F-Secure privacy policy for services

This privacy policy is given by F-Secure Corporation, a Finnish publicly listed corporation with Business ID 0705579-2 ("F-Secure", "we", "our", "us"). All our subsidiaries also apply this policy.

This policy describes how we process our customers' personal data.

We seek to ensure that your personal data remains private. Any data that we collect is only used for the purposes that are explained in this policy, in the service-specific terms or notices, and in the license terms and the agreements between you and us.

Depending on what F-Secure services and software you use and on your other interaction with us, some sections of this privacy policy may not apply to you or may apply to you only in part.

Definitions

The following explains terms in the privacy policy that have a specific meaning.

"Client", "you", refers to a private or corporate user or any other data subjects who buy, register for use, or use our services and who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services (including web solutions), web sites, telephone, e-mail, registration forms, or other similar channels.

"Personal data" refers to any information on private individuals and their personal characteristics or circumstances, which are identifiable to them or their family or household members. This information may include names, e-mail and mailing addresses, telephone numbers, billing and account information, and other information incidental to the services and their provisioning.

"Services" refer to any services or products that are manufactured or distributed by F-Secure, including software, web solutions and related support services.

"Web site" refers to the http://www.f-secure.com web site or any other web site that F-Secure hosts or controls, including their sub-sites and content.

Legal basis for processing your personal data

By using our services, you are our client. Based on applicable laws, we have the right to process your personal data when you become our client.

We have the right to collect and process your personal data when you communicate with us or our business partners relating to our services, install and use our services, fill out a form or survey, register to use our services, submit information through our web solutions, enter a contest or sweepstakes, register your e-mail address with us, or send us e-mail.

We need to automatically collect and process relevant personal data for our services to work, to enhance them and for you to benefit from the services. As such processing is inseparable from the services we provide to you, we have a valid need and legal authorization to do so.

In some cases, we separately ask for your consent for the processing.

If you visit our web sites when subscribing to or using our services, we may also collect personal data through our web site as stated in the separate Web site privacy policy.

What do we collect?

This section describes the different types of personal data that we collect.

Personal data

We may ask you to provide personal data that is necessary for subscribing to our services.

Such personal data includes your contact and billing information, name and e-mail address, mailing address, telephone number, country, city, language and age, and in some cases your age, gender or the name of your employer. We may also ask you to choose a password or give you a unique identifier that you can use to access and manage our services.

The majority of personal data we process is automatically collected by our services.

Typical information collected by our services includes the number of purchased licenses, devices covered by your license, purchase and payment history, the distribution partner used, your communication with our support services, device identification data, data on the technical environment (for example, operating system) of your device, and service usage data (for example, activation status, time of latest login).

If you have subscribed to our mobile products, we also collect the IMEI and IMSI codes of your mobile device automatically.

For location-based services we also process the location data of your device or that of your web traffic to enable the respective service features.

When using our content management services to manage your data and files, the content may be uploaded to and transmitted through our services and servers. In so doing, we will a) process whatever content you manage through that service, b) automatically collect related metadata, such as data on the date, time and IP address of your latest login to the service, file names, file geographic location, device serial numbers, connection identifiers and relations and files shared between customer accounts and other substantially similar data.

When using our social media services, we collect basic information on you as collected by the social media platform. Such information includes your e-mail address, hobbies and interests, date of birth, education history, groups that you belong to, hometown location, relationship information, subscribers and subscriptions, work history, personal web site URL, and other substantially similar information provided in the social media platform. The Service further needs to collect information about the activities of you and your friends' or contacts in the social media platform; such as user IDs associated with your account, the user IDs of your friends' accounts in your friends list, wall posts and news feed stories, the number and type of shared links and the links themselves, list of attended and planned events, notes, photos and video, status updates, contacts' descriptions, contacts' birthdays, contacts' education history, hometowns of friends of your contacts, contacts' work history and other substantially similar information provided in the social media platform.

To provide support services, we may need to collect and process relevant malware infection and e-mail identification data in a format that we can connect to you, where you have provided such data to us. Where it is relevant for resolving your support cases, we may also need to access partial logs of file activities and other such data that has been previously collected on your service usage and behavior.

Sources of personal data

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators) and corporate entities from whom you have purchased the services. We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Such other sources may further include subcontractors who have provided you with support services, or advertising partners who have assisted us in conducting our marketing activities.

If you use your social media account to register to our services, we may also collect relevant data (such as e-mail) from your account to enable us to authenticate your registration and to contact you.

Technical and security data

In addition to data we collect in identifiable format, our services also process technical metadata and security-related technical data from your device and activities. This is necessary to allow our services to perform their intended purpose.

The 'technical data' and 'security data' typically include:

  • the size, number and type (for example, a digital photo or a text document) of files
  • http header information
  • dates of file creation, modification and deletion
  • automatic keywords based on file contents
  • comments and annotations
  • device screen resolution
  • statistical and analysis data on possible malware activities
  • data on software applications and technical user environment
  • other substantially similar data

 

In addition to the data outlined here, our Real-time Protection Network needs to collect other security data. This is described in a dedicated privacy statement.

Analysis data

To provide you with better services, we also collect information on how you use our services. This kind of data can include the Internet browser that you use, elements clicked, timestamps, location, device identifier and relations between devices / users / user groups, product operation time, device metrics and operation system, IP address (whole or partial), product errors, problematic files and product performance data, how you interact with our service, the domain name from which you connect to the service and the service features that you use.

What do we do with it?

This section describes how we use the personal data that we collect.

The personal data that we collect is used to:

  • identify authorized users and check customer qualifications, process and track transactions such as issuing invoices, administering accounts, shipping, collecting and processing payments, and manage licenses;
  • provide help and support for our services;
  • provide, maintain, develop and enhance our services;
  • track the services that you have bought and used so that we can manage your customer relationship and communicate with you;
  • manage and improve the functionality of our services and web site;
  • send you information about the services, for example to inform you of new versions and features, and related services via direct messaging or other means of communication;
  • arrange competitions and conduct customer satisfaction surveys;
  • advertise and market our other services to you;
  • prevent fraudulent activities;
  • comply with any applicable legal or regulatory requirements or provisions;
  • remove or stop sharing of illegal or infringing material.

 

To help you evaluate the implications of such processing, some use scenarios are explained below in more detail.

Buying services from the F-Secure e-store

When you register to or buy our services from our e-store, we need to process your personal data and associated payment and billing information for conducting the purchase and keeping your account up to date. Most of these scenarios apply to personal data you submit by these means.

Depending on where you are located, the F-Secure e-store may also be operated by an external e-store provider or by one of our distribution partners as a whole or in part. Part of the purchase transaction may occur on third-party web sites, as indicated in the e-store. The entity with whom you are dealing with is indicated in our e-store web pages. In such cases, the personal data that you provide in connection with the purchase is also processed according to the terms and privacy policies of the external e-store provider or distribution partner and subject to applicable laws.

We do not store the payment card information that you submit in any of our F-Secure e-stores. This information is sent to either the selected payment provider or distribution partner, and is processed according to the privacy policies of that payment provider or distribution partner.

Location

In regards to those of our services which provide information on the location of your device or where your web traffic is directed, we will only process the location data in identifiable format to provide it for the purpose that you have requested via the services. The location data is processed for your use only for a limited amount of time, after which we will either delete it or make it anonymous.

Metadata of the files in your content may also consist of location data (for example, photographs). In such cases, the location data is processed as any other file metadata, as described below.

When you use and participate in our event application, your physical presence in the event location can be deduced from your participation in the event. This information may be visible to us, the event organizer or other users.

In some cases, where the data or a visible part of the service is provided by a third party (for example, your location is provided through the use of a third-party map service or you are provided with third-party search engine services), the provider of the location data utilizes such data based on its own terms, privacy statements and laws applicable to it. On the publication date of this policy, F-Secure is using Google maps in our content services, anti-theft and safe search features. Google privacy policies shall apply accordingly to your use of the features.

Content

Some of our services allow you to back up or manage your data and files. We consider the content that you back up or manage through our services to be your private data. We do not seek to usurp your rights to your content nor do we grant any licenses to third parties to it.

To ensure the best protection for your privacy, we seek to process i) your account information, ii) your actual content and iii) metadata and security data separately from each other as much as feasibly possible.

We also restrict our visibility to the actual contents of the files as much as possible. We do not seek or want to see the contents of your files. However, we need to process metadata and security data related to your content so that we can provide you with our services. In so doing, we also link some aggregate metadata to your account.

We access your specific file contents only where there is a clear need to do so. The most common such need is that you raise a support case relating to your content. In such cases, we enforce a process where only high-level support and hosting technicians can access your content when the case is escalated from the normal support level. We may also need to access your specific content when you use our services to distribute content which may violate our terms of use. In such case, our personnel's access to the content in question is provided on a need-to-know basis.

Naturally, you yourself may make your content available to a larger audience through the service options.

We process the necessary metadata from your content to enable our service to manage it for you and may also scan your content for any malicious software. The privacy aspects of these activities are included in the section regarding technical data and security data.

Social media applications

We will use the collected data to provide you with a measurement how secure / private social media profile you have, a list of vulnerabilities and the possible effects of said vulnerabilities and information on fixing the same.

To do this we need to analyze the data collected and may need to store your information for a limited time to the extent it is necessary for this purpose.

Technical data and security data

Technical data. As some of our services help you secure, back up and share the content on your devices, it is necessary for us to process the related technical data / metadata. For example, when you are storing, sharing or synchronizing your files as part of our services, we need to categorize the files to handle their storage, transfer, listing, playing, sharing and retrieval. We also need to collect metadata on files to enable copying and synchronizing them across various devices and to enhance their presentation. We limit our visibility to such metadata on the principles that we monitor only aggregate metadata (such as total size of your content) and process file-based metadata only automatically for the above purposes.

Security data. Security data is collected both to provide you with our security services you have explicitly subscribed to and also to enhance the security of our other services, we need to collect security data on unknown files, suspicious device behavior, or visited URLs. Some service features require this data to function.

By default, the security data that we collect from your device is not connected to you in an identifiable manner. Much of the security data that we collect is made irrevocably anonymous. In some cases, we may need to process some of the collected metadata or security data in a personally identifiable manner. We will do so only with your express consent or when we are unable to deliver our relevant services otherwise, for example, when solving a support case you have submitted. Security data is not used for personalized marketing purposes.

For use of security data collected as part of Real-time Protection Network, please see its dedicated privacy statement.

F-Secure may further disclose or transfer any of the security data to its affiliates, subcontractors, distributors and partners while maintaining the anonymity of the disclosed or transferred security data.

Marketing activities

We may market, sell, extend promotions, and send you special offers and other marketing communications based on the contact information you submit to us and as legally permitted.

These communications relate to our services and to services of our distribution partners. We will only send you such information where we have your consent to do so (e.g. you have indicated that you wish to receive our newsletters in our e-store or when participating in a competition). In addition to your explicit consent, the applicable laws allow us to send you such communications as you are our client, unless you have asked not to receive such communications. We may use our subcontractors and partners to undertake marketing activities on our behalf.

We will closely adhere to applicable laws when sending you information and you can request to be removed from our marketing communications at any time. Each of our direct marketing communications allows for this.

Do note that some of our services may display or create marketing advertisements as part of their operation. Such displays are not consent-based.

Analysis data

We may track the use of our services, web sites and advertising to improve your customer experience and to enhance our services.

When collecting data for this purpose, we are interested in learning our clients' behavior in aggregate, not in identifying individual clients. Such user behavior analysis is based on aggregate statistics and/or with the help of third-party providers, which help us create user profiles based on pseudonyms, and/or with other arrangements to avoid identifying you. We use pseudonyms or combine data from multiple individuals to create statistics, to build demographics, or to provide customer segmentation.

Your identity will only be known to us in this context if you submit your contact information in relation to your feedback to us (for example when submitting user feedback).

We use such data internally for the sole purpose of enhancing our services, with only the following exceptions:

  • Our subcontractors that provide us with analysis services may also create and publish aggregate reports on the data collected. The statistics and aggregate reports do not contain any data that could be linked to any individual person.
  • If you have a customer relationship with our operator partner who have provided you our services, the operator partner may be granted limited access to the relevant data.

 

Transfer of personal data

To whom we transfer personal data

We may disclose your personal data to subcontractors and F-Secure group companies who provide services or parts thereof that you have licensed.

Only the necessary personal data is shared with these companies, and it is always transferred electronically.

Where our clients' personal data needs to be disclosed to our subcontractors (for example, to solve a support case or to send it to logistic partners for product delivery), we require, in our contracts with them, that they use such information solely for providing services to F-Secure, and under the strict instructions of F-Secure, and in so doing, to act in a manner consistent with this privacy policy, your agreements with us and the mandatory laws applicable to F-Secure.

Some of our affiliates, subcontractors, distributors and partners are located outside the EEA to ensure the global availability of our services. When we transfer personal data outside EEA, we secure the personal data according to the requirements of the law. We will do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and F-Secure group companies, for example by using data transfer clauses that are approved by European Union.

We disclose your personal data to our distribution partners (such as operators), who have sold, tendered, or distributed our services. We provide these companies access to such personal data that they need to provide their agreed activities. Such activities typically consist of customer management, direct marketing and invoicing. Our distribution partners must also comply with the agreements and legislation when handling your personal data.

We may also disclose your personal data to ensure the availability of the services or the web site according to our rights under the appropriate agreements, license terms or applicable legislation. We may also do this to protect ourselves against liability or prevent fraudulent activity, or where it is necessary to solve or contain an ongoing problem. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of F-Secure, where the information is provided to the new controlling entity in the regular course of business.

We may also disclose your personal data to our insurers and to governmental regulatory agencies if so required by applicable laws.

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated to disclose information without acquiring your consent. This includes complying a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information, or to comply with the court rules.

To whom we do not transfer personal data

Except for the above, we will not sell, rent, or lease your personal data to any third parties.

We do not, for example, sell your name, e-mail addresses, or personal demographic to mass marketers.

We also take measures to lessen the likelihood of your content becoming subject to access claims from third-party nations' intelligence agencies. For example, our European customers' content is stored in Europe.

Retention period

We retain your personal data in our databases in line with our data retention policies and applicable laws.

We may retain your personal data beyond the end of your client relationship with us, but only as long as necessary. Typical reasons why we would retain personal data identifiable to you beyond our customer relationship include:

 

  • to retain information on your purchase and payment of our services
  • to prevent fraudulent activity
  • to allow us to pursue available remedies or to limit any damages that we may sustain
  • to solve or contain an ongoing problem
  • to have enough information to respond to future issues
  • to uphold agreements between you and us
  • to comply with the law

 

Technical data and security data that do not contain personal data are retained as long as such data is needed and is useful for the purpose it was collected.

Data security

We apply strict security measures to protect the confidentiality and integrity of your personal data when transferring, storing or processing it.

We use physical, administrative and technical security measures to reduce the risk of loss, misuse or unauthorized access, disclosure or modification of your personal data.

We store your personal data on secure servers that are located either at our offices, at the offices of our subcontractors, or at fully classed data centers. Only authorized personnel can access the information on these servers. Where our clients' personal data needs to be disclosed to our subcontractors, we require them to process and protect personal data in a manner consistent with this privacy policy and applicable laws. If you contact us through our web site or via e-mail, be aware that any information that is sent via the Internet might not be secure.

Accessing and modifying your personal data

We seek to keep your personal data accurate, complete and up to date.

You should update any changes to your personal data, for example, change of address or e-mail address. Some of our services portals allow you to update your current data. If you cannot update the changes yourself, you may inform us of the necessary changes.

You can contact us for more details about how your personal data is processed or to cancel your consent. Our contact information is included in this policy. You can unsubscribe from receiving marketing messages by following the instructions that are included in each message.

You have the right to ask us what personal data we have on you.

Third-party services

Our service may embed or interoperate with third-party services. In such cases, and where the third-party service is a visible part of the service's user experience, such services' respective data collection and privacy practices apply in lieu of this policy.

Changes to policy

To keep this privacy policy current and up to date, we will make changes to this policy from time to time, as necessary.

We will publish the changed privacy policy on our web site. If the changes are significant, we may also notify you by other means, such as posting a notice on our home page or sending an e-mail. Any changes will apply starting from the date that we publish the revised privacy policy on our web site.

Contact information

Contact information for matters related to Personal Data.

If you have any questions or concerns about the matters discussed in this privacy policy, please contact:

F-Secure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

http://www.f-secure.com/en/web/home_global/support/contact