WithSecure Elements Mobile Protection Privacy Policy

August 2022

In brief

Mobile Protection combines VPN surfing and malware protection with mobile device management, which are both controlled via the management portal. To achieve this:

  • the service encrypts your data traffic to protect it from third parties;
  • the focus of data collection is on your device and our service, not you as an individual;
  • much of the collected data is available for your employer’s IT administrator, so they can better manage company devices and applications; and
  • we collect anonymous security data to protect your device.

The purpose of the service is to secure and manage your device and its connections. The service is not built to monitor employees. The service does not enable WithSecure or your company’s IT administrator to follow your movements, view your photos, or see who you call or communicate with, nor are we able to track the sites that you visit through the service.

In full

This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular 1) the type of personal and private data that the service collects, 2) what we use it for, 3) our justification, 4) typical disclosures, and 5) for how long we store it. More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links.

What do we collect and what do we do with it?

Your private communications. Our guiding principle is that we do not seek to spy on the exact content of your private communications. We only analyze your communications traffic to provide you the service and to keep your data transfers clean. To be more exact, this means that:

  • we need to process some metadata (such as the traffic volume and IP addresses) of your traffic when providing the service to you. To safeguard your privacy, the target IP, port, or URL of traffic relayed through the VPN is not stored in a way that could later be connected to you;
  • we analyze the traffic for suspicious or malicious files and destinations (i.e. URLs); and
  • we automatically screen the traffic to inhibit usage that is against our acceptable use policy.

Service provisioning logging. When the service is taken into use or a license is modified at later stages of the lifecycle, the provisioning log data is collected. This is done in order to enable and diagnose successful provisioning to authorized devices, detect abuse of the service, and as a precaution for disaster recovery in case it is needed. This log contains the IP address of the client, a random device ID generated by the service, the time of access, the country code obtained via a GeoIP lookup of the client IP address, and other similar technical device data.

Service logging. We do not keep any logs about connections established through the VPN service to external addresses. We cannot link the IP address of your browsing destination to you.

To protect the service against fraudulent use, we maintain temporary logs that contain the duration of the VPN sessions, the amount of data transferred, the device ID, public IP address, and host name from where the VPN client connects to our service. Traffic anomalies that look like a potential abuse of our service (such as port scanning, spamming, or DDoS attacks performed by our clients) are detected by our software and will be logged as well. The logs are stored for 90 days prior to deletion, and can be used to deal with any misuse of our service or attacks against us.

Traffic Protection. With the Traffic Protection feature, you can choose to log the tracking data of your traffic for 24 hours. The log is required for displaying the blocked tracking attempts as a visual map to you. The Traffic Protection log will be marked for deletion and detached from the user record once you start a new log, delete it manually, or automatically after 3 days.

Securing your device with Security Cloud. The service sends queries on potential malicious activity, malicious software, or unwanted applications on protected devices, data traffic, and networks to WithSecure Security Cloud. WithSecure Security Cloud is a cloud-based system for cyber threat analysis that is operated by WithSecure. With the Security Cloud, WithSecure can maintain an up-to-date overview of the global threat landscape and protect our customers against new threats the moment they are first found. These queries — such as URLs, file identifiers, and application metadata — cannot be connected to an identifiable user by WithSecure.

To protect your privacy, WithSecure separates the above security data from other data collected on your use of the service, anonymizes it, and destroys it when it is no longer needed for the purpose.

No back doors. This service and the underlying infrastructure are built to protect you from undesired spying — by governments, criminals, stalkers, or commercial entities. We do not build back doors to our services.

Criminal investigations. WithSecure respects lawful warrants and court orders of the jurisdictions applicable to us. We provide information to the authorities when it is required of us under law, but not otherwise. Such occurrences include investigations and prosecutions of serious crimes and other qualified illegal activities. After all, our goal is to secure your privacy when browsing the web, not securing your anonymity when committing crimes. We carefully review the lawfulness of each request and ensure that our users' constitutional rights to privacy are protected.

Client relationship data

The Service collects a varying set of data depending on the situation. We use client relationship data for the following purposes:

Customer journey. To identify authorized users and check customer qualifications, process and track transactions such as administering accounts, shipping, invoicing, managing licenses, financial controlling and auditing, and customer support requests.

Deliver, fix, and enhance. To deliver our services to you, maintain and develop our services and websites, and to provide help and support for the services.

Analyze. To track how our services are acquired and used so that we can improve the services, manage your customer relationship, and approach you with relevant messages.

Communicate. To send you information relating to the services, conduct customer surveys, arrange competitions, advertise and market our services to you.

Regulatory. To prevent fraudulent activities, remove or stop sharing of illegal or infringing material, and comply with legal or regulatory requirements.

User data

User data in the management portal

The service collects the following data about you, your device, and use of the service, and makes it available through the management portal:

  • User’s email, first name, family name, and alias. This data is linked to your "device UUID" that acts as an identifier of the user data in the system.
  • The service version number, device identifiers (e.g. UUID, model, etc.), subscription key, installation and update date and time, operating system and version, feature status.
  • In addition to the above, the service collects: your mobile device model, as well as the potential jailbreak or root status, service statistics per device such as the virtual location, the aggregate amount of traffic in the VPN tunnel, the amount of traffic scanned, the harmful sites, the number of blocked tracking attempts and blocked website counters.

The collected data varies according to what devices and services you use.

We use this data to operate the services, to manage them (including identifying authorized users and managing licenses), to measure performance, and to further develop, enhance, and improve the service. The data can be used to provide support and problem resolution services.

This data is visible to your company's IT administrator and is also available to WithSecure and through the portal. If the company's IT administration has been outsourced, the data is also available to the outsourcing partner (WithSecure's 'distributor partner'), so that they can provide your company with support and similar IT services.

User data in WithSecure systems

In addition to data that is made available in the portal, WithSecure also collects the following data via the service:

  • your device ID, so we can send push notifications to the devices and to combine different types of user data;
  • your device's language, so the service language is consistent with the device language; and
  • we may also collect the battery level, internal memory and SD card memory sizes, and a list of installed applications (to check that the service is installed correctly) for management feature development purposes.

Some jurisdictions require that we collect user devices' public and private IP addresses as well as the start and end time for the VPN tunnel. If we receive a legally valid request, this data can be used to reveal which origin IP was used to connect to a target IP at a given time. It does not compromise the invisibility of your browsing traffic via the service towards WithSecure or your IT administrator, as we do not connect the IP address to you. We do not sell or disclose your VPN data to any third parties unless we are required under law.

Legal grounds

WithSecure processes your data so that we can provide you with our services that you have made a contract for or are in the process of doing so. Such contracts may be made either directly with WithSecure or with another entity (such as our webstore or partner) that has tendered our services to you. Tendering of services may take the form of a purchase or be free of charge.

This section gives you a more comprehensive explanation of the legal grounds based on which we process personal data. This complements the exact service-specific legal grounds on which our personal data processing relies for the respective activity.

Client relationship data

To provide our services to our clients, we must process some data on you. Such processing typically occurs when you communicate with us or our business partners relating to our services, install and use our services, fill out a form or survey, register to use our services, submit information through our web solutions, enter a contest or sweepstakes, register your email address with us, or send us email.

Since we need the data to pursue the above legitimate activities, we have a right to process relevant personal data. This right typically takes place in the form of “contract performance”, “legitimate interest”, or “consent”.

Service data and security data

We need to automatically collect and process relevant data for our services to work, to enhance them, and to provide them to you. The data is processed to:

1. provide WithSecure services to secure our customers’ networks and devices as well as the confidentiality and availability of the data therein;

2. enable WithSecure to detect emerging threats and security-relevant trends among all of its customers, so that our services can keep on par with evolving threats;

3. enable WithSecure to provide a centralized security service framework across multiple continents to a large number of customers and partners.

The data processing by the services is mandatory for the efficient protection of the device/network and a prerequisite for WithSecure’s capability to provide its contracted services. As such processing is inseparable from the services that we provide to you, this gives us a valid need to process your data and a justification to do so.

In some cases, processing may take place in the form of “legitimate interest” and we may also have a “legal obligation” to process data for specified purposes.

Analytics data

We also reuse the above service data and security data for data analytics purposes, based on the legal grounds established above. Data analytics are an integral part of our service delivery, as nearly all WithSecure services are dependent on our infrastructure to properly operate. Our data analytics enables us to direct that infrastructure to support your use of the services.

Secondary uses

In addition to the above primary legal grounds for data collection, we may also need to use and/or continue to store data i) to meet a “legal obligation” to process data for specified purposes, or ii) under the grounds of “legitimate interest”. For an example list of situations where we may resort to such justifications, see the “Other uses and disclosures” section in our general privacy policy.

General

We consider you a client of WithSecure, not a client of the individual service. Hence, data collected by different services (e.g. Business Suite) and interactions (e.g. contacting support) are combined under your WithSecure account. However, we do not aggregate data against our specific privacy promises (for example, we maintain a hands-off approach to your traffic inside our VPN service).

Transfers and disclosures

Commercial transfers and disclosures. If you have subscribed to the service via our partner, that partner may undertake some of the activities listed above in our stead (such as user authentication or communications). We also exchange with the partner such above listed data (e.g. status of your subscription, installation success, service in active use, data collected for resolving a technical support case) as is necessary and proportional. We do the above exchanges to provide you with a smooth customer experience and support services, and to communicate with you in a consistent manner. We do not sell or disclose your VPN data to any third parties unless we are required under law. With your permission, the partner may also access your account to provide you with customer support.

Criminal investigations. WithSecure respects lawful warrants and court orders of the jurisdictions applicable to us. We provide information to the authorities when it is required of us under law, but not otherwise. Such occurrences include investigations and prosecutions of serious crimes and other qualified illegal activities. After all, our goal is to secure your privacy when browsing the web, not securing your anonymity when committing crimes. We carefully review the lawfulness of each request and ensure that our users’ constitutional rights to privacy are protected.

Retention

Personally identifiable user data is retained for the duration of an active service subscription plus a grace period of six months thereafter. This is to allow customers to re-engage their expired subscription. Thereafter, the customer account will be scheduled for removal.

Additionally, some data is subject to more limited data retention practices.

  • Service provisioning log entries are retained for one year, after which they are deleted.
  • Service log events for provisioned devices are retained for three months, after which they are deleted.
  • Traffic Protection data is retained for 96 hours, after which it is deleted.

If you have purchased the service via our partners, the account deletion is controlled by that partner. When the partner notifies us that your subscription has been terminated, WithSecure subsequently removes the account and deletes or anonymizes personal data related to the account.

Some partners offering the services are subject to more comprehensive data retention obligations than WithSecure. In such cases we may collect additional service / traffic log data and retain it longer than set out above. The data is collected to assist the partner to comply with local laws and only for this purpose.

Analytics

For us to learn when and how you use our service, to enhance it, and to learn how customers find out about the service, the service collects data on installation success, installation and activation paths, performance, operation environment, connections, used features, etc. We do this so that we can create services that are of value to you and our other customers.

This section outlines our general practices for the collection and processing of data for analytics purposes.

WithSecure data analytics comprises reused service data, reused security data, and the data that is collected for analytics purposes to begin with.

We want to give you a more personal customer experience and provide you with even better services in the future. For that we need to track usage patterns and create customer segments. For example, what features are used most, where the service fails, what needs fixing, and how you found out about our services.

What we collect. The data that we process for the purposes of data analytics includes things like device identifier and relations between devices / users / user groups, operation environment, service operation time, license type (trial or paid version), device metrics (such as phone model and operating system, language), partial IP address, service errors, problematic files and URLs, service performance data, how you interact with our services (such as which features are used and how often), the domain name from which you connect to the service, elements clicked, timestamps, regional location, effectiveness of our in-service messaging, service activation (such as tracking that you have received the related messages and that installation was successful), installation and activation paths, service performance, connections, data routing, quota, and other similar data.

On a practical level, when we ask for your consent in our services’ user interface, it controls whether the following data is sent: i) additional data, like which features are used and how often, and service metrics, and ii) the number of attributes sent in a given data set.

The above relates to your use of our cyber security services. Data analytics running on our websites are described in our website privacy policy.

Opting out. We really appreciate your help in improving our services. However, if you want to minimize all data traffic towards WithSecure, we respect that. Those of our services that employ additional analytics give you the choice on whether to contribute. You can opt out at any time from the subsequent collection of analytical data that is non-essential to our service provisioning.

If you have opted out from all analytics data collection, our messaging directed to you will be based only on the service data collection (the data that we collect in any case to provide you with the services) and some of our messaging is likely to be less relevant.

If you oppose all collection of data from your online life (including our websites), the more wholesale method for preventing online advertisers from profiling your mobile device usage is to reset the advertising identifier from time to time and to turn on the do-not-track setting in your device settings.

Analytics data retention. In our data analytics activities, we combine analytics data with the service data. The resulting combined data set then continues to be processed based on a "legitimate interest". The previously collected analytical data is retained as part of the service statistics, as its retroactive removal would break the statistics. When you cease subscribing to our services (i.e. your account is deleted), the analytical data related to your service use will be reverted to anonymous data, and we are no longer able to associate it with you.

Data exchange. Because of the technical environment (that is, the internet, the app store ecosystem, and social media), we are not able to do all of the collection and activities related to data analytics ourselves. We have to exchange some data (such as "Android marketing identifier" and other like identifiers) with our online analytics and marketing partners to enable our digital analytics and marketing activities. The vast majority of the data that we have on you is not shared with others.

Some of our subcontractors who provide us with analytical capabilities for our products may also create and publish aggregate reports on the data that they have collected. In such cases, the statistics and aggregate reports do not contain any data that could be linked to any individual person.

We do not sacrifice your privacy. Where we differ from most companies doing this is that we understand how the ecosystem works and go to great pains to select our few partners with care, removing all data that is not absolutely necessary for the above purpose. You can naturally opt out from the collection of analytics data at any time via the service settings.

When we process the data for analytical or statistical purposes, we pseudonymize the data. In other words, our data analysts do not know the individual to whom a specific data set refers. The pseudonymization is only reversed in specified use cases. For example, when we communicate with you, we connect the results – not the full data – of our data analytics to your email address. Another example is that we may use the data to resolve issues you may have with our product, when providing you with technical support services.

We also limit such added analytics only to the surface of our services and keep them at arm's length from the core privacy areas of our services. For example, we do not have any external analytics in our Security Cloud or in the traffic inside our VPN service.

Elements Endpoint Protection privacy policy

The roles in which different parties process your personal data, and data retention rules are described in the WithSecure Elements Endpoint Protection privacy policy.

Security

Information on the security practices that we employ to keep your data secure.

We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.

We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.

All personal data is stored on secure servers operated by WithSecure or our partners with access limited to authorized personnel only.

Your rights

Information on your statutory rights and how to contact us.

You have the right to the data that we have on you. In particular, you have the following rights to the personal data that we hold on you:

  • Access and rectification. You have the right to ask us what personal data we have on you and to get a copy of the data that we can identify pertaining to you in this context. Should you find any errors (e.g. obsolete information) in such data, we urge you to contact our customer care to resolve the issue. Some of our service portals allow you to update your customer information. In such portals, you should update any changes to your personal data, for example a change of address or email address. If you cannot update the changes yourself, you may inform us of the necessary changes.
  • Objection. You are entitled to object to certain processing of personal data, including for example the processing of your personal data for marketing purposes or when we otherwise base our processing of your data on a legitimate interest. In the latter case, you need to establish a legally valid rationale for your objection.
  • Right to be forgotten. You also have the right to request us to cease storing your personal data and erase it. In this case you need to establish a legally valid rationale for your request.
  • Portability. You also have the right to ask for personal data that you yourself have provided – pursuant to a contract or your consent. You may request the data in a structured, commonly used, and machine-readable format and further that the data is transmitted to another controller, where technically feasible.
  • Withdrawing consent. In cases where the processing is based on your consent, you have the right to withdraw your consent at any time via relevant settings. For identifiable service analytics data, you can find the settings in the service user interface. You also have the right to opt out from our marketing communications via the preference center accessible through the link.
  • Restriction. If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request that we cease any further processing of your personal data, and merely keep it in store until the issue is resolved.

You can exercise your rights via our customer care function. The links to contact us are in the "Contact information" section.

Note that there may be situations where our confidentiality obligations, our right of professional secrecy, and/or our obligations to provide our services (e.g. to your employer) may prohibit us from disclosing or deleting your personal data or otherwise prevent you from exercising your rights. Your above rights are also dependent on the legal grounds based on which we process your personal data.

If you have any complaints about how we process your personal data, or would like further information, please contact us at any time. If you feel that we are not enabling your statutory rights, you have the right to lodge a complaint with a supervisory authority. In most cases, this authority is the Finnish Data Protection Ombudsman (www.tietosuoja.fi).

Contact information

If you have any questions or concerns about the matters discussed in our privacy policies, please contact:

WithSecure™ Corporation
Tammasaarenkatu 7
PL 24
00181 Helsinki
Finland

How to contact us:

  • Please contact us via our Support channels available on our website at: Customer support | WithSecure™.
  • In privacy matters you can also contact WithSecure™’s Data Protection Officer by sending a message to privacy@withsecure.com. Please note that this email address is not monitored for data subject requests. If you wish to exercise your rights as a data subject, please use the above support channels instead.

Information on definitions and change management.

Definitions

This is what we mean when we make certain references within this policy.

“Client”, “you”, refers to any data subjects who buy, register for use, or use our services, whose devices and data traffic are protected by our services, or who may have submitted personally identifiable information to us. This information may have been submitted through the use of our services, websites, telephone, email, registration forms, or other similar channels.

“Personal data” refers to any information on private individuals that is identifiable to them or their family or household members. This information may include names, email and mailing addresses, telephone numbers, billing and account information, and other, more technical information that can be linked to you, your device, or the behavior of either, that we process while providing our services.

“Services” refer to any services or products that are manufactured or distributed by WithSecure™, including software, web solutions, tools, and related support services.

“Website” refers to the WithSecure.com website or any other website that WithSecure™ hosts or controls, including subsites and browser-based service portals.

Changes

This version of the policy clarifies, updates, and replaces the previous version. To keep this document up to date, we will also make changes and additions to it from time to time in the future.

We will publish the changed policy document on our website or at another interaction point where it has previously been made available. If the changes are significant, we may also notify you by other means. Any changes will apply starting from the date that we publish the revised policy document.