F-Secure Privacy Statement

In brief

  • Our core interest is keeping our customers safe with our services.
  • To do that, we need to process data on you and on your devices.
  • We have a culture of respecting your privacy.

Our guiding privacy principles are here.

Structure

This privacy policy is given by F-Secure Corporation, a Finnish publicly listed corporation with Business ID 0705579-2 ("F-Secure", "we", "our", "us"). All our subsidiaries also apply this policy.

Our data collection can be grouped as follows:

  • Client relationship data; the data that we need to manage our relationship with our clients and to market and sell our services to you or to the legal entity that you represent.
  • Service data; the data that we automatically process to provide you with the services that you have requested. This also includes the data that you actively submit to us when subscribing to our services. This is explained in this policy.
  • Security data; anonymous data that we need to collect to keep you secure. Such data is processed separately from any other data in accordance to our Security Cloud privacy policy.
  • Analytics data; additional anonymous or pseudonymous data that we collect to learn when and how our services are found and used. This is explained here.

This privacy statement describes how we process our customers' personal data. It also complements service-specific privacy statements as well as our license terms and other, shorter notices on case-specific data collection (e.g. support tools). Depending on what F-Secure services you use and how much you interact with us, some sections of this policy may not apply to you or may apply to you only in part. If there is no specific policy for a service or interaction, this main privacy statement shall apply.

Definitions

This is what we mean when we make certain references within this policy.

"Client", "you", refers to a private or corporate user or any other data subjects who buy, register for use, or use our services and who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

"Personal data" refers to any information on private individuals and their personal characteristics or circumstances, which are identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

"Services" refer to any services or products that are manufactured or distributed by F-Secure, including software, web solutions, tools, and related support services.

"Website" refers to the http://www.f-secure.com website or any other website that F-Secure hosts or controls, including sub-sites and browser-based service portals.

What do we collect?

We typically need to ask at least for your email address, phone number, and name to be able to provide our services. The individual services also collect additional data directly both on our service and from your device and related data traffic. In cases of such automated collection, the focus of data collection is on our services, not on your private data.

The service and interaction-specific policies explain in more detail the personal data collected per service type.

What do we do with it?

The adjoining interaction and service-specific privacy policies and interaction-specific notices set out the specific purposes for using the personal data collected by each service or processed in such activity. In addition to the specific, detailed purposes set out therein, the following additional purposes for collecting personal data apply to any of our services:

  • Customer journey. To identify authorized users and check customer qualifications, process and track transactions such as administering accounts, shipping, invoicing, and managing licenses;
  • Deliver, fix, and enhance. To deliver our services to you, maintain and develop our services and websites, and to provide help and support for the services;
  • Analyze. To track how our services are acquired and used so that we can improve the services, manage your customer relationship, and approach you with relevant messages;
  • Communicate. To send you information relating to the services, conduct customer surveys, arrange competitions, advertise and market our services to you;
  • Regulatory. To prevent fraudulent activities, remove or stop sharing of illegal or infringing material, and comply with legal or regulatory requirements.

Legal grounds for data processing

Client relationship data

By using our services, you are our client. Such data processing may occur when you communicate with us or our business partners relating to our services, install and use our services, fill out a form or survey, register to use our services, submit information through our web solutions, enter a contest or sweepstakes, register your email address with us, or send us email. The exact legal grounds on which our personal data processing relies are established in service-specific privacy policies.

We consider you a client of F-Secure, not a client of the individual service. Hence, data collected by different services (e.g. SAFE) and interactions (e.g. contacting support) are combined to your F-Secure account. However, we do not aggregate data against our specific privacy promises (for example, we maintain a hands-off approach to your traffic inside our VPN service).

Service data and security data

We need to automatically collect and process relevant data for our services to work, to enhance them, and to provide them to you. Due to the nature of our services, it is impossible to completely avoid data collection without preventing the services from functioning. As such processing is inseparable from the services we provide to you, this gives us a valid need to process your data and legal authorization to do so. However, we seek to give you as much control as possible. For example, we may provide the possibility to opt out from non-critical data collection.

Because of this, we have a right to process relevant personal data. This right typically takes place in the form of "contract performance", "legitimate interest", or "consent". In some cases, there is also a "legal obligation" to process data for specified purposes. The exact legal grounds on which our personal data processing relies are established in service-specific privacy policies.

Analytics data

Where our services collect data that is only needed to have more insight on how people use the services or how to serve you better, but is not necessary for providing our services, we do so only with your separate consent. You also have the right to withdraw your consent later, should you wish to do so. The purposes we aim to achieve are outlined in the "Analytics" section of this statement.

Transfers

We do much ourselves, but also have partners to help us provide our services. This also means that we need to exchange data with our partners. When doing so, we take great care in sharing only the necessary personal data.

We have explained below the two main instances of such personal data exchanges.

1) Subcontracting

We may disclose some of your personal data to subcontractors and F-Secure group companies who provide parts of our services that you use.

Where our clients' personal data needs to be disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistic partners for product delivery, or to send marketing mails on our behalf). We require such subcontractors to act in a manner consistent with this privacy policy and applicable laws. Whenever possible, we anonymize the data sent.

2) Sales and marketing

We exchange (both disclose and receive) some of your personal data with our distribution partners (resellers of corporate IT services, operators, webstores, etc,), who market, sell and distribute our services. We provide these companies access to such personal data that they need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support and problem resolution, direct marketing, and invoicing. Our distribution partners must also comply with the agreements and legislation when handling your personal data.

Most of our distribution partners may have a pre-existing customer relationship with you and are processing your personal data as an independent entity. In such cases, both F-Secure and the distribution partner have separate customer data entries on your customer relationship that are subject to our respective policies.

International transfers

Some of our affiliates, subcontractors, distributors, and partners are located outside the European Economic Area to ensure the global reach and availability of our services. When we transfer personal data outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and F-Secure group companies, for example by using data transfer clauses that are approved by the European Union. We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk.

More importantly, we store more sensitive customer data within Finland and the European Economic Area and keep it under our own control.

Other disclosures

There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.

One example includes complying with a court order or a warrant issued by the authorities in the relevant jurisdiction to compel the production of information. We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.

Disclosing your personal data may also be justified to protect ourselves against liability or to prevent fraudulent activity, or where it is necessary to solve or contain an ongoing problem. In any such action, we will act according to the applicable laws.

We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of F-Secure, where the information is provided to the new controlling entity in the regular course of business.

We may also disclose your personal data to our insurers and to governmental regulatory agencies if so required by applicable laws.

Retention

The default rule under the law is that personal data should be deleted or anonymized once we no longer need it for the purpose it was collected. Thus, we retain your personal data as set out in service-specific privacy policies and notices. However, some data may need to be stored for longer periods of varying lengths due to varying reasons. Here are the typical reasons for storing the data longer than stated elsewhere:

  • to communicate with you (e.g. keeping your personal data stored for the grace period after the end of your subscription or sending you communications after your customership if you have elected to receive them)
  • applicable laws require us to store the data (e.g. to keep track of your purchase and the payment of our services)
  • to pursue available remedies or to limit any damages that we may sustain (e.g. due to an ongoing dispute or investigation)
  • to solve or contain a recurring problem or to have enough information to respond to future issues (e.g. your support ticket related to a problem that was not permanently corrected during your customership)
  • to uphold agreements between you and us (e.g. you continue to subscribe to our other services)
  • to prevent fraudulent activity (e.g. to enforce a ban on our community).

Data that does not contain personal data (e.g. security data and aggregate analytical data) is retained as long as such data is needed and is useful for the purpose it was collected.

Analytics data collected with the user's consent is retained for statistical purposes and is not deleted on removal of personal data and the user account. Analytics data is pseudonymized so that it cannot be linked to any personally identifiable user or account after termination of the account.

If you have purchased our service via one of our operator partners, account deletion is controlled by said operator partner. Upon the partner notifying us that your subscription has been terminated, F-Secure subsequently removes the account and deletes or anonymizes the personal data related to the account.

Data security

We apply strict security measures to protect the confidentiality and integrity of your personal data when transferring, storing or processing it.

We use physical, administrative and technical security measures to reduce the risk of loss, misuse or unauthorized access, disclosure or modification of your personal data.

We store your personal data on secure servers that are located either at our offices, at the offices of our subcontractors, or at fully classed data centers. Only authorized personnel can access the information on these servers. Where our clients' personal data needs to be disclosed to our subcontractors, we require them to process and protect personal data in a manner consistent with this privacy policy and applicable laws. If you contact us through our web site or via e-mail, be aware that any information that is sent via the Internet might not be secure.

Your rights

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example, change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of you on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided – pursuant to a contract or your consent. You may request the data in a structured, commonly used and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable product analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communication via the preference center accessible from the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request us to cease any further processing of your personal data, and merely keep it in store, until the issue is resolved.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time.

If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Third parties

Our services and websites may embed or interoperate with third-party services.

The most prevalent such scenarios are the following:

  • Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under F-Secure policies, our webstore providers' policies apply to the actual purchase and related activities.
  • Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, F-Secure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.
  • External features. Where the third-party service is a visible, separately branded part of your user experience, such third-party services' privacy policies apply in lieu of this policy.

Sources

While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support services, or advertising partners who have assisted us in conducting our marketing activities.

We do this to create a seamless customer experience and to have the necessary information for solving support cases.

Typical examples of this kind of "third-party collection" are:

  • collection of your data from registration information that you have submitted to our external webstore,
  • we acquire your contact data from previous sign-in data from our operator reseller partner providing our service to you, and
  • when you use your social media account to register to our services, we collect the e-mail address from your account to enable us to authenticate your registration and to contact you.

Analytics

In brief

  • To provide services that our customers need, we analyze how our services are used.
  • We look at trends among our users, not at individual users.
  • We do this on our web site and in our products.
  • You can choose whether you want to participate.

In full

Why we do this. We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and customer segments in aggregate. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.

What we collect. Data analytics running in our services include things like the Internet browser that you use, elements clicked, timestamps, general location, device identifier and relations between devices / users / user groups, service operation time, device metrics (such as phone model and operation system, language), partial IP address, service errors, problematic files and service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service and the service features that you use, effectiveness of our commercials, installation success, installation and activation paths, performance, operation environment, connections, data routing, quota, as well as other similar data.

Data analytics running on our web sites are described in a dedicated policy.

How we treat such data. We are interested in the needs and behavior of our customers as part of a group, not in the names of those customers. When analyzing data inside F-Secure, we transfer the collected analytics data to statistics, demographics, and customer segments. We treat the collected analytics data as anonymous and have safeguards to prevent the identification of individual customers.

We keep the full data set safe. We use the full set of collected data only internally and do not give it to others.

Some data is exchanged. Because of the technical environment (that is, the Internet, the app store ecosystem, and social media), we are not able to do all of the data analytics collection and activities ourselves. We have to exchange some pseudonymous data (such as "Android marketing identifier" and other like identifiers) with our online analytics and marketing partners. Data on your actions may be shared in the following scenarios, for example:

  • We use data aggregators to enable you to access our product through other applications and to track the immediately following actions. In such cases, the data created from such activity is shared to the relevant parties.
  • Our subcontractors that provide us with analytics services may also create and publish aggregate reports on the data that they have collected. The statistics and aggregate reports do not contain any data that could be linked to any individual person.

This is a necessary evil in almost all digital analytics and marketing activities. The only way this may be visible to you is in the types of ads you see when browsing or using our applications, but it has no impact on the amount of ads you see in your online life.

We do not sacrifice your privacy. Where we differ from most companies doing this is in that we understand how the ecosystem works and go through great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.

We also limit such added analytics only to the surface of our services and keep them at arm's length from the core privacy areas of our services. For example, we do not have any external analytics in our security cloud or in the traffic inside our VPN service.

Marketing

In brief

  • We aim to keep our marketing relevant.
  • The marketing permission links the aggregated results of data analytics to your account.
  • You can adjust your marketing choices in your subscription portal.

In full

Our marketing activities

We hope to send you relevant news, advice, offers, and other marketing communications. These help you get more our of our services and to protect your online life.

Firstly; with your consent, we send you direct marketing communications to your email or similar contact information that we have for you (e.g. you have indicated that you wish to receive our newsletters when subscribing to our service or when participating in a competition).

Secondly; in addition to direct marketing communications, we may also send you communications related to services, unless you have asked not to receive such communications.

Thirdly; we do marketing on the Internet, through third-party apps, and through other channels.

We seek to make our marketing communications relevant to you. Where allowed by your service and browser settings, we profile you based on your interaction with our services, web sites and the data collected via our online and in-app marketing activities. In so doing, we aggregate data, use pseudonyms and take other measures to keep our marketing analytics non-intrusive.

When you give permission for direct marketing, we connect the results of data analysis to you, so we can better serve you. You can request to be removed from our marketing communications at any time.

We may use our subcontractors and partners to undertake marketing activities on our behalf. Our marketing communications relate primarily to our services. In some cases, they may also relate to services of our distribution partners that relate to our services. However, our business models do not rely on selling your personal data to third-party mass marketers. For us, you are not a product. For us, you are a customer.

Your choices with analytics and marketing

We have sought to create a mutually beneficial solution by pairing your level of engagement with us and how accurate our analytical data is on your account.

By default, the analytics data you contribute to us is treated as anonymous. However, if we have your permission to send you "tips and offers" on how to better use our services, we will connect some of the information derived from the analytics data to you in order to give you more relevant tips and offers.

If you opt out from receiving our "tips and offers", then any analytics data you submit is only used for building better products, but the link between analytics data and your customer account is severed.

You can choose on a service-per-service basis whether you want to contribute to our analytics activities. The choice of whether you wish to have "tips and offers" from us and have derivative information from the analytics data connected to you is common for all services that you have under the same F-Secure user account. You can further adjust such settings from your subscription center, which we will gradually make available to all our services.

We really appreciate it if you help us improve our services. However, if you want to minimize all data traffic towards F-Secure, we respect that. Those of our services that employ additional analytics allow you to opt out from subsequent collection of such non-essential data collection.

If you have opted out from all analytics data collection, our messaging to you will be only based on the service data collection (the data we collect in any case to provide you with the services) and our tips are likely to be less relevant.

If you are against the collection of any data analytics, the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings or use our privacy product.

Changes

This version of the statement clarifies, updates, and replaces the previous statement. To continue keeping this statement up to date, we will make changes and additions to this from time to time also in the future. The service-specific policies and other case-specific policies are similarly updated.

We will publish the changed privacy statement on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means, such as posting a notice on our home page or sending an email. Any changes will apply starting from the date that we publish the revised privacy statement on our website or other interaction point.

Contact information

If you have any questions or concerns about the matters discussed in this privacy statement, please contact:

F-Secure Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

If you are a client of our consumer line of products, please contact us via www.f-secure.com/support.

If you are a client of our corporate line of products, please contact us via www.f-secure.com/en/web/business_global/support.

© F-Secure, June 2018