personal data:

  • Lawfulness, fairness, and transparency: processing must be lawful, fair, and transparent (understandable) to the data subject.
  • Purpose limitation: a company must process data for legitimate purposes and explicitly notify the data subject when such data is collected.
  • Data minimization: a company should collect and process only as much data as is absolutely necessary for the purposes of personal data processing.
  • Accuracy: a company must keep personal data accurate and up to date.
  • Storage limitation: a company may only store personal data for as long as necessary for the purposes of personal data processing.
  • Integrity and confidentiality: personal data processing must be done in a way to ensure appropriate security, integrity, and confidentiality of personal data.
  • Accountability: a data controller must be able to demonstrate GDPR compliance with all of the GDPR principles to a competent data protection authority.

If a company fails to comply with GDPR, a competent data protection authority may either fine the company or take administrative measures against it.

Administrative measures are described in Article 58 of the GDPR. For example, they include issuance of warnings and reprimands to a company or ordering the company to comply with the request of the data subject. Fines for failure to comply with the GDPR provisions are high: 

  • for significant violations, either 4% of annual global turnover or up to €20 million;
  • for other violations, either 2% of annual global turnover or up to €10 million.

How to delete your email address from mercavoy.com

IN THIS ARTICLE: Find out how to claim your email address and have it permanently removed from mercavoy.com user lists and campaigns.

If you want to delete your email address from the mercavoy.com platform, don’t hesitate to contact us at support@mercavoy.com or via live chat.

Is mercavoy.com compliant with the GDPR?

While providing services to clients and processing personal data, we adhere to the provisions and requirements of the GDPR. We undertake the best possible measures to ensure GDPR compliance from our side.

How does mercavoy.com comply with the GDPR?

We process all personal data according to a particular lawful basis for processing provided under the GDPR. Namely, we rely on the following bases for personal data processing:

  • consent of the data subject
  • performance of a contract
  • legal obligation
  • legitimate interest

You can find more information about this in this document or by accessing our Privacy Policy.

We also undertake appropriate organizational and technical measures to ensure effective protection of personal data. For example, we limit access to the personal data for our employees and contractors according to their competence level and conduct regular privacy training for our team members.

When it comes to technical measures, we encrypt and pseudonymise the personal data we process, have firewalls, anti-virus and anti-malware software, as well as fraud prevention algorithms put in place, and conduct regular security checks.

We pay great attention to every request and message from our clients and third-party data subjects. We do our best to manage and fulfill all the requests and messages we receive as fast as possible. Any data subject may contact us to exercise their rights under the GDPR by email at support@mercavoy.com or through the chat window available at the lower right corner of every web page on mercavoy’s website.

Are mercavoy.com’s lead generation tools and extensions compliant with the GDPR?

Yes.

mercavoy.com provides such lead generation tools as: 

  • Single and Bulk Email Search 
  • Individual and Bulk Domain Search

We also provide several other extensions that facilitate our users’ work: Email Tracker, Email Verifier, GBlast, and Technology Checker. You can check the categories of personal data processed by these extensions in our Privacy Policy.

When our users activate any of the lead generation tools or extensions we provide, thereby ordering us to collect and process third-party personal data, we act as a data processor that processes personal data provided by the client or gathered on the client’s demand. We act according to the client’s instructions during such personal data processing.

The only exception to this rule is the storage of gathered personal data: in this processing activity, our clients and mercavoy.com act as joint data controllers.

The processing of personal data via our lead generation tools or extensions is based on the necessity to perform a contract with the client and the legitimate interests of mercavoy.com, our clients, and third persons whose personal data is processed. You can find more information about this in our Privacy Policy.

During such personal data processing, mercavoy.com undertakes necessary organizational and technical measures to secure the processing of the personal data specified above.

Therefore, the lead generation tools provided by mercavoy.com are compliant with the GDPR as they process the personal data on a lawful basis provided under the GDPR. Moreover, mercavoy.com undertakes appropriate measures to secure such processing.

Who is who during the personal data processing?

General Data Protection Regulation (GDPR) defines different roles in relation to the processing of personal data. mercavoy.com may act in the following roles: 

  • data controller
  • joint data controller
  • data processor

Let’s find out more about what these roles mean for you.

1. Who is the data controller?

GDPR defines data controller as a person (a legal entity or an individual) that determines the purposes and means of the processing of personal data. In other words, a data controller determines why and how personal data should be processed. 

The data controller bears the most responsibility in relation to your data: it has to implement appropriate technical and organizational measures to ensure that processing is compliant with the GDPR. 

The data controller is also initially responsible for dealing with data subjects’ requests and complaints, reacting to any data breaches, obtaining data subjects’ consent for data collection, etc.

mercavoy.com acts as a data controller regarding the information you provide through the registration form on the website, our social media accounts, email, website’s online chat, and feedback form. mercavoy.com also acts as a data controller regarding particular cookies.

To find out more, we recommend you check our Privacy Policy and Cookies Policy.

2. Who is the data processor?

GDPR defines data processor as a person (a legal entity or an individual) that processes personal data on behalf of the data controller. The overall relationship between them is simple: the controller collects data and determines how and why it will be processed; then, the controller provides personal data to a processor who processes it according to the received instructions. 

mercavoy.com acts as a data processor with regard to: 

  • third-party information you provide us with through your personal account on mercavoy.com 
  • information you request us to collect by using our lead generation tools and extensions

To find out more, we recommend you check our Privacy Policy and Cookies Policy.

3. Who is the joint data controller?

We have already defined the concept of a controller, so obviously, this next term is very connected to it. GDPR states that a joint controller is a data controller that determines the purposes and means of processing jointly with other data controllers.

Such controllers both bear the responsibilities that initially lie on a controller alone, but at the same time, they divide their duties, in particular towards data subjects’ rights. 

mercavoy.com acts as a joint controller while cooperating with Facebook. That is why we are the party to the Facebook Joint Controllership Addendum. We and Facebook act as joint controllers with regard to:

  • marketing and statistical data collected by Facebook and shared with us via Facebook pixel
  • emails of our clients we provide to Facebook to customise the advertising of our services

mercavoy.com also acts as a joint controller with clients while providing lead generation services to clients. We urge you to check our Joint Controllership Agreement to find out the details of this joint controllership relationship.

What is the legal basis for processing my personal data?

Under the GDPR, a company can only process personal data under a legal basis for processing.

Article 6 of the GDPR lists the bases under which it’s lawful to process personal data. If a company does not use any of them, it must not collect, store or use any kind of personal data in any way.

Legal bases for the processing of personal data under the GDPR are as follows:

Consent of data subject: a company may process personal data if the data subject has consented to such processing. Consent of the data subject has to be freely given, specific, informed, and unambiguous. 

Performance of a contract: a company may process personal data if it is necessary to perform a contract with the data subject or take steps requested by the data subject prior to entering into a contract.

Legal obligation: a company may process personal data if it is required to do so under the applicable law, court order, authority’s instruction, etc. 

Vital interest: a company may process personal data if it is necessary to protect the vital interests of the data subject or another person. For example, various apps which monitor and provide the COVID-19’s morbidity and recovery statistics process the personal data on this basis.

Public interest: a company may process personal data if it performs a task that carries a public interest or exercises its official authority. For example, law enforcement agencies may process personal data on this basis.

Legitimate interest: a company may process personal data if it is necessary for the legitimate interest of the company. Such legitimate interest should not override the interests or fundamental privacy rights and freedoms of the data subject. 

mercavoy.com relies on several bases for personal data processing:

  • Consent of the data subject, to process the registration form information and cookies.
  • Performance of a contract, to process the personal data a client or user voluntarily provides to mercavoy.com.
  • Legitimate interest, to process some cookies and information necessary for the provision of services.
  • Legal obligation, to maintain the records of processing activities.

You may access more information regarding mercavoy.com’s bases for personal data processing by checking the Privacy Policy and Cookies Policy.

How does mercavoy.com collect, process, and protect personal data?

What personal data does mercavoy.com collect?

We collect the following categories of personal data:

  • contact information (name, address, email, phone)
  • third parties’ first and last names and corporate emails
  • identifiers (IP address, browser type)
  • payment information (account balance information, card type, last 4 digits of the card number, name of payment processor)
  • messages and other information you may provide us via available contact options

We collect the following categories of personal data under the instructions of our clients:

  • third parties’ first and last names and corporate emails
  • clients’ APIs from Zapier, Pipedrive, and Calendly integrations and lists of clients’ actions performed via integrations which indicate the timeline of performance of such actions
  • any personal data, including personal data of third parties, which clients upload to the mercavoy.com platform

From where does mercavoy.com collect personal data?

When we collect personal data for our purposes, we collect it directly from our clients who register on our platform or via the Email Finder extension active in the client’s browser. When the clients pay for our services and provide their payment information to 2Checkout or FastSpring, we have access to such information as well.

We may also collect cookie data and data you provide us with via contact and feedback forms with the help of third-party services: Hotjar, Crisp chat, Google Analytics, etc.

When we process the personal data under the instructions of our clients, we collect it directly from clients who provide us with the necessary information to obtain our services. We may also collect data through third-party services, e.g. Zapier, Pipedrive, or Calendly integrations.

For what purposes does mercavoy.com collect personal data?

We collect personal data for various purposes:

  • to support the functionality and safety of the platform
  • to verify clients’ reliability while paying and prevent any fraud
  • to provide our services to clients and users, communicate with them, and solve any issues during the provision of services
  • to develop and improve our platform
  • to conduct marketing development activities, e.g. to send customised advertisements to clients
  • to fulfill the clients’ and third-party data subjects’ requests, etc.

You can find more information regarding our purposes of personal data processing in our Privacy Policy.

How does mercavoy.com protect your personal data?

mercavoy.com uses many physical, organisational, and technical measures to protect your personal data.

Organisational measures include:

  • Adoption of the Risk Management Policy, Vulnerability Disclosure Program, Information Security Policy, Privacy User Data Detection
  • Establishing rules that allow us to promptly and efficiently respond to any threats to the integrity and security of personal data
  • Limitation of access to personal data only to the defined number of persons
  • Regular privacy training for the team members

Physical measures include the following:

  • Security alarm system of the office
  • Key-password access system for all team members
  • Password-protection of devices involved in personal data processing

Technical measures include the following:

  • Encryption and pseudonymisation of personal data
  • Security authentication procedures for persons who access the personal data
  • Firewalls, anti-virus, and anti-malware software
  • Fraud prevention algorithms
  • Regular security checks

Where does mercavoy.com transfer your personal data?

How does mercavoy.com transfer personal data?

mercavoy.com transfers your personal data only to the trusted partners and suppliers to provide you with a range of services that may not be ensured solely by mercavoy.com. In particular, mercavoy transfers personal data to a few contractors based in the US.

We have established the Supplier Assessment Procedure under which we evaluate whether it is safe to transfer personal data and implemented sufficient technical measures to ensure the safety of your personal data while transferring. Such technical measures include encryption, anonymisation, and pseudonymisation of data. 

When choosing partners and contractors to which we transfer your personal data, we do our best to engage partners and contractors who have implemented the requirements of the SOC 2 or ISO 27001 security standards. Still, we cannot guarantee with 100% certainty the absence of non-compliance issues on the partners’/contractors’ side in the future.

How does mercavoy.com store personal data?

We use the services of cloud-based data storage service providers, namely Amazon, MongoDB and Hetzner, to store personal data. 

Most personal data is stored on the Amazon servers. Data provided by the web extensions used by our clients is stored on MongoDB.

We choose only verified data storage service providers to store the personal data we process. You can find more details on how we store and process personal data in our Privacy Policy.

Does mercavoy.com sell personal data?

mercavoy does not sell your personal data to any third parties.

How does mercavoy.com secure the personal data transfers?

mercavoy.com has concluded Data Processing Agreements (DPA) with every partner to whom we transfer personal data. These agreements are based on the Standard Contractual Clauses adopted by the European Commission and are considered appropriate safeguards under the GDPR.

Some of the DPAs are publicly available, e.g. the DPA of Google is available via this link.

The requirements established by DPAs are legally binding for both mercavoy.com and our partners or contractors.

DPAs include the following requirements for the partners and contractors:

  • to process personal data only on documented instructions from the controller (mercavoy.com or our clients)
  • to ensure that persons authorised to process personal data will not breach the confidentiality of such personal data
  • to take all security measures required in Article 32 of the GDPR, e.g. pseudonymisation and encryption of personal data, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, etc.
  • to delete or return at the choice of mercavoy.com or its clients all the personal data after the end of the provision of services, unless the applicable laws provide otherwise
  • to make available to mercavoy.com or our clients all information necessary to demonstrate compliance with the GDPR obligations
  • to allow for and contribute to audits, including inspections, conducted by mercavoy.com or another auditor mandated by mercavoy.com

mercavoy.com also encrypts all personal data before its transfer, so that such personal data goes to the third parties, including those based in the US, already encrypted.

These measures allow mercavoy.com to secure the integrity and confidentiality of your personal data while transferring it to our trusted partners and contractors.

GDPR FAQ (for mercavoy.com users and clients)

Is it necessary to receive consent to process emails?

No, it is not strictly necessary. The GDPR provides six lawful bases for the processing of personal data. We rely on four of them, e.g. during the processing of the prospects’ email addresses we rely on the legitimate interest. You can find more information about it in this document. 

What is legitimate interest?

The legitimate interest basis is one of the lawful bases for personal data processing under the GDPR. Legitimate interest may apply in cases when: 

  • processing of such personal data might be reasonably expected by the data subject 
  • its impact on the data subject’s privacy is not significant
  • there is a strong, justified reason to carry out the processing.

We have defined that the processing of emails relies on our, your, and the prospects’ legitimate interests, which are the following:

  • contribution to business cooperation between you and your potential prospects 
  • creation and assistance in discovering the new business-targeted marketing and sales opportunities for you and your potential prospects
  • your interest in the expansion of the database of the potential prospects
  • development of the new unique platform that simplifies and facilitates professional interaction between businesses
  • your interest in the use of an online platform for businesses that combines sales, CRM, analytics, marketing, and email service functionality
  • prospects’ interest in the approach of new potential and verified clients or suppliers
  • prospects’ interest in commercializing the use of their publicly posted information related to their professional or business interests/occupation.

For more information regarding the bases for the personal data processing we apply, please check our Privacy Policy.

How does mercavoy.com ensure it has the right to process email contacts?

We do our best to ensure that our activities comply with the requirements of the GDPR. 

The GDPR requires conducting a legitimate interest assessment in cases when the processing relies on this lawful basis. 

mercavoy.com has completed such an assessment regarding all personal data whose processing is based on legitimate interest, including emails. We have verified that our acting as a joint controller during such processing does not override the interests or fundamental privacy rights and freedoms of the prospects. 

You can read more about the processing roles of mercavoy.com in this document.

For more information, please check our Privacy Policy.

How does mercavoy.com fulfill the rights of prospects?

We do our best to comply with the requirements of the GDPR and applicable laws. 

mercavoy.com fulfills the prospects’ rights as follows:

  • undertakes appropriate technical and organizational measures to ensure secure processing and transfer of prospects’ personal data
  • fulfills prospects’ requests regarding the processing of their personal data
  • answers the prospects’ questions regarding the processing of their personal data
  • processes prospects’ personal data on a lawful basis under the GDPR
  • transfers prospects’ personal data only to the trusted partners. 

Do you need to comply with the GDPR?

We would strongly recommend that you comply with the requirements of the GDPR as far as it is possible. Please note that you act as a joint data controller together with us regarding the prospects’ personal data you provide us with. 

Important: as joint data controllers, we should cooperate and provide reasonable assistance to each other in order to ensure fulfillment of the prospects’ rights, so in case you receive requests from the prospect, you may contact us. 

In some cases, our data processing activities fall under Brazilian data protection laws. 

How to communicate with prospective clients

The services we provide help our clients find prospective clients all over the world and largely simplify this process. However, it is still necessary to comply with the requirements of the applicable laws, in particular regarding the sending of emails to other persons.

We created a list of the main tips regarding communication with prospective clients. 

Is it necessary to have consent to send emails?

It depends on the requirements of the applicable laws, as different national legislations contain different requirements in this regard. 

For example, under the CAN-SPAM Act, adopted in the U.S. in 2003, you do not need to get consent prior to adding users located in the US to your mailing list or sending them commercial messages. However, you must provide such users with a clear and easy mechanism to opt out of your mailing list.

The CAN-SPAM Act is one of the best-known pieces of legislation in the world on the sending of commercial emails.

Tips for your email campaigns

We urge you to comply with all of the following tips when you send emails to any person using our platform:

  • Do not include persons who have asked you not to send them emails in your mailing list.
  • Clearly indicate yourself and your contact details in the email.
  • Do not include false or deceptive information in the email header, particularly in the “From”, “To” and “Subject” email fields.
  • Where possible, always obtain consent from the prospects or clients to send them emails.
  • Make it clear that your email is an advertisement or solicitation.
  • Provide a recipient with a simple, clear, and easy-to-use opt-out option.
  • Always fulfill the requests to unsubscribe from your mailing list immediately.
  • Monitor your compliance with these tips and fix any faults and flaws immediately.

Note: this list of requirements and recommendations is not exhaustive. We urge you to check the requirements of the applicable law regarding email communication before sending emails to any person via our platform. You are responsible for complying with the requirements of the applicable laws.

What if a prospective client asks you where you got their email?

If you receive such a question, please contact one of our specialists for assistance at support@mercavoy.com or via live chat. We always provide our clients and users with assistance regarding mailing and privacy matters.

In most cases, the email addresses of prospective clients are publicly available online or on social media. You should explain this to the prospect. If the prospect requests you to provide clarifications to your answer, you should contact one of our specialists again and ask for assistance. 

If the prospect requests you to delete their email, you should notify us about this request and comply with it by removing their email address from your mailing list.

GDPR FAQ (for third-party data subjects)

How long do we process your personal data?

We process your personal data either as a joint data controller with our clients or as a data processor on behalf of and under the directions of our clients. 

When we act as a data controller jointly, we store your personal data for the entire period the particular client uses our services and 3 months following the termination of their account on our platform. 

In some cases, two or more clients provide your data to us simultaneously. In such a case, we store your personal data during the entire period during which one of such clients uses our services and 3 months thereafter.

When we act as a data processor, we process your personal data only for the period of time specified by the client.

What is the legal basis for your personal data processing?

When we act as a joint data controller with a client, we process your personal data on the basis of our, the clients’, and your legitimate interests. These interests are specified in our Privacy Policy.

When we act as a data processor, we process your personal data only on the clients’ behalf and according to their directions. In this case, we process your personal data on the basis of either our, the clients’, and your legitimate interests or the duty to perform a contract with the clients.

We also urge our clients to ensure the presence of the legal grounds for your personal data processing under the GDPR and believe that clients have the right to provide your personal data to us.

What rights do you have under the GDPR?

You have all the rights provided under the GDPR. These include:

  • right to access
  • right to rectification
  • right to erasure (“right to be forgotten”)
  • right to restriction of processing
  • right to be informed
  • right to data portability
  • right to object
  • right to withdraw the consent
  • right not to be subject to a decision based solely on automated processing
  • right to lodge a complaint with the supervisory data protection authority

You may exercise any of your rights by contacting us at support@mercavoy.com or via live chat in the lower right corner. 

Please make sure to provide your name, contact information, personal data processed and details for the reason/justification of your request.

When we are unable to solely fulfill your request without the involvement of a data controller, we will promptly direct your request to a data controller and assist the data controller in fulfillment of your request the best we can by providing necessary information and performing requested technical and organisational measures.

Can you request to provide you with a copy of your personal data?

Yes, you can. 

You may request to provide the following information:

  • access to your personal data
  • the copy of your personal data
  • the purposes of the processing
  • the categories of personal data concerned
  • the recipients of the personal data, if any
  • the retention period (or the criteria used to determine such period)
  • the source from where the personal data were obtained
  • your rights regarding your personal data

Before fulfilling your request, we have to confirm your identity. That means we may request additional information to confirm the identity if required.

Can you delete your data? 

Yes, you can. 

You may request us to delete (‘erase’) your personal data that we process as a joint data controller at any time by contacting us at support@mercavoy.com or via live chat on the website.

We will fulfill your request for deletion without undue delay where one of the following grounds applies:

  • your personal data is no longer necessary for the purpose for which it was collected
  • there is no legal ground for processing
  • you object to the processing of your personal data
  • your personal data has been unlawfully processed  
  • your personal data has to be erased for compliance reasons, i.e. to meet our legal obligations
  • where the personal data was relevant to you as a child

Where we act as a data processor regarding your personal data, after we receive your request to delete your personal data we will promptly direct it to the data controller who is solely responsible for its fulfillment. 

How does mercavoy.com comply with articles 13 and 14 of the GDPR?

Articles 13 and 14 of the GDPR oblige the data controller to provide certain information to the data subjects. 

At the same time, Article 26 of the GDPR provides that where personal data is processed by joint controllers, they have to determine their responsibilities for compliance with obligations under the GDPR themselves.

Under our Joint Controllership Agreement concluded with each of our clients, our and clients’ responsibilities are divided as follows:

  • we are responsible for the technical and organizational security of your personal data
  • clients are responsible for informing you regarding the processing of your personal data  

When we act as a data processor, it is the responsibility of the respective data controller to provide you with the respective information under Articles 13 and 14 of the GDPR.

You can find all information regarding your personal data processing in our Privacy Policy, Cookies Policy, and other articles in this document.

How to delete your mercavoy.com account

mercavoy.com allows you to delete your account if it is no longer needed and you wish to remove it from our records.

To delete your account: send a message to support@mercavoy.com

LGPD FAQ (for mercavoy.com users and clients)

What is the LGPD?

Brazil’s General Data Protection Act (Lei Geral de Proteção de Dados) (LGPD) is the comprehensive privacy and security law governing the protection of personal data in Brazil. LGPD was enacted on August 14, 2018. 

Under the LGPD, any information that makes it possible to identify an individual can be considered personal data. 

The key definitions of the LGPD are similar to GDPR. For example, there are two main roles that a company can take on in personal data processing activities. These are the data controller and data processor. 

A data controller is an entity in charge of making the decisions regarding the processing of personal data, while a data processor is an entity that processes personal data on behalf of a data controller. However, in comparison with the GDPR, the LGPD does not explain the concept of joint controllership. 

The concept of joint controllership was instead introduced by ANPD (Brazil’s data protection authority) in its guidelines and can be understood as “the joint, common or convergent determination, by two or more controllers, of the purposes and essential elements for the realization of the treatment of personal data, through an agreement that establishes the respective responsibilities regarding compliance with the LGPD”.

If a company fails to comply with LGPD requirements, the national authority, i.e. ANPD, may apply administrative sanctions against such a company, including fines of up to 2% of the company’s revenue in its last fiscal year, excluding taxes, capped at R$ 50,000,000 (approximately USD 10,000,000) per infraction.

Is it necessary to receive consent to process emails?

No, it is not strictly necessary. The LGPD provides ten legal bases for the processing of personal data. We mostly rely on four of them. For example, when processing prospects’ email addresses as a controller, we rely on legitimate interest. When we act as a processor, we believe that clients have the appropriate legal basis to transmit your personal data to us, including by obtaining valid consent from data subjects to do so.

What is legitimate interest?

The legitimate interest basis is one of the ten legal bases for personal data processing under the LGPD. 

We have determined that the processing of emails relies on our, your, and the prospects’ legitimate interests, which are the following:

  • contribution to business cooperation between you and your potential prospects; 
  • creation and assistance in discovering the new business-targeted marketing and sales opportunities for you and your potential prospects; 
  • your interest in the expansion of the database of the potential prospects; 
  • development of the new unique platform that simplifies and facilitates professional interaction between businesses; 
  • your interest in the use of an online platform for businesses that combines sales, CRM, analytics, marketing, and email service functionality;
  • prospects’ interest in the approach of new potential and verified clients or suppliers;
  • prospects’ interest in commercializing the use of their publicly posted information related to their professional or business interests/occupation.

How does mercavoy.com ensure it has the right to process email contacts?

We do our best to ensure that our activities comply with the requirements of the LGPD. 

Under Article 10 of the LGPD, the controller shall adopt measures to ensure transparency of data processing based on their legitimate interests.

mercavoy.com has completed a legitimate interest assessment regarding all personal data whose processing is based on legitimate interest, including emails. We concluded that the data subject’s fundamental rights and freedoms, which require personal data protection under applicable laws, do not prevail in this case and therefore do not contradict the requirements of Article 10 of the LGPD.

You can read more about the processing roles of mercavoy.com here. For more information, please check our Privacy Policy.

How does mercavoy.com fulfill the rights of prospects under the LGPD?

We do our best to comply with the requirements of the LGPD, guidelines issued by ANPD, and applicable laws. 

mercavoy.com fulfills the prospects’ rights as follows: 

  • undertakes appropriate technical and organizational measures to ensure secure processing and transfer of prospects’ personal data; 
  • fulfills the prospects’ requests regarding the processing of their personal data; 
  • answers the prospects’ questions regarding the processing of their personal data; 
  • processes prospects’ personal data on a lawful basis under the LGPD; 
  • transfers prospects’ personal data only to the trusted service providers.

Do you need to comply with the LGPD?

We would strongly recommend that you comply with the requirements of the LGPD when this act applies to your data processing activities. Please note that you act as a joint data controller together with us regarding the prospects’ personal data you provide us with. 

Important: as joint data controllers, we should cooperate and provide reasonable assistance to each other in order to ensure fulfillment of the prospects’ rights, so if you receive a request from a prospect, you may contact us.

LGPD FAQ (for third-party data subjects)

In some cases, our data processing activities fall under Brazilian data protection laws. mercavoy.com complies with Brazil’s General Data Protection Act (LGPD) and implements appropriate technical and organizational measures to ensure secure processing and transfer of personal data.

What is the LGPD?

Brazil’s General Data Protection Act (Lei Geral de Proteção de Dados), or LGPD, is a privacy and security law created for the protection of personal data in Brazil. LGPD was enacted on August 14, 2018.

Under the LGPD, any information that makes it possible to identify an individual can be considered personal data. 

The key definitions of the LGPD are similar to the GDPR. For example, there are two main roles that a company can take on when processing personal data: data controller and data processor.

A data controller is an entity in charge of making the decisions regarding the processing of personal data, while a data processor is an entity that processes personal data on behalf of a data controller. However, unlike the GDPR, the LGPD does not explain the definition of a joint controller, but the concept of joint controllership was introduced by ANPD (Brazil’s data protection authority) in its guidelines.

If a company fails to comply with LGPD requirements, the national authority, i.e. ANPD, may apply administrative sanctions against such a company, including fines of up to 2% of the company’s revenue in its last fiscal year, excluding taxes, capped at R$ 50,000,000 (approximately USD 10,000,000) per infraction.

How long do we process your personal data?

We process your personal data either as a joint data controller with our clients or as a data processor on behalf of and under the directions of our clients. 

When we act as a data controller jointly with other controllers, we store your personal data for the entire period the particular client uses our services and 3 months after the termination of their account on our platform. 

In some cases, two or more clients provide your data to us simultaneously. In that case, we store your personal data for the entire period during which one of these clients uses our services and for 3 months after.

When we act as a data processor, we process your personal data only for the period of time specified by the client.

What is the legal basis for your personal data processing?

When we act as a joint data controller with a client, we process your personal data on the basis of our, the clients’, and your legitimate interests. These interests are specified in our Privacy Policy.

When we act as a data processor, we process your personal data only on the clients’ behalf and in accordance with their directions.

We urge our clients to ensure the presence of the legal grounds for the processing of your personal data in accordance with requirements provided by Article 7 of the LGPD and believe that clients have the appropriate legal basis to transmit your personal data to us, including by obtaining valid consent from data subjects to do so.

What rights do you have under the LGPD?

Article 18 of the LGPD provides you with the following rights:

  • right to confirmation of the existence of the processing; 
  • right to access the data; 
  • right to correct incomplete, inaccurate or out-of-date data; 
  • right to anonymize, block, or delete unnecessary or excessive data or data processed in non-compliance with the provisions of the LGPD; 
  • right to the portability of data to another service or product provider, by means of an express request; 
  • right to delete personal data processed with the consent of the data subject; 
  • right to obtain the information about the possibility of not giving consent and about the consequences of the refusal; 
  • right to obtain the information about public and private entities with which the controller has shared data; 
  • right to revoke consent.

You may exercise these rights by submitting your request at support@mercavoy.com or via live chat in the lower right corner.

Please note that we cannot fulfill the request if we cannot verify your identity and confirm the personal data relates to you. So make sure to provide your name, contact information, and details in your request. We process such information only to verify your identity and not for anything else.  

Can you request to provide you with a copy of your personal data?

Yes, you can, by submitting your request at support@mercavoy.com or via live chat in the lower right corner.

You may also request the following information regarding the processing of your personal data under the LGPD:

  • the specific purpose of the processing; 
  • the type and duration of the processing, subject to commercial and industrial secrecy; 
  • identification of the controller; 
  • the controller’s contact information; 
  • information regarding the shared use of data by the data controller and the purpose; 
  • responsibilities of the agents that will carry out the processing; 
  • the data subject’s rights.

Most of this information is already provided in our Privacy Policy.

We are committed to providing you with a copy of your personal data within a period of 15 days from the date of your valid request, subject to commercial and industrial secrecy unless otherwise implied by Brazil’s laws. 

We cannot fulfill the request if we cannot verify your identity and confirm the personal data relates to you, so please make sure to provide your name, contact information, and details in your request. We process such information only to verify your identity and not for anything else.

Can you delete your data? 

Yes, you can, by submitting a deletion request at support@mercavoy.com or via live chat in the lower right corner.

You have the right to anonymize, block, or delete unnecessary or excessive data or data that is not being processed in compliance with the LGPD. In your request, please provide enough details to allow us to understand your justifications, evaluate and respond to the request.

You also have the right to delete personal data processed with the consent of the data subject. You have a right to request permanent deletion of your data, subject to certain exceptions (for example, if we have other legal grounds to process your personal data).

We cannot fulfill the request if we cannot verify your identity and confirm the personal data relates to you, so please make sure to provide your name, contact information, and details in your request. We process such information only to verify your identity and not for anything else.

If you have any other questions about the mercavoy.com platform, don’t hesitate to contact us at support@mercavoy.com or via live chat.

Contact

ERAMARK AS

Barbaros Blvd. Nisbetiye St. 102-1/5 34340 Istanbul