F-Secure Riddler is a service for searching and discovering the web's topology. To achieve this:
This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.
We provide you the option of registering for a user account. When registering, we ask you for your email address, password, first name, and last name. We also store the last IP address that you have logged in from. You may also provide us with your organization's name and website. We use this information to authenticate and manage your use of the service and to provide help and support to you. We may also use this information to send you news and offers, but only if you have opted to give us permission to do so.
This data can be updated or amended at any time by the logged-in user via the service.
While using the service, should you search for host names or IP addresses that the service has never encountered before, those host names or IP addresses may be added to our web crawler's queue for later crawling.
To help us improve the service, we generate statistics about the usage of the service by storing some data about all searches performed through the service. Specifically, we store the search query, the time and date of the search, and the IP address from which the search was performed. This data is not used for linking searches to personally identifiable individuals.
Since the service is intended to enable search and discovery of the web's topology, we also store data about websites and the servers hosting them. We collect this data by crawling publicly available websites. We only store technical data about the web's topology. We do not store the contents of any websites and we do not collect or store any data from the web about people, only about infrastructure.
We process your data so that we can provide you with this service in accordance to its terms, which you have contractually agreed to. Tendering of services may take the form of a purchase or be free of charge.
F-Secure needs to identify its portal users and monitor such users' portal usage as set out above to make sure that only authorized users are able to utilize the service and that services are only used for their lawful purposes. To this effect, you are responsible for providing accurate and truthful access credentials to be able to use the service.
The data collected by the service in the form of "search results" is processed so that we can continue improving the service for your and other customers' benefit. The search results themselves do not, by default, contain personally identifiable data.
F-Secure employs affiliates and subcontractors for delivering the service.
We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc,), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.
Our distribution partners are likely to have a pre-existing customer relationship with you or – in the case of our corporate services – with your employer. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners and corporate customers must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.
We may transfer or disclose some of your personal data to F-Secure group companies and our subcontractors who help us create the services.
Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.
F-Secure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services.
When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and F-Secure group companies, for example by using data transfer clauses that are approved by the European Union – the fixed content of such clauses is available here.
In some cases, we may also accept other mechanisms to justify transfer outside the EEA. Such other justifications include providing data to entities who have registered under the United States’ Privacy Shield program or providing data to entities processing such data in countries with an adequate level of privacy legislation that safeguards the data subject’s rights.
We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.
We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.
One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.
Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.
We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of F-Secure, where the information is provided to the new controlling entity in the regular course of business. F-Secure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.
We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.
While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.
We do this to create a seamless customer experience and to have the necessary information for solving support cases.
Typical examples of third-party sources are:
Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within F-Secure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.
The most prevalent such scenarios are the following:
All data associated with a user account is stored for the duration of the user account's existence and is deleted when the account is deleted. In addition to the above; the user search results remain stored in an identifiable format for one year from the date of the search and are thereafter deleted automatically.
This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.
However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.
Typical reasons why we deviate from the primary retention times include the following examples:
The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an F-Secure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an F-Secure Community account or ii) you continue to subscribe to our marketing messages. The F-Secure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.
If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, F-Secure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.
If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.
Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.
Data that does not contain personal data (e.g. security data and aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.
The service collects analytical data on service and website use (such as which features are used and how often). We do not seek to identify you personally from the analytics data. We are interested in the needs and behavior of our users as a part of the group, not in the names of those users.
This section outlines our general practices for the collection and processing of data for analytics purposes.
When speaking about F-Secure data analytics, it comprises both reused service data, reused security data, and the data that is collected for analytics purposes to begin with.
We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.
What we collect. The data that we process for the purposes of data analytics include things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.
On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.
Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards F-Secure, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.
If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.
If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings, or to use our privacy product.
Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a "legitimate interest". The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.
Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as "Android marketing identifier" and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.
Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.
We do not sacrifice your privacy. Where we differ from most companies doing this is in that we understand how the ecosystem works and go through great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.
When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to which a specific data set refers to. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results – not the full data – of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.
We also limit such added analytics only to the surface of our services and keep them at arm’s length from the core privacy areas of our services. For example, we do not have any external analytics in our security cloud or in the traffic inside our VPN service.
Information on the security practices that we employ to keep your data secure.
We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.
We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
All personal data is stored on secure servers operated by F-Secure or our partners with access limited to authorized personnel only.
Information on your statutory rights and how to contact us.
You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:
You can exercise your rights via our customer care function. The links to contact us are in the "Contact information" section.
Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.
If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).
If you have any questions or concerns about the matters discussed in our privacy policies, please contact:
How to contact us:
Information on definitions and change management.
This is what we mean when we make certain references within this policy.
"Client", "you", refers to a private or corporate user or any other data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, and who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.
"Personal data" refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.
"Services" refer to any services or products that are manufactured or distributed by F-Secure, including software, web solutions, tools, and related support services.
"Website" refers to the www.f-secure.com website or any other website that F-Secure hosts or controls, including subsites and browser-based service portals.
This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.
We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.