F-Secure privacy policy for services
This privacy policy is given by F-Secure Corporation, a Finnish publicly listed corporation with Business ID 0705579-2 ("F-Secure", "we", "our", "us"). The policy also applies to all subsidiaries of F-Secure Corporation.
This policy describes how we process our customers' personal data.
We seek to ensure that your personal data remains private. Any data that we collect is only used for the purposes that are explained in this policy, in the service-specific terms or notices, and in the license terms and the agreements between you and us.
Depending on what F-Secure services and software you use and on your other interaction with us, some sections of this privacy policy may not apply to you or may apply to you only in part.
Definitions
The following explains terms in the privacy policy that have a specific meaning.
"Client", "you", refers to a private or corporate user or any other data subjects who buy, register for use, or use our services and who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services (including web solutions), web sites, telephone, e-mail, registration forms, or other similar channels.
"Personal Data" refers to any information on private individuals and their personal characteristics or circumstances, which are identifiable to them or their family or household members. This information may include names, e-mail and mailing addresses, telephone numbers, billing and account information, and other information incidental to the services and their provisioning.
"Services" refer to any services or products that are manufactured or distributed by F-Secure, including software, web solutions and related support services.
"Web Site" refers to the http://www.f-secure.com web site or any other web site that F-Secure hosts or controls, including their sub-sites and content.
Legal basis for processing your personal data
Based on applicable laws, we have the right to process your personal data when you become our client.
We have the right to collect and process your personal data when you communicate with us or our business partners relating to our services, install and use our services, fill out a form or survey, register to use our services, submit information through our web solutions, enter a contest or sweepstakes, register your e-mail address with us, or send us e-mail.
We need to automatically collect and process relevant personal data for our services to work and for you to benefit from the services. As such processing is inseparable from the services we provide to you, we have a valid need and legal authorization to do so.
In some cases, we separately ask for your consent for the processing.
If you visit our web sites when subscribing to or using our services, we may also collect personal data through our web site as stated in the separate Web site privacy policy.
You acknowledge and consent that we may disclose or transfer any of your personal data to our affiliates, subcontractors, distributors and partners that are located in the EEA or outside the EEA as described in this policy.
Types of data that we collect and process
This section describes the different types of personal data that we collect.
Personal data
By using our services, you are our client. Therefore, we ask you to provide personal data that is necessary for providing our services to you.
Such personal data includes your contact and billing information, name and e-mail address, mailing address, telephone number, country, city, language and age, and in some cases your age, gender or the name of your employer. We may also ask you to choose a password or give you a unique identifier that you can use to access and manage our services.
We may also automatically collect such information that we need to manage and provide our services and to process a purchase transaction.
Such information includes the number of purchased licenses, devices covered by your license, purchase and payment history, the distribution partner used, your communication with our support services, device identification data, data on the technical environment (for example, operating system) of your device, and service usage data (for example, activation status, time of latest login).
If you have subscribed to our mobile products, we also collect the IMEI and IMSI codes of your mobile device automatically.
For location-based services (such as anti-theft service) we also process the location data of your device or that of your web traffic to enable your location requests.
When using our content services, such as backup and content management services, to manage your data and files, the content may be uploaded to and transmitted through our services and servers. In so doing, we will a) process whatever content you manage through that service, b) automatically collect related metadata, such as data on the date, time and IP address of your latest login to the service, file names, file geographic location, device serial numbers, connection identifiers and relations and files shared between customer accounts and other substantially similar data.
To provide support services, we may need to collect and process relevant malware infection and e-mail identification data in a format that we can connect to you, where you have provided such data to us. To resolve support cases, we may also need to process partial logs of file activities when necessary.
The data collected and processed for our social media services, as well as use thereof is set out in a separate policy.
Sources of personal data
While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners and corporate entities from whom you have purchased the services.
Such other sources may further include subcontractors who have provided you with support services, or advertising partners who have assisted us in conducting our marketing activities.
Technical and security data
Most of our services constantly process technical metadata and security-related technical data from your device to allow our services to perform their intended purpose.
Whenever possible, this technical and security data is collected and processed in a manner that cannot be linked to you.
The 'technical data' and 'security data' are mostly comprised of metadata on files and folders that you handle via our services. Such metadata includes:
- the size, number and type (for example, a digital photo or a text document) of files
- http header information
- dates of file creation, modification and deletion
- automatic keywords based on file contents
- comments and annotations
- device screen resolution
- statistical and analysis data on possible malware activities
- data on software applications and technical user environment
- other substantially similar data
As part of our Real Time Protection Network, our security services also need to collect other types of security data, which are described in a dedicated privacy statement.
How personal data is used
This section describes how we use the personal data that we collect.
The personal data that we collect is used to:
- identify authorized users and check customer qualifications, process and track transactions such as issuing invoices, administering accounts, shipping, collecting and processing payments, and manage licenses;
- provide help and support for our services;
- provide, maintain, develop and enhance our services;
- track the services that you have bought and used so that we can manage your customer relationship and communicate with you;
- manage and improve the functionality of our services and web site;
- send you information about the services, for example to inform you of new versions and features, and related services via direct messaging or other means of communication;
- arrange competitions and conduct customer satisfaction surveys;
- advertise and market our other services to you;
- prevent fraudulent activities;
- comply with any applicable legal or regulatory requirements or provisions;
- remove or stop sharing of illegal or infringing material.
To help you evaluate the implications of such processing, some use scenarios are explained below in more detail.
Buying products and services from the F-Secure e-store
When you buy our products and services from our e-store, we need to process your personal data and associated payment and billing information for conducting the purchase and updating your account.
Depending on where you are located, the F-Secure e-store may also be operated by an external e-store provider or by one of our distribution partners as a whole or in part. Part of the purchase transaction may occur on third-party web sites, as indicated in the e-store. The entity with whom you are dealing with is indicated in our e-store web pages. In such cases, the personal data that you provide in connection with the purchase is also processed according to the terms and privacy policies of the external e-store provider or distribution partner and subject to applicable laws.
We do not store the payment card information that you submit in any of our F-Secure e-stores. This information is sent to either the selected payment provider or distribution partner, and is processed according to the privacy policies of that payment provider or distribution partner.
Location
In regards to those of our services which provide information on the location of your device or where your web traffic is directed, we will only process the location data in identifiable format to provide it for the purpose that you have requested via the services. The location data is processed for your use only for a limited amount of time, after which we will either delete it or make it anonymous.
Metadata of the files in your content may also consist of location data (for example, photographs). In such cases, the location data is processed as any other file metadata, as described below.
In some cases, where the data is provided by a third party (for example, your location is provided through the use of Google maps), note that the provider of location data utilizes such data based on its own terms, privacy statements and laws applicable to it.
Content
Some of our services allow you to back up or manage your data and files. We consider the content that you back up or manage through our services to be your private data.
To ensure the best protection for your privacy, we seek to process i) your account information, ii) your actual content and iii) metadata and security data separately from each other as much as feasibly possible.
We also restrict our visibility to the actual contents of the files as much as possible. We do not seek or want to see the contents of your files. However, we need to process metadata and security data related to your content so that we can provide you with our services. In so doing, we also link some aggregate metadata to your account.
We access your specific file contents only where there is a clear need to do so. The most common such need is that you raise a support case relating to your content. In such cases, we enforce a process where only high-level support and hosting technicians can access your content when the case is escalated from the normal support level. We may also need to access your specific content when you use our services to distribute content which may violate our terms of use. In such case, our personnel’s access to the content in question is provided on a need-to-know basis.
Naturally, you yourself may make your content available to a larger audience through the service options.
We process the necessary metadata from your content to enable our service to manage it for you and may also scan your content for any malicious software. The privacy aspects of these activities are included in the section below.
Technical data and security data
To provide you with our security services, our security software needs to collect security data on unknown files, suspicious device behavior, or visited URLs. This data is converted to an anonymous format when it is collected. Some service features require this data to function.
The security data that we collect from your device is not connected to you in an identifiable manner unless there is a valid reason to do so. Much of the security data that we collect is made irrevocably anonymous. In some cases, we may need to process some of the collected metadata or security data in a personally identifiable manner. We will do so only with your express consent or when we are unable to deliver our relevant services otherwise, for example, when solving a support case you have submitted. Security data is not used for personalized marketing purposes.
F-Secure may further disclose or transfer any of the security data to its affiliates, subcontractors, distributors and partners while maintaining the anonymity of the disclosed or transferred security data.
As some of our services help you secure, back up and share the content on your devices, it is necessary for us to process the related technical data / metadata. For example, when you are storing, sharing or synchronizing your files as part of our services, we need to categorize the files to handle their storage, transfer, listing, playing, sharing and retrieval. We also need to collect metadata on files to enable copying and synchronizing them across various devices and to enhance their presentation. We limit our visibility to such metadata on the principles that we monitor only aggregate metadata (such as total size of your content) and process file-based metadata only automatically for the above purposes.
Marketing activities
We may market, sell, extend promotions, and send you special offers and other marketing information.
This information can relate to our services and to the services of our distribution partners. We will only send you such information if we have your consent or if the applicable laws otherwise allow us to do so. Most laws allow marketing activities on the basis of a customer relationship. We may use our subcontractors and partners to undertake marketing activities on our behalf. We will closely adhere to applicable laws when sending you information and you can request to be removed from our direct marketing list at any time.
Service and web site user tracking
We may track the use of our services, web sites and advertising to improve your customer experience and to enhance our services.
By default, your activities are not tracked in any way that would be directly connected to you. We use pseudonyms or combine data from multiple individuals to create statistics, to build demographics, or to provide customer segmentation. However, when we use such data for marketing, the relevant portions of such data (for example e-mails) need to be processed in a personally identifiable format. If you have a customer relationship with our resellers (based on your use of our services), they may be granted limited access to the relevant data.
Our Web site privacy policy describes in detail how we collect data on the use of our web site.
Transfer of personal data
To whom we transfer personal data
We may disclose your personal data to subcontractors and F-Secure group companies who provide services or parts thereof that you have licensed.
Only the necessary personal data is shared with these companies, and it is always transferred electronically.
Where our clients' personal data needs to be disclosed to our subcontractors (for example, to solve a support case or to send it to logistic partners for product delivery), we require, in our contracts with them, that they use such information solely for providing services to F-Secure, and under the strict instructions of F-Secure, and in so doing, to act in a manner consistent with this privacy policy, your agreements with us and the mandatory laws applicable to F-Secure.
Some of our subcontractors and partners are located outside the EEA to ensure the global availability of our services. When we transfer personal data outside EEA, we secure the personal data according to the requirements of the law. We will do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and F-Secure group companies, for example by using data transfer clauses that are approved by European Union.
We may disclose your personal data to our distribution partners, from whom you have bought our services. These companies can only access the personal data that they need to provide the agreed services. Our distribution partners must also comply with the agreements and legislation when handling your personal data.
We may also disclose your personal data to ensure the availability of the services or the web site according to our rights under the appropriate agreements, license terms or applicable legislation. We may also do this to protect ourselves against liability or prevent fraudulent activity, or where it is necessary to solve or contain an ongoing problem. In any such action, we will act according to the applicable laws.
We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of F-Secure, where the information is provided to the new controlling entity in the regular course of business.
We may also disclose your personal data to our insurers and to governmental regulatory agencies if so allowed by applicable laws.
There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated to disclose information without acquiring your consent. This includes complying a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information, or to comply with the court rules.
To whom we do not transfer personal data
We will not sell, rent, or lease your personal data to any third parties.
We do not, for example, sell your name, e-mail addresses, or personal demographic to mass marketers.
Retention period
We retain your personal data in our databases in line with our data retention policies and applicable laws.
We may retain your personal data beyond the end of your client relationship with us, but only as long as necessary. Typical reasons why we would retain personal data identifiable to you beyond our customer relationship include:
- to retain information on your purchase and payment of our services
- to prevent fraudulent activity
- to allow us to pursue available remedies or to limit any damages that we may sustain
- to solve or contain an ongoing problem
- to have enough information to respond to future issues
- to uphold agreements between you and us
- to comply with the law
Technical data and security data that do not contain personal data are retained as long as such data is needed and is useful for the purpose it was collected.
Data security
We apply strict security measures to protect the confidentiality and integrity of your personal data when transferring, storing or processing it.
We use physical, administrative and technical security measures to reduce the risk of loss, misuse or unauthorized access, disclosure or modification of your personal data.
We store your personal data on secure servers that are located either at our offices, at the offices of our subcontractors, or at fully classed data centers. Only authorized personnel can access the information on these servers. Where our clients' personal data needs to be disclosed to our subcontractors, we require them to process and protect personal data in a manner consistent with this privacy policy and applicable laws. If you contact us through our web site or via e-mail, be aware that any information that is sent via the Internet might not be secure.
Accessing and modifying your personal data
We seek to keep your personal data accurate, complete and up to date.
You should update any changes to your personal data, for example, change of address or e-mail address. Some of our services portals allow you to update your current data. If you cannot update the changes yourself, you may inform us of the necessary changes.
You can contact us for more details about how your personal data is processed or to cancel your consent. Our contact information is included in this policy. You can unsubscribe from receiving marketing messages by following the instructions that are included in each message.
You have the right to ask us what personal data we retain about you. According to the applicable laws we may charge a small fee for this.
Changes to policy
To keep this privacy policy current and up to date, we will make changes to this policy from time to time, as necessary.
We will publish the changed privacy policy on our web site. If the changes are significant, we may also notify you by other means, such as posting a notice on our home page or sending an e-mail. Any changes will apply starting from the date that we publish the revised privacy policy on our web site.
Contact information
Contact information for matters related to Personal Data.