March 2019
When the F‑Secure Support tool is run, it gathers information about your computer system and configuration, as well as the logs created by our services. The information is used for troubleshooting and solving problems in our services.
In most cases, you may review and edit the information before you send the archive file to customer support.
This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.
Information collected from F‑Secure service logs
The information includes F‑Secure service logs. This information contains detailed information of the service activity, for example downloading and installing updates, communication between the service components, engaging a feature, and security events. The information may contain service crash dumps, file paths, banking web sites, and blocked web pages.
Information collected from the operating systems logs
The information contains the current configuration of your operating system, for example the network configuration, installed applications, operating system services (e.g. OS update services) and running processes and applications (e.g. internet browser), mapped drives and device and user names, system crash dumps and logs. The submitted information also includes a snapshot of the system event history.
Purposes
Service log information is collected to establish whether our service has operated as intended, including resolving potential incorrectly categorized issues. Operating system information is collected for the purpose of troubleshooting problems in cases where our own service logs provide insufficient information. The archive file is also used as a data source to support our development activities, so that we can prevent the re-occurrence of the issue on your device or on those of other customers.
The interaction and service-specific privacy policies and notices set out the specific purposes for using the personal data collected by each service or processed in such activity.
In addition to such specific purposes, the following general purposes of personal data use apply across all of our services:
Adjustments
If you have been asked (by F‑Secure Customer Care or by our partners or your company IT administrator) to change the logging level to “full” prior to (re)running this tool to record information from an F‑Secure service, the following scan performed by this tool includes additional data compared to the above. The type of collected additional data varies according to the target of the debugging activity. Our Customer Care can advise you on what kind of data would be likely collected for the issue at hand. We typically need to do this when we do not have enough data to diagnose the problems on your device.
If you are manually running the support tool yourself — i.e. the tool is not activated remotely — the information collected by the tool is saved as an archive file to your desktop or computer. In such cases, you can extract the files and edit the information before recompressing and sending it to us.
Our legal grounds for the processing of personal data varies depending on whether you are running this tool as a consumer or as a corporate customer. In each case, the collection of the above data is necessary for us to be able to effectively provide you / your employer with our support services. Absent of this data, it will be more difficult to help you in solving the incident with our services.
If you are a consumer, the data is collected so that we can deliver the service that you have made a contract for (i.e. so we can help you to solve the technical problem with your use of F‑Secure services). Such contracts may have been made either directly with us or with another entity (such as our webstore or operator partner) that has tendered our services to you.
If you are a corporate customer or employee of our corporate customers, we have a legitimate interest to use the collected / submitted data to solve the problems that have given rise to support cases and also to store the data for the time that is necessary to prevent the incident from re-occurring in our services. Regardless of our justification, you retain control over whether to send / allow sending of the information package to F‑Secure.
The archive file may be handled by F‑Secure Corporation, our affiliated companies, relevant subcontractors, and our support partners, but only for the purposes set out in this policy. Where the service has been provided to you via our corporate reseller or operator partner, your support contact is likely via these entities. These entities will typically forward the archive file to F‑Secure for analysis and in-depth problem resolution activities. In some cases, the archive file may also be handled by such reseller if they have the capability to perform the problem resolution activities independently from F‑Secure.
We exchange (both disclose and receive) some of your personal data with our distribution partners (operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.
Our distribution partners are likely to have a pre-existing customer relationship with you. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.
We may transfer or disclose some of your personal data to F‑Secure group companies and our subcontractors who help us create the services.
Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.
F‑Secure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and partners are located in multiple countries, including outside the European Economic Area to ensure the global reach and availability of our services. Depending on the scope of your interactions with F‑Secure, your personal information may be stored in or accessed from multiple countries. The locations of F‑Secure affiliates can be viewed from F‑Secure’s public web pages.
When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and F‑Secure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.
We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.
We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.
There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.
One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information.
Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.
We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of F‑Secure, where the information is provided to the new controlling entity in the regular course of business. F‑Secure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.
We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.
While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.
We do this to create a seamless customer experience and to have the necessary information for solving support cases.
Typical examples of third-party sources are:
Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within F‑Secure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance to their policies as well as for fulfilling your rights under data protection laws.
The most prevalent such scenarios are the following:
The file is stored by F‑Secure as long as necessary for ascertaining that the encountered issues will be fixed and will remain fixed in future service releases and for a maximum of two years from closing the support case.
While the archive file is under F‑Secure care, we respect the possibly private and confidential nature of the information in the archive file and do not use it or share it except as necessary for the above purposes.
This text complements the service-specific retention times. The default rule under the law is that personal data should be deleted or anonymized once it is no longer needed for its purpose.
However, some personal data needs to be nonetheless stored for longer periods of varying lengths due to varying reasons.
Typical reasons why we deviate from the primary retention times include the following examples:
The final removal of your account may be delayed to avoid disturbing the other interactions you have with us. This is the case when you have an F‑Secure account (e.g. you have subscribed to our consumer services with your email address) and also i) have an F‑Secure Community account or ii) you continue to subscribe to our marketing messages. The F‑Secure Community account deletion policy is set out in its terms of service. You can opt out from our marketing messages at any time.
If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, F‑Secure subsequently removes the account. This removal leads to the deletion or anonymization of any personal data related to the account.
If we have received your information when providing you with technical support, the information is stored as long as the respective support case remains unsolved. Once solved, the information is gradually deleted or anonymized within two years from closing the case.
Analytics data collected with the user’s consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. After termination of the account, analytics data cannot be linked to any personally identifiable user.
Data that does not contain personal data (e.g. aggregate analytical data) is retained as long as such data continues to be useful for the purpose it was collected.
Information on the security practices that we employ to keep your data secure.
We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.
We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
All personal data is stored on secure servers operated by F‑Secure or our partners with access limited to authorized personnel only.
Information on your statutory rights and how to contact us.
You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:
You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.
Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.
If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (tietosuoja.fi).
If you have any questions or concerns about the matters discussed in our privacy policies, please contact:
F‑Secure Corporation
Tammasaarenkatu 7
00180 Helsinki
Finland
How to contact us:
Information on definitions and change management.
This is what we mean when we make certain references within this policy.
“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.
“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.
“Services” refer to any services or products that are manufactured or distributed by F‑Secure, including software, web solutions, tools, and related support services.
“Website” refers to the f-secure.com website or any other website that F‑Secure hosts or controls, including subsites and browser-based service portals.
This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.
We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.