May 2024
We respect your right to privacy. We help you to manage the network traffic of your connected devices in your home and protect those devices against harm and unwanted content from the internet.
To do that:
we analyze the network traffic coming to and from your home network;
we collect typical service registration and service performance data and analyze them for service performance.
This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.
This service is offered via service providers (e.g. teleoperator or mobile broadband service provider) and we may receive user identifier data from the service provider. It is typically limited to name and email address. We may also collect other identifying data for the purpose of providing you with a smooth customer experience, such as serving your support request.
In cases where we provide you with personal support services, we may need to ask you for additional information.
The above information is connected with service identifiers (such as device serial number) and with subscription status and usage metadata (see below) for the purposes of:
delivering the services to you (including identifying authorized users and managing licenses);
providing help and support to you;
maintaining, developing, and enhancing the services and your customer experience and doing troubleshooting and performance measurement;
improving the functionality of the services and related websites;
tracking the services that you have bought and used so that we can manage your customer relationship and communicate with you;
sending you information about the services;
arranging competitions and conducting customer satisfaction surveys.
Our guiding principle is that we do not seek to spy on the exact content of your private communications. We only need to analyze your communications traffic to enable the service to protect your home network. To be more exact, this means that:
we analyze the traffic for suspicious or malicious sources and destinations (i.e. URL queries, FQDN addresses) to provide visibility to and protection for your network traffic. Suspicious or malicious sources and destinations are coming from an F‑Secure operated and maintained system called Security Cloud that is explained further in the section ‘Security Data’;
to provide you accurate information about your connected devices we collect device type and name, operating system and platform, and similar device details;
to map out your home network, our device type detection needs to collect the IP traffic source and destination address as well as DNS queries and replies per device MAC address(es). The same data is used for network traffic anomaly detection for IoT devices; and
we need to process metadata (such as IP addresses and DNS queries and replies) and traffic patterns of your PCs, phones, smart devices, and other IoT devices’ traffic to establish which of the above should connect to the internet or external servers at will.
For the Family Rules feature, we store your profile preferences and settings.
We are not using the above data to track your overall browsing habits. We do record the attempts to visit malicious websites or websites that the service owner has chosen to block from the service settings. These records will be made on all such attempts from all devices connected to the service owner’s home network and those records will be made available to the service owner as “events” and/or “notifications” in the service owner app or equivalent.
The service sends queries on potential malicious activities or protected devices and networks to F‑Secure Security Cloud. F‑Secure Security Cloud is a cloud-based system for cyber threat analysis that is operated by F‑Secure. With the Security Cloud, F‑Secure can maintain an up-to-date overview of the global threat landscape and protect our customers against new threats the moment they are first found. While we limit the processing of any information that could be considered sensitive by our users, we collect the minimum amount of user and organization information for the purpose of providing high quality protection to our users. The collected data may contain:
Files that are blocked by F‑Secure for a security reason, and related metadata. The metadata includes for example file hash, file name and file path. We need to analyze files and emails for malicious content and behaviors for your protection. Files are processed in a safe environment to catch harmful behaviors. Collection of this data helps F‑Secure to keep a global threat situation map that allows reacting quickly to new threats.
Web addresses that you have tried to visit but have been blocked by F‑Secure for a security reason or which exhibit potentially malicious behavior, and related metadata. The metadata includes for example response headers. A site may get blocked based on selected protection preferences and parental control reasons. The collected information also allows protection against phishing and ransomware attacks.
F‑Secure processes your data so that we can provide you with our services that you have made a contract for or are in the process of doing so. Such contracts may be made either directly with F‑Secure or with another entity (such as a service provider partner) that has tendered our services to you. Tendering of services may take the form of a purchase or be free of charge.
In the case of data that is not strictly necessary to provide you with the services — but would help F‑Secure or your service provider in providing you with better services in the long run — we collect such data only with your consent.
The service user interface may also provide you with other settings to adjust your preferences.
This section gives you a more comprehensive explanation of the legal grounds based on which we process personal data. This complements the exact service-specific legal grounds on which our personal data processing relies for the respective activity.
By using our services, you are our client. To interact with you and to provide our services to our clients, we must process some data on you. Such processing typically occurs when you communicate with us or our business partners relating to our services, install and use our services, fill out a form or survey, register to use our services, submit information through our web solutions, enter a contest or sweepstakes, register your email address with us, or send us email.
Since we need the data to pursue the above legitimate activities, we have a right to process relevant personal data. This right typically takes place in the form of “contract performance”, “legitimate interest”, or “consent”.
We need to automatically collect and process relevant data for our services to work, to enhance them, and to provide them to you. The data is processed to:
provide F‑Secure services to secure our customers’ networks and devices as well as the confidentiality and availability of the data therein;
enable F‑Secure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;
enable F‑Secure to provide a centralized security service framework across multiple continents to a large number of customers and partners.
The data processing by the services is mandatory for the efficient protection of the device/network and a prerequisite for F‑Secure’s capability to provide its contracted services. As such processing is inseparable from the services that we provide to you, this gives us a valid need to process your data and a justification to do so.
For consumer products, this right takes place in the form of “contract performance”. In some cases, processing may take place in the form of “legitimate interest” and we may also have a “legal obligation” to process data for specified purposes.
We also reuse the above service data and security data for data analytics purposes, based on the legal grounds established above. Data analytics are an integral part of our service delivery, as nearly all F‑Secure services are dependent on our infrastructure to properly operate. Our data analytics enables us to direct that infrastructure to support your use of the services.
Where our services collect data that is only needed for the purpose of gaining more insight on how people use the services or how to serve you better, but is not necessary for providing our services, we do so only with your separate consent. You also have the right to withdraw your consent later, should you wish to do so. The legal grounds for data that is solely collected for analytics purposes is thus “consent”.
In addition to the above primary legal grounds for data collection, we may also need to use and/or continue to store data i) to meet a “legal obligation” to process data for specified purposes, or ii) under the grounds of “legitimate interest”. For an example list of situations where we may resort to such justifications, see the “Other disclosures” section.
We consider you a client of F‑Secure, not a client of the individual service. Hence, data collected by different services (e.g. Total) and interactions (e.g. contacting support) are combined to your F‑Secure account. However, we do not aggregate data against our specific privacy promises (for example, we maintain a hands-off approach to your traffic inside our VPN service).
The service provider you subscribed to the service through may undertake some of the activities listed above in our stead (such as user authentication or communications). We also exchange with the partner such above listed data (e.g. status of your subscription, installation success, service in active use, data collected for resolving a technical support case) as is necessary and proportional. The service provider you subscribed to the service through may also have access to all or the subset of data listed above under “Your home network” (e.g. devices connected to your home network, their statuses and traffic patterns, connections to suspicious sites). We do the above exchanges to provide you with necessary functionalities, smooth customer experience and support services, and to communicate with you in a consistent manner.
We exchange (both disclose and receive) some of your personal data with our distribution partners (operators, webstores, etc.), who market, distribute, administer, and support our services. We provide these companies access to such personal data that they may need for their agreed activities. The logic of this data sharing is to provide a seamless customer experience. This includes activities such as customer management, service support, incident management and problem resolution, direct marketing, and invoicing.
Our distribution partners are likely to have a pre-existing customer relationship with you. Such partners and corporate customers process your personal data as an independent entity, based on their applicable privacy policies. Regardless, our distribution partners must also comply with the agreements and legislation when handling your personal data. Each such entity is by default independently responsible for its own treatment of personal data, for its own purposes.
We may transfer or disclose some of your personal data to F‑Secure group companies and our subcontractors who help us create the services.
Where our clients’ personal data needs to be transferred or disclosed to our subcontractors, we require, in our contracts with them, that they use such information solely for providing their agreed services (for example, to solve a support case, to send it to logistics partners for product delivery, or to send marketing mails on our behalf). We require our subcontractors to process data pertaining to you in a manner that is consistent with our statements herein.
F‑Secure operates globally. Consequently, some of our affiliates, subcontractors, distributors, and service provider partners are located in multiple countries, including outside the European Economic Area to ensure the global reach and availability of our services. Depending on the scope of your interactions with F‑Secure, your personal information may be stored in or accessed from multiple countries. The locations of F‑Secure affiliates can be viewed from F‑Secure’s public web pages.
When we transfer personal data to other jurisdictions, including outside the European Economic Area, we secure such transfers of personal data according to the requirements of the law. We do this by imposing appropriate technical and contractual safeguards on relevant subcontractors and F‑Secure group companies, for example by using data transfer clauses that are approved by the European Union — the fixed content of such clauses is available here.
Additionally, F‑Secure complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) as set forth by the U.S. Department of Commerce. F‑Secure has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit the Data Privacy Framework website.
In compliance with the EU-U.S. DPF, F‑Secure commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit jamsadr.com/submit for more information or to file a complaint. The services of JAMS are provided at no cost to you. If you have a complaint that we have violated the DPF Principles that has not been resolved by other means, you may have the ability to invoke binding arbitration following the procedure explained on the DPF website. F‑Secure is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC).
We only do global or cross-border data transfers for a good reason and after assessing the resulting privacy risk. When we transfer your personal data onward to a third party, we remain liable under the DPF Principles if the data is processed in a manner inconsistent with the DPF Principles.
We store more sensitive customer data within Finland or the European Economic Area and keep it under our own control.
There are circumstances not covered by this privacy policy where the use or disclosure of personal data may be justified or permitted, or where we may be obligated by applicable laws to disclose information without acquiring your consent or independent of service provisioning.
For example, F‑Secure respects lawful warrants, court orders of the jurisdictions applicable to us, and public authorities, including to meet national security or law enforcement requirements.
Similarly, there may be other circumstances where there is a justifiable legitimate interest to disclose limited sets of information to a third party. Examples of such disclosures include cases where we need to protect ourselves against liability or to prevent fraudulent activity, where we analyze your use of our products to ensure that our products are working the way you would expect them to and that we are able to react to adverse experiences, where it is necessary to solve or contain an ongoing problem, or where we need to meet the legitimate information requirements of our insurers or governmental regulatory agencies. In any such action, we will act according to the applicable laws.
We may also need to transfer your personal data as part of a corporate transaction, such as a sale, merger, spin-off, or other corporate reorganization of F‑Secure, where the information is provided to the new controlling entity in the regular course of business. F‑Secure group discloses and transfers data internally as required by our then current operational model. We do, however, limit the disclosures internally to only those group companies, units, teams, and individuals who have a need to know such information for the intended purposes of processing it.
We weigh each disclosure requirement carefully and take the possibility of such disclosure requests into account when deciding where and how we store your personal data.
While we collect the majority of the above-mentioned data directly from you or your device, we also receive data from our affiliates, distribution partners (such as operators and retailers), and corporate entities from whom you have purchased the services. Such entities may be our resellers, but also include our external webstore partners. We also acquire some basic personal data (order data on purchases) and aggregate analytical data from app stores in which our services are sold. Such other sources may further include subcontractors who have provided you with support for our services, or advertising partners who have assisted us in conducting our marketing activities.
We do this to create a seamless customer experience and to have the necessary information for solving support cases.
Typical examples of third-party sources are:
information on your purchase made in our external webstore,
we acquire your credentials from previous sign-in data from our operator reseller partner, so that we can provide our service to you directly,
we acquire your contact data from corporate decision-maker registries for marketing purposes, and
when you use your social media account to register to our services, we collect the email address from your account to enable us to authenticate your registration and to contact you.
Our services are provided in conjunction with our partners and our services and websites may embed or interoperate with third-party services. This privacy document only applies to personal data as long as that data is within F‑Secure’s realm of influence. Where your personal data is processed by other entities for their independent purposes, such other party is responsible for processing your personal data in a justified manner in accordance with their policies as well as for fulfilling your rights under data protection laws.
The most prevalent such scenarios are the following:
Webstore. Our webstore is partially run by a third-party reseller. While the data you enter in the registration phase is handled under F‑Secure policies, our webstore providers’ policies apply to the actual purchase and related activities.
Device location queries. When you query the location of your device via our services, the provider of maps needs to process the related geographical data. On the publication date of this policy, F‑Secure uses Google maps in our device location and search features. Google privacy policies shall apply accordingly to your use of the features.
Personally identifiable user data is retained for the duration of an active service subscription plus for the grace period of six months thereafter. This is to allow customers to re-engage their expired subscription if they want. Thereafter, the customer account will be scheduled for removal.
If you have purchased the service via our service provider partners, the account deletion is controlled by that service provider partner. When the service provider notifies us that your subscription has been terminated, F‑Secure subsequently removes the account and deletes or anonymizes personal data related to the account.
The service analytics data that we receive consists of two main data streams.
The hardware unit in which the service is embedded sends installation and general device health status data and security event data to F‑Secure. It also updates its status to our backend systems, thus helping us to find and resolve any defects that may cause malfunctions. This is necessary for us to provide the service to you.
The service user interface may collect usage analytics data and selected security event data, so that we can learn which service features are of value to our customers, and how we can improve your service experience. You do not have to provide this data to us, but we would really appreciate it so that we can better develop the service in the direction that you and our other customers prefer.
You can naturally opt out from the majority of the analytics data collection at any time in the service settings.
This section outlines our general practices for the collection and processing of data for analytics purposes.
F‑Secure data analytics comprises reused service data, reused security data, and the data that is collected for analytics purposes to begin with.
We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.
What we collect. The data that we process for the purposes of data analytics include things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and URLs, service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.
On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.
The above relates to your use of our cyber security services. Data analytics running on our websites are described in our website privacy policy.
Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards F‑Secure, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.
If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.
If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings, or to use our privacy product.
Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a “legitimate interest”. The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.
Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as “Android marketing identifier” and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.
Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.
We do not sacrifice your privacy. Where we differ from most companies doing this is in that we understand how the ecosystem works and go to great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.
When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to whom a specific data set refers. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results — not the full data — of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.
We also limit such added analytics only to the surface of our services and keep them at arm’s length from the core privacy areas of our services. For example, we do not have any external analytics in our Security Cloud or in the traffic inside our VPN service.
We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.
We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
All personal data is stored on secure servers operated by F‑Secure or our partners with access limited to authorized personnel only.
You can cease data processing by the service by cancelling your subscription or by switching off the protection.
You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:
Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. For such, you should update any changes to your personal data, for example change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
Portability. You also have the right to ask for personal data that you yourself have provided — pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.
You can exercise your rights via our customer care function. The links to contact us are in the “Contact information” section.
Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.
If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (tietosuoja.fi).
If you have any questions or concerns about the matters discussed in our privacy policies, please contact:
F‑Secure Corporation
Tammasaarenkatu 7
PL 24
00180 Helsinki
Finland
How to contact us:
Please contact us via the support channels available on our website.
In privacy matters, you can also contact F‑Secure by sending a message to privacy@f-secure.com. Note that this email address is not monitored for data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.
Information on definitions and change management.
This is what we mean when we make certain references within this policy.
“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.
“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.
“Services” refer to any services or products that are manufactured or distributed by F‑Secure, including software, web solutions, tools, and related support services.
“Website” refers to the f-secure.com website or any other website that F‑Secure hosts or controls, including subsites and browser-based service portals.
This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time also in the future.
We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.